-+-+-+-+-+-+-+-+ START OF PART 2 -+-+-+-+-+-+-+-+ X$ tmp_file = audit_journal_directory+"security.tmp" X$ if f$TYPE(my_node).eqs.null then $ getnode my_node X$ defgroup = "define/table="+lnm_table+"/executive_mode/name_attrib=no_alias V" X$! X$! Compute the new audit and archive file names X$! X$ date = f$CVTIME(null,,"date") X$ new_audit_file = f$PARSE(date+"_"+site_name,audit_journal_directory) X$ new_audit_journal = f$PARSE(".audit$journal",new_audit_file) X$ month = f$CVTIME(null,,"year")+"-"+f$CVTIME(null,,"month") X$ if archive_type .eqs."B" X$ then ! archive_type=B X$ `09new_audit_archive = f$PARSE(month+"_"+my_node+".AUDIT$archive",- X`09`09`09audit_archive_directory) X$ else X$ if archive_type .eqs."C" .or. archive_type .eqs."A" X$ then ! archive_type = C or A X$ `09new_audit_archive = f$PARSE(month+"_"+site_name+".AUDIT$archive",- X`09`09`09audit_archive_directory) X$ endif ! archive_type = C or A X$ endif ! archive_type = B X$ old_audit_journal = - X`09f$SEARCH(f$TRNLNM("audit_journal",lnm_table,"executive")) X$ old_audit_archive = - X`09f$TRNLNM("audit_archive",lnm_table,"executive") X$ OLD_archive_name = f$PARSE(old_audit_archive,,,"name") X$ new_archive_name = f$PARSE(new_audit_archive,,,"name") X$ OLD_journal_name = f$PARSE(old_audit_journal,,,"name") X$ new_journal_name = f$PARSE(new_audit_journal,,,"name") X$ if f$VER() then $ show sym/local/all X$! X$! Is it time to setup a new journal file (new day) ? X$! X$ if f$PARSE(";",old_audit_journal).nes.f$PARSE(";",new_audit_journal) X$ then ! need a new journal X$`09defgroup audit_journal 'new_audit_journal' X$`09if invocation.nes."STARTUP" X$`09then ! It isn't startup X$`09 cluster_do "''defgroup' audit_journal ''new_audit_journal'" X$`09 tvfl = f$VER(1) X$! Use method 1 if uic group is same as 1 X$`09 if f$GETJPI(null,"GRP").eq.1 X$`09 then ! UIC GRP = 1 X$! method 1 X$`09 cluster_do "set audit/journal/destination=audit_journal:"`20 X$!`09"show device/file/nosys audit_journal:" ! debug code X$! X$`09 else`09! the user is in a different UIC group so use actual name X$! method 2 X$ `09 cluster_do "set audit/journal/destination=''new_audit_journal'" X$!`09"show device/file/nosys audit_journal:"`09! debug code X$`09 endif ! uic group X$`09 directory/date=all 'f$PARSE(";*",new_audit_journal)' X$`09 set audit/server=new_log X$!`09 cluster_do "sho dev/file/nosys audit_server:" ! debug code X$`09 directory/date=all 'f$PARSE(";*",new_audit_journal)' X$`09 tmp = f$VER(tvfl) X$`09 if f$VER() then $ show audit/all X$! X$! Do we need to do an analysis of the old file(s)? X$! X$`09else ! This is STARTUP time X$`09 set audit/journal/dest=audit_journal: X$ `09endif ! not startup X$ else ! no new journal X$ if invocation.eqs."STARTUP" ! startup in progress X$ then X$`09 set audit/journal/dest=audit_journal: X$ endif X$ endif ! new journal needed X$ if analyze_flag X$ then ! analyze flag X$ if f$PARSE(";",old_audit_journal).eqs.f$PARSE(";",new_audit_journal) th Ven - X$`09old_audit_journal = null X$ old_date = "yesterday" X$ old_suffix = "_"+site_name+".audit$journal" X$OLD_JOURNAL_LOOP: X$ old_file = - X`09f$PARSE(f$CVTIME(old_date,,"date")+old_suffix,audit_journal_directory) X$ previous_journal = f$SEARCH(old_file) X$ if previous_journal.eqs.null X$ then X$`09old_date = f$CVTIME(old_date+"-1-0:","absolute","date") X$`09if f$CVTIME(old_date).gts.f$CVTIME("today-31-0:") then $ goto OLD_JOURNA VL_LOOP X$ endif X$ old_audit_journal = f$PARSE(";*",old_audit_journal,previous_journal) X$ if f$VER() then $ show sym old_audit_journal X$ analyze/audit/event=('event_brief_list')/output='tmp_file' 'old_audit_j Vournal' X$ analyze/audit/event=('event_full_list')/output='tmp_file'/full 'old_aud Vit_journal' X$ if f$SEARCH(tmp_file+";").nes.null X$ then ! tmp_file created X$! Analyze/audit always produces a file even if it's empty, so check here X$`09if (breakin_notice_recipients.nes.null) .and. - X`09`09(f$FILE_ATTRIBUTE(tmp_file,"eof").ne.0) then - X$`09mail/subj="Security Alarms Detected" 'tmp_file' - X`09`09'breakin_notice_recipients' X$`09if f$SEARCH(tmp_file+";-1").nes.null then - X$`09`09append 'tmp_file';-1 'tmp_file';/log X$! Analyze/audit always produces a file even if it's empty, so check here X$`09if f$FILE_ATTRIBUTE(tmp_file,"eof").ne.0 then - X$`09mail 'tmp_file' 'security_manager'/subj="Security Alarms Detected" X$`09delete 'tmp_file';* X$ endif ! tmp_file created X$ endif ! analyze flag X$! X$! Is it time for a new archive file to be set up ? X$! X$ if old_archive_name.nes.new_archive_name .or. - X`09f$PARSE(";",old_audit_archive).nes.f$PARSE(";",new_audit_archive) X$ then ! new archive is needed X$`09defgroup audit_archive 'new_audit_archive' X$! X$! RLB 4-Jan-1990 X$! X$! Due to strangeness of the behavior of V5.2 audit archive I have X$! decided for this implementation to use mode B. X$! This is not the slickest way to do it since it involves having a X$! separate audit server database file for each node in the cluster. X$! X$! The reason for this is that the archive file cannot be shared by differen Vt X$! cpus in the cluster, yet the SET AUDIT/ARCHIVE/DEST=file command does the X$! following: X$! X$! 1. Causes the audit server on the local node to change its archive file X$!`09to the new file name. X$! X$! 2. Updates the AUDIT_SERVER.DAT file so that subsequent attempts to X$!`09open the archive file on other nodes in the cluster fail. The net X$!`09effect of this is that the audit servers die when they experience X$!`09the open failure. X$! X$! The workarounds are: X$! X$! A. Don't have continuous archiving. Use a weekend or month-end X$!`09analyze/audit/output=binary to generate an archival file. X$! X$! B. Have separate AUDIT_SERVER.DAT and archive files for each node. X$!`09This may not be any problem because of the use of SYSMAN. X$!`09The best strategy is to name the database to be X$!`09_audit_server.dat X$! X$! X$ if archive_type.eqs."B" X$ then ! archive_type = B X$`09if invocation.nes."STARTUP" X$`09then ! not startup X$`09`09cluster_do - X`09"if f$TYPE(my_node).eqs."""" then $ ''getnode' my_node" - X`09"naa=""''audit_archive_directory'''month'_""+my_node+"".audit$archive""" V - X`09"define/tab=''lnm_table'/exec audit_archive 'naa'" - X`09"set audit/arch=ALL/dest='naa'" X$`09else ! startup X$`09 set audit/archive/dest=audit_archive: X$`09endif X$ else X$ if archive_type.eqs."C" X$! X$! Use type C only when cluster-wide sharing of the archive file is X$! working properly. X$! X$ then ! archive_type = C X$`09set audit/archive/destination='new_audit_archive' X$ endif ! archive type = C X$ endif ! archive type = B X$! X$! Workaround A X$! If it is a new month, then archive all of the last month's records into X$! an archive file. X$! X$! Workaround B X$! If it is a new month, then combine all of the archives for the last month X$! from each node into a combined cluster archive file. This option also X$! requires having a separate AUDIT_SERVER.DAT for each node. X$! X$! Then prepare a summary from the archive file and send X$! it to the security manager X$! X$ if analyze_flag X$ then ! analyze the archive X$! prepare the file names X$ @utl:cvtime lastmonth last_month X$ @utl:cvtime thismonth this_month X$ month_prefix = f$CVTIME(last_month,,"year")+"-"+- X`09f$CVTIME(last_month,,"month") X$ month_file_prefix = audit_journal_directory+month_prefix X$ summary_file = audit_work_directory+month_prefix+"_"+site_name+".audit$ Vsummary" X$! X$! combine the files into 1 if not using type C X$! X$ site_audit_archive = old_audit_archive X$ if archive_type.eqs."A" X$ then ! archive_type = A X$`09analyze/audit`09'audit_journal_directory''month_prefix'-%%_*.audit$journ Val;*- X`09`09/since='last_month'/before='this_month' - X`09`09/binary/output='site_audit_archive' X$ else X$ if archive_type.eqs."B" X$ then ! archive_type = B X$`09month_prefix = - X`09`09f$CVTIME(last_month,,"year")+"-"+f$CVTIME(last_month,,"month") X$`09site_audit_archive = audit_archive_directory+ - X`09`09month_prefix+"_"+site_name+".audit$archive" X$`09analyze/audit`09- X`09`09'audit_archive_directory''month_prefix'_*.audit$archive;*- X`09`09/binary/output='site_audit_archive' X$ endif ! type = B X$ endif ! type = A X$! X$! prepare the summary X$ analyze/audit/summary/output='summary_file' 'site_audit_archive' X$ mail 'summary_file' 'security_manager'- X`09/subject="''site_name' Security Event Summary for ''month_prefix'" X$ endif ! analyze test X$ endif ! archive name difference test X$EXIT: X$ if save_privs.nes.null then $ tmp = f$SETPRV(save_privs) X$ vfl = f$VER(vfl) X$ exit X$!========================================================================== V= X$! AUDIT_LOG.COM X$! X$! Abstract:`09Manage the names of the security audit journal and archive X$!`09`09files. This procedure is invoked by all of the startup X$!`09`09procedures in the cluster. It is also invoked by 1 cpu X$!`09`09just after midnight each day. X$! Input: X$!`09p1 `09type of invocation: 2 valid ones: STARTUP and NEW_DAY X$!`09p2`09flag to request analysis of old file if a change occurs X$!`09implicit: old security audit journal file(s) X$! Output: X$!`09New security audit journal and/or archive file(s); X$!`09Analysis results for transmission to security manager(s). X$! X$! Related Procedures: X$!`09SYS$MANAGER:SYSECURITY.COM X$!`09SYS$STARTUP:LOC$SECURITY.COM X$!`09UTL:CLUSTER_DO.COM X$!`09UTL:GETNODE.COM X$!`09UTL:CVTIME.COM X$! X$! Author:`09Robert L. Boyd, Harris Semiconductor Microelectronics Ctr. X$! X$! Date:`094-Jan-1990 X$! X$! Revision History: X$! 3-Jan-90`09RLB`09Initial version written. X$! 4-Jan-90`09RLB`09Documentation added. X$! 5-Jan-90`09RLB`09Generalized to work with any of the 3 archival methods X$! 7-Feb-90`09RLB`09Prepared Template for Shipment X$!Last Modified: 7-FEB-1990 08:22:09.81, By: RLB $ CALL UNPACK AUDIT_LOG.TEMPLATE;9 510348295 $ create 'f' X$ tvfl = f$ver(0+f$trnlnm("debug$dcl")) X$! Do 1 or more commands on every node in a cluster X$! parameters: X$! X$! p1 - P8`09COMMANDs to be executed on all nodes. The first null X$!`09`09parameter ends the list. Each command must be enclosed X$!`09`09in quotes. X$! X$!`09`09If P1 is not supplied and in interactive mode then the X$!`09`09commands will be prompted for. X$! X$! Author:`09Robert L. Boyd X$!`09`09Harris Semiconductor X$ set noon X$ if p1.eqs.""`20 X$ then X$`09if f$mode().eqs."INTERACTIVE" X$`09then X$`09 pi = 1 X$Command_loop: X$`09 read/end=command_end/error=command_end - X`09`09sys$command next_command/prompt="Next Command ( or `5EZ to end): V " X$`09 if f$edit(next_command,"trim").eqs."" then $ goto COMMAND_END X$`09 p'pi' = next_command X$`09 pi = 1+pi X$`09 goto COMMAND_LOOP X$Command_end: X$`09else X$`09 EXIT %x04 X$`09endif X$ endif X$ tmp_dir = "sys$login:" X$ if f$edit(f$getjpi("","USERNAME"),"TRIM").eqs."SYSTEM" then - X$`09tmp_dir = f$parse("SYS$COMMON:",tmp_dir) X$ tmp_file = F$parse(f$getjpi("","pid")+"_cluster_do.tmp",tmp_dir) X$ sysman_ctl = f$parse(".tmp2",tmp_file,,,"no_conceal") X$ do_commands = f$parse(".tmp3",tmp_file,,,"no_conceal") X$ open/write xtmp 'sysman_ctl' X$ wx = "write xtmp" X$ wx "$ sysman = ""$sysman""" X$ wx "$ sysman" X$ wx "set environment/cluster" X$ wx "do @",do_commands X$ close xtmp X$ open/write xtmp 'do_commands' X$ pi = 0 X$REM_LOOP: X$ pi = 1+pi X$ if f$type(p'pi').eqs."" then $ goto REM_END X$ if p'pi'.nes."" then $ wx "$ ",p'pi' X$ goto REM_LOOP X$REM_END: X$ close xtmp X$ if f$ver().or.tvfl then $ type 'sysman_ctl' X$ vtmp = f$ver(0) X$ @'sysman_ctl' X$ vtmp = f$ver(vtmp) X$EXIT: X$ delete 'sysman_ctl','do_commands'/nolog X$ tvfl = f$ver(tvfl) X$ exit`20 X$!Last Modified: 14-MAR-1990 09:32:06.33, By: RLB`20 $ CALL UNPACK CLUSTER_DO.COM;12 139211435 $ create 'f' X$ vfl = f$VERIFY(0+f$trnlnm("debug$dcl")) X$! do LASTMONTH, NEXTMONTH, THISYEAR, NEXTYEAR, LASTYEAR X$! p1 -- keyword`20 X$! p2 -- global symbol to pass value to X$! p3 -- target date to use as input X$! p4 -- week type: GE /HARRIS X$ p3 = f$cvtime(p3,"absolute","date") X$ VALID_KEYWORDS = ",THISMONTH,LASTMONTH,NEXTMONTH,THISYEAR,NEXTYEAR,LASTYEA VR" X$ valid_keywords = valid_keywords+",THISWEEK,NEXTWEEK,LASTWEEK" X$ if f$LOC(","+p1,valid_keywords).lt.f$LEN(valid_keywords) then $ goto 'p1' X$ write sys$output "%CVTIME-E-INVKEYWORD, ",p1," is an invalid keyword" X$ exit "%X00038060" X$NEXTMONTH: X$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","MONTH") X$ time = f$CVTIME("1-"+p3+"-"+"+32-0","ABSOLUTE","DATE") X$ time = "1-"+f$cvtime(time,"absolute","month")+"-"+f$cvtime(time,"absolute" V,"year") X$ goto exit X$THISMONTH: X$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","MONTH") X$ time = f$CVTIME("1-"+p3+"-","ABSOLUTE","DATE") X$ goto exit X$LASTMONTH: X$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","MONTH") X$ last_month = "1-"+p3+"-:-1-0:" X$ time = "1-"+f$CVTIME(last_month,"ABSOLUTE","MONTH")+"-"+ - X`09f$CVTIME(last_month,"ABSOLUTE","YEAR") X$ goto exit X$LASTYEAR: X$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","year") X$ last_year = "1-JAN-"+p3+":-1-0:" X$ time = "1-JAN-"+f$CVTIME(last_year,"ABSOLUTE","YEAR") X$ goto exit X$THISYEAR: X$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","YEAR") X$ time = f$CVTIME("1-JAN-"+p3,"ABSOLUTE","DATE") X$ goto exit X$NEXTYEAR: X$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","YEAR") X$ time = f$CVTIME("31-DEC-"+p3+":+1-0:","ABSOLUTE","DATE") X$ goto exit X$EXIT: X$ if p2.nes."" then $ 'p2' == time X$ if p2.eqs."" then $ write sys$output "CVTIME: ",p1," = ",time X$ exit !'f$VER(vfl)' X$THISWEEK: ! Monday is beginning of week X$ if f$edit(f$ext(0,1,p4),"UPCASE").eqs."H" X$then X$ sunday = 1 X$ monday = 2 X$ tuesday = 3 X$ wednesday = 4 X$ thursday = 5 X$ friday = 6 X$ saturday = 0 X$else X$ sunday = 6 X$ monday = 0 X$ tuesday = 1 X$ wednesday = 2 X$ thursday = 3 X$ friday = 4 X$ saturday = 5 X$endif X$ today = 'f$CVTIME(p3,,"WEEKDAY")' X$ time = f$CVTIME(p3+":0:0:0.0-"+f$STRING(today)+"-0:","ABSOLUTE","DATE") X$ goto exit X$NEXTWEEK: ! Monday is beginning of week X$ if f$edit(f$ext(0,1,p4),"UPCASE").eqs."H" X$then X$ sunday = 1 X$ monday = 2 X$ tuesday = 3 X$ wednesday = 4 X$ thursday = 5 X$ friday = 6 X$ saturday = 0 X$else X$ sunday = 6 X$ monday = 0 X$ tuesday = 1 X$ wednesday = 2 X$ thursday = 3 X$ friday = 4 X$ saturday = 5 +-+-+-+-+-+-+-+- END OF PART 2 +-+-+-+-+-+-+-+-