|
 HP OpenVMS Guide to System Security |
 Security for the User |
| Using the System Responsibly |
|
|
| |
Auditing Access to Your Account and Files
This section describes how to monitor your last login timefor possible intrusions. It also describes how to work with yoursecurity administrator to enable certain types of auditing.
Observing Your Last Login Time
The operating system maintains information in your UAF recordabout the last time you logged in to your account. Your securityadministrator decides whether the system should display this informationat login time. Sites with medium to high security requirements frequentlydisplay this information and ask users to check it for unusual orunexplained successful logins and unexplained failed logins.
If there is a report of an interactive or a noninteractivelogin at a time when you were not logged in, report it promptlyto your security administrator. Also change your password. The securityadministrator can investigate further by using accounting filesand audit logs.
If you receive a login failure message and cannot accountfor the failure, it is likely that someone has been trying to accessyour account unsuccessfully. Check your password to ensure thatit adheres to all recommendations for password security describedin Guidelines for Protecting Your Password. If not,change your password immediately.
If you expect to see a login failure message and it does notappear or if the count of failures is too low, change your password.Report either of these indications of login failure problems toyour security administrator.
Adding Access Control Entries to SensitiveFiles
If you have key files that may have been accessed improperly,you may want to develop a strategy with your security administratorto audit access to the files.
Once you review the situation and ensure that you have doneeverything possible to protect your files with standard protectioncodes and general ACLs (described in Protecting Data), you may conclude that security auditing is required.
To specify security auditing, you can add special access controlentries (ACEs) to files you own or to which you have control access.Keep in mind, however, that the audit log file is a systemwide mechanism,so HP recommends that a site security administrator control theuse of file auditing. Although you can add auditing ACEs to filesover which you have control, the security administrator has to enableauditing of files on a system level.
For example, if user RWOODS and his security administratoragree that they must know when a highly confidential file, CONFIDREVIEW.MEM,is being accessed, RWOODS can add an entry to the existing ACL forthe file CONFIDREVIEW.MEM, as follows:
After RWOODS adds the security-auditing entry, the securityadministrator enables file-access auditing so that access attemptsare recorded. See Auditing File Access formore information on file-access auditing.$SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+WRITE-_$+DELETE+CONTROL+FAILURE+SUCCESS) CONFIDREVIEW.MEM
An access violation of one file frequently indicates accessproblems with other files. Therefore, the security administratormay need to monitor access to all key files having security-auditingACEs. When undesired access is gained to key files, the securityadministrator must take immediate action.
Asking Your Security Administrator to EnableAuditing
A security administrator can direct the operating system tosend an audit message to the system security audit log file or analarm to terminals enabled as security operator terminals wheneversecurity-relevant events occur. For example, the security administratormight identify one or more files for which write access is prohibited.An audit message can be sent to indicate attempted access to thesefiles.
Auditing File Access
If you suspect intrusion attempts to your account, the securityadministrator may temporarily enable auditing for all file access.The security administrator can also enable auditing to monitor readaccess to your files to catch file browsers.
For example, assume you decide to audit the file CONFIDREVIEW.MEM,which has a security-auditing ACE (see Adding Access Control Entries to Sensitive Files). If user ABADGUY accesses CONFIDREVIEW.MEM andhas delete access, the following audit record is written to thesystem security audit log file:
%%%%%%%%%%% OPCOM 7-DEC-2001 07:21:11.10 %%%%%%%%%%%Message from user AUDIT$SERVER on BOSTONSecurity audit (SECURITY) on BOSTON, system id: 19424Auditable event: Attempted file accessEvent time: 7-DEC-2001 07:21:10.84PID: 23E00231Username: ABADGUYImage name: BOSTON$DUA0:[SYS0.SYSCOMMON.][SYSEXE]DELETE.EXEObject name: _BOSTON$DUA1:[RWOODS]CONFIDREVIEW.MEM;1Object type: fileAccess requested: DELETEStatus: %SYSTEM-S-NORMAL, normal successful completionPrivileges used: SYSPRVThe auditing message reveals the name of the perpetrator,the method of access (successful deletion accomplished by usingthe program [SYSEXE]DELETE.EXE), time of access (7:21 a.m.), andthe use of a privilege (SYSPRV) to gain access to the file. Withthis information, the security administrator can take action.
Note that the security audit message is written to the securityaudit log file every time any file is accessed and meets the conditionsspecified in the audit entry of the ACL for that file (see Adding Access Control Entries to Sensitive Files). Access to the fileCONFIDREVIEW.MEM, as well as access to any file on the system thatis protected with security auditing, prompts an audit record tobe written to the security audit log file.
After auditing has been introduced, check with your securityadministrator periodically to see if any additional intrusions haveoccurred.
Additional Events to Audit
In addition to file auditing, the security administrator canselect other types of events that warrant special attention whenthey occur. Events triggering an audit or alarm may include thefollowing:
|
|
