From: SMTP%"RELAY-INFO-VAX@CRVAX.SRI.COM" 27-MAY-1994 12:19:51.64
To: EVERHART
CC:
Subj: Accessing the intrusion database

Date: Thu, 26 May 1994 10:58:52 +0300 (CET-DST)
From: "All thoughts, all passions, all delights..."
To: info-vax@sri.com
Message-Id: <940526105852.7b3d@DECUS.DECUS.DE>
Subject: Accessing the intrusion database

Hi, Joel !

;Date: Wed, 25 May 1994 16:03:04 GMT
;From: "Joel M. DeYoung"
;Subject: Accessing the intrusion database
;...
;I'm updating a program that will allow a user to list and delete
;intrusion records.

Such a program could become a security hole, so you should seal access to it
with some checks of the user's privileges and/or rights identifiers.

;Does anyone know of a system service or routine
;that I can call that will allow me access to the intrusion database?
;The *only* references I can find in the literature about the intrusion
;database are the commands SHOW INTRUSION and DELETE/INTRUSION_RECORD.

Nope. To prove it to myself I tried to find words like 'INTRUSION', 'INTRUDER' in
the system service reference manual ... Alas ... so the only possibility I see is ...

Ask by CIA !

1. write a short macro program:

        $ create ciadef.mar
                .TITLE  CIADEF
                .IDENT  /V 001/
                .LIBRARY /SYS$LIBRARY:LIB/
                $CIADEF GLOBAL
                .END

2. compile it

        $ macro/obj=ciadef.stb ciadef

3. Call SDA (it would be in

        $ analyze/system
        SDA> read sys$system:sys
        SDA> read ciadef
        SDA> ex CIA$GQ_INTRUDER
        SDA> FORMAT/TYPE=CIA @CIA$GQ_INTRUDER

Then you could write a program that does the same. The intrusion database is
ERKW protected (executive read/kernel write) - you should write your own
system service or make $CM{KRNL|EXEC}.

To delete a record you should extract an element from the queue at
CIA$GQ_INTRUDER and free it. Here you could run into difficulties,
because to access this database you should lock it using the spinlock
whose name is unknown to me ...

Note that all this stuff is unsupported.
I'm not 100% sure that the intrusion data is used only by the 2 DCL commands
you cite and LOGINOUT.EXE. Perhaps someone who has more clue could give you
more help.

= Seva