Operating System - OpenVMS

Re: Is any system process specific to accounting? Am I just missing the obvious?

 
Rich Hearn
Regular Advisor

Is any system process specific to accounting? Am I just missing the obvious?

Hi,

I've had a report that runs every month on the 1st (in my 2 node cluster) and it checks for the use of Authorize:

Account/br/image=authorize dga60:[old_syslogs.Cache1]accountng_Cache1_12-01-2008.dat

In past months, I've always had entries on both nodes showing Authorize use; this month, 1 node has no usage and the other has only the 1st 2 days of the month showing usage.

As a check, I looked to see if Backup was there - in other months, every day it shows up, in this month it stops after the 1st 2 days of November also. I have no "show accounting" commands for November I can check, so I'm wondering if there's a specific process I can check - I usually do a "show sys" a couple of times a day I could go back and check (I keep copies) to see if the accounting had been "disabled".

open to any/all thoughts,
Rich
8 REPLIES 8
John Gillings
Honored Contributor
Solution

Re: Is any system process specific to accounting? Am I just missing the obvious?

Rich,

Do you really have image accounting enabled? I thought that was only recommended by disk manufacturers ;-)

Remember there's nothing to stop me from having my own copy of AUTHORIZE.EXE and calling it something else. You won't necessarily be able to see that using ACCOUNTING, but I'll still be able to play with SYSUAF if I have sufficient privilege.

If you want to track SYSUAF changes, use auditing.

$ SET AUDIT/AUDIT/ENABLE=AUTHORIZATION

"Specifies the modification of any portion of the system user authorization file (SYSUAF), network proxy authorization file (NETPROXY), or the rights list (RIGHTLIST) (including password changes made through the AUTHORIZE, SET PASSWORD, or LOGINOUT commands or the $SETUAI system service)."

The nice thing about auditing is it tells you exactly what was changed, as well as when and by whom, and you don't need to incur the cost of image accounting for all images to get an imperfect report.

For your specific question... the accounting file is written by JOBCTL, but you won't find any logs (since the accounting record IS the log). You may want to check for activations of ACC.EXE, but my guess is that the image activation of ACC which results in image activation accounting being turned off would not itself be logged (besides, accounting can only tell you the image was activated, not what it did). Perhaps there's an entry in OPERATOR.LOG showing the change in state of accounting?

I'd recommend you disable image accounting. It's a large blunt instrument which imposes a significant drain on the system for very little benefit. Use auditing for monitoring your system. It's much finer grained, less of a performance hit and gives much more information about events.
A crucible of informative mistakes
marsh_1
Honored Contributor

Re: Is any system process specific to accounting? Am I just missing the obvious?

Hi,

further to john's comments, there is no entry in the operator.log when accounting is enabled/disabled.
what is your reason for doing this in the first place ? general security ? compliance for auditors or other ?
as john points out you'd be far better off using audit alarms either directly or through acls.
you mention you do a 'sh sys' a couple of times a day - you could write yourself a dcl program to do that and much more and get it to schedule itself.
better still if there is enough justification there are a number of management and security solutions kicking around (pointsecure, raxco etc) that will do the job for you and deliver your reports.
a bit of software doesn't (usually :-)) take days off, get sick, go on holiday or leave the company!

good luck
Jon Pinkley
Honored Contributor

Re: Is any system process specific to accounting? Am I just missing the obvious?

Rich,

The most direct way to determine if accounting is enabled or disabled from DCL is to use the command "SHOW ACCOUNTING". From a program, the system cell exe$gl_acmflags contains the flags that control accounting. Note that accounting is node specific; which activities are recorded does not have to be the same on all nodes of the cluster.

If you don't have something that explicitly disables accounting with the set accounting/disable command, the most likely cause of accounting being disabled is the local JOBCTL process attempting to extend the ACCOUNTNG file unsuccessfully, usually due to the disk holding the accounting files filling up. That will disable accounting, and once disabled it will not automatically be re-enabled once disk space is available. Note that if a node doesn't need to extend the file while there is zero space, then it will not have its accounting disabled. This can explain accounting being disabled at different times on different cluster nodes.

As said by John and Mark, accounting isn't the best tool to use for monitoring changes to the authorization file. It offers no direct information about what was done with the image, so you will not be able to tell the difference between the following commands from image accounting:

$ mcr authorize show system/br
$ mcr authorize modify system/flag=(disuse)

Even $ SET AUDIT/AUDIT/ENABLE=AUTHORIZATION does not catch everything that modifies SYSUAF.DAT. For example, direct RMS access to the file is not audited as an AUTHORIZATION event.

I disagree with John about the usefulness of image accounting. Comparing image accounting to event audits is a bit like comparing a hammer to a screwdriver. The tools are meant to solve different problems.

I think both image accounting and auditing have very useful information. For some things Auditing is better, for others image accounting is better. Image accounting gives you the start and stop times when images were active, a record of some of the resources that were used by it, and the exit status of the image. Those can be useful for giving clues about what things may have contributed to a problem.

The primary resources used by image accounting are disk space and I/O. The resources used by image accounting are essentially fixed per image activation. Whether the image is active for .001 second or 2 days, it uses the same amount of resources. So in effect, it increases the fixed cost of activating images. Unless you have many image activations with very short duration, you probably won't be able to detect the non-disk resources used by image accounting.

We have image accounting, auditing, and T4 running on our production systems. Each provides a different part of the complete picture, and each uses resources.

If the only reason you have image accounting enabled is to see how often AUTHORIZE is run, then I agree with John; turn it off.

However, I find the data useful enough for troubleshooting to dedicate disk space to collect image accounting. Normally I don't even look at the accounting data; but when I need it, I have it.

Jon
it depends
Wim Van den Wyngaert
Honored Contributor

Re: Is any system process specific to accounting? Am I just missing the obvious?

I would put an ACL on each critical file to get an audit alarm. Otherwise remote file accesses are not monitored (define sysuaf node::sys$system:sysuaf.dat and the alarm of audit will come on the node running authorize, not the node on which the sysuaf resides).

Wim
Wim
Hoff
Honored Contributor

Re: Is any system process specific to accounting? Am I just missing the obvious?

I never could manage to secure node::sys$system:sysuaf.dat redirection via DECnet. (Of course if I'm running traditional DECnet, I'm probably not all that much concerned with security, so issuing de facto SETPRV to everybody isn't an issue.)
Rich Hearn
Regular Advisor

Re: Is any system process specific to accounting? Am I just missing the obvious?



John,

Yes, I really am running with accounting enabled :^) it was a "quick & dirty" (we *all* know how that works :^) to take care of the outside Auditing Folks concerns. As you can guess, it worked well enough that I left it running. I also have Auditing for AUTHORIZE and T4 running. It seems to not bother the ES47's & OVMS 8.3, regarding performance, so track it in case it's needed.

Your point regarding a personal copy of AUTHORIZE.EXE is noted, but with the firewall in the .org and most folks, captured acc'ts, not even knowing what Caché (the application) is running on, that seems to be minimal risk. It may be just a matter of changing what reports what to the Security Mgt folks.

Thank you for specifically answering my question - I *know* I didn't stop/id JOB_CONTROL on *any* system :^)


Mark,

It was to get a report to mgt for the auditors concern that we didn't know when someone was using AUTHORIZE.EXE. The "show sys" is just something *I* do for my daily notes that I keep - if something "happens", I can check to see what was going on and, more importantly, did I miss something I should've seen. I do have a number of automated jobs running already, perhaps this should be included for twice a day also. I'll consider it.


Jon,

I'll confess that I don't normally check on Accounting. It hasn't been a problem since I started this last year. The job had run every month showing usage for both nodes. This was a "new one" on me. To answer your specific thought on disabling, I don't specifically disable accounting.

The disk I use for the accounting file never goes far under 1,000,000 vms blocks - I page myself to alert me to correct the condition if it does. This was strange, it seemed that only the image accounting was missing from the monthly log after the 2nd of the month - there were logfails & other items 'til the end of the month.
That's why I was wondering if, perhaps, I inadvertently disabled accounting by killing a process.

Putting my potential mistakes on the table, here's how both nodes in the cluster are set up (showing only one - they're identical, except for the names):

CACHE1::DISK$INFSYS:[RJHEARN]_>show time
2-DEC-2008 10:31:13
CACHE1::DISK$INFSYS:[RJHEARN]_>show accounting
Accounting is currently enabled to log the following activities:

PROCESS any process termination
IMAGE image execution
INTERACTIVE interactive job termination
LOGIN_FAILURE login failures
SUBPROCESS subprocess termination
DETACHED detached job termination
BATCH batch job termination
NETWORK network job termination
PRINT all print jobs
MESSAGE user messages
CACHE1::DISK$INFSYS:[RJHEARN]_>
CACHE1::DISK$INFSYS:[RJHEARN]_>show audit
System security alarms currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached
Privilege use:
OPER

System security audits currently enabled for:
ACL
Authorization
Audit: illformed
Breakin: dialup,local,remote,network,detached
Logfailure: batch,dialup,local,remote,network,subprocess,detached
Privilege use:
OPER
CACHE1::DISK$INFSYS:[RJHEARN]_>

I'm assuming they've been this way since I've started things because I haven't made any intentional changes.


Wim,

I hadn't even thought of that aspect; I was just checking for "local" access - thank you for pointing it out. I will have to spend some time reviewing the reports I've sent out to see how to improve the process.


Hoff,

DECnet isn't being run, so we should be ok with it, but do appreciate the thought.


I would like to say "Thank you" to all of you for your thoughts, knowledge, & yes, even opinions regarding my question, so, Thank you.

Rich
_
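An added example, not part of the thread or any poster's code: because accounting is node-specific and, per the replies above, can end up disabled without anyone issuing SET ACCOUNTING/DISABLE, a scheduled check can parse saved SHOW ACCOUNTING output from each node and flag any expected activity that is no longer listed. The expected set and the CACHE1 capture come from the output quoted in the post above; NODE_B and NODE_C are hypothetical nodes with constructed captures.

```python
import re

# Activities the nodes are expected to log, taken from the SHOW ACCOUNTING
# output quoted in the post above.
EXPECTED = {"PROCESS", "IMAGE", "INTERACTIVE", "LOGIN_FAILURE", "SUBPROCESS",
            "DETACHED", "BATCH", "NETWORK", "PRINT", "MESSAGE"}
HEADER = "Accounting is currently enabled to log the following activities:"
ACTIVITY = re.compile(r"^\s*([A-Z_]+)\s+\S")  # keyword, then its description

def enabled_activities(capture):
    """Return the activity keywords listed under the 'enabled' header."""
    found, in_list = set(), False
    for line in capture.splitlines():
        if HEADER in line:
            in_list = True
        elif in_list and line.strip():
            m = ACTIVITY.match(line)
            if not m:            # next prompt or other text ends the list
                break
            found.add(m.group(1))
        elif in_list and found:  # blank line after the entries ends the list
            break
    return found

def missing_by_node(captures, expected=EXPECTED):
    """Map node name -> sorted expected activities absent from its capture."""
    report = {}
    for node, text in captures.items():
        missing = sorted(expected - enabled_activities(text))
        if missing:
            report[node] = missing
    return report

# CACHE1 mirrors the output in the post; the other two are constructed.
CACHE1 = """CACHE1::DISK$INFSYS:[RJHEARN]_>show accounting
Accounting is currently enabled to log the following activities:

PROCESS any process termination
IMAGE image execution
INTERACTIVE interactive job termination
LOGIN_FAILURE login failures
SUBPROCESS subprocess termination
DETACHED detached job termination
BATCH batch job termination
NETWORK network job termination
PRINT all print jobs
MESSAGE user messages
CACHE1::DISK$INFSYS:[RJHEARN]_>
"""
SAMPLES = {"CACHE1": CACHE1,
           "NODE_B": CACHE1.replace("IMAGE image execution\n", ""),
           "NODE_C": "NODE_C> show accounting\n"}  # no 'enabled' header at all

if __name__ == "__main__":
    for node, missing in missing_by_node(SAMPLES).items():
        print(f"{node}: not logging {', '.join(missing)}")
```

A capture with no "enabled" header is treated as logging nothing, so the check reports every expected activity as missing for that node rather than depending on the exact wording of any other message.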
Zeni B. Schleter
Regular Advisor

Re: Is any system process specific to accounting? Am I just missing the obvious?

Forgive me for asking the obvious but doesn't the image that is to be tracked with image accounting have to be installed with the /Account switch.
Jon Pinkley
Honored Contributor

Re: Is any system process specific to accounting? Am I just missing the obvious?

RE:"Forgive me for asking the obvious but doesn't the image that is to be tracked with image accounting have to be installed with the /Account switch."

No.

INSTALL> help add /accounting

ADD

/ACCOUNTING

/ACCOUNTING
/NOACCOUNTING (default)

Enables image-level accounting for selected images even if image
accounting is disabled on the local node (by using the DCL
command SET ACCOUNTING/DISABLE=IMAGE). When image accounting
is enabled on the local node, it logs all images, and the
/NOACCOUNTING qualifier has no effect.
it depends