From:	SMTP%"ARNE@ko.hhs.dk" 10-NOV-1994 14:41:17.88
To:	EVERHART
CC:	
Subj:	Re: Where are VMS Intrusion Records?

From: Arne Vajhoej <ARNE@ko.hhs.dk>
X-Newsgroups: comp.os.vms
Subject: Re: Where are VMS Intrusion Records?
Message-ID: <01HJBR1AQQGI8WWLKU@kopc.hhs.dk>
Date: Thu, 10 Nov 1994 19:54:09 +0100
Organization: Info-Vax<==>Comp.Os.Vms Gateway
X-Gateway-Source-Info: Mailing List
Lines: 123
To: Info-VAX@Mvb.Saic.Com

> I have been trying to find out the complete Intrusion entry
> expiration time, but have been unable to.
> 
> When you use the DCL command SHOW INTRUSION, it only displays the
> time in hours, minutes and seconds.  However, it is possible that
> this time could be in several days time.
> 
> I assume that the Intrusion records are held in memory, and this
> must be in system space (S0 or S1) and that the time is stored as
> a quadword. Unfortunately, there is no mention of the data
> structures used for system security in "VMS Data Structures &
> Internals" (that I can find) and I don't have access to the
> source code (I expected it isn't in there either).
> 
> Does anyone know how to obtain the COMPLETE intrusion expiration
> date-time?

The base is placed at CIA$GQ_INTRUDER and the structures are defined in
$CIADEF in SYS$LIBRARY:LIB.MLB !

(privs required !)

Because it has been such a long time since I have seen a good piece of MACRO32
posted to INFO-VAX, I have written a small example, which is
attached below. CMEXEC priv required. VMS VAX only. It would probably
be more "correct" to CMKRNL and take out the CIA Mutex, but I prefer to
stay in EXEC mode if possible (you know: those nasty access violations!).

                                                          Arne

Arne Vajhøj                             local DECNET:  KO::ARNE
Computer Department                     PSI:           PSI%238310013040::ARNE
Business School of Southern Denmark     Internet:      ARNE@KO.HHS.DK
                WWW URL: http://www.hhs.dk/~arne/arne.html

================================================================================

TEST_CIALST.FOR
---------------

C     Call CIALST to fill S (intrusion sources) and T (expiration
C     times as quadwords, two longwords each), then print each source
C     with its full date-time as formatted by SYS$ASCTIM.
      INTEGER*4 N,T(2,500),I
      CHARACTER*23 AT
      CHARACTER*40 S(500)
      INTEGER*4 CIALST
      WRITE(*,*) CIALST(S,N,T)
      DO 100 I=1,N
        CALL SYS$ASCTIM(,AT,T(1,I),)
        WRITE(*,*) S(I),AT
100   CONTINUE
      END

CIALST.MAR
----------

        .title  cialst
;
;  Author     : Arne Vajhøj
;
;  Programmed : November 1994 by Arne Vajhøj
;
;  Purpose    : lookup all intrusion records
;
        .link   "sys$system:sys.stb"/selective_search
        .library "SYS$LIBRARY:LIB"
        $SSDEF
        $CIADEF
        .psect  $CODE quad,pic,con,lcl,shr,exe,nowrt
;
;  Entry : CIALST ( SRC, NSRC, TIM )
;
;  Functionality : Lookup all intrusion records with source and date
;
;  Arguments : SRC
;              source
;              fixed length character string passed by descriptor (array)
;              writeonly
;
;              NSRC
;              number of sources
;              longword passed by reference
;              writeonly
;
;              TIM
;              time
;              quadword (stored as two longwords) passed by reference (array)
;              writeonly
;
;  Privileges required : CMEXEC
;
;  return codes : SS$_NORMAL       successful
;                 SS$_NOPRIV       no CMEXEC privilege present
;
;  Bugs : Please mail bug-reports to ARNE@KO.HHS.DK (Arne Vajhøj).
;
        .entry  cialst,^m<r2,r3,r4,r5>
        pushl   ap                      ; arglst: reuse our own AP so that
                                        ; cialst2 receives SRC, NSRC, TIM
        pushab  G^cialst2               ; routine to run in executive mode
        calls   #2,G^SYS$CMEXEC         ; executive-mode call of cialst2
        cmpl    r0,#SS$_NORMAL
        bneq    100$
        ret
100$:   clrl    @B^8(ap)                ; $CMEXEC failed (e.g. no CMEXEC priv):
        ret                             ; nsrc=0, r0 holds the error status
        .entry  cialst2,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10,r11>
        movl    B^4(ap),r6              ; address of SRC descriptor
        movzwl  (r6),r7                 ; DSC$W_LENGTH: length of character
        movl    B^4(r6),r6              ; DSC$A_POINTER: address of character
        clrl    @B^8(ap)                ; nsrc=0
        movl    B^12(ap),r9             ; address of time
        movab   @#CIA$GQ_INTRUDER,r10   ; address of intrusion database
                                        ; (listhead of the intrusion records)
        movl    r10,r11
100$:   cmpl    B^CIA$L_FLINK(r11),r10  ; test if circled (back at listhead)
        beql    200$
        movl    B^CIA$L_FLINK(r11),r11  ; next record
        movc3   r7,B^CIA$T_DATA(r11),(r6)    ; get source (movc3 clobbers r0-r5 only)
        addl2   r7,r6                   ; next SRC element
        movq    B^CIA$Q_TIME(r11),(r9)+      ; get time (autoincrement by 8)
        incl    @B^8(ap)                ; nsrc=nsrc+1 (no check against the
                                        ; caller's array bound: size SRC and
                                        ; TIM for the largest expected database)
        brb     100$
200$:   movl    #SS$_NORMAL,r0
        ret
        .end
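The quadword CIALST copies out of CIA$Q_TIME into T(1,I)/T(2,I) is a VMS absolute time (100 ns ticks since 17-NOV-1858), which is what carries the full date that SHOW INTRUSION's hh:mm:ss display omits. The decoder below is an added example, not part of Arne's post; the two records in SAMPLE (sources and expiration times) are constructed, and it reproduces the 23-character SYS$ASCTIM layout the Fortran test program prints.

```python
from datetime import datetime, timedelta

# VMS absolute time is a 64-bit count of 100 ns ticks since the
# Smithsonian base date, 17-NOV-1858 00:00:00.00 (negative = delta time).
VMS_EPOCH = datetime(1858, 11, 17)
TICKS_PER_SECOND = 10_000_000
MONTHS = ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"]

def quadword_to_datetime(low, high):
    """Combine the two longwords CIALST stores in T(1,I) and T(2,I)."""
    if high & 0x80000000:
        raise ValueError("negative quadword is a delta time, not absolute")
    ticks = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    seconds, rem = divmod(ticks, TICKS_PER_SECOND)
    return VMS_EPOCH + timedelta(seconds=seconds, microseconds=rem // 10)

def asctim(low, high):
    """Format like SYS$ASCTIM: 'dd-MMM-yyyy hh:mm:ss.cc', 23 characters
    (hence CHARACTER*23 AT in the Fortran test program)."""
    t = quadword_to_datetime(low, high)
    return (f"{t.day:2d}-{MONTHS[t.month - 1]}-{t.year:04d} "
            f"{t.hour:02d}:{t.minute:02d}:{t.second:02d}."
            f"{t.microsecond // 10000:02d}")

def datetime_to_quadword(t):
    """Inverse of quadword_to_datetime; used to build the sample records."""
    d = t - VMS_EPOCH
    ticks = (d.days * 86400 + d.seconds) * TICKS_PER_SECOND + d.microseconds * 10
    return ticks & 0xFFFFFFFF, ticks >> 32

# Constructed sample records (source, expiration), not real CIA data.
SAMPLE = [
    ("NODE::SMITH", datetime(1994, 11, 10, 19, 54, 9, 120000)),
    ("TTA3:", datetime(1994, 11, 13, 2, 0, 0)),
]

def expiration_report(records=SAMPLE):
    """Return (source, full SYS$ASCTIM string, hh:mm:ss part) per record;
    the last field is the part SHOW INTRUSION displays."""
    out = []
    for source, when in records:
        full = asctim(*datetime_to_quadword(when))
        out.append((source, full, full[12:20]))
    return out

if __name__ == "__main__":
    for source, full, hms in expiration_report():
        print(f"{source:<40s} {full}  (SHOW INTRUSION shows {hms})")
```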