HP OpenVMS Systems Documentation
OpenVMS Guide to System Security
9.5.4 Using the Audit Analysis Utility Interactively
When you send output to a terminal, you can analyze an audit log file interactively. At any time during the display of a listing, you can interrupt the report being displayed by pressing Ctrl/C. This automatically initiates a full listing and gives you the Command> prompt. In command mode, you can advance or return to earlier records in the report and study them in greater detail.
At the Command> prompt, you can enter any of the ANALYZE/AUDIT commands listed in the OpenVMS System Management Utilities Reference Manual to modify the analysis criteria, to change position within the audit report, or to toggle between full and brief displays. To return to an audit report listing, enter the
When a routine analysis of an audit log file leads you to suspect that the security of your system has been compromised (through an actual or attempted intrusion, repeated login failures, or any other suspicious security events), you can investigate the source of the security event through a more detailed inspection of the security audit log file.
For example, assume that you see the security events shown in Example 9-7 during a routine inspection of the previous day's audit report.
The security events displayed in the report shown in Example 9-7 indicate that user Kovacs logged in to the system following four unsuccessful login attempts. Shortly after logging in, user Kovacs created a new account in the system user authorization file (SYSUAF.DAT).
At this point, you must determine whether this behavior is normal or abnormal. Is user Kovacs authorized to add new user accounts to the system? If you believe that the security of your system has been compromised, use the following command to generate a more detailed report from the security audit log file to determine if damage has been done to your system:
The command in this example generates a full report of all security audit events written to the audit log file since user Kovacs first attempted to log in to the system. In a full format report, all the data for each record in the audit log file is displayed. Using the full report, you can determine the name of the remote user who logged in under the local KOVACS account and the node from which the login was made, as shown in Example 9-8.
The information displayed in Example 9-8 indicates that the login failures and subsequent successful login were made by user Follen from the remote node NACHWA. Your next step is to determine whether the security events were generated by user Follen or by someone who has broken into the remote node NACHWA through the FOLLEN account.
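As an added example (not part of the manual), the sequence the investigation above describes reduced to a detection rule over a constructed, simplified brief-style listing: a run of LOGFAIL records, a successful LOGIN, then a SYSUAF change by the same user. The node name LOCNOD, the column layout and the event-type spellings are assumptions rather than the real ANALYZE/AUDIT output format; each finding returns the time of the first failure, which is where the detailed report should start.

```python
from datetime import datetime, timedelta

# Constructed sample in a simplified brief-listing layout (not a real ANALYZE/AUDIT
# dump): date, time, event type, subtype, node, username. LOCNOD is a made-up node name.
SAMPLE_LISTING = """\
 3-MAR-1994 16:15:02.28  LOGFAIL  REMOTE  LOCNOD  KOVACS
 3-MAR-1994 16:15:20.12  LOGFAIL  REMOTE  LOCNOD  KOVACS
 3-MAR-1994 16:15:38.04  LOGFAIL  REMOTE  LOCNOD  KOVACS
 3-MAR-1994 16:15:55.61  LOGFAIL  REMOTE  LOCNOD  KOVACS
 3-MAR-1994 16:16:10.89  LOGIN    REMOTE  LOCNOD  KOVACS
 3-MAR-1994 16:18:03.30  SYSUAF   ADDREC  LOCNOD  KOVACS
 3-MAR-1994 16:20:00.00  LOGIN    LOCAL   LOCNOD  SYSTEM
"""

def parse_listing(text):
    """Parse brief-style lines into (time, type, subtype, node, user) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, etype, subtype, node, user = line.split()
        stamp = datetime.strptime(f"{date} {clock}", "%d-%b-%Y %H:%M:%S.%f")
        records.append((stamp, etype, subtype, node, user))
    return sorted(records)

def find_suspicious_logins(records, min_failures=3, window=timedelta(minutes=10)):
    """Flag a LOGIN preceded by at least min_failures LOGFAILs for the same user and
    followed, within `window`, by a SYSUAF change by that user. Each finding carries
    the first failure's time: the point a full report should start from (e.g. /SINCE)."""
    failures = {}   # user -> LOGFAIL times seen since that user's last LOGIN
    pending = {}    # user -> (first_failure, failure_count, login_time)
    findings = []
    for stamp, etype, _subtype, _node, user in records:
        if etype == "LOGFAIL":
            failures.setdefault(user, []).append(stamp)
        elif etype == "LOGIN":
            fails = failures.pop(user, [])    # a successful login ends the run
            if len(fails) >= min_failures and stamp - fails[0] <= window:
                pending[user] = (fails[0], len(fails), stamp)
        elif etype == "SYSUAF" and user in pending:
            first_fail, count, login_time = pending.pop(user)
            if stamp - login_time <= window:
                findings.append({"user": user, "failures": count, "login": login_time,
                                 "uaf_change": stamp, "report_since": first_fail})
    return findings

if __name__ == "__main__":
    for hit in find_suspicious_logins(parse_listing(SAMPLE_LISTING)):
        print(f"{hit['user']}: {hit['failures']} failures, login {hit['login']:%H:%M:%S}, "
              f"SYSUAF change {hit['uaf_change']:%H:%M:%S}; report since {hit['report_since']}")
```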
This section discusses how to manage the auditing system. Management tasks include the following:
9.6.1 Tasks Performed by the Audit Server
The operating system creates the audit server as a detached process during system startup to perform the following tasks:
The audit server sends informational and error messages to the operator communication manager (OPCOM). OPCOM broadcasts these messages to operator terminals and writes the messages to the operator log file.
Example 9-9 displays the audit server's initial operating values. These settings are stored in the audit server database, VMS$AUDIT_SERVER.DAT in SYS$COMMON:[SYSMGR]. Any time you modify security-auditing characteristics by using the DCL command SET AUDIT, the audit server database is updated. Each time the system is rebooted, it takes the auditing values from this database.
If the physical memory or disk storage space on your system is especially limited and logging of security-related events is not important, you can remove the audit server and OPCOM processes from the system startup procedure. Before you do so, be aware that cluster object support requires the audit server (see Chapter 11). The following example shows how you would remove these processes with the System Management utility (SYSMAN):
To delete the audit server process and shut down security auditing on the system, enter the following commands on each node in the cluster:
You can restart security auditing and OPCOM on the system by executing the following DCL command lines:
To start the OPCOM and the audit server processes for all subsequent system boots, reverse your previous edits of the system startup procedure. Use the following SYSMAN commands:
See the OpenVMS System Management Utilities Reference Manual for more information about SYSMAN.
Ordinarily, the operating system starts sending audit-event messages just before SYSTARTUP_VMS.COM executes. However, a site that is not interested in receiving audit-event messages during startup can alter this behavior by redefining the logical name SYS$AUDIT_SERVER_INHIBIT.
To change the point where the operating system begins to deliver security event messages, add the following line to the SYS$MANAGER:SYLOGICALS.COM command procedure:
A system manager can choose another phase of system startup to initiate auditing, perhaps at the end of SYSTARTUP_VMS. However, be sure to initiate auditing before allowing any general logins to the system (that is, before any SET LOGINS/INTERACTIVE command). To initiate delivery of auditing messages, add the following line to the appropriate command file:
9.6.4 Choosing the Number of Outstanding Messages That Trigger Process Suspension
Unless the audit server controls the influx of messages, it is possible under some conditions to run out of memory. A very slow I/O device, a disk space problem, or even a sudden onslaught of messages can exceed the server's ability to write messages to disk. To prevent memory exhaustion, the audit server constantly monitors the total number of outstanding messages and tallies the number of messages contributed by each active process. If the server receives more events than it can log to disk, it begins applying flow control to those processes generating
Message volume is controlled on a per-process basis. Table 9-7 shows the three stages of flow control:
You can establish site-specific values for controlling messages by using the /BACKLOG qualifier to the SET AUDIT command. For example, the following command raises the action thresholds so that the operating system starts controlling the influx of messages when it has 125 unprocessed messages in its queue and a contributing process has eight messages outstanding:
9.6.4.1 Preventing Process Suspension
Naturally, the operating system never suspends certain critical processes. Realtime processes and any of the following processes are exempt:
You can prevent the suspension of a process by adding its process identifier (PID) to the process exclusion list. Use the following form of the SET AUDIT command:
Be aware that processes (PIDs) are not automatically removed from the process exclusion list when processes log out of the system. To remove a process from the exclusion list, use the SET AUDIT/NOEXCLUDE command. Processes excluded by the operating system cannot be removed.
When processes on the exclusion list (see Section 9.6.4.1) produce so many audit messages that the audit server runs out of memory, the default behavior of the audit server is to remove old event messages until memory is available. It saves the most current messages.
The audit server has other alternatives when it encounters memory limitations:
To alter the default behavior of the audit server and instruct it to ignore all new audit messages rather than purge the old ones, enter the following command:
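An added illustration (not the OpenVMS implementation) of the backlog handling described in Section 9.6.4 and the memory-exhaustion behavior just above: per-process flow control that triggers only when both /BACKLOG thresholds are exceeded, a PID exclusion list, and the choice between purging the oldest messages (the default) and ignoring new ones. The class, its resume-on-flush rule and the numeric limits are assumptions made for the model.

```python
from collections import Counter, deque

class AuditServerModel:
    """Simplified model (assumed here, not the OpenVMS implementation) of how the
    audit server throttles contributors: per-process flow control against the
    /BACKLOG thresholds, a PID exclusion list, and the final action taken when
    buffer memory is exhausted (purge the oldest messages, or ignore new ones)."""

    def __init__(self, total_threshold=100, process_threshold=5, memory_limit=200,
                 final_action="PURGE_OLD", excluded=()):
        self.total_threshold = total_threshold      # queue-wide threshold (SET AUDIT/BACKLOG)
        self.process_threshold = process_threshold  # per-process threshold (SET AUDIT/BACKLOG)
        self.memory_limit = memory_limit            # messages the buffer can hold
        self.final_action = final_action            # "PURGE_OLD" (default) or "IGNORE_NEW"
        self.excluded = set(excluded)               # PIDs never suspended (/EXCLUDE)
        self.queue = deque()                        # (pid, message) not yet on disk
        self.suspended = set()
        self.dropped = 0

    def outstanding(self):
        """Messages still buffered, tallied per contributing process."""
        return Counter(pid for pid, _ in self.queue)

    def submit(self, pid, message):
        """Accept one event from `pid`; returns False if it was not buffered."""
        if pid in self.suspended:                   # a suspended process cannot run
            return False
        if len(self.queue) >= self.memory_limit:
            self.dropped += 1
            if self.final_action == "IGNORE_NEW":
                return False
            self.queue.popleft()                    # default: discard the oldest message
        self.queue.append((pid, message))
        if len(self.queue) >= self.total_threshold:  # both thresholds must be exceeded
            for p, count in self.outstanding().items():
                if count >= self.process_threshold and p not in self.excluded:
                    self.suspended.add(p)
        return True

    def flush(self, n=None):
        """Write up to n buffered messages to disk (all if n is None) and resume
        processes once the backlog is back under the thresholds (model assumption)."""
        for _ in range(len(self.queue) if n is None else min(n, len(self.queue))):
            self.queue.popleft()
        if len(self.queue) < self.total_threshold:
            self.suspended.clear()
        else:
            counts = self.outstanding()
            self.suspended = {p for p in self.suspended if counts[p] >= self.process_threshold}
```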
The audit server runs with a fixed virtual memory limit (PGFLQUOTA) of 20,480 pages. This may be further limited by the size of page files installed on the system. You can adjust the size of page files by running AUTOGEN. Whenever it detects a page file problem, AUTOGEN automatically resets the size to alleviate the problem.
If you are auditing a set of security events in which the order of occurrence is important, all clocks within a cluster need to remain synchronized. This ensures that message time-stamping on all nodes in the cluster closely reflects the order in which events occurred.
Because each node in a cluster configuration maintains time independently, it is possible for cluster times to drift apart over time. To prevent drifting, use the SYSMAN command CONFIGURATION SET TIME at regular intervals. The OpenVMS System Management Utilities Reference Manual provides a sample command procedure that you can run every hour to maintain clock synchronization to within a second.
The audit server stores security event messages in memory and periodically transfers groups of messages from its buffers to the audit log file on disk. Usually, the audit server transfers auditing messages every 5 minutes and archived messages (see the section on archiving audit messages) every minute. Except for some high-security environments and instances where extreme numbers of audit messages are being generated on the system, this default should be sufficient.
High-security sites can transfer event messages to disk at higher than normal rates by modifying the interval of log transfer operations. The following command, for example, changes the audit server's characteristics so it writes event messages to the audit log file every 2 minutes:
Frequent message transfers can impact system performance, however, because the system performs more I/O operations rather than storing messages in the system buffers associated with the audit server process.
To immediately force all audit messages to the log file, enter the following command:
9.6.8 Allocating Disk Space for the Audit Log File
The audit server constantly monitors the disk space allocated to the security audit log file to ensure there is adequate space for event messages. Whenever the file runs low on available blocks, the audit server extends the audit log file. If disk resource limitations prevent the server from allocating more blocks to the log file, it takes one of the following actions:
The threshold values may be expressed in blocks or as a delta time. Delta time values are multiplied by the average space consumption rate to yield a number of blocks. The maximum of the block and time threshold values is used as the active threshold value.
Resources consumed by the OpenVMS security-auditing facility vary with the number and type of system events being recorded. Three different error conditions can develop related to the auditing facility:
This section discusses the default behavior of the auditing system in monitoring disk space and logging to an archive file.
The audit server monitors the audit log file and regularly pre-extends its disk block allocation to ensure there is adequate space for incoming event messages. Whenever disk space is unavailable, the server first warns you through operator messages and then resorts to suspending certain contributing processes (see Section 9.6.8). If you find many processes suspended for no apparent reason, it is probably because your audit disk is full. Once you correct the disk space problem, you can resume suspended processes with the SET AUDIT/SERVER=RESUME command (rather than wait for the next resource scan).
You can disable resource monitoring altogether by entering the following command: