- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- How to select "User record" explicitly from Securi...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Forums
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-10-2005 10:30 PM
03-10-2005 10:30 PM
Is it possible to select records only for a specific user that and sysuaf modification was performed on? Please note! I do NOT mean the privileged user that is performing the audit summary, but the user that is listed in the "User record:" field!
Example: analyze/audit/full/out=a.a/since="01-mar-2005 12:00"/event=(authorization,sysuaf)
I would like to find the /select= option where i can select the username that was modified in the sysuaf operation.
I know that there is a /select=ident=name=<****>, but i want the username :o)
Thanks for ur help!
Ed van der Kaaij
Solved! Go to Solution.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-10-2005 10:43 PM
03-10-2005 10:43 PM
Re: How to select "User record" explicitly from Security Database?
$ search a.a "User record:"
or write a dcl script to extract the info.
Wim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-10-2005 10:50 PM
03-10-2005 10:50 PM
Re: How to select "User record" explicitly from Security Database?
mfg Kalle
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-10-2005 10:53 PM
03-10-2005 10:53 PM
SolutionI know yo are going to be annoyed with me, look what i have got
$pipe analyze/audit/full/since="01-Jan-2005 12:00"/event=(authorization,sysuaf) | search sys$input "Username"
I am teasing my brains to see any qualifiers help .. its been a good reading excercise for me :)
rgds
Mobeen
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-10-2005 11:18 PM
03-10-2005 11:18 PM
Re: How to select "User record" explicitly from Security Database?
Kalle, That would be a last resort haha. Good exercise, but quite a bit of work.
Mobeen, hmmm... very good advise!
I wonder why such qualifier does not exist. It seems many people would want to know who has modified who...
Thanks for your help!
Ed.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-10-2005 11:26 PM
03-10-2005 11:26 PM
Re: How to select "User record" explicitly from Security Database?
and wrote a program that gets all the alarm info out of the mailbox, format it as needed and pass it to our real time monitoring.
And the piping only works if your nodes are 7+.
Wim
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-11-2005 12:09 AM
03-11-2005 12:09 AM
Re: How to select "User record" explicitly from Security Database?
I clearly see the use of your question!
Historically, we have security alarms on SYSUAF, so we are able to subtract this info from the Operator logfile, but that indeed is a clumsy trick.
This kind of logging belongs in the AUDIT file, and should be simply available from it.
The ANAL/AUDIT/SELE=TARGET_USER looks like what we want, but it does not produce what one would expect.
I would think that we are not the only ones to whom this is missing functionality, so, I took the liberty to mail Guy Peleg the URL of this thread. Let us hope he can work his magic again!
Proost.
Have one on me.
jpe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-12-2005 11:24 PM
03-12-2005 11:24 PM
Re: How to select "User record" explicitly from Security Database?
There are several undocumented keywords for
ANALYZE/AUDIT/SELECT, these are fully supported keywords that will be documented with the next release of the O/S
UAF_ADD=(username,...)
Specifies the user name added to the SYSUAF file
UAF_COPY=(username,...)
Specifies the user name added to the SYSUAF file as the
result of a copy operation
UAF_DELETE=(username,...)
Specifies the user name deleted from the SYSUAF file
UAF_MODIFY=(username,...)
Specifies the user name modifed in the SYSUAF file
UAF_RENAME=(username,...)
Specifies the (need more research on exact details;
please yell when this is being done...) (I believe
this is the new username)
UAF_SOURCE=(username,...)
Specifies the (need more research on exact details;
please yell when this is being done...) (I believe
this is the source username for RENAME and COPY
operations)
UID=(uid,...)
Specifies the POSIX-style UID to be used when selecting
records.
Is this what you want?
Regards,
Guy Peleg
OpenVMS Engineering
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-13-2005 12:44 AM
03-13-2005 12:44 AM
Re: How to select "User record" explicitly from Security Database?
mfg Kalle
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-13-2005 10:56 PM
03-13-2005 10:56 PM
Re: How to select "User record" explicitly from Security Database?
Thanks for your info Guy.
But... we have tried the uaf_add, uaf_delete and the uaf_modify qualifiers and get no results. The command is accepted by the DCL interpreter, but even with *one letter* wildcards for the name we get no results.
Where are we making a mistake in our thinking?
analyze/audit/select=uaf_modify=*1*/since=10-mar-2005/full/nointer/out=a.a
we get: %AUDSRV-W-NOSELECT, no records selected
We run OpenVMS V7.3-2.
Greetings, Ed.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-14-2005 12:51 AM
03-14-2005 12:51 AM
Re: How to select "User record" explicitly from Security Database?
group:
**************************************
My apologies for the initial (/quick/incorrect) response regarding the $ANALYZE/AUDIT qualifiers while hunting for particular user records.
I'll be the first to say that this looks "incomplete" and that, at a minimum, two pieces seem missing.
Here's the answer, from tests and looking at the source code:
To find records that have been ADDED, MODIFIED, or DELETED, use:
/SELECT=UAF_SOURCE=FOOBAR
To find records that have been COPIED, use:
/SELECT=NEW_DATA=NEWFOO
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-14-2005 01:56 AM
03-14-2005 01:56 AM
Re: How to select "User record" explicitly from Security Database?
This is (at least to us, Ed will have to evaluate it for his situation) another good step into the right direction.
We now are able to reproduce all changes
_BY A SPECIFIC USER_.
But, to find all changes _TO A SPECIFIC USER RECORD_........
.. and native pipe does not help.
We still have an old command PIPE command procedure that works via an intermediate file, and using that, ANA/AUD /SEL=UAF_=*, and searching /WINDOWS=(7,1) procduces what we want, but it _IS_ rather clumsy.
Please Guy, keep your SECURITY collegue hot on this, or maybe, get him into ITRC himself!
TIA.
Proost.
Have one on me.
Jan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-14-2005 03:15 AM
03-14-2005 03:15 AM
Re: How to select "User record" explicitly from Security Database?
UAF_MODIFY does not. UAF_MODIFY is mentioned in the help.
Purely Personal Opinion
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-14-2005 03:20 AM
03-14-2005 03:20 AM
Re: How to select "User record" explicitly from Security Database?
Purely Personal Opinion