While users are learning the system, you may choose
to monitor terminal sessions if the user performs an especially sensitive
function, such as accessing sensitive data or controlling a system
operation. (Sometimes users may choose to log their own sessions so
they have a record of their actions. If this is the case, they can
use the command SET HOST 0/LOG interactively after their initial login.)
This section describes one method of logging users' sessions
by setting up a restricted account. Many third-party products provide
other ways of monitoring sessions that are more efficient. Regardless
of the method you select, you should check with your legal department
to make sure this is acceptable practice.
By using a special restricted account and appropriate
command procedures, you can enforce the logging of terminal sessions
for selected users. These users would need to log in to the restricted
account first and then log in to their own account. The restricted
account ensures that the session is logged.
The following example provides guidelines on how
to set up the restricted account (named USER_LOG in this example)
and includes samples of appropriate command procedures:
Set up the restricted
account USER_LOG as follows:
UAF>ADD USER_LOG /FLAGS=(RESTRICTED,DISMAIL,DISNEWMAIL)-
_UAF>/NONETWORK /NOBATCH /UIC=[200,256]
The SESSIONLOG.COM command
procedure enables logging of the terminal session:
$ ! SESSIONLOG.COM - log in to specified account with terminal session
$ ! logging enabled.
$ WRITE SYS$OUTPUT "Please log in to the account of your choice."
$ WRITE SYS$OUTPUT "Your terminal session will be recorded."
$ WRITE SYS$OUTPUT ""
$ ! Acquire the intended user name and save it in a temporary file. Use
$ ! it to name the log file, and pass it as the first line of input to
$ ! LOGIN.
$ READ/PROMPT="Username: " SYS$COMMAND USERNAME
$ PID = F$GETJPI (0, "PID")
$ OPEN/WRITE OUTPUT USERNAME'PID'.TMP
$ WRITE OUTPUT USERNAME
$ CLOSE OUTPUT
$ DEFINE/USER SYS$INPUT USERNAME'PID'.TMP
$ SET HOST 0 /LOG='USERNAME'.LOG
$ DELETE USERNAME'PID'.TMP;0
Set up each account for
which session auditing is to be enforced. The following command sets
up the account for user Smith:
UAF>MODIFY SMITH /FLAGS=RESTRICTED /NOLOCAL /NODIALUP -
Because the restricted login command procedure
ensures that the login is coming from the USER_LOG account using a
SET HOST command, the session is logged.
You may also want to disable
batch and network access for each user account to allow only local
logins from the USER_LOG account. For example:
UAF>MODIFY SMITH/FLAGS=RESTRICTED/NOLOCAL/NODIALUP/NOBATCH -
The following CHECKLOG.COM
command procedure verifies that the user is logging in to the USER_LOG
account. For this procedure to work correctly, you must enable DECnet
proxy accounts as described in “Setting Up a Proxy Database”.
$ ! CHECKLOG.COM - ensure that the account is being logged in to
$ ! the USER_LOG account.
$ IF F$MODE () .NES. "INTERACTIVE" THEN EXIT
$ ! Verify that the connection originated from the local node and
$ ! from the USER_LOG account.
$ IF F$LOGICAL ("SYS$NODE") .EQS. F$LOGICAL ("SYS$REM_NODE")-
.AND. F$LOGICAL ("SYS$REM_ID") .EQS. "USER_LOG"-
THEN GOTO OK
$ WRITE SYS$OUTPUT "You may log in to this account only with ",-
"the USER_LOG account."
$ ! When the login has been verified, enable Ctrl/Y to
$ ! release the account, invoke the user's LOGIN.COM, and turn
$ ! control over to the user.
$ SET CONTROL_Y
$ IF F$SEARCH ("LOGIN.COM") .EQS. "" THEN EXIT