Scans the intrusion database for suspects or intruders during a login attempt, audits login failures and updates records, or adds new records to the intrusion database.

Format

   SYS$SCAN_INTRUSION  logfail_status ,failed_user ,job_type
                       ,[source_terminal] ,[source_node] ,[source_user]
                       ,[source_address] ,[failed_password] ,[parent_user]
                       ,[parent_id] ,[flags]

C Prototype

   int sys$scan_intrusion (unsigned int logfail_status, void *failed_user,
                           unsigned int job_type, void *source_terminal,
                           void *source_node, void *source_user,
                           void *source_address, void *failed_password,
                           void *parent_user, unsigned int parent_id,
                           unsigned int flags);

1 – Arguments

logfail_status

   OpenVMS usage: status code
   type:          longword (unsigned)
   access:        read only
   mechanism:     by value

   Reason why the user's login attempt failed. The logfail_status argument is a longword containing the login failure status code.

   The logfail_status argument can contain any valid message code. For example, the value of the logfail_status argument is SS$_NOSUCHUSER if the user name the user entered does not exist on the system.

   If the logfail_status argument contains a failure status, the service performs a suspect scan. Here, the service searches the intrusion database for intruder suspects as well as intruders. If the value of the logfail_status argument is a successful message, such as SS$_NORMAL, the service scans the database only for intruders. For more information about how the database works, see the VSI OpenVMS Guide to System Security.

failed_user

   OpenVMS usage: char_string or item_list_3
   type:          character-coded text string or longword (unsigned)
   access:        read only
   mechanism:     by descriptor-fixed-length string descriptor or by reference

   If the CIA$M_ITEMLIST flag is FALSE:

   This argument is the user name associated with the unsuccessful login attempt. The failed_user argument is the address of a character-string descriptor pointing to the failed user name. A failed user name consists of 1 to 32 alphanumeric characters.

   If the CIA$M_ITEMLIST flag is TRUE:

   The failed_user argument is the address of a 32-bit item list. If the item list is used, one item, the CIA$_FAILED_USERNAME item, must be present in the item list.

   The following table lists the valid item descriptions for the failed_user argument:

   Item                    Description
   CIA$_FAILED_USERNAME    Address of a buffer containing the failed user
                           name.
   CIA$_SCSNODE            Address of the 8-character null-padded SCS node
                           name on which the intrusion happened.
   CIA$_USER_DATA          Address of a 256-byte buffer, available for
                           passing third party specified data.

job_type

   OpenVMS usage: job type
   type:          longword (unsigned)
   access:        read only
   mechanism:     by value

   Type of job that failed. The job_type argument is a longword indicating the type of job that failed. The $JPIDEF macro defines the following values for the job_type argument:

   o  JPI$K_BATCH
   o  JPI$K_DETACHED
   o  JPI$K_DIALUP
   o  JPI$K_LOCAL
   o  JPI$K_NETWORK
   o  JPI$K_REMOTE

source_terminal

   OpenVMS usage: char_string
   type:          character-coded text string
   access:        read only
   mechanism:     by descriptor-fixed-length string descriptor

   Source terminal where the login attempt is occurring. The source_terminal argument is the address of a character-string descriptor pointing to the device name of the terminal from which the login attempt originates. A source terminal device name consists of 1 to 64 alphanumeric characters, including underscores (_) and colons (:).

source_node

   OpenVMS usage: char_string
   type:          character-coded text string
   access:        read only
   mechanism:     by descriptor-fixed-length string descriptor

   Name of the node from which the user's login attempt originates. The source_node argument is the address of a character-string descriptor pointing to the source node name string. A source node name consists of 1 to 1024 characters. No specific characters, format, or case is required for a source node name string.

source_user

   OpenVMS usage: char_string
   type:          character-coded text string
   access:        read only
   mechanism:     by descriptor-fixed-length string descriptor

   User name associated with the login attempt. The source_user argument is the address of a character-string descriptor pointing to the source user name string. A source user name consists of 1 to 32 alphanumeric characters, including dollar signs ($) and underscores (_).

source_addr

   OpenVMS usage: node address
   type:          descriptor
   access:        read only
   mechanism:     by reference

   Source DECnet for OpenVMS address from which the login attempt originates. The source_addr argument is the address of a descriptor containing the source node address.

failed_password

   OpenVMS usage: char_string
   type:          character-coded text string
   access:        read only
   mechanism:     by descriptor-fixed-length string descriptor

   Password the user entered for the login attempt. The failed_password argument is the address of a character-string descriptor pointing to the plaintext password the user entered to log in. A failed password is a password of 0 to 32 characters that did not allow the user to log in to the system.

   This argument is not stored in the intrusion database and is only used for auditing during break-in attempts.

parent_user

   OpenVMS usage: char_string
   type:          character-coded text string
   access:        read only
   mechanism:     by descriptor-fixed-length string descriptor

   Parent process name of the failed login. The parent_user argument is the address of a character-string descriptor pointing to the parent process name of the failed login process. A parent process name consists of 1 to 15 characters.

   This argument should be specified only for failed spawn commands.

parent_id

   OpenVMS usage: process_id
   type:          longword (unsigned)
   access:        read only
   mechanism:     by value

   Process identification of the parent process from which the login was attempted. The parent_id argument is a longword containing the parent process identification.

flags

   OpenVMS usage: mask_longword
   type:          longword (unsigned)
   access:        read only
   mechanism:     by value

   Operational instructions for the service. The flags argument is a longword bit mask wherein each bit corresponds to an option.

   Each flag option has a symbolic name. The $CIADEF macro defines the following valid names for the $SCAN_INTRUSION service:

   Symbolic Name              Description
   CIA$M_NOAUDIT              If set, this flag indicates that the service
                              should instruct the security server to not
                              audit the login failure or the break-in
                              attempt. If the flag is set, you are expected
                              to do your own auditing.
   CIA$M_IGNORE_RETURN        Specifies that the service should not wait for
                              the return status from the security server.
                              No return status from the server's function
                              will be returned to the caller.
   CIA$M_ITEMLIST             If FALSE, the failed_user argument is a
                              character string. If TRUE, this argument is a
                              32-bit item list.
   CIA$M_REAL_USERNAME        If set, indicates that the user name passed as
                              the failed user name is real and known to the
                              system.
   CIA$M_SECONDARY_PASSWORD   Indicates that the failed password passed to
                              the service was the secondary password. If the
                              flag is clear, the password is assumed to be
                              the primary password.
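
Added example (not VSI code and not part of the original page): a C pre-call check of the string arguments against the limits given in the argument descriptions above, followed by a wrapper that reports a failed network login. The names field_ok, scan_args_ok and report_network_failure are hypothetical; the wrapper compiles only where __VMS is defined and uses the descriptor definitions from descrip.h.

```c
/* Added example, not VSI code: check SYS$SCAN_INTRUSION string arguments. */
#include <ctype.h>
#include <string.h>
#ifdef __VMS
#include <descrip.h>
#include <jpidef.h>
#include <starlet.h>
#endif

/* extra: characters allowed besides alphanumerics; NULL: no charset rule. */
static int field_ok(const char *s, size_t min, size_t max, const char *extra)
{
    size_t i, n = s ? strlen(s) : 0;
    if (!s || n < min || n > max)
        return 0;
    for (i = 0; extra && i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr(extra, s[i]))
            return 0;
    return 1;
}

/* Optional arguments may be NULL (omitted); failed_user is required. */
int scan_args_ok(const char *failed_user, const char *source_terminal,
                 const char *source_node, const char *source_user)
{
    return field_ok(failed_user, 1, 32, "")
        && (!source_terminal || field_ok(source_terminal, 1, 64, "_:"))
        && (!source_node || field_ok(source_node, 1, 1024, NULL))
        && (!source_user || field_ok(source_user, 1, 32, "$_"));
}

#ifdef __VMS
/* Hypothetical wrapper. failed_password is omitted by choice so the plaintext
 * is not passed on. Returns 0 without calling the service when a string is
 * out of range; the caller should then audit that attempt itself. */
int report_network_failure(unsigned int logfail_status, char *failed_user,
                           char *source_node, char *source_user)
{
    struct dsc$descriptor_s u = { 0, DSC$K_DTYPE_T, DSC$K_CLASS_S, failed_user };
    struct dsc$descriptor_s n = { 0, DSC$K_DTYPE_T, DSC$K_CLASS_S, source_node };
    struct dsc$descriptor_s r = { 0, DSC$K_DTYPE_T, DSC$K_CLASS_S, source_user };
    if (!source_node || !source_user
        || !scan_args_ok(failed_user, NULL, source_node, source_user))
        return 0;
    u.dsc$w_length = (unsigned short)strlen(failed_user);
    n.dsc$w_length = (unsigned short)strlen(source_node);
    r.dsc$w_length = (unsigned short)strlen(source_user);
    return sys$scan_intrusion(logfail_status, &u, JPI$K_NETWORK, 0, &n, &r,
                              0, 0, 0, 0, 0);
}
#endif
```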