[Info-vax] Creating an audit ACL/ACE

Jan-Erik Söderholm jan-erik.soderholm at telia.com
Sat Aug 18 13:23:44 EDT 2018


Den 2018-08-18 kl. 17:33, skrev Kerry Main:
>> -----Original Message-----
>> From: Info-vax <info-vax-bounces at rbnsn.com> On Behalf Of Jan-Erik
>> Söderholm via Info-vax
>> Sent: August 17, 2018 6:44 AM
>> To: info-vax at rbnsn.com
>> Cc: Jan-Erik Söderholm <jan-erik.soderholm at telia.com>
>> Subject: Re: [Info-vax] Creating an audit ACL/ACE
>>
>> Den 2018-08-17 kl. 12:23, skrev DuncanMorris:
>>> On Friday, August 17, 2018 at 8:20:25 AM UTC+1, Jan-Erik Söderholm wrote:
>>>> We have one file for which I'd like to know when someone writes to it.
>>>> The System Security manual has this example:
>>>>
>>>> $ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+WRITE-
>>>> _$ +DELETE+CONTROL+FAILURE+SUCCESS) CONFIDREVIEW.MEM
>>>>
>>>> So I tried:
>>>>
>>>> $ set security /acl=(audit=security,access=write) <the-file> /log
>>>> %SET-F-SYNTAX, error parsing ''
>>>> -SYSTEM-F-IVACL, invalid access control list entry syntax $
>>>>
>>>> I also notice that the manual says this before the example above:
>>>>
>>>> "...RWOODS can add an entry to the existing ACL for the file
>>>> CONFIDREVIEW.MEM, as follows:"
>>>>
>>>> So, is it correct that one cannot enter an audit ACE as the first and
>>>> only ACE/ACL? There has to be an ACL on that file before?
>>>>
>>>> For different reasons there is no ACL before and I'd prefer not to
>>>> create any. Or if one can create one that has no real effect...
>>>>
>>>> I only want to know when someone or something *writes* to one
>>>> specific file. The readers are plenty and I do not need to see that.
>>>>
>>>> Thanks, Jan-Erik.
>>>
>>> You need one of FAILURE/SUCCESS on the command
>>>
>>> set security /acl=(audit=security,access=write+success) <file>/log
>>>
>>
>> OK, seems to work (changed "audit=" to "alarm=").
>>
>> Now, the alarm seems to come when the file is accessed/opened for write,
>> not when the actual write happens. And it seems as if our applications always
>> open the file in r/w mode, even if no writes are done by that application. Ah
>> well...
>>
>> I was only interested in the actual writes to the file. Maybe this method
>> doesn't work in this case...
>>
>> Jan-Erik.
>>
> 
> Have you looked at PointSecure's offerings?
> 

This is a one-off thing. If it can't be done with whatever OpenVMS
offers out-of-the-box, it will not be done at all.

> These products provide a huge amount of flexibility in terms of creating custom security rules and additional audit capabilities on OpenVMS.
> 
> Tracking access:
> <http://pointsecure.com/solutions/tracking-data-access/>
> " For example, a rule could be configured to take action based on opening the payroll files for write access...

That is the issue. I do not want to know that. I want to know
when any process actually *writes* to the file...

I will probably fix a script that dumps some of the content
and compare it with the content 5 min ago. That will pinpoint
the 5 min timeframe when the change was done. Good enough...
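One way to implement the 5-minute comparison described above, as an added DCL example that is not part of the thread: instead of dumping part of the content it checksums the whole file with the CHECKSUM utility (assumed to be available and to define the CHECKSUM$CHECKSUM symbol) and logs the interval in which the value changed; the file and log names are placeholders.

```dcl
$! Added example (not from the thread): poll one file every 5 minutes,
$! checksum it, and log the 5-minute window in which its content changed.
$! Assumes the CHECKSUM utility is present and sets CHECKSUM$CHECKSUM.
$ SET NOON
$ file = "DISK$DATA:[APP]THEFILE.DAT"       ! placeholder: the watched file
$ log  = "SYS$LOGIN:THEFILE_CHANGES.LOG"     ! placeholder: where to log
$ IF F$SEARCH(file) .NES. "" THEN GOTO have_file
$ WRITE SYS$OUTPUT "File not found: ", file
$ EXIT
$have_file:
$! Create the log on first run, append on later runs
$ IF F$SEARCH(log) .EQS. ""
$ THEN OPEN/WRITE logf 'log'
$ ELSE OPEN/APPEND logf 'log'
$ ENDIF
$! Baseline checksum and timestamp
$ CHECKSUM 'file'
$ last = CHECKSUM$CHECKSUM
$ last_time = F$TIME()
$ WRITE logf F$TIME(), " watching ", file, " baseline checksum ", last
$loop:
$ WAIT 00:05:00
$! Skip the round if the file is temporarily absent (e.g. being replaced)
$ IF F$SEARCH(file) .EQS. "" THEN GOTO loop
$ CHECKSUM 'file'
$ now = CHECKSUM$CHECKSUM
$ now_time = F$TIME()
$ IF now .NES. last
$ THEN WRITE logf "Content changed between ", last_time, " and ", now_time, -
        " (checksum ", last, " -> ", now, ")"
$ ENDIF
$! Advance the window whether or not a change was seen
$ last = now
$ last_time = now_time
$ GOTO loop
```

Run it as a batch job with SUBMIT and stop it with STOP/IDENTIFICATION when the watch is no longer needed; a change in the checksum only tells you that a write happened in that window, not which process did it.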
