From: SMTP%"ARNE@ko.hhs.dk" 10-NOV-1994 14:41:17.88
To: EVERHART
CC:
Subj: Re: Where are VMS Intrusion Records?

From: Arne Vajhoej
X-Newsgroups: comp.os.vms
Subject: Re: Where are VMS Intrusion Records?
Message-ID: <01HJBR1AQQGI8WWLKU@kopc.hhs.dk>
Date: Thu, 10 Nov 1994 19:54:09 +0100
Organization: Info-Vax<==>Comp.Os.Vms Gateway
X-Gateway-Source-Info: Mailing List
Lines: 123
To: Info-VAX@Mvb.Saic.Com

> I have been trying to find out the complete Intrusion entry
> expiration time, but have been unable to.
>
> When you use the DCL command SHOW INTRUSION, it only displays the
> time in hours, minutes and seconds. However, it is possible that
> this time could be in several days time.
>
> I assume that the Intrusion records are held in memory, and this
> must be in system space (S0 or S1) and that the time is stored as
> a quadword. Unfortunately, there is no mention of the data
> structures used for system security in "VMS Data Structures &
> Internals" (that I can find) and I don't have access to the
> source code (I expected it isn't in there either).
>
> Does anyone know how to obtain the COMPLETE intrusion expiration
> date-time?

The base is placed at CIA$GQ_INTRUDER and the structures are defined
in $CIADEF in SYS$LIBRARY:LIB.MLB ! (privs required !)

Because it is such a long time since I have seen a good piece of MACRO32
posted to INFO-VAX, I have written a small example, which is
attached below. CMEXEC priv required. VMS VAX only.

It would probably be more "correct" to CMKRNL and take out the CIA
Mutex, but I prefer to stay in EXEC mode if possible (you know: those
nasty access violations!).

                                                          Arne

Arne Vajhøj                             local DECNET:  KO::ARNE
Computer Department                     PSI:           PSI%238310013040::ARNE
Business School of Southern Denmark     Internet:      ARNE@KO.HHS.DK
                                        WWW URL:       http://www.hhs.dk/~arne/arne.html

================================================================================
TEST_CIALST.FOR
---------------
C     Print the status returned by CIALST, then every intrusion source
C     with its expiration time formatted as a full date-time.
      INTEGER*4 N,T(2,500),I
      CHARACTER*23 AT
      CHARACTER*40 S(500)
      INTEGER*4 CIALST
      WRITE(*,*) CIALST(S,N,T)
      DO 100 I=1,N
        CALL SYS$ASCTIM(,AT,T(1,I),)
        WRITE(*,*) S(I),AT
100   CONTINUE
      END

CIALST.MAR
----------
        .title  cialst
;
;  Author : Arne Vajhøj
;
;  Programmed : November 1994 by Arne Vajhøj
;
;  Purpose : lookup all intrusion records
;
        .link   "sys$system:sys.stb"/selective_search
        .library "SYS$LIBRARY:LIB"
        $SSDEF
        $CIADEF
        .psect  $CODE quad,pic,con,lcl,shr,exe,nowrt
;
;  Entry : CIALST ( SRC, NSRC, TIM )
;
;  Functionality : Lookup all intrusion records with source and date
;
;  Arguments : SRC
;                 source
;                 fixed length character string passed by descriptor (array)
;                 writeonly
;
;              NSRC
;                 number of sources
;                 longword passed by reference
;                 writeonly
;
;              TIM
;                 time
;                 quadword passed by reference (array)
;                 writeonly
;
;  Privileges required : CMEXEC
;
;  Return codes : SS$_NORMAL     successful
;                 SS$_NOPRIV     no CMEXEC privilege present
;
;  Bugs : Please mail bug-reports to ARNE@KO.HHS.DK (Arne Vajhøj).
;
; The register save masks after ^m are missing from this copy of the post;
; the masks below are an assumption, rebuilt from the registers each routine
; modifies (MOVC3 uses r0-r5; r0 and r1 need not be saved).
;
        .entry  cialst,^m<>
        pushl   ap
        pushab  G^cialst2
        calls   #2,G^SYS$CMEXEC         ; executive-mode call of cialst2
        cmpl    r0,#SS$_NORMAL
        bneq    100$
        ret
100$:   clrl    @B^8(ap)                ; call failed: report nsrc=0
        ret
        .entry  cialst2,^m<r2,r3,r4,r5,r6,r7,r9,r10,r11>
        movl    B^4(ap),r6              ; address of SRC descriptor
        movzwl  (r6),r7                 ; length of character
        movl    B^4(r6),r6              ; address of character
        clrl    @B^8(ap)                ; nsrc=0
        movl    B^12(ap),r9             ; address of time
        movab   @#CIA$GQ_INTRUDER,r10   ; address of intrusion database
        movl    r10,r11
100$:   cmpl    B^CIA$L_FLINK(r11),r10  ; test if circled
        beql    200$
        movl    B^CIA$L_FLINK(r11),r11  ; next record
        movc3   r7,B^CIA$T_DATA(r11),(r6) ; get source
        addl2   r7,r6                   ; advance to next SRC element
        movq    B^CIA$Q_TIME(r11),(r9)+ ; get time
        incl    @B^8(ap)                ; nsrc=nsrc+1
        brb     100$
200$:   movl    #SS$_NORMAL,r0
        ret
        .end
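
Added example, not part of the original post or of Arne Vajhøj's code: a Python sketch that decodes the quadword times returned in T(2,N) by the test program above into full date-times, so entries that expire more than a day ahead stand out. The function names and sample records are constructed for illustration; it assumes the standard VMS time format (100 ns ticks since 17-NOV-1858, negative values being delta times).

```python
from datetime import datetime, timedelta

# VMS absolute time: 100 ns ticks since 17-NOV-1858 00:00:00.
VMS_EPOCH = datetime(1858, 11, 17)

def quad_from_longwords(low, high):
    """Join T(1,I) and T(2,I) (signed INTEGER*4) into a signed quadword."""
    value = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    return value - (1 << 64) if value & (1 << 63) else value

def decode_vms_time(low, high):
    """datetime for an absolute time, timedelta for a delta (negative) time."""
    quad = quad_from_longwords(low, high)
    span = timedelta(microseconds=abs(quad) // 10)
    return span if quad < 0 else VMS_EPOCH + span

def encode_vms_time(when):
    """Inverse of decode_vms_time for absolute times; builds the sample data."""
    delta = when - VMS_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    signed = lambda v: v - (1 << 32) if v & 0x80000000 else v
    return signed(ticks & 0xFFFFFFFF), signed(ticks >> 32)

def expiring_beyond_a_day(records, now):
    """Return (source, expiry) for records that expire more than 24 h after now."""
    late = []
    for source, low, high in records:
        expiry = decode_vms_time(low, high)
        if isinstance(expiry, datetime) and expiry - now > timedelta(days=1):
            late.append((source, expiry))
    return late

# Constructed sample records (hypothetical sources), shaped like S(I), T(1,I), T(2,I).
SAMPLE = [
    ("TTA1:", *encode_vms_time(datetime(1994, 11, 10, 14, 25, 30))),
    ("NODEA::GUEST", *encode_vms_time(datetime(1994, 11, 13, 14, 25, 30))),
]

if __name__ == "__main__":
    now = datetime(1994, 11, 10, 14, 0, 0)
    for source, low, high in SAMPLE:
        print(f"{source:<16}{decode_vms_time(low, high):%d-%b-%Y %H:%M:%S}")
    print("more than a day out:", expiring_beyond_a_day(SAMPLE, now))
```

Both sample entries share the same hours, minutes and seconds, so only the decoded date separates the one that expires today from the one that expires three days later.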