The VMS Shark - OpenVMS Notes: System Manager Stuff

  1. The information and software presented on this web site are intended for educational use only by OpenVMS application developers and OpenVMS system attendants.
  2. The information and software presented on this web site are provided free of charge.
  3. The information and software presented on this web site are presented to you as-is. I will not be held responsible in any way if the information and software presented on this web site damages your computer system, business or organization (sounds like the legal warning from a Microsoft shrink-wrap seal, eh?)
  4. The information presented on this page can be really dangerous if you don't know what you are doing. So develop your skills by practicing on files first copied to scratch drives. On top of this, always make sure you have good backup copies of everything before you begin.
 
Quick Nav Menu
  1. Freeing space
  2. Who is deleting files?
  3. Who is accessing certain files?
  4. Who is changing the system clock?
  5. Who is breaking in?
  6. Related links

Freeing space on the system disk

DCL Command | Result
$set def sys$manager
$reply/ena
$reply/log
$reply/dis
$pur/log/noco OPERATOR.LOG
  • move to the system manager directory
  • enable opcom messages on this terminal
  • close the current operator log then open a new one
  • disable opcom messages on this terminal
  • purge extra copies of this file from this directory
$set def sys$manager
$set audit/server=new
$pur/log/noco SECURITY.AUDIT$JOURNAL
  • move to the system manager directory
  • close the current audit log then open a new one
  • purge extra copies of this file from this directory
  • Note: don't do this if someone at your company needs these files for security purposes
$set def sys$manager
$set acc/new
$pur/log/noco ACCOUNTNG.DAT
  • move to the system manager directory
  • close the current accounting file then open a new one
  • purge extra copies of this file from this directory
  • Note: don't do this if someone at your company needs these files to bill other clients for resources they used on your system
$sho dev d
$set default $1$dia0:[000000]
$dir [000000...]/size=all/sel=siz=min=99000
  • see the disk names
  • move to the root directory of disk $1$dia0: (use ds0: if shadowed)
  • locate all files >= 99000 blocks
  • <<< now research your findings >>>
<<< consider purging the disk of some logs >>>
$pur/log/noco $1$dia0:[000000...]*.log/keep=5
  • purge the disk of all log files (keeping the last 5 versions of each)
  • Note: don't do this if you are having other problems which the log files could help solve
<<< consider purging the disk of all logs >>>
$pur/log/noco $1$dia0:[000000...]*.log
  • purge the disk of all log files
  • Note: don't do this if you are having other problems which the log files could help solve
<<< consider purging the disk of all files >>>
$pur/log/confirm $1$dia0:[000000...]
  • purge the disk of all files
  • Emergency Use Only (if you need to recover disk space)
  • This is a last-resort command
<<< optional command for TCPware >>>
$netcu
NETCU> set log/new
NETCU> exit
$pur/log/noco tcpware:*.log
  • start the TCPware network control utility
  • close the current log file then open a new one
  • exit the TCPware network control utility
  • purge TCPware log files
<<< considering deletion of UNDO files >>>
$sho dev d
$set default $1$dia0:[000000]
$dir *undo*/date
  • Note: UNDO files are left over from patch installations
  • see the disk names
  • move to the root directory of disk $1$dia0: (use ds0: if shadowed)
  • see PCSI Undo directories
<<< considering running DFU >>>
$sho dev d
$set default $1$dia0:[000000]
$mcr dfu
DFU> verify $1$dia0:
DFU> verify $1$dia0: /lock/fix/rebuild
  • Digital File Utility (from the freeware CD)
  • see the disk names
  • move to the root directory of disk $1$dia0: (use ds0: if shadowed)
  • fire up DFU
  • verify this disk (read only)
  • verify this disk (write; do this when system is idle)

See who is deleting files

DCL Command | Result
$set audit/server=new
$set audit/class=file/audit=(SUCCESS:DELETE)
[...wait a short period of time for users to do their thing...]
$set audit/server=flush
$anal/audit/full/out=TEMP.TMP SYS$MANAGER:SECURITY.AUDIT$JOURNAL
  • close the current audit log then open a new one
  • enable the auditing of successful file deletions
  • wait a short period of time
  • push buffered audits into the file
  • inspect the audit file

DFU Special Notes:

DFU (Digital File Utility) can also be used to UNDELETE files. Since this very powerful feature write-locks a disk prior to scanning for your missing file(s), the developers did not want too many accounts to be able to use UNDELETE so they made it a little difficult for users to activate. Here is a slightly obscure example:
$ set def sys$system
$ r authorize
UAF> add/id yada                        ! create system-wide identifier "yada"
%UAF-I-RDBADDMSG, identifier YADA value %X8001005D added to rights database
UAF> grant/id yada  neil                ! grant "yada" to user "neil"
%UAF-I-GRANTMSG, identifier YADA granted to NEIL
UAF> sh neil

Username: NEIL                             Owner:  NSR_N123119_ADM
Account:  ADMCSM                           UIC:    [346,1] ([NEIL])
[...snip...]
Identifier                         Value           Attributes
  DFU_ALLPRIV                      %X8001001D
  YADA                             %X8001005D

UAF> revoke/id yada neil                ! revoke "yada" from user "neil"
%UAF-I-REVOKEMSG, identifier YADA revoked from NEIL
UAF> rem/id yada                        ! remove system-wide identifier "yada"
%UAF-I-RDBREMMSG, identifier YADA value %X8001005D removed from rights database
UAF> exit
%UAF-I-NOMODS, no modifications made to system authorization file
%UAF-I-NAFNOMODS, no modifications made to network proxy database
%UAF-I-RDBDONEMSG, rights database modified
$
Caveat: On older systems (like VMS-5.x) you will not be able to grant/revoke by account name. In this case you need to grant/revoke by UIC.  

See who is accessing certain files

DCL Command | Result
$reply/dis
$reply/ena=security
$SET SECURITY/ACL=(ALARM=SECURITY,ACCESS=DELETE+CONTROL+READ+WRITE+SUCCESS+FAILURE) -
    SYS$COMMON:[SYSEXE]SYSUAF.DAT
$dir/security SYS$COMMON:[SYSEXE]SYSUAF.DAT
[...wait for a while...]
$SET SECURITY/ACL/DELETE SYS$COMMON:[SYSEXE]SYSUAF.DAT
  • disable all opcom messages on this terminal
  • enable security messages on this terminal
  • request notification of all accesses (successful and failed) to this file
  • view the ACLs attached to this file
  • [wait for a while]
  • remove the notification

See who is changing the system clock

DCL Command | Result
$set audit/server=new
$set audit/alarm/ena=time
[...wait until you think you've got a problem...]
$set audit/server=flush
$anal/audit/full/out=TEMP.TMP SYS$MANAGER:SECURITY.AUDIT$JOURNAL
  • close the current audit log then open a new one
  • enable auditing of clock changes
  • wait for a while
  • push buffered audits into the file
  • inspect the audit file

See who is trying to break into the system

DCL Command | Result
$set def sys$manager
$sho audit
$set audit/audit/enable=logfail=all
[...wait until you think you've got a problem...]
$set audit/server=flush
$ana/audit/event=logfail/since=25-dec-2006
$ana/audit/event=logfail/since=25-dec-2006/full/pause=2
  • navigate to the system manager's home directory
  • see what events are currently audited
  • enable auditing of all login failures (should already be enabled)
  • wait for a while
  • push buffered audits into the audit file
  • browse login failures in the audit file
  • display detailed failure messages (pausing 2 seconds between records)

Actual Detailed Example Record

  Security Audit Analysis Utility
  -----------------------------------------------------------------------------------
  Security alarm (SECURITY) and security audit (SECURITY) on KAWC99, system id: 15335
  Auditable event:          Network login failure
  Event time:               25-DEC-2006 07:32:17.73
  PID:                      0000C6F3
  Process name:             SSHD 0796
  Username:                 test
  Remote nodename:          200.222.17.14       <<<---hacker/bot address (in 2006)
  Remote node id:           236052168
  Remote username:          SSH:TEST
  Status:                   %LOGIN-F-NOSUCHUSER, no such user
traceroute 200.222.17.14
traceroute to 200.222.17.14 (200.222.17.14), 30 hops max, 5 second(s) timeout
 1  207.35.137.65 (207.35.137.65)  1 ms  2 ms  2 ms
 2  10.18.89.1 (10.18.89.1)  7 ms  6 ms  6 ms
 3  206.47.229.198 (206.47.229.198)  143 ms  209 ms  12 ms
 4  core4-toronto63_POS9-0-0.net.bell.ca (64.230.147.153)  14 ms  14 ms  13 ms
 5  bx4-toronto63_so-1-0-0.net.bell.ca (64.230.160.126)  10 ms  12 ms  10 ms
 6  if-0-0-0.mcore3.TTT-Scarborough.as6453.net (216.6.98.57)  13 ms  11 ms  11 ms
 7  if-8-3-0-0.tcore1.NJY-Newark.as6453.net (216.6.98.2)  31 ms  46 ms  31 ms
 8  if-2-2.tcore2.NJY-Newark.as6453.net (66.198.70.2)  30 ms  31 ms  29 ms
 9  Vlan1351.icore1.NTO-NewYork.as6453.net (66.198.111.30)  36 ms  32 ms  35 ms
10  0.ae20.BR2.NYC4.ALTER.NET (204.255.168.173)  31 ms  31 ms  32 ms
11  0.ae2.XT2.NYC4.ALTER.NET (152.63.3.117)  31 ms  30 ms  31 ms
12  0.xe-11-1-1.XL4.NYC1.ALTER.NET (152.63.10.101)  32 ms  31 ms  32 ms
13  0.xe-9-0-0.GW14.NYC1.ALTER.NET (152.63.19.93)  32 ms  32 ms  31 ms
14  telemar-gw.customer.alter.net (152.179.29.238)  152 ms  153 ms  152 ms
15  pos4-0-1-arc-rj-rotn-01.telemar.net.br (200.223.131.70)  153 ms 200.223.46.121 (200.223.46.121)  154 ms 200.223.46.129 (200.223s
16  gigabitethernet1-0-1-arc-rj-rotn-h01.telemar.net.br (201.18.246.2)  160 ms  163 ms  160 ms
17  gigabitethernet1-0-0-arc-rj-rotd-h01.telemar.net.br (201.18.247.206)  152 ms  157 ms  153 ms
18  gigabitethernet1-0-0-arc-rj-rota-h01.telemar.net.br (201.18.247.36)  173 ms  159 ms  161 ms
19  serial2-1-7-0-arc-rj-rota-h01.telemar.net.br (200.222.66.2)  161 ms  184 ms  162 ms
                                              ++--- somewhere in Brazil
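An added example, not part of this page or of OpenVMS itself: a small Python parser for the ANALYZE/AUDIT/FULL record layout shown above, which then counts login failures per remote node so repeat offenders stand out. The sample records are constructed (RFC 5737 documentation addresses, made-up usernames); the field names are the ones visible in the record above.

```python
import re
from collections import Counter

# Constructed sample in the layout ANALYZE/AUDIT/FULL prints; the addresses
# are documentation ranges, not real hosts.
SAMPLE_AUDIT = """\
  Security alarm (SECURITY) and security audit (SECURITY) on KAWC99, system id: 15335
  Auditable event:          Network login failure
  Event time:               25-DEC-2006 07:32:17.73
  Username:                 test
  Remote nodename:          192.0.2.10
  Remote username:          SSH:TEST
  Status:                   %LOGIN-F-NOSUCHUSER, no such user
  -----------------------------------------------------------------------------------
  Auditable event:          Network login failure
  Event time:               25-DEC-2006 07:32:19.02
  Username:                 root
  Remote nodename:          192.0.2.10
  Status:                   %LOGIN-F-NOSUCHUSER, no such user
  -----------------------------------------------------------------------------------
  Auditable event:          Network login failure
  Event time:               25-DEC-2006 09:10:44.51
  Username:                 neil
  Remote nodename:          198.51.100.7
  Status:                   %LOGIN-F-INVPWD, invalid password
"""

RECORD_SEP = re.compile(r"^[ \t]*-{20,}[ \t]*$", re.M)  # the dashed rule between records

def parse_audit_records(text):
    """Split /FULL output on the dashed rule; each 'Key: value' line becomes a dict
    entry, split at the FIRST colon only so timestamps and 'SSH:TEST' stay intact."""
    records = []
    for chunk in RECORD_SEP.split(text):
        pairs = [ln.partition(":") for ln in chunk.splitlines() if ":" in ln]
        rec = {k.strip(): v.strip() for k, _, v in pairs if not k.lstrip().startswith("Security")}
        if "Auditable event" in rec:   # skips the banner and empty chunks
            records.append(rec)
    return records

def login_failures_by_source(records, threshold=2):
    """Count login-failure records per remote node; return the nodes at or above
    the threshold together with the usernames they tried, for follow-up."""
    counts, users = Counter(), {}
    for rec in records:
        if "login failure" not in rec["Auditable event"].lower():
            continue
        node = rec.get("Remote nodename", "<local>")
        counts[node] += 1
        users.setdefault(node, set()).add(rec.get("Username", "?"))
    return {n: (c, sorted(users[n])) for n, c in counts.items() if c >= threshold}
```

Feed it the TEMP.TMP file written by the $anal/audit/full/out= command above instead of the embedded sample to run it against real records.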

Related Links


Neil Rieck
Kitchener - Waterloo - Cambridge, Ontario, Canada.