Hi,
I have been asked to assist a site with some security auditing. They have enabled file access auditing on command procedures and executable images in certain directories, and we can see the results using ANAL/AUDIT/FULL.
However, the number of entries being generated is huge and so I would like to use a command line tool which enables better control over the fields displayed when reading the audit file.
Does anyone know of such a tool? If not, I can probably write one - if the record layout is documented somewhere.
Thanks,
Jeremy Begg
Looking for a tool to read the security audit file efficiently
Re: Looking for a tool to read the security audit file efficiently
Jeremy,
I can at least answer the question regarding the documentation:
Appendix F. Security Audit Message Format in the System Management Utilities Reference Manual, Volume I: A-L
https://docs.vmssoftware.com/vsi-openvm ... ORD_FORMAT
Volker.
Re: Looking for a tool to read the security audit file efficiently
Yes - basically it is just read the docs and write a program to read the file.
I did some work just for fun:
https://www.vajhoej.dk/arne/articles/vmstd7.html
Re: Looking for a tool to read the security audit file efficiently
Hi Volker, thanks for the pointer to the manual.
I spent a few hours putting together a Pascal program to dump out and summarise the OBJ_ACCESS records of interest. I'm tempted to make it more general-purpose but tuits are in short supply, especially round ones!
Re: Looking for a tool to read the security audit file efficiently
I once implemented an audit server listener and decoder program, though it probably is not complete in decoding everything. Find it on de.OpenVMS.org if interested.
Never believe that a few caring people can't change the world. For, indeed, that's all who ever have.
(Margaret Mead)