From: SMTP%"ARNE@ko.hhs.dk" 10-NOV-1994 14:41:17.88
To: EVERHART
CC:
Subj: Re: Where are VMS Intrusion Records?
From: Arne Vajhoej <ARNE@ko.hhs.dk>
X-Newsgroups: comp.os.vms
Subject: Re: Where are VMS Intrusion Records?
Message-ID: <01HJBR1AQQGI8WWLKU@kopc.hhs.dk>
Date: Thu, 10 Nov 1994 19:54:09 +0100
Organization: Info-Vax<==>Comp.Os.Vms Gateway
X-Gateway-Source-Info: Mailing List
Lines: 123
To: Info-VAX@Mvb.Saic.Com
> I have been trying to find out the complete Intrusion entry
> expiration time, but have been unable to.
>
> When you use the DCL command SHOW INTRUSION, it only displays the
> time in hours, minutes and seconds. However, it is possible that
> this time could be in several days time.
>
> I assume that the Intrusion records are held in memory, and this
> must be in system space (S0 or S1) and that the time is stored as
> a quadword. Unfortunately, there is no mention of the data
> structures used for system security in "VMS Data Structures &
> Internals" (that I can find) and I don't have access to the
> source code (I expected it isn't in there either).
>
> Does anyone know how to obtain the COMPLETE intrusion expiration
> date-time?
The base is placed at CIA$GQ_INTRUDER and the structure are defined in
$CIADEF in SYS$LIBRARY:LIB.MLB !
(privs required !)
Because it is so long time since I have seen a good piece of MACRO32
posted to INFO-VAX, then I have written a small example, which are
attached below. CMEXEC priv required. VMS VAX only. It would probably
be more "correct" to CMKRNL and take out the CIA Mutex, but I prefer to
stay in EXEC mode if possible (you know: those nasty access vialations!).
Arne
Arne Vajhøj local DECNET: KO::ARNE
Computer Department PSI: PSI%238310013040::ARNE
Business School of Southern Denmark Internet: ARNE@KO.HHS.DK
WWW URL: http://www.hhs.dk/~arne/arne.html
================================================================================
TEST_CIALST.FOR
---------------
INTEGER*4 N,T(2,500),I
CHARACTER*23 AT
CHARACTER*40 S(500)
INTEGER*4 CIALST
WRITE(*,*) CIALST(S,N,T)
DO 100 I=1,N
CALL SYS$ASCTIM(,AT,T(1,I),)
WRITE(*,*) S(I),AT
100 CONTINUE
END
CIALST.MAR
----------
.title cialst
;
; Author : Arne Vajhøj
;
; Programmed : november 1994 by Arne Vajhøj
;
; Purpose : lookup all intrusion records
;
.link "sys$system:sys.stb"/selective_search
.library "SYS$LIBRARY:LIB"
$SSDEF
$CIADEF
.psect $CODE quad,pic,con,lcl,shr,exe,nowrt
;
; Entry : CIALST ( SRC, NSRC, TIM )
;
; Functionality : Lookup all intrusion records with source and date
;
; Arguments : SRC
; source
; fixed length chracter string passed by descriptor (array)
; writeonly
;
; NSRC
; number of sources
; longword passed by refrence
; writeonly
;
; TIM
; time
; longword passed by refrence (array)
; writeonly
;
; Priviliges required : CMEXEC
;
; return codes : SS$_NORMAL successfull
; SS$_NOPRIV no CMEXEC privilige present
;
; Bugs : Please mail bug-reports to ARNE@KO.HHS.DK (Arne Vajhøj).
;
.entry cialst,^m<r2,r3,r4,r5>
pushl ap
pushab G^cialst2
calls #2,G^SYS$CMEXEC ; executive-mode call of cialst2
cmpl r0,#SS$_NORMAL
bneq 100$
ret
100$: clrl @B^8(ap)
ret
.entry cialst2,^m<r2,r3,r4,r5,r6,r7,r8,r9,r10,r11>
movl B^4(ap),r6
movzwl (r6),r7 ; length of character
movl B^4(r6),r6 ; address of character
clrl @B^8(ap) ; nsrc=0
movl B^12(ap),r9 ; address of time
movab @#CIA$GQ_INTRUDER,r10 ; address of intrusion database
movl r10,r11
100$: cmpl B^CIA$L_FLINK(r11),r10 ; test if circled
beql 200$
movl B^CIA$L_FLINK(r11),r11 ; next record
movc3 r7,B^CIA$T_DATA(r11),(r6) ; get source
addl2 r7,r6
movq B^CIA$Q_TIME(r11),(r9)+ ; get time
incl @B^8(ap)
brb 100$
200$: movl #SS$_NORMAL,r0
ret
.end