OpenVMS Notes: System Manager Stuff

- The information presented here is intended for educational use by qualified OpenVMS technologists.
- The information presented here is provided free of charge, as-is, with no warranty of any kind.
- The information presented on this page can be really dangerous if you don't know what you are doing. So develop your skills by practicing on files first copied to scratch drives. On top of that, always make sure you have good backup copies of everything before you begin.
Freeing space on the system disk

DCL Command | Result

$set def sys$manager
$reply/ena
$reply/log
$reply/dis
$pur/log/noco OPERATOR.LOG
- move to the system manager directory
- enable opcom messages on this terminal (they still go to the operator log)
- close the current operator log then open a new one
- disable opcom messages on this terminal
- purge extra copies of this file from this directory

$set def sys$manager
$set audit/server=new
$pur/log/noco SECURITY.AUDIT$JOURNAL
- move to the system manager directory
- close the current audit log then open a new one
- purge extra copies of this file from this directory
- Note: don't do this if someone at your company needs these files for security purposes. The older journal versions are the only record of past security events, so if in doubt archive them (BACKUP to tape or another disk) rather than purging them

$set def sys$manager
$set acc/new
$pur/log/noco ACCOUNTNG.DAT
- move to the system manager directory
- close the current accounting file then open a new one
- purge extra copies of this file from this directory
- Note: don't do this if someone at your company needs these files to bill other clients for resources they used on your system

$sho dev d
$set default $1$dia0:[000000]
$dir [000000...]/size=all/sel=siz=min=99000
<<< now research your findings >>>
- see the disk names
- move to the root directory of disk $1$dia0: (use the shadow set virtual unit, e.g. DSA0:, if the disk is shadowed)
- locate all files >= 99000 blocks
- research your findings before deleting anything

<<< consider purging the disk of some logs >>>
$pur/log/noco $1$dia0:[000000...]*.log/keep=5
- purge the disk of all log files, keeping the newest 5 versions of each
- Note: don't do this if you are having other problems which the log files could help solve

<<< consider purging the disk of all logs >>>
$pur/log/noco $1$dia0:[000000...]*.log
- purge the disk of all log files (only the highest version of each is kept)
- Note: don't do this if you are having other problems which the log files could help solve

<<< consider purging the disk of all files >>>
$pur/log/confirm $1$dia0:[000000...]
- purge every file on the disk, i.e. delete all but the highest version of each file; /confirm makes PURGE ask before each deletion
- Emergency Use Only (if you need to recover disk space)
- This is a last-resort command

<<< optional command for TCPware >>>
$netcu
NETCU> set log/new
NETCU> exit
$pur/log/noco tcpware:*.log
- start the TCPware network control utility
- close the current log file then open a new one
- exit the TCPware network control utility
- purge TCPware log files

<<< considering deletion of UNDO files >>>
$sho dev d
$set default $1$dia0:[000000]
$dir *undo*/date
- Note: UNDO files are left over from patch installations (the recovery data PCSI keeps so that a patch can be backed out)
- see the disk names
- move to the root directory of disk $1$dia0: (use the shadow set virtual unit, e.g. DSA0:, if the disk is shadowed)
- list the PCSI undo directories with their dates; only remove recovery data for patches you are sure you will never back out (PRODUCT SHOW RECOVERY_DATA lists the saved sets and PRODUCT DELETE RECOVERY_DATA is the supported way to drop them)

<<< considering running DFU >>>
$sho dev d
$set default $1$dia0:[000000]
$mcr dfu
DFU> verify $1$dia0:
DFU> verify $1$dia0: /lock/fix/rebuild
- Digital File Utility (from the freeware CD)
- see the disk names
- move to the root directory of disk $1$dia0: (use the shadow set virtual unit, e.g. DSA0:, if the disk is shadowed)
- fire up DFU
- verify this disk (read only)
- verify and repair this disk (write; /lock locks the volume while DFU works on it, so do this when the system is idle)
See who is deleting files

DCL Command | Result

system wide
$set audit/server=new
$set audit/class=file/audit/enable=access=(SUCCESS:DELETE)
[...wait a short period of time for users to do their thing...]
$set audit/server=flush
$anal/audit/full/out=TEMP.TMP SYS$MANAGER:SECURITY.AUDIT$JOURNAL
[...if you no longer need this audit...]
$set audit/class=file/audit/disable=access=(SUCCESS:DELETE)
- close the current audit log then open a new one
- enable the auditing of successful file deletions (system wide, so expect many records on a busy system)
- wait a short period of time
- push buffered audits into the file
- inspect the audit file (the listing lands in TEMP.TMP)
- when finished
- disable the audit again

directory specific
$set def wherever
$set def [-]
$dir *.dir/width=file=50
$set security/acl=(ALARM=SECURITY,ACCESS=DELETE+WRITE+SUCCESS+FAILURE) -
neil.dir
$reply/enable=security
[... when done ...]
$set security/acl/delete=all neil.dir
- navigate to the directory in question
- go up one level
- get a directory of the directory files
- attach an alarm ACE to the directory file in question (every successful or failed delete or write on that directory then raises a security alarm)
- copy security alerts to your terminal
- remove the ACL from the directory file when finished
- Note: an ALARM=SECURITY ACE only sends the event to enabled security operator terminals (and the operator log); add an AUDIT=SECURITY ACE as well if you want the events written to the audit journal
DFU Special Notes:

DFU (Digital File Utility) can also be used to UNDELETE files. Since this very powerful feature write-locks a disk prior to scanning for your missing file(s), the developers did not want too many accounts to be able to use UNDELETE, so they made it a little difficult for users to activate. Here is a slightly obscure example of the rights-identifier mechanics involved: it creates a throw-away system-wide identifier named yada, grants it to user neil, shows the result, then revokes and removes it again (notice that the SHOW output lists an identifier named DFU_ALLPRIV that NEIL already holds).

$ set def sys$system
$ r authorize
UAF> add/id yada                  ! create system-wide identifier "yada"
%UAF-I-RDBADDMSG, identifier YADA value %X8001005D added to rights database
UAF> grant/id yada neil           ! grant "yada" to user "neil"
%UAF-I-GRANTMSG, identifier YADA granted to NEIL
UAF> sh neil
Username: NEIL                             Owner:  NSR_N123119_ADM
Account:  ADMCSM                           UIC:    [346,1] ([NEIL])
[...snip...]
  Identifier                         Value           Attributes
  DFU_ALLPRIV                        %X8001001D
  YADA                               %X8001005D
UAF> revoke/id yada neil          ! revoke "yada" from user "neil"
%UAF-I-REVOKEMSG, identifier YADA revoked from NEIL
UAF> rem/id yada                  ! remove system-wide identifier "yada"
%UAF-I-RDBREMMSG, identifier YADA value %X8001005D removed from rights database
UAF> exit
%UAF-I-NOMODS, no modifications made to system authorization file
%UAF-I-NAFNOMODS, no modifications made to network proxy database
%UAF-I-RDBDONEMSG, rights database modified
$

Caveat: On older systems (like VMS 5.x) you will not be able to grant/revoke by account name. In this case you need to grant/revoke by UIC.
See who is accessing certain files

DCL Command | Result

$reply/dis
$reply/ena=security
$SET SECURITY/ACL=(ALARM=SECURITY,ACCESS=DELETE+CONTROL+READ+WRITE+SUCCESS+FAILURE) -
SYS$COMMON:[SYSEXE]SYSUAF.DAT
$dir/security SYS$COMMON:[SYSEXE]SYSUAF.DAT
[...wait for a while...]
$SET SECURITY/ACL=(ALARM=SECURITY,ACCESS=DELETE+CONTROL+READ+WRITE+SUCCESS+FAILURE)/DELETE -
SYS$COMMON:[SYSEXE]SYSUAF.DAT
- disable all opcom messages on this terminal
- enable security messages on this terminal
- request notification of all accesses (read, write, delete, control; successful or not) to this file
- view the ACL now attached to this file
- [wait for a while]
- remove the notification by deleting just the ACE you added (deleting the whole ACL would also remove any ACEs SYSUAF.DAT already carried)
- Note: as above, an ALARM ACE reports to security operator terminals; use an AUDIT=SECURITY ACE if the accesses must also land in the audit journal, and check with SHOW AUDIT that the ACL event class is enabled
See who is changing the system clock

DCL Command | Result

$set audit/server=new
$set audit/audit/alarm/ena=time
[...wait until you think you've got a problem...]
$set audit/server=flush
$anal/audit/full/out=TEMP.TMP SYS$MANAGER:SECURITY.AUDIT$JOURNAL
- close the current audit log then open a new one
- enable auditing of clock changes (/ALARM sends them to security operator terminals; /AUDIT writes them to the audit journal, which is what ANALYZE/AUDIT reads in the last step, so enable both)
- wait for a while
- push buffered audits into the file
- inspect the audit file
See who is trying to break into the system

DCL Command | Result

$set def sys$manager
$sho audit
$set audit/audit/enable=logfail=all
[...wait until you think you've got a problem...]
$set audit/server=flush
$ana/audit/event=logfail/since=25-dec-2006
$ana/audit/event=logfail/since=25-dec-2006/full/pause=2
- navigate to the system manager's home directory (where SECURITY.AUDIT$JOURNAL lives; ANALYZE/AUDIT reads it by default)
- see what events are currently audited
- enable auditing of all login failures (should already be enabled; the SHOW AUDIT output tells you)
- wait for a while
- push buffered audits into the audit file
- browse login failures in the audit file (adjust the /SINCE date to the period you care about)
- display the detailed failure records, pausing 2 seconds between them
- Note: OpenVMS also keeps an in-memory intrusion database of recent failures; $ SHOW INTRUSION (needs SECURITY privilege) lists the sources currently being counted or evaded
Actual Detailed Example Record
Security Audit Analysis Utility
-----------------------------------------------------------------------------------
Security alarm (SECURITY) and security audit (SECURITY) on KAWC99, system id: 15335
Auditable event: Network login failure
Event time: 25-DEC-2006 07:32:17.73
PID: 0000C6F3
Process name: SSHD 0796
Username: test
Remote nodename: 200.222.17.14 <<<---hacker/bot address (in 2006)
Remote node id: 236052168
Remote username: SSH:TEST
Status: %LOGIN-F-NOSUCHUSER, no such user
Tracing the source address (output as captured at the time):

traceroute 200.222.17.14
traceroute to 200.222.17.14 (200.222.17.14), 30 hops max, 5 second(s) timeout
1 207.35.137.65 (207.35.137.65) 1 ms 2 ms 2 ms
2 10.18.89.1 (10.18.89.1) 7 ms 6 ms 6 ms
3 206.47.229.198 (206.47.229.198) 143 ms 209 ms 12 ms
4 core4-toronto63_POS9-0-0.net.bell.ca (64.230.147.153) 14 ms 14 ms 13 ms
5 bx4-toronto63_so-1-0-0.net.bell.ca (64.230.160.126) 10 ms 12 ms 10 ms
6 if-0-0-0.mcore3.TTT-Scarborough.as6453.net (216.6.98.57) 13 ms 11 ms 11 ms
7 if-8-3-0-0.tcore1.NJY-Newark.as6453.net (216.6.98.2) 31 ms 46 ms 31 ms
8 if-2-2.tcore2.NJY-Newark.as6453.net (66.198.70.2) 30 ms 31 ms 29 ms
9 Vlan1351.icore1.NTO-NewYork.as6453.net (66.198.111.30) 36 ms 32 ms 35 ms
10 0.ae20.BR2.NYC4.ALTER.NET (204.255.168.173) 31 ms 31 ms 32 ms
11 0.ae2.XT2.NYC4.ALTER.NET (152.63.3.117) 31 ms 30 ms 31 ms
12 0.xe-11-1-1.XL4.NYC1.ALTER.NET (152.63.10.101) 32 ms 31 ms 32 ms
13 0.xe-9-0-0.GW14.NYC1.ALTER.NET (152.63.19.93) 32 ms 32 ms 31 ms
14 telemar-gw.customer.alter.net (152.179.29.238) 152 ms 153 ms 152 ms
15 pos4-0-1-arc-rj-rotn-01.telemar.net.br (200.223.131.70) 153 ms 200.223.46.121 (200.223.46.121) 154 ms 200.223.46.129 (200.223s
16 gigabitethernet1-0-1-arc-rj-rotn-h01.telemar.net.br (201.18.246.2) 160 ms 163 ms 160 ms
17 gigabitethernet1-0-0-arc-rj-rotd-h01.telemar.net.br (201.18.247.206) 152 ms 157 ms 153 ms
18 gigabitethernet1-0-0-arc-rj-rota-h01.telemar.net.br (201.18.247.36) 173 ms 159 ms 161 ms
19 serial2-1-7-0-arc-rj-rota-h01.telemar.net.br (200.222.66.2) 161 ms 184 ms 162 ms
++--- somewhere in Brazil
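The TEMP.TMP listings produced by the ANALYZE/AUDIT/FULL steps in the "See who is deleting files" and "See who is trying to break into the system" procedures above are plain text, so they can be summarised offline instead of being read record by record. The following Python is an added example, not code from this page: it splits a listing into records, counts login failures per remote node and successful DELETE accesses per username, and flags the busiest sources. The sample listing is constructed; its login-failure records copy the field labels shown in the record above, while the "Object access" labels used for the file-delete audits are an assumption to check against a real listing. The record parser is generic, so the same approach serves any other event class (clock changes from the TIME audit, for instance).

```python
"""Summarise ANALYZE/AUDIT/FULL output offline (added example, not from the page).
Input: the text written by
  $ ANALYZE/AUDIT/FULL/OUTPUT=TEMP.TMP SYS$MANAGER:SECURITY.AUDIT$JOURNAL
"""
import re
from collections import Counter

# Constructed sample, not real data. Login-failure records copy the labels shown
# on the page; the "Object access" labels are assumed, verify them on your system.
SAMPLE = """\
Security alarm (SECURITY) and security audit (SECURITY) on KAWC99, system id: 15335
Auditable event:          Network login failure
Event time:               25-DEC-2006 07:32:17.73
Username:                 test
Remote nodename:          200.222.17.14
Status:                   %LOGIN-F-NOSUCHUSER, no such user
Security alarm (SECURITY) and security audit (SECURITY) on KAWC99, system id: 15335
Auditable event:          Network login failure
Event time:               25-DEC-2006 07:32:19.01
Username:                 admin
Remote nodename:          200.222.17.14
Status:                   %LOGIN-F-NOSUCHUSER, no such user
Security alarm (SECURITY) and security audit (SECURITY) on KAWC99, system id: 15335
Auditable event:          Network login failure
Event time:               25-DEC-2006 08:10:02.55
Username:                 NEIL
Remote nodename:          10.0.0.5
Status:                   %LOGIN-F-INVPWD, invalid password
Security audit (SECURITY) on KAWC99, system id: 15335
Auditable event:          Object access
Event time:               25-DEC-2006 09:00:00.10
Username:                 NEIL
Object name:              $1$DIA0:[NEIL]OLD.LOG;3
Access requested:         DELETE
Status:                   %SYSTEM-S-NORMAL, normal successful completion
Security audit (SECURITY) on KAWC99, system id: 15335
Auditable event:          Object access
Event time:               25-DEC-2006 09:00:01.20
Username:                 BOB
Object name:              $1$DIA0:[NEIL]KEEP.TXT;1
Access requested:         DELETE
Status:                   %SYSTEM-F-NOPRIV, insufficient privilege or object protection violation
Security audit (SECURITY) on KAWC99, system id: 15335
Auditable event:          Object access
Event time:               25-DEC-2006 09:00:05.00
Username:                 NEIL
Object name:              $1$DIA0:[NEIL]NOTES.TXT;7
Access requested:         READ
Status:                   %SYSTEM-S-NORMAL, normal successful completion
"""

# A record begins with the "Security alarm/audit ... system id: n" banner line.
RECORD_START = re.compile(r"^Security (?:alarm|audit) .*system id: ")
# "Label:   value" lines inside a record; the label is the text before the first colon.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*\S)\s*$")
# VMS condition codes: %FACILITY-S-... is success; -F-, -E-, -W- are not.
SUCCESS = re.compile(r"^%[A-Z0-9$_]+-S-")


def parse_audit_listing(text):
    """Split ANALYZE/AUDIT/FULL text into a list of {label: value} dicts."""
    records, current = [], None
    for line in text.splitlines():
        if RECORD_START.match(line):
            current = {"_banner": line.strip()}
            records.append(current)
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return records


def login_failures_by_remote(records):
    """Count every kind of login failure (network, local, dialup, ...) per remote node."""
    hits = Counter()
    for rec in records:
        if "login failure" in rec.get("Auditable event", "").lower():
            hits[rec.get("Remote nodename", "<local>")] += 1
    return hits


def successful_deletes_by_user(records):
    """Count object-access records where DELETE was requested and the status is success."""
    hits = Counter()
    for rec in records:
        if (rec.get("Auditable event") == "Object access"
                and "DELETE" in rec.get("Access requested", "").upper()
                and SUCCESS.match(rec.get("Status", ""))):
            hits[rec.get("Username", "?")] += 1
    return hits


def noisy_sources(counter, threshold):
    """Return (source, count) pairs at or above threshold, busiest first."""
    return [(src, n) for src, n in counter.most_common() if n >= threshold]


if __name__ == "__main__":
    recs = parse_audit_listing(SAMPLE)
    print("login failures by remote node:", dict(login_failures_by_remote(recs)))
    print("successful deletes by user:", dict(successful_deletes_by_user(recs)))
    print("sources with 2+ failures:", noisy_sources(login_failures_by_remote(recs), 2))
```

To use it on a real listing, read TEMP.TMP into a string and pass it to parse_audit_listing in place of SAMPLE; the failed DELETE by BOB in the sample is deliberately excluded by the status check, which is the difference between "who is trying" and "who succeeded".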
Neil Rieck, Waterloo, Ontario, Canada.