[Info-vax] Creating an audit ACL/ACE
Arne Vajhøj
arne at vajhoej.dk
Sat Aug 18 23:17:35 EDT 2018
On 8/17/2018 6:44 AM, Jan-Erik Söderholm wrote:
> On 2018-08-17 at 12:23, DuncanMorris wrote:
>> On Friday, August 17, 2018 at 8:20:25 AM UTC+1, Jan-Erik Söderholm wrote:
>>> We have one file for which I'd like to know when someone writes to it.
>>> The System Security manual has this example:
>>>
>>> $ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+WRITE-
>>> _$ +DELETE+CONTROL+FAILURE+SUCCESS) CONFIDREVIEW.MEM
>>>
>>> So I tried:
>>>
>>> $ set security /acl=(audit=security,access=write) <the-file> /log
>>> %SET-F-SYNTAX, error parsing ''
>>> -SYSTEM-F-IVACL, invalid access control list entry syntax
>>> $
>>>
>>> I also notice that the manual says this before the example above:
>>>
>>> "...RWOODS can add an entry to the existing ACL for the
>>> file CONFIDREVIEW.MEM, as follows:"
>>>
>>> So, is it correct that one cannot enter an audit ACE as the first
>>> and only ACE/ACL? There has to be an ACL on that file before?
>>>
>>> For different reasons there is no ACL before and I'd prefer not to
>>> create any. Or if one can create one that has no real effect...
>>>
>>> I only want to know when someone or something *writes* to one specific
>>> file. The readers are plenty and I do not need to see that.
>>
>> You need one of FAILURE/SUCCESS on the command
>>
>> set security /acl=(audit=security,access=write+success) <file>/log
>
> OK, seems to work (changed "audit=" to "alarm=").
>
> Now, the alarm seems to come when the file is accessed/opened
> for write, not when the actual write happens. And it seems as
> our applications always open the file in r/w mode, even if no
> writes are done by that application. Ah well...
>
> I was only interested in the actual writes to the file. Maybe
> this method doesn't work in this case...

If you really really need the info: PTD$ process, SET WATCH FILE and an
output parser.

Arne