Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utgpu!water!watnot!watmath!clyde!rutgers!ames!ucbcad!ucbvax!GE-CRD.ARPA!JOHNC%CAD2.DECnet
From: JOHNC%CAD2.DECnet@GE-CRD.ARPA.UUCP
Newsgroups: mod.computers.vax
Subject: Security Alarm ACLs on Devices
Message-ID: <8702172154.AA11499@ucbvax.Berkeley.EDU>
Date: Tue, 17-Feb-87 12:08:00 EST
Article-I.D.: ucbvax.8702172154.AA11499
Posted: Tue Feb 17 12:08:00 1987
Date-Received: Wed, 18-Feb-87 20:35:29 EST
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The ARPA Internet
Lines: 44
Approved: info-vax@sri-kl.arpa

>> From: jon%gaia.UUX%ncar.csnet@RELAY.CS.NET
>> Subject: Security alarms for device access
>>
>> Our dialout modem ports have attracted the attention of management
>> lately -- somebody has apparently been calling bulletin board systems all
>> over the country and running up bills in the thousands of dollars. OUCH!!
>> I can say:
>>
>> $ set acl /object=device /acl=(alarm_journal=security, -
>>                  access=read+write+success+failure) ttd0
>>
>> and the system is happy. SHOW DEVICE will list off that ACL as being on
>> the device. ACL security alarms are turned on. Nonetheless, the alarm
>> does not happen when people dial out through the port.
>> So...does anybody have any ideas, or does this simply not work?

Although DCL is happy with SET/DEV/ACL=(ALARM... It simply doesn't work.
The "Guide to VAX/VMS System Security" doesn't say that, however it also
doesn't say that you _can_ set alarm ACEs on devices either. Specifically:
page 4-31 thru 4-33 are pretty ambiguous (refers to "objects" repeatedly),
but page 4-54 explicitly lists all of the events which can be alarmed
without mention of device accesses, and Appendix E shows examples of all
alarm messages without mention of device access alarms. (Note that MOUNT
and DISMOUNT operations are auditable via SET AUDIT/ALARM/ENABLE=MOUNT)

_Should_ this work? It'd be a convenience. Whether this is a feature
coming in the future or a hole in VMS is an open question. Anyone from
DEC out there know?

In the meantime, for Jon's problem... The suggestion to alarm RTPAD is
fine, but will generate a _lot_ of alarms if you have users doing SET HOST
commands. I'd prefer a batch job which does SHO DEV/FULL every five
minutes or so for a few days. It's trivial to implement and you should
catch the culprit!

-------------------------------------------------------------------------
"Under capitalism man exploits man,             John Child
 while under communism it's the                 GE Aircraft Engines
 other way around"                              Lynn MA
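
The polling batch job suggested in the reply above, sketched as a DCL command procedure. This is an added example, not part of the original post: the procedure name and log file location are assumptions, and it reads the port's owner with the F$GETDVI and F$GETJPI lexical functions rather than capturing SHOW DEVICE/FULL output, so that only changes of owner are logged.

```dcl
$! WATCH_TTD0.COM -- added example, not from the original post.
$! Polls the dial-out port from the post (TTD0) every five minutes and
$! logs each change of owning process. Needs WORLD privilege to look up
$! processes that belong to other users.
$!
$ SET NOON                                  ! keep polling if a lookup fails
$ device   = "TTD0:"
$ logfile  = "SYS$MANAGER:TTD0_WATCH.LOG"   ! assumed log location
$ last_pid = ""
$ IF F$SEARCH(logfile) .EQS. "" THEN CREATE 'logfile'
$!
$POLL:
$ pid = F$GETDVI(device, "PID")             ! PID of the process owning the port
$ IF pid .EQS. "00000000" THEN pid = ""     ! treat "no owner" uniformly
$ IF pid .EQS. last_pid THEN GOTO SLEEP     ! nothing changed since last poll
$!
$ who = "(port free)"
$ IF pid .EQS. "" THEN GOTO RECORD
$ who   = "(process gone before lookup)"    ! kept if F$GETJPI fails below
$ user  = F$EDIT(F$GETJPI(pid, "USERNAME"), "TRIM")
$ image = F$GETJPI(pid, "IMAGNAME")
$ IF user .NES. "" THEN who = "user " + user + " running " + image
$!
$RECORD:
$ OPEN/APPEND log 'logfile'
$ WRITE log F$TIME(), " ", device, " owner PID=", pid, " ", who
$ CLOSE log
$ last_pid = pid
$!
$SLEEP:
$ WAIT 00:05:00                             ! interval suggested in the post
$ GOTO POLL
```

A call that starts and ends between two polls is not seen, so shorten the WAIT interval if the dial-out sessions are brief.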