pung@ornl-ncc ("M. S. Pung") (11/13/87)
Hi,

I have been working with the ACL system services in an attempt to determine if a given system has AUDIT/ALARMS set on the AUTHORIZE file (Sysuaf.dat).

This information is easily obtained in DCL by a $SHOW AUDIT command. Is there any way to get this information via a system service? In particular, I have tried the "Sys$check_access" system service but have not had any luck.

If I specify the following:

    object type = "FILE"
    object name = "SYS$SYSTEM:SYSUAF.DAT"
    username    = "SYSTEM"
    item code 1 = CHP$_ALARMNAME
    item code 2 = CHP$_AUDITNAME

I correctly get a return status of SS$_NORMAL, however, the values returned in the RETLENADR field are 0 which according to the manual means that there are no audit/alarms set on the file. Note: Yes, I know positively that there are audits/alarms on the file.

Am I missing something, or are the "AUTHORIZATION" alarms not really ACL's on the Sysuaf.dat file?

One other thing, the manual mentions "hidden" ACL's and some flags that you can set to specify these, but I do not see how they get integrated into the item list or the system service...

Has anybody used system services to tell if "AUTHORIZATION" alarms and audits are enabled???

P.S. I noticed that the command $SHOW ACL SYS$SYSTEM:SYSUAF.DAT yields the same "SYSTEM-W-ACLEMPTY, access control list is empty" message.

---------------------------------------------------------------------------
My test FORTRAN program is as follows:

      Program test
      Implicit none

      Include '($acldef)'                   ! get acl defs
      Include '($chpdef)'                   ! get chp defs
      Include '($psldef)'                   ! get psl defs

      Integer*4     Sys$check_access        ! define sys srv
      Integer*2     dummy                   ! not needed
      Integer*4     fstat                   ! status
      Integer*4     alarm_set               ! 0=no,?=yes
      Integer*4     audit_set               ! 0=no,?=yes
      Character*64  alarm_buffer            ! buffer to put
      Character*64  audit_buffer            ! buffer to put

      Structure /chp_itmlst/
        Union
          Map
            Integer*2 chp_buflen
            Integer*2 chp_itemcode
            Integer*4 chp_bufadr
            Integer*4 chp_retlenadr
          Endmap
          Map
            Integer*4 chp_endlist
          Endmap
        Endunion
      Endstructure

      Record /chp_itmlst/ chp_list(4)

! item 1: alarm name
      chp_list(1).chp_buflen    = 64
      chp_list(1).chp_itemcode  = CHP$_ALARMNAME
      chp_list(1).chp_bufadr    = %loc (alarm_buffer)
      chp_list(1).chp_retlenadr = %loc (alarm_set)

! item 2: audit name
      chp_list(2).chp_buflen    = 64
      chp_list(2).chp_itemcode  = CHP$_AUDITNAME
      chp_list(2).chp_bufadr    = %loc (audit_buffer)
      chp_list(2).chp_retlenadr = %loc (audit_set)

! item 3: access mode
      chp_list(3).chp_buflen    = 1
      chp_list(3).chp_itemcode  = CHP$_ACMODE
      chp_list(3).chp_bufadr    = %loc (psl$c_super)
      chp_list(3).chp_retlenadr = %loc (dummy)

! item 4: end of list
      chp_list(4).chp_endlist   = 0

      fstat = Sys$check_access (acl$c_file, 'sys$system:sysuaf.dat',
     1        'system', chp_list)

      Call lib$signal (%val (fstat))

      type *,'Alarm set = ',alarm_set
      type *,'Audit set = ',audit_set
      type *,'Alarm buffer = ',alarm_buffer
      type *,'Audit buffer = ',audit_buffer

      end
---------------------------------------------------------------------------

Any help would be appreciated,

|------------------------------------------------------------------|
| Mike Pung                      | (615) 574-8082                  |
| Oak Ridge National Lab         | Pung%ornl-ncc@ornl-msr.arpa     |
| Martin Marietta Energy Systems | 192.12.68.201                   |
|------------------------------------------------------------------etc. H2JO

gil@icus.UUCP (11/18/87)
In article <8711160549.AA10112@ucbvax.Berkeley.EDU> "M. S. Pung" <pung@ornl-ncc> writes:
>
>Hi,
>
> I have been working with the ACL system services in an attempt
> to determine if a given system has AUDIT/ALARMS set on the
> AUTHORIZE file (Sysuaf.dat).
>
> This information is easily obtained in DCL by a $SHOW AUDIT
> command. Is there any way to get this information via a system
> service. In particular, I have tried the "Sys$check_access" system
> service but have not had any luck.
>
> If I specify the following:

[Some info about SYS$CHECK_ACCESS follows]

>
> I correctly get a return status of SS$_NORMAL, however, the
> values returned in the RETLENADR field are 0 which according to
> the manual means that there are no audit/alarms set on the file.
> Note: Yes, I know positively that there are audits/alarms on the file.
>
> Am I missing something, or are the "AUTHORIZATION" alarms not really
> ACL's on the Sysuaf.dat file ?

(No flames please, if I'm not totally correct)

I do believe that authorization ACL's are done by AUTHORIZE, since those ACLs log events which are performed ON the SYSUAF.DAT file (such as user added or modified, fields modified, password changes by users, etc.). File access ACLs, which are what you are checking, do not apply in this instance since they only log certain types of access upon a file.

>
> One other thing, the manual mentions "hidden" ACL's and some flags
> that you can set to specify these, but I do not see how they get
> integrated into the item list or the system service...
>

I read about this once in a MicroVMS manual, and I believe it is part of the VMS 4.4(+) manuals. I never used them, but it seems that you have to be careful of this type of ACL since you must use your own application program to delete the ACL if necessary, since I don't believe any of the VMS utilities recognize them.

> Has anybody used system services to tell if "AUTHORIZATION" alarms
> and audits are enabled???
>

I haven't, but I'm sure it's possible. Unfortunately, I don't have the VMS manuals at my disposal at the moment. There is a section in the System Services manual on security-related calls. Usually, if they don't touch on the subject there, you have to go through the Fiche to VMS and find out the right system location to check for that stuff. I can't imagine, though, that something like that isn't possible with one of the services. Check the ACL routines.

I realize that I should probably post this as a separate news article, but while someone's on the subject of seemingly "impossible" things, has anyone found a system service or combination of QIOs or something (?) that will allow an application program to check what port of a DECserver a particular line is attached to? I know using LAT-plus, you can check this with LATCP. If anyone has this information, I'm sure that we'd all like to hear about it.

------------------------------------------------------------------------------
Gil Kloepfer, Jr.                          USENET: ...icus!gil
ICUS Computer Group, Systems Development
P.O. Box 1
Islip Terrace, New York 11752
------------------------------------------------------------------------------