This appendix describes alarm messages that result from auditing
various system events. See Chapter 9 “Security Auditing” for a discussion of the auditing system and see the
HP OpenVMS System Management Utilities Reference Manual for
a description of the record format of audit messages.
The information included in the alarm message depends on the
type of event. In all cases, the alarm message contains the operator
communication manager (OPCOM) heading, which includes the date and
time the alarm was sent. It contains the type of alarm event, the
date and time the alarm event occurred, and the user who caused
the event, as identified by the user name and process identification
(PID). Other information contained in alarm messages is specific
to the type of event that the alarm signaled.
Alarms Announcing an Object Access
You can audit successful or unsuccessful access to a protected
object by specifying the ACCESS keyword with the /ENABLE qualifier
of the SET AUDIT command. You designate the object type with the
/CLASS qualifier. See “Auditing Protected
Objects”“Auditing Protected Objects” on
page 87 for a description of object auditing. For example:
%%%%%%%%%%% OPCOM 17-SEP-2001 10:13:20.46 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event: Object access
Event time: 17-SEP-2001 10:13:20.09
PID: 30200117
Process name: Hobbit
Username: GREG
Process owner: [MTI,GREG]
Terminal name: RTA1:
Image name: DSA1:[GREG.TEST.ACCESS]ACCESS.EXE;50
Object class name: COMMON_EVENT_CLUSTER
Object name: FOO
Access requested: READ
Deaccess key: 808E3380
Status: %SYSTEM-S-NORMAL, normal successful completion
Privileges used: none |
You can also audit access through the use of GRPPRV, READALL,
SYSPRV, or BYPASS privilege.
Alarms Requested by an ACL
You can audit successful
or unsuccessful access to individual protected objects by adding
an Alarm ACE or an Audit ACE to an object's ACL and enabling ACL
events by specifying the ACL keyword with the /ENABLE qualifier
of the SET AUDIT command. For example:
%%%%%%%%%%% OPCOM 12-NOV-2001 10:53:16.34 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on FNORD, system id: 19681
Auditable event: Object deletion
Event information: file deletion request (IO$_DELETE)
Event time: 12-NOV-2001 10:53:16.30
PID: 20200158
Process name: FNORD$RTA2
Username: HUBERT
Process owner: [LEGAL,HUBERT]
Terminal name: RTA2:
Image name: $1$DIA1:[SYS0.SYSCOMMON.][SYSEXE]DELETE.EXE
Object class name: FILE
Object owner: [SYSTEM]
Object protection: SYSTEM:RWE, OWNER:RWE, GROUP:, WORLD:
File name: _$1$DIA3:[USERS.HUBERT.TMP]FOO.BAR;2
File ID: (4134,20,0)
Access requested: DELETE
Sequence key: 0005E05F
Status: %SYSTEM-F-NOPRIV, insufficient privilege or object
protection violation |
Alarms Due to Modification of the
Authorization Databases
The Authorization class of security events is enabled by default.
All changes to the rights database, the system user authorization
file, and the network proxy authorization file immediately produce
an audit event message.
Changes to the rights database result from such actions as
the creation of a new database or the addition, modification, or
removal of an identifier. The audit server also reports when there
is a change in a user's identifiers. Note that the alarm message
cites the image used to modify the rights database and the change itself.
For example:
%%%%%%%%%%% OPCOM 15-DEC-2001 12:27:17.44 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) and security audit (SECURITY) on LASSIE, system id: 19661
Auditable event: Identifier modified
Event time: 15-DEC-2001 12:27:17.43
PID: 00000113
Username: SYSTEM
Image name: LASSIE$DMA0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE
Identifier name: ROBINSON
Identifier value: %X80010014 New attributes: RESOURCE |
In reporting changes to the system or network user authorization
files, the audit server also notes any kind of modification as well
as the record modified and the change made. For example:
%%%%%%%%%%% OPCOM 18-DEC-2001 19:53:25.99 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) and security audit (SECURITY) on LASSIE, system id: 19611
Auditable event: System UAF record addition
Event time: 18-DEC-2001 19:53:25.98
PID: 20200B25
Username: SYSTEM
Image name: $1$DUS0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE
Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;2
Object type: file
User record added: COOPER
Fields modified: FLAGS,PWDLIFETIME |
The following alarm message is an example of an alarm resulting
from a password change:
%%%%%%%%%%% OPCOM 26-SEP-2001 15:12:35.95 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on FNORD, system id:
20300
Auditable event: System UAF record modification
Event time: 26-SEP-2001 15:12:35.92
PID: 52C00119
Process name: Hobbit
Username: GREG
Process owner: [RTB,GREG]
Terminal name: RTA2:
Image name: $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE
Object name: CLU$COMMON:<SYSEXE>SYSUAF.DAT;1
Object type: file
User record: GREG
Password: New: 7C5E4DA2 F19176AF
Original: 7C5E4DA2 F19176AF
Password date: New: 0 00:00:00.00
Original: 26-SEP-2001 15:12 |
Alarms Announcing Break-In Attempts
Break-in attempts
are audited by default in the operating system; it audits dialup,
local, remote, network and detached break-ins. Passwords used in
break-in attempts are not displayed on security operator terminals,
but they are logged to the security audit log file and can be displayed
with the Audit Analysis utility.
This type of alarm notes the type of break-in attempt, the
device user, the origin of attempt (if the break-in type was remote
or network), and the parent user name (if the break-in type was
detached). For example:
%%%%%%%%%%% OPCOM 7-DEC-2001 14:33:20.69 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event: Dialup interactive breakin detection
Event time: 7-DEC-2001 14:33:20.68
PID: 00000052
Username: SNIDELY
Terminal name: _LTA13: (AV47C1/LC-2-10) |
Alarms Announcing Creation of an Object
You can audit
the creation of objects by specifying the CREATE keyword with the
/ENABLE qualifier of the SET AUDIT command. This type of alarm notes
the class of the object as well as its object name. For example:
%%%%%%%%%%% OPCOM 17-SEP-2001 10:13:20.29 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event: Object creation
Event time: 17-SEP-2001 10:13:20.01
PID: 30200117
Process name: Hobbit
Username: HUBERT
Process owner: [SST,HUBERT]
Terminal name: RTA1:
Image name: DSA1:[HUBERT.TEST.ACCESS]ACCESS.EXE;50
Object class name: COMMON_EVENT_CLUSTER
Object name: FOO
Status: %SYSTEM-S-NORMAL, normal successful completion |
Alarms Announcing Deaccess from an
Object
You can audit
the deaccess of a process from an object by specifying the DEACCESS
keyword with the /ENABLE qualifier of the SET AUDIT command. This
type of alarm notes the class of the object. For example:
%%%%%%%%%%% OPCOM 17-SEP-2001 10:13:38.34 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event: Object deaccess
Event time: 17-SEP-2001 10:13:38.31
PID: 30200117
Object class name: COMMON_EVENT_CLUSTER
Deaccess key: 808E3380 |
Alarms Announcing Deletion of an Object
You can audit
the deletion of objects by specifying the DELETE keyword with the
/ENABLE qualifier of the SET AUDIT command. This type of alarm notes
the class of the object as well as its object name. For example:
%%%%%%%%%%% OPCOM 17-SEP-2001 10:13:36.17 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event: Object access
Event time: 17-SEP-2001 10:13:36.08
PID: 30200117
Process name: Hobbit
Username: HUBERT
Process owner: [MTI,HUBERT]
Terminal name: RTA1:
Image name: DSA1:[HUBERT.TEST.ACCESS]ACCESS.EXE;50
Object class name: COMMON_EVENT_CLUSTER
Object name: FOO
Access requested: DELETE
Status: %SYSTEM-S-NORMAL, normal successful completion
Privileges used: none |
Alarms Announcing Use of the Install
Utility
You can audit the use of the Install utility (to install an
image or to remove an installed image) by specifying the INSTALL
keyword with the /ENABLE qualifier of the SET AUDIT command. Install
alarms identify the type of operation, the name of the image affected
by the operation, the flags set by the Install operation, and the
privileges used. For example:
%%%%%%%%%%% OPCOM 7-DEC-2001 12:37:49.69 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19661
Auditable event: Installed file addition
Event time: 7-DEC-2001 12:37:49.68
PID: 00000113
Username: SYSTEM
Object name: LASSIE$DMA0:[SYS0.SYSCOMMON.][SYSEXE]NCP.EXE;1
Object type: file
INSTALL flags: /OPEN/HEADER_RESIDENT/SHARED |
Alarms Announcing Logins
You can audit successful
logins by specifying the LOGIN keyword with the /ENABLE qualifier
of the SET AUDIT command. You can audit batch, dialup, local, remote,
network, subprocess and detached login classes. This type of alarm
notes the class of login, the device used, the origin of the login
(if it was remote or network), the parent PID (if the login was
subprocess), and the parent user name (if the login was detached).
For example:
%%%%%%%%%%% OPCOM 18-DEC-2001 18:49:40.09 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event: Batch process login
Event time: 18-DEC-2001 18:49:40.08
PID: 20002001
Username: LEWIS |
Alarms Announcing Login Failures
You can audit login failures
by specifying the LOGFAILURE keyword with the /ENABLE qualifier
of the SET AUDIT command. You can audit the batch, dialup, local,
remote, network, subprocess and detached login failure classes.
This type of alarm contains the class of login, the device used,
a status message detailing the reason for the failure, the origin
of the login (if it was remote or network), the parent PID (if the
login was subprocess), and the parent user name (if the login was
detached). For example:
%%%%%%%%%%% OPCOM 7-DEC-2001 12:48:43.50 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event: Network login failure
Event time: 7-DEC-2001 12:48:43.49
PID: 0000011D
Username: DECNET
Remote nodename: TIGER Remote node id: 3218
Remote username: PROBER
Status: %LOGIN-F-INVPWD, invalid password |
Alarms Announcing Logouts
You can audit logouts by specifying the LOGOUT keyword with
the /ENABLE qualifier of the SET AUDIT command. You can audit batch,
dialup, local, remote, network, subprocess and detached logout classes.
This type of alarm contains the class of logout, the device used,
the origin of the login (if it was remote or network), and the parent
PID (if the login was subprocess). For example:
%%%%%%%%%%% OPCOM 18-DEC-2001 19:14:22.03 %%%%%%%%%%%
Message from user AUDIT$SERVER on LASSIE
Security alarm (SECURITY) on LASSIE, system id: 19611
Auditable event: Dialup interactive logout
Event time: 18-DEC-2001 19:14:22.02
PID: 20200001
Username: DANCER
Terminal name: _TTA1: |
Alarms Announcing Volume Mounts and
Dismounts
You can audit mount or dismount requests by specifying the
MOUNT keyword with the /ENABLE qualifier of the SET AUDIT command.
This type of alarm contains the name of the image used to mount
or dismount the volume, the device used, the log file recording
the operation, the volume name, its UIC and protection code, and
the flags set during the operation. For example:
%%%%%%%%%%% OPCOM 18-DEC-2001 17:43:26.94 %%%%%%%%%%%
Message from user AUDIT$SERVER on CANINE
Security alarm (SECURITY) on CANINE, system id: 19681
Auditable event: Volume mount
Event time: 18-DEC-2001 17:43:26.04
PID: 00000038
Username: HOBBIT
Image name: CANINE$DUA0:[SYS0.SYSCOMMON.][SYSEXE]VMOUNT.EXE;1
Object name: _CANINE$MUA0:
Object type: device
Object owner: [DEVO,HOBBIT]
Object protection: SYSTEM:RWEDC, OWNER:RWEDC, GROUP:RWEDC, WORLD:RWEDC
Logical name: TAPE$DBACK1
Volume name: DBACK1
Mount flags: /OVERRIDE=IDENT/MESSAGE |
Alarms Reporting Network Connections
On VAX systems, you can audit the creation and termination
of logical links with other nodes in the network when the connections
were made through DECnet for OpenVMS. To do so, specify the CONNECTION keyword
with the /ENABLE qualifier of the SET AUDIT command. For example:
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19681
Auditable event: DECnet logical link deleted
Event time: 12-NOV-2001 10:54:25.01
PID: 202002EB
Process name: FAL_16729
Username: HUBERT_N
Process owner: [ACCOUNTS,HUBERT]
Image name: $1$DIA1:[SYS0.SYSCOMMON.][SYSEXE]FAL.EXE
Remote nodename: JPT
Remote node id: 19.130
Remote username: HUBERT
DECnet logical link ID: 16729
DECnet object name: FAL
DECnet object number: 17
Remote logical link ID: 35429
Status: %SYSTEM-S-NORMAL, normal successful completion
|
Alarms Reporting Use of Process Control
System Services
You can audit use of the process control system services,
such as $CREPRC or $GETJPI, by specifying the PROCESS keyword with
the /ENABLE qualifier of the SET AUDIT command. This type of alarm
reports the system service used to control a process, the device
used, the name of the process and its user name. For example:
%%%%%%%%%%% OPCOM 25-JUL-2001 16:07:09.20 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 20300
Auditable event: Process suspended ($SUSPND)
Event time: 25-JUL-2001 16:07:08.77
PID: 30C00119
Process name: Hobbit
Username: HUBERT
Process owner: [LEGAL,HUBERT]
Terminal name: RTA1:
Image name: $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SET.EXE
Status: %SYSTEM-S-NORMAL, normal successful completion
Target PID: 30C00126
Target process name: SMISERVER
Target username: SYSTEM
Target process owner: [SYSTEM] |
Alarms Reporting Use of Privilege
You can audit the use of privilege by specifying the PRIVILEGE
keyword with the /ENABLE qualifier of the SET AUDIT command. The
alarm reports the privilege used and what it was used to do. For
example:
%%%%%%%%%%% OPCOM 17-SEP-2001 10:13:20.16 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 19728
Auditable event: Privilege used
Event information: PRMCEB used to create permanent common event flag
cluster ($ASCEFC)
Event time: 17-SEP-2001 10:13:20.01
PID: 30200117
Process name: Hobbit
Username: HUBERT
Process owner: [MTI,HUBERT]
Terminal name: RTA1:
Image name: DSA1:[HUBERT.TEST.ACCESS]ACCESS.EXE;50
Event flag cluster name: FOO
Privileges used: PRMCEB |
Alarms Reporting Modification of a
System Parameter
You can audit the modification of a system parameter by specifying
the SYSGEN keyword with the /ENABLE qualifier of the SET AUDIT command.
This type of alarm reports on both the active parameters and the parameters
stored on disk. For example:
%%%%%%%%%%% OPCOM 25-JUL-2001 16:09:04.67 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 20300
Auditable event: SYSGEN parameter set
Event time: 25-JUL-2001 16:09:04.65
PID: 30C00119
Process name: Hobbit
Username: HUBERT
Process owner: [LEGAL,HUBERT]
Terminal name: RTA1:
Image name: $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SYSGEN.EXE
Parameters write: SYS$SYSROOT:[SYSEXE]VAXVMSSYS.PAR;68
Parameters inuse: SYS$SYSROOT:[SYSEXE]VAXVMSSYS.PAR;68
NSA_PAGES: New: 15
Original: 10 |
Alarms Reporting a Change in System
Time
You can audit changes to system time by specifying the TIME
keyword with the /ENABLE qualifier of the SET AUDIT command. This
type of alarm reports the old and the new system time, the name
of the user making the modification, and the device used. For example:
%%%%%%%%%%% OPCOM 25-JUL-2001 16:08:25.23 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) on FNORD, system id: 20300
Auditable event: System time recalibrated
Event time: 25-JUL-2001 16:08:25.21
PID: 30C00119
Process name: Hobbit
Username: HUBERT
Process owner: [LEGAL,HUBERT]
Terminal name: RTA1:
Image name: $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SET.EXE
New system time: 25-JUL-2001 16:08:25.19
Old system time: 25-JUL-2001 16:08:25.18 |
Alarms Resulting from Execution of
the SET AUDIT Command
All uses of the SET AUDIT command are automatically audited,
and you cannot disable it. The following alarm messages are examples
of SET AUDIT alarms:
%%%%%%%%%%% OPCOM 12-NOV-2001 10:54:11.91 %%%%%%%%%%%
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on FNORD, system id: 19681
Auditable event: Security alarm state set
Event time: 12-NOV-2001 10:54:11.58
PID: 20200158
Alarm flags: ACL,AUTHORIZATION,CONNECTION
BREAKIN: (DIALUP,LOCAL,REMOTE,NETWORK,DETACHED)
LOGFAIL: (BATCH,DIALUP,LOCAL,REMOTE,NETWORK,
SUBPROCESS,DETACHED) |
