From:	SMTP%"RELAY-INFO-VAX@CRVAX.SRI.COM" 27-MAY-1994 12:19:51.64
To:	EVERHART
CC:	
Subj:	Accessing the intrusion database

Date: Thu, 26 May 1994 10:58:52 +0300 (CET-DST)
From: "All thoughts, all passions, all delights..." <SEMUSCHIN@DECUS.DECUS.DE>
To: info-vax@sri.com
Message-Id: <940526105852.7b3d@DECUS.DECUS.DE>
Subject: Accessing the intrusion database

Hi, Joel !

;Date:         Wed, 25 May 1994 16:03:04 GMT
;From:         "Joel M. DeYoung" <DEYOUNG@ACS.HARDING.EDU>
;Subject:      Accessing the intrusion database
;...
;I'm updating a program that will allow a user to list and delete
;intrusion records.  

Such a program could become a security hole, so you should seal access to it
with some checks of the user's privileges and/or rights identifiers.

;Does anyone know of a system service or routine
;that I can call that will allow me access to the intrusion database?
;The *only* references I can find in the literature about the intrusion
;database are the commands SHOW INTRUSION and DELETE/INTRUSION_RECORD.

Nope. To prove it to myself I tried to find words like 'INTRUSION', 'INTRUDER'
in the system service reference manual ... Alas ... so the only possibility
I see is ...

			Ask the CIA !

1. Write a short MACRO program:
$ create ciadef.mar
.TITLE		CIADEF
.IDENT		/V 001/
.LIBRARY	/SYS$LIBRARY:LIB/	; macro library that holds the $CIADEF macro
	$CIADEF GLOBAL			; define the CIA$ structure symbols as globals
.END
^Z
2. Compile it:
$ macro/obj=ciadef.stb ciadef	! .STB is the default file type for SDA's READ
3. Call SDA (it would be in
$ analyze/system
SDA> read sys$system:sys	! symbols of the running system image
SDA> read ciadef		! the CIA$ symbols assembled above
SDA> ex CIA$GQ_INTRUDER		! listhead of the intrusion queue
SDA> FORMAT/TYPE=CIA @CIA$GQ_INTRUDER

Then you could write a program that does the same. The intrusion database is
ERKW protected (executive read / kernel write), so you should write your
own system service or use $CMKRNL or $CMEXEC. To delete a record you should
remove an element from the queue at CIA$GQ_INTRUDER and free it. Here
you could run into difficulties, because to access this database you
should lock it using a spinlock whose name is unknown to me ...

Note that all this stuff is unsupported. I'm not 100% sure that the
intrusion data is used only by the two DCL commands you cite and LOGINOUT.EXE.

Perhaps someone who has more of a clue could give you more help.

							= Seva
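A gate of the kind the reply recommends, checks of the caller's privileges and rights identifiers in front of the intrusion-record commands, written here as an added DCL example; it is not code from the original thread or from either poster. It wraps the two supported commands, SHOW INTRUSION and DELETE/INTRUSION_RECORD, and writes an audit line before every deletion. The identifier name INTRUSION_ADMIN and the log file SYS$MANAGER:INTRUSION_ADMIN.LOG are assumptions for the example.

```dcl
$! INTRUSION_ADMIN.COM  (added example, not from the original posting)
$!
$! Gate in front of SHOW INTRUSION and DELETE/INTRUSION_RECORD.  The caller
$! must hold SECURITY privilege (the commands need it anyway) AND the rights
$! identifier named in ADMIN_ID, an assumed name that would be created and
$! granted with AUTHORIZE.  Every deletion is logged before it is attempted.
$!
$!   @INTRUSION_ADMIN LIST
$!   @INTRUSION_ADMIN DELETE "source-as-shown-by-SHOW-INTRUSION"
$!
$ SET NOON
$ ON CONTROL_Y THEN GOTO DONE
$ ADMIN_ID = "INTRUSION_ADMIN"                  ! assumed identifier name
$ LOGFILE  = "SYS$MANAGER:INTRUSION_ADMIN.LOG"  ! assumed log location
$ VERB   = F$EDIT(P1, "TRIM,UPCASE")
$ TARGET = F$EDIT(P2, "TRIM")
$!
$! Gate 1: the privilege the commands themselves demand.  Checking up front
$! gives a clean error instead of a half-run procedure.
$ IF .NOT. F$PRIVILEGE("SECURITY")
$ THEN
$     WRITE SYS$OUTPUT "SECURITY privilege is required."
$     EXIT 36     ! SS$_NOPRIV
$ ENDIF
$!
$! Gate 2: the rights identifier.  F$GETJPI returns the process rights list
$! as a comma-separated string; compare whole elements, not substrings, so
$! that a name such as INTRUSION_ADMIN_RO would not match by accident.
$ HELD = 0
$ RIGHTS = F$GETJPI("", "PROCESS_RIGHTS")
$ I = 0
$ RIGHTS_LOOP:
$     ID = F$EDIT(F$ELEMENT(I, ",", RIGHTS), "TRIM,UPCASE")
$     IF ID .EQS. "," THEN GOTO RIGHTS_DONE    ! F$ELEMENT returns the delimiter past the end
$     IF ID .EQS. ADMIN_ID THEN HELD = 1
$     I = I + 1
$     GOTO RIGHTS_LOOP
$ RIGHTS_DONE:
$ IF .NOT. HELD
$ THEN
$     WRITE SYS$OUTPUT "Identifier ''ADMIN_ID' is required."
$     EXIT 36     ! SS$_NOPRIV
$ ENDIF
$!
$ IF VERB .EQS. "LIST"
$ THEN
$     SHOW INTRUSION
$     GOTO DONE
$ ENDIF
$ IF VERB .EQS. "DELETE"
$ THEN
$     IF TARGET .EQS. ""
$     THEN
$         WRITE SYS$OUTPUT "DELETE needs the intrusion source as P2."
$         EXIT 20    ! SS$_BADPARAM
$     ENDIF
$     ! Record who removed what BEFORE doing it, so a failed delete is logged too.
$     IF F$SEARCH(LOGFILE) .EQS. ""
$     THEN OPEN/WRITE/ERROR=NOLOG LOG 'LOGFILE'
$     ELSE OPEN/APPEND/ERROR=NOLOG LOG 'LOGFILE'
$     ENDIF
$     WRITE LOG F$TIME(), " ", F$GETJPI("", "USERNAME"), " ", -
          F$GETJPI("", "TERMINAL"), " DELETE/INTRUSION_RECORD ", TARGET
$     CLOSE LOG
$     DELETE/INTRUSION_RECORD 'TARGET'
$     GOTO DONE
$ ENDIF
$ WRITE SYS$OUTPUT "Usage: @INTRUSION_ADMIN LIST | DELETE source"
$ EXIT 20          ! SS$_BADPARAM
$ NOLOG:
$ WRITE SYS$OUTPUT "Cannot open ''LOGFILE'; refusing to delete without an audit trail."
$ EXIT 36
$ DONE:
$ EXIT
```

Because a DCL procedure cannot be installed with privileges, this gate only narrows and audits what a caller who already holds SECURITY may do; it cannot hand SECURITY to a caller who lacks it. If the aim is to let operators without SECURITY delete records, the same two tests (the current privilege mask and the process rights list, both available through $GETJPI) belong inside an image installed with that privilege, together with the audit record.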