Chapter 3 - Generating User Login Security Reports
VINES provides two reporting utilities for user login security:
- StreetTalk Reports
- Log Reports
The StreetTalk REPORT command lets you generate a list of the security settings currently in effect for a group and the users in that group. This command also lets you generate reports specifically showing access allowed to a particular file or directory. Chapter 6, "Generating User Access Reports," explains how to generate this type of user access report.
The log reports for the servers and services keep track of failed login attempts as well as failed attempts to access files and other access violations.
The rest of this chapter explains these reports and how to generate them.
StreetTalk reports contain information on groups and the items in them. When you generate a StreetTalk report, you specify criteria that VINES software uses to find the groups that you want to include in the report.
To generate a StreetTalk report, you can use the command and its switches or you can use the REPORT menus. This command and the menus are available on DOS, Windows, and OS/2 workstations.
The syntax of the REPORT command is as follows:
REPORT [STREETTALK] [/GROUP:] [/OUTPUT:] [/SERVER:]
where STREETTALK indicates that you want to generate a StreetTalk report without using the menus.
/GROUP requests the name of one or more groups, or a StreetTalk pattern on which to base the report. If you specify a group name without an organization, the default is the current organization (that is, the organization of the person logged in at the workstation).
/OUTPUT requests the name of the file to which you want the report written. If you do not specify a file name, the system prompts you for one after you enter the command.
/SERVER requests the name of the server on which you want StreetTalk activity reported.
If you enter REPORT STREETTALK with no switches, the system prompts you for a file name. Once generated, the report includes all StreetTalk groups on all servers. Note that such a report could take a very long time to generate.
The reports are ASCII files, formatted in 8-1/2 inch by 11 inch page size. You can print them from any word processing application that accepts ASCII input.
If you enter REPORT with no switches, the menus appear. The next section describes these menus.
To generate a StreetTalk report using the menus:
1. At the system prompt, enter REPORT.
2. At the StreetTalk Report menu, select StreetTalk naming system.
3. Select the reporting criteria: all groups, one group, groups that match a pattern, or groups maintained on one server.
If you select all groups in the network, you do not need to provide any reporting criteria. The report includes every group on every server.
If you select reporting on groups maintained on a specific server, the size of the report depends on how many groups the selected server maintains.
4. Select a group name, enter a pattern, or select a server as needed.
5. Name the file to which the report should be written, including a directory path if you want to store the file in a directory other than the current directory.
As the program generates the report, it displays a series of messages indicating that the program is generating the report, analyzing <groupname>, and writing the file to <filename>.
To generate additional reports, repeat all of the above steps.
The report file is ready for your use when you see the message:
StreetTalk report written
You can edit, reformat, and print the file using any word processing application that accepts ASCII files. The files are set up to print on 8-1/2-by-11-inch paper. Each page contains a heading that includes the date, time, and group name related to the information on that page.
StreetTalk Explorer Audit and Optimize Programs
StreetTalk Explorer includes Audit and Optimize functions that help you keep list, nickname, and user names current. The Audit function scans the list, nickname, and user names in a group and detects the following possible problems:
- StreetTalk Lists -- Finds any list names, nicknames, and invalid user names that are members of a list.
- StreetTalk Nicknames -- Finds nicknames of nicknames or nicknames of other StreetTalk names that are no longer valid.
- StreetTalk Users -- Finds user names that are disabled, have not logged on in the last 60 days, or have not changed passwords in 60 days.
The Audit function produces four reports in ASCII format:
- LISTS.OUT
- USERS.OUT
- NICKS.OUT
- SUMMARY.OUT
The Optimize function includes the Audit function and additionally repairs a number of problems:
- Lists Members -- Deletes all nicknames and substitutes the real StreetTalk names. Removes all names that are no longer valid.
- Nicknames -- Deletes all nicknames referring to invalid StreetTalk names. Removes any pointer to other nicknames and substitutes the real StreetTalk name.
- Users -- Makes no corrections to user names.
To run these functions, right-click a StreetTalk group on the desktop and select Audit or Optimize.
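The list and nickname checks described above, modelled as an added example (this is not Banyan's code). The data model, the function names, and the sample names are assumptions made for illustration; the user checks (disabled accounts, 60-day thresholds) are left out.

```python
def resolve(name, nicknames, valid):
    """Follow nickname pointers to a real name; None if the chain loops or ends invalid."""
    seen = set()
    while name in nicknames:
        if name in seen:
            return None
        seen.add(name)
        name = nicknames[name]
    return name if name in valid else None

def audit(lists, nicknames, users):
    """Findings only, nothing is changed (list and nickname checks of Audit)."""
    valid = users | set(lists)
    found = []
    for lst in sorted(lists):
        for m in lists[lst]:
            if m in lists:
                found.append((lst, m, "list name in list"))
            elif m in nicknames:
                found.append((lst, m, "nickname in list"))
            elif m not in users:
                found.append((lst, m, "invalid name in list"))
    for nick in sorted(nicknames):
        target = nicknames[nick]
        if target in nicknames:
            found.append((nick, target, "nickname of a nickname"))
        elif target not in valid:
            found.append((nick, target, "nickname of an invalid name"))
    return found

def optimize(lists, nicknames, users):
    """Repaired copies of lists and nicknames, following the Optimize description."""
    valid = users | set(lists)   # assumption: a list name is itself a valid name
    nicks = {n: r for n in nicknames if (r := resolve(n, nicknames, valid))}
    fixed = {}
    for lst, members in lists.items():
        real = [resolve(m, nicknames, valid) for m in members]
        fixed[lst] = list(dict.fromkeys(r for r in real if r))  # drop invalid, dedupe
    return fixed, nicks

# Constructed sample data (invented names in item@group@organization form).
USERS = {"Ann Lee@Sales@Acme", "Bo Diaz@Sales@Acme"}
NICKS = {"ann@Sales@Acme": "Ann Lee@Sales@Acme",
         "al@Sales@Acme": "ann@Sales@Acme",       # nickname of a nickname
         "cy@Sales@Acme": "Cy Ross@Sales@Acme"}   # target no longer exists
LISTS = {"Payroll@Sales@Acme": ["al@Sales@Acme", "Bo Diaz@Sales@Acme",
                                "cy@Sales@Acme", "Dee Kim@Sales@Acme"]}
```

Running audit on the output of optimize returns no findings, which is a quick way to confirm that a repair removed every stale list member and nickname.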
VINES server logs contain information on system and service activity. You may want to use this information when determining the source of security violations.
Using the OPERATE and MSERVICE programs, you can specify what kinds of service log messages are logged. For security reports, use the service log of the VINES Security service. In addition, the logs of the VINES file and AFP (AppleTalk Filing Protocol) services report access violations.
To specify the volume and kinds of messages that are logged, you can set the log level, or mask, for each service. Log levels range from 0 to 5, with level 0 being the lowest level and level 5 the highest. Increasing the log level of any of these services adds more information to the logs. For example, increasing the log level of a file service shows the users of files and access violations.
As you increase the log level, you also increase the volume of messages that are logged. The disadvantage of level 5 is that, because of the volume of messages being logged, the logs overwrite themselves much more quickly, especially the VINES Security service and StreetTalk logs.
The logs have default levels, so you do not need to set a level. However, the advantage of setting a log level is that you can isolate the messages that you require.
Most services maintain two log files that range in size from 10 KB to 50 KB. Because the two log files are rotated, you see only one log file at a time. When one log file is filled, the service discards the contents of the other log file and then writes to it.
When you need a report, you can generate it at the server console or at a DOS, Windows, or OS/2 workstation. You can request the system to display the report on-line or to write it to a file.
To set log levels and generate log reports on multiple services or on a single service, use the Manage Server Logs menu of the OPERATE program. To set a log level or generate a log report for a single service, use the MSERVICE program.
The next two sections describe how to set a log level and generate a log report from your DOS, Windows, or OS/2 workstation.
The procedure you use to set a log level, or mask, depends on whether you are working with multiple services at once or with a single service. Whichever method you select, you must specify the kinds of messages the service or services log by setting a log mask.
Each log level includes messages for that level and all the lower levels. For example, if you select Level 3, all the messages related to Level 3 are logged, as well as Level 2 and Level 1 messages. When you set a log level, it stays in effect for the services you selected until you set a new one for those services.
The six types of log masks are summarized below and the types of events associated with each level, or mask, are defined following the level descriptions.
Level 0
Level 0 means that no events are logged by a service.
Level 1
Level 1 logs alarm events to the service log.
Level 2
Level 2 logs alarm events and warning events to the service log.
Level 3
Level 3 logs alarm events, warning events, and audit events to the service log.
Level 4
Level 4 logs alarm events, warning events, audit events, and information events to the service log.
Level 4 is the default log level for all services, which means that if you do not set a specific log level for a service, the service log level is set to level 4 when the service is created.
Level 5
Level 5 logs alarm events, warning events, audit events, information events, and debug messages to the service log.
Table 3-1 shows the six log mask levels and their associated events.
Event Definitions
This section defines the events recorded at the various levels.
ALARM
An alarm is an event that needs immediate attention, such as a service shutting down, or a communication problem, for example, a lost session or a failure to communicate with another service, or other critical problems.
WARNING
A warning is an event that conveys information about service performance or functions, such as a threshold level being reached, or a recoverable error with a service.
AUDIT
An audit event is an event that indicates security or accounting information, such as a login or logout, or a session with a service becoming active.
INFORMATION
An information event is an event that indicates general information about a service, such as a service starting up, or a change in date.
DEBUG
Debug information is primarily intended for use by Banyan personnel to troubleshoot problems. These debug messages can be difficult to understand.
Setting a Log Level for Several Services
When you set a log level for several services, use the OPERATE menus to select the services and the log level:
1. Run OPERATE and select the appropriate server.
2. At the Operate A Server menu, select MANAGE Server Logs.
3. At the Manage Server Logs menu, select SPECIFY Service Log Levels.
4. At the Select Services menu, select the services for which you are specifying the log levels. Services that you do not select do not have their log level changed. You can select all services by pressing F8.
5. After you have selected services, press F10. The Specify Log Message Level menu appears. This menu displays all log levels. If you do not select a level, the default Level 4 remains in effect.
6. Press F10 to set the level and return to the Manage Server Logs menu.
7. For file services only, stop and then restart the service for the new log level to take effect.
Setting a Log Level for a Single Service
When you set a log level for a single service, use either the OPERATE or MSERVICE program to select the service for which you are setting the level and to select the log level:
1. Run MSERVICE and select the appropriate service. (You can also run OPERATE, select the server on which the service resides, and select the service.)
2. At the Manage A Service menu, select CONTROL service.
3. At the Control A Service menu, choose SPECIFY log mask.
4. At the Specify Log Mask Level menu, select the log level that determines the types of messages that the service will log. If you do not select a level, the default Level 4 remains in effect.
5. Press F10 to set the level and return to the Control A Service menu.
6. For file services, stop and then restart the service for the new log level to take effect.
The way you generate a log report depends on whether you want to report on several services at once and whether you want to specify a time range:
- Use the OPERATE program to generate a log report on several services at once (or on only one service). You can also specify a time range for the messages you want to see.
- Use the MSERVICE program to generate a log report on only a single service. With MSERVICE, you cannot specify a time range.
Note that when you specify a time range, you may get messages from outside the range that you specified. These out-of-range messages are generated by the operating system and cannot be controlled by the service. Because the two log files for a service are rotated, you cannot extract any messages for a time range that you specified if those messages were in the log file that was overwritten.
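The interaction between cumulative log levels, two-file rotation, and the time-range caveat above can be seen in a small model, added here as an example (it is not part of the VINES software). The ServiceLog class, byte accounting, message texts, and workload are assumptions; the 10 KB file size is taken from the range given earlier, and the model assumes a report can read whatever both files still hold.

```python
from datetime import datetime, timedelta

# Event classes in the order the log levels add them; level 0 logs nothing.
CLASSES = ["ALARM", "WARNING", "AUDIT", "INFORMATION", "DEBUG"]

def logged_at(level):
    """Event classes recorded at log level 0..5 (each level includes the lower ones)."""
    if level not in range(6):
        raise ValueError("log level must be 0..5")
    return set(CLASSES[:level])

def parse_when(text):
    """Parse a From/To field in MM/DD/YY,HH:MM form; a blank field means no bound."""
    text = text.strip()
    return datetime.strptime(text, "%m/%d/%y,%H:%M") if text else None

class ServiceLog:
    """Model of one service's two rotating log files (sizes counted in bytes)."""
    def __init__(self, level, file_bytes=10 * 1024):
        self.mask, self.file_bytes = logged_at(level), file_bytes
        self.files, self.used, self.active = [[], []], [0, 0], 0

    def write(self, when, kind, text):
        if kind not in self.mask:
            return                          # filtered out by the log level
        size = len(text) + 1
        if self.used[self.active] + size > self.file_bytes:
            self.active ^= 1                # active file is full: switch files,
            self.files[self.active] = []    # discarding what the other one held
            self.used[self.active] = 0
        self.files[self.active].append((when, kind, text))
        self.used[self.active] += size

    def report(self, start=None, end=None, kind=None):
        """Surviving messages within [start, end], optionally of one event class."""
        return [m for m in sorted(self.files[0] + self.files[1])
                if (start is None or m[0] >= start) and (end is None or m[0] <= end)
                and (kind is None or m[1] == kind)]

def simulate(level, hours=48):
    """Constructed workload: one AUDIT message per hour, one DEBUG message per minute."""
    log, t0 = ServiceLog(level), datetime(1996, 1, 14, 0, 0)
    for minute in range(hours * 60):
        now = t0 + timedelta(minutes=minute)
        if minute % 60 == 0:
            log.write(now, "AUDIT", "constructed: login failed for user X")
        log.write(now, "DEBUG", "constructed: debug trace " + "x" * 60)
    return log
```

With this workload, simulate(3) keeps all 48 audit events, while simulate(5) keeps only the most recent few, so a time range covering the first day returns nothing at level 5.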
Generating a Report for Several Services
To generate a log report for several services at once, perform these steps:
1. Run OPERATE and select the appropriate server.
2. At the Operate A Server menu, select MANAGE server logs.
3. At the Manage Server Logs menu, select GENERATE a log report.
4. At the Select Services menu, select the services whose log messages you want to see. To select all services, press F8.
5. After you have selected services, press F10.
6. At the Specify Time/Date Range menu, specify a time range in the From and To fields. You can use the defaults or enter your own time range.
If you delete the defaults and leave the From and To fields blank, all the messages logged by the selected services are displayed.
Use the following format to specify a beginning and ending time:
MM/DD/YY,HH:MM
For example, specifying 01/14/96,00:30 in the From field and 01/16/96,12:30 in the To field displays all messages logged from 12:30 a.m. on January 14, 1996 to 12:30 p.m. on January 16, 1996.
7. Press ENTER after specifying the time range. A message appears indicating that the report is being generated. You have the option of canceling the report.
Generating a Report for a Single Service
To generate a log report for a single service, perform the following steps:
1. Run MSERVICE and select the appropriate service.
2. At the Manage A Service menu, choose CONTROL the Service.
3. At the Control A Service menu, choose GENERATE log report. A message appears indicating that the report is being generated. You can cancel the report at any time by pressing ESC or ENTER.
After the log report is generated for either multiple services or a single service, the Manage Log Report menu appears.
The Manage Log Report menu allows you to view log messages and write log messages to a file. These functions are described in the next two sections.
Viewing Log Messages
To view the log report on-line, perform these steps:
1. From the Manage Log Report menu, select View Log Messages. A screen appears that displays the log report.
2. Use the keys in Table 3-2 to locate specific messages.
3. When you finish viewing log messages, press ESC.
4. When the Manage Log Report menu returns, you can:
- Select Write Log Messages to a File to save the log report.
- Press ESC to return to the Control A Service menu.
Note that if you press ESC from the Manage Log Report menu without viewing the log report or writing it to a file, the system asks whether you want to write the report to a file:
- Press ENTER if you want to write the report to a file.
- Highlight NO and press ENTER if you want to exit.
Writing Log Messages to a File
To write the log messages to a file, perform these steps:
1. From the Manage Log Report menu, select Write Log Messages to a File.
2. When the system prompts you for a file name, enter a name for the file in which you want to store the report.
After you press ENTER, the system stores the log report in the file, and you return to the Manage Log Report menu. A message at the bottom of the menu indicates that the report has been written to the file you named.
3. Press ESC to return to the Control A Service menu.
Note that if you press ESC from the Manage Log Report menu without viewing the log report or writing it to a file, the system asks whether you want to write the report to a file:
- Press ENTER if you want to write the report to a file.
- Highlight NO and press ENTER if you want to exit.