Operating System - OpenVMS

Re: How to select "User record" explicitly from Security Database?

 
SOLVED
Edwin R. van der Kaaij
Frequent Advisor

How to select "User record" explicitly from Security Database?

ANALYZE/AUDIT can produce nice summaries.

Is it possible to select records only for a specific user that a sysuaf modification was performed on? Please note! I do NOT mean the privileged user that is performing the audit summary, but the user that is listed in the "User record:" field!

Example: analyze/audit/full/out=a.a/since="01-mar-2005 12:00"/event=(authorization,sysuaf)

I would like to find the /select= option where I can select the username that was modified in the sysuaf operation.

I know that there is a /select=ident=name=<****>, but I want the username :o)

Thanks for your help!

Ed van der Kaaij
13 REPLIES
Wim Van den Wyngaert
Honored Contributor

Re: How to select "User record" explicitly from Security Database?

I'm afraid it's
$ search a.a "User record:"
or write a dcl script to extract the info.

Wim
Karl Rohwedder
Honored Contributor

Re: How to select "User record" explicitly from Security Database?

I think the layout of the audit file is documented, so you can write a little program :-)...


mfg Kalle
Mobeen_1
Esteemed Contributor
Solution

Re: How to select "User record" explicitly from Security Database?

Ed,
I know you are going to be annoyed with me, look what I have got

$pipe analyze/audit/full/since="01-Jan-2005 12:00"/event=(authorization,sysuaf) | search sys$input "Username"

I am teasing my brains to see if any qualifiers help .. it's been a good reading exercise for me :)

rgds
Mobeen
Edwin R. van der Kaaij
Frequent Advisor

Re: How to select "User record" explicitly from Security Database?

Wim, we had considered that :o) but the frantic search was for an option in ANALYZE

Kalle, That would be a last resort haha. Good exercise, but quite a bit of work.

Mobeen, hmmm... very good advice!

I wonder why such a qualifier does not exist. It seems many people would want to know who has modified who...

Thanks for your help!

Ed.
Wim Van den Wyngaert
Honored Contributor

Re: How to select "User record" explicitly from Security Database?

We did set audit/listener=audit_mbx
and wrote a program that gets all the alarm info out of the mailbox, formats it as needed and passes it to our real time monitoring.

And the piping only works if your nodes are 7+.

Wim
Jan van den Ende
Honored Contributor

Re: How to select "User record" explicitly from Security Database?

Ed,

I clearly see the use of your question!
Historically, we have security alarms on SYSUAF, so we are able to subtract this info from the Operator logfile, but that indeed is a clumsy trick.
This kind of logging belongs in the AUDIT file, and should be simply available from it.

The ANAL/AUDIT/SELE=TARGET_USER looks like what we want, but it does not produce what one would expect.

I would think that we are not the only ones to whom this is missing functionality, so, I took the liberty to mail Guy Peleg the URL of this thread. Let us hope he can work his magic again!

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Guy Peleg
Respected Contributor

Re: How to select "User record" explicitly from Security Database?

I have forwarded this to the OpenVMS security team.

There are several undocumented keywords for ANALYZE/AUDIT/SELECT. These are fully supported keywords that will be documented with the next release of the O/S.

UAF_ADD=(username,...)
Specifies the user name added to the SYSUAF file

UAF_COPY=(username,...)
Specifies the user name added to the SYSUAF file as the result of a copy operation

UAF_DELETE=(username,...)
Specifies the user name deleted from the SYSUAF file

UAF_MODIFY=(username,...)
Specifies the user name modified in the SYSUAF file

UAF_RENAME=(username,...)
Specifies the (need more research on exact details; please yell when this is being done...) (I believe this is the new username)

UAF_SOURCE=(username,...)
Specifies the (need more research on exact details; please yell when this is being done...) (I believe this is the source username for RENAME and COPY operations)

UID=(uid,...)
Specifies the POSIX-style UID to be used when selecting records.

Is this what you want?

Regards,

Guy Peleg
OpenVMS Engineering
Karl Rohwedder
Honored Contributor

Re: How to select "User record" explicitly from Security Database?

There is always something new to detect in VMS :-]

mfg Kalle
Edwin R. van der Kaaij
Frequent Advisor

Re: How to select "User record" explicitly from Security Database?

Hello!

Thanks for your info Guy.

But... we have tried the uaf_add, uaf_delete and the uaf_modify qualifiers and get no results. The command is accepted by the DCL interpreter, but even with *one letter* wildcards for the name we get no results.

Where are we making a mistake in our thinking?

analyze/audit/select=uaf_modify=*1*/since=10-mar-2005/full/nointer/out=a.a

we get: %AUDSRV-W-NOSELECT, no records selected

We run OpenVMS V7.3-2.

Greetings, Ed.
Guy Peleg
Respected Contributor

Re: How to select "User record" explicitly from Security Database?

The attached is from the OpenVMS security group:
**************************************

My apologies for the initial (/quick/incorrect) response regarding the $ANALYZE/AUDIT qualifiers while hunting for particular user records.

I'll be the first to say that this looks "incomplete" and that, at a minimum, two pieces seem missing.

Here's the answer, from tests and looking at the source code:

To find records that have been ADDED, MODIFIED, or DELETED, use:

/SELECT=UAF_SOURCE=FOOBAR

To find records that have been COPIED, use:

/SELECT=NEW_DATA=NEWFOO

Jan van den Ende
Honored Contributor

Re: How to select "User record" explicitly from Security Database?

Thanks, Guy.

This is (at least to us, Ed will have to evaluate it for his situation) another good step into the right direction.

We now are able to reproduce all changes _BY A SPECIFIC USER_.
But, to find all changes _TO A SPECIFIC USER RECORD_........
.. and native pipe does not help.
We still have an old command PIPE command procedure that works via an intermediate file, and using that, ANA/AUD /SEL=UAF_=*, and searching /WINDOWS=(7,1) produces what we want, but it _IS_ rather clumsy.

Please Guy, keep your SECURITY colleague hot on this, or maybe, get him into ITRC himself!

TIA.

Proost.

Have one on me.

Jan


Don't rust yours pelled jacker to fine doll missed aches.
Ian Miller.
Honored Contributor

Re: How to select "User record" explicitly from Security Database?

/EVENT_TYPE=AUTH/SEL=UAF_SOURCE=x appears to select records showing modifications TO username X which I think was the original question.

UAF_MODIFY does not. UAF_MODIFY is mentioned in the help.
____________________
Purely Personal Opinion
Ian Miller.
Honored Contributor

Re: How to select "User record" explicitly from Security Database?

My previous reply was after testing on an Alpha VMS V7.1 system. On a V7.3-1 system the result is the same but the UAF_* keywords are no longer mentioned in the help.
____________________
Purely Personal Opinion
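
Added example, not part of any post in this thread: a small Python filter for the fallback discussed above (post-processing an ANALYZE/AUDIT/FULL listing such as a.a), which keeps whole records whose "User record:" field is a given account, so changes TO a user are not mixed up with changes BY that user. The record layout (a "Security audit"/"Security alarm" banner followed by "Field: value" lines), the sample listing and the function names are assumptions made for this illustration.

```python
import re

# Constructed sample listing (not real audit data). Assumed layout: each record
# opens with a "Security audit"/"Security alarm" banner, then "Field: value" lines.
SAMPLE = """\
Security audit (SECURITY) on NODEA, system id: 1025
Auditable event:          System UAF record modification
Event time:               10-MAR-2005 09:14:02.11
Username:                 SMITH
User record:              JONES

Security audit (SECURITY) on NODEA, system id: 1025
Auditable event:          System UAF record modification
Event time:               10-MAR-2005 10:30:45.90
Username:                 SYSTEM
User record:              SMITH

Security audit (SECURITY) on NODEA, system id: 1025
Auditable event:          System UAF record addition
Event time:               11-MAR-2005 08:00:00.00
Username:                 SYSTEM
User record:              SMITHSON
"""

RECORD_START = re.compile(r"^Security (audit|alarm)\b")


def parse_records(text):
    """Split the listing into records, each a dict of field name -> value.

    Only the first colon separates name from value (times contain colons),
    and the first occurrence of a field name within a record wins.
    """
    records, current = [], None
    for line in text.splitlines():
        if RECORD_START.match(line):
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current.setdefault(key.strip(), value.strip())
    return records


def changes_to_user(text, target):
    """Records whose "User record:" is exactly `target`, ignoring case."""
    wanted = target.upper()
    return [r for r in parse_records(text)
            if r.get("User record", "").upper() == wanted]


if __name__ == "__main__":
    for rec in changes_to_user(SAMPLE, "smith"):
        print(rec["Event time"], rec["Username"], "->", rec["User record"])
```

A plain text search for SMITH over the same listing would also hit the record where SMITH is the acting Username and the record for SMITHSON; matching on the parsed field avoids both.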