Library /sys$common/syshlp/helplib.hlb  —  System Services, $SCAN INTRUSION
    Scans the intrusion database for suspects or intruders during a
    login attempt, audits login failures and updates records, or adds
    new records to the intrusion database.

    Format

      SYS$SCAN_INTRUSION  logfail_status ,failed_user ,job_type
                          ,[source_terminal] ,[source_node]
                          ,[source_user] ,[source_address]
                          ,[failed_password] ,[parent_user]
                          ,[parent_id] ,[flags]

    C Prototype

      int sys$scan_intrusion  (unsigned int logfail_status,
                              void *failed_user,
                              unsigned int job_type,
                              void *source_terminal,
                              void *source_node,
                              void *source_user,
                              void *source_address,
                              void *failed_password,
                              void *parent_user,
                              unsigned int parent_id,
                              unsigned int flags);

1  –  Arguments

 logfail_status

    OpenVMS usage:status code
    type:         longword (unsigned)
    access:       read only
    mechanism:    by value
    Reason why the user's login attempt failed. The logfail_status
    argument is a longword containing the login failure status code.

    The logfail_status argument can contain any valid message code.
    For example, the value of the logfail_status argument is
    SS$_NOSUCHUSER if the user name the user entered does not exist
    on the system.

    If the logfail_status argument contains a failure status, the
    service performs a suspect scan. Here, the service searches the
    intrusion database for intruder suspects as well as intruders.
    If the value of the logfail_status argument is a successful
    message, such as SS$_NORMAL, the service scans the database only
    for intruders. For more information about how the database works,
    see the VSI OpenVMS Guide to System Security.

 failed_user

    OpenVMS usage:char_string or item_list_3
    type:         character-coded text string or longword (unsigned)
    access:       read only
    mechanism:    by descriptor-fixed-length string descriptor or by
                  reference
    If the CIA$M_ITEMLIST flag is FALSE:

    This argument is the user name associated with the unsuccessful
    login attempt. The failed_user argument is the address of a
    character-string descriptor pointing to the failed user name.

    A failed user name consists of 1 to 32 alphanumeric characters.

    If the CIA$M_ITEMLIST flag is TRUE:

    The failed_user argument is the address of a 32-bit item list. If
    the item list is used, one item, the CIA$_FAILED_USERNAME item,
    must be present in the item list.

    The following table lists the valid item descriptions for the
    failed_user argument:

    Item                    Description

    CIA$_FAILED_USERNAME    Address of a buffer containing the failed user
                            name.
    CIA$_SCSNODE            Address of the 8-character null-padded SCS
                            node name on which the intrusion happened.
    CIA$_USER_DATA          Address of a 256-byte buffer, available for
                            passing third-party specified data.

 job_type

    OpenVMS usage:job type
    type:         longword (unsigned)
    access:       read only
    mechanism:    by value
    Type of job that failed. The job_type argument is a longword
    indicating the type of job that failed.

    The $JPIDEF macro defines the following values for the job_type
    argument:

    o  JPI$K_BATCH

    o  JPI$K_DETACHED

    o  JPI$K_DIALUP

    o  JPI$K_LOCAL

    o  JPI$K_NETWORK

    o  JPI$K_REMOTE

 source_terminal

    OpenVMS usage:char_string
    type:         character-coded text string
    access:       read only
    mechanism:    by descriptor-fixed-length string descriptor
    Source terminal where the login attempt is occurring. The
    source_terminal argument is the address of a character-string
    descriptor pointing to the device name of the terminal from which
    the login attempt originates.

    A source terminal device name consists of 1 to 64 alphanumeric
    characters, including underscores (_) and colons (:).

 source_node

    OpenVMS usage:char_string
    type:         character-coded text string
    access:       read only
    mechanism:    by descriptor-fixed-length string descriptor
    Name of the node from which the user's login attempt originates.
    The source_node argument is the address of a character-string
    descriptor pointing to the source node name string.

    A source node name consists of 1 to 1024 characters. No specific
    characters, format, or case is required for a source node name
    string.

 source_user

    OpenVMS usage:char_string
    type:         character-coded text string
    access:       read only
    mechanism:    by descriptor-fixed-length string descriptor
    User name associated with the login attempt. The source_user
    argument is the address of a character-string descriptor pointing
    to the source user name string.

    A source user name consists of 1 to 32 alphanumeric characters,
    including dollar signs ($) and underscores (_).

 source_addr

    OpenVMS usage:node address
    type:         descriptor
    access:       read only
    mechanism:    by reference
    Source DECnet for OpenVMS address from which the login attempt
    originates. The source_addr argument is the address of a
    descriptor containing the source node address.

 failed_password

    OpenVMS usage:char_string
    type:         character-coded text string
    access:       read only
    mechanism:    by descriptor-fixed-length string descriptor
    Password the user entered for the login attempt. The
    failed_password argument is the address of a character-string
    descriptor pointing to the plaintext password the user entered to
    log in.

    A failed password is a password of 0 to 32 characters that did
    not allow the user to log in to the system. This argument is not
    stored in the intrusion database and is only used for auditing
    during break-in attempts.

 parent_user

    OpenVMS usage:char_string
    type:         character-coded text string
    access:       read only
    mechanism:    by descriptor-fixed-length string descriptor
    Parent process name of the failed login. The parent_user argument
    is the address of a character-string descriptor pointing to the
    parent process name of the failed login process.

    A parent process name consists of 1 to 15 characters. This
    argument should be specified only for failed spawn commands.

 parent_id

    OpenVMS usage:process_id
    type:         longword (unsigned)
    access:       read only
    mechanism:    by value
    Process identification of the parent process from which the login
    was attempted. The parent_id argument is a longword containing
    the parent process identification.

 flags

    OpenVMS usage:mask_longword
    type:         longword (unsigned)
    access:       read only
    mechanism:    by value
    Operational instructions for the service. The flags argument is a
    longword bit mask wherein each bit corresponds to an option.

    Each flag option has a symbolic name. The $CIADEF macro defines
    the following valid names for the $SCAN_INTRUSION service:

    Symbolic Name              Description

    CIA$M_NOAUDIT              If set, this flag indicates that the service
                               should instruct the security server to not
                               audit the login failure or the break-in
                               attempt. If the flag is set, you are expected
                               to do your own auditing.
    CIA$M_IGNORE_RETURN        Specifies that the service should not wait for
                               the return status from the security server. No
                               return status from the server's function will
                               be returned to the caller.
    CIA$M_ITEMLIST             If FALSE, the failed_user argument is a
                               character string. If TRUE, this argument is
                               a 32-bit item list.
    CIA$M_REAL_USERNAME        If set, indicates that the user name passed as
                               the failed user name is real and known to the
                               system.
    CIA$M_SECONDARY_PASSWORD   Indicates that the failed password passed to
                               the service was the secondary password. If the
                               flag is clear, the password is assumed to be
                               the primary password.
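
    The following is an added example, not part of the original help text
    or of OpenVMS itself: a portable pre-call check that applies the length
    and character limits stated in the argument descriptions above to the
    string arguments before descriptors are built for them. The names
    struct cstr, RULES and first_bad_arg are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Counted string, like a fixed-length string descriptor: no NUL terminator needed. */
struct cstr { const char *ptr; size_t len; };

/* Limits exactly as stated in the argument descriptions on this page. */
static const struct rule {
    const char *arg;      /* argument name from the Format section */
    size_t min, max;      /* allowed length range, inclusive */
    const char *extra;    /* NULL: any character; else alphanumerics plus these */
} RULES[] = {
    { "failed_user",     1,   32, ""   },
    { "source_terminal", 1,   64, "_:" },
    { "source_node",     1, 1024, NULL },
    { "source_user",     1,   32, "$_" },
    { "failed_password", 0,   32, NULL },
    { "parent_user",     1,   15, NULL },
};
#define NRULES (sizeof RULES / sizeof RULES[0])

static int rule_ok(const struct rule *r, const struct cstr *s)
{
    if (s->len < r->min || s->len > r->max)
        return 0;
    for (size_t i = 0; r->extra && i < s->len; i++) {
        unsigned char c = (unsigned char)s->ptr[i];
        if (!isalnum(c) && (c == '\0' || !strchr(r->extra, c)))
            return 0;     /* embedded NUL or a character outside the allowed set */
    }
    return 1;
}

/* args[i] pairs with RULES[i]; a NULL entry means the optional argument is omitted.
   Returns the name of the first argument that breaks its rule, or NULL if all pass. */
const char *first_bad_arg(const struct cstr *const args[NRULES])
{
    for (size_t i = 0; i < NRULES; i++) {
        if (args[i] == NULL) {
            if (i == 0) return RULES[0].arg;   /* failed_user is required */
            continue;
        }
        if (!rule_ok(&RULES[i], args[i]))
            return RULES[i].arg;
    }
    return NULL;
}
```

    source_node and source_user describe the originating side of the login
    attempt, so a caller relaying them from a network peer should run this
    check before the strings reach the service.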