AUDITing question (file creation failure) - VMS

This is a discussion on AUDITing question (file creation failure) - VMS ; Hi I'm trying to find out what file some program is trying to create, and where. My guess is that is is trying to *create* a file, anyway. Currently the application only returns this: %RMS-E-PRV, insufficient privilege or file protection ...

+ Reply to Thread
Results 1 to 7 of 7

Thread: AUDITing question (file creation failure)

  1. AUDITing question (file creation failure)

    Hi

    I'm trying to find out what file some program is trying to create, and
    where.
    My guess is that is is trying to *create* a file, anyway.

    Currently the application only returns this:

    %RMS-E-PRV, insufficient privilege or file protection violation

    I tried setting:
    $ REPLY/ENABLE

    $ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=FAILURE /CLASS=FILE

    But that returns nothing I believe because the program is not attempting to
    access a file but it tries to *create* one

    Well I could have add an error on the .DIR, but I get nothing.

    I also tried with this:
    $ SET AUDIT/ALARM/AUDIT/ENABLE=CREATE /CLASS=FILE

    and although it does return something when a file is successfully created,
    it doesn't give anything for a file that could not be created due to
    protection violation.


    So.... How can I audit a file creation failure ?

    Thanks !

    --
    Syltrem
    http://pages.infinit.net/syltrem (OpenVMS information and help, en franšais)



  2. Re: AUDITing question (file creation failure)

    In article <13iujs049d8gq60@corp.supernews.com>, "Syltrem" writes:
    > Hi
    >
    > I'm trying to find out what file some program is trying to create, and
    > where.
    > My guess is that is is trying to *create* a file, anyway.
    >
    > Currently the application only returns this:
    >
    > %RMS-E-PRV, insufficient privilege or file protection violation
    >
    > I tried setting:
    > $ REPLY/ENABLE
    >
    > $ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=FAILURE /CLASS=FILE
    >
    > But that returns nothing I believe because the program is not attempting to
    > access a file but it tries to *create* one
    > $ SET AUDIT/ALARM/AUDIT/ENABLE=CREATE /CLASS=FILE
    >
    > and although it does return something when a file is successfully created,
    > it doesn't give anything for a file that could not be created due to
    > protection violation.
    >


    Have you tried:

    $ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=CREATE

    , or:

    $ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=ALL

    (that will tend to be noisy)?

    If you have some idea of what file, you might try creating it with
    access controls that block the program from creating a new version,
    and putting an audit ACL on it.

    It's possible that the program is trying to create a new version of
    an existing file, but can't because of a version limit and no delete
    access to the oldest version, or having reached ;32767, or something
    similar.


  3. Re: AUDITing question (file creation failure)


    "Bob Koehler" wrote in message
    news:NBkHTBaTE3LC@eisner.encompasserve.org...
    > In article <13iujs049d8gq60@corp.supernews.com>, "Syltrem"
    > writes:
    >> Hi
    >>
    >> I'm trying to find out what file some program is trying to create, and
    >> where.
    >> My guess is that is is trying to *create* a file, anyway.
    >>
    >> Currently the application only returns this:
    >>
    >> %RMS-E-PRV, insufficient privilege or file protection violation
    >>
    >> I tried setting:
    >> $ REPLY/ENABLE
    >>
    >> $ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=FAILURE /CLASS=FILE
    >>
    >> But that returns nothing I believe because the program is not attempting
    >> to
    >> access a file but it tries to *create* one
    >> $ SET AUDIT/ALARM/AUDIT/ENABLE=CREATE /CLASS=FILE
    >>
    >> and although it does return something when a file is successfully
    >> created,
    >> it doesn't give anything for a file that could not be created due to
    >> protection violation.
    >>

    >
    > Have you tried:
    >
    > $ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=CREATE
    >


    $ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=CREATE
    %DCL-W-IVKEYW, unrecognized keyword - check validity and spelling
    \CREATE\
    $

    --> OVMS 7.1 VAX



    > , or:
    >
    > $ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=ALL
    >
    > (that will tend to be noisy)?
    >



    It will probably be very noisy indeed, and may not even yield the expected
    result (as there is no file access per say)

    > If you have some idea of what file, you might try creating it with
    > access controls that block the program from creating a new version,
    > and putting an audit ACL on it.
    >
    > It's possible that the program is trying to create a new version of
    > an existing file, but can't because of a version limit and no delete
    > access to the oldest version, or having reached ;32767, or something
    > similar.
    >


    I believe the program is trying to do an ANAL/RMS/FDL on a file, but I can't
    say for sure.

    I'll try to create an .FDL file with the same name and see, but the one it
    creates may not have the same name as the .DAT file.

    Syltrem



  4. Re: AUDITing question (file creation failure)

    Syltrem wrote:
    > %RMS-E-PRV, insufficient privilege or file protection violation


    Some fancier applications test access prior to actually doing the file
    access. The error code you are seeing might just have been hardcoded
    into the program after it has tested the file access capability and
    decided it couldn't access it.

    One possible way, of the AUDIT doesn't work is to so a
    SET WATCH FILE/CLASS=ALL (with mighty privs enables, then disable the
    mighty privs and run the aplication). Lots of output. But the temtative
    file access failure should happen not far from where the RMS-E error
    message is issued.


    BTW, on my system, I use an older SET AUDIT:

    $ SET AUDIT /ALARM
    /ENABLE=(AUTHORIZATION,BREAKIN=ALL,FILE_ACCESS=FAIL URE,ACL)
    $ SET AUDIT /ALARM /ENABLE=(LOGFAILURE=ALL,LOGIN=DIALUP,LOGOUT=DIALUP)
    $ SET AUDIT /ALARM /ENABLE=(MOUNT,AUDIT)

    This also generates opcom messages when Mozilla tries to delete a file
    it is still using. (for instance, in a RELOAD of a page).

  5. Re: AUDITing question (file creation failure)

    Another thing you can do is to set an ACL alarm on any directory file
    you suspect the application needs access to. I don't recall the exact
    syntax, but you can add an alarm ACL on any file at which point any
    access to the file generates an opcom message.

  6. Re: AUDITing question (file creation failure)

    In article <13iujs049d8gq60@corp.supernews.com>, "Syltrem" writes:

    > Currently the application only returns this:
    >
    > %RMS-E-PRV, insufficient privilege or file protection violation


    > So.... How can I audit a file creation failure ?


    Enable auditing (or alarming) for failed use of privilege.
    That should be an infrequent circumstance on a well-behaved system.

  7. Re: AUDITing question (file creation failure)

    Syltrem wrote:
    > Hi
    >
    > I'm trying to find out what file some program is trying to create, and
    > where.
    > My guess is that is is trying to *create* a file, anyway.
    >
    > Currently the application only returns this:
    >
    > %RMS-E-PRV, insufficient privilege or file protection violation
    >
    > I tried setting:
    > $ REPLY/ENABLE
    >
    > $ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=FAILURE /CLASS=FILE
    >
    > But that returns nothing I believe because the program is not attempting to
    > access a file but it tries to *create* one
    >
    > Well I could have add an error on the .DIR, but I get nothing.
    >
    > I also tried with this:
    > $ SET AUDIT/ALARM/AUDIT/ENABLE=CREATE /CLASS=FILE
    >
    > and although it does return something when a file is successfully created,
    > it doesn't give anything for a file that could not be created due to
    > protection violation.
    >
    >
    > So.... How can I audit a file creation failure ?
    >
    > Thanks !
    >



    Have you considered getting a better program? A well written program
    would tell you what file it was trying to create!

    If the program has documentation, you might try reading it to see what
    files it expects to create, what logical names it expects to find, etc, etc.

    Based on the evidence presented, there's no guarantee that it's trying
    to create a file! It could be trying to write to an existing file or
    even trying to READ a file.

    If you don't mind risking a system crash, you might try the undocumented
    and unsupported SET WATCH command.

    From memory the command is SET WATCH /CLASSS=MAJOR FILE or something
    like that.


+ Reply to Thread