Using the Security Log File

The SECURITY-LOG file, located in the SYSTEM Dictionary, logs all invalid attempts to log on, all system privilege violations, and all attempts to access accounts and files restricted by retrieval and update codes. This file defines ten types of violations. (See below.)

Each type of violation has a maintenance control item in the dictionary of the SECURITY-LOG file. These control items set and reset a counter that keeps track of the number of each violation, and they save a description of the type of violation.

To list the contents of the SECURITY-LOG file, use the LIST-SECURITY-LOG Proc (see Using the SYSPROG Account and Commands in the mvBase Guide to Files and Accounts).

The Security Log gives the following information:

type (SLOG)

Lists the type of security error. It can be one of the following:

Class   Description
1       SYS1 privilege violation
2       SYS2 privilege violation
3       SYSPROG privilege violation
4       (reserved)
5       Illegal modification of file, list, or object pointers
6       File open/access violation
7       Item retrieval violation
8       Item update violation
9       Invalid logon account violation
A       Invalid logon password violation

count (SLOG)

Number of violations of each type.

process

Number of the process on which the error was detected.

account

Name of the account where the error occurred.

time and date

Lists the date and time at which the error occurred.

TCL command

Command that caused the error.

MISC1

Lists file names, base frame IDs, attempted logon names, etc.

MISC2

Lists additional information, such as incorrect passwords, etc.

This file can be cleared and the maintenance control items can be reset to their original values using the RESET-SECURITY-LOG command (for more details, see System Files that Grow).

Maintenance Control Items

Maintenance control items are located in the dictionary of the SECURITY-LOG file. They keep track of the number of each violation and save a description of the class of violation. The structure of these items is as follows:

Item-ID   Violation class: *.
Line 1    Subcounter for keying violation of this class
Line 2    Upper counter limit, to restrict the number of entries for this class of violation
Line 3    Wrap counter, used to reset the subcounter when it reaches the upper counter limit
Line 4    Description of the class of violation, used in INFO/ACCESS reports

By using the upper counter limit, you can keep a runaway process from using up disk space. This might occur, for example, if there were a port causing an indefinite number of illegal logon attempts.

Here is an example of a maintenance control item for a class 5 violation:

    5*
001 33
002 999
003 1
004 POINTER MOD

Line 1 indicates that the last violation ID is 5*33. Line 2 limits the number of items for class 5 violations to 999. Line 3 resets the count in Attribute 1 to 1 when it reaches 999. Line 4 describes a class 5 violation as an illegal attempt to modify a file, list, or object pointer.
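
The counter behaviour described above can be modelled outside mvBase. The following Python model is an added example, not mvBase code and not part of the original documentation. It assumes that the subcounter restarts at the wrap value once it has reached the upper limit and that a reused ID overwrites the record stored under it; the function names and the class A item with a limit of 5 are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class ControlItem:
    violation_class: str  # item-ID without the trailing "*", e.g. "5"
    subcounter: int       # line 1: last subcounter used
    upper_limit: int      # line 2: upper counter limit
    wrap_value: int       # line 3: value the subcounter restarts at
    description: str      # line 4: description of the class

def parse_control_item(item_id, lines):
    """Build a ControlItem from an item-ID such as '5*' and its four lines."""
    if not item_id.endswith("*") or len(lines) != 4:
        raise ValueError("expected an ID like '5*' and four attribute lines")
    return ControlItem(item_id[:-1], int(lines[0]), int(lines[1]),
                       int(lines[2]), lines[3])

def next_violation_id(ctl):
    """Advance the subcounter and return the ID of the next logged violation.
    Assumption: at the upper limit the subcounter restarts at the wrap value."""
    if ctl.subcounter >= ctl.upper_limit:
        ctl.subcounter = ctl.wrap_value
    else:
        ctl.subcounter += 1
    return f"{ctl.violation_class}*{ctl.subcounter}"

def log_burst(ctl, log, events):
    """Log events in order; return (id, old record) pairs lost to ID reuse."""
    overwritten = []
    for event in events:
        vid = next_violation_id(ctl)
        if vid in log:  # assumption: writing a reused ID replaces the record
            overwritten.append((vid, log[vid]))
        log[vid] = event
    return overwritten

def demo():
    # Control item from the example above: last ID 5*33, so the next is 5*34.
    ctl5 = parse_control_item("5*", ["33", "999", "1", "POINTER MOD"])
    first = next_violation_id(ctl5)
    # Constructed scenario: class A with a limit of 5 and eight bad passwords.
    ctl_a = parse_control_item("A*", ["0", "5", "1", "constructed description"])
    log = {}
    lost = log_burst(ctl_a, log, [f"bad password attempt {n}" for n in range(1, 9)])
    return first, sorted(log), lost

if __name__ == "__main__":
    print(demo())
```

In the constructed burst, events 6 to 8 reuse IDs A*1 to A*3, so the first three records are no longer in the log.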

Logon Security

The LOCKOUT command gives added security to the logon process. You can prevent users from logging on to the system after a specified number of invalid attempts to log on have been made. LOCKOUT allows you to specify:

Format

LOCKOUT process [logons [minutes] [(options)]

Parameter(s)

process

Can be either one process number, a range of processes (in the format n–m), or all processes (*).

logons

Specifies the number of unsuccessful logon attempts allowed.

minutes

Specifies the length of time it will not be possible to log on to the process.

options

D

The D option drops the outgoing DTR signal, causing a phone line to be disconnected. DTR will remain low for the duration of the time specified by minutes, preventing the modem from answering any calls until the time is up.

T

The T option toggles the outgoing DTR signal when the process logs off. If a modem is connected to this port, and the D option is used, the T option specifies that the phone line be disconnected every time the process logs off.

C

The C option clears all existing lockout parameters.

Again, to use DTR commands, cabling must be correctly set up. See your modem documentation for specifics.

See Also

Implementing MultiValue Security

Line 1: Using D Codes in Account Attributes

Lines 5 and 6: Using Retrieval and Update Codes

Line 7: Assigning, Changing and Deleting Account Passwords

Line 8: Using System Privilege Level Codes

Line 9: Using Automatic Logoff

Line 9: Using Account Definition Codes

Line 9: Restricting Access to TCL and Commands

Line 12: Using Process Codes

Using the Accounting History File (ACC)

An Example of a MultiValue Security Scheme

Security-Related Command Summary