[Info-vax] vms base priority watch

John Wallace johnwallace4 at yahoo.co.uk
Mon Jul 11 18:37:49 EDT 2011 

On Jul 11, 8:24 pm, "Richard B. Gilbert" <rgilber... at comcast.net>
wrote:
> On 7/11/2011 12:48 PM, pcovie... at gmail.com wrote:
>
>
>
> > On Jul 11, 12:01 pm, "Richard B. Gilbert"<rgilber... at comcast.net>
> > wrote:
> >> On 7/11/2011 11:09 AM, pcovie... at gmail.com wrote:
>
> >>> On Jul 11, 10:43 am, "Richard B. Gilbert"<rgilber... at comcast.net>
> >>> wrote:
> >>>> On 7/11/2011 9:46 AM, Bob Koehler wrote:
>
> >>>>> In article<1f612927-5e98-44e0-91e2-d889916c4... at gh5g2000vbb.googlegroups.com>, "pcovie... at gmail.com"<pcovie... at gmail.com>      writes:
> >>>>>> ok well. I did ask a yes/no question! me bad!  yes I understand the
> >>>>>> non-prived user would not do this but... we have given users the
> >>>>>> rights to do this early in the morning to get their jobs completed,
> >>>>>> when there are less users on the system.
>
> >>>>>       If the system is otherwize idle at that time, that should have no affect.
> >>>>>       If only some users get to do this in the ealy hours, then it's worth while.
>
> >>>>>       VMS does not delay lowpriorityprocesses just to make them take
> >>>>>       longer, it there are no higherpriorityprocesses doing anything.
>
> >>>> I can recall occasions during which a job was getting 99 percent of the
> >>>> CPU at PriorityOne.  The "hunt and peck" typists never noticed it!
>
> >>> thanks everyone,  I know it isn't the best solution, but as I said I
> >>> just started the job and need to pick and choose what comes first...
> >>> thinking about this some more and doing some digging I thought
> >>> accounting would tell you who might have issued a command?   after a
> >>> year some things are still fuzzy, so haven't come up with anything
> >>> yet, but I'm wondering as someone pointed out that what if they hit
> >>> the time between the hour!  so it might be best to see if I can audit
> >>> who issued the command and see what time?  any ideas?
>
> >> Accounting is not going to tell you who issued a command unless that
> >> command created a process.  In Unix you can't blink without starting a
> >> process or two.  Not so in VMS!
>
> >> Maybe you should back up a bit and define the problem you are trying to
> >> solve!- Hide quoted text -
>
> >> - Show quoted text -
>
> > opps thought that's what I did but maybe not.. looking for a way to
> > see who set priority during the day and what time to make sure they
> > are not abusing it outside the hours they are allowed too...
>
> > thanks
> > Paul
>
> I can't think of a way to determine who used privilege to override
> normal priority assignments.  I don't think it's a good idea to let
> users tinker with scheduling priorities.  If the work is not getting
> done in the time available, you can try throwing resources at it.
> That only works if you HAVE the resources.
>
> You might look at the programs being run!  Those who are not
> programmers, frequently fail to write GOOD code.  An optimizing compiler
> can be a big help but it's not a substitute for code that was well
> designed and written in the first place!

Fortunately for other readers the VMS operating system is quite good
at security. VMS is not Linux and it's definitely not Windows, but it
has ways and means of doing many things which those other OSes think
they don't need. In this case the relevant capability is tracking
privileges and the use thereof.

If that's what someone wants to do, VMS's security facilities can
relatively trivially be used to track who did what in that respect,
without programming or 3rd party software, but it may require a tiny
bit of familiarity with basic VMS security concepts and facilities
such as auditing, the audit log, etc.

One DCL interface to these facilities is the SET AUDIT command, which
is documented in the DCL Dictionary and the Guide to System Security.

Interested readers can have a look at the DCL Dictionary, e.g. at
http://h71000.www7.hp.com/doc/83final/9996/9996pro_172.html
and there you will find the use of the relevant SET AUDIT switches
documented e.g. in this case
/PRIVILEGE=SETPRI
would audit the (successful or unsuccesful, as required) use of SETPRI
privilege (or whatever other privilege(s) might be relevant).

The rest of the details, such as the analysis of the audit log after
the event, or the creation of an audit mailbox listener program to be
notified in real-time when interesting security events happen, is also
documented. Here is probably not the place for a free consultancy
session in VMS security basics, though doubtless there are
contributors here who would be happy to oblige, depending on scope
perhaps without the 'free' piece?

Whether priorities are actually relevant to the underlying question is
a slightly different question. Time will tell.

More information about the Info-vax mailing list