Steve,
It sounds like you have a good handle on your system. I've implemented
something very similar using Security/3000 and VEAudit/3000, but have added
something you may wish to include in your operation. For my "privileged"
logons, the system will send a message to my pager in addition to sending
the e-mail. The e-mail is great for documenting the logon, but the pager
message is much better for notification. We're essentially an 8 to 5 shop
also, so I want to be notified ASAP of any logons to those accounts,
especially after hours when I won't see the e-mail for a while. Should
anyone logon and the system not page/e-mail me, I also generate and review
a report of all "SM" logons.
David N. Lukenbill
Computer Sciences Corporation
Steve Patterson <sysdev@PORTOFHALIFAX.CA>
Sent by: HP-3000 Systems Discussion <HP3000-L
02/04/03 10:53 AM
Please respond to Steve Patterson
To: [log in to unmask]
cc:
Subject: Re: [HP3000-L] Monitoring unauthorized access to our HP3000
Steve:
We took a home-grown approach to logon monitoring and control. Please note
that this does NOT address the issue of multiple failed logon attempts from
the "wild". Our 3000 is not accessible via the Internet.
First of all, we've identified certain "privileged" accounts, such as
TELESUP and SYS (and others), and all successful logons execute a logon UDC
that notifies our IT staff via email as to who logged on, from what IP
address (all static), and at what time. This emailed report is also printed
on the system LP and forwarded to the Manager of Systems.
Account Manager user-id's are required to use a session name, which is
enforced via a logon UDC, such that MGR.ACCOUNT will be better identified as
USERNAME,MGR.ACCOUNT. This is important as we have a couple of production
accounts that require several users to access the AM userid, and we do NOT
want to have more than one AM user per account.
As we are an 8 to 5 shop, I've also implemented an After Hours Access
Password, which basically prompts the user for one extra password to
successfully logon. Failed attempts AND successful logons generate an email
notification to IT staff, as well as generating a hardcopy. Any after hours
access is confirmed with the user, i.e. "So you were in on Saturday?"
Finally, all applications are presented to the user via an application menu,
which has a further level of security built in to it, by means of an
application password or by means of an authorized user list. Bad passwords
or unauthorized access attempts generate a TELLOP message to the system
console. The console log is printed and reviewed on a weekly basis.
All of the above was implemented by means of CI scripts, a couple of small
Perl programs on the 3000, and a socketed Perl listener running on a WinNT
Workstation PC that passes email from the HP-3000 to our Exchange server.
If you want some specific examples, feel free to contact me.
Cheers,
Steve Patterson
Halifax Port Authority
Halifax, Nova Scotia
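
The logon policy described in the message above, sketched in Python as an added example; it is not part of the original thread and is not the poster's CI or Perl code. The function and field names, the Monday-Friday 08:00-17:00 window and the action strings are assumptions made for illustration.

```python
from datetime import datetime

# Assumptions (not from the thread): field names, action strings, and a
# Monday-Friday 08:00-17:00 business window for the "8 to 5 shop".
PRIVILEGED_ACCOUNTS = {"TELESUP", "SYS"}   # accounts named in the message
BUSINESS_DAYS = range(0, 5)                # Monday..Friday
OPEN_HOUR, CLOSE_HOUR = 8, 17

def parse_logon(logon):
    """Split 'SESSION,USER.ACCOUNT' (session name optional) into parts."""
    session, _, rest = logon.rpartition(",")
    user, _, account = rest.partition(".")
    return (session.strip().upper(), user.strip().upper(),
            account.strip().upper())

def is_after_hours(when):
    """True outside the assumed business window."""
    return (when.weekday() not in BUSINESS_DAYS
            or not OPEN_HOUR <= when.hour < CLOSE_HOUR)

def evaluate_logon(logon, source_ip, when, after_hours_password_ok=None):
    """Return (allowed, actions) for one logon attempt."""
    session, user, account = parse_logon(logon)
    stamp = f"{logon} from {source_ip} at {when:%Y-%m-%d %H:%M}"
    # Account Manager logons must carry a session name, so that
    # MGR.ACCOUNT is identifiable as USERNAME,MGR.ACCOUNT.
    if user == "MGR" and not session:
        return False, [f"reject: no session name on {stamp}"]
    actions = []
    allowed = True
    if is_after_hours(when):
        # Extra password prompt; failures AND successes are reported.
        allowed = bool(after_hours_password_ok)
        outcome = "success" if allowed else "FAILED"
        actions.append(f"notify: after-hours {outcome} {stamp}")
    if allowed and account in PRIVILEGED_ACCOUNTS:
        # Successful logons to privileged accounts are always reported.
        actions.append(f"notify: privileged logon {stamp}")
    return allowed, actions
```

A notification sink (e-mail, printed copy, pager) would consume the returned action strings; the logons and address used to exercise it should be constructed test values, not real hosts.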
-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]]On
Behalf Of Steve Daniels
Sent: 03 April 2002 11:07
To: [log in to unmask]
Subject: Monitoring unauthorized access to our HP3000
I was curious as to what some of my distinguished colleagues use to monitor
unauthorized logons or attempted logons to their HP3000 systems. We are a
small company with one location, so security has always been an
afterthought. Now we have opened up telnet access via the internet and I
want to start doing some security by monitoring the logon process.
All suggestions will be greatly appreciated.
Steve Daniels
MIS Manager
Park Farms, Inc.
Canton, OH
330-455-0241
[log in to unmask]
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *