Review of VEAudit
by
Shawn M. Gordon
President
S.M.Gordon & Associates

Introduction

Almost everyone is familiar with VESOFT and its flagship product MPEX. Most shops can’t live without it. Many of you are also familiar with the VESOFT Security product, which gives you very robust security control over your HP 3000. The one product in the VESOFT family that seems to have the most confusion associated with it is VEAUDIT, which is the subject of this month’s review.

VEAUDIT began life strictly as a reporting tool, and this function has been enhanced over the years to show virtually anything on your system that can be considered a security risk. See figure 1 for a list of items that VEAUDIT will report for you. I’m not going to spend much time talking about the reporting because it should be pretty obvious from the menu options what you are going to see; however, figure 2 will show you an example of the first report so that you can see how VEAUDIT will not only show you the problems, but make recommendations on how to fix them.

Now, over those same years that the reports were being enhanced, online reporting and manipulation commands were added to VEAUDIT. As a matter of fact, if you owned MPEX, you could issue all the VEAUDIT commands from there. So without further ado, let’s get to the meat of the review.

Features

There are five basic objects that VEAUDIT will allow you to work against:

ACCOUNTS
GROUPS
USERS
UDC’s
SYSTEM LOG FILES

Aside from the log files, you can perform 4 basic operations on the above objects:

ALTER
COPY
PURGE
LIST

See figure 3 for an example of the LIST option of all the objects. Everything but UDC’s and log files can be expanded with the PASS, ALLCAPS, and FULL parameters. These should be self-explanatory, but what VEAUDIT does is make an intelligent decision on what will fit on an 80 column screen, and display the most useful information that will fit. You can get absolutely everything by specifying these other parameters.

One of the nice features of all the commands is their ability to select objects based on a variety of criteria: things like password value, or lack of value, specific access attributes, volume sets, disc parameters, and specific capabilities being set.

A feature that I particularly like, and make use of, is the ability to COPY any of the above mentioned objects. This makes it a simple task to generate a new user, or create a test area that mimics your production area. Needless to say the COPY allows you to change the name, but copy the attributes of the object. One option of the copy is to output the results of a COPY command to a file without changes. This is a wonderful tool for setting up a new computer with a similar environment. The only drawback that I have seen is that it doesn’t appear to carry forward the UDC’s that have been set.

One fascinating aspect of VEAUDIT, and all the VESOFT products, is that they are totally extensible. This means that you can build your own commands using their language and syntax (which is largely similar to programming in the CI of MPE/iX). So if you need to do something, and there isn’t a command already there for it, you can probably build it yourself. Here is an example of something I wanted to do. Basically I ran into a situation where hundreds of users were configured in one account, but I knew that only about 80 actually existed. I wanted to compare the list of users configured to the system log files to look for logons. One problem was the job initiation logging had not been enabled, so I needed to scan the console log records to find “LOGON” messages. Here is the command file that I used. You will notice how short it is; the only real downside is that it can take a while to run if you have a lot of log files to scan.

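# This cmd file uses VEAUDIT to check the console log for users
# that are configured, but haven't logged on
# Collect every console LOGON message (text as shown in Figure 3) in ALLOGONS
VEAUDIT LISTLOG CONSOLE;SEARCH=(MESSAGE MATCHES "@LOGON FOR:@")>ALLOGONS
# For each user in SMGA, look for user.account in ALLOGONS; when no line
# is found, only ECHO the PURGEUSER command so it can be reviewed first
REPEAT
:PRINT ALLOGONS;SEARCH=R MATCHES '@![RUSER.USER].![RUSER.ACCOUNT]@'>$NULL
IF NOT !MPEXPRINTLINESFOUND>0 THEN
ECHO VEAUDIT PURGEUSER ![RUSER.USER].![RUSER.ACCOUNT]
ENDIF
VEAUDIT FORUSERS @.SMGA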

The above command file also illustrates the sophisticated search capabilities of the LISTLOG command. Basically you choose the log subsystem CONSOLE, FCLOSE or LOGON, and any optional search parameters, and away you go. You can see how this will make your life much easier when it comes to researching problems.
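The same comparison done outside MPEX, as an added example that is not from the review or from VESOFT: Python that parses console-log lines in the layout Figure 3 shows, collects the user.account of each LOGON message, and lists configured users with no logon in the window the log covers. The names ALICE, BOB and CAROL and all sample lines except the BACKMAN one are constructed; the logon string is assumed to have the form [session,]user.account[,group].

```python
import re

# Constructed sample in the LISTLOG CONSOLE layout of Figure 3. Only the
# BACKMAN line comes from the page; the other records are made up.
SAMPLE_LOG = '''\
97/03/18 10:00a         SYSTEM LOG FILE #1178 IS ON
97/03/18 10:14a #J693   LOGON FOR: "BACKMAN,MGR.SMGA,PUB" ON LDEV #10.
97/03/18 10:14a #J693   LOGOFF ON LDEV #10.
97/03/19 08:02a #S641   LOGON FOR: "ALICE.SMGA,DATA" ON LDEV #22.
97/03/20 09:30a #S650   LOGON FOR: "OPERATOR.SYS,PUB" ON LDEV #20.
'''

# date, time, optional #Jnnn/#Snnn job id, then the message text
RECORD = re.compile(r'^(\d\d/\d\d/\d\d) +\d\d?:\d\d[ap] +(?:#[JS]\d+ +)?(.*)$')
# Matched at the start of the message only, so the phrase appearing inside
# some other console text is not counted as a logon.
LOGON = re.compile(r'LOGON FOR: *"([^"]+)"')


def parse(log_text):
    """Return (dates of all records, {USER.ACCOUNT: latest logon date})."""
    dates, last_logon = [], {}
    for line in log_text.splitlines():
        rec = RECORD.match(line.strip())
        if not rec:
            continue  # page banners, column headers, blank lines
        date, message = rec.groups()
        dates.append(date)
        hit = LOGON.match(message)
        if not hit:
            continue
        # Assumed form [session,]user.account[,group]: the identity is the
        # first comma-separated field that contains a dot.
        fields = [f.strip().upper() for f in hit.group(1).split(',')]
        ident = next((f for f in fields if '.' in f), None)
        if ident:
            last_logon[ident] = max(date, last_logon.get(ident, date))
    return dates, last_logon


def dormant_users(configured, log_text):
    """Return (users with no logon record, (first, last) date covered)."""
    dates, last_logon = parse(log_text)
    if not dates:
        # An empty log proves nothing: the event may not be logged at all.
        raise ValueError('no console log records; is logging enabled?')
    # YY/MM/DD strings sort chronologically within one century.
    window = (min(dates), max(dates))
    dormant = sorted({u.upper() for u in configured} - set(last_logon))
    return dormant, window
```

The returned window matters as much as the list: a user is only "never seen" between those two dates, so a short log history should not by itself justify a purge.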

It’s important to note that VEAUDIT is fully POSIX “aware”. When it’s looking for files with embedded passwords, or hidden, or anything else, it’s looking at the POSIX file space as well. So your entire system is always being checked, not just the MPE portion of it. This is really more applicable to the reporting functions than the online functions.

I have only briefly mentioned the reporting ability of VEAUDIT, but a recently added enhancement will now create a driver file to fix some of the security problems that are reported. These driver files can then be read by some of the command files that were recently created in the VECSL account for VEAUDIT. They were all created by VESOFT, and are meant to work with VEAUDIT, so I am not sure why they are just part of the normal commands, and it’s not obvious that that is how they are used, but they are there for you.

I obviously can’t go through every little detail of VEAUDIT, but hopefully I have covered enough to whet your appetite so you will want to check it out yourself.

Usability (also installation)

VESOFT set the standard for robust, easy to install software (especially for something so large and complicated). Basically restore the tape with a CREATE option, run a program, and wait; the VESOFT installation will take care of everything. They are very good about recovery, and robustness during the installation. If for any reason something goes wrong, VESOFT will tell you, and help you fix it. By default whenever you get one VESOFT product, the rest of their products are included as demos, so be prepared to use up about 100k sectors of disk space.

VEAUDIT is very easy to use, but it is all command driven, so this means you are going to have to learn the commands and their parameters. The upside to this is that the online help in VEAUDIT is incredible; it’s very easy to find something, and see how its syntax works. The downside to this is that if you have no idea what they might call what you are looking for, you may never find it. Keep in mind that their phone tech support is always available, so if you are feeling stymied, just call and ask.

Reliability

Typically all the VESOFT products are very reliable, and VEAUDIT is no exception. You should find that the information reported is correct, and nothing is missing. You will also find that its manipulations are correct. When using the log auditing features you may be inclined to think something isn’t working because you aren’t getting any data back. If this happens, check to see that you actually have logging enabled for that particular event; if it’s off, then how can VEAUDIT report it for you? And yes, I did learn this the hard and stupid way.

Performance

Performance is going to depend largely on what you are doing, and the size of your CPU. If you are running a full VEAUDIT report, then it will probably take hours, and should run at night. If you are doing a LISTUSER command, it will be instantaneous. If you are doing one of your own commands, well then who knows.

Supportability (including Doc)

Support and documentation from VESOFT have always been top notch. I think I actually picked up part of my writing style by reading the VESOFT documentation. It’s clear and conversational, and explains difficult topics in such a way as to make them understandable. I have always loved the online help in the VESOFT products, and believe it is still the best out there for utility software.

Summary

VEAUDIT is very close to being one of my ‘must have’ utilities. I can replicate most of its functionality through a lot of hard work, but it’s always been hard to get a buy off from management. Honestly your static shops probably won’t get a lot of use from it, but I personally don’t go a day where I don’t make use of some aspect of VEAUDIT. The sheer power and flexibility make it a powerful tool to add to your arsenal to manage and audit your system security and operating environment.

The ability to replicate entire accounting structures is a wonderful way to create test environments that match your production environments, as well as creating new groups and users that match existing ones without having to type out all those CAPS and ACCESS rights. I also really loved the log file query commands; these were much easier to use, and more flexible, than anything I have written or been able to find in the CSL. Going through log files has always been such a hassle. I really can’t find anything to fault in VEAUDIT other than that the functions to list UDC’s appear to have been knocked out quickly, and I only say this because they are the only LIST function that doesn’t contain nice headers and such.

So if you are responsible for managing your systems and/or security for your systems, you really must give VEAUDIT a try. I guarantee after using it in real day-to-day work you will wonder how you got along without it.

At-a-Glance box

VEAudit version 25.60119
VESOFT
1135 S. Beverly Dr.
Los Angeles, CA 90035-1119 USA
Phone (310) 282-0420
Fax (310) 785-9566

Software ranges from $1995 to $2950, discounts are available for multiple CPU’s, the first 6 months maintenance is free, $320 per year thereafter. 1 Manual

Figure 1

#101. Users with *NO PASSWORDS* and SM/PM
#102. Globally-Writable Programs in PM Groups
#103. Globally-Readable Jobs with Embedded SM/PM/OP Passwords
#104. Globally-Writable Jobs that sign on as SM/PM/OP
#105. Users who may disable system UDCs
#106. Users with *NO PASSWORDS* and OP
#107. SECURITY/3000 Logon Trap/UDC set-up problems

#201. Users with *NO PASSWORDS*
#202. Inappropriate (Easily-Guessable) MPE Passwords
#203. Inappropriate (Easily-Guessable) SECURITY/3000 Passwords
#204. Globally-Readable Jobs with Embedded Passwords
#205. Globally-Writable Jobs
#206. Passwords that are too short
#207. MPE Passwords unchanged in the last 30 days
#208. SECURITY/3000 Passwords unchanged in the last 30 days

#301. Users with SM or PM capability
#302. Users with OP capability
#303. Job Streams with Embedded Passwords
#304. Groups with PM capability that don’t need it
#305. Users with AM capability
#306. Users protected only by Account-Level Passwords

#401. Globally-Writable (including :RELEASEd) Files
#402. Privileged Programs
#403. Hidden Files

#801. Concise Directory Listing
#802. SECURITY/3000 User Listing
#803. System Directory changes in past 30 days
#804. SECURITY/3000 User changes in past 30 days
#805. UDC files set on the system
#806. Contents of the SECURITY/3000 SECURCON.DATA.VESOFT File
#807. Contents of the SECURITY/3000 STREAMX.DATA.VESOFT File
#808. Contents of the SECURITY/3000 HELLO.DATA.VESOFT File

Figure 2

*******************************************************************************
* #101. USERS WITH *NO PASSWORDS* AND SM OR PM! *
* *
* Anybody can sign on as these users and do anything to the system! *
*******************************************************************************

User MGR .CSLXL has no password and PM
User MGR .LPSTOOLS has no password and PM
User MGR .MINISOFT has no password and PM
User MANAGER .ORBIT has no password and write or save access to PM group PUB (*3*)
User MGR .ORBIT has no password and PM
User MGR .SMGA has no password and PM
User MGR .SSS has no password and PM
User MGR .TECHNIKL has no password and SM and PM

RECOMMENDATIONS:

IN GENERAL:
* Implement MPE user passwords or SECURITY/3000 passwords;
* Or, set MPE account passwords (less preferable);
* Make sure that all users, accounts, and groups marked as
having SM or PM actually ought to have it (many might not).

SPECIFICALLY:
(*1*) Use $BATCH-VEPROFILE to protect this user in batch.
(*2*) Change this SECURITY/3000 user to require passwords.
(*3*) Restrict WRITE and SAVE access to this group.
(*4*) Take away this user’s AM capability (if possible).

Figure 3

%LISTACCT SMGA PAGE 1

SYSTEM SERIES 925 SHAWN,MANAGER.SYS,PUB TUE, APR 15, 1997, 7:16 PM

ACCOUNT  PASSWORD  MAX  DISC    ---ACCESS ALLOWED---  CAPABILITIES
                   PRI  SPACE   R   A   W   L   X     SM OP BA IA PM MR DS PH

SMGA               150  196672  ANY ANY ANY ANY ANY         BA IA PM    DS PH

VEAUDIT LISTGROUP @.SMGA
%LISTGROUP @.SMGA PAGE 1

SYSTEM SERIES 925 SHAWN,MANAGER.SYS,PUB TUE, APR 15, 1997, 7:21 PM

ACCOUNT  GROUP     PASSWORD  DISC   -----ACCESS ALLOWED-----  CAPABILITIES
                             SPACE  R   A   W   L   X   S

SMGA     C                   2416   GU  GU  GU  GU  GU  GU    BA IA
SMGA     CMD                 1296   GU  GU  GU  GU  GU  GU    BA IA
SMGA     COMPILE             1248   GU  GU  GU  GU  GU  GU    BA IA
SMGA     DATA                43248  GU  GU  GU  GU  GU  GU    BA IA
SMGA     DOC                 1216   GU  GU  GU  GU  GU  GU    BA IA
SMGA     EZQLIB              432    GU  GU  GU  GU  GU  GU    BA IA
SMGA     FORMS               464    GU  GU  GU  GU  GU  GU    BA IA
SMGA     FYI                 272    GU  GU  GU  GU  GU  GU    BA IA
SMGA     FYITMPLT            144    GU  GU  GU  GU  GU  GU    BA IA
SMGA     HELP                400    GU  GU  GU  GU  GU  GU    BA IA
SMGA     I                   304    GU  GU  GU  GU  GU  GU    BA IA
SMGA     JOB                 1120   ANY AC  AC  AC  ANY AC    BA IA
SMGA     PROG                8960   ANY AC  AC  AC  ANY AC    BA IA PM DS PH
SMGA     PROGCM              3248   GU  GU  GU  GU  GU  GU    BA IA
SMGA     PROGNM              24272  ANY AC  AC  AC  ANY AC    BA IA PM DS PH
SMGA     PUB                 34192  ANY AC  AC  AC  ANY AC    BA IA PM DS PH
SMGA     README              240    GU  GU  GU  GU  GU  GU    BA IA
SMGA     REDIRECT            11024  GU  GU  GU  GU  GU  GU    BA IA PM DS PH
SMGA     SCHEMA              560    ANY AC  AC  AC  ANY AC    BA IA PM DS PH
SMGA     SOURCE              29888  GU  GU  GU  GU  GU  GU    BA IA
SMGA     TAPE                112    GU  GU  GU  GU  GU  GU    BA IA
SMGA     TEST                1472   GU  GU  GU  GU  GU  GU    BA IA
SMGA     TODO                48     GU  GU  GU  GU  GU  GU    BA IA
SMGA     UDC                 16     GU  GU  GU  GU  GU  GU    BA IA
SMGA     UTIL                8512   ANY AC  AC  AC  ANY AC    BA IA PM DS PH
SMGA     XEQ                 32     GU  GU  GU  GU  GU  GU    BA IA

VEAUDIT LISTUSER @.SMGA

%LISTUSER @.SMGA PAGE 1

SYSTEM SERIES 925 SHAWN,MANAGER.SYS,PUB TUE, APR 15, 1997, 7:25 PM

ACCOUNT  USER  PASSWORD  HOME   MAX  CAPABILITIES
                         GROUP  PRI  SM AM AL GL OP BA IA PM MR DS PH

SMGA     MGR   notshown  PUB    150     AM          BA IA PM    DS PH

VEAUDIT LISTUDC @.SMGA
@ .@ NMCMDUDC.UDC.SYS HPPXUDC.PUB.SYS SYSUDC1.UDC.SYS
MGR .SMGA FYIMAIL.UDC.SMGA

VEAUDIT LISTUDC @.SMGA;INVERT

FYIMAIL.UDC.SMGA MGR.SMGA
HPPXUDC.PUB.SYS @.@
NMCMDUDC.UDC.SYS @.@
SYSUDC1.UDC.SYS @.@

VEAUDIT LISTLOG CONSOLE

%LISTLOG CONSOLE PAGE 1

SYSTEM SERIES 925 SHAWN,MANAGER.SYS,PUB TUE, APR 15, 1997, 8:02 PM

--DATE-- -TIME- -JOBID- MESSAGE
97/03/18 10:00a         SYSTEM LOG FILE #1178 IS ON
97/03/18 10:00a         SYSTEM LOG FILE #1177 IS 99% FULL
97/03/18 10:01a #S634   LOGOFF ON LDEV #139.
97/03/18 10:13a #J2300  ALTSPOOLFILE #O20822;PRI=4
97/03/18 10:14a #J6     ALTJOB #J693 ;INPRI=14
97/03/18 10:14a #J6     JOBFENCE 13
97/03/18 10:14a #J6     LIMIT 16
97/03/18 10:14a #J693   LOGON FOR: "BACKMAN,MGR.SMGA,PUB" ON LDEV #10.
97/03/18 10:14a #J6     LIMIT 00
97/03/18 10:14a #J6     JOBFENCE 04
97/03/18 10:14a #J693   LOGOFF ON LDEV #10.
97/03/18 10:14a #J481   ALTSPOOLFILE #O20807;PRI=0
97/03/18 10:14a #J481   ALTSPOOLFILE #O20808;PRI=0
97/03/18 10:14a #J481   ALTSPOOLFILE #O20819;PRI=0
97/03/18 10:14a #J2300  DELETESPOOLFILE #O20826
97/03/18 10:14a #J2300  DELETESPOOLFILE #O20827