HP OpenVMS Guide to System Security > Chapter 9 Security Auditing

Overview of the Auditing Process

  Table of Contents

  Glossary

  Index

Auditing is the recording of security-relevant activity as it occurs on the system and the subsequent analysis of this audit log. With auditing, you can monitor users' activity on the system and, if necessary, reconstruct events leading up to attempts to compromise the security of your system. Thus, it is not as much a method of protecting the system and its data as a method of analyzing and recording system use.

Anything that has to do with a user's access to the system or to a protected object within the system is considered a security-relevant activity. Such activities are called events. Typical events include the following:

  • Logins, logouts, or login failures

  • Changes to the authorization database

  • Access to a protected object, such as a file, device, or global section

  • Changes in privileges or the security attributes of protected objects

The operating system can record both successful and unsuccessful events. Sometimes the unsuccessful can be more revealing. For example, it is less important to record that a programmer displayed a file to which he had access than that the same programmer tried to but was prevented from displaying a protected file.

The event message itself can be written to two places: an audit log file or an operator terminal that is enabled to receive security class messages. As Example 9-1 “Sample Alarm Message” shows, a message contains the following data:

  1. Date and time of the message

  2. Type of event

  3. Date and time the event occurred

  4. The process identification (PID) of the user who caused the event

Additional information in auditing messages is specific to the type of event. See Appendix D “Alarm Messages” for examples of different messages.

Example 9-1 Sample Alarm Message

%%%%%%%%%%%  OPCOM  25-JUL-2001 16:07:09.20  %%%%%%%%%%%     
Message from user AUDIT$SERVER on GILMORE
Security alarm (SECURITY) on GILMORE, system id: 20300
Auditable event: Process suspended ($SUSPND)
Event time: 25-JUL-2001 16:07:08.77
PID: 30C00119
Process name: Hobbit
Username: HUBERT
Process owner: [LEGAL,HUBERT]
Terminal name: RTA1:
Image name: $99$DUA0:[SYS0.SYSCOMMON.][SYSEXE]SET.EXE
Status: %SYSTEM-S-NORMAL, normal successful completion
Target PID: 30C00126
Target process name: SMISERVER
Target username: SYSTEM
Target process owner: [SYSTEM]