HPE Community
Operating System - OpenVMS
1827293 Members
1400 Online
109717 Solutions
New Discussion

Log keystokes for the SYSTEM account

 
SOLVED
Go to solution
Melinda Chan
Advisor

‎05-24-2004 07:39 PM

‎05-24-2004 07:39 PM

Log keystokes for the SYSTEM account

Hello
as part of an audit requirement, I need to log the keystrokes entered for the SYSTEM account.

They do not want me to $set host 0/log=[filename]. They want an automated solution.

Suggestions anyone? Much appreciated.
0 Kudos
10 REPLIES 10
labadie_1
Honored Contributor

‎05-24-2004 07:56 PM

‎05-24-2004 07:56 PM

Re: Log keystokes for the SYSTEM account

there is a commercial tool called peek and spy, see at

http://www.networkingdynamics.com/Peek.htm
0 Kudos
Karl Rohwedder
Honored Contributor

‎05-24-2004 10:41 PM

‎05-24-2004 10:41 PM

Re: Log keystokes for the SYSTEM account

I use an (very) old utility called LOGGER, which creates a subprocess and logs everything in a file SESSION.LOG.

Perhaps your audit people are satisfied, if you put a call into LOGIN.COM for the system account for interactive logins.

You can find LOGGER e.g. here

http://ftp.uma.es/Vms/Wku/logger.zip
0 Kudos
Melinda Chan
Advisor

‎05-25-2004 01:38 PM

‎05-25-2004 01:38 PM

Re: Log keystokes for the SYSTEM account

thanks to Labadie and Karl for their pointers. You've answered my question. I've looked into both options and they do, do the job.

However a lot of other questions as to the feasibility of logging the SYSTEM a/c has come up. eg. cause & affect to system performance, system startup etc. which I need to work through...

again, thanks for you help MC
0 Kudos
Stanley F Quayle
Valued Contributor

‎05-26-2004 12:02 AM

‎05-26-2004 12:02 AM

Re: Log keystokes for the SYSTEM account

You may find some useful stuff here:

http://h71000.www7.hp.com/wizard/wiz_9607.html
http://h71000.www7.hp.com/wizard/wiz_4920.html

http://h71000.www7.hp.com/wizard/openvms_faq.html
(especially topic 5.2, but it's all good stuff)

You'll also want to refer to the Guide to OpenVMS System Security manual, available off of the Documentation link at http://www.hp.com/go/openvms

You will want to secure physical access to the system console, since that can be used to bypass security.

I have written a script that logs access to the SYSTEM account. Run it from SYS$MANAGER:SYLOGIN.COM. It's attached.
http://www.stanq.com/charon-vax.html
0 Kudos
Wim Van den Wyngaert
Honored Contributor

‎05-26-2004 03:16 AM

‎05-26-2004 03:16 AM

Re: Log keystokes for the SYSTEM account

If you setup proxy for rlogin, you can add to login.com

$ if (f$mode() .eqs. "INTERACTIVE") .and. -
f$getdvi("TT","TRM")
$ then
$ rlogin/log=xxx localhost
$ logout
$ endif

Wim
0 Kudos
Keith Parris
Trusted Contributor

‎06-08-2004 05:08 AM

‎06-08-2004 05:08 AM

Re: Log keystokes for the SYSTEM account

PointSecure's System Detective also seems to be able record session activity. See http://www.pointsecure.com/products/sys_det.asp
0 Kudos
John Gillings
Honored Contributor

‎06-08-2004 09:39 AM

‎06-08-2004 09:39 AM

Solution

Re: Log keystokes for the SYSTEM account

Melinda,

Auditors can be rather silly at times. This request is a bit like a bank giving tellers a special ledger to record the amounts they embezzle ;-)

Since this is the SYSTEM account, there is simply NO WAY to guarantee a high integrity log on the same host. The SYSTEM account has several "ALL" class privileges, so would be able to bypass or censor any mechanism you implement.

It would be possible to make a log on a different host (on which the users of the target SYSTEM account have no privileged access). You then need to force all logins to the secure system through the gatekeeper system.

Please log a call with the CSC. I have some sample code which may help. We can also discuss performance and management.

A crucible of informative mistakes
Martin P.J. Zinser
Honored Contributor

‎06-08-2004 02:54 PM

‎06-08-2004 02:54 PM

Re: Log keystokes for the SYSTEM account

Hello,

if there is really a good need for it, there
is always the solution of secondary passwords for the system account. If you make sure that every person only knows one of the two passwords, you can be pretty sure that no >>single<< person can tamper with the system, you need at least two to do so ;-). This does assume physical access to the console is secured.

Greetings, Martin
0 Kudos
Jan van den Ende
Honored Contributor

‎06-08-2004 09:29 PM

‎06-08-2004 09:29 PM

Re: Log keystokes for the SYSTEM account

Martin,

and then you still must be able to guarantee that there is no other way to tweak the double password requirement.
How do you enforce the permanent presence of two people at the logged-on session, and simultaniously have each one of them have his/her own password regularly changed without the other being aware?
And if you want to show real paranoia, how do you guarantee those two will not form a conspiracy?
Somewhere on the line you will hit the point where you just plainly HAVE to rely on some amount of trust...

Jan
Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Willem Grooters
Honored Contributor

‎06-09-2004 12:16 AM

‎06-09-2004 12:16 AM

Re: Log keystokes for the SYSTEM account

You most definitely need some trust.

"If you don't trust anyone, don't allow anyone even near your machine and unplug all network connections"
I would add: "and if you're really paranoid, disconnect it from the main power as well, there might be nerds out there trying to break in along THAT way"

Ridiculous, of course. ;-))
Audit is fine. Being suspicious is Ok in some degree put paranoia tends to drift off into the blue. This type of audit logs tend to get quite unworkable

Best way to secure the system and keep a _workable_ audit log, just use some common sense. Of course you may run into exceptions, but these should be very rare (that means: exceptional).

1. NEVER use SYSTEM login, except when really required (typically installation) and then only from the console. A secondary (SYSTEM) password can be an extra barrier. Limit this to just a few people.
Diasllow interactive login, normally.
Have a password lifetime long enough to login and finish the intended activity, but as short as possible.

2. Strip authorized privileges to the bare bones to what a person REALLY needs. Same for default - being a (minimal) subset of authorized privileges.
Those that require access conform SYSTEM would need just enough privileges as well.
NEVER GIVE OUT SETPRV or BYPASS. These are 'never' needed.

3. That means that people that really need SYSTEM-like access can do with just their needs - normally a subset of the whole bunch. They can always set their level of privilege to match their need (BTW - kan SET PROC/PRIV be audited). One possibility they will need is to generate a new SYSTEM password and change other attributes when needed (this can be audited!).

4. If you do your SYSTEM work, keep away as far as you can from using arrowkeys (buffer recall), fullscreen editor....It makes the log quite unreadble.

The _easiest_ way for audit log is a plain-ASCII teletype terminal as I used to have them on PDP's. If you have a VT terminal hookedup as a console, you could think of attaching a printer to it and set it to follow in- and output.

Willem
Willem Grooters
OpenVMS Developer & System Manager
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.