How to select "User record" explicitly from Security Database?

Edwin R. van der Kaaij · ‎03-10-2005

ANALYZE/AUDIT can produce nice summaries.

Is it possible to select records only for a specific user that and sysuaf modification was performed on? Please note! I do NOT mean the privileged user that is performing the audit summary, but the user that is listed in the "User record:" field!

Example: analyze/audit/full/out=a.a/since="01-mar-2005 12:00"/event=(authorization,sysuaf)

I would like to find the /select= option where i can select the username that was modified in the sysuaf operation.

I know that there is a /select=ident=name=<****>, but i want the username :o)

Thanks for ur help!

Ed van der Kaaij

Wim Van den Wyngaert · ‎03-10-2005

I'm afraid it's
$ search a.a "User record:"
or write a dcl script to extract the info.

Wim

Wim

Karl Rohwedder · ‎03-10-2005

I think the layout of the audit file is documented, so you can write a little program :-)...

mfg Kalle

Mobeen_1 · ‎03-10-2005

Ed,
I know yo are going to be annoyed with me, look what i have got

$pipe analyze/audit/full/since="01-Jan-2005 12:00"/event=(authorization,sysuaf) | search sys$input "Username"

I am teasing my brains to see any qualifiers help .. its been a good reading excercise for me :)

rgds
Mobeen

Edwin R. van der Kaaij · ‎03-10-2005

Wim, we had considered that :o) but the frantic search was for an option in ANALYZE

Kalle, That would be a last resort haha. Good exercise, but quite a bit of work.

Mobeen, hmmm... very good advise!

I wonder why such qualifier does not exist. It seems many people would want to know who has modified who...

Thanks for your help!

Ed.

Wim Van den Wyngaert · ‎03-10-2005

We did set audit/listener=audit_mbx
and wrote a program that gets all the alarm info out of the mailbox, format it as needed and pass it to our real time monitoring.

And the piping only works if your nodes are 7+.

Wim

Wim

Jan van den Ende · ‎03-11-2005

Ed,

I clearly see the use of your question!
Historically, we have security alarms on SYSUAF, so we are able to subtract this info from the Operator logfile, but that indeed is a clumsy trick.
This kind of logging belongs in the AUDIT file, and should be simply available from it.

The ANAL/AUDIT/SELE=TARGET_USER looks like what we want, but it does not produce what one would expect.

I would think that we are not the only ones to whom this is missing functionality, so, I took the liberty to mail Guy Peleg the URL of this thread. Let us hope he can work his magic again!

Proost.

Have one on me.

jpe

Don't rust yours pelled jacker to fine doll missed aches.

Guy Peleg · ‎03-12-2005

I have forwarded this to the OpenVMS security team.

There are several undocumented keywords for
ANALYZE/AUDIT/SELECT, these are fully supported keywords that will be documented with the next release of the O/S

UAF_ADD=(username,...)
Specifies the user name added to the SYSUAF file

UAF_COPY=(username,...)
Specifies the user name added to the SYSUAF file as the
result of a copy operation

UAF_DELETE=(username,...)
Specifies the user name deleted from the SYSUAF file

UAF_MODIFY=(username,...)
Specifies the user name modifed in the SYSUAF file

UAF_RENAME=(username,...)
Specifies the (need more research on exact details;
please yell when this is being done...) (I believe
this is the new username)

UAF_SOURCE=(username,...)
Specifies the (need more research on exact details;
please yell when this is being done...) (I believe
this is the source username for RENAME and COPY
operations)

UID=(uid,...)
Specifies the POSIX-style UID to be used when selecting
records.

Is this what you want?

Regards,

Guy Peleg
OpenVMS Engineering

Karl Rohwedder · ‎03-13-2005

There is always something new to detect in VMS :-]

mfg Kalle

Edwin R. van der Kaaij · ‎03-13-2005

Hello!

Thanks for your info Guy.

But... we have tried the uaf_add, uaf_delete and the uaf_modify qualifiers and get no results. The command is accepted by the DCL interpreter, but even with *one letter* wildcards for the name we get no results.

Where are we making a mistake in our thinking?

analyze/audit/select=uaf_modify=*1*/since=10-mar-2005/full/nointer/out=a.a

we get: %AUDSRV-W-NOSELECT, no records selected

We run OpenVMS V7.3-2.

Greetings, Ed.

Guy Peleg · ‎03-14-2005

The attached is from the OpenVMS security
group:
**************************************

My apologies for the initial (/quick/incorrect) response regarding the $ANALYZE/AUDIT qualifiers while hunting for particular user records.

I'll be the first to say that this looks "incomplete" and that, at a minimum, two pieces seem missing.

Here's the answer, from tests and looking at the source code:

To find records that have been ADDED, MODIFIED, or DELETED, use:

/SELECT=UAF_SOURCE=FOOBAR

To find records that have been COPIED, use:

/SELECT=NEW_DATA=NEWFOO

Jan van den Ende · ‎03-14-2005

Thanks, Guy.

This is (at least to us, Ed will have to evaluate it for his situation) another good step into the right direction.

We now are able to reproduce all changes
_BY A SPECIFIC USER_.
But, to find all changes _TO A SPECIFIC USER RECORD_........
.. and native pipe does not help.
We still have an old command PIPE command procedure that works via an intermediate file, and using that, ANA/AUD /SEL=UAF_=*, and searching /WINDOWS=(7,1) procduces what we want, but it _IS_ rather clumsy.

Please Guy, keep your SECURITY collegue hot on this, or maybe, get him into ITRC himself!

TIA.

Proost.

Have one on me.

Jan

Don't rust yours pelled jacker to fine doll missed aches.

Ian Miller. · ‎03-14-2005

/EVENT_TYPE=AUTH/SEL=UAF_SOURCE=x appears to select records showing modifications TO username X which I think was the original question.

UAF_MODIFY does not. UAF_MODIFY is mentioned in the help.

____________________
Purely Personal Opinion

Ian Miller. · ‎03-14-2005

My previous reply was after testing on a Alpha VMS V7.1 system. On a V7.3-1 system the result is the same but the UAF_* keywords are no-longer mentioned in the help.

____________________
Purely Personal Opinion

Categories

Company

Local Language

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Forums

Discussions

Discussions

Forums

Forums

Discussions

Forums

Discussions

Forums

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Discussion Boards

Community

Resources

Other HPE Sites

Discussions

Forums

Blogs

How to select "User record" explicitly from Security Database?

How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?

Re: How to select "User record" explicitly from Security Database?