 |
The Question is:
Is there any way to track each single DCL command issued by a user and keep a
complete activity log ?
Something more transparent for the user than a "set host 0/log".
The Answer is :
Please consider reviewing the OpenVMS Frequently Asked Questions (FAQ),
for discussions of and answers to many common questions. Yes, including
this one. Search for MONITOR or AUDIT or other such terminology within
the FAQ, and you will find pointers to Freeware and to available commercial
packages that can be used to track user activity; to spy on system users.
The OpenVMS Wizard generally recommends using system security auditing
and of OpenVMS object protections and not keystroke monitors -- keystroke
monitors are comparatively easy to defeat, and details are difficult to
dig out of the voluminous logs that inevitably result, comparatively
easy to obfuscate -- is that a DCL symbol or a DCL command the user
just executed? -- and privileged users (as is normally the case) can
override the logging mechanisms.
DCL commands are not a class of object that can be protected and can be
alarmed and/or audited. Files, global sections, devices, etc., can all
be protected and alarmed/audited. Without appropriate system security
and system alarms and audits configured, (host-based) logging can be
irrelevent -- keystroke logging is secondary or tertiary to establishing
and maintaining a proper local OpenVMS system security configuration.
If you must have privileged users held accountable, use the two-password
login mechanism and require that two users be present for all operations
on each privileged username. (This is the intended use of the secondary
password mechanism.)
For information on security configuration recommendations, please see
the appendix of the OpenVMS system security manual.
|
|
|
|
|
