VMS Help
System Services, $SCAN_INTRUSION
Scans the intrusion database for suspects or intruders during a
login attempt, audits login failures and updates records, or adds
new records to the intrusion database.
Format
SYS$SCAN_INTRUSION logfail_status ,failed_user ,job_type
,[source_terminal] ,[source_node]
,[source_user] ,[source_address]
,[failed_password] ,[parent_user]
,[parent_id] ,[flags]
C Prototype
int sys$scan_intrusion (unsigned int logfail_status,
                        void *failed_user,
                        unsigned int job_type,
                        void *source_terminal,
                        void *source_node,
                        void *source_user,
                        void *source_address,
                        void *failed_password,
                        void *parent_user,
                        unsigned int parent_id,
                        unsigned int flags);
logfail_status
OpenVMS usage: status code
type: longword (unsigned)
access: read only
mechanism: by value
Reason why the user's login attempt failed. The logfail_status
argument is a longword containing the login failure status code.
The logfail_status argument can contain any valid message code.
For example, the value of the logfail_status argument is
SS$_NOSUCHUSER if the user name the user entered does not exist on
the system.
If the logfail_status argument contains a failure status, the
service performs a suspect scan. Here, the service searches the
intrusion database for intruder suspects as well as intruders.
If the value of the logfail_status argument is a successful
message, such as SS$_NORMAL, the service scans the database only
for intruders. For more information about how the database works,
refer to the OpenVMS Guide to System Security.
failed_user
OpenVMS usage: char_string or item_list_3
type: character-coded text string or longword (unsigned)
access: read only
mechanism: by descriptor-fixed-length string descriptor or by
reference
If the CIA$M_ITEMLIST flag is FALSE:
This argument is the user name associated with the unsuccessful
login attempt. The failed_user argument is the address of a
character-string descriptor pointing to the failed user name.
A failed user name consists of 1 to 32 alphanumeric characters.
If the CIA$M_ITEMLIST flag is TRUE:
The failed_user argument is the address of a 32-bit item list. If
the item list is used, one item, the CIA$_FAILED_USERNAME item,
must be present in the item list.
The following table lists the valid item descriptions for the
failed_user argument:
Item                    Description
CIA$_FAILED_USERNAME    Address of a buffer containing the failed user
                        name.
CIA$_SCSNODE            Address of the 8-character null-padded SCS
                        node name on which the intrusion happened.
CIA$_USER_DATA          Address of a 256-byte buffer, available for
                        passing third party specified data.
job_type
OpenVMS usage: job type
type: longword (unsigned)
access: read only
mechanism: by value
Type of job that failed. The job_type argument is a longword
indicating the type of job that failed.
The $JPIDEF macro defines the following values for the job_type
argument:
o JPI$K_BATCH
o JPI$K_DETACHED
o JPI$K_DIALUP
o JPI$K_LOCAL
o JPI$K_NETWORK
o JPI$K_REMOTE
source_terminal
OpenVMS usage: char_string
type: character-coded text string
access: read only
mechanism: by descriptor-fixed-length string descriptor
Source terminal where the login attempt is occurring. The
source_terminal argument is the address of a character-string
descriptor pointing to the device name of the terminal from which
the login attempt originates.
A source terminal device name consists of 1 to 64 alphanumeric
characters, including underscores (_) and colons (:).
source_node
OpenVMS usage: char_string
type: character-coded text string
access: read only
mechanism: by descriptor-fixed-length string descriptor
Name of the node from which the user's login attempt originates.
The source_node argument is the address of a character-string
descriptor pointing to the source node name string.
A source node name consists of 1 to 1024 characters. No specific
characters, format, or case is required for a source node name
string.
source_user
OpenVMS usage: char_string
type: character-coded text string
access: read only
mechanism: by descriptor-fixed-length string descriptor
User name associated with the login attempt. The source_user
argument is the address of a character-string descriptor pointing
to the source user name string.
A source user name consists of 1 to 32 alphanumeric characters,
including dollar signs ($) and underscores (_).
source_addr
OpenVMS usage: node address
type: descriptor
access: read only
mechanism: by reference
Source DECnet for OpenVMS address from which the login attempt
originates. The source_addr argument is the address of a
descriptor containing the source node address.
failed_password
OpenVMS usage: char_string
type: character-coded text string
access: read only
mechanism: by descriptor-fixed-length string descriptor
Password the user entered for the login attempt. The
failed_password argument is the address of a character-string
descriptor pointing to the plaintext password the user entered to
log in.
A failed password is a password of 0 to 32 characters that did
not allow the user to log in to the system. This argument is not
stored in the intrusion database and is only used for auditing
during break-in attempts.
parent_user
OpenVMS usage: char_string
type: character-coded text string
access: read only
mechanism: by descriptor-fixed-length string descriptor
Parent process name of the failed login. The parent_user argument
is the address of a character-string descriptor pointing to the
parent process name of the failed login process.
A parent process name consists of 1 to 15 characters. This
argument should be specified only for failed spawn commands.
parent_id
OpenVMS usage: process_id
type: longword (unsigned)
access: read only
mechanism: by value
Process identification of the parent process from which the login
was attempted. The parent_id argument is a longword containing
the parent process identification.
flags
OpenVMS usage: mask_longword
type: longword (unsigned)
access: read only
mechanism: by value
Operational instructions for the service. The flags argument is a
longword bit mask wherein each bit corresponds to an option.
Each flag option has a symbolic name. The $CIADEF macro defines
the following valid names for the $SCAN_INTRUSION service:
Symbolic Name               Description
CIA$M_NOAUDIT               If set, this flag indicates that the service
                            should instruct the security server to not
                            audit the login failure or the break-in
                            attempt. If the flag is set, you are expected
                            to do your own auditing.
CIA$M_IGNORE_RETURN         Specifies that the service should not wait for
                            the return status from the security server. No
                            return status from the server's function will
                            be returned to the caller.
CIA$M_ITEMLIST              If FALSE, the failed_user argument is a
                            character string. If TRUE, this argument is
                            a 32-bit item list.
CIA$M_REAL_USERNAME         If set, indicates that the user name passed as
                            the failed user name is real and known to the
                            system.
CIA$M_SECONDARY_PASSWORD    Indicates that the failed password passed to
                            the service was the secondary password. If the
                            flag is clear, the password is assumed to be
                            the primary password.
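A pre-call check for the string arguments, as an added example that is not part of the original help text or of OpenVMS: it applies the length and character rules from the argument descriptions above before a caller hands the strings to the service, and reports whether a given logfail_status would trigger the suspect scan. The names arg_rule, first_bad_arg and does_suspect_scan are hypothetical, and the status test assumes the OpenVMS convention that a condition value with its low bit set is a success status.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* One rule per string argument, taken from the argument descriptions above. */
struct arg_rule {
    const char *name;
    size_t min_len, max_len;
    const char *extra;   /* allowed besides alphanumerics; NULL = any character */
    int required;
};

static const struct arg_rule RULES[] = {
    { "failed_user",     1,   32, "",   1 },
    { "source_terminal", 1,   64, "_:", 0 },
    { "source_node",     1, 1024, NULL, 0 },
    { "source_user",     1,   32, "$_", 0 },
    { "failed_password", 0,   32, NULL, 0 },
    { "parent_user",     1,   15, NULL, 0 },
};
#define N_RULES (sizeof RULES / sizeof RULES[0])

/* values[i] pairs with RULES[i]; NULL means the optional argument is omitted.
   Returns the name of the first argument that breaks its rule, or NULL. */
const char *first_bad_arg(const char *const values[N_RULES])
{
    for (size_t i = 0; i < N_RULES; i++) {
        const struct arg_rule *r = &RULES[i];
        const char *v = values[i];
        if (v == NULL) {
            if (r->required) return r->name;
            continue;
        }
        size_t len = strlen(v);
        if (len < r->min_len || len > r->max_len) return r->name;
        if (r->extra == NULL) continue;          /* no character restrictions */
        for (size_t k = 0; k < len; k++) {
            unsigned char c = (unsigned char)v[k];
            if (!isalnum(c) && strchr(r->extra, c) == NULL) return r->name;
        }
    }
    return NULL;
}

/* Assumption: low bit set means success. A failure status makes the service
   scan for suspects as well as intruders; a success status, intruders only. */
int does_suspect_scan(unsigned int logfail_status)
{
    return (logfail_status & 1u) == 0;
}
```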