[Info-vax] Creating an audit ACL/ACE

Jan-Erik Söderholm jan-erik.soderholm at telia.com
Sun Aug 19 01:57:46 EDT 2018


Den 2018-08-19 kl. 04:43, skrev Henry Crun:
> On 18/08/18 20:23, Jan-Erik Söderholm wrote:
>> Den 2018-08-18 kl. 17:33, skrev Kerry Main:
>>>> -----Original Message-----
>>>> From: Info-vax <info-vax-bounces at rbnsn.com> On Behalf Of Jan-Erik
>>>> Söderholm via Info-vax
>>>> Sent: August 17, 2018 6:44 AM
>>>> To: info-vax at rbnsn.com
>>>> Cc: Jan-Erik Söderholm <jan-erik.soderholm at telia.com>
>>>> Subject: Re: [Info-vax] Creating an audit ACL/ACE
>>>>
>>>> Den 2018-08-17 kl. 12:23, skrev DuncanMorris:
>>>>> On Friday, August 17, 2018 at 8:20:25 AM UTC+1, Jan-Erik Söderholm wrote:
>>>>>> We have one file for which I'd like to know when someone writes to it.
>>>>>> The System Security manual have this example:
>>>>>>
>>>>>> $ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+WRITE-
>>>>>> _$ +DELETE+CONTROL+FAILURE+SUCCESS) CONFIDREVIEW.MEM
>>>>>>
>>>>>> So I tried:
>>>>>>
>>>>>> $ set security /acl=(audit=security,access=write) <the-file> /log
>>>>>> %SET-F-SYNTAX, error parsing ''
>>>>>> -SYSTEM-F-IVACL, invalid access control list entry syntax $
>>>>>>
>>>>>> I also notice that the manual says this before the example above:
>>>>>>
>>>>>> "...RWOODS can add an entry to the existing ACL for the file
>>>>>> CONFIDREVIEW.MEM, as follows:"
>>>>>>
>>>>>> So, is it correct that one cannot enter an audit ACE as the first and
>>>>>> only ACE/ACL? There have to be an ACL on that file before?
>>>>>>
>>>>>> For different reasons there is no ACL before and I'd prefer not to
>>>>>> create any. Or if one can create one that has no real effect...
>>>>>>
>>>>>> I only want to know when someone or something *writes* to one
>>>>>> specific file. The readers are plenty and I do not need to see that.
>>>>>>
>>>>>> Thanks, Jan-Erik.
>>>>>
>>>>> You need one of FAILURE/SUCCESS on the command
>>>>>
>>>>> set security /acl=(audit=security,access=write+success) <file>/log
>>>>>
>>>>
>>>> OK, seems to work (changed "audit=" to "alarm=").
>>>>
>>>> Now, the alarm seems to come when the file is accessed/opened for write,
>>>> not when the actual write happens. And it seems as if our applications always
>>>> open the file in r/w mode, even if no writes are done by that application.
>>>> Ah well...
>>>>
>>>> I was only interested in the actual writes to the file. Maybe this method
>>>> doesn't work in this case...
>>>>
>>>> Jan-Erik.
>>>>
>>>
>>> Have you looked at PointSecure's offerings?
>>>
>>
>> This is a one-off thing. If it can't be done with whatever OpenVMS
>> offers out-of-the-box, it will not be done at all.
>>
>>> These products provide a huge amount of flexibility in terms of creating 
>>> custom security rules and additional audit capabilities on OpenVMS.
>>>
>>> Tracking access:
>>> <http://pointsecure.com/solutions/tracking-data-access/>
>>> " For example, a rule could be configured to take action based on 
>>> opening the payroll files for write access...
>>
>> That is the issue. I do not want to know that. I want to know
>> when any process actually *writes* to the file...
>>
>> I will probably fix a script that dumps some of the content
>> and compares it with the content 5 min ago. That will pinpoint
>> the 5 min timeframe when the change was done. Good enough...
>>
> Once you are writing scripts:
> Enclose whatever program/utility that writes to the file in a script, and 
> keep the record of who makes changes in the file, and when, from there.
> Less accessing the file (probably) than polling every 5 minutes, and more 
> precision + granularity
> 
> When OP said "when someone writes to the file" how do they do that? Use an 
> applicative home-brew? An Editor?
> 

The file contains configuration parameters for work stations
in the factory. It is edited with a VT-screen application where
you can display a record, edit and press "save". The issue is
that we see unexpected updates to the file. A simple logging
could easily be added in the application around the place where
that "save" button is processed, but I was just trying to see
what could be done with the tools at hand...

And since it is technically possible to write to the file from
other sources, I thought it would be better to have the file
itself trigger the logging than that editing application.

Thanks for the ideas anyway.

Jan-Erik.
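The two ideas from the thread combined in stock DCL, as an added example that no participant posted: the alarm ACE reports every open for write (who touched the file), and a 5-minute checksum poll logs only real content changes, with the file's revision date narrowing the write to its close time. Assumed, not from the thread: the file spec is passed as P1 and the log file as P2 (both placeholders), the procedure runs with CONTROL access to the file, and ACL alarms are enabled (SET AUDIT/ALARM/ENABLE=ACL).

```dcl
$! Added example, not from the thread. P1 = file to watch, P2 = log file
$! (placeholders). Needs CONTROL access to P1 and ACL alarms enabled.
$ ON ERROR THEN EXIT
$ file = P1
$ log  = P2
$!
$! The alarm ACE from the thread: fires on each successful open for write,
$! not on each write, so it tells who opened the file, not what changed.
$ SET SECURITY/ACL=(ALARM=SECURITY,ACCESS=WRITE+SUCCESS) 'file'
$!
$! Baseline checksum. CHECKSUM opens the file for read only, so the poll
$! itself never raises the write alarm.
$ CHECKSUM 'file'
$ last = checksum$checksum
$ IF F$SEARCH(log) .EQS. ""
$ THEN
$   OPEN/WRITE lf 'log'
$   CLOSE lf
$ ENDIF
$ loop:
$ WAIT 00:05:00
$ CHECKSUM 'file'
$ IF checksum$checksum .EQS. last THEN GOTO loop
$!
$! Content changed: log the poll time and the file's revision date, which
$! pins the write to the close of the writing channel, not the 5-min window.
$ OPEN/APPEND lf 'log'
$ WRITE lf F$TIME(), " content changed, last revision at ", -
    F$FILE_ATTRIBUTES(file, "RDT")
$ CLOSE lf
$ last = checksum$checksum
$ GOTO loop
```

The alarm messages reach OPCOM and the audit journal, while the log file only records polls at which the checksum differed.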
