$! ------------------ CUT HERE ----------------------- $ v='f$verify(f$trnlnm("SHARE_VERIFY"))' $! $! This archive created by VMS_SHARE Version 7.2-007 22-FEB-1990 $! On 23-JUL-1990 23:19:40.95 By user RLB $! $! This VMS_SHARE Written by: $! Andy Harper, Kings College London UK $! $! Acknowledgements to: $! James Gray - Original VMS_SHARE $! Michael Bednarek - Original Concept and implementation $! $!+ THIS PACKAGE DISTRIBUTED IN 4 PARTS, TO KEEP EACH PART $! BELOW 30 BLOCKS $! $! TO UNPACK THIS SHARE FILE, CONCATENATE ALL PARTS IN ORDER $! AND EXECUTE AS A COMMAND PROCEDURE ( @name ) $! $! THE FOLLOWING FILE(S) WILL BE CREATED AFTER UNPACKING: $! 1. AAA_README.TXT;11 $! 2. AUDIT_LOG.TEMPLATE;9 $! 3. CLUSTER_DO.COM;12 $! 4. CVTIME.COM;12 $! 5. GETNODE.COM;4 $! 6. LOC$OPC_LOGICALS_BLD.COM;3 $! 7. LOC$OPC_UPDATE_BLD.COM;2 $! 8. LOC$SECURITY.COM;23 $! 9. OPERLOG.COM;32 $! 10. SYSECURITY.TEMPLATE;1 $! $set="set" $set symbol/scope=(nolocal,noglobal) $f=f$parse("SHARE_TEMP","SYS$SCRATCH:.TMP_"+f$getjpi("","PID")) $e="write sys$error ""%UNPACK"", " $w="write sys$output ""%UNPACK"", " $ if f$trnlnm("SHARE_LOG") then $ w = "!" $ ve=f$getsyi("version") $ if ve-f$extract(0,1,ve) .ges. "4.4" then $ goto START $ e "-E-OLDVER, Must run at least VMS 4.4" $ v=f$verify(v) $ exit 44 $UNPACK: SUBROUTINE ! P1=filename, P2=checksum $ if f$search(P1) .eqs. "" then $ goto file_absent $ e "-W-EXISTS, File ''P1' exists. Skipped." $ delete 'f'* $ exit $file_absent: $ if f$parse(P1) .nes. "" then $ goto dirok $ dn=f$parse(P1,,,"DIRECTORY") $ w "-I-CREDIR, Creating directory ''dn'." $ create/dir 'dn' $ if $status then $ goto dirok $ e "-E-CREDIRFAIL, Unable to create ''dn'. File skipped." $ delete 'f'* $ exit $dirok: $ w "-I-PROCESS, Processing file ''P1'." $ if .not. f$verify() then $ define/user sys$output nl: $ EDIT/TPU/NOSEC/NODIS/COM=SYS$INPUT 'f'/OUT='P1' PROCEDURE Unpacker ON_ERROR ENDON_ERROR;SET(FACILITY_NAME,"UNPACK");SET( SUCCESS,OFF);SET(INFORMATIONAL,OFF);f:=GET_INFO(COMMAND_LINE,"file_name");b:= CREATE_BUFFER(f,f);p:=SPAN(" ")@r&LINE_END;POSITION(BEGINNING_OF(b)); LOOP EXITIF SEARCH(p,FORWARD)=0;POSITION(r);ERASE(r);ENDLOOP;POSITION( BEGINNING_OF(b));g:=0;LOOP EXITIF MARK(NONE)=END_OF(b);x:=ERASE_CHARACTER(1); IF g=0 THEN IF x="X" THEN MOVE_VERTICAL(1);ENDIF;IF x="V" THEN APPEND_LINE; MOVE_HORIZONTAL(-CURRENT_OFFSET);MOVE_VERTICAL(1);ENDIF;IF x="+" THEN g:=1; ERASE_LINE;ENDIF;ELSE IF x="-" THEN IF INDEX(CURRENT_LINE,"+-+-+-+-+-+-+-+")= 1 THEN g:=0;ENDIF;ENDIF;ERASE_LINE;ENDIF;ENDLOOP;t:="0123456789ABCDEF"; POSITION(BEGINNING_OF(b));LOOP r:=SEARCH("`",FORWARD);EXITIF r=0;POSITION(r); ERASE(r);x1:=INDEX(t,ERASE_CHARACTER(1))-1;x2:=INDEX(t,ERASE_CHARACTER(1))-1; COPY_TEXT(ASCII(16*x1+x2));ENDLOOP;WRITE_FILE(b,GET_INFO(COMMAND_LINE, "output_file"));ENDPROCEDURE;Unpacker;QUIT; $ delete/nolog 'f'* $ CHECKSUM 'P1' $ IF CHECKSUM$CHECKSUM .eqs. P2 THEN $ EXIT $ e "-E-CHKSMFAIL, Checksum of ''P1' failed." $ ENDSUBROUTINE $START: $ create 'f' XSecurity Auditing under VMS V5.2 and following: X XThis is a collection of command procedures Xthat I'm using for setting up and monitoring security auditing. X XThe SYSECURITY.COM is from SYS$MANAGER:. X XLOC$SECURITY.COM is from SYS$COMMON:`5BSYS$STARTUP`5D. XHere is how I have it entered in SYSMAN STARTUP: X XPhase Mode File`20 X------------ ------ --------------------------------- XLPBEGIN DIRECT LOC$SECURITY.COM X Enabled on All Nodes X P1: P2: P3: P4: P5: P6: P7: P8:`20 X XYou may want to have it execute earlier by having SYSTARTUP_V5.COM invoke it V. XIt really depends on how much you have in the SYSMAN tables vs. SYSTARTUP. XAt my site we've stripped 99% of it out of SYSTARTUP and put things into Xthe SYSMAN tables instead. X XAUDIT_LOG.COM is from a directory where I keep daily/weekly batch procedures V. X XGETNODE.COM and CVTIME.COM are from a utility directory. X XCLUSTER_DO.COM is also from the utility directory, although, since it Xrequires OPER privelege at a minimum in order to use SYSMAN, it Xmay be appropriate to put somewhere else. X XLOC$OPC_UPDATE.COM & LOC$OPC_LOGICALS.TEMPLATE: Also enclosed are 2 items Xrelated to controlling OPCOM with regard to logging to console(s) and/or log Xfiles. At my site security logging is turned off to consoles and log files. V`20 XWe also invoke the procedure to change the log file at midnight so that each Xlog file has only 1 day's worth of stuff in it. The 2 items are XLOC$OPC_UPDATE_BLD.COM and LOC$OPC_LOGICALS_BLD.COM. These are "packaged" XSUMSLP kits for modifying the original VMS V5.2 templates distributed by DEC V. XEdit LOC$OPC_LOGICALS.TEMPLATE to make LOC$OPC_LOGICALS.COM. X XI decided to distribute them this way so that I'm only distributing Xthe changes that I made since the basic ideas and/or techniques were Xoriginally put in by DEC. I have made some major changes in the Xprocedure for setting the logging characteristics. X XExecute these procedures produced by unpacking. This will cause the target Xprocedures to be built. They will be placed in SYS$STARTUP as I recall. You Xwill then want to look at the procedures built to decide how you want to Xcustomize them. X XThe whole purpose in life of the LOC$OPC_UPDATE.COM is to re-apply the Xlogicals OPC$* that are defined in the startup when opening a new Xlog file. It turns out that OPCOM doesn't directly use the logicals. XThe logicals are used by the startup procedures to set up the`20 XREPLY commands necessary to make OPCOM do its thing according to the Xlogicals. `20 X XLOC$OPC_UPDATE.COM should be invoked any time that you wish to change Xthe operator log file. `20 X XOPERLOG.COM is the procedure we invoke at midnight in order to set up the Xlogging file for the new day. Basically all it does is to invoke the XLOC$OPC_LOGICALS.COM then LOC$OPC_UPDATE.COM then makes sure that all`20 Xof the previous day's logfiles are concatenated together so there is only X1 logfile from each day. If you have a MIDNIGHT or NEWDAY job you can Xmodify OPERLOG.COM to your liking and simply invoke it from the job you Xalready have. X XThe REPLY/LOG command does a little bit more than just opening a new log Xfile -- it also resets the logging to log all messages to the file. So ther Ve's Xa bit of code to make sure that only those logging classes specified are on. V`20 XAll others are explicitly turned off. `20 X XLOC$OPC_LOGICALS.COM is extracted/modified from the SYLOGICALS.TEMPLATE file V.`20 XIt should be invoked from SYS$MANAGER:SYLOGICALS.COM. X XThere are some interesting & ANNOYING quirks in the V5.2 release of Xthe AUDIT_SERVER code. A lot of the facts are discussed (and disgust) Xin the AUDIT_LOG.COM comment notes. X XIf you haven't already worked out your own way of dealing with this Xwonderful new toy, here is a way that I've done it. `20 X XAUDIT_LOG.COM is set up to set, modify, and summarize the audit journal and Xarchive files on a daily basis. If any interesting events are found, it Xsends mail to the appropriate individual(s). This procedure is called Xfrom LOC$SECURITY.COM (in startup phase LPBEGIN) in order to create logical Xnames. It is then called every day shortly after midnight on 1 node in Xthe cluster. We have a job we run on each cpu at midnight. It is coded Xso that the secondary audit analyzer checks to see if the primary is up. XIf not, the secondary one completes the analysis and updates all of the Xlogicals and SET AUDIT settings on the cluster. X XThere is one event that I haven't covered yet that would include the Xinstance where both the primary and secondary analysis cpus are down Xacross midnight. In this instance, the midnight job will invoke the Xprocedure when the machine is booted up, but the procedure as coded will Xnot pick up the previous journal file(s) for analysis. If it happened Xat midnight of the end of the month it could also fail to perform the Xmonthly analysis. I have further enhancements in mind to handle these Xcircumstances, but they will involve a little more coding. My plan is Xto check for the existence of daily summary markers and monthly markers Xin a file. If the marker doesn't appear for a particular date/month then Xthe analysis will be performed for the missing time(s) as well as the Xcurrent date. Do you have any experience with coding for solving similar Xproblems? Basically it is devising a scheme for catching up to get`20 Xcurrent without skipping anything unnecessarily. X XIf you like/dislike anything you find in this collection, please send Xme feedback. I'm planning to release it to DECUS for distribution if Xit is satisfactory. X XHow to start using this setup: X0. Decide where you're going to place all of the procedures from this X kit. They have come out of SYS$COMMON:`5BSYS$STARTUP`5D,`20 X SECURITY_DISK:`5BAUDIT.EXE`5D, QUECOM:, and UTL:. You will probably wan Vt X to choose your own places to put these things. The files that X begin with LOC$ are best placed in SYS$STARTUP ( or your favorite X substitute if you have modified SYS$STARTUP to include a site X specific directory). Edit the references to subprocedures so that X all of the references are correct. X X1. Edit the SYSECURITY.COM file. X X2. Create the necessary directory(s) where everything will go. X Examples are SECURITY_DISK:`5BAUDIT`5D with subdirectories `5B.EXE`5D, X `5B.JOURNAL`5D, `5B.ARCHIVE`5D, `5B.DOC`5D, etc.... X X3. Edit AUDIT_LOG.COM to reflect the site specific things you want to X do with it. X X4. Put AUDIT_LOG.COM into the `5BAUDIT.EXE`5D directory X X5. Look for a time when you think you can pull this off without leaving X too much of a gap when auditing is disabled. X X6. For each node in your cluster: X X`09a. Login to the system manager's account (or do all of your nodes X at once by using sysman to do this) X`09b. SET AUDIT/SERVER=EXIT X`09c. @SYS$MANAGER:SYSECURITY X`09d. SET AUDIT/SERVER=START X`09e. @SYS$STARTUP:LOC$SECURITY X X7. Add a command to your new day(or midnight) job to execute AUDIT_LOG X on one node in your cluster each day. Also add a command to`20 X execute OPERLOG or your equivalent on each node of your cluster X at midnight. X XIf you have any observations, comments, or problems with these procedures Xplease send me some mail about it. I'm sure that future versions of XVMS will require changes -- also, I hope that some of the kluge code Xin AUDIT_LOG and LOC$SECURITY can be done away with. X X----------------------------------------------------------------- X Bob Boyd `20 X Harris Microelectronics Ctr. Internet: rlb@rtpark.rtp.semi.harris.com X POB 13049, MS 7T3-01 `20 X RTP, NC 27709-3049 Voice: (919)549-3627`20 $ CALL UNPACK AAA_README.TXT;11 1445293819 $ create 'f' X$! AUDIT_LOG.TEMPLATE -- This is a template file -- rename to AUDIT_LOG.COM X$! X$! Security Audit Journal/Archive Control & Analysis X$! for VMS V5.2 and later. X$! X$! ** See the end of this file for documentation ** X$! X$! Site Specific Parameters Are Next X$!==================================================================== X$! SITE SPECIFIC PARAMETER SECTION X$!==================================================================== X$! X$! This user receives all of the security audit analysis outputs X$! X$ security_manager = "Your_Favorite_Martian_Here" X$! X$! This next list of user(s) receives only the breakin detection analysis X$! results. This would include any operations/support staff who may X$! need to be aware of attempted breakins in case assistance with passwords X$! is requested. X$! X$! If you don't want it to go to ANYONE other than the security manager, X$! then set this one to null X$! X$ breakin_notice_recipients = "list,of,others" ! "OPERATIONS" X$! X$! Your site name should go here. You can override this one with X$! a logical name definition -- look at the sample SYSECURITY.COM for X$! a definition example. X$! X$ site_name_default = "YourSiteNameHere" X$ X$! X$! Where the sub-procedures live (copies came with the distribution) X$! X$ cluster_do = "@UTL:CLUSTER_DO" ! execute a command on all the cpus in the V cluster X$ getnode = "@UTL:GETNODE" ! multi-method node name determination X$! X$! List of events to be given in brief form on a daily basis. X$! X$ event_brief_list = "SYSUAF,NETUAF,LOGFAIL,BREAKIN" X$! X$! List of events to report as breakins or other serious events. X$! X$ event_full_list = "BREAKIN" X$! X$! End of site specific parameter section X$!================================================================== X$ vfl = f$VER(0.or.f$TRNLNM("debug$audit").or.f$TRNLNM("debug$dcl")) X$ set noon X$! to find out where this procedure lives and the directory it's in... X$ who_am_i = f$ELEMENT(0,";",f$ENVIRONMENT("procedure")) ! latest version X$ who_am_i_exactly = f$ENVIRONMENT("procedure") ! this very procedure X$ where_am_i = f$PARSE("a.b;0",who_am_i,,,"syntax_only")-"A.B;0" X$ vms_version = f$GETSYI("version") X$ if f$LOC(".",vms_version).lt.f$LEN(vms_version) X$ then X$`09if (vms_version-".").lts."V52" X$`09then X$`09`09write sys$output who_am_i,"-F-VERMISMATCH,",- X`09`09" this procedure requires VMS V5.2 or later" X$`09`09exit %X80010004 X$`09endif X$ endif X$ invocation = p1 X$ analyze_flag = p2 X$ null = "" X$! X$! List of different choices for ARCHIVE_TYPE logical name. X$ archive_choices = "A,B,C" X$! X$ req_priv = "SECURITY,SYSNAM,SYSPRV,BYPASS" X$ lnm_table = "lnm$group_000001" X$! X$! Determine if a SITE name has been supplied X$! X$ site_name = f$TRNLNM("SITE_NAME","LNM$SYSTEM","EXECUTIVE") X$ if site_name.eqs.null then $ site_name = site_name_default X$! X$! Elevate privileges X$! X$ save_privs = f$SETPRV(req_priv) X$! X$! The archive type should be defined in SYS$MANAGER:SYSECURITY.COM or X$! SYS$STARTUP:LOC$SECURITY.COM. Defaults to "A" X$! X$ archive_type = f$TRNLNM("audit_archive_type",lnm_table,"executive") X$ if archive_type.eqs.null then $ archive_type = "A" X$ archive_type = f$EDIT(f$EXT(0,1,archive_type),"upcase") X$ security_audit_directory = f$PARSE("A.B;",- X`09f$TRNLNM("audit_server","lnm$system","executive"))-"A.B;" X$ audit_journal_directory = f$PARSE("`5Bjournal`5D",security_audit_directory V)-".;" X$ audit_archive_directory = f$PARSE("`5Barchive`5D",security_audit_directory V)-".;" X$ audit_work_directory = f$PARSE("`5Bwork`5D",security_audit_directory)-".;" +-+-+-+-+-+-+-+- END OF PART 1 +-+-+-+-+-+-+-+-