
Appendix D: Alarm Messages

This appendix describes the alarm messages that result from auditing various system events. See Security Auditing for a discussion of the auditing system, and see the HP OpenVMS System Management Utilities Reference Manual for a description of the record format of audit messages.

The information included in an alarm message depends on the type of event. In all cases, the alarm message contains the operator communication manager (OPCOM) heading, which includes the date and time the alarm was sent. It also contains the type of alarm event, the date and time the alarm event occurred, and the user who caused the event, identified by user name and process identification (PID). Any other information in an alarm message is specific to the type of event that the alarm signaled.

Alarms Announcing an Object Access

You can audit successful or unsuccessful access to a protected object by specifying the ACCESS keyword with the /ENABLE qualifier of the SET AUDIT command. You designate the object type with the /CLASS qualifier. See "Auditing Protected Objects" on page 87 for a description of object auditing. For example:

%%%%%%%%%%%  OPCOM  17-SEP-2001 10:13:20.46  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event:          Object access
Event time:               17-SEP-2001 10:13:20.09
PID:                      30200117
Process name:             Hobbit
Username:                 GREG
Process owner:            [MTI,GREG]
Terminal name:            RTA1:
Image name:               DSA1:[GREG.TEST.ACCESS]ACCESS.EXE;50
Object class name:        COMMON_EVENT_CLUSTER
Object name:              FOO
Access requested:         READ
Deaccess key:             808E3380
Status:                   %SYSTEM-S-NORMAL, normal successful completion
Privileges used:          none


You can also audit access that is granted through the use of GRPPRV, READALL, SYSPRV, or BYPASS privilege.

Alarms Requested by an ACL

You can audit successful or unsuccessful access to individual protected objects by adding an Alarm ACE or an Audit ACE to an object's ACL and enabling ACL events by specifying the ACL keyword with the /ENABLE qualifier of the SET AUDIT command. For example:

%%%%%%%%%%%  OPCOM  12-NOV-2001 10:53:16.34  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on FNORD, system id: 19681
Auditable event:          Object deletion
Event information:        file deletion request (IO$_DELETE)
Event time:               12-NOV-2001 10:53:16.30
PID:                      20200158
Process name:             FNORD$RTA2
Username:                 HUBERT
Process owner:            [LEGAL,HUBERT]
Terminal name:            RTA2:
Image name:               $1$DIA1:[SYS0.SYSCOMMON.][SYSEXE]DELETE.EXE
Object class name:        FILE
Object owner:             [SYSTEM]
Object protection:        SYSTEM:RWE, OWNER:RWE, GROUP:, WORLD:
File name:                _$1$DIA3:[USERS.HUBERT.TMP]FOO.BAR;2
File ID:                  (4134,20,0)
Access requested:         DELETE
Sequence key:             0005E05F
Status:                   %SYSTEM-F-NOPRIV, insufficient privilege or object protection violation


Alarms Due to Modification of the Authorization Databases

The Authorization class of security events is enabled by default. All changes to the rights database, the system user authorization file, and the network proxy authorization file immediately produce an audit event message.

Changes to the rights database result from such actions as the creation of a new database or the addition, modification, or removal of an identifier. The audit server also reports when there is a change in a user's identifiers. Note that the alarm message cites both the image used to modify the rights database and the change itself. For example:

%%%%%%%%%%%  OPCOM   15-DEC-2001 12:27:17.44  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) and security audit (SECURITY) on LASSIE, system id: 19661
Auditable event:        Identifier modified
Event time:             15-DEC-2001 12:27:17.43
PID:                    00000113
Username:               SYSTEM
Image name:             LASSIE$DMA0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE
Identifier name:        ROBINSON
Identifier value:       %X80010014     New attributes:  RESOURCE


In reporting changes to the system or network user authorization files, the audit server notes the kind of modification as well as the record modified and the change made. For example:

%%%%%%%%%%%  OPCOM  18-DEC-2001 19:53:25.99  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) and security audit (SECURITY) on LASSIE, system id: 19611
Auditable event:        System UAF record addition
Event time:             18-DEC-2001 19:53:25.98
PID:                    20200B25
Username:               SYSTEM
Image name:             $1$DUS0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE
Object name:            SYS$COMMON:[SYSEXE]SYSUAF.DAT;2
Object type:            file
User record added:      COOPER
Fields modified:        FLAGS,PWDLIFETIME


The following alarm message is an example of an alarm resulting from a password change:

%%%%%%%%%%%  OPCOM  26-SEP-2001 15:12:35.95  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on FNORD, system id: 20300
Auditable event:          System UAF record modification
Event time:               26-SEP-2001 15:12:35.92
PID:                      52C00119
Process name:             Hobbit
Username:                 GREG
Process owner:            [RTB,GREG]
Terminal name:            RTA2:
Image name:               $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE
Object name:              CLU$COMMON:<SYSEXE>SYSUAF.DAT;1
Object type:              file
User record:              GREG
Password:                 New:      7C5E4DA2 F19176AF
                          Original: 7C5E4DA2 F19176AF
Password date:            New:         0 00:00:00.00
                          Original: 26-SEP-2001 15:12


Alarms Announcing Break-In Attempts

Break-in attempts are audited by default in the operating system; it audits dialup, local, remote, network, and detached break-ins. Passwords used in break-in attempts are not displayed on security operator terminals, but they are logged to the security audit log file and can be displayed with the Audit Analysis utility.

This type of alarm notes the type of break-in attempt, the device used, the origin of the attempt (if the break-in type was remote or network), and the parent user name (if the break-in type was detached). For example:

%%%%%%%%%%%  OPCOM   7-DEC-2001 14:33:20.69  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event:        Dialup interactive breakin detection
Event time:              7-DEC-2001 14:33:20.68
PID:                    00000052
Username:               SNIDELY
Terminal name:          _LTA13: (AV47C1/LC-2-10)


Alarms Announcing Creation of an Object

You can audit the creation of objects by specifying the CREATE keyword with the /ENABLE qualifier of the SET AUDIT command. This type of alarm notes the class of the object as well as its object name. For example:

%%%%%%%%%%%  OPCOM  17-SEP-2001 10:13:20.29  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event:          Object creation
Event time:               17-SEP-2001 10:13:20.01
PID:                      30200117
Process name:             Hobbit
Username:                 HUBERT
Process owner:            [SST,HUBERT]
Terminal name:            RTA1:
Image name:               DSA1:[HUBERT.TEST.ACCESS]ACCESS.EXE;50
Object class name:        COMMON_EVENT_CLUSTER
Object name:              FOO
Status:                   %SYSTEM-S-NORMAL, normal successful completion


Alarms Announcing Deaccess from an Object

You can audit the deaccess of a process from an object by specifying the DEACCESS keyword with the /ENABLE qualifier of the SET AUDIT command. This type of alarm notes the class of the object. For example:

%%%%%%%%%%%  OPCOM  17-SEP-2001 10:13:38.34  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event:          Object deaccess
Event time:               17-SEP-2001 10:13:38.31
PID:                      30200117
Object class name:        COMMON_EVENT_CLUSTER
Deaccess key:             808E3380


Alarms Announcing Deletion of an Object

You can audit the deletion of objects by specifying the DELETE keyword with the /ENABLE qualifier of the SET AUDIT command. This type of alarm notes the class of the object as well as its object name. For example:

%%%%%%%%%%%  OPCOM  17-SEP-2001 10:13:36.17  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event:          Object access
Event time:               17-SEP-2001 10:13:36.08
PID:                      30200117
Process name:             Hobbit
Username:                 HUBERT
Process owner:            [MTI,HUBERT]
Terminal name:            RTA1:
Image name:               DSA1:[HUBERT.TEST.ACCESS]ACCESS.EXE;50
Object class name:        COMMON_EVENT_CLUSTER
Object name:              FOO
Access requested:         DELETE
Status:                   %SYSTEM-S-NORMAL, normal successful completion
Privileges used:          none


Alarms Announcing Use of the Install Utility

You can audit the use of the Install utility (to install an image or to remove an installed image) by specifying the INSTALL keyword with the /ENABLE qualifier of the SET AUDIT command. Install alarms identify the type of operation, the name of the image affected by the operation, the flags set by the Install operation, and the privileges used. For example:

%%%%%%%%%%%  OPCOM   7-DEC-2001 12:37:49.69  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19661
Auditable event:        Installed file addition
Event time:              7-DEC-2001 12:37:49.68
PID:                    00000113
Username:               SYSTEM
Object name:            LASSIE$DMA0:[SYS0.SYSCOMMON.][SYSEXE]NCP.EXE;1
Object type:            file
INSTALL flags:          /OPEN/HEADER_RESIDENT/SHARED


Alarms Announcing Logins

You can audit successful logins by specifying the LOGIN keyword with the /ENABLE qualifier of the SET AUDIT command. You can audit the batch, dialup, local, remote, network, subprocess, and detached login classes. This type of alarm notes the class of login, the device used, the origin of the login (if it was remote or network), the parent PID (if the login was a subprocess), and the parent user name (if the login was detached). For example:

%%%%%%%%%%%  OPCOM  18-DEC-2001 18:49:40.09  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event:        Batch process login
Event time:             18-DEC-2001 18:49:40.08
PID:                    20002001
Username:               LEWIS


Alarms Announcing Login Failures

You can audit login failures by specifying the LOGFAILURE keyword with the /ENABLE qualifier of the SET AUDIT command. You can audit the batch, dialup, local, remote, network, subprocess, and detached login failure classes. This type of alarm contains the class of login, the device used, a status message detailing the reason for the failure, the origin of the login (if it was remote or network), the parent PID (if the login was a subprocess), and the parent user name (if the login was detached). For example:

%%%%%%%%%%%  OPCOM  7-DEC-2001 12:48:43.50  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event:        Network login failure
Event time:             7-DEC-2001 12:48:43.49
PID:                    0000011D
Username:               DECNET
Remote nodename:        TIGER
Remote node id:         3218
Remote username:        PROBER
Status:                 %LOGIN-F-INVPWD, invalid password
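The following Python script is an added example and is not part of the HP manual or of OpenVMS itself. It parses the OPCOM alarm layout described at the start of this appendix (heading line, "Security alarm ... system id" line, then "Label:   value" fields, with indented continuation lines as in the password and Alarm flags examples) and applies two checks an operator would want on that stream: counting login failures per origin, as in the network login failure example above, and flagging object accesses that were granted through GRPPRV, READALL, SYSPRV, or BYPASS, as mentioned under "Alarms Announcing an Object Access". The sample alarm text, the function names, and the threshold of three failures are assumptions made for this example; in practice the input would be the messages delivered to a security operator terminal.

```python
import re
from collections import Counter

# Constructed sample in the OPCOM alarm layout shown in this appendix; names are made up.
SAMPLE_ALARMS = """\
%%%%%%%%%%%  OPCOM   7-DEC-2001 12:48:43.50  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event:        Network login failure
Username:               DECNET
Remote nodename:        TIGER
Remote username:        PROBER
Status:                 %LOGIN-F-INVPWD, invalid password
%%%%%%%%%%%  OPCOM   7-DEC-2001 12:48:51.02  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event:        Network login failure
Username:               DECNET
Remote nodename:        TIGER
Remote username:        PROBER
Status:                 %LOGIN-F-INVPWD, invalid password
%%%%%%%%%%%  OPCOM   7-DEC-2001 12:49:03.77  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event:        Network login failure
Username:               DECNET
Remote nodename:        TIGER
Remote username:        PROBER
Status:                 %LOGIN-F-INVPWD, invalid password
%%%%%%%%%%%  OPCOM   7-DEC-2001 12:52:10.11  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event:        Object access
Username:               HOBBIT
Object class name:      FILE
Object name:            _$1$DIA3:[USERS.HUBERT.TMP]FOO.BAR;2
Access requested:       READ
Status:                 %SYSTEM-S-NORMAL, normal successful completion
Privileges used:        BYPASS
%%%%%%%%%%%  OPCOM   7-DEC-2001 12:55:00.40  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event:        Security alarm state set
Alarm flags:            ACL,AUTHORIZATION
                        LOGFAIL: (NETWORK,REMOTE)
"""

HEADING = re.compile(r"^%+\s+OPCOM\s+(.+?)\s+%+$")          # OPCOM heading with timestamp
ORIGIN = re.compile(r"\bon (\S+), system id:\s*(\d+)")      # node and system id line
FIELD = re.compile(r"^([A-Z][A-Za-z $]*?):\s+(.*)$")        # "Label:   value" lines
ELEVATING = {"GRPPRV", "READALL", "SYSPRV", "BYPASS"}       # privileges that override protection


def parse_alarms(text):
    """Split an OPCOM stream into messages, each a dict of label -> value.
    Indented lines continue the previous field (Password, Alarm flags)."""
    events, last = [], None
    for line in text.splitlines():
        m = HEADING.match(line)
        if m:
            events.append({"OPCOM time": m.group(1)})
            last = None
            continue
        if not events:
            continue  # anything before the first heading is not an alarm
        ev = events[-1]
        m = FIELD.match(line)
        if line.startswith("Security") and ORIGIN.search(line):
            ev["Node"], ev["System id"] = ORIGIN.search(line).groups()
        elif m:
            last = m.group(1)
            ev[last] = m.group(2).strip()
        elif line[:1].isspace() and last:
            ev[last] += " " + line.strip()
    return events


def repeated_login_failures(events, threshold=3):
    """Login failures per origin (remote node and user, or terminal and user);
    origins with at least `threshold` failures are returned."""
    counts = Counter()
    for ev in events:
        if "login failure" in ev.get("Auditable event", "").lower():
            origin = (ev.get("Remote nodename") or ev.get("Terminal name", "local"),
                      ev.get("Remote username") or ev.get("Username", "?"))
            counts[origin] += 1
    return {origin: n for origin, n in counts.items() if n >= threshold}


def accesses_via_privilege(events):
    """Object accesses that relied on GRPPRV, READALL, SYSPRV or BYPASS."""
    hits = []
    for ev in events:
        used = {p.strip() for p in ev.get("Privileges used", "none").split(",")}
        if used & ELEVATING:
            hits.append((ev.get("Username", "?"), ev.get("Object name", "?"),
                         sorted(used & ELEVATING)))
    return hits
```

Because the field labels vary by event type, the parser keeps every label it sees rather than a fixed schema; the detection functions then pick the labels that matter for their check and fall back to the local user name and terminal when the remote fields are absent.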


Alarms Announcing Logouts

You can audit logouts by specifying the LOGOUT keyword with the /ENABLE qualifier of the SET AUDIT command. You can audit the batch, dialup, local, remote, network, subprocess, and detached logout classes. This type of alarm contains the class of logout, the device used, the origin of the login (if it was remote or network), and the parent PID (if the login was a subprocess). For example:

%%%%%%%%%%%  OPCOM  18-DEC-2001 19:14:22.03  %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event:        Dialup interactive logout
Event time:             18-DEC-2001 19:14:22.02
PID:                    20200001
Username:               DANCER
Terminal name:          _TTA1:


Alarms Announcing Volume Mounts and Dismounts

You can audit mount or dismount requests by specifying the MOUNT keyword with the /ENABLE qualifier of the SET AUDIT command. This type of alarm contains the name of the image used to mount or dismount the volume, the device used, the log file recording the operation, the volume name, its UIC and protection code, and the flags set during the operation. For example:

%%%%%%%%%%%  OPCOM  18-DEC-2001 17:43:26.94  %%%%%%%%%%%
Message from user AUDIT$SERVER on CANINE
Security alarm (SECURITY) on CANINE, system id: 19681
Auditable event:        Volume mount
Event time:             18-DEC-2001 17:43:26.04
PID:                    00000038
Username:               HOBBIT
Image name:             CANINE$DUA0:[SYS0.SYSCOMMON.][SYSEXE]VMOUNT.EXE;1
Object name:            _CANINE$MUA0:
Object type:            device
Object owner:           [DEVO,HOBBIT]
Object protection:      SYSTEM:RWEDC, OWNER:RWEDC, GROUP:RWEDC, WORLD:RWEDC
Logical name:           TAPE$DBACK1
Volume name:            DBACK1
Mount flags:            /OVERRIDE=IDENT/MESSAGE


Alarms Reporting Network Connections

On VAX systems, you can audit the creation and termination of logical links with other nodes in the network when the connections were made through DECnet for OpenVMS. To do so, specify the CONNECTION keyword with the /ENABLE qualifier of the SET AUDIT command. For example:

Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19681
Auditable event:          DECnet logical link deleted
Event time:               12-NOV-2001 10:54:25.01
PID:                      202002EB
Process name:             FAL_16729
Username:                 HUBERT_N
Process owner:            [ACCOUNTS,HUBERT]
Image name:               $1$DIA1:[SYS0.SYSCOMMON.][SYSEXE]FAL.EXE
Remote nodename:          JPT
Remote node id:           19.130
Remote username:          HUBERT
DECnet logical link ID:   16729
DECnet object name:       FAL
DECnet object number:     17
Remote logical link ID:   35429
Status:                   %SYSTEM-S-NORMAL, normal successful completion


Alarms Reporting Use of Process Control System Services

You can audit use of the process control system services, such as $CREPRC or $GETJPI, by specifying the PROCESS keyword with the /ENABLE qualifier of the SET AUDIT command. This type of alarm reports the system service used to control a process, the device used, the name of the process, and its user name. For example:

%%%%%%%%%%%  OPCOM  25-JUL-2001 16:07:09.20  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 20300
Auditable event:          Process suspended ($SUSPND)
Event time:               25-JUL-2001 16:07:08.77
PID:                      30C00119
Process name:             Hobbit
Username:                 HUBERT
Process owner:            [LEGAL,HUBERT]
Terminal name:            RTA1:
Image name:               $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SET.EXE
Status:                   %SYSTEM-S-NORMAL, normal successful completion
Target PID:               30C00126
Target process name:      SMISERVER
Target username:          SYSTEM
Target process owner:     [SYSTEM]


Alarms Reporting Use of Privilege

You can audit the use of privilege by specifying the PRIVILEGE keyword with the /ENABLE qualifier of the SET AUDIT command. The alarm reports the privilege used and what it was used to do. For example:

%%%%%%%%%%%  OPCOM  17-SEP-2001 10:13:20.16  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event:          Privilege used
Event information:        PRMCEB used to create permanent common event flag cluster ($ASCEFC)
Event time:               17-SEP-2001 10:13:20.01
PID:                      30200117
Process name:             Hobbit
Username:                 HUBERT
Process owner:            [MTI,HUBERT]
Terminal name:            RTA1:
Image name:               DSA1:[HUBERT.TEST.ACCESS]ACCESS.EXE;50
Event flag cluster name:  FOO
Privileges used:          PRMCEB


Alarms Reporting Modification of a System Parameter

You can audit the modification of a system parameter by specifying the SYSGEN keyword with the /ENABLE qualifier of the SET AUDIT command. This type of alarm reports on both the active parameters and the parameters stored on disk. For example:

%%%%%%%%%%%  OPCOM  25-JUL-2001 16:09:04.67  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 20300
Auditable event:          SYSGEN parameter set
Event time:               25-JUL-2001 16:09:04.65
PID:                      30C00119
Process name:             Hobbit
Username:                 HUBERT
Process owner:            [LEGAL,HUBERT]
Terminal name:            RTA1:
Image name:               $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SYSGEN.EXE
Parameters write:         SYS$SYSROOT:[SYSEXE]VAXVMSSYS.PAR;68
Parameters inuse:         SYS$SYSROOT:[SYSEXE]VAXVMSSYS.PAR;68
NSA_PAGES:                New:      15
                          Original: 10


Alarms Reporting a Change in System Time

You can audit changes to system time by specifying the TIME keyword with the /ENABLE qualifier of the SET AUDIT command. This type of alarm reports the old and the new system time, the name of the user making the modification, and the device used. For example:

%%%%%%%%%%%  OPCOM  25-JUL-2001 16:08:25.23  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 20300
Auditable event:          System time recalibrated
Event time:               25-JUL-2001 16:08:25.21
PID:                      30C00119
Process name:             Hobbit
Username:                 HUBERT
Process owner:            [LEGAL,HUBERT]
Terminal name:            RTA1:
Image name:               $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SET.EXE
New system time:          25-JUL-2001 16:08:25.19
Old system time:          25-JUL-2001 16:08:25.18


Alarms Resulting from Execution of the SET AUDIT Command

All uses of the SET AUDIT command are automatically audited, and you cannot disable this auditing. The following alarm message is an example of a SET AUDIT alarm:

%%%%%%%%%%%  OPCOM  12-NOV-2001 10:54:11.91  %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on FNORD, system id: 19681
Auditable event:          Security alarm state set
Event time:               12-NOV-2001 10:54:11.58
PID:                      20200158
Alarm flags:              ACL,AUTHORIZATION,CONNECTION
                          BREAKIN: (DIALUP,LOCAL,REMOTE,NETWORK,DETACHED)
                          LOGFAIL: (BATCH,DIALUP,LOCAL,REMOTE,NETWORK,
                                    SUBPROCESS,DETACHED)
