HP OpenVMS Guide to System Security: Security for the User, Using the System Responsibly
Auditing Access to Your Account and Files
This section describes how to monitor your last login time for possible intrusions. It also describes how to work with your security administrator to enable certain types of auditing.
Observing Your Last Login Time
The operating system maintains information in your UAF record about the last time you logged in to your account. Your security administrator decides whether the system should display this information at login time. Sites with medium to high security requirements frequently display this information and ask users to check it for unusual or unexplained successful logins and unexplained failed logins.
If there is a report of an interactive or a noninteractive login at a time when you were not logged in, report it promptly to your security administrator. Also change your password. The security administrator can investigate further by using accounting files and audit logs.
If you receive a login failure message and cannot account for the failure, it is likely that someone has been trying to access your account unsuccessfully. Check your password to ensure that it adheres to all recommendations for password security described in Guidelines for Protecting Your Password. If not, change your password immediately.
If you expect to see a login failure message and it does not appear or if the count of failures is too low, change your password. Report either of these indications of login failure problems to your security administrator.
Adding Access Control Entries to Sensitive Files
If you have key files that may have been accessed improperly, you may want to develop a strategy with your security administrator to audit access to the files.
Once you review the situation and ensure that you have done everything possible to protect your files with standard protection codes and general ACLs (described in Protecting Data), you may conclude that security auditing is required.
To specify security auditing, you can add special access control entries (ACEs) to files you own or to which you have control access. Keep in mind, however, that the audit log file is a systemwide mechanism, so HP recommends that a site security administrator control the use of file auditing. Although you can add auditing ACEs to files over which you have control, the security administrator has to enable auditing of files on a system level.
For example, if user RWOODS and his security administrator agree that they must know when a highly confidential file, CONFIDREVIEW.MEM, is being accessed, RWOODS can add an entry to the existing ACL for the file CONFIDREVIEW.MEM, as follows:

    $ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+WRITE-
    _$ +DELETE+CONTROL+FAILURE+SUCCESS) CONFIDREVIEW.MEM

After RWOODS adds the security-auditing entry, the security administrator enables file-access auditing so that access attempts are recorded. See Auditing File Access for more information on file-access auditing.
An access violation of one file frequently indicates access problems with other files. Therefore, the security administrator may need to monitor access to all key files having security-auditing ACEs. When undesired access is gained to key files, the security administrator must take immediate action.
Asking Your Security Administrator to Enable Auditing
A security administrator can direct the operating system to send an audit message to the system security audit log file or an alarm to terminals enabled as security operator terminals whenever security-relevant events occur. For example, the security administrator might identify one or more files for which write access is prohibited. An audit message can be sent to indicate attempted access to these files.
Auditing File Access
If you suspect intrusion attempts to your account, the security administrator may temporarily enable auditing for all file access. The security administrator can also enable auditing to monitor read access to your files to catch file browsers.
For example, assume you decide to audit the file CONFIDREVIEW.MEM, which has a security-auditing ACE (see Adding Access Control Entries to Sensitive Files). If user ABADGUY accesses CONFIDREVIEW.MEM and has delete access, the following audit record is written to the system security audit log file:
    %%%%%%%%%%%  OPCOM   7-DEC-2001 07:21:11.10  %%%%%%%%%%%
    Message from user AUDIT$SERVER on BOSTON
    Security audit (SECURITY) on BOSTON, system id: 19424
    Auditable event:          Attempted file access
    Event time:               7-DEC-2001 07:21:10.84
    PID:                      23E00231
    Username:                 ABADGUY
    Image name:               BOSTON$DUA0:[SYS0.SYSCOMMON.][SYSEXE]DELETE.EXE
    Object name:              _BOSTON$DUA1:[RWOODS]CONFIDREVIEW.MEM;1
    Object type:              file
    Access requested:         DELETE
    Status:                   %SYSTEM-S-NORMAL, normal successful completion
    Privileges used:          SYSPRV

The auditing message reveals the name of the perpetrator, the method of access (successful deletion accomplished by using the program [SYSEXE]DELETE.EXE), the time of access (7:21 a.m.), and the use of a privilege (SYSPRV) to gain access to the file. With this information, the security administrator can take action.
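The record above is what an administrator reads by hand; the following added example (not part of the HP guide) parses one OPCOM security audit message into its fields and lists the points the text calls out: a successful modifying access, a privilege used to gain it, and a user other than the directory owner touching a watched user's file. The sample message is constructed to match the layout shown, and the watched directory list is an assumption.

```python
import re

# Constructed sample, laid out as the OPCOM security audit message shown on this page.
SAMPLE_AUDIT = """\
%%%%%%%%%%%  OPCOM   7-DEC-2001 07:21:11.10  %%%%%%%%%%%
Message from user AUDIT$SERVER on BOSTON
Security audit (SECURITY) on BOSTON, system id: 19424
Auditable event:          Attempted file access
Event time:               7-DEC-2001 07:21:10.84
PID:                      23E00231
Username:                 ABADGUY
Image name:               BOSTON$DUA0:[SYS0.SYSCOMMON.][SYSEXE]DELETE.EXE
Object name:              _BOSTON$DUA1:[RWOODS]CONFIDREVIEW.MEM;1
Object type:              file
Access requested:         DELETE
Status:                   %SYSTEM-S-NORMAL, normal successful completion
Privileges used:          SYSPRV
"""

FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*)$")   # matches "Field name:   value" lines only

def parse_audit_record(text):
    """Return the field lines of one OPCOM security audit message as a dict (keys lower-cased)."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m:
            fields[m.group(1).strip().lower()] = m.group(2).strip()
    return fields

def flag_record(fields, watched_dirs=("RWOODS",)):
    """List the reasons an administrator would act on this record; empty means nothing notable."""
    reasons = []
    # OpenVMS status codes carry their severity letter: -S- is success (e.g. %SYSTEM-S-NORMAL).
    success = "-S-" in fields.get("status", "")
    access = fields.get("access requested", "").upper()
    privs = fields.get("privileges used", "").upper()
    obj = fields.get("object name", "")
    user = fields.get("username", "").upper()
    # The [DIRECTORY] part of the VMS file specification; a user's login directory is usually [USERNAME].
    dir_m = re.search(r"\[([A-Z0-9$_]+)\]", obj.split(":")[-1])
    directory = dir_m.group(1) if dir_m else ""
    if success and access in ("WRITE", "DELETE", "CONTROL"):
        reasons.append(f"successful {access} on {obj}")
    if privs and privs != "NONE":
        reasons.append(f"privilege {privs} used to gain access")
    if directory in watched_dirs and user != directory:
        reasons.append(f"{user} reached into [{directory}]")
    return reasons
```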
Note that the security audit message is written to the security audit log file every time any file is accessed and meets the conditions specified in the audit entry of the ACL for that file (see Adding Access Control Entries to Sensitive Files). Access to the file CONFIDREVIEW.MEM, as well as access to any file on the system that is protected with security auditing, prompts an audit record to be written to the security audit log file.
After auditing has been introduced, check with your security administrator periodically to see if any additional intrusions have occurred.
Additional Events to Audit
In addition to file auditing, the security administrator can select other types of events that warrant special attention when they occur. Events triggering an audit or alarm may include the following: