JOHNC%CAD2.DECnet@GE-CRD.ARPA.UUCP (02/17/87)
>> From: jon%gaia.UUX%ncar.csnet@RELAY.CS.NET >> Subject: Security alarms for device access >> >> Our dialout modem ports have attracted the attention of management >> lately -- somebody has apparently been calling bulletin board systems all >> over the country and running up bills in the thousands of dollars. OUCH!! >> I can say: >> >> $ set acl /object=device /acl=(alarm_journal=security, - >> access=read+write+success+failure) ttd0 >> >> and the system is happy. SHOW DEVICE will list off that ACL as being on >> the device. ACL security alarms are turned on. Nonetheless, the alarm >> does not happen when people dial out through the port. >> So...does anybody have any ideas, or does this simply not work? Although DCL is happy with SET/DEV/ACL=(ALARM... It simply doesn't work. The "Guide to VAX/VMS System Security" doesn't say that, however it also doesn't say that you _can_ set alarm ACEs on devices either. Specifically: page 4-31 thru 4-33 are pretty ambiguous (refers to "objects" repeatedly), but page 4-54 explicitly lists all of the events which can be alarmed without mention of device accesses, and Appendix E shows examples of all alarm messages without mention of device access alarms. (Note that MOUNT and DISMOUNT operations are auditable via SET AUDIT/ALARM/ENABLE=MOUNT) _Should_ this work? It'd be a convenience. Whether this is a feature coming in the future or a hole in VMS is an open question. Anyone from DEC out there know? In the meantime, for Jon's problem... The suggestion to alarm RTPAD is fine, but will generate a _lot_ of alarms if you have users doing SET HOST commands. I'd prefer a batch job which does SHO DEV/FULL every five minutes or so for a few days. It's trivial to implement and you should catch the culprit! ------------------------------------------------------------------------- "Under capitalism man exploits man, John Child while under communism it's the GE Aircraft Engines other way around" Lynn MA