OpenVMS Notes: System Manager Stuff

The information presented here is intended for educational use by qualified OpenVMS technologists.
The information presented here is provided free of charge, as-is, with no warranty of any kind.
The information presented on this page can be really dangerous if you don't know what you are doing. So develop your skills by practicing on files first copied to scratch drives. On top of that, always make sure you have good backup copies of everything before you begin.

Freeing space on the system disk

DCL Command	Result
$set def sys$manager $reply/ena $reply/log $reply/dis $pur/log/noco OPERATOR.LOG	move to the system manager directory enable opcom messages on this terminal close the current operator log then open a new one disable opcom messages on this terminal purge extra copies of this file from this directory
$set def sys$manager $set audit/server=new $pur/log/noco SECURITY.AUDIT$JOURNAL	move to the system manager directory close the current audit log then open a new one purge extra copies of this file from this directory Note: don't do this if someone at your company needs these files for security purposes
$set def sys$manager $set acc/new $pur/log/noco ACCOUNTNG.DAT	move to the system manager directory close the current accounting file then open a new one purge extra copies of this file from this directory Note: don't do this if someone at your company needs these files to bill other clients for resources they used on your system
$sho dev d $set default $1$dia0:[000000] $dir [000000...]/size=all/sel=siz=min=99000 <<< now research your findings >>>	see the disk names move to the root directory of disk $1$dia0: (use ds0: if shadowed) locate all files >= 99000 blocks <<< research your findings >>>
<<< consider purging the disk of some logs >>> $pur/log/noco $1$dia0:[000000...]*.log/keep=5	<<< consider purging the disk of some logs >>> purge the disk of all some files (keeping the last 5 versions) Note: don't do this if you are having other problems which the log files could help solve
<<< consider purging the disk of all logs >>> $pur/log/noco $1$dia0:[000000...]*.log	<<< consider purging the disk of all logs >>> purge the disk of all log files Note: don't do this if you are having other problems which the log files could help solve
<<< consider purging the disk of all files >>> $pur/log/confirm $1$dia0:[000000...]	<<< consider purging the disk of all files >>> purge the disk of all files Emergency Use Only (if you need to recover disk space) This is a last-resort command
<<< optional command for TCPware >>> $netcu NETCU> set log/new NETCU> exit $pur/log/noco tcpware:*.log	<<< optional command for TCPware >>> start the TCPware network control utility close the current log file then open a new one exit the TCPware network control utility purge TCPware log files
<<< considering deletion of UNDO files >>> $sho dev d $set default $1$dia0:[000000] $dir undo/date	Note: UNDO files are left over from patch installations see the disk names move to the root directory of disk $1$dia0: (use ds0: if shadowed) see PCSI Undo directories
<<< considering running DFU >>> $sho dev d $set default $1$dia0:[000000] $mcr dfu DFU> verify $1$dia0: DFU> verify $1$dia0: /lock/fix/rebuild	Digital File Utility (from the freeware CD) see the disk names move to the root directory of disk $1$dia0: (use ds0: if shadowed) fire up DFU verify this disk (read only) verify this disk (write; do this when system is idle)

See who is deleting files

DCL Command	Result
system wide
$set audit/server=new $set audit/class=file/audit/enable=access=(SUCCESS:DELETE) [...wait a short period of time for users to do their thing...] $set audit/server=flush $anal/audit/full/out=TEMP.TMP SYS$MANAGER:SECURITY.AUDIT$JOURNAL [...if you no longer need this audit...] $set audit/class=file/audit/disable=access=(SUCCESS:DELETE)	close the current audit log then open a new one enable the auditing of successful file deleting wait a short period of time push buffered audits into the file inspect the audit file when finished remove the audit
directory specific
$set def whereever $set def [-] $dir *.dir/width=file=50 $set security/acl=(ALARM=SECURITY,ACCESS=DELETE+WRITE+SUCCESS+FAILURE) - neil.dir $reply/enable=security [... when done ...] $set security/acl/del=all	navigate to the directory in question go up on level get a directory of the directories attach an ACL to the directory in question copy security alerts to your terminal remove the acl from the file (er, directory)

DFU Special Notes:

DFU (Digital File Utility) can also be used to UNDELETE files. Since this very powerful feature write-locks a disk prior to scanning for your missing file(s), the developers did not want too many accounts to be able to use UNDELETE so they made it a little difficult for users to activate. Here is a slightly obscure example:

$ set def sys$system								!
$ r authorize									!
UAF> add/id yada								! create system-wide identifier "yada"
%UAF-I-RDBADDMSG, identifier YADA value %X8001005D added to rights database	!
UAF> grant/id yada  neil							! grant "yada" to user "neil"
%UAF-I-GRANTMSG, identifier YADA granted to NEIL				!
UAF> sh neil									!

Username: NEIL                             Owner:  NSR_N123119_ADM
Account:  ADMCSM                           UIC:    [346,1] ([NEIL])
[...snip...]
Identifier                         Value           Attributes
  DFU_ALLPRIV                      %X8001001D
  YADA                             %X8001005D

UAF> revoke/id yada neil							! revoke "yada" from user "neil"
%UAF-I-REVOKEMSG, identifier YADA revoked from NEIL				!
UAF> rem/id yada   								! remove system-wide identifier "yada"
%UAF-I-RDBREMMSG, identifier YADA value %X8001005D removed from rights database	!
UAF> exit									!
%UAF-I-NOMODS, no modifications made to system authorization file		!
%UAF-I-NAFNOMODS, no modifications made to network proxy database		!
%UAF-I-RDBDONEMSG, rights database modified					!
$										!

Caveat: On older systems (like VMS-5.x) you will not be able to grant/revoke by account name. In this case you need to grant/revoke by UIC.

See who is accessing certain files

DCL Command

Result

$reply/dis
$reply/ena=security
$SET SECURITY/ACL=(ALARM=SECURITY,ACCESS=DELETE+CONTROL+READ+WRITE+SUCCESS+FAILURE) -
				SYS$COMMON:[SYSEXE]SYSUAF.DAT
$dir/security			SYS$COMMON:[SYSEXE]SYSUAF.DAT
 [...wait for a while...]
$SET SECURITY/ACL/DELETE	SYS$COMMON:[SYSEXE]SYSUAF.DAT

disable all opcom messages on this terminal
enable security messages on this terminal
request notification...
...of all accesses
...to this file
view the ACLs attached to this file
[wait for a while]
remove the notification

See who is changing the system clock

DCL Command	Result

$set audit/server=new $set audit/alarm/ena=time [...wait until you think you've got a problem...] $set audit/server=flush $anal/audit/full/out=TEMP.TMP SYS$MANAGER:SECURITY.AUDIT$JOURNAL	close the current audit log then open a new one enable auditing of clock changes wait for a while push buffered audits into the file inspect the audit file

See who is trying to break into the system

DCL Command	Result

$set def sys$manager $sho audit $set audit/audit/enable=logfail=all [...wait until you think you've got a problem...] $set audit/server=flush $ana/audit/event=logfail/since=25-dec-2006 $ana/audit/event=logfail/since=25-dec-2006/full/pause=2	navigate to the system manager's home directory see what events are currently audited enable auditing of all login failures (should be enabled) wait for a while push buffered audits into the audit file browse login failure in the audit file display detailed failure messages

Actual Detailed Example Record

  Security Audit Analysis Utility
  -----------------------------------------------------------------------------------
  Security alarm (SECURITY) and security audit (SECURITY) on KAWC99, system id: 15335
  Auditable event:          Network login failure
  Event time:               25-DEC-2006 07:32:17.73
  PID:                      0000C6F3
  Process name:             SSHD 0796
  Username:                 test
  Remote nodename:          200.222.17.14       <<<---hacker/bot address (in 2006)
  Remote node id:           236052168
  Remote username:          SSH:TEST
  Status:                   %LOGIN-F-NOSUCHUSER, no such user

traceroute 200.222.17.14
traceroute to 200.222.17.14 (200.222.17.14), 30 hops max, 5 second(s) timeout
 1  207.35.137.65 (207.35.137.65)  1 ms  2 ms  2 ms
 2  10.18.89.1 (10.18.89.1)  7 ms  6 ms  6 ms
 3  206.47.229.198 (206.47.229.198)  143 ms  209 ms  12 ms
 4  core4-toronto63_POS9-0-0.net.bell.ca (64.230.147.153)  14 ms  14 ms  13 ms
 5  bx4-toronto63_so-1-0-0.net.bell.ca (64.230.160.126)  10 ms  12 ms  10 ms
 6  if-0-0-0.mcore3.TTT-Scarborough.as6453.net (216.6.98.57)  13 ms  11 ms  11 ms
 7  if-8-3-0-0.tcore1.NJY-Newark.as6453.net (216.6.98.2)  31 ms  46 ms  31 ms
 8  if-2-2.tcore2.NJY-Newark.as6453.net (66.198.70.2)  30 ms  31 ms  29 ms
 9  Vlan1351.icore1.NTO-NewYork.as6453.net (66.198.111.30)  36 ms  32 ms  35 ms
10  0.ae20.BR2.NYC4.ALTER.NET (204.255.168.173)  31 ms  31 ms  32 ms
11  0.ae2.XT2.NYC4.ALTER.NET (152.63.3.117)  31 ms  30 ms  31 ms
12  0.xe-11-1-1.XL4.NYC1.ALTER.NET (152.63.10.101)  32 ms  31 ms  32 ms
13  0.xe-9-0-0.GW14.NYC1.ALTER.NET (152.63.19.93)  32 ms  32 ms  31 ms
14  telemar-gw.customer.alter.net (152.179.29.238)  152 ms  153 ms  152 ms
15  pos4-0-1-arc-rj-rotn-01.telemar.net.br (200.223.131.70)  153 ms 200.223.46.121 (200.223.46.121)  154 ms 200.223.46.129 (200.223s
16  gigabitethernet1-0-1-arc-rj-rotn-h01.telemar.net.br (201.18.246.2)  160 ms  163 ms  160 ms
17  gigabitethernet1-0-0-arc-rj-rotd-h01.telemar.net.br (201.18.247.206)  152 ms  157 ms  153 ms
18  gigabitethernet1-0-0-arc-rj-rota-h01.telemar.net.br (201.18.247.36)  173 ms  159 ms  161 ms
19  serial2-1-7-0-arc-rj-rota-h01.telemar.net.br (200.222.66.2)  161 ms  184 ms  162 ms
                                              ++--- somewhere in Brazil