HP OpenVMS Systems: ask the wizard
The Question is:

RE: Security Audits, Alarms, Logfails, and OPCOM?

OK, let me try this again...

The problem we're having is that ANY login failure (not just bad passwords or user names) is reported on OPCOM. This includes the times when the user lets the connection time out or if they hit ^Z at the prompt. Here are some more OPCOM messages:

```
%%%%%%%%%%% OPCOM 20-JAN-1999 10:07:37.33 %%%%%%%%%%% (from node VAX at 20-JAN-1999 10:07:37.31)
Message from user AUDIT$SERVER on VAX
Security alarm (SECURITY) and security audit (SECURITY) on VAX, system id: 1145
Auditable event:   Local interactive login failure
Event time:        20-JAN-1999 10:07:37.30
PID:               606024B8
Process name:      _NTY959:
Username:          <login>
Process owner:     [SYSTEM]
Terminal name:     _NTY959:, [10.102.100.238]
Image name:        $1$DIA0:[SYS1.SYSCOMMON.][SYSEXE]LOGINOUT.EXE
Status:            %LOGIN-F-CMDINPUT, error reading command input
```

and

```
%%%%%%%%%%% OPCOM 20-JAN-1999 09:36:52.35 %%%%%%%%%%% (from node VAX at 20-JAN-1999 09:36:52.34)
Message from user AUDIT$SERVER on VAX
Security alarm (SECURITY) and security audit (SECURITY) on VAX, system id: 1145
Auditable event:   Local interactive login failure
Event time:        20-JAN-1999 09:36:52.34
PID:               60602698
Process name:      _NTY953:
Username:          <login>
Terminal name:     NTY953:, _NTY953:, [10.28.100.225]
Remote nodename:   TELNET
Remote username:   0A1C64E1:0402
Status:            %LOGIN-F-NOSUCHUSER, no such user
```

I don't want to disable all login failures, but I'd rather not see these failures. We get so many failures of these types it's hard to diagnose when there is a problem or breakin.

Thanks again!

The Answer is:

A LOGFAIL is a LOGFAIL; unfortunately for you, there is no finer granularity provided by the auditing subsystem. One possibility would be to disable the LOGFAIL ALARMs but leave BREAKIN ALARMs enabled. You could enable LOGFAIL AUDITs and BREAKIN AUDITs and ALARMs. That way only breakin messages will be sent to OPCOM, but all events are logged to the audit journal file.

Another possibility is to implement your own finer granularity for LOGFAIL and/or breakin messages. Write your own AUDIT LISTENER process which scans alarms and sends OPCOM messages only for the ones you want.
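
The filtering idea from the answer, sketched as an added example (not the Wizard's or HP's code): it parses alarm text in the layout shown in the question and forwards everything except login failures whose status is on a suppression list. It assumes the listener already holds each event in that text form; the function names and `SUPPRESSED_STATUS` are hypothetical, and reading the listener mailbox and sending the OPCOM request are outside the block.

```python
import re

# Assumption: status codes this site treats as noise (timeout, ^Z at the prompt).
SUPPRESSED_STATUS = {"%LOGIN-F-CMDINPUT"}
BANNER = re.compile(r"^%{5,}\s+OPCOM\s")
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*)$")

def parse_records(text):
    """Split the stream at each OPCOM banner; return one field dict per message."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if BANNER.match(line):
            records.append({})
        elif records:
            m = FIELD.match(line)
            if m:  # header lines without a leading "Label:" are skipped
                records[-1][m.group(1)] = m.group(2).strip()
    return records

def status_code(fields):
    """Condition code before the comma, e.g. '%LOGIN-F-NOSUCHUSER'."""
    return fields.get("Status", "").split(",", 1)[0].strip()

def should_forward(fields):
    """Drop only login failures whose status is suppressed; pass everything else."""
    is_logfail = "login failure" in fields.get("Auditable event", "")
    return not (is_logfail and status_code(fields) in SUPPRESSED_STATUS)

def filter_alarms(text):
    """Return the parsed alarms that should still be sent to the operator."""
    return [f for f in parse_records(text) if should_forward(f)]

# Constructed sample: the two alarms from the question, abbreviated.
SAMPLE = """\
%%%%%%%%%%%  OPCOM  20-JAN-1999 10:07:37.33  %%%%%%%%%%%
Message from user AUDIT$SERVER on VAX
Security alarm (SECURITY) and security audit (SECURITY) on VAX, system id: 1145
Auditable event:          Local interactive login failure
Terminal name:            _NTY959:, [10.102.100.238]
Status:                   %LOGIN-F-CMDINPUT, error reading command input
%%%%%%%%%%%  OPCOM  20-JAN-1999 09:36:52.35  %%%%%%%%%%%
Message from user AUDIT$SERVER on VAX
Auditable event:          Local interactive login failure
Terminal name:            NTY953:, _NTY953:, [10.28.100.225]
Status:                   %LOGIN-F-NOSUCHUSER, no such user
"""

if __name__ == "__main__":
    for rec in filter_alarms(SAMPLE):
        print(rec["Terminal name"], status_code(rec))
```

Because suppression keys on the exact status code, a failure with any status not on the list, and any event that is not a login failure, still reaches the operator.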