[Info-vax] Creating an audit ACL/ACE
Kerry Main
kemain.nospam at gmail.com
Sat Aug 18 11:33:34 EDT 2018
> -----Original Message-----
> From: Info-vax <info-vax-bounces at rbnsn.com> On Behalf Of Jan-Erik
> Söderholm via Info-vax
> Sent: August 17, 2018 6:44 AM
> To: info-vax at rbnsn.com
> Cc: Jan-Erik Söderholm <jan-erik.soderholm at telia.com>
> Subject: Re: [Info-vax] Creating an audit ACL/ACE
>
> On 2018-08-17 at 12:23, DuncanMorris wrote:
> > On Friday, August 17, 2018 at 8:20:25 AM UTC+1, Jan-Erik Söderholm wrote:
> >> We have one file for which I'd like to know when someone writes to it.
> >> The System Security manual has this example:
> >>
> >> $ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+WRITE-
> >> _$ +DELETE+CONTROL+FAILURE+SUCCESS) CONFIDREVIEW.MEM
> >>
> >> So I tried:
> >>
> >> $ set security /acl=(audit=security,access=write) <the-file> /log
> >> %SET-F-SYNTAX, error parsing ''
> >> -SYSTEM-F-IVACL, invalid access control list entry syntax
> >> $
> >>
> >> I also notice that the manual says this before the example above:
> >>
> >> "...RWOODS can add an entry to the existing ACL for the file
> >> CONFIDREVIEW.MEM, as follows:"
> >>
> >> So, is it correct that one cannot enter an audit ACE as the first and
> >> only ACE/ACL? There has to be an ACL on that file before?
> >>
> >> For different reasons there is no ACL before and I'd prefer not to
> >> create any. Or if one can create one that has no real effect...
> >>
> >> I only want to know when someone or something *writes* to one
> >> specific file. The readers are plenty and I do not need to see that.
> >>
> >> Thanks, Jan-Erik.
> >
> > You need one of FAILURE/SUCCESS on the command
> >
> > set security /acl=(audit=security,access=write+success) <file>/log
> >
>
> OK, seems to work (changed "audit=" to "alarm=").
>
> Now, the alarm seems to come when the file is accessed/opened for write,
> not when the actual write happens. And it seems as if our applications always
> open the file in r/w mode, even if no writes are done by that application. Ah
> well...
>
> I was only interested in the actual writes to the file. Maybe this method
> doesn't work in this case...
>
> Jan-Erik.
>
Have you looked at PointSecure's offerings?
These products provide a huge amount of flexibility in terms of creating custom security rules and additional audit capabilities on OpenVMS.
Tracking access:
<http://pointsecure.com/solutions/tracking-data-access/>
"For example, a rule could be configured to take action based on opening the payroll files for write access by anyone outside of accounting and human resources personnel. The actions might include sending email to the security group and logging the user out of the system. A second rule could be configured to take action if an account which normally would access the files during business hours accesses the files after business hours. The actions for that rule might include sending an email and logging the user session. Both rules would, of course, create a security event in the System Detective security database."
Forcing Use of Encrypted Connections:
<http://pointsecure.com/solutions/forcing-the-use-of-encrypted-connections/>
System Detective
<http://pointsecure.com/products/system-detective/>
PointAudit
<http://pointsecure.com/products/pointaudit/>
Regards,
Kerry Main
Kerry dot main at starkgaming dot com