Previous | Contents | Index |
Displays the contents of the intrusion database.Requires SECURITY privilege.
SHOW INTRUSION
The OpenVMS system stores information in the intrusion database about login failures that originate from a specific source and that result from any number of failure types (invalid password, account expired, unknown user name). A security manager can identify possible break-in attempts by using the SHOW INTRUSION command to display the contents of the intrusion database.The entries in the intrusion database have the following format:
Intrusion Type Count Expiration SourceThe information provided in the fields in each entry is as follows:
Field Description Intrusion Class of intrusion. The type of evasive action that the OpenVMS system takes depends on the class of intrusion. Type Severity of intrusion as defined by the threshold count for login failures. Count Number of login failures associated with a particular source. Expiration Absolute time at which a login failure is no longer counted by OpenVMS. The system parameter LGI_BRK_TMO controls how long the OpenVMS system keeps track of a login failure. Source Origin of the login failure. The information provided in this field depends on the class of intrusion. In the intrusion database, the operating system classifies login failures according to their source. The four classes of system intrusion are as follows:
Intrusion Class Description NETWORK Login failure originating from a remote node, using a valid user name. TERMINAL Login failure originating from one terminal. TERM_USER Login failure originating from one terminal, using a valid user name. USERNAME Login failure attempting to create a detached process. The class of intrusion determines the type of information presented in the source field of the entry. Information appears in the source field in one of the following formats:
Intrusion Class Format of Source Field NETWORK node::user name TERMINAL terminal: TERM_USER terminal:user name USERNAME user name The type of evasive action that a security manager can take is based on the type of information provided. For details on how to use this information, see the HP OpenVMS Guide to System Security.
The intrusion database contains two levels of intrusion entries: suspect and intruder. The severity level of an entry is displayed in the type field of the entry. When a login failure associated with a particular source occurs, the OpenVMS system classifies the login failure as suspect. Each succeeding login failure from the same source is counted. The login failure count is displayed in the count field of the entry. The absolute time at which the login failure ceases to be counted is displayed in the expiration field of the entry. When the number of login failures exceeds the number specified by the system parameter LGI_BRK_LIM, the entry is classified as an intruder. However, if the parameter LGI_BRK_LIM is set to zero, the first login failure is not classified as an intruder; the result is the same as if the parameter LGI_BRK_LIM were set to one.
When an entry is promoted to intruder, the OpenVMS system takes evasive action by blocking all login attempts from that particular source.
The duration of the evasive action is determined by the system parameter LGI_HID_TIM. The absolute time at which the evasive action ends is displayed in the expiration field of the entry.
For information on intrusion detection, prevention, and evasive actions, see the HP OpenVMS Guide to System Security.
If you determine that an entry in the intrusion database resulted from a user error and not a break-in attempt, you can remove an entry from the intrusion database with the DELETE/INTRUSION command. See the DELETE/INTRUSION command for more details.
/NODE[=(node-name[,...])]
The /NODE qualifier displays each intrusion record with the supporting node information.If you specify individual nodes, the supporting node information is displayed only for the nodes listed.
/OLD
On VAX, displays the contents of the old kernel mode intrusion database. The kernel mode intrusion database was used by the system and layered products prior to OpenVMS VAX Version 6.1. It is still updated by the system to provide backwards compatability to applications that have not yet converted over to using the supported system services for access to the intrusion database. Entries added directly to the old kernel mode intrusion database by applications may be examined only by using the /OLD qualifier./OUTPUT[=filespec]
Directs the output from the SHOW INTRUSION command to the file specified with the qualifier. By default, output from the command is displayed to SYS$OUTPUT./TYPE=keyword
Selects the type of information from the intrusion database that is displayed. The valid keywords are as follows:
ALL All entries. By default, all entries are displayed. SUSPECT Entries for login failures that have occurred but have not yet passed the threshold necessary to be identified as intruders. INTRUDER Entries for which the login failure rate was high enough to warrant evasive action.
#1 |
---|
$ SHOW INTRUSION/OUTPUT=INTRUDER.LIS |
The SHOW INTRUSION command in this example writes all the entries currently in the intrusion database to the file INTRUDER.LIS.
#2 |
---|
$ SHOW INTRUSION/TYPE=INTRUDER Intrusion Type Count Expiration Source TERMINAL INTRUDER 9 10:29:39.16 AV34C2/LC-1-15: NETWORK INTRUDER 7 10:47:53.12 NODE22::RONNING |
In this example, the SHOW INTRUSION command displays all intruder entries currently in the intrusion database.
#3 |
---|
$ SHOW INTRUSION/NODE NETWORK SUSPECT 5 26-JUL-2001 08:51:25.66 POPEYE::WONG Node: TSAVO Count: 2 Node: FROGGY Count: 2 Node: KITTY Count: 1 |
This command displays each intrusion record for all nodes.
#4 |
---|
$ SHOW INTRUSION/NODE=(FROGGY,KITTY) NETWORK SUSPECT 5 26-JUL-2001 08:51:25.66 POPEYE::HAMMER Node: FROGGY Count: 2 Node: KITTY Count: 2 |
This command displays intrusion record information for nodes FROGGY and KITTY.
#5 |
---|
$ SHOW INTRUSION/NODE=EVMSA $ |
This command shows that there are no intrusion records for node EVMSA.
Previous | Next | Contents | Index |