Operating System - OpenVMS
1748169 Members
4338 Online
108758 Solutions
New Discussion юеВ

Re: Submiting batch jobs as a different user

 
Jimson_1
Frequent Advisor

Submiting batch jobs as a different user

Hi,

I suspect someone at my place of work may be submitting batch jobs under my UIC. In fact I'm certain of it. Its not malicious but nonetheless its something that I want to keep an eye on.

Anyone know of a way of monitoring this sort of activity?

5 REPLIES 5
Jan van den Ende
Honored Contributor

Re: Submiting batch jobs as a different user

Jimson,

that would require CMKRNL privilege. That should be VERY scarse, and therefor easy to find out!

But other than that, it would require an audit on the submit command. Also pretty straightforward, for a priv'd user.
The audit log is fairly easy to search.
Adding an alarm would usually cause MUCH noise!

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Jimson_1
Frequent Advisor

Re: Submiting batch jobs as a different user

Unfortunately lots of users here in our development environment have elevated privileges.

Can you explain how to audit the SUBMIT command?
RBrown_1
Trusted Contributor

Re: Submiting batch jobs as a different user

What version of VMS?

How much privilege do you have?

What do you know about these jobs?

Off the top of my head:

With no privilege at all, when you log in you can see when your last batch login was.

You could modify your LOGIN.COM file to send you mail when a batch job in your name starts. You probably won't need extra privilege to do this, but you won't find out who submitted it.

If accounting is active, you can review processes run with your username or uic. This does not, however, report who submitted it. You will need permission to view the accounting file.

If you turn on image accounting. And see who executes the submit command. If you match this with batch jobs in your name, perhaps you would find out who is doing it. You will need permission to view the accounting file and lots of extra disk space for the larger accounting files.

You could put an alarm or an audit ACE on the submit command to see when it is executed, but you will still need to match this info with accounting or something to figure out which is doing it in your name. And you will need privilege to do this.

You could give everybody a SUBMIT symbol that checks the command line to see if it does /USER=you (and then does the SUBMIT anyway). You will need privilege to this. And any non-privileged user can defeat it.

That is all I can think of for now. Probably somebody else knows a simple obvious way.
Hoff
Honored Contributor

Re: Submiting batch jobs as a different user

Why do you suspect that SUBMIT is in use here, and why do you suspect this is another user? Please post details, log file contents or other information around the rogue process(es).

As for your question, start with the Security Manual at:

http://www.hp.com/go/openvms/doc

Online help for the specific commands of interest here:

$ HELP SET AUDIT
$ HELP ANALYZE /AUDIT

You can selectively enable alarms or (preferably) audits for batch process creation as well as use of privileges audits.

And using the documented interface, batch jobs are submitted under a username and not under a UIC, and it is entirely possible to have two users with the same UIC.
Jimson_1
Frequent Advisor

Re: Submiting batch jobs as a different user

Ok that's a start.
I'll modify my login.com to log details of the job which is executing it.

Thanks