|
HP OpenVMS Guide to System Security |
Security for the System Administrator |
|
Security Auditing |
|
|
| |
ANALYZE/AUDIT generates a report from the log file so that you become familiar with normal activity on your system and can easily spot atypical activity. It summarizes events for you and plots where activity is occurring on the cluster. The utility also helps you analyze atypical activity because it is capable of selecting a subset of information from an audit report and of providing fuller information for your analysis. While the analysis of a single audit log file might not be significant, audit records can, over time, reveal a pattern of activity that indicates security violations.
Recommended Procedure
This section describes
how to analyze audit log files on your system. Although the way
you use ANALYZE/AUDIT depends upon the security needs at your site,
there are a number of common steps that you should follow, regardless
of the extent to which you use the utility. Before you can recognize
potential security problems, you need to become familiar with the
normal operation of your system. Then you can develop a procedure
for generating and reviewing audit reports on a periodic basis.
Whenever your regular analysis of audit log files leads you to suspect
a security problem, you should perform a detailed investigation of
selected security events.
As a security administrator, you should be able to answer the following questions before analyzing an audit log file:
By knowing the answers to these questions, you can eliminate false alarms, which otherwise may cause you to wrongly suspect a security problem.
Step 2: Periodically Analyze the Audit Report
The most common type of report to generate is a brief, daily listing of events. You can create a command procedure that runs in a batch job every evening before midnight to generate a report of the day's security event messages. (You can use the same procedure to create a new version of the audit log [see Maintaining the File].)
The following example shows the ANALYZE/AUDIT command line to generate this report:
$ANALYZE/AUDIT/SINCE=TODAY/OUTPUT=31DEC2000.AUDIT -[1]
_$SYS$MANAGER:SECURITY.AUDIT$JOURNAL$MAIL/SUBJECT="Security Events" 31DEC2000.AUDIT SYSTEM[2]
Depending on the number of security events that you are auditing on your system, it can be impractical to review every audit record written to the audit log file. In this case, you can select a specific set of records from the log file, such as all audit records related to changes in the authorization database and break-in attempts, or all events occurring outside normal business hours.
Analyze any subprocess-related audits with the knowledge that a pipe subprocess (created by the DCL PIPE command) can generate the audits. The PIPE command can create a large number of subprocesses to execute a single PIPE command. This can mean a potential increase in auditing events that are related to subprocess activities (for example, process creation, process deletion, login, logfailure, and logout).
It is important that you review audit reports as soon as possible. The sooner you inspect the reports, the sooner you become aware of any possible breach of security on the system and can determine the extent of the problem. You can make the inspection of the previous day's audit report a regular part of your morning routine, or you can create a program that reviews the report and notifies you through the Mail utility (MAIL) when suspicious events appear.
Step 3: Scrutinize Suspicious Activity
If, during your review, you find any security events that appear suspicious or out of place, like login attempts outside normal business hours, then use the Audit Analysis utility to perform a more detailed inspection of the security audit log file. A full report can help you determine which security events logged to the audit log file warrant a more thorough investigation.
The following command generates a full report of selected security audit records:
The audit report for December 31, 2000 contains information on all intrusion attempts and all modifications to the system user authorization file (SYSUAF.DAT) and the rights database (RIGHTSLIST.DAT).$ANALYZE/AUDIT/FULL/SINCE=TODAY/OUTPUT=31DEC2000.AUDIT -_$/EVENT_TYPE=(BREAKIN,RIGHTSDB,SYSUAF)$MAIL/SUBJECT="Security Events" 31DEC2000.AUDIT SYSTEM
Invoking
the Audit Analysis Utility
The Audit Analysis utility is the tool you use to produce
a meaningful report from a binary log file. This section and the
sections that follow describe how to use the utility, but refer
to the HP OpenVMS System Management Utilities Reference
Manual
for complete documentation of the utility's commands
and qualifiers.
To invoke the Audit Analysis utility, use the following DCL command:ANALYZE/AUDIT file-name
For the file-name parameter, substitute the name of the file from which audit reports are to be generated. The default name of the security audit log file is SECURITY.AUDIT$JOURNAL. You must specify the directory: SYS$MANAGER.
Providing Report Specifications
With the Audit Analysis utility, you are able to extract all
or some of the security event messages from a single audit log and
produce reports with various levels of detail.
The audit report reflects events from the set of event classes a site has enabled (see Reporting Security-Relevant Events). You can tailor the report so only a subset of events are extracted. The selection criteria can be based on time, on event class, or on field of data within the event message. (See the documentation of the /SELECT qualifier in the HP OpenVMS System Management Utilities Reference Manual .) Qualifiers for the Audit Analysis Utility summarizes the qualifiers that determine the content of the report.
| Type | Qualifier | Description |
|---|---|---|
|
Content
|
/BEFORE
|
Extracts event messages
logged before the specified time.
|
|
|
/SINCE
|
Extracts event messages
logged after the specified of time.
|
|
|
/EVENT_TYPE
|
Extracts event messages
of a specific event class (see
Kinds of Security Events the System Can Report ).
|
|
|
/SELECT
|
Extracts event messages
based on data in the messages. (For example, /SELECT=USERNAME=JSNOOP
lists only security event messages generated by user JSNOOP.)
|
|
|
/IGNORE
|
Excludes event messages
from the report based on data in the messages.
|
|
Format
|
/BRIEF
|
Produces a report with one
line of information about each record in the audit log file, such
as the type of event, when it occurred, and the terminal from which
it originated (see
Brief Audit Report). This is the default.
|
|
|
/FULL
|
Provides all possible data
for each record in the audit log file being processed (see
One Record from a Full Audit Report).
Alarm Messages provides sample alarm messages for each event
class.
|
|
|
/SUMMARY
|
Lists the total number of
audit messages for each event class in the log file being analyzed
(see
Summary of Events in an Audit Log File). It can also
plot the aggregate events per hour on each node.
|
|
|
/BINARY
|
Produces a binary file so
you can extract records for further analysis using your own data
reduction tools. See the HP OpenVMS System Management
Utilities Reference Manual
for a description of the
audit message record format.
|
|
Destination
|
/OUTPUT
|
Specifies the report destination. By
default, it goes to SYS$OUTPUT.
|
ANALYZE/AUDIT produces audit reports in different formats (see Qualifiers for the Audit Analysis Utility). The utility produces a one-line summary of each record in the log file by default. Brief, one-line reports are most useful for routine analysis of a log file. The more detailed full reports provide the detail necessary for analyzing records of a suspicious nature. If you are interested in archiving portions of a log file, the binary listing lets you store a subset of an audit log file.
A summary report helps you identify potential security problems quickly. For each class of security event, a summary report can list the total number of audit messages extracted from the security audit log file being analyzed. A summary report can also display a plot of auditing activity, based on the system generating the event message, the time when it occurred, and the total number of events seen.
Brief Audit Report shows a brief report of all the security audit events logged to the system security audit log file. In the ANALYZE/AUDIT command that generates the report, substitute the name of your audit log file.
One Record from a Full Audit Report shows one record from a full format audit report. In the ANALYZE/AUDIT command that generates the report, substitute the name of your audit log file.
Summary of Events in an Audit Log File shows a summary report. In the ANALYZE/AUDIT command that generates the report, substitute the name of your audit log file.
Using the Audit Analysis Utility Interactively
When you send output
to a terminal, you can analyze an audit log file interactively.
At any time during the display of a listing, you can interrupt the
report being displayed by pressing Ctrl/C. This automatically initiates
a full listing and gives you the Command> prompt. In command
mode, you can advance or return to earlier records in the report
and study them in greater detail.
At the Command> prompt, you can enter any of the ANALYZE/AUDIT commands listed in the HP OpenVMS System Management Utilities Reference Manual to modify the analysis criteria, to change position within the audit report, or to toggle between full and brief displays. To return to an audit report listing, enter the CONTINUE command.
Examining the Report
When a routine
analysis of an audit log file leads you to suspect that the security
of your system has been compromised (through an actual or attempted
intrusion, repeated login failures, or any other suspicious security
events), you can investigate the source of the security event through
a more detailed inspection of the security audit log file.
For example, assume that you see the security events shown in Identifying Suspicious Activity in the Audit Report during a routine inspection of the previous day's audit report.
The security events displayed in the report shown in Identifying Suspicious Activity in the Audit Report indicate that user Kovacs logged in to the system following four unsuccessful login attempts. Shortly after logging in, user Kovacs created a new account in the system user authorization file (SYSUAF.DAT).
At this point, you must determine whether this behavior is normal or abnormal. Is user Kovacs authorized to add new user accounts to the system? If you believe that the security of your system has been compromised, use the following command to generate a more detailed report from the security audit log file to determine if damage has been done to your system:
The command in this example generates a full report of all security audit events written to the audit log file since user Kovacs first attempted to log in to the system. In a full format report, all the data for each record in the audit log file is displayed. Using the full report, you can determine the name of the remote user who logged in under the local KOVACS account and the node from which the login was made, as shown in Scrutinizing a Suspicious Record.$ANALYZE/AUDIT/FULL/SINCE=01-JUN-2003:16:06
The information displayed in Scrutinizing a Suspicious Record indicates that the login failures and subsequent successful login were made by user Follen from the remote node NACHWA. Your next step is to determine whether the security events were generated by user Follen or by someone who has broken into the remote node NACHWA through the FOLLEN account.
|
|
