
HP OpenVMS Systems

ask the wizard

Security Audits, Alarms, Logfails, and OPCOM? (tak


The Question is:

 
RE: Security Audits, Alarms, Logfails, and OPCOM?
 
OK, let me try this again...
 
The problem we're having is that ANY login failure (not just bad passwords
or user names) is reported on OPCOM. This includes the times when the user
lets the connection time out or if they hit ^Z at the prompt. Here are some
more OPCOM messages:
 
%%%%%%%%%%%  OPCOM  20-JAN-1999 10:07:37.33  %%%%%%%%%%%    (from node VAX
at 20-JAN-1999 10:07:37.31)
Message from user AUDIT$SERVER on VAX
Security alarm (SECURITY) and security audit (SECURITY) on VAX, system id:
1145
Auditable event:          Local interactive login failure
Event time:               20-JAN-1999 10:07:37.30
PID:                      606024B8
Process name:             _NTY959:
Username:                 <login>
Process owner:            [SYSTEM]
Terminal name:            _NTY959:, [10.102.100.238]
Image name:               $1$DIA0:[SYS1.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Status:                   %LOGIN-F-CMDINPUT, error reading command input
 
and
 
%%%%%%%%%%%  OPCOM  20-JAN-1999 09:36:52.35  %%%%%%%%%%%    (from node VAX
at 20-JAN-1999 09:36:52.34)
Message from user AUDIT$SERVER on VAX
Security alarm (SECURITY) and security audit (SECURITY) on VAX, system id:
1145
Auditable event:          Local interactive login failure
Event time:               20-JAN-1999 09:36:52.34
PID:                      60602698
Process name:             _NTY953:
Username:                 <login>
Terminal name:            NTY953:, _NTY953:, [10.28.100.225]
Remote nodename:          TELNET
Remote username:          0A1C64E1:0402
Status:                   %LOGIN-F-NOSUCHUSER, no such user
 
 
I don't want to disable all login failures, but I'd rather not see these
failures. We get so many failures of these types it's hard to diagnose
when there is a problem or breakin.
 
Thanks again!
 
 


The Answer is :

  A LOGFAIL is a LOGFAIL; unfortunately for you, there is no finer granularity
  provided by the auditing subsystem. One possibility would be to disable
  the LOGFAIL ALARMs but leave BREAKIN ALARMs enabled. You could enable
  LOGFAIL AUDITs and BREAKIN AUDITs and ALARMs. That way only breakin messages
  will be sent to OPCOM, but all events are logged to the audit journal file.
 
  Another possibility is to implement your own finer granularity for LOGFAIL
  and/or breakin messages. Write your own AUDIT LISTENER process which
  scans alarms and sends OPCOM messages only for the ones you want.

answer written or last revised on ( 20-JAN-1999 )
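
The filtering step of the second suggestion, as an added example (not the Wizard's code and not part of OpenVMS): it parses alarms in the text layout quoted in the question and decides which ones should still reach the operator. How a listener process receives alarms and re-issues them to OPCOM is not shown; the suppression list, the function names and the third sample alarm are assumptions.

```python
import re

BANNER = re.compile(r"^%+\s+OPCOM\s", re.M)               # start of each OPCOM message
FIELD = re.compile(r"^([A-Za-z ]+):[ \t]+(\S.*)$", re.M)   # "Name:    value" lines
STATUS = re.compile(r"%(\w+)-(\w)-(\w+)")                  # facility-severity-ident

# Assumption: status idents treated as noise (timeouts, ^Z at the prompt).
SUPPRESS = {"CMDINPUT"}

# Constructed sample: first two alarms abridged from the question, third invented.
SAMPLE = """\
%%%%%%%%%%%  OPCOM  20-JAN-1999 10:07:37.33  %%%%%%%%%%%
Auditable event:          Local interactive login failure
Event time:               20-JAN-1999 10:07:37.30
Terminal name:            _NTY959:, [10.102.100.238]
Status:                   %LOGIN-F-CMDINPUT, error reading command input
%%%%%%%%%%%  OPCOM  20-JAN-1999 09:36:52.35  %%%%%%%%%%%
Auditable event:          Local interactive login failure
Event time:               20-JAN-1999 09:36:52.34
Terminal name:            NTY953:, _NTY953:, [10.28.100.225]
Status:                   %LOGIN-F-NOSUCHUSER, no such user
%%%%%%%%%%%  OPCOM  20-JAN-1999 10:15:02.10  %%%%%%%%%%%
Auditable event:          Local interactive login failure
Event time:               20-JAN-1999 10:15:02.08
Terminal name:            _NTY960:, [192.0.2.10]
Status:                   %LOGIN-F-INVPWD, invalid password
"""

def parse_alarms(text):
    """Split OPCOM text on banner lines; return one field dict per alarm."""
    chunks = BANNER.split(text)[1:]  # anything before the first banner is dropped
    return [{k.strip(): v.strip() for k, v in FIELD.findall(c)} for c in chunks]

def should_forward(alarm, suppress=SUPPRESS):
    """Forward everything except login failures whose status ident is suppressed."""
    if "login failure" not in alarm.get("Auditable event", ""):
        return True  # other event classes (e.g. breakins) always reach the operator
    m = STATUS.search(alarm.get("Status", ""))
    return m is None or m.group(3) not in suppress  # unparsed status stays visible

def filter_alarms(text, suppress=SUPPRESS):
    return [a for a in parse_alarms(text) if should_forward(a, suppress)]

if __name__ == "__main__":
    for alarm in filter_alarms(SAMPLE):
        print(alarm["Event time"], alarm["Terminal name"], alarm["Status"])
```

Suppressed alarms are only withheld from the operator display; with LOGFAIL audits enabled as the answer describes, every event is still written to the audit journal.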
