Article 149234 of comp.os.vms:

Recently we received some complaints about breakins/hackings, etc., at our site. I started producing some reports from the System Audit file & Accounting files. In accounting, LOGIN_FAILURE logging is enabled, & in system security auditing, Breakin & Logfailure auditing are enabled. I found some entries in accounting & security auditing, as under, for user EL925302.

I tried to create Breakin entries for another account, PACKAGES, by telnetting to our machine from another machine & trying to log in to account PACKAGES by entering wrong passwords. After three attempts the connection would get broken. Anyway, despite all my efforts I could not create "Remote interactive breakin detection" entries in the Security Audit file.

But to my surprise, I found some entries for user EL925302 with Auditable event "Remote interactive login failure" & Status "%LOGIN-F-INVPWD, invalid password". Also, entries exist with Auditable event "Remote interactive breakin detection" & Status "%LOGIN-F-INVPWD, invalid password". In the latter case even the password used by the user is displayed (e.g. RAINMAN_). A third type of entry in the Security Auditing file is very interesting, where the Auditable event is again "Remote interactive breakin detection" with Status "%SYSTEM-S-NORMAL, normal successful completion". I am unable to understand the difference between these three types of entries, & under what circumstances it is treated as a Login Failure & when it is treated as a Breakin with the "%LOGIN-F-INVPWD" & "%SYSTEM-S-NORMAL" statuses respectively.

I also tried to look into the ACCOUNTING file but could not locate (or at least could not interrelate) entries with the Security Auditing entries. In accounting entries, sometimes the Username (e.g. EL925302) is different from the Remote ID (e.g. me921302 or me922373). Also, Remote node addr (e.g. 23413) & Remote node name (e.g. 139.14) are shown in INTERACTIVE Process Termination entries.
At other times the Remote ID is shown as TELNET_8B8DA03A (which possibly indicates TELNET from a node with IP address 139.141.160.58). What do Remote IDs like me921302 mean? (Is it user me921302 logged in from a remote site with user id EL925302 on our system, or the reverse?) How can the Remote node addr & Remote node name values be used in a TCP/IP environment? Where can I get more details about all these values & under what situations these entries are created?

Sorry for such a long post, but I hope it will be useful for some others on the net also. You can as well reply to me at my E-mail address, which is rakesh@kuc01.kuniv.edu.kw. Thanks a lot in advance.

RAKESH

#############################################################################
############# SECURITY AUDIT Entries for EL925302 & PACKAGES ################
#############################################################################

Security audit (SECURITY) on KUC01, system id: 1025
Auditable event:          Remote interactive login failure
Event time:               10-JUN-1996 10:16:50.93
PID:                      0000D91E
Process name:             _TNA8408:
Username:                 EL925302
Terminal name:            TNA8408, _TNA8408, Host: 139.141.199.1 Port: 1022
Status:                   %LOGIN-F-INVPWD, invalid password

Security audit (SECURITY) on KUC01, system id: 1025
Auditable event:          Remote interactive breakin detection
Event time:               10-JUN-1996 17:48:53.70
PID:                      00010231
Process name:             _TNA8790:
Username:                 EL925302
Password:                 RAINMAN_
Terminal name:            TNA8790, _TNA8790, Host: 139.141.199.1 Port: 1020
Status:                   %LOGIN-F-INVPWD, invalid password

Security audit (SECURITY) on KUC01, system id: 1025
Auditable event:          Remote interactive breakin detection
Event time:               10-JUN-1996 17:50:44.73
PID:                      00005648
Process name:             _TNA8791:
Username:                 EL925302
Password:
Terminal name:            TNA8791, _TNA8791, Host: 139.141.199.1 Port: 1020
Status:                   %SYSTEM-S-NORMAL, normal successful completion

Security audit (SECURITY) on KUC01, system id: 1025
Auditable event:          Remote interactive login failure
Event time:               11-JUN-1996 18:26:31.79
PID:                      00010DFD
Process name:             _TNA9553:
Username:                 PACKAGES
Terminal name:            TNA9553, _TNA9553, Host: 139.141.199.3 Port: 3475
Status:                   %LOGIN-F-INVPWD, invalid password

Security audit (SECURITY) on KUC01, system id: 1025
Auditable event:          Remote interactive login failure
Event time:               11-JUN-1996 18:26:40.24
PID:                      00010DFD
Process name:             _TNA9553:
Username:                 PACKAGES
Terminal name:            TNA9553, _TNA9553, Host: 139.141.199.3 Port: 3475
Status:                   %LOGIN-F-INVPWD, invalid password

Security audit (SECURITY) on KUC01, system id: 1025
Auditable event:          Remote interactive login failure
Event time:               11-JUN-1996 18:26:49.12
PID:                      00010DFD
Process name:             _TNA9553:
Username:                 PACKAGES
Terminal name:            TNA9553, _TNA9553, Host: 139.141.199.3 Port: 3475
Status:                   %LOGIN-F-INVPWD, invalid password

#############################################################################
############### Accounting Entries for EL925302 & PACKAGES ##################
#############################################################################

****************************************************************************
INTERACTIVE Process Termination
-------------------------------
Username:          EL925302           UIC:               [ENG02P01,EL925302]
Account:           ENG02P01           Finish time:       10-JUN-1996 11:36:50.86
Process ID:        0000D91E           Start time:        10-JUN-1996 10:16:41.26
Owner ID:                             Elapsed time:      0 01:20:09.60
Terminal name:     TNA8408            Processor time:    0 00:00:10.60
Remote node addr:  23413              Priority:          4
Remote node name:  139.14             Privilege <31-00>: 00108000
Remote ID:         me921302           Privilege <63-32>: 00000000
Remote full name:                     Queue entry:
Final status code: 00000001           Queue name:
Job name:                             Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults:       16685              Direct IO:         80
Page fault reads:  210                Buffered IO:       23910
Peak working set:  2720               Volumes mounted:   0
Peak page file:    9595               Images executed:   16
****************************************************************************
INTERACTIVE Process Termination
-------------------------------
Username:          EL925302           UIC:               [ENG02P01,EL925302]
Account:           ENG02P01           Finish time:       10-JUN-1996 11:56:59.27
Process ID:        0000E5D6           Start time:        10-JUN-1996 11:43:43.64
Owner ID:                             Elapsed time:      0 00:13:15.63
Terminal name:     TNA8544            Processor time:    0 00:00:05.29
Remote node addr:  23413              Priority:          4
Remote node name:  139.14             Privilege <31-00>: 00108000
Remote ID:         me922373           Privilege <63-32>: 00000000
Remote full name:                     Queue entry:
Final status code: 00000001           Queue name:
Job name:                             Final status text: %SYSTEM-S-NORMAL, normal successful completion
Page faults:       17768              Direct IO:         74
Page fault reads:  185                Buffered IO:       1862
Peak working set:  2732               Volumes mounted:   0
Peak page file:    8900               Images executed:   16
****************************************************************************
INTERACTIVE Process Termination
-------------------------------
Username:          EL925302           UIC:               [ENG02P01,EL925302]
Account:           ENG02P01           Finish time:       10-JUN-1996 13:21:46.80
Process ID:        0000F5A4           Start time:        10-JUN-1996 13:20:33.41
Owner ID:                             Elapsed time:      0 00:01:13.39
Terminal name:     TNA8653            Processor time:    0 00:00:03.62
Remote node addr:  23413              Priority:          4
Remote node name:  139.14             Privilege <31-00>: 00108000
Remote ID:         TELNET_8B8DA03A    Privilege <63-32>: 00000000
Remote full name:                     Queue entry:
Final status code: 10118009           Queue name:
Job name:                             Final status text:
Page faults:       14615              Direct IO:         54
Page fault reads:  69                 Buffered IO:       830
Peak working set:  2581               Volumes mounted:   0
Peak page file:    7945               Images executed:   8
****************************************************************************
LOGIN FAILURE
-------------
Username:          EL925302           UIC:               [SYSTEM]
Account:                              Finish time:       10-JUN-1996 17:51:07.48
Process ID:        00005648           Start time:        10-JUN-1996 17:50:36.78
Owner ID:                             Elapsed time:      0 00:00:30.70
Terminal name:     TNA8791            Processor time:    0 00:00:00.13
Remote node addr:  23413              Priority:          4
Remote node name:  139.14             Privilege <31-00>: 0010C000
Remote ID:         me921302           Privilege <63-32>: 00000000
Remote full name:                     Queue entry:
Final status code: 10D380FC           Queue name:
Job name:                             Final status text: %LOGIN-F-INVPWD, invalid password
Page faults:       293                Direct IO:         2
Page fault reads:  6                  Buffered IO:       47
Peak working set:  523                Volumes mounted:   0
Peak page file:    3465               Images executed:   1
****************************************************************************
LOGIN FAILURE
-------------
Username:          EL925302           UIC:               [SYSTEM]
Account:                              Finish time:       10-JUN-1996 17:52:56.10
Process ID:        0000F44C           Start time:        10-JUN-1996 17:52:20.89
Owner ID:                             Elapsed time:      0 00:00:35.21
Terminal name:     TNA8793            Processor time:    0 00:00:00.13
Remote node addr:  23413              Priority:          4
Remote node name:  139.14             Privilege <31-00>: 0010C000
Remote ID:         me921302           Privilege <63-32>: 00000000
Remote full name:                     Queue entry:
Final status code: 10D380FC           Queue name:
Job name:                             Final status text: %LOGIN-F-INVPWD, invalid password
Page faults:       296                Direct IO:         4
Page fault reads:  6                  Buffered IO:       50
Peak working set:  526                Volumes mounted:   0
Peak page file:    3465               Images executed:   1
****************************************************************************
LOGIN FAILURE
-------------
Username:          EL925302           UIC:               [SYSTEM]
Account:                              Finish time:       10-JUN-1996 17:56:58.27
Process ID:        00010066           Start time:        10-JUN-1996 17:56:24.82
Owner ID:                             Elapsed time:      0 00:00:33.45
Terminal name:     TNA8794            Processor time:    0 00:00:00.17
Remote node addr:  23413              Priority:          4
Remote node name:  139.14             Privilege <31-00>: 0010C000
Remote ID:         me921302           Privilege <63-32>: 00000000
Remote full name:                     Queue entry:
Final status code: 10D380FC           Queue name:
Job name:                             Final status text: %LOGIN-F-INVPWD, invalid password
Page faults:       296                Direct IO:         4
Page fault reads:  6                  Buffered IO:       50
Peak working set:  526                Volumes mounted:   0
Peak page file:    3465               Images executed:   1
****************************************************************************
LOGIN FAILURE
-------------
Username:          PACKAGES           UIC:               [SYSTEM]
Account:                              Finish time:       11-JUN-1996 18:26:15.13
Process ID:        0000D7FA           Start time:        11-JUN-1996 18:25:44.93
Owner ID:                             Elapsed time:      0 00:00:30.20
Terminal name:     TNA9551            Processor time:    0 00:00:00.16
Remote node addr:  23413              Priority:          4
Remote node name:  139.14             Privilege <31-00>: 0010C000
Remote ID:         TELNET_8B8DC703    Privilege <63-32>: 00000000
Remote full name:                     Queue entry:
Final status code: 10D380FC           Queue name:
Job name:                             Final status text: %LOGIN-F-INVPWD, invalid password
Page faults:       281                Direct IO:         8
Page fault reads:  6                  Buffered IO:       53
Peak working set:  511                Volumes mounted:   0
Peak page file:    3465               Images executed:   1
****************************************************************************
LOGIN FAILURE
-------------
Username:          PACKAGES           UIC:               [SYSTEM]
Account:                              Finish time:       11-JUN-1996 18:26:49.23
Process ID:        00010DFD           Start time:        11-JUN-1996 18:26:24.12
Owner ID:                             Elapsed time:      0 00:00:25.11
Terminal name:     TNA9553            Processor time:    0 00:00:00.11
Remote node addr:  23413              Priority:          4
Remote node name:  139.14             Privilege <31-00>: 0010C000
Remote ID:         TELNET_8B8DC703    Privilege <63-32>: 00000000
Remote full name:                     Queue entry:
Final status code: 10D380FC           Queue name:
Job name:                             Final status text: %LOGIN-F-INVPWD, invalid password
Page faults:       281                Direct IO:         7
Page fault reads:  6                  Buffered IO:       53
Peak working set:  511                Volumes mounted:   0
Peak page file:    3465               Images executed:   1
****************************************************************************
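One way to line the two files up, as an added example that is not part of the original post: a Python script that parses the two record layouts shown above (the samples inside it are trimmed copies of the post's own records, with most fields dropped to keep it short), joins each security audit record to the accounting record with the same PID, and decodes a TELNET_xxxxxxxx Remote ID by reading its eight hex digits as the peer's IPv4 address, which is the reading the poster suggests for TELNET_8B8DA03A. The parser relies only on the "Label: value" layout visible in the post; the function names, the separator patterns and the field names in the result rows are this example's own.

```python
# Added example, not from the post: parse the two record formats shown above and join them on PID.
import re

AUDIT_SAMPLE = """\
Security audit (SECURITY) on KUC01, system id: 1025
Auditable event:          Remote interactive login failure
Event time:               10-JUN-1996 10:16:50.93
PID:                      0000D91E
Username:                 EL925302
Terminal name:            TNA8408, _TNA8408, Host: 139.141.199.1 Port: 1022
Status:                   %LOGIN-F-INVPWD, invalid password
Security audit (SECURITY) on KUC01, system id: 1025
Auditable event:          Remote interactive breakin detection
Event time:               10-JUN-1996 17:48:53.70
PID:                      00010231
Username:                 EL925302
Password:                 RAINMAN_
Terminal name:            TNA8790, _TNA8790, Host: 139.141.199.1 Port: 1020
Status:                   %LOGIN-F-INVPWD, invalid password
Security audit (SECURITY) on KUC01, system id: 1025
Auditable event:          Remote interactive breakin detection
Event time:               10-JUN-1996 17:50:44.73
PID:                      00005648
Username:                 EL925302
Password:
Terminal name:            TNA8791, _TNA8791, Host: 139.141.199.1 Port: 1020
Status:                   %SYSTEM-S-NORMAL, normal successful completion
"""
ACCT_SAMPLE = """\
INTERACTIVE Process Termination
-------------------------------
Process ID:        0000D91E           Start time:        10-JUN-1996 10:16:41.26
Remote ID:         me921302           Privilege <63-32>: 00000000
Job name:                             Final status text: %SYSTEM-S-NORMAL, normal successful completion
****************************************************************************
INTERACTIVE Process Termination
-------------------------------
Process ID:        0000F5A4           Start time:        10-JUN-1996 13:20:33.41
Remote ID:         TELNET_8B8DA03A    Privilege <63-32>: 00000000
Job name:                             Final status text:
****************************************************************************
LOGIN FAILURE
-------------
Process ID:        00005648           Start time:        10-JUN-1996 17:50:36.78
Remote ID:         me921302           Privilege <63-32>: 00000000
Job name:                             Final status text: %LOGIN-F-INVPWD, invalid password
****************************************************************************
"""
LABEL_RE = re.compile(r"^([A-Za-z][\w <>-]*?):\s?(.*)$")  # one "Label: value" pair
AUDIT_SEP = r"^Security audit \(SECURITY\).*$"            # line that starts an audit record
ACCT_SEP = r"^\*{10,}\s*$"                                # line that ends an accounting record

def parse_records(text, separator):
    """Split at `separator` lines, then collect each record's 'Label: value' pairs (ACCOUNTING packs two per line, 2+ spaces apart)."""
    recs = []
    for chunk in re.split(separator, text, flags=re.M):
        rec, label = {}, None
        for line in chunk.splitlines():
            if not line.strip() or line.startswith("---"):
                continue
            if ":" not in line:                 # record title, e.g. "LOGIN FAILURE"
                rec["Type"] = line.strip()
                continue
            for tok in re.split(r"\s{2,}", line.strip()):
                m = LABEL_RE.match(tok)
                if m:                           # a label, with its value if single-spaced
                    label = m.group(1)
                    rec[label] = m.group(2).strip()
                elif label:                     # a value that sat 2+ spaces after its label
                    rec[label] = tok
        if rec:
            recs.append(rec)
    return recs

def decode_telnet_remote_id(remote_id):
    """TELNET_8B8DA03A -> '139.141.160.58': the 8 hex digits read as the peer's IPv4 address."""
    m = re.fullmatch(r"TELNET_([0-9A-Fa-f]{8})", remote_id or "")
    return ".".join(str(b) for b in bytes.fromhex(m.group(1))) if m else None

def classify(audit_rec):
    """(event kind, status code): the three combinations the post asks about."""
    kind = "breakin" if "breakin detection" in audit_rec.get("Auditable event", "") else "login-failure"
    return kind, audit_rec.get("Status", "").split(",")[0]

def correlate(audit_recs, acct_recs):
    """Attach to each audit record the accounting record with the same PID, if any."""
    by_pid = {r.get("Process ID"): r for r in acct_recs}
    rows = []
    for a in audit_recs:
        acct = by_pid.get(a.get("PID"), {})
        host = re.search(r"Host:\s*(\S+)", a.get("Terminal name", ""))
        rows.append({"pid": a.get("PID"),
                     "terminal": a.get("Terminal name", "").split(",")[0],
                     "host": host.group(1) if host else None,
                     "event": classify(a),
                     "password_logged": a.get("Password", ""),
                     "final_status": acct.get("Final status text"),   # outcome of the whole process
                     "remote_id": acct.get("Remote ID"),
                     "remote_ip": decode_telnet_remote_id(acct.get("Remote ID"))})
    return rows
```

The PID is what ties the two files together, because both record it. In the post's data the 17:50:44 "breakin detection" audit with status %SYSTEM-S-NORMAL carries PID 00005648, and the accounting file has a LOGIN FAILURE record for that same PID finishing 23 seconds later with %LOGIN-F-INVPWD, so that process still ended as a failed login; the 10:16:50 login-failure audit has PID 0000D91E, and the accounting record for that PID is a normal 80-minute INTERACTIVE session. The three PACKAGES failures at 18:26 share PID 00010DFD and terminal TNA9553 but produce a single accounting LOGIN FAILURE record, so the accounting file holds one outcome per process while the audit file holds one entry per attempt. Decoding TELNET_8B8DC703 from the PACKAGES accounting records gives 139.141.199.3, the Host shown in the matching audit records, which supports the poster's reading of that field.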