HP OpenVMS Guide to System Security: OpenVMS Version 8.4 > Chapter 6 Managing the System and its Data

Logging a User's Session

While users are learning the system, you may choose to monitor terminal sessions when a user performs an especially sensitive function, such as accessing sensitive data or controlling a system operation. (Users may also choose to log their own sessions so they have a record of their actions; to do so, they can enter the command SET HOST 0/LOG interactively after their initial login.) This section describes one method of logging users' sessions by setting up a restricted account. Many third-party products provide other, more efficient ways of monitoring sessions. Regardless of the method you select, check with your legal department to make sure this is acceptable practice.

By using a special restricted account and appropriate command procedures, you can enforce the logging of terminal sessions for selected users. These users must log in to the restricted account first and then, from it, log in to their own accounts; the restricted account ensures that the session is logged.

The following example provides guidelines on how to set up the restricted account (named USER_LOG in this example) and includes samples of appropriate command procedures:

  1. Set up the restricted account USER_LOG as follows:

    UAF>ADD USER_LOG /FLAGS=(RESTRICTED,DISMAIL,DISNEWMAIL)-
    _UAF>/LGICMD=SYS$SYSROOT:[USER_LOG]SESSIONLOG-
    _UAF>/DEV=SYS$SYSROOT: /DIR=[USER_LOG]-
    _UAF>/NONETWORK /NOBATCH /UIC=[200,256]
    
  2. The SESSIONLOG.COM command procedure enables logging of the terminal session:

    $ ! SESSIONLOG.COM - log in to specified account with terminal session
    $ ! logging enabled.
    $ !
    $ WRITE SYS$OUTPUT "Please log in to the account of your choice."
    $ WRITE SYS$OUTPUT "Your terminal session will be recorded."
    $ WRITE SYS$OUTPUT ""
    $ !
    $ ! Acquire the intended user name and save it in a temporary file. Use
    $ ! it to name the log file, and pass it as the first line of input to
    $ ! LOGIN.
    $ !
    $ READ/PROMPT="Username: " SYS$COMMAND USERNAME
    $ PID = F$GETJPI (0, "PID")
    $ OPEN/WRITE OUTPUT USERNAME'PID'.TMP
    $ WRITE OUTPUT USERNAME
    $ CLOSE OUTPUT
    $ DEFINE/USER SYS$INPUT USERNAME'PID'.TMP
    $ SET HOST 0 /LOG='USERNAME'.LOG
    $ DELETE USERNAME'PID'.TMP;0
    $ LOGOUT
  3. Set up each account for which session logging is to be enforced. The /NOLOCAL and /NODIALUP qualifiers leave remote (SET HOST) access as the only interactive way into the account. The following command sets up the account for user Smith:

    UAF>MODIFY SMITH /FLAGS=RESTRICTED /NOLOCAL /NODIALUP -
    _UAF>/LGICMD=SYS$SYSROOT:[USER_LOG]CHECKLOG
    

    Because the restricted login command procedure (CHECKLOG.COM, shown below) verifies that the login is coming from the USER_LOG account through a SET HOST command, the session is logged.

  4. You may also want to disable batch and network access for each user account, so that the only way into the account is a SET HOST login from the USER_LOG account on the local node. CHECKLOG.COM exits without checking anything when the login mode is not INTERACTIVE, so batch and network logins would otherwise proceed without being logged. For example:

    UAF>MODIFY SMITH/FLAGS=RESTRICTED/NOLOCAL/NODIALUP/NOBATCH -
    _UAF>/NONETWORK/LGICMD=SYS$SYSROOT:[USER_LOG]CHECKLOG
    

The following CHECKLOG.COM command procedure verifies that the user is logging in through the USER_LOG account: it requires that the originating node (SYS$REM_NODE) be the local node (SYS$NODE) and that the originating user (SYS$REM_ID) be USER_LOG, and logs the process out otherwise. It checks only where the connection came from, not that the connection is being logged, so it depends on the USER_LOG account never reaching a DCL prompt; the RESTRICTED flag keeps Ctrl/Y disabled while SESSIONLOG.COM runs, and that procedure ends with LOGOUT. For this procedure to work correctly, you must enable DECnet proxy accounts as described in “Setting Up a Proxy Database”.

$ ! CHECKLOG.COM - ensure that the account is being logged in to
$ ! the USER_LOG account.
$ !
$ IF F$MODE () .NES. "INTERACTIVE" THEN EXIT
$ !
$ ! Verify that the connection originated from the local node and
$ ! from the USER_LOG account.
$ !
$ IF F$LOGICAL ("SYS$NODE") .EQS. F$LOGICAL ("SYS$REM_NODE")-
 .AND. F$LOGICAL ("SYS$REM_ID") .EQS. "USER_LOG"-
 THEN GOTO OK 
$ WRITE SYS$OUTPUT "You may log in to this account only with ",-
 "the USER_LOG account." 
$ LOGOUT
$ !
$ ! When the login has been verified, enable Ctrl/Y to
$ ! release the account, invoke the user's LOGIN.COM, and turn
$ ! control over to the user.
$ !
$ OK:
$ SET CONTROL_Y
$ IF F$SEARCH ("LOGIN.COM") .EQS. "" THEN EXIT
$ @LOGIN
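A stricter variant of SESSIONLOG.COM from step 2, added here as an example; it is not from the OpenVMS documentation or any shipped procedure. It keeps the structure of the original but validates the user name before using it (the name becomes part of a file specification and the first line of input to LOGIN), names each transcript by user and start time so every session gets its own file, and logs out on any warning or error instead of leaving the USER_LOG process at a DCL prompt. The file name SESSIONLOG_STRICT.COM, the symbol names, the log file naming scheme and the 12-character limit used for the check are assumptions of this example; the directory SYS$SYSROOT:[USER_LOG] is the one set up in step 1.

```dcl
$ ! SESSIONLOG_STRICT.COM - stricter variant of SESSIONLOG.COM (added
$ ! example, not from the OpenVMS documentation). Assumes USER_LOG's
$ ! login directory is SYS$SYSROOT:[USER_LOG], as in step 1.
$ !
$ ! Any warning or error logs the process out rather than leaving USER_LOG
$ ! at a DCL prompt, from which SET HOST 0 could be run without /LOG.
$ !
$ ON WARNING THEN GOTO FAIL
$ WRITE SYS$OUTPUT "Please log in to the account of your choice."
$ WRITE SYS$OUTPUT "Your terminal session will be recorded."
$ WRITE SYS$OUTPUT ""
$ READ/PROMPT="Username: " SYS$COMMAND USERNAME
$ USERNAME = F$EDIT (USERNAME, "COLLAPSE,UPCASE")
$ !
$ ! The name is used in a file specification and as input to LOGIN, so
$ ! accept only characters legal in a user name (A-Z, 0-9, $, _) and at
$ ! most 12 characters (assumed SYSUAF user name length). A device,
$ ! directory, wildcard or version typed in its place is rejected here.
$ !
$ VALID = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_"
$ IF F$LENGTH (USERNAME) .EQ. 0 .OR. F$LENGTH (USERNAME) .GT. 12 THEN GOTO BAD
$ I = 0
$ CHECK_CHAR:
$ IF F$LOCATE (F$EXTRACT (I, 1, USERNAME), VALID) .EQ. F$LENGTH (VALID) -
     THEN GOTO BAD
$ I = I + 1
$ IF I .LT. F$LENGTH (USERNAME) THEN GOTO CHECK_CHAR
$ !
$ ! Name the transcript by user and start time (yyyymmddhhmmss) so each
$ ! session gets its own file and the name is never chosen by the user.
$ !
$ NOW = F$CVTIME (, "COMPARISON")          ! "yyyy-mm-dd hh:mm:ss.cc"
$ STAMP = F$EXTRACT (0, 4, NOW) + F$EXTRACT (5, 2, NOW) + F$EXTRACT (8, 2, NOW) + -
          F$EXTRACT (11, 2, NOW) + F$EXTRACT (14, 2, NOW) + F$EXTRACT (17, 2, NOW)
$ PID = F$GETJPI ("", "PID")
$ TMPFILE = "SYS$SYSROOT:[USER_LOG]USERNAME" + PID + ".TMP"
$ LOGFILE = "SYS$SYSROOT:[USER_LOG]" + USERNAME + "_" + STAMP + ".LOG"
$ !
$ ! As in SESSIONLOG.COM: feed the user name to LOGIN as the first line of
$ ! input and record the whole remote session with SET HOST 0 /LOG.
$ !
$ OPEN/WRITE OUTPUT 'TMPFILE'
$ WRITE OUTPUT USERNAME
$ CLOSE OUTPUT
$ DEFINE/USER SYS$INPUT 'TMPFILE'
$ SET HOST 0 /LOG='LOGFILE'
$ !
$ ! The session is over and the transcript is closed; clean up and leave.
$ !
$ SET NOON
$ DELETE 'TMPFILE';*
$ LOGOUT
$ BAD:
$ WRITE SYS$OUTPUT "That is not a valid user name; logging out."
$ FAIL:
$ LOGOUT
```

To use it, point the /LGICMD qualifier of the USER_LOG account in step 1 at this procedure instead of SESSIONLOG.COM. CHECKLOG.COM needs no change: the target account still sees a SET HOST connection from USER_LOG on the local node, which is all it checks.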