[Info-vax] Creating an audit ACL/ACE

Henry Crun mike at rechtman.com
Sat Aug 18 22:43:10 EDT 2018


On 18/08/18 20:23, Jan-Erik Söderholm wrote:
> Den 2018-08-18 kl. 17:33, skrev Kerry Main:
>>> -----Original Message-----
>>> From: Info-vax <info-vax-bounces at rbnsn.com> On Behalf Of Jan-Erik
>>> Söderholm via Info-vax
>>> Sent: August 17, 2018 6:44 AM
>>> To: info-vax at rbnsn.com
>>> Cc: Jan-Erik Söderholm <jan-erik.soderholm at telia.com>
>>> Subject: Re: [Info-vax] Creating an audit ACL/ACE
>>>
>>> Den 2018-08-17 kl. 12:23, skrev DuncanMorris:
>>>> On Friday, August 17, 2018 at 8:20:25 AM UTC+1, Jan-Erik Söderholm wrote:
>>>>> We have one file for which I'd like to know when someone writes to it.
>>>>> The System Security manual has this example:
>>>>>
>>>>> $ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+WRITE-
>>>>> _$ +DELETE+CONTROL+FAILURE+SUCCESS) CONFIDREVIEW.MEM
>>>>>
>>>>> So I tried:
>>>>>
>>>>> $ set security /acl=(audit=security,access=write) <the-file> /log
>>>>> %SET-F-SYNTAX, error parsing ''
>>>>> -SYSTEM-F-IVACL, invalid access control list entry syntax $
>>>>>
>>>>> I also notice that the manual says this before the example above:
>>>>>
>>>>> "...RWOODS can add an entry to the existing ACL for the file
>>>>> CONFIDREVIEW.MEM, as follows:"
>>>>>
>>>>> So, is it correct that one cannot enter an audit ACE as the first and
>>>>> only ACE/ACL? There has to be an ACL on that file before?
>>>>>
>>>>> For different reasons there is no ACL before and I'd prefer not to
>>>>> create any. Or if one can create one that has no real effect...
>>>>>
>>>>> I only want to know when someone or something *writes* to one
>>>>> specific file. The readers are plenty and I do not need to see that.
>>>>>
>>>>> Thanks, Jan-Erik.
>>>>
>>>> You need one of FAILURE/SUCCESS on the command
>>>>
>>>> set security /acl=(audit=security,access=write+success) <file>/log
>>>>
>>>
>>> OK, seems to work (changed "audit=" to "alarm=").
>>>
>>> Now, the alarm seems to come when the file is accessed/opened for write,
>>> not when the actual write happens. And it seems as if our applications always
>>> open the file in r/w mode, even if no writes are done by that application. Ah
>>> well...
>>>
>>> I was only interested in the actual writes to the file. Maybe this method
>>> doesn't work in this case...
>>>
>>> Jan-Erik.
>>>
>>
>> Have you looked at PointSecure's offerings?
>>
> 
> This is a one-off thing. If it can't be done with whatever OpenVMS
> offers out-of-the-box, it will not be done at all.
> 
>> These products provide a huge amount of flexibility in terms of creating custom security rules and additional audit capabilities on OpenVMS.
>>
>> Tracking access:
>> <http://pointsecure.com/solutions/tracking-data-access/>
>> " For example, a rule could be configured to take action based on opening the payroll files for write access...
> 
> That is the issue. I do not want to know that. I want to know
> when any process actually *writes* to the file...
> 
> I will probably fix a script that dumps some of the content
> and compare it with the content 5 min ago. That will pinpoint
> the 5 min timeframe when the change was done. Good enough...
> 
Once you are writing scripts:
Enclose whatever program/utility writes to the file in a script, and keep the record of who makes changes in the file, and when, from there.
Less accessing the file (probably) than polling every 5 minutes, and more precision + granularity.

When OP said "when someone writes to the file" how do they do that? Use an applicative home-brew? An Editor?

-- 
Mike R.
Home: http://alpha.mike-r.com/
QOTD: http://alpha.mike-r.com/qotd.php
No Micro$oft products were used in the URLs above, or in preparing this message.
Recommended reading: http://www.catb.org/~esr/faqs/smart-questions.html#before
                 and: http://alpha.mike-r.com/jargon/T/top-post.html
Missile address: N31.7624/E34.9691
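
The polling approach from the quoted reply (compare the content with the content 5 minutes ago), as an added example that is not part of the original message. It is written in Python rather than DCL so it runs anywhere; the class and function names, the SHA-256 digest, the fake clock and the temporary file are assumptions of the example. It shows that a file opened read/write without any write produces no event, while a real change is bracketed by two sample times.

```python
import hashlib
import os
import tempfile
import time


def digest(path):
    """SHA-256 of the file's current content (assumes the file fits in memory)."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


class WriteWatcher:
    """Compare each sample with the previous one and record the window
    (previous sample time, this sample time) in which the content changed."""

    def __init__(self, path, clock=time.time):
        self.path, self.clock = path, clock
        self.last_time, self.last_digest = clock(), digest(path)
        self.changes = []

    def poll(self):
        now, current = self.clock(), digest(self.path)
        changed = current != self.last_digest
        if changed:
            self.changes.append((self.last_time, now))
        self.last_time, self.last_digest = now, current
        return changed


def demo():
    """Constructed scenario: an open for update with no write, then a real write."""
    ticks = iter([0, 300, 600])          # fake clock: samples 5 minutes apart
    fd, path = tempfile.mkstemp()        # constructed sample file
    try:
        os.write(fd, b"record 1\n")
        os.close(fd)
        watcher = WriteWatcher(path, clock=lambda: next(ticks))
        with open(path, "r+b"):          # opened read/write, nothing written
            pass
        opened_only = watcher.poll()     # content unchanged, so no event
        with open(path, "ab") as f:      # an actual write
            f.write(b"record 2\n")
        written = watcher.poll()         # content changed between 300 and 600
        return opened_only, written, watcher.changes
    finally:
        os.remove(path)
```

The recorded window only says when the content changed, not which process changed it; that attribution is what the wrapper-script suggestion above provides.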


