Hi,
I have been asked to assist a site with some security auditing. They have enabled file access auditing on command procedures and executable images in certain directories, and we can see the results using ANAL/AUDIT/FULL.
However, the number of entries being generated is huge and so I would like to use a command line tool which enables better control over the fields displayed when reading the audit file.
Does anyone know of such a tool? If not, I can probably write one - if the record layout is documented somewhere.
Thanks,
Jeremy Begg
Looking for a tool to read the security audit file efficiently
Re: Looking for a tool to read the security audit file efficiently
Jeremy,
I can at least answer the question regarding the documentation:
Appendix F. Security Audit Message Format in the System Management Utilities Reference Manual, Volume I: A-L
https://docs.vmssoftware.com/vsi-openvm ... ORD_FORMAT
Volker.
Re: Looking for a tool to read the security audit file efficiently
Yes - basically it is just read the docs and write a program to read the file.
I did some work just for fun:
https://www.vajhoej.dk/arne/articles/vmstd7.html
Re: Looking for a tool to read the security audit file efficiently
Hi Volker, thanks for the pointer to the manual.
I spent a few hours putting together a Pascal program to dump out and summarise the OBJ_ACCESS records of interest. I'm tempted to make it more general-purpose but tuits are in short supply, especially round ones!
Re: Looking for a tool to read the security audit file efficiently
I once implemented an audit server listener and decoder program, though it probably is not complete in decoding everything. Find it on de.OpenVMS.org if interested.
Opportunity is missed by most people because it is dressed in overalls and looks like work.
(Thomas A. Edison)