The operating system provides a number of mechanisms that allow systematic surveillance of the activity in your system. There are many mechanisms available for monitoring the system either manually or by user-written command procedures, for example:
Accounting utility (ACCOUNTING)
Authorize utility (AUTHORIZE)
Install utility (INSTALL)
System Management utility (SYSMAN)
Proper use of such mechanisms should help you verify settings, alert you to problems, and allow you to intervene. This section describes the two most important system surveillance mechanisms: ACCOUNTING and ANALYZE/AUDIT.
System Accounting
You can learn what the normal pattern of resource use is by studying reports of the Accounting utility (ACCOUNTING). To obtain a report, you run the utility image SYS$SYSTEM:ACC.EXE (the DCL command ACCOUNTING) against the accounting data file, SYS$MANAGER:ACCOUNTNG.DAT. Review ACCOUNTING reports regularly because they can provide early indications of problems. Check for the following:
Unfamiliar user names
Unfamiliar patterns of use, such as unusual activity for a particular time of day or day of week
Use of an unusual amount of resources
Unfamiliar sources of login, such as network nodes or remote terminals
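The review this list describes can be scripted. The following command procedure is an added example, not code from the original page: it assumes the default data file SYS$MANAGER:ACCOUNTNG.DAT, enables the accounting record types its reports depend on, and writes reports to file names under SYS$MANAGER that are arbitrary choices.

```dcl
$! DAILY_ACC_REVIEW.COM  (added example; not from the original page)
$! Produces the ACCOUNTING reports that make the four warning signs
$! listed above visible. Report file names are assumptions, not
$! defaults of the utility.
$ SET NOON
$ acc_file = "SYS$MANAGER:ACCOUNTNG.DAT"     ! default accounting data file
$ outdir   = "SYS$MANAGER:"                  ! assumed location for reports
$!
$! Make sure the record types the reports depend on are collected:
$! LOGIN_FAILURE gives the LOGFAIL records, PROCESS and IMAGE give the
$! per-user resource figures, the rest record how sessions started.
$ SET ACCOUNTING/ENABLE=(LOGIN_FAILURE,PROCESS,IMAGE,INTERACTIVE,NETWORK,BATCH)
$!
$! 1. Unfamiliar user names and unusual resource use: one line per
$!    user with record count, elapsed time and CPU time for yesterday.
$ ACCOUNTING 'acc_file' /SINCE=YESTERDAY /BEFORE=TODAY -
      /SUMMARY=USER /REPORT=(RECORDS,ELAPSED,PROCESSOR) -
      /OUTPUT='outdir'ACC_USERS.LIS
$!
$! 2. Unfamiliar login sources: the same records broken down by the
$!    originating node and terminal for each user.
$ ACCOUNTING 'acc_file' /SINCE=YESTERDAY /BEFORE=TODAY -
      /SUMMARY=(USER,NODE,TERMINAL) /REPORT=RECORDS -
      /OUTPUT='outdir'ACC_SOURCES.LIS
$!
$! 3. Unusual time of day: record counts per hour. Activity in hours
$!    that are normally quiet is the signal to look for.
$ ACCOUNTING 'acc_file' /SINCE=YESTERDAY /BEFORE=TODAY -
      /SUMMARY=HOUR /REPORT=RECORDS -
      /OUTPUT='outdir'ACC_HOURS.LIS
$!
$! 4. Every login failure in full, including where it came from.
$ ACCOUNTING 'acc_file' /SINCE=YESTERDAY /BEFORE=TODAY -
      /TYPE=LOGFAIL /FULL -
      /OUTPUT='outdir'ACC_LOGFAIL.LIS
$ EXIT
```

Submit the procedure as a daily batch job and keep the four reports from a known-quiet week as the baseline; the summaries are small enough to compare by eye, and a user, node or hour that appears in today's report but not in the baseline is what the list above asks you to notice.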
Security Auditing
As the security administrator, you can have the operating system report on security-related activity by enabling categories of events for auditing using the DCL command SET AUDIT. Using the Audit Analysis utility (ANALYZE/AUDIT), you can periodically review event messages collected in the security audit log file. (See Security Auditing for a full description of the process.)
The operating system can send event messages to an audit log file or to an operator terminal. You define whether events are reported as audits or alarms in the following way:
Ordinarily, enable audits rather than alarms for security-related events, because audit records are written to the system security audit log, where you can study them in volume and archive log files for future reference. While an isolated audit message may offer little insight, numerous audit records produce a pattern of security violations. For example, with auditing of object access, you can see a pattern of times, types of objects being accessed, and other system information that, in total, paints a picture of how the system is being used at different times of day.
To enable audits for unsuccessful access to files, devices, and volumes, enter the following command:
$ SET AUDIT/AUDIT/ENABLE=ACCESS=FAILURE/CLASS=(FILE,DEVICE,VOLUME)
This command records unsuccessful access events in the security audit log file but sends no alarms to the operator terminal.
Enable security alarms for events that should be reviewed immediately, such as intrusion attempts or changes to the system user authorization file (SYSUAF.DAT). For example, to enable alarms for modifications to the known file list and changes to the system time, enter the following command:
$ SET AUDIT/ALARM/ENABLE=(INSTALL,TIME)
This command sends event messages to the operator terminal. To keep a hardcopy record of these alarms, use a hardcopy operator terminal, or enable the events as both alarms and audits.
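The periodic review of the audit log that makes audits more useful than alarms can itself be a command procedure. The following is an added example, not code from the original page: it assumes the default log file name SYS$MANAGER:SECURITY.AUDIT$JOURNAL, that the event classes it selects have been enabled with SET AUDIT, and that the report file names and the user name SMITH are placeholders.

```dcl
$! AUDIT_REVIEW.COM  (added example; not from the original page)
$! Reads the security audit log the way this section suggests: totals
$! first, to see the pattern, then detail only for the event classes
$! worth reading one record at a time.
$ SET NOON
$ log = "SYS$MANAGER:SECURITY.AUDIT$JOURNAL"   ! default audit log name
$!
$! The audit server buffers records; write them out so the review
$! covers everything up to this moment.
$ SET AUDIT/SERVER=FLUSH
$!
$! Record counts per event type since yesterday. A rising LOGFAIL or
$! BREAKIN total shows up here before anyone reads a single record.
$ ANALYZE/AUDIT 'log' /SINCE=YESTERDAY /SUMMARY -
      /OUTPUT=SYS$MANAGER:AUDIT_TOTALS.LIS
$!
$! Full detail of the records that matter individually: login
$! failures, break-in attempts and (provided the AUTHORIZATION class
$! is enabled) changes to SYSUAF, RIGHTSLIST and NETPROXY.
$ ANALYZE/AUDIT 'log' /SINCE=YESTERDAY /FULL -
      /EVENT_TYPE=(LOGFAIL,BREAKIN,AUTHORIZATION) -
      /OUTPUT=SYS$MANAGER:AUDIT_DETAIL.LIS
$!
$! Object-access records for one account, once the totals point at
$! it. SMITH is a placeholder for the user name in question.
$ ANALYZE/AUDIT 'log' /SINCE=YESTERDAY /BRIEF -
      /EVENT_TYPE=ACCESS /USER_NAME=SMITH -
      /OUTPUT=SYS$MANAGER:AUDIT_ACCESS_SMITH.LIS
$!
$! Archive the reports together with the log file they came from,
$! then start a fresh log so the next review covers only new events.
$ SET AUDIT/SERVER=NEW_LOG
$ EXIT
```

The /SUMMARY report is the one to look at first: the time-of-day pattern the text describes is a property of many records, not of any one of them, and the totals table is where a change in that pattern is visible. Keep the closed log files; ANALYZE/AUDIT reads an archived log exactly as it reads the live one.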
Because security auditing affects system performance, enable auditing only for the most important events. The following security-auditing actions are presented in order of decreasing priority and increasing system cost:
Enable security auditing for login failures and break-ins. This is the best way to detect probing by outsiders (and insiders looking for accounts). All sites needing security should enable alarms for these events.
Enable security auditing for logins. Auditing successful logins from the more suspicious sources, such as remote and dialup users, provides the best way to track which accounts are being used. An audit record is written before users logging in to a privileged account can disguise their identity.
Enable security auditing for unsuccessful file access (ACCESS=FAILURE). This technique audits all file-protection violations and is an excellent method of catching probers.
Apply ACL-based file access auditing to detect write access to critical system files. The most important files to audit are shown in Table 1, System Files Benefiting from ACL-Based Auditing. (Access Control Entries (ACEs) for Security Auditing presents an example of how to establish security entries in ACLs.) You may want to audit only successful access to these files to detect penetration, or you may want to audit access failures to detect probing as well.
Note that some of the files in Table 1 are written during normal system operation. For example, SYSUAF.DAT is written during each login, and SYSMGR.DIR is written when the system boots.
Table 1 System Files Benefiting from ACL-Based Auditing

Device and Directory    File Name
--------------------    --------------------
SYS$SYSTEM              AUTHORIZE.EXE
                        F11BXQP.EXE
                        LOGINOUT.EXE
                        DCL.EXE
                        JOBCTL.EXE
                        SYSUAF.DAT
                        NETPROXY.DAT
                        RIGHTSLIST.DAT
                        STARTUP.COM
                        VMS$OBJECTS.DAT
SYS$LIBRARY             SECURESHR.EXE
                        SECURESHRP.EXE
SYS$MANAGER             VMS$AUDIT_SERVER.DAT
                        SY*.COM
                        VMSIMAGES.DAT
SYS$SYSROOT             [000000]SYSEXE.DIR
                        [000000]SYSLIB.DIR
                        [000000]SYS$LDR.DIR
                        [000000]SYSMGR.DIR
Enable security auditing for modifications to system parameters or the known file list (/ENABLE=(SYSGEN,INSTALL)).
Audit use of privilege to access files (either write access or all forms of access). Implement the security audit with the keywords ACCESS=(SYSPRV,BYPASS,READALL,GRPPRV). Note that this class of auditing can produce a large volume of output because privileges are often used in normal system operation for such tasks as mail delivery and operator backups.
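The six actions above, applied in the same priority order as one command procedure. This is an added example, not code from the original page: the event keywords and the ACE form are the ones this section uses, the files that receive ACEs are taken from Table 1, and the decision about which of them get audits and which get alarms is an assumption made for illustration rather than a recommendation of the guide.

```dcl
$! AUDIT_BASELINE.COM  (added example; not from the original page)
$! Applies the prioritized auditing actions listed above. Files given
$! ACEs come from Table 1; the split between audit and alarm ACEs is
$! an assumption for this example.
$ SET NOON
$!
$! 1. Login failures and break-ins: alarm and audit, from every source.
$ SET AUDIT/ALARM/AUDIT/ENABLE=(LOGFAILURE=ALL,BREAKIN=ALL)
$!
$! 2. Successful logins, only from the sources that deserve suspicion.
$ SET AUDIT/AUDIT/ENABLE=LOGIN=(DIALUP,REMOTE,NETWORK)
$!
$! 3. Every file-protection violation, to the audit log only.
$ SET AUDIT/AUDIT/ENABLE=ACCESS=FAILURE/CLASS=FILE
$!
$! 4. ACL-based auditing of critical files. An AUDIT=SECURITY or
$!    ALARM=SECURITY ACE produces no event unless the ACL event class
$!    is enabled for that destination, so enable the class first.
$!    WRITE+SUCCESS detects modification; SYSUAF.DAT is written at
$!    every login, so routine records for it are expected.
$ SET AUDIT/AUDIT/ENABLE=ACL
$ SET AUDIT/ALARM/ENABLE=ACL
$ SET SECURITY/CLASS=FILE -
      /ACL=(AUDIT=SECURITY,ACCESS=WRITE+SUCCESS) -
      SYS$SYSTEM:SYSUAF.DAT, SYS$SYSTEM:RIGHTSLIST.DAT, -
      SYS$SYSTEM:NETPROXY.DAT, SYS$SYSTEM:STARTUP.COM, -
      SYS$MANAGER:VMS$AUDIT_SERVER.DAT
$! The authorization and login images should never change outside an
$! upgrade, so they get an alarm as well; FAILURE is added to catch
$! probing of these two files in addition to penetration.
$ SET SECURITY/CLASS=FILE -
      /ACL=(ALARM=SECURITY,ACCESS=WRITE+SUCCESS+FAILURE) -
      SYS$SYSTEM:AUTHORIZE.EXE, SYS$SYSTEM:LOGINOUT.EXE
$!
$! 5. Changes to system parameters and the known file list.
$ SET AUDIT/AUDIT/ENABLE=(SYSGEN,INSTALL)
$!
$! 6. File access obtained through privilege. Expect volume: mail
$!    delivery and operator backups use these privileges routinely.
$ SET AUDIT/AUDIT/ENABLE=ACCESS=(SYSPRV,BYPASS,READALL,GRPPRV)/CLASS=FILE
$!
$! Verify what is now enabled for each destination.
$ SHOW AUDIT/ALL
$ EXIT
```

SET AUDIT settings are recorded by the audit server in SYS$MANAGER:VMS$AUDIT_SERVER.DAT, which is why that file itself appears in Table 1 and receives an ACE above; the procedure therefore needs to run once, not at every boot, and the SHOW AUDIT/ALL at the end is the check that each class landed on the destination intended for it. Run step 6 for a few days and measure the record volume before deciding whether the site can afford to keep it.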