When your system is vulnerable and possibly under attack, your first indications may come from the following sources:

- Reports from users
- System monitoring, for example:
  - Unexplained changes or behavior in applications or normal processes
  - Unexplained messages from OPCOM or the audit server
  - Unexplained changes to user accounts in the system authorization database (privilege changes, protections, priorities, quotas)
Reports from Users

User observations frequently point to system security problems. A user may contact you with the following situations:

- Files are missing.
- There are unexplained forms of last login messages, such as successful logins the user did not perform or unexplained login failures.
- A user cannot log in, suggesting the user password might have been changed since the last successful login or some other form of tampering has occurred.
- Break-in evasion appears to be in effect, and the user cannot log in.
- Reports from the SHOW USERS command indicate that the user is logged in on another terminal when the user did not do so.
- A disconnected job message appears during a login for a process the user never initiated.
- Files exist in the user's directories that the user did not create.
- Unexplained changes have been found in the protection or ownership of user files.
- Listings appear that are generated under the user name without the user requesting the listing.
- A sudden reduction occurs in the availability of resources, such as dialup lines.

Follow up promptly when one of these items is reported to you. You must confirm or deny that the condition exists. If you find the complaint is valid, seek a cause and solution.
Monitoring the System

Ongoing Tasks to Maintain a Secure System lists those tasks that can help you detect potential security breaches on your system. The following list details possible warning signs you may uncover while performing the recommended tasks:

- A user appears on the SHOW USERS report that you know could not be currently logged in.
- You observe an unexplained change in the system load or performance.
- You discover media or program listings are missing or notice other indications that physical security has degraded.
- Your locked file cabinet has been tampered with, and the list of authorized users has disappeared.
- You find unfamiliar software in the system executable image library [SYSEXE] or in [SYSLIB].
- You observe unfamiliar images running when you examine the MONITOR SYSTEM report.
- You observe unauthorized user names when you enter the DCL command SHOW USER. When you examine the listing that the Authorize utility (AUTHORIZE) produces with the SHOW command, you find that those users have been given system access.
- You discover proxy users that you never authorized.
- The accounting report reveals unusual amounts of processing time expended recently, suggesting outside access.
- You observe unexplained batch jobs on the batch queues.
- You observe unexpected device allocations when you enter the SHOW DEVICE command.
- You observe a high level of processing activity at unusual hours.
- The protection codes or the access control lists (ACLs) change on critical files. Identifiers are added, or holders of identifiers are added to the rights list.
- There is high personnel turnover or low morale.

All these conditions warrant further investigation. Some indicate that you already have a problem, and some may have simple explanations, while others may indicate serious potential problems.
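An added example (not from the OpenVMS documentation) of one way to check for two of the signs above, unfamiliar software in [SYSEXE] or [SYSLIB] and changed protection codes on critical files: a DCL command procedure that records a baseline listing of the images in SYS$SYSTEM: and SYS$LIBRARY: and later compares the live listing against it. The procedure name and the baseline file location are assumptions.

```dcl
$! BASELINE_CHECK.COM -- snapshot the images in SYS$SYSTEM: and SYS$LIBRARY:
$! and report anything added, removed, resized, re-owned or re-protected
$! since the snapshot. Added example; file names below are assumptions.
$!   @BASELINE_CHECK BASELINE   records a known-good snapshot
$!   @BASELINE_CHECK            compares the live system with that snapshot
$ SET NOON
$ mode = F$EDIT(P1, "UPCASE,TRIM")
$ base = "SYS$MANAGER:IMAGE_BASELINE.LIS"     ! assumed snapshot location
$ cur  = "SYS$SCRATCH:IMAGE_CURRENT.TMP"
$ diff = "SYS$SCRATCH:IMAGE_DIFF.TMP"
$!
$! One line per image: name, size in blocks, creation date, owner UIC,
$! and protection code, so any of those changing shows up in the comparison.
$ DIRECTORY /NOHEADING /NOTRAILING /COLUMNS=1 -
      /SIZE /DATE=CREATED /OWNER /PROTECTION /OUTPUT='cur' -
      SYS$SYSTEM:*.EXE, SYS$LIBRARY:*.EXE
$!
$ IF mode .EQS. "BASELINE"
$ THEN
$   COPY 'cur' 'base'
$   SET FILE /PROTECTION=(S:RE,O:RE,G,W) 'base'   ! keep the snapshot read-only
$   WRITE SYS$OUTPUT "Baseline recorded in ''base'"
$   GOTO done
$ ENDIF
$!
$ IF F$SEARCH(base) .EQS. ""
$ THEN
$   WRITE SYS$OUTPUT "No baseline found; run @BASELINE_CHECK BASELINE first"
$   GOTO done
$ ENDIF
$!
$! DIFFERENCES returns a warning status (severity 0) when the files differ.
$ DIFFERENCES /OUTPUT='diff' 'base' 'cur'
$ IF $SEVERITY .EQ. 1
$ THEN
$   WRITE SYS$OUTPUT "No change in system images since baseline"
$ ELSE
$   WRITE SYS$OUTPUT "WARNING: system image set differs from baseline:"
$   TYPE 'diff'
$ ENDIF
$!
$done:
$ IF F$SEARCH(cur)  .NES. "" THEN DELETE 'cur';*
$ IF F$SEARCH(diff) .NES. "" THEN DELETE 'diff';*
$ EXIT
```

Keep the baseline where an intruder holding SYSPRV cannot quietly rewrite it (offline media or a write-protected volume), since a baseline that can be edited along with the images proves nothing. Running the comparison from a batch job you have authorized makes a change made between manual checks show up on the next pass.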