Re: Does AUDIT=SECURITY,ACCESS=DELETE work?

Jess Goodman · ‎03-04-2009

Can anyone explain why I am not getting a security audit record when I delete a file that has the ACL:
(AUDIT=SECURITY,ACCESS=WRITE+DELETE+SUCCESS+FAILURE)
on it?

$ SHOW SYSTEM/NOPROCESS
OpenVMS V7.3-2 on node AX38 4-MAR-2009 21:30:50
$ SHOW AUDIT /AUDIT
System security audits currently enabled for:
ACL
Authorization
Time
SYSGEN
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: dialup,local,remote,network,subprocess,detached
QUEUE access:
Failure: submit,manage,delete,control
$ CREATE JUNK.TXT /FDL=NL:
$ SET SECURITY JUNK.TXT -
/ACL=(AUDIT=SECURITY,ACCESS=WRITE+DELETE+SUCCESS+FAILURE)
$ DIRECTORY /SECURITY JUNK.TXT

Directory DSKC:[GOODMAN]

JUNK.TXT;1 [STAFF,GOODMAN] (RWED,RWED,RE,)
(AUDIT=SECURITY,ACCESS=WRITE+DELETE+SUCCESS+FAILURE)

Total of 1 file.
$ DELETE /LOG JUNK.TXT;1
%DELETE-I-FILDEL, DSKC:[GOODMAN]JUNK.TXT;1 deleted (0 blocks)

$ ANALYZE/AUDIT SYS_COMMON:SECURITY.AUDIT$JOURNAL -
/EVENT=ACCESS /SINCE=21:00
%AUDSRV-W-NOSELECT, no records selected

If I just write to the file I do get an audit record. If I put the same ACL on the directory the file is in, then I get an audit record when I delete the file, but that is because of write access to the directory.

Hard to believe that ACCESS=DELETE audits don't work at all, at least thru VMS 7.3-2.

I have one, but it's personal.

Jess Goodman · ‎03-04-2009

Never mind..............

Just figured it out - have to use /EVENT=DELETE instead of /EVENT=ACCESS.

Sorry for wasting bandwidth.

I have one, but it's personal.

John Gillings · ‎03-04-2009

Jess,

> Sorry for wasting bandwidth.

Not waste, it's the accumulation of informative mistakes that brings wisdom.

As we've seen in recent threads, finding the correct ANALYZE/AUDIT query can be difficult (even if it's one of the documented ones!).

Highly targetted ANALYZE/AUDIT commands are great for regular (and debugged) reports, but for casual use, it's usually faster and more reliable to just dump the whole lot!

If in doubt use ANALYZE/AUDIT/FULL/SINCE=time/OUTPUT=file to dump the whole lot and SEARCH the output.

Note although you can PIPE the output into a SEARCH command, you can't use /WINDOW to include text prior to the search string.

A crucible of informative mistakes

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

Re: Does AUDIT=SECURITY,ACCESS=DELETE work?

Does AUDIT=SECURITY,ACCESS=DELETE work?

Re: Does AUDIT=SECURITY,ACCESS=DELETE work?

Re: Does AUDIT=SECURITY,ACCESS=DELETE work?