Logging Security Information [ Controlling System Activity ] MPE/iX 5.0 Documentation
Controlling System Activity
Logging Security Information
Logging security information establishes an audit trail that helps you
locate areas where you may need stronger security precautions and helps
determine the cause of a security breach. You log security information
by recording it in system log files.
The system records information in system log files by record type. Each
type of record describes a different occurrence. For example, the system
adds a job initiation record to the current log file each time a new job
or session begins.
Record types that are useful for auditing system security include:
* File close
* File open
* Job initiation
* Job termination
* Process termination
Turn on log records with the SYSGEN program. Refer to the System Startup,
Configuration, and Shutdown Reference Manual (32650-90042) for
instructions.
Monitoring the Close Of Files
Monitor the close of files in order to match file closings with file
openings. File close records (type 105) tell you the time the file
closed, the type and name of the job or session that closed it, the file
name, group name, account name, creator name, user accessing the file,
the file disposition, the file domain, and the file size.
Monitoring Job Initiations
Monitoring job and session initiations gives you a record of who logged
on to the system, when, and on what device. Reviewing job and session
initiation records, for example, alerts you to someone who is logging on
frequently. After you turn on job initiation logging (log type 102), the
system writes a job initiation record to the system log file each time
someone begins a job or session.
Monitoring Job Terminations
To monitor the end of each job and session, turn on job termination
records (log type 103). A record of job terminations is useful for
matching job initiations. By comparing the two, you can determine
whether all jobs and sessions eventually terminate. A job termination
record includes the time when the job or session ended, the number, the
number of processes it created, the CPU time it used, and the elapsed
time since it began.
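The two checks just described, matching each job initiation (type 102) against its termination (type 103) and spotting a user who logs on unusually often, can be scripted over a LOGTOOL listing. The following is an added example, not from the MPE/iX manual; its record layout (time, type, job/session number, user.account, optional ldev) is a constructed simplification, so adapt parse_record() to the fields your own LIST output shows.

```python
# Added example (not from the MPE/iX manual): correlate job initiation (type 102)
# and job termination (type 103) records from a LOGTOOL listing.
from collections import Counter

JOB_INIT, JOB_TERM = 102, 103
# Constructed sample standing in for a "LIST LOG=55;TYPE=102,103" listing.
# The layout is assumed, not the real LOGTOOL format:
#   <time> <type> <job/session number> <user.account> [<ldev>]
SAMPLE_LISTING = """\
08:01:12 102 #S101 MGR.SYS 20
08:02:40 102 #S102 OPERATOR.SYS 21
08:05:03 103 #S101 MGR.SYS
08:06:15 102 #J55 BACKUP.SYS 10
08:07:00 102 #S103 MGR.SYS 22
08:07:30 103 #S103 MGR.SYS
08:08:05 102 #S104 MGR.SYS 23
08:08:40 103 #S104 MGR.SYS
08:09:10 102 #S105 MGR.SYS 24
"""

def parse_record(line):
    """Split one listing line into (time, type, jobnum, user, ldev-or-None)."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"malformed record: {line!r}")
    time, rtype, jobnum, user = fields[:4]
    return time, int(rtype), jobnum, user, fields[4] if len(fields) > 4 else None

def audit_sessions(listing, logon_threshold=3):
    """Return (unterminated, frequent): job numbers with a 102 but no 103,
    and users whose logon count reaches logon_threshold."""
    open_jobs = {}
    logons = Counter()
    for line in filter(str.strip, listing.splitlines()):
        time, rtype, jobnum, user, ldev = parse_record(line)
        if rtype == JOB_INIT:
            open_jobs[jobnum] = (time, user, ldev)
            logons[user] += 1
        elif rtype == JOB_TERM:
            # a 103 with no prior 102 would be an orphan; drop it silently here
            open_jobs.pop(jobnum, None)
    unterminated = sorted(open_jobs)
    frequent = sorted(u for u, n in logons.items() if n >= logon_threshold)
    return unterminated, frequent

if __name__ == "__main__":
    open_jobs, frequent = audit_sessions(SAMPLE_LISTING)
    print("initiated but never terminated:", open_jobs)  # ['#J55', '#S102', '#S105']
    print("frequent logons:", frequent)                  # ['MGR.SYS']
```

A job left in the unterminated list is either still running or ended without a termination record, which is the case worth following up in the audit.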
Monitoring Process Terminations
Monitoring process terminations gives you an idea of how people are using
the system. Users who initiate many processes are using the system more
heavily than other users. You might want to monitor their use more
carefully. To monitor process terminations, turn on process termination
records (log type 104). A process termination record tells you the type
and number of the job or session that initiated the process and the
amount of resources used by the process.
Reviewing Audit Records With the LOGTOOL Program
The system stores log records in log files. It names log files LOGxxxx
where xxxx is the sequential number of the log file. You can print
selected audit records within a series of log files with the LOGTOOL
utility program under the online diagnostic system.
To review the audit records:
1. Enter the Diagnostic User Interface (DUI). Enter:
SYSDIAG
2. To run the LOGTOOL utility program, enter:
DUI > RUN LOGTOOL
3. To determine what log files are present on the system, use the
STATUS command:
LOGTOOL> STATUS
This displays a list of all log files present on the system. Current
log files will be prefixed with an "*".
4. To display the contents of log files, use the LIST command with
LOGTOOL. The following line will display the contents of files
LOG0055, LOG0056, and LOG0057 to the terminal:
LOGTOOL> LIST LOG=55/57
The above command will display all the records within each log
file. The user may select specific types of records to be
displayed. A list of the types available can be displayed by
using the TYPE command.
LOGTOOL> TYPE
A list of type numbers and a brief description will be displayed.
If the user wishes to select specific types of records, the TYPE
parameter can be specified followed by a list of type numbers.
The following line will display types 102 and 103 from log file
LOG0055 to the terminal.
LOGTOOL> LIST LOG=55;TYPE=102,103
The contents of file for types 102 and 103 will be displayed.
If the user wishes to have the information sent to a file instead
of the terminal, the OUTFILE parameter can be specified. If LP is
given, the information will be sent to the system line printer.
Otherwise, the information will be sent to the file specified in
the diagnostic group and account (DIAG.SYS). The following line
will send information from log file LOG0055 to the system line
printer.
LOGTOOL> LIST LOG=55;OUTFILE=LP
Information will NOT be displayed to the terminal.
5. To purge the log files from the system, enter the PURGESYS command
within LOGTOOL. The following line will purge LOG0055 and LOG0056
from the system.
LOGTOOL> PURGESYS LOG=55/56;NOVERIFY
If the NOVERIFY option is given, the user will not be prompted to
confirm that the file is really to be purged.
6. To exit LOGTOOL and the Diagnostic User Interface, enter EXIT to
the LOGTOOL> and the DUI> prompts.
Refer to the Online Diagnostic Subsystem Utilities Manual (09749-90021)
for additional instructions.