[Info-vax] Creating an audit ACL/ACE

Jan-Erik Söderholm jan-erik.soderholm at telia.com
Fri Aug 17 06:44:16 EDT 2018


On 2018-08-17 at 12:23, DuncanMorris wrote:
> On Friday, August 17, 2018 at 8:20:25 AM UTC+1, Jan-Erik Söderholm wrote:
>> We have one file for which I'd like to know when someone writes to it.
>> The System Security manual has this example:
>>
>> $ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+WRITE-
>> _$ +DELETE+CONTROL+FAILURE+SUCCESS) CONFIDREVIEW.MEM
>>
>> So I tried:
>>
>> $ set security /acl=(audit=security,access=write) <the-file> /log
>> %SET-F-SYNTAX, error parsing ''
>> -SYSTEM-F-IVACL, invalid access control list entry syntax
>> $
>>
>> I also notice that the manual says this before the example above:
>>
>> "...RWOODS can add an entry to the existing ACL for the
>> file CONFIDREVIEW.MEM, as follows:"
>>
>> So, is it correct that one cannot enter an audit ACE as the first
>> and only ACE/ACL? There has to be an ACL on that file before?
>>
>> For different reasons there is no ACL before and I'd prefer not to
>> create any. Or if one can create one that has no real effect...
>>
>> I only want to know when someone or something *writes* to one specific
>> file. The readers are plenty and I do not need to see that.
>>
>> Thanks, Jan-Erik.
> 
> You need one of FAILURE/SUCCESS on the command
> 
> set security /acl=(audit=security,access=write+success) <file>/log
> 

OK, seems to work (changed "audit=" to "alarm=").

Now, the alarm seems to come when the file is accessed/opened
for write, not when the actual write happens. And it seems as
our applications always open the file in r/w mode, even if no
writes are done by that application. Ah well...

I was only interested in the actual writes to the file. Maybe
this method doesn't work in this case...

Jan-Erik.
