- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: Submiting batch jobs as a different user
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-07-2010 08:05 AM
тАО12-07-2010 08:05 AM
Submiting batch jobs as a different user
I suspect someone at my place of work may be submitting batch jobs under my UIC. In fact I'm certain of it. Its not malicious but nonetheless its something that I want to keep an eye on.
Anyone know of a way of monitoring this sort of activity?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-07-2010 08:14 AM
тАО12-07-2010 08:14 AM
Re: Submiting batch jobs as a different user
that would require CMKRNL privilege. That should be VERY scarse, and therefor easy to find out!
But other than that, it would require an audit on the submit command. Also pretty straightforward, for a priv'd user.
The audit log is fairly easy to search.
Adding an alarm would usually cause MUCH noise!
hth
Proost.
Have one on me.
jpe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-07-2010 08:18 AM
тАО12-07-2010 08:18 AM
Re: Submiting batch jobs as a different user
Can you explain how to audit the SUBMIT command?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-07-2010 08:25 AM
тАО12-07-2010 08:25 AM
Re: Submiting batch jobs as a different user
How much privilege do you have?
What do you know about these jobs?
Off the top of my head:
With no privilege at all, when you log in you can see when your last batch login was.
You could modify your LOGIN.COM file to send you mail when a batch job in your name starts. You probably won't need extra privilege to do this, but you won't find out who submitted it.
If accounting is active, you can review processes run with your username or uic. This does not, however, report who submitted it. You will need permission to view the accounting file.
If you turn on image accounting. And see who executes the submit command. If you match this with batch jobs in your name, perhaps you would find out who is doing it. You will need permission to view the accounting file and lots of extra disk space for the larger accounting files.
You could put an alarm or an audit ACE on the submit command to see when it is executed, but you will still need to match this info with accounting or something to figure out which is doing it in your name. And you will need privilege to do this.
You could give everybody a SUBMIT symbol that checks the command line to see if it does /USER=you (and then does the SUBMIT anyway). You will need privilege to this. And any non-privileged user can defeat it.
That is all I can think of for now. Probably somebody else knows a simple obvious way.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-07-2010 08:26 AM
тАО12-07-2010 08:26 AM
Re: Submiting batch jobs as a different user
As for your question, start with the Security Manual at:
http://www.hp.com/go/openvms/doc
Online help for the specific commands of interest here:
$ HELP SET AUDIT
$ HELP ANALYZE /AUDIT
You can selectively enable alarms or (preferably) audits for batch process creation as well as use of privileges audits.
And using the documented interface, batch jobs are submitted under a username and not under a UIC, and it is entirely possible to have two users with the same UIC.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-07-2010 08:39 AM
тАО12-07-2010 08:39 AM
Re: Submiting batch jobs as a different user
I'll modify my login.com to log details of the job which is executing it.
Thanks