This appendix describes alarm messages that result
from auditing various system events. See “Security Auditing” for a discussion of the auditing
system and see the HP OpenVMS System Management Utilities
Reference Manual for a description of the record format
of audit messages.
The information included in the alarm message
depends on the type of event. In all cases, the alarm message contains
the operator communication manager (OPCOM) heading, which includes
the date and time the alarm was sent. It contains the type of alarm
event, the date and time the alarm event occurred, and the user who
caused the event, as identified by the user name and process identification
(PID). Other information contained in alarm messages is specific to
the type of event that the alarm signaled.
Alarms Announcing an Object
Access
You can audit successful or unsuccessful access
to a protected object by specifying the ACCESS keyword with the /ENABLE
qualifier of the SET AUDIT command. You designate the object type
with the /CLASS qualifier. See “Auditing Protected Objects”"Auditing Protected Objects" on page 87
for a description of object auditing. For example:
%%%%%%%%%%% OPCOM 17-SEP-2008 10:13:20.46 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event: Object access
Event time: 17-SEP-2008 10:13:20.09
PID: 30200117
Process name: Hobbit
Username: GREG
Process owner: [MTI,GREG]
Terminal name: RTA1:
Image name: DSA1:[GREG.TEST.ACCESS]ACCESS.EXE;50
Object class name: COMMON_EVENT_CLUSTER
Object name: FOO
Access requested: READ
Deaccess key: 808E3380
Status: %SYSTEM-S-NORMAL, normal successful completion
Privileges used: none |
You can also audit access through the use of GRPPRV,
READALL, SYSPRV, or BYPASS privilege.
Alarms Requested by an
ACL
You can audit successful
or unsuccessful access to individual protected objects by adding an
Alarm ACE or an Audit ACE to an object's ACL and enabling ACL
events by specifying the ACL keyword with the /ENABLE qualifier of
the SET AUDIT command. For example:
 |
%%%%%%%%%%% OPCOM 12-NOV-2008 10:53:16.34 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on FNORD, system id: 19681
Auditable event: Object deletion
Event information: file deletion request (IO$_DELETE)
Event time: 12-NOV-2008 10:53:16.30
PID: 20200158
Process name: FNORD$RTA2
Username: HUBERT
Process owner: [LEGAL,HUBERT]
Terminal name: RTA2:
Image name: $1$DIA1:[SYS0.SYSCOMMON.][SYSEXE]DELETE.EXE
Object class name: FILE
Object owner: [SYSTEM]
Object protection: SYSTEM:RWE, OWNER:RWE, GROUP:, WORLD:
File name: _$1$DIA3:[USERS.HUBERT.TMP]FOO.BAR;2
File ID: (4134,20,0)
Access requested: DELETE
Sequence key: 0005E05F
Status: %SYSTEM-F-NOPRIV, insufficient privilege or object
protection violation |
Alarms Due to Modification
of the Authorization Databases
The Authorization class of security events is
enabled by default. All changes to the rights database, the system
user authorization file, and the network proxy authorization file
immediately produce an audit event message.
Changes to the rights database result from such
actions as the creation of a new database or the addition, modification,
or removal of an identifier. The audit server also reports when there
is a change in a user's identifiers. Note that the alarm message
cites the image used to modify the rights database and the change
itself. For example:
%%%%%%%%%%% OPCOM 15-DEC-2008 12:27:17.44 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) and security audit (SECURITY) on LASSIE, system id: 19661
Auditable event: Identifier modified
Event time: 15-DEC-2008 12:27:17.43
PID: 00000113
Username: SYSTEM
Image name: LASSIE$DMA0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE
Identifier name: ROBINSON
Identifier value: %X80010014 New attributes: RESOURCE |
In reporting changes to the system or network
user authorization files, the audit server also notes any kind of
modification as well as the record modified and the change made. For
example:
%%%%%%%%%%% OPCOM 18-DEC-2008 19:53:25.99 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) and security audit (SECURITY) on LASSIE, system id: 19611
Auditable event: System UAF record addition
Event time: 18-DEC-2008 19:53:25.98
PID: 20200B25
Username: SYSTEM
Image name: $1$DUS0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE
Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;2
Object type: file
User record added: COOPER
Fields modified: FLAGS,PWDLIFETIME |
The following alarm message is an example of an
alarm resulting from a password change:
%%%%%%%%%%% OPCOM 26-SEP-2008 15:12:35.95 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on FNORD, system id:
20300
Auditable event: System UAF record modification
Event time: 26-SEP-2008 15:12:35.92
PID: 52C00119
Process name: Hobbit
Username: GREG
Process owner: [RTB,GREG]
Terminal name: RTA2:
Image name: $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE
Object name: CLU$COMMON:<SYSEXE>SYSUAF.DAT;1
Object type: file
User record: GREG
Password: New: 7C5E4DA2 F19176AF
Original: 7C5E4DA2 F19176AF
Password date: New: 0 00:00:00.00
Original: 26-SEP-2008 15:12 |
Alarms Announcing Break-In
Attempts
Break-in attempts
are audited by default in the operating system; it audits dialup,
local, remote, network and detached break-ins. Passwords used in break-in
attempts are not displayed on security operator terminals and also
not logged to the security audit log file.
This type of alarm notes the type of break-in
attempt, the device user, the origin of attempt (if the break-in type
was remote or network), and the parent user name (if the break-in
type was detached). For example:
%%%%%%%%%%% OPCOM 7-DEC-2008 14:33:20.69 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event: Dialup interactive breakin detection
Event time: 7-DEC-2008 14:33:20.68
PID: 00000052
Username: SNIDELY
Terminal name: _LTA13: (AV47C1/LC-2-10) |
Alarms Announcing Creation
of an Object
You can audit the creation
of objects by specifying the CREATE keyword with the /ENABLE qualifier
of the SET AUDIT command. This type of alarm notes the class of the
object as well as its object name. For example:
%%%%%%%%%%% OPCOM 17-SEP-2008 10:13:20.29 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event: Object creation
Event time: 17-SEP-2008 10:13:20.01
PID: 30200117
Process name: Hobbit
Username: HUBERT
Process owner: [SST,HUBERT]
Terminal name: RTA1:
Image name: DSA1:[HUBERT.TEST.ACCESS]ACCESS.EXE;50
Object class name: COMMON_EVENT_CLUSTER
Object name: FOO
Status: %SYSTEM-S-NORMAL, normal successful completion |
Alarms Announcing Deaccess
from an Object
You can audit the deaccess
of a process from an object by specifying the DEACCESS keyword with
the /ENABLE qualifier of the SET AUDIT command. This type of alarm
notes the class of the object. For example:
%%%%%%%%%%% OPCOM 17-SEP-2008 10:13:38.34 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event: Object deaccess
Event time: 17-SEP-2008 10:13:38.31
PID: 30200117
Object class name: COMMON_EVENT_CLUSTER
Deaccess key: 808E3380 |
Alarms Announcing Deletion
of an Object
You can audit the deletion
of objects by specifying the DELETE keyword with the /ENABLE qualifier
of the SET AUDIT command. This type of alarm notes the class of the
object as well as its object name. For example:
%%%%%%%%%%% OPCOM 17-SEP-2008 10:13:36.17 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event: Object access
Event time: 17-SEP-2008 10:13:36.08
PID: 30200117
Process name: Hobbit
Username: HUBERT
Process owner: [MTI,HUBERT]
Terminal name: RTA1:
Image name: DSA1:[HUBERT.TEST.ACCESS]ACCESS.EXE;50
Object class name: COMMON_EVENT_CLUSTER
Object name: FOO
Access requested: DELETE
Status: %SYSTEM-S-NORMAL, normal successful completion
Privileges used: none |
Alarms Announcing Use of
the Install Utility
You can audit the use of the Install utility (to
install an image or to remove an installed image) by specifying the
INSTALL keyword with the /ENABLE qualifier of the SET AUDIT command.
Install alarms identify the type of operation, the name of the image
affected by the operation, the flags set by the Install operation,
and the privileges used. For example:
%%%%%%%%%%% OPCOM 7-DEC-2008 12:37:49.69 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19661
Auditable event: Installed file addition
Event time: 7-DEC-2008 12:37:49.68
PID: 00000113
Username: SYSTEM
Object name: LASSIE$DMA0:[SYS0.SYSCOMMON.][SYSEXE]NCP.EXE;1
Object type: file
INSTALL flags: /OPEN/HEADER_RESIDENT/SHARED |
Alarms Announcing Logins
You
can audit successful logins by specifying the LOGIN keyword with the
/ENABLE qualifier of the SET AUDIT command. You can audit batch, dialup,
local, remote, network, subprocess and detached login classes. This
type of alarm notes the class of login, the device used, the origin
of the login (if it was remote or network), the parent PID (if the
login was subprocess), and the parent user name (if the login was
detached). For example:
%%%%%%%%%%% OPCOM 18-DEC-2008 18:49:40.09 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event: Batch process login
Event time: 18-DEC-2008 18:49:40.08
PID: 20002001
Username: LEWIS |
Alarms Announcing Login
Failures
You can
audit login failures by specifying the LOGFAILURE keyword with the
/ENABLE qualifier of the SET AUDIT command. You can audit the batch,
dialup, local, remote, network, subprocess and detached login failure
classes. This type of alarm contains the class of login, the device
used, a status message detailing the reason for the failure, the origin
of the login (if it was remote or network), the parent PID (if the
login was subprocess), and the parent user name (if the login was
detached). For example:
%%%%%%%%%%% OPCOM 7-DEC-2008 12:48:43.50 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event: Network login failure
Event time: 7-DEC-2008 12:48:43.49
PID: 0000011D
Username: DECNET
Remote nodename: TIGER Remote node id: 3218
Remote username: PROBER
Status: %LOGIN-F-INVPWD, invalid password |
Alarms Announcing Logouts
You can audit logouts by specifying the LOGOUT
keyword with the /ENABLE qualifier of the SET AUDIT command. You can
audit batch, dialup, local, remote, network, subprocess and detached
logout classes. This type of alarm contains the class of logout, the
device used, the origin of the login (if it was remote or network),
and the parent PID (if the login was subprocess). For example:
%%%%%%%%%%% OPCOM 18-DEC-2008 19:14:22.03 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event: Dialup interactive logout
Event time: 18-DEC-2008 19:14:22.02
PID: 20200001
Username: DANCER
Terminal name: _TTA1: |
Alarms Announcing Volume
Mounts and Dismounts
You can audit mount or dismount requests by specifying
the MOUNT keyword with the /ENABLE qualifier of the SET AUDIT command.
This type of alarm contains the name of the image used to mount or
dismount the volume, the device used, the log file recording the operation,
the volume name, its UIC and protection code, and the flags set during
the operation. For example:
%%%%%%%%%%% OPCOM 18-DEC-2008 17:43:26.94 %%%%%%%%%%%
Message from user AUDIT$SERVER on CANINE
Security alarm (SECURITY) on CANINE, system id: 19681
Auditable event: Volume mount
Event time: 18-DEC-2008 17:43:26.04
PID: 00000038
Username: HOBBIT
Image name: CANINE$DUA0:[SYS0.SYSCOMMON.][SYSEXE]VMOUNT.EXE;1
Object name: _CANINE$MUA0:
Object type: device
Object owner: [DEVO,HOBBIT]
Object protection: SYSTEM:RWEDC, OWNER:RWEDC, GROUP:RWEDC, WORLD:RWEDC
Logical name: TAPE$DBACK1
Volume name: DBACK1
Mount flags: /OVERRIDE=IDENT/MESSAGE |
Alarms Reporting Network
Connections
On VAX systems, you can audit the creation and
termination of logical links with other nodes in the network when
the connections were made through DECnet for OpenVMS. To do so, specify
the CONNECTION keyword with the /ENABLE qualifier of the SET AUDIT
command. For example:
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19681
Auditable event: DECnet logical link deleted
Event time: 12-NOV-2008 10:54:25.01
PID: 202002EB
Process name: FAL_16729
Username: HUBERT_N
Process owner: [ACCOUNTS,HUBERT]
Image name: $1$DIA1:[SYS0.SYSCOMMON.][SYSEXE]FAL.EXE
Remote nodename: JPT
Remote node id: 19.130
Remote username: HUBERT
DECnet logical link ID: 16729
DECnet object name: FAL
DECnet object number: 17
Remote logical link ID: 35429
Status: %SYSTEM-S-NORMAL, normal successful completion
|
Alarms Reporting Use of
Process Control System Services
You can audit use of the process control system
services, such as $CREPRC or $GETJPI, by specifying the PROCESS keyword
with the /ENABLE qualifier of the SET AUDIT command. This type of
alarm reports the system service used to control a process, the device
used, the name of the process and its user name. For example:
%%%%%%%%%%% OPCOM 25-JUL-2008 16:07:09.20 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 20300
Auditable event: Process suspended ($SUSPND)
Event time: 25-JUL-2008 16:07:08.77
PID: 30C00119
Process name: Hobbit
Username: HUBERT
Process owner: [LEGAL,HUBERT]
Terminal name: RTA1:
Image name: $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SET.EXE
Status: %SYSTEM-S-NORMAL, normal successful completion
Target PID: 30C00126
Target process name: SMISERVER
Target username: SYSTEM
Target process owner: [SYSTEM] |
Alarms Reporting Use of
Privilege
You can audit the use of privilege by specifying
the PRIVILEGE keyword with the /ENABLE qualifier of the SET AUDIT
command. The alarm reports the privilege used and what it was used
to do. For example:
%%%%%%%%%%% OPCOM 17-SEP-2008 10:13:20.16 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event: Privilege used
Event information: PRMCEB used to create permanent common event flag
cluster ($ASCEFC)
Event time: 17-SEP-2008 10:13:20.01
PID: 30200117
Process name: Hobbit
Username: HUBERT
Process owner: [MTI,HUBERT]
Terminal name: RTA1:
Image name: DSA1:[HUBERT.TEST.ACCESS]ACCESS.EXE;50
Event flag cluster name: FOO
Privileges used: PRMCEB |
Alarms Reporting Modification
of a System Parameter
You can audit the modification of a system parameter
by specifying the SYSGEN keyword with the /ENABLE qualifier of the
SET AUDIT command. This type of alarm reports on both the active parameters
and the parameters stored on disk. For example:
%%%%%%%%%%% OPCOM 25-JUL-2008 16:09:04.67 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 20300
Auditable event: SYSGEN parameter set
Event time: 25-JUL-2008 16:09:04.65
PID: 30C00119
Process name: Hobbit
Username: HUBERT
Process owner: [LEGAL,HUBERT]
Terminal name: RTA1:
Image name: $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SYSGEN.EXE
Parameters write: SYS$SYSROOT:[SYSEXE]VAXVMSSYS.PAR;68
Parameters inuse: SYS$SYSROOT:[SYSEXE]VAXVMSSYS.PAR;68
NSA_PAGES: New: 15
Original: 10 |
Alarms Reporting a Change
in System Time
You can audit changes to system time by specifying
the TIME keyword with the /ENABLE qualifier of the SET AUDIT command.
This type of alarm reports the old and the new system time, the name
of the user making the modification, and the device used. For example:
%%%%%%%%%%% OPCOM 25-JUL-2008 16:08:25.23 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 20300
Auditable event: System time recalibrated
Event time: 25-JUL-2008 16:08:25.21
PID: 30C00119
Process name: Hobbit
Username: HUBERT
Process owner: [LEGAL,HUBERT]
Terminal name: RTA1:
Image name: $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SET.EXE
New system time: 25-JUL-2008 16:08:25.19
Old system time: 25-JUL-2008 16:08:25.18 |
Alarms Resulting from Execution
of the SET AUDIT Command
All uses of the SET AUDIT command are automatically
audited, and you cannot disable it. The following alarm messages are
examples of SET AUDIT alarms:
%%%%%%%%%%% OPCOM 12-NOV-2008 10:54:11.91 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on FNORD, system id: 19681
Auditable event: Security alarm state set
Event time: 12-NOV-2008 10:54:11.58
PID: 20200158
Alarm flags: ACL,AUTHORIZATION,CONNECTION
BREAKIN: (DIALUP,LOCAL,REMOTE,NETWORK,DETACHED)
LOGFAIL: (BATCH,DIALUP,LOCAL,REMOTE,NETWORK,
SUBPROCESS,DETACHED) |