The OpenVMS system stores information in the intrusion database about
login failures that originate from a specific source and that result
from any number of failure types (invalid password, account expired,
unknown user name). A security manager can identify possible break-in
attempts by using the SHOW INTRUSION command to display the contents of
the intrusion database.
The entries in the intrusion database have the following format:
Intrusion Type Count Expiration Source
|
The information provided in the fields in each entry is as follows:
| Field |
Description |
|
Intrusion
|
Class of intrusion. The type of evasive action that the OpenVMS system
takes depends on the class of intrusion.
|
|
Type
|
Severity of intrusion as defined by the threshold count for login
failures.
|
|
Count
|
Number of login failures associated with a particular source.
|
|
Expiration
|
Absolute time at which a login failure is no longer counted by OpenVMS.
The system parameter LGI_BRK_TMO controls how long the OpenVMS system
keeps track of a login failure.
|
|
Source
|
Origin of the login failure. The information provided in this field
depends on the class of intrusion.
|
In the intrusion database, the operating system classifies login
failures according to their source. The four classes of system
intrusion are as follows:
| Intrusion Class |
Description |
|
NETWORK
|
Login failure originating from a remote node, using a valid user name.
|
|
TERMINAL
|
Login failure originating from one terminal.
|
|
TERM_USER
|
Login failure originating from one terminal, using a valid user name.
|
|
USERNAME
|
Login failure attempting to create a detached process.
|
The class of intrusion determines the type of information presented in
the source field of the entry. Information appears in the source field
in one of the following formats:
| Intrusion Class |
Format of Source Field |
|
NETWORK
|
node::user name
|
|
TERMINAL
|
terminal:
|
|
TERM_USER
|
terminal:user name
|
|
USERNAME
|
user name
|
The type of evasive action that a security manager can take is based on
the type of information provided. For details on how to use this
information, see the HP OpenVMS Guide to System Security.
The intrusion database contains two levels of intrusion entries:
suspect and intruder. The severity level of an entry is displayed in
the type field of the entry. When a login failure associated with a
particular source occurs, the OpenVMS system classifies the login
failure as suspect. Each succeeding login failure from the same source
is counted. The login failure count is displayed in the count field of
the entry. The absolute time at which the login failure ceases to be
counted is displayed in the expiration field of the entry. When the
number of login failures exceeds the number specified by the system
parameter LGI_BRK_LIM, the entry is classified as an intruder. However,
if the parameter LGI_BRK_LIM is set to zero, the first login failure is
not classified as an intruder; the result is the same as if the
parameter LGI_BRK_LIM were set to one.
When an entry is promoted to intruder, the OpenVMS system takes evasive
action by blocking all login attempts from that particular source.
The duration of the evasive action is determined by the system
parameter LGI_HID_TIM. The absolute time at which the evasive action
ends is displayed in the expiration field of the entry.
For information on intrusion detection, prevention, and evasive
actions, see the HP OpenVMS Guide to System Security.
If you determine that an entry in the intrusion database resulted from
a user error and not a break-in attempt, you can remove an entry from
the intrusion database with the DELETE/INTRUSION command. See the
DELETE/INTRUSION command for more details.
