From:	CSBVAX::CSBVAX::MRGATE::"SMTP::CRVAX.SRI.COM::RELAY-INFO-VAX" 22-FEB-1989 16:43
To:	MRGATE::"ARISIA::EVERHART"
Subj:	No Subject


Received: From KL.SRI.COM by CRVAX.SRI.COM with TCP; Wed, 22 FEB 89 11:02:48 PDT
Received: from CUNYVM.CUNY.EDU by KL.SRI.COM with TCP; Wed, 22 Feb 89 11:00:20 PST
Received: from UKACRL.BITNET by CUNYVM.CUNY.EDU (IBM VM SMTP R1.1) with BSMTP id 0755; Wed, 22 Feb 89 12:10:06 EST
Received: from RL.IB by UKACRL.BITNET (Mailer X1.25) with BSMTP id 6447; Wed,
 22 Feb 89 16:57:48 GMT
Received:
Via:        UK.AC.LEEDS.CMS1; 22 FEB 89 16:57:44 GMT
Date:       Wed, 22 Feb 89 16:55:23 GMT
From:       ORG5NMC%CMS1.UCS.LEEDS.AC.UK@CUNYVM.CUNY.EDU
To:         INFO-VAX@KL.SRI.COM
Message-ID: <22 Feb 89 16:55:47 GMT #6029@UK.AC.LEEDS.CMS1>

 If you use the set audit/alarm/enable=acl feature to log accesses to
   a file, be sure you don't tell your users.
     One site at RCA was able to keep this turned on only about 15 minutes.
   Beyond that time, people with ACLs on their OWN files were generating
   so many log reports the VAXen involved were quickly brought to their
   knees. This required NO privs by those doing it, and effectively
   rendered the logging feature worthless. I believe a simple dir/size is
   sufficient to trigger an access since the file header must be accessed
   to get the size. I could be wrong about that, but someone offended by
   such a monitor can quickly force you to disable it...if (s)he knows.
     Glenn Everhart
This would make perfect sense if DEC had done the job right in
the first place and not placed the 40 byte record that contains
the info as to what alarms are turned on in a user readable page!
I just couldn't believe this when I saw it and whats more the
guy who wrote show audit must have known it because he didn't
have to change mode to read the buffer.
Show audit just makes a completely bogus security privilege
check before continuing. This means that anybody can write their
own version of show audit that doesn't make these checks!
   In my oppinion some of the audits are useless anyway for
example take authorization:
From what I can see only reason authorize is installed with
cmkrnl is so it can set off authorization audits! Just copy
the program and your away. Its easy enougth to add records
using RMS anyway.
   Having said this I feel I must say that the ACL, login
and breakin stuff look like real usefull things to enable (if
you can handle the volume) since by the time the bad boys
know they are turned on its too late.
                            Neill.