SECURITY_AUDIT_KIT.SAV (VMS BACKUP save set, written under VMS V5.2 by RLB on _RTPCIM::)
Created with: BACKUP AAA_README.TXT;,U31:[AUDIT.EXE]SYSECURITY.TEMPLATE;,SYS$STARTUP:LOC$SECURITY.COM;,U31:[AUDIT.EXE]AUDIT_LOG.TEMPLATE;,UTL:GETNODE.COM;,UTL:CLUSTER_DO.COM;,UTL:CVTIME.COM; SECURITY_AUDIT_KIT.SAV/SAVE/BLOCK=2048/NOCRC

-----------------------------------------------------------------
[AUDIT]AAA_README.TXT;5
-----------------------------------------------------------------

Security Auditing under VMS V5.2 and following:

This is a collection of command procedures that I'm using for setting up
and monitoring security auditing.

The SYSECURITY.COM is from SYS$MANAGER:.
LOC$SECURITY.COM is from SYS$COMMON:[SYS$STARTUP].
Here is how I have it entered in SYSMAN STARTUP:

 Phase        Mode   File
 ------------ ------ ---------------------------------
 LPBEGIN      DIRECT LOC$SECURITY.COM
   Enabled on All Nodes:  P1:  P2:  P3:  P4:  P5:  P6:  P7:  P8:

AUDIT_LOG.COM is from a directory where I keep daily/weekly batch procedures.
GETNODE.COM and CVTIME.COM are from a utility directory.
CLUSTER_DO.COM is also from the utility directory, although, since it
requires OPER privilege at a minimum in order to use SYSMAN, it
may be appropriate to put somewhere else.

There are some interesting & ANNOYING quirks in the V5.2 release of
the AUDIT_SERVER code. A lot of the facts are discussed (and disgust)
in the AUDIT_LOG.COM comment notes.

If you haven't already worked out your own way of dealing with this
wonderful new toy, here is a way that I've done it.

AUDIT_LOG.COM is set up to set, modify, and summarize the audit journal and
archive files on a daily basis. If any interesting events are found, it
sends mail to the appropriate individual(s). This procedure is called
from LOC$SECURITY.COM (in startup phase LPBEGIN) in order to create logical
names. It is then called every day shortly after midnight on 1 node in
the cluster. We have a job we run on each cpu at midnight. It is coded
so that the secondary audit analyzer checks to see if the primary is up.
If not, the secondary one completes the analysis and updates all of the
logicals and SET AUDIT settings on the cluster.

There is one event that I haven't covered yet that would include the
instance where both the primary and secondary analysis cpus are down
across midnight. In this instance, the midnight job will invoke the
procedure when the machine is booted up, but the procedure as coded will
not pick up the previous journal file(s) for analysis. If it happened
at midnight of the end of the month it could also fail to perform the
monthly analysis. I have further enhancements in mind to handle these
circumstances, but they will involve a little more coding. My plan is
to check for the existence of daily summary markers and monthly markers
in a file. If the marker doesn't appear for a particular date/month then
the analysis will be performed for the missing time(s) as well as the
current date. Do you have any experience with coding for solving similar
problems? Basically it is devising a scheme for catching up to get
current without skipping anything unnecessarily.

If you like/dislike anything you find in this collection, please send
me feedback. I'm planning to release it to DECUS for distribution if
it is satisfactory.

How to start using this setup:

1. Edit the SYSECURITY.COM file.
2. Create the necessary directory(s) where everything will go.
3. Edit AUDIT_LOG.COM to reflect the site specific things you want to do with it.
4. Put AUDIT_LOG.COM into the [AUDIT.EXE] directory.
5. Look for a time when you think you can pull this off without leaving
   too much of a gap when auditing is disabled.
6. For each node in your cluster:
   a. Login to the system manager's account (or do all of your nodes
      at once by using sysman to do this)
   b. SET AUDIT/SERVER=EXIT
   c. @SYS$MANAGER:SYSECURITY
   d. SET AUDIT/SERVER=START
   e. @SYS$STARTUP:LOC$SECURITY
7. Add a command to your new day (or midnight) job to execute AUDIT_LOG
   on one node in your cluster each day.

-----------------------------------------------------------------
 Bob Boyd                        Usenet: n/a at present time
 Harris Microelectronics Ctr.    Internet: ,,
 POB 13049, MS 7T3-01            BitNet: ,,
 RTP, NC 27709-3049              Voice: (919)549-3627
                                 Harris or GE DECnet: RTPARK::RLB

-----------------------------------------------------------------
[AUDIT.EXE]SYSECURITY.TEMPLATE;1
-----------------------------------------------------------------

$!
$! This command procedure is run prior to starting up the security auditing
$! server process. Its purpose is to mount or define any disks which will be
$! used to hold security auditing log files (primarily the system security
$! audit journal file) or local security archive files.
$!
$!========================================================================
$! SITE SPECIFIC PARAMETERS
$!========================================================================
$ site_name = f$trnlnm("SITE_NAME","lnm$system","executive")
$ if site_name .eqs."" then $ site_name = "Your_Site_Name_Here"
$!
$! Directory Root for the Security Audit Files
$!
$ security_audit_root = "Security_Journal_Disk:[Audit_Directory.]"
$!
$! Set the archive type to A, B, or C
$!
$! Type C should only be used when the AUDIT_SERVER code is modified to
$! support shared access to a cluster common security audit archive file.
$!
$ archive_type = "B"
$!
$!========================================================================
$!
$! Get the node name into a symbol
$!
$ if f$type(my_node).eqs."" then $ @utl:getnode my_node
$!
$ defgrp = "define/table=lnm$group_000001/executive_mode"
$ defsys = "define/system/executive_mode"
$ credir = "create/directory/own=parent/prot=(s:rw,o:rw,g,w)"
$!
$ security_audit_db_dir = "security_audit_root:[db]"
$ security_audit_device = -
    f$parse(security_audit_db_dir,,,"device","syntax_only")
$!
$! see if the device is mounted already -- if not, then do it now.
$!
$ if .not.f$getdvi(security_audit_device,"exists")
$ then
$   @sys$startup:loc$shadow_mount
$ else
$   if .not.f$getdvi(security_audit_device,"mnt")
$   then
$     @sys$startup:loc$shadow_mount
$   endif
$ endif
$!
$! Make sure the logical name(s) are defined
$!
$ defgrp audit_archive_type 'archive_type'
$ defsys security_audit_root 'security_audit_root'/translation=concealed
$!
$! Make sure the directory exists
$!
$ if f$parse(security_audit_db_dir).eqs.""
$ then
$   create/directory 'security_audit_db_dir'/log-
     /prot=(s:rw,o:rw,g,w)/own=[1,1]
$ endif
$!
$! Construct the server database file name
$!
$ if archive_type.eqs."A" .or. archive_type.eqs."C"
$ then
$   audit_file = security_audit_db_dir+site_name+"_audit_server.dat"
$ else
$   if archive_type.eqs."B"
$   then
$     audit_file = security_audit_db_dir+my_node+"_audit_server.dat"
$   endif
$ endif
$!
$! Define the audit database now
$!
$ defsys audit_server 'audit_file'
$!
$! Make sure the other directories exist
$!
$ if f$parse("security_audit_root:[journal]").eqs."" then -
    $ credir security_audit_root:[journal]
$ if f$parse("security_audit_root:[archive]").eqs."" then -
    $ credir security_audit_root:[archive]
$ if f$parse("security_audit_root:[work]").eqs."" then -
    $ credir security_audit_root:[work]
$!
$!Last Modified: 19-JAN-1990 18:32:21.96, By: RLB

-----------------------------------------------------------------
[SYS$STARTUP]LOC$SECURITY.COM;21
-----------------------------------------------------------------

$! SECURITY.COM
$! Turn on security alarm capabilities as specified below
$!
$ set noon
$ req_privs = "security,sysprv,cmkrnl"
$ save_privs = f$SETPRV(req_privs)
$ show sym $status
$!
$! make sure the logical name(s) are defined
$!
$ if f$trnlnm("mgrlog").eqs."" then -
    $ define/sys mgrlog scratch_device:[sysmgr],soft_device:[sysmgr]/exec
$!
$! We want to turn on alarms capability for file accesses.
$! This is normally only used to force errors from invalid attempts to
$! access various things around the system.
$!
$ ACL_enable = "ACL"
$!
$! Audit all changes to AUDIT settings
$!
$ audit_enable = "AUDIT"
$!
$! Audit all login failures in the listed modes
$!
$ logfailure_enable = "LOGFAILURE=(NETWORK,BATCH,DETACHED,REMOTE)"
$!
$! Alarm all classes of detected breakin attempts. See SYSGEN parameters
$! for related information. The parameters defining what constitutes a
$! breakin are system/security manager controllable.
$!
$ BREAKIN_enable = "BREAKIN=(ALL)"
$!
$! create the list of classes from those defined above
$!
$ ENABLE_list = acl_enable+","+breakin_enable+","+logfailure_enable+","+-
    audit_enable
$!
$! turn on alarms for the selected list of classes
$! and enable resource monitoring.
$!
$ show audit/all
$ status = $status
$ if status
$ then
$   set audit/alarm/enable=('enable_list')
$   set audit/journal=security/resource=enable
$ endif
$ @security_audit_root:[exe]audit_log STARTUP
$!
$! show what we've got unless in STARTUP
$!
$ if f$EDIT(f$GETJPI("","PRCNAM"),"trim") .nes."STARTUP" then $ show audit
$EXIT:
$ if save_privs.nes."" then $ x = f$SETPRV(save_privs)
$ exit
$ALARM:
$ request/to=SECURITY "Unauthorized access to ''f$ENV("procedure")'"
$ stop/id=0
$!Last Modified: 30-JAN-1990 15:01:11.60, By: RLB

-----------------------------------------------------------------
[AUDIT.EXE]AUDIT_LOG.TEMPLATE;8
-----------------------------------------------------------------

$! AUDIT_LOG.TEMPLATE -- This is a template file -- rename to AUDIT_LOG.COM
$!
$! Security Audit Journal/Archive Control & Analysis
$! for VMS V5.2 and later.
$!
$! ** See the end of this file for documentation **
$!
$! Site Specific Parameters Are Next
$!====================================================================
$! SITE SPECIFIC PARAMETER SECTION
$!====================================================================
$!
$! This user receives all of the security audit analysis outputs
$!
$ security_manager = "Your_Favorite_Martian_Here"
$!
$! This next list of user(s) receives only the breakin detection analysis
$! results. This would include any operations/support staff who may
$! need to be aware of attempted breakins in case assistance with passwords
$! is requested.
$!
$! If you don't want it to go to anyone other than the security manager,
$! then set this one to null
$!
$ breakin_notice_recipients = "list,of,others" ! "OPERATIONS"
$!
$! Your site name should go here. You can override this one with
$! a logical name definition -- look at the sample SYSECURITY.COM for
$! a definition example.
$!
$ site_name_default = "YourSiteNameHere"
$!
$! Where the sub-procedures live (copies came with the distribution)
$!
$ cluster_do = "@UTL:CLUSTER_DO" ! execute a command on all the cpus in the cluster
$ getnode = "@UTL:GETNODE" ! multi-method node name determination
$!
$! List of events to be given in brief form on a daily basis.
$!
$ event_brief_list = "SYSUAF,NETUAF,LOGFAIL,BREAKIN"
$!
$! List of events to report as breakins or other serious events.
$!
$ event_full_list = "BREAKIN"
$!
$! End of site specific parameter section
$!==================================================================
$ vfl = f$ver(0.or.f$trnlnm("debug$audit").or.f$trnlnm("debug$dcl"))
$ set noon
$! to find out where this procedure lives and the directory it's in...
$ who_am_i = f$element(0,";",f$environment("procedure")) ! latest version
$ who_am_i_exactly = f$environment("procedure") ! this very procedure
$ where_am_i = f$parse("a.b;0",who_am_i,,,"syntax_only")-"A.B;0"
$ vms_version = f$getsyi("version")
$ if f$loc(".",vms_version).lt.f$len(vms_version)
$ then
$   if (vms_version-".").lts."V52"
$   then
$     write sys$output who_am_i,"-F-VERMISMATCH,",-
        " this procedure requires VMS V5.2 or later"
$     exit %X80010004
$   endif
$ endif
$ invocation = p1
$ analyze_flag = p2
$ null = ""
$!
$! List of different choices for ARCHIVE_TYPE logical name.
$ archive_choices = "A,B,C"
$!
$ req_priv = "SECURITY,SYSNAM,SYSPRV,BYPASS"
$ lnm_table = "lnm$group_000001"
$!
$! Determine if a SITE name has been supplied
$!
$ site_name = f$trnlnm("SITE_NAME","LNM$SYSTEM","EXECUTIVE")
$ if site_name.eqs.null then $ site_name = site_name_default
$!
$! Elevate privileges
$!
$ save_privs = f$setprv(req_priv)
$!
$! The archive type should be defined in SYS$MANAGER:SYSECURITY.COM or
$! SYS$STARTUP:LOC$SECURITY.COM. Defaults to "A"
$!
$ archive_type = f$trnlnm("audit_archive_type",lnm_table,"executive")
$ if archive_type.eqs.null then $ archive_type = "A"
$ archive_type = f$edit(f$ext(0,1,archive_type),"upcase")
$ security_audit_directory = f$parse("A.B;",-
    f$trnlnm("audit_server","lnm$system","executive"))-"A.B;"
$ audit_journal_directory = f$parse("[journal]",security_audit_directory)-".;"
$ audit_archive_directory = f$parse("[archive]",security_audit_directory)-".;"
$ audit_work_directory = f$parse("[work]",security_audit_directory)-".;"
$ tmp_file = audit_journal_directory+"security.tmp"
$ if f$type(my_node).eqs.null then $ getnode my_node
$ defgroup = "define/table="+lnm_table+"/executive_mode/name_attrib=no_alias"
$!
$! Compute the new audit and archive file names
$!
$ date = f$cvtime(null,,"date")
$ new_audit_file = f$parse(date+"_"+site_name,audit_journal_directory)
$ new_audit_journal = f$parse(".audit$journal",new_audit_file)
$ month = f$cvtime(null,,"year")+"-"+f$cvtime(null,,"month")
$ if archive_type .eqs."B"
$ then ! archive_type=B
$   new_audit_archive = f$parse(month+"_"+my_node+".AUDIT$archive",-
      audit_archive_directory)
$ else
$   if archive_type .eqs."C" .or. archive_type .eqs."A"
$   then ! archive_type = C or A
$     new_audit_archive = f$parse(month+"_"+site_name+".AUDIT$archive",-
        audit_archive_directory)
$   endif ! archive_type = C or A
$ endif ! archive_type = B
$ old_audit_journal = -
    f$search(f$trnlnm("audit_journal",lnm_table,"executive"))
$ old_audit_archive = -
    f$trnlnm("audit_archive",lnm_table,"executive")
$ OLD_archive_name = f$PARSE(old_audit_archive,,,"name")
$ new_archive_name = f$parse(new_audit_archive,,,"name")
$ OLD_journal_name = f$PARSE(old_audit_journal,,,"name")
$ new_journal_name = f$parse(new_audit_journal,,,"name")
$ if f$ver() then $ show sym/local/all
$!
$! Is it time to setup a new journal file (new day) ?
$!
$ if f$parse(";",old_audit_journal).nes.f$parse(";",new_audit_journal)
$ then ! need a new journal
$   defgroup audit_journal 'new_audit_journal'
$   if invocation.nes."STARTUP"
$   then ! It isn't startup
$     cluster_do "''defgroup' audit_journal ''new_audit_journal'"
$     tvfl = f$ver(1)
$!    Use method 1 if uic group is same as 1
$     if f$getjpi(null,"GRP").eq.1
$     then ! UIC GRP = 1
$!      method 1
$       cluster_do "set audit/journal/destination=audit_journal:"
$!      "show device/file/nosys audit_journal:" ! debug code
$!
$     else ! the user is in a different UIC group so use actual name
$!      method 2
$       cluster_do "set audit/journal/destination=''new_audit_journal'"
$!      "show device/file/nosys audit_journal:" ! debug code
$     endif ! uic group
$     directory/date=all 'f$parse(";*",new_audit_journal)'
$     set audit/server=new_log
$!    cluster_do "sho dev/file/nosys audit_server:" ! debug code
$     directory/date=all 'f$parse(";*",new_audit_journal)'
$     tmp = f$ver(tvfl)
$     if f$ver() then $ show audit/all
$!
$!    Do we need to do an analysis of the old file(s)?
$!
$   else ! This is STARTUP time
$     set audit/journal/dest=audit_journal:
$   endif ! not startup
$ else ! no new journal
$   if invocation.eqs."STARTUP" ! startup in progress
$   then
$     set audit/journal/dest=audit_journal:
$   endif
$ endif ! new journal needed
$ if analyze_flag
$ then ! analyze flag
$   if f$parse(";",old_audit_journal).eqs.f$parse(";",new_audit_journal) then -
      $ old_audit_journal = null
$   old_date = "yesterday"
$   old_suffix = "_"+site_name+".audit$journal"
$ old_journal_loop:
$   old_file = -
      f$parse(f$cvtime(old_date,,"date")+old_suffix,audit_journal_directory)
$   previous_journal = f$search(old_file)
$   if previous_journal.eqs.null
$   then
$     old_date = f$cvtime(old_date+"-1-0:","absolute","date")
$     if f$cvtime(old_date).gts.f$cvtime("today-31-0:") then $ goto old_journal_loop
$   endif
$   old_audit_journal = f$parse(";*",old_audit_journal,previous_journal)
$   if f$ver() then $ show sym old_audit_journal
$   analyze/audit/event=('event_brief_list')/output='tmp_file' 'old_audit_journal'
$   analyze/audit/event=('event_full_list')/output='tmp_file'/full 'old_audit_journal'
$   if f$search(tmp_file+";").nes.null
$   then ! tmp_file created
$!    Analyze/audit always produces a file even if it's empty, so check here
$     if (breakin_notice_recipients.nes.null) .and. -
        (f$file_attribute(tmp_file,"eof").ne.0) then -
        $ mail/subj="Security Alarms Detected" 'tmp_file' -
          'breakin_notice_recipients'
$     if f$search(tmp_file+";-1").nes.null then -
        $ append 'tmp_file';-1 'tmp_file';/log
$!    Analyze/audit always produces a file even if it's empty, so check here
$     if f$file_attribute(tmp_file,"eof").ne.0 then -
        $ mail 'tmp_file' 'security_manager'/subj="Security Alarms Detected"
$     delete 'tmp_file';*
$   endif ! tmp_file created
$ endif ! analyze flag
$!
$! Is it time for a new archive file to be set up ?
$!
$ if old_archive_name.nes.new_archive_name .or. -
    f$parse(";",old_audit_archive).nes.f$parse(";",new_audit_archive)
$ then ! new archive is needed
$   defgroup audit_archive 'new_audit_archive'
$!
$! RLB 4-Jan-1990
$!
$! Due to strangeness of the behavior of V5.2 audit archive I have
$! decided for this implementation to use mode B.
$! This is not the slickest way to do it since it involves having a
$! separate audit server database file for each node in the cluster.
$!
$! The reason for this is that the archive file cannot be shared by different
$! cpus in the cluster, yet the SET AUDIT/ARCHIVE/DEST=file command does the
$! following:
$!
$! 1. Causes the audit server on the local node to change its archive file
$!    to the new file name.
$!
$! 2. Updates the AUDIT_SERVER.DAT file so that subsequent attempts to
$!    open the archive file on other nodes in the cluster fail. The net
$!    effect of this is that the audit servers die when they experience
$!    the open failure.
$!
$! The workarounds are:
$!
$! A. Don't have continuous archiving. Use a weekend or month-end
$!    analyze/audit/output=binary to generate an archival file.
$!
$! B. Have separate AUDIT_SERVER.DAT and archive files for each node.
$!    This may not be any problem because of the use of SYSMAN.
$!    The best strategy is to name the database to be
$!    _audit_server.dat
$!
$!
$   if archive_type.eqs."B"
$   then ! archive_type = B
$     if invocation.nes."STARTUP"
$     then ! not startup
$       cluster_do -
          "if f$type(my_node).eqs."""" then $ ''getnode' my_node" -
          "naa=""''audit_archive_directory'''month'_""+my_node+"".audit$archive""" -
          "define/tab=''lnm_table'/exec audit_archive 'naa'" -
          "set audit/arch=ALL/dest='naa'"
$     else ! startup
$       set audit/archive/dest=audit_archive:
$     endif
$   else
$     if archive_type.eqs."C"
$!
$!    Use type C only when cluster-wide sharing of the archive file is
$!    working properly.
$!
$     then ! archive_type = C
$       set audit/archive/destination='new_audit_archive'
$     endif ! archive type = C
$   endif ! archive type = B
$!
$! Workaround A
$! If it is a new month, then archive all of the last month's records into
$! an archive file.
$!
$! Workaround B
$! If it is a new month, then combine all of the archives for the last month
$! from each node into a combined cluster archive file. This option also
$! requires having a separate AUDIT_SERVER.DAT for each node.
$!
$! Then prepare a summary from the archive file and send
$! it to the security manager
$!
$   if analyze_flag
$   then ! analyze the archive
$!    prepare the file names
$     @utl:cvtime lastmonth last_month
$     @utl:cvtime thismonth this_month
$     month_prefix = f$cvtime(last_month,,"year")+"-"+-
        f$cvtime(last_month,,"month")
$     month_file_prefix = audit_journal_directory+month_prefix
$     summary_file = audit_work_directory+month_prefix+"_"+site_name+".audit$summary"
$!
$!    combine the files into 1 if not using type C
$!
$     site_audit_archive = old_audit_archive
$     if archive_type.eqs."A"
$     then ! archive_type = A
$       analyze/audit 'audit_journal_directory''month_prefix'-%%_*.audit$journal;*-
          /since='last_month'/before='this_month' -
          /binary/output='site_audit_archive'
$     else
$       if archive_type.eqs."B"
$       then ! archive_type = B
$         month_prefix = -
            f$cvtime(last_month,,"year")+"-"+f$cvtime(last_month,,"month")
$         site_audit_archive = audit_archive_directory+ -
            month_prefix+"_"+site_name+".audit$archive"
$         analyze/audit -
            'audit_archive_directory''month_prefix'_*.audit$archive;*-
            /binary/output='site_audit_archive'
$       endif ! type = B
$     endif ! type = A
$!
$!    prepare the summary
$     analyze/audit/summary/output='summary_file' 'site_audit_archive'
$     mail 'summary_file' 'security_manager'-
        /subject="''site_name' Security Event Summary for ''month_prefix'"
$   endif ! analyze test
$ endif ! archive name difference test
$EXIT:
$ if save_privs.nes.null then $ tmp = f$setprv(save_privs)
$ vfl = f$ver(vfl)
$ exit
$!===========================================================================
$! AUDIT_LOG.COM
$!
$! Abstract: Manage the names of the security audit journal and archive
$!           files. This procedure is invoked by all of the startup
$!           procedures in the cluster. It is also invoked by 1 cpu
$!           just after midnight each day.
$! Input:
$!     p1  type of invocation: 2 valid ones: STARTUP and NEW_DAY
$!     p2  flag to request analysis of old file if a change occurs
$!     implicit: old security audit journal file(s)
$! Output:
$!     New security audit journal and/or archive file(s);
$!     Analysis results for transmission to security manager(s).
$!
$! Related Procedures:
$!     SYS$MANAGER:SYSECURITY.COM
$!     SYS$STARTUP:LOC$SECURITY.COM
$!     UTL:CLUSTER_DO.COM
$!     UTL:GETNODE.COM
$!     UTL:CVTIME.COM
$!
$! Author: Robert L. Boyd, Harris Semiconductor Microelectronics Ctr.
$!
$! Date: 4-Jan-1990
$!
$! Revision History:
$!  3-Jan-90 RLB Initial version written.
$!  4-Jan-90 RLB Documentation added.
$!  5-Jan-90 RLB Generalized to work with any of the 3 archival methods.
$!  7-Feb-90 RLB Prepared Template for Shipment
$!Last Modified: 7-FEB-1990 08:22:09.81, By: RLB

-----------------------------------------------------------------
[UTILITY]GETNODE.COM;4
-----------------------------------------------------------------

$! getnode.com -- get current cpu node name
$ vfl = f$ver(0)
$ set noon
$ @utl:setver 4 6 ge
$ if p1.eqs."" then $ p1 = "NODE"
$ mess = f$env("message")
$ set mess/nofac/nosev/noid/notext
$ if f$type('p1').nes."" then $ del/sym/glo 'p1'
$ set mess'mess'
$ if f$type('p1').nes."" then $ goto already_def
$getit:
$'if_ge_v4' node = f$getsyi("nodename")
$'if_ge_v4' if node.eqs."" then $ node = f$trnlnm("sys$node","lnm$system")-"_"-"::"
$'if_ge_v4' if node.eqs."" then $ node = f$getsyi("scsnode")
$ if node.eqs."" then $ node = f$fao("!8XL",f$getsyi("sid"))
$ node = f$edit(node,"trim,compress")
$ if node.nes."" then $ 'p1' == node
$exit:
$ exit ! 'f$ver(vfl)'
$already_def:
$ write sys$Output "GETNODE-W-Symbol ",p1," is already defined above level ",f$env("depth")
$ write sys$Output "GETNODE-I-",p1," currently has the value """,'p1',""""
$ write sys$Output "GETNODE-W-value returned to NODENAME instead of NODE"
$ p1 = "NODENAME"
$ goto getit
$!Last Modified: 12-JUL-1988 11:01:36.12, By: RLB

-----------------------------------------------------------------
[UTILITY]CLUSTER_DO.COM;10
-----------------------------------------------------------------

$ tvfl = f$ver(0+f$trnlnm("debug$dcl"))
$! Do 1 or more commands on every node in a cluster
$! parameters:
$!
$! p1 - P8  COMMANDs to be executed on all nodes. The first null
$!          parameter ends the list. Each command must be enclosed
$!          in quotes.
$!
$! If P1 is not supplied and in interactive mode then the
$! commands will be prompted for.
$!
$! Author: Robert L. Boyd
$!         Harris Semiconductor
$ set noon
$ if p1.eqs.""
$ then
$   if f$mode().eqs."INTERACTIVE"
$   then
$     pi = 1
$Command_loop:
$     read/end=command_end/error=command_end -
        sys$command next_command/prompt="Next Command ( or ^Z to end): "
$     if f$edit(next_command,"trim").eqs."" then $ goto COMMAND_END
$     p'pi' = next_command
$     pi = 1+pi
$     goto COMMAND_LOOP
$Command_end:
$   else
$     EXIT %x04
$   endif
$ endif
$ tmp_dir = "sys$login:"
$ if f$edit(f$getjpi("","USERNAME"),"TRIM").eqs."SYSTEM" then -
    $ tmp_dir = f$parse("SYS$COMMON:",tmp_dir)
$ tmp_file = F$parse(f$getjpi("","pid")+"_cluster_do.tmp",tmp_dir)
$ sysman_ctl = f$parse(".tmp2",tmp_file)
$ do_commands = f$parse(".tmp3",tmp_file)
$ open/write xtmp 'sysman_ctl'
$ wx = "write xtmp"
$ wx "$ sysman = ""$sysman"""
$ wx "$ sysman"
$ wx "set environment/cluster"
$ wx "do @",do_commands
$ close xtmp
$ open/write xtmp 'do_commands'
$ pi = 0
$REM_LOOP:
$ pi = 1+pi
$ if f$type(p'pi').eqs."" then $ goto REM_END
$ if p'pi'.nes."" then $ wx "$ ",p'pi'
$ goto REM_LOOP
$REM_END:
$ close xtmp
$ if f$ver().or.tvfl then $ type 'sysman_ctl'
$ vtmp = f$ver(0)
$ @'sysman_ctl'
$ vtmp = f$ver(vtmp)
$EXIT:
$ delete 'sysman_ctl','do_commands'/nolog
$ tvfl = f$ver(tvfl)
$ exit
$!Last Modified: 30-JAN-1990 08:21:27.00, By: RLB

-----------------------------------------------------------------
[UTILITY]CVTIME.COM;12
-----------------------------------------------------------------

$ vfl = f$VERIFY(0+f$trnlnm("debug$dcl"))
$! do LASTMONTH, NEXTMONTH, THISYEAR, NEXTYEAR, LASTYEAR
$! p1 -- keyword
$! p2 -- global symbol to pass value to
$! p3 -- target date to use as input
$! p4 -- week type: GE /HARRIS
$ p3 = f$cvtime(p3,"absolute","date")
$ VALID_KEYWORDS = ",THISMONTH,LASTMONTH,NEXTMONTH,THISYEAR,NEXTYEAR,LASTYEAR"
$ valid_keywords = valid_keywords+",THISWEEK,NEXTWEEK,LASTWEEK"
$ if f$LOC(","+p1,valid_keywords).lt.f$LEN(valid_keywords) then $ goto 'p1'
$ write sys$output "%CVTIME-E-INVKEYWORD, ",p1," is an invalid keyword"
$ exit "%X00038060"
$NEXTMONTH:
$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","MONTH")
$ time = f$CVTIME("1-"+p3+"-"+"+32-0","ABSOLUTE","DATE")
$ time = "1-"+f$cvtime(time,"absolute","month")+"-"+f$cvtime(time,"absolute","year")
$ goto exit
$THISMONTH:
$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","MONTH")
$ time = f$CVTIME("1-"+p3+"-","ABSOLUTE","DATE")
$ goto exit
$LASTMONTH:
$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","MONTH")
$ last_month = "1-"+p3+"-:-1-0:"
$ time = "1-"+f$CVTIME(last_month,"ABSOLUTE","MONTH")+"-"+ -
    f$CVTIME(last_month,"ABSOLUTE","YEAR")
$ goto exit
$LASTYEAR:
$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","year")
$ last_year = "1-JAN-"+p3+":-1-0:"
$ time = "1-JAN-"+f$CVTIME(last_year,"ABSOLUTE","YEAR")
$ goto exit
$THISYEAR:
$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","YEAR")
$ time = f$CVTIME("1-JAN-"+p3,"ABSOLUTE","DATE")
$ goto exit
$NEXTYEAR:
$ if p3.nes."" then $ p3 = f$cvtime(p3,"absolute","YEAR")
$ time = f$CVTIME("31-DEC-"+p3+":+1-0:","ABSOLUTE","DATE")
$ goto exit
$EXIT:
$ if p2.nes."" then $ 'p2' == time
$ if p2.eqs."" then $ write sys$output "CVTIME: ",p1," = ",time
$ exit !'f$VER(vfl)'
$THISWEEK: ! Monday is beginning of week
$ if f$edit(f$ext(0,1,p4),"UPCASE").eqs."H"
$then
$   sunday = 1
$   monday = 2
$   tuesday = 3
$   wednesday = 4
$   thursday = 5
$   friday = 6
$   saturday = 0
$else
$   sunday = 6
$   monday = 0
$   tuesday = 1
$   wednesday = 2
$   thursday = 3
$   friday = 4
$   saturday = 5
$endif
$ today = 'f$CVTIME(p3,,"WEEKDAY")'
$ time = f$CVTIME(p3+":0:0:0.0-"+f$STRING(today)+"-0:","ABSOLUTE","DATE")
$ goto exit
$NEXTWEEK: ! Monday is beginning of week
$ if f$edit(f$ext(0,1,p4),"UPCASE").eqs."H"
$then
$   sunday = 1
$   monday = 2
$   tuesday = 3
$   wednesday = 4
$   thursday = 5
$   friday = 6
$   saturday = 0
$else
$   sunday = 6
$   monday = 0
$   tuesday = 1
$   wednesday = 2
$   thursday = 3
$   friday = 4
$   saturday = 5
$endif
$ today = 7-'f$CVTIME(p3,,"WEEKDAY")'
$ time = f$CVTIME(p3+":0:0:0.0+"+f$STRING(today)+"-0:","ABSOLUTE","DATE")
$ goto exit
$LASTWEEK: ! Monday is beginning of week
$ if f$edit(f$ext(0,1,p4),"UPCASE").eqs."H"
$then
$   sunday = 1
$   monday = 2
$   tuesday = 3
$   wednesday = 4
$   thursday = 5
$   friday = 6
$   saturday = 0
$else
$   sunday = 6
$   monday = 0
$   tuesday = 1
$   wednesday = 2
$   thursday = 3
$   friday = 4
$   saturday = 5
$endif
$ today = 7+'f$CVTIME(p3,,"WEEKDAY")'
$ time = f$CVTIME(p3+":0:0:0.0-"+f$STRING(today)+"-0:","ABSOLUTE","DATE")
$ goto EXIT
$!Last Modified: 29-JUN-1989 17:09:29.50, By: RLB
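The catch-up scheme the README describes (daily and monthly markers, with analysis performed for any missing dates) modelled in Python beside the kit's own old_journal_loop behaviour, as an added example that is not part of the kit. The site name SITE, node name NODE1, the journal set and the marker sets are constructed stand-ins; the 31-day window matches the `today-31-0:` bound in AUDIT_LOG.TEMPLATE, and the file names follow the kit's yyyy-mm-dd_site.audit$journal and yyyy-mm_node.audit$archive scheme.

```python
"""Model of the SECURITY_AUDIT_KIT file-naming scheme and of the daily/monthly
"catch-up" analysis the README describes but the kit does not yet implement.
Added example: SITE, NODE1 and the marker sets are constructed stand-ins."""
from datetime import date, timedelta
from typing import List, Set, Tuple

SITE = "SITE"    # stand-in for site_name (SITE_NAME logical / site_name_default)
NODE = "NODE1"   # stand-in for my_node (as returned by GETNODE.COM)


def journal_name(day: date, site: str = SITE) -> str:
    """Daily journal as AUDIT_LOG.COM builds it: yyyy-mm-dd_site.audit$journal."""
    return f"{day.isoformat()}_{site}.audit$journal"


def archive_name(day: date, archive_type: str, site: str = SITE,
                 node: str = NODE) -> str:
    """Monthly archive: yyyy-mm_node for type B, yyyy-mm_site for A and C."""
    tag = node if archive_type.upper() == "B" else site
    return f"{day.strftime('%Y-%m')}_{tag}.audit$archive"


def server_db_name(archive_type: str, site: str = SITE, node: str = NODE) -> str:
    """AUDIT_SERVER.DAT as SYSECURITY.TEMPLATE names it: per node for type B
    (the workaround for the V5.2 shared-archive problem), per site for A and C."""
    tag = node if archive_type.upper() == "B" else site
    return f"{tag}_audit_server.dat"


def kit_previous_journal(today: date, existing: Set[str], site: str = SITE) -> str:
    """What old_journal_loop in AUDIT_LOG.COM finds: walk back from yesterday
    until a journal exists, giving up at today minus 31 days.  "" if none."""
    day = today - timedelta(days=1)
    floor = today - timedelta(days=31)
    while day > floor:
        name = journal_name(day, site)
        if name in existing:
            return name          # only the newest previous journal is analysed
        day -= timedelta(days=1)
    return ""


def catch_up_journals(today: date, existing: Set[str], daily_markers: Set[date],
                      site: str = SITE, window_days: int = 31) -> List[Tuple[date, str]]:
    """README scheme: every journal in the window, older than today, that exists
    but has no daily marker, oldest first.  Nothing in the window is skipped and
    nothing already summarised is redone."""
    due = []
    for back in range(window_days, 0, -1):
        day = today - timedelta(days=back)
        name = journal_name(day, site)
        if name in existing and day not in daily_markers:
            due.append((day, name))
    return due


def catch_up_months(today: date, monthly_markers: Set[str],
                    window_months: int = 3) -> List[str]:
    """Completed months (yyyy-mm) in the window with no monthly marker, oldest
    first; each still needs the month-end archive combine and summary mail."""
    months = []
    cur = today.replace(day=1)
    for _ in range(window_months):
        cur = (cur - timedelta(days=1)).replace(day=1)   # first of previous month
        months.append(cur.strftime("%Y-%m"))
    return [m for m in reversed(months) if m not in monthly_markers]


# Constructed scenario: both analysis cpus were down across midnight on 3-Feb and
# 4-Feb-1990, so the 2-Feb and 3-Feb journals were never summarised and January
# never got its monthly summary; 1989-12-20 is outside the 31-day window.
TODAY = date(1990, 2, 5)
EXISTING = {journal_name(date(1990, m, d))
            for m, d in [(1, 30), (1, 31), (2, 1), (2, 2), (2, 3), (2, 5)]}
EXISTING.add(journal_name(date(1989, 12, 20)))
DAILY_MARKERS = {date(1990, 1, 30), date(1990, 1, 31), date(1990, 2, 1)}
MONTHLY_MARKERS = {"1989-11", "1989-12"}


def scenario() -> dict:
    """Run both strategies over the constructed scenario: the kit's loop stops at
    the 3-Feb journal and silently skips 2-Feb; the marker scheme finds both."""
    return {
        "kit": kit_previous_journal(TODAY, EXISTING),
        "catch_up": [d.isoformat() for d, _ in
                     catch_up_journals(TODAY, EXISTING, DAILY_MARKERS)],
        "months": catch_up_months(TODAY, MONTHLY_MARKERS),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:9s}: {value}")
```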