HP OpenVMS DCL Dictionary




SHOW INTRUSION

Displays the contents of the intrusion database.

Requires SECURITY privilege.


Format

SHOW INTRUSION


Description

The OpenVMS system records in the intrusion database every login failure that originates from a specific source, whatever the reason for the failure (invalid password, expired account, unknown user name). A security manager can identify possible break-in attempts by using the SHOW INTRUSION command to display the contents of the intrusion database.

The entries in the intrusion database have the following format:


Intrusion      Type      Count      Expiration      Source 

The information provided in the fields in each entry is as follows:
Field        Description
Intrusion    Class of intrusion (NETWORK, TERMINAL, TERM_USER or USERNAME). The type of evasive action that the OpenVMS system takes depends on the class of intrusion.
Type         Severity of the entry, SUSPECT or INTRUDER, as determined by the threshold count for login failures (LGI_BRK_LIM).
Count        Number of login failures recorded for the source.
Expiration   Absolute time at which the entry lapses. For a SUSPECT entry, this is the time after which its login failures are no longer counted; the system parameter LGI_BRK_TMO controls how long the OpenVMS system keeps track of a login failure. For an INTRUDER entry, it is the time at which evasive action ends (controlled by LGI_HID_TIM).
Source       Origin of the login failure. The information provided in this field depends on the class of intrusion.

In the intrusion database, the operating system classifies login failures according to their source. The four classes of system intrusion are as follows:
Intrusion Class   Description
NETWORK           Login failure originating from a remote node, using a valid user name.
TERMINAL          Login failure originating from one terminal.
TERM_USER         Login failure originating from one terminal, using a valid user name.
USERNAME          Login failure attempting to create a detached process.

The class of intrusion determines the type of information presented in the source field of the entry. Information appears in the source field in one of the following formats:
Intrusion Class   Format of Source Field
NETWORK           node::user name
TERMINAL          terminal:
TERM_USER         terminal:user name
USERNAME          user name

What a security manager can do about an entry depends on what its source field identifies (a remote node and user, a terminal, a terminal and user, or a user name). For details on how to use this information, see the HP OpenVMS Guide to System Security.

The intrusion database contains two levels of intrusion entries: suspect and intruder. The severity level of an entry is displayed in the type field of the entry. When the first login failure associated with a particular source occurs, the OpenVMS system classifies the source as suspect. Each succeeding login failure from the same source is counted; the login failure count is displayed in the count field of the entry, and the absolute time at which the login failures cease to be counted is displayed in the expiration field. When the number of login failures exceeds the number specified by the system parameter LGI_BRK_LIM, the entry is classified as an intruder. (Example 3 below shows an entry with a count of 5 that is still SUSPECT, so LGI_BRK_LIM on that system was at least 5.) However, if the parameter LGI_BRK_LIM is set to zero, the first login failure is not classified as an intruder; the result is the same as if the parameter LGI_BRK_LIM were set to one.

When an entry is promoted to intruder, the OpenVMS system takes evasive action by rejecting every login attempt from that source, whether or not the password supplied is correct.

The duration of the evasive action is determined by the system parameter LGI_HID_TIM. The absolute time at which the evasive action ends is displayed in the expiration field of the entry.
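The escalation just described, as an added example for this page rather than OpenVMS code: a small simulation of how the intrusion database counts failures per source and promotes an entry from SUSPECT to INTRUDER once the count exceeds LGI_BRK_LIM. The parameter names are the real SYSGEN parameters; the values used (5, 300 s, 300 s) and the timer details are assumptions of the model: each failure while SUSPECT re-arms an LGI_BRK_TMO window, and promotion starts an LGI_HID_TIM block that later failures do not extend. Check SYSGEN on your own system and the Guide to System Security before relying on either.

```python
"""Simulation of the SUSPECT-to-INTRUDER escalation of the intrusion database.

Added example for this page, not OpenVMS code. LGI_BRK_LIM, LGI_BRK_TMO and
LGI_HID_TIM are the real system parameter names; the values below and the
timer behaviour are assumptions of the model (see the lead-in).
"""
from dataclasses import dataclass

LGI_BRK_LIM = 5     # failures a source may accumulate before promotion (assumed value)
LGI_BRK_TMO = 300   # seconds a suspect's failures stay counted (assumed value)
LGI_HID_TIM = 300   # seconds an intruder stays blocked (assumed value)


@dataclass
class Entry:
    intrusion: str           # NETWORK, TERMINAL, TERM_USER or USERNAME
    source: str              # e.g. "NODE22::RONNING" or "AV34C2/LC-1-15:"
    type: str = "SUSPECT"    # SUSPECT or INTRUDER
    count: int = 0           # login failures recorded for this source
    expiration: float = 0.0  # absolute time (seconds) at which the entry lapses


class IntrusionDatabase:
    def __init__(self, brk_lim=LGI_BRK_LIM, brk_tmo=LGI_BRK_TMO, hid_tim=LGI_HID_TIM):
        # The page states that LGI_BRK_LIM = 0 behaves exactly like 1.
        self.brk_lim = max(brk_lim, 1)
        self.brk_tmo = brk_tmo
        self.hid_tim = hid_tim
        self.entries = {}    # (intrusion class, source) -> Entry

    def _expire(self, now):
        # A lapsed SUSPECT entry is forgotten; a lapsed INTRUDER entry ends the block.
        for key in [k for k, e in self.entries.items() if e.expiration <= now]:
            del self.entries[key]

    def login_failure(self, now, intrusion, source):
        """Record one failed login from `source` at time `now`; return its entry."""
        self._expire(now)
        key = (intrusion, source)
        entry = self.entries.get(key)
        if entry is None:
            entry = self.entries[key] = Entry(intrusion, source)
        entry.count += 1
        if entry.type == "INTRUDER":
            return entry                   # already blocked; the count keeps growing
        if entry.count > self.brk_lim:     # "exceeds" LGI_BRK_LIM, not "reaches"
            entry.type = "INTRUDER"
            entry.expiration = now + self.hid_tim   # evasive action in force until then
        else:
            entry.expiration = now + self.brk_tmo   # assumption: window re-armed per failure
        return entry

    def is_blocked(self, now, intrusion, source):
        """True while evasive action applies to this source (valid password or not)."""
        self._expire(now)
        entry = self.entries.get((intrusion, source))
        return entry is not None and entry.type == "INTRUDER"

    def show(self, type_filter="ALL"):
        """Rows in SHOW INTRUSION column order: Intrusion, Type, Count, Expiration, Source."""
        return [(e.intrusion, e.type, e.count, e.expiration, e.source)
                for e in self.entries.values()
                if type_filter == "ALL" or e.type == type_filter]


def demo():
    """Six bad passwords from one network source, ten seconds apart, starting at t=1000."""
    db = IntrusionDatabase()
    for i in range(6):
        entry = db.login_failure(1000.0 + 10 * i, "NETWORK", "NODE22::RONNING")
    # Five failures leave the entry SUSPECT; the sixth exceeds LGI_BRK_LIM=5 and blocks
    # the source until 1050 + LGI_HID_TIM = 1350.
    return entry


if __name__ == "__main__":
    e = demo()
    print(e.type, e.count, e.expiration)   # INTRUDER 6 1350.0
```

Lowering LGI_BRK_LIM or lengthening LGI_HID_TIM makes the block trigger sooner and last longer, but also makes it easier for an attacker to lock a legitimate terminal or user out; the simulation is a cheap way to see the effect of a proposed setting before changing it with SYSGEN.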

For information on intrusion detection, prevention, and evasive actions, see the HP OpenVMS Guide to System Security.

If you determine that an entry in the intrusion database resulted from a user error and not a break-in attempt, you can remove an entry from the intrusion database with the DELETE/INTRUSION command. See the DELETE/INTRUSION command for more details.


Qualifiers

/NODE[=(node-name[,...])]

The /NODE qualifier displays each intrusion record together with a per-node breakdown of its count: one indented line for each node that recorded failures from that source, giving the node name and the number of failures counted there. The node counts add up to the record's Count field.

If you specify individual nodes, the breakdown is displayed only for the nodes listed; records with no failures recorded on those nodes are not displayed at all (see Example 5).

/OUTPUT[=filespec]

Directs the output from the SHOW INTRUSION command to the file specified with the qualifier. By default, output from the command is displayed to SYS$OUTPUT.

/TYPE=keyword

Selects the type of information from the intrusion database that is displayed. The valid keywords are as follows:
ALL        All entries. This is the default.
SUSPECT    Entries for login failures that have occurred but have not yet passed the threshold necessary to be identified as intruders.
INTRUDER   Entries for which the login failure count was high enough to warrant evasive action.

Examples

#1

$ SHOW INTRUSION/OUTPUT=INTRUDER.LIS
      

The SHOW INTRUSION command in this example writes all the entries currently in the intrusion database to the file INTRUDER.LIS.

#2

$ SHOW INTRUSION/TYPE=INTRUDER
                                                   
Intrusion   Type      Count    Expiration    Source
TERMINAL    INTRUDER    9      10:29:39.16   AV34C2/LC-1-15:
NETWORK     INTRUDER    7      10:47:53.12   NODE22::RONNING
      

In this example, the SHOW INTRUSION command displays all intruder entries currently in the intrusion database.

#3

$ SHOW INTRUSION/NODE
 NETWORK      SUSPECT       5   26-JUL-2001 08:51:25.66  POPEYE::WONG
    Node: TSAVO      Count:    2
    Node: FROGGY     Count:    2
    Node: KITTY      Count:    1
      

This command displays each intrusion record with its per-node breakdown. The node counts sum to the record's Count field (2 + 2 + 1 = 5).

#4

$ SHOW INTRUSION/NODE=(FROGGY,KITTY)
 NETWORK      SUSPECT       5   26-JUL-2001 08:51:25.66  POPEYE::HAMMER
    Node: FROGGY     Count:    2
    Node: KITTY      Count:    2
      

This command displays intrusion record information for nodes FROGGY and KITTY.

#5

$ SHOW INTRUSION/NODE=EVMSA
$ 
      

This command shows that there are no intrusion records for node EVMSA.
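SHOW INTRUSION is also the natural feed for off-box monitoring: write it with /OUTPUT on a schedule and ship the file. The parser below is an added example for this page, not part of OpenVMS. It turns captured SHOW INTRUSION text (with or without /NODE) into records, splits the Source field according to the per-class formats listed under Description, and checks that a /NODE breakdown adds up to the Count column. SAMPLE is constructed from Examples 2 and 3 above plus one made-up TERM_USER line; the column layout and the "Node: ... Count: ..." sub-line format are assumed to match what the page shows.

```python
"""Parser for captured SHOW INTRUSION output.

Added example for this page, not OpenVMS code. Record lines, optional
"Node:" sub-lines, a column header and an echoed "$" command line are the
only input forms handled, as assumed from the examples on the page.
"""
import re

RECORD_RE = re.compile(
    r"^\s*(?P<intrusion>NETWORK|TERMINAL|TERM_USER|USERNAME)\s+"
    r"(?P<type>SUSPECT|INTRUDER)\s+"
    r"(?P<count>\d+)\s+"
    r"(?P<expiration>(?:\d{1,2}-[A-Z]{3}-\d{4}\s+)?\d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<source>\S+)\s*$")
NODE_RE = re.compile(r"^\s+Node:\s+(?P<node>\S+)\s+Count:\s+(?P<count>\d+)\s*$")

# Constructed sample: Examples 2 and 3 from this page plus a made-up TERM_USER entry.
SAMPLE = """\
$ SHOW INTRUSION/NODE
Intrusion   Type      Count    Expiration    Source
TERMINAL    INTRUDER    9      10:29:39.16   AV34C2/LC-1-15:
NETWORK     INTRUDER    7      10:47:53.12   NODE22::RONNING
 NETWORK      SUSPECT       5   26-JUL-2001 08:51:25.66  POPEYE::WONG
    Node: TSAVO      Count:    2
    Node: FROGGY     Count:    2
    Node: KITTY      Count:    1
 TERM_USER    SUSPECT       2   26-JUL-2001 09:02:10.00  TTA3:SMITH
"""


def parse_show_intrusion(text):
    """Return one dict per entry; 'nodes' holds the /NODE breakdown (empty without /NODE)."""
    records = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("$") or stripped.startswith("Intrusion"):
            continue                       # blank, echoed command, or column header
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            rec["nodes"] = {}
            records.append(rec)
            continue
        m = NODE_RE.match(line)
        if m and records:
            records[-1]["nodes"][m["node"]] = int(m["count"])
            continue
        raise ValueError(f"unrecognized SHOW INTRUSION line: {line!r}")
    return records


def source_fields(rec):
    """Split Source by class: node::user name, terminal:, terminal:user name, user name."""
    src, cls = rec["source"], rec["intrusion"]
    if cls == "NETWORK":
        node, _, user = src.partition("::")
        return {"node": node, "user": user}
    if cls == "TERM_USER":
        terminal, _, user = src.partition(":")
        return {"terminal": terminal + ":", "user": user}
    if cls == "TERMINAL":
        return {"terminal": src}
    return {"user": src}                   # USERNAME


def intruder_sources(records):
    """Sources under evasive action, i.e. what SHOW INTRUSION/TYPE=INTRUDER lists."""
    return [r["source"] for r in records if r["type"] == "INTRUDER"]


def node_count_mismatches(records):
    """Sources whose /NODE breakdown does not add up to the Count column.

    Empty for unfiltered /NODE output; with /NODE=(list) only the listed nodes
    are shown, so a shortfall there is expected rather than an error.
    """
    return [r["source"] for r in records
            if r["nodes"] and sum(r["nodes"].values()) != r["count"]]


if __name__ == "__main__":
    recs = parse_show_intrusion(SAMPLE)
    for r in recs:
        print(r["intrusion"], r["type"], r["count"], r["expiration"],
              source_fields(r), r["nodes"])
    print("blocked:", intruder_sources(recs))
    print("node-count mismatches:", node_count_mismatches(recs))
```

Because the parser raises on any line it does not recognize, a change in output layout (a different OpenVMS version, or a wider Count column) shows up as a loud failure rather than as silently dropped intruder entries, which is the failure mode a monitoring feed must avoid.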

