Operating System - OpenVMS

How to audit someone changing the servers time.

 
Victor Mendham
Regular Advisor

How to audit someone changing the servers time.

Can anyone give me some hints on how to audit for someone changing the servers time?

The time was changed to 26-Sep-2004 and then back to 25-Sep-2004.

I think you need OPER and LOG_IO priv to change the time.

I tried to do an anal/audit/event=time/since=25-sep-2004:21:00/before=25-sep-2004:23:30

But I do not get any events even though the time was changed either by a batch process or an interactive user.
Lokesh_2
Esteemed Contributor

Re: How to audit someone changing the servers time.

Hi Victor,

You need to enable audit for time.

$SET AUDIT/ENABLE=TIME/AUDIT
$SET AUDIT/ENABLE=TIME/ALARM

Then you will find time change information in your security audit file.

HTH,
Thanks & regards,
Lokesh
What would you do with your life if you knew you could not fail?
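
The steps from this reply as one DCL command procedure, added here as an example and not part of the original post: it enables TIME auditing, confirms the setting, and lists the time changes recorded in the journal. The procedure name, the P1 parameter and the journal path (the default location) are assumptions.

```dcl
$! TIME_AUDIT.COM - added example; the file name and P1 default are assumptions
$! SET AUDIT requires the SECURITY privilege.
$ IF .NOT. F$PRIVILEGE("SECURITY")
$ THEN
$     WRITE SYS$OUTPUT "SECURITY privilege is required to change audit settings"
$     EXIT
$ ENDIF
$! Write system time changes to the audit journal and raise operator alarms
$ SET AUDIT/AUDIT/ENABLE=TIME
$ SET AUDIT/ALARM/ENABLE=TIME
$! Confirm that TIME now appears in both lists of enabled events
$ SHOW AUDIT/AUDIT
$ SHOW AUDIT/ALARM
$! Report time changes recorded since P1 (default: today)
$ since = P1
$ IF since .EQS. "" THEN since = "TODAY"
$! Journal path below is the default location; adjust if it has been redirected
$ ANALYZE/AUDIT/EVENT_TYPE=TIME/SINCE='since'/FULL -
      SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$ EXIT
```

Only time changes made after the event class is enabled are written to the journal, so the report stays empty for earlier changes.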
Ian Miller.
Honored Contributor

Re: How to audit someone changing the servers time.

It's not audited by default but can be. Commands to enable audit records and OPCOM security alarms have been given by Lokesh already.
____________________
Purely Personal Opinion
Willem Grooters
Honored Contributor

Re: How to audit someone changing the servers time.

Victor,

First shot, I could think of.
I'm not sure what class the system time is, but this may help once that's figured out:

$ SET AUDIT/CLASS=/ENABLE

(Perhaps the security manual tells you more)


HTH

Willem
Willem Grooters
OpenVMS Developer & System Manager
Victor Mendham
Regular Advisor

Re: How to audit someone changing the servers time.

OK, so in order to use the anal/audit/event=time I need to enable time auditing.

Any idea how much this will add to my audit file, it is already 3 gb in size per month.

Is there any way to see anything in any other log (like operator.log, etc.), which might indicate changes?

Thanks Vic...
Lawrence Czlapinski
Trusted Contributor

Re: How to audit someone changing the servers time.

If your audit files are that large, it is good to create new audit files on a regular basis, either monthly, weekly or whatever frequency seems reasonable to you.
See link for a way of doing this:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?admit=716493758+1096501334712+28353475&threadId=581282
Lawrence
Victor Mendham
Regular Advisor

Re: How to audit someone changing the servers time.

Lawrence, not sure if you noticed, but that original posting was from me as well.

Thanks.
Ian Miller.
Honored Contributor

Re: How to audit someone changing the servers time.

"Any idea how much this will add to my audit file, it is already 3 gb in size per month."

One record per time change - not a lot.

I think you should be creating a new audit file more often than once per month. Did you do the changes as suggested by John Gillings et al in your previous thread?
____________________
Purely Personal Opinion
Lawrence Czlapinski
Trusted Contributor

Re: How to audit someone changing the servers time.

Victor, actually I did notice that you had made the post with the information on creating a new audit file, etc. So I knew you knew how to do that but felt it was good to have a link to it. I forgot to put a note in my post saying that.
NOTE: By the way, for reference in OpenVMS System Management Utilities Reference Manual: A-L, the default audit file is SYS$MANAGER:SECURITY.AUDIT$JOURNAL. [Victor knows that.]
Lawrence
Victor Mendham
Regular Advisor

Re: How to audit someone changing the servers time.

I didn't change the resubmit as we didn't have any issues. I did originally have a problem where I wasn't specifying the cluster and fixed that. Because HP suggested the stop, we used the stop rather than /new-file. So far we are happy with the roll-over every month to a separate directory which gets offloaded to tape for archive.

I also just recently received the 7.3-1 security guide in pdf, so we now have that to assist us.

I just found out the time issue wasn't on our server, but rather on the server where the db was running, so the problem appears in the log where we call from the db and it reflected the issues with their clock, before they blew up and had their clock replaced.

Many Thanks for all the help