Document revision date: 19 July 1999

OpenVMS System Services Reference Manual



The context for a security management operation can be established through either $GET_SECURITY or $SET_SECURITY. Whenever the context is set by one service, the other service can use it provided the necessary locks are being held. A caller to $GET_SECURITY needs to set the write lock flag (OSS$M_WLOCK) to inspect a profile value, maintain the lock on the object's profile, and then modify some value through a call to $SET_SECURITY.

There are many situations in which the contxt argument is essential. By establishing a context for an ACL operation, for example, a caller can retain an ACL position across calls to $GET_SECURITY so that a set of ACEs can be read and modified sequentially. A security context is released by a call to $SET_SECURITY or $GET_SECURITY that sets the OSS$M_RELCTX flag. Once the context is deleted, the user-supplied context longword is reset to 0.

Required Access or Privileges

Control access to the object is required.

Required Quota

None

Related Services

$GET_SECURITY


Condition Values Returned

SS$_NORMAL The service completed successfully.
SS$_ACCVIO The parameter cannot be read and the buffer cannot be written.
SS$_BADPARAM You specified an invalid object, attribute code, or item size.
SS$_INSFARG The clsnam and objnam arguments are not specified, the clsnam and objhan arguments are not specified, or the contxt argument is not specified.
SS$_INVBUFLEN The buffer size for one of the item codes was invalid.
SS$_INVCLSITM The item code that you specified is not supported for the class.
SS$_MMATORB The attempted update cannot be performed. The object profile was changed by another process.
SS$_NOCLASS The named object class does not exist.
SS$_OBJLOCKED The selected object is currently write locked.

$SHOW_INTRUSION

Searches for and returns information about records in the intrusion database matching the caller's specifications.

Format

SYS$SHOW_INTRUSION user_criteria ,intruder ,intruder_len ,breakin_block ,[flags] ,[context]


C Prototype

int sys$show_intrusion (void *user_criteria, void *intruder, unsigned short int *intruder_len, void *breakin_block, unsigned int flags, unsigned int *context);


Arguments

user_criteria


OpenVMS usage: char_string
type: character-coded text string
access: read only
mechanism: by descriptor--fixed-length string descriptor

Description of intruder or suspect. The user_criteria argument is the address of a character-string descriptor pointing to a buffer containing the user criteria to match an intrusion record's user specification in the intrusion database.

The user_criteria argument is a character string of between 1 and 1058 bytes containing characters to match the user specification on records in the intrusion database.

A user specification is any combination of the suspect's or intruder's source node name, source user name, source DECnet for OpenVMS address, local failed user name, local terminal, or the string UNKNOWN. The user specification for an intrusion record is based on the input to the $SCAN_INTRUSION service and the settings of the LGI system parameter. For more information, see the OpenVMS Guide to System Security.

Wildcards are allowed for the user_criteria argument. For more information about using wildcards to scan the intrusion database, see the Description section.

intruder


OpenVMS usage: char_string
type: character-coded text string
access: write only
mechanism: by descriptor--fixed-length string descriptor

User specification of the matched intruder or suspect record in the intrusion database. The intruder argument is the address of a character-string descriptor pointing to a buffer to receive the user specification of the matched record in the intrusion database.

The intruder argument is a 1058-byte string that will receive the user specification of a record in the intrusion database that matches the specifications in the user_criteria and flags arguments.

intruder_len


OpenVMS usage: string length
type: longword (unsigned)
access: write only
mechanism: by reference

Length of returned string in the intrusion buffer. The intruder_len argument is the address of a longword to receive the length of the returned intrusion buffer.

The possible range of the intruder_len argument is 0 to 1058 bytes. If the longword specified by the argument contains a 0 after the call to the service, either the service did not find a record that matched the user criteria in the intrusion database, or there are no more matching items in the intrusion database.

breakin_block


OpenVMS usage: record
type: block of 2 words (unsigned), 1 longword (unsigned), and 1 quadword (unsigned)
access: write only
mechanism: by reference

Block to receive various information in the intrusion database about a record matching the user criteria. The breakin_block argument is the address of a structure with the following format.

The following table defines the break-in block fields.
Field   Description
Type    Unsigned word containing the type of the matched record. The possible values for the type field are TERM_USER, TERMINAL, USERNAME, and NETWORK. These constants are defined in $CIADEF in STARLET.
Flags   Boolean set to TRUE (1) if the matched record is an intruder. If the value is set to FALSE (0), the matched record is only a suspect.
Count   Unsigned longword containing the number of login failures or break-in attempts made by the specified intruder or suspect.
Time    Quadword time format indicating the time when the record will expire.

flags


OpenVMS usage: mask_longword
type: longword (unsigned)
access: read only
mechanism: by value

Type of records in the intrusion database about which information is to be returned. The flags argument is a longword bit mask wherein each bit corresponds to an option.

Each option has a symbolic name. The $CIADEF macro defines the following valid names.
Symbolic Name    Description
CIA$M_ALL        All records will be shown. If the flags argument is omitted, this value is assumed.
CIA$M_INTRUDERS  Only intruder records matching the criteria specified by the user_criteria argument will be returned. The value of the flag field in the break-in block will always be 1.
CIA$M_SUSPECTS   Only suspect records matching the criteria specified by the user_criteria argument will be returned. The value of the flag field in the break-in block will always be 0.

These options are mutually exclusive.

context


OpenVMS usage: context
type: longword (unsigned)
access: write only
mechanism: by reference

Context information to keep between related calls to the $SHOW_INTRUSION service. The context argument is the address of a longword that receives a context from the service.

The initial value contained in the unsigned longword pointed to by the context argument must be 0. The contents of the unsigned longword must not be changed after the service has set its value. If the contents of the context argument are changed between calls to the service, SS$_BADCONTEXT will be returned.

Contexts become invalid after one-half hour of non-use. This means that if you call the $SHOW_INTRUSION service with a wildcard in the user_criteria argument and do not call the service to get the next matching record within one-half hour, the context becomes invalid. If the context has become invalid, you must restart your search of the intrusion database from the beginning by resetting the context to 0.


Description

The Show Intrusion service returns information about records in the intrusion database that match the criteria you specify.

You can retrieve information about multiple records in the intrusion database by specifying wildcards for the user_criteria argument. For example, specifying an asterisk (*) for the user_criteria argument and CIA$M_ALL_RECORDS for the flags argument will return information about all records in the database. Specifying TTA4* for the user_criteria argument and CIA$M_SUSPECTS_ONLY for the flags argument will return information about all suspects who have had failures on terminal TTA4.

If you specify a wildcard string for the user_criteria argument, you must also include a context argument. Because the service can only return information about one intrusion record at a time, you must call the service repeatedly to retrieve information about more than one record. The service will return SS$_NOMOREITEMS when information about all of the matching records has been returned. No intrusion information is returned from the call that returns SS$_NOMOREITEMS.
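The repeated-call protocol described above, as an added example that is not code from the manual: the loop starts with a context of 0, never modifies it between calls, and stops on the no-more-items status. So that it runs without OpenVMS, it calls a constructed mock in place of sys$show_intrusion that takes plain char buffers and handles only a trailing asterisk; the status and flag constants, the sample records and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for the SS$_* statuses and CIA$M_* flag masks. */
enum { ST_NORMAL = 1, ST_NOMOREITEMS = 2, ST_BADCONTEXT = 4 };
enum { FL_ALL = 0, FL_INTRUDERS = 1, FL_SUSPECTS = 2 };
#define COOKIE 0x5EC00000u   /* marks a context issued by the mock */

/* Break-in block as described above: 2 words, 1 longword, 1 quadword. */
typedef struct {
    uint16_t type;     /* record type */
    uint16_t flags;    /* 1 = intruder, 0 = suspect */
    uint32_t count;    /* login failures or break-in attempts */
    uint64_t expires;  /* time at which the record expires */
} breakin_block;

/* Constructed sample records (type values are placeholders). */
static const struct { const char *who; breakin_block b; } db[] = {
    { "TTA4:SMITH",   { 1, 0, 2, 0 } },
    { "NODEA::JONES", { 3, 1, 7, 0 } },
    { "TTA4:GUEST",   { 1, 1, 5, 0 } },
};

/* Mock with the C prototype's argument order; char buffers replace descriptors. */
int mock_show_intrusion(void *crit, void *intruder, unsigned short *len,
                        void *blk, unsigned int flags, unsigned int *ctx)
{
    if (*ctx != 0 && (*ctx & 0xFFFF0000u) != COOKIE) return ST_BADCONTEXT;
    size_t prefix = strcspn((const char *)crit, "*");
    for (unsigned i = *ctx & 0xFFFFu; i < sizeof db / sizeof db[0]; i++) {
        if (strncmp(db[i].who, (const char *)crit, prefix) != 0) continue;
        if (flags == FL_INTRUDERS && db[i].b.flags != 1) continue;
        if (flags == FL_SUSPECTS && db[i].b.flags != 0) continue;
        *len = (unsigned short)strlen(db[i].who);
        memcpy(intruder, db[i].who, *len);
        memcpy(blk, &db[i].b, sizeof db[i].b);
        *ctx = COOKIE | (i + 1);          /* opaque to the caller */
        return ST_NORMAL;
    }
    *len = 0;
    return ST_NOMOREITEMS;
}

/* Walk all matching records. Returns the number of intruders (or a negated
   status on failure) and sums their attempt counts into *attempts. */
int count_intruders(char *criteria, unsigned int *attempts)
{
    char who[1058];                        /* intruder buffer size from the page */
    unsigned short len;
    breakin_block blk;
    unsigned int ctx = 0;                  /* must be 0 on the first call */
    int n = 0;
    *attempts = 0;
    for (;;) {
        int st = mock_show_intrusion(criteria, who, &len, &blk, FL_ALL, &ctx);
        if (st == ST_NOMOREITEMS || (st == ST_NORMAL && len == 0)) return n;
        if (st != ST_NORMAL) return -st;
        if (blk.flags == 1) { n++; *attempts += blk.count; }
    }
}
```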

Required Access or Privileges

SECURITY privilege is required.

Required Quota

None

Related Services

$DELETE_INTRUSION, $SCAN_INTRUSION


Condition Values Returned

SS$_NORMAL The service completed successfully.
SS$_ACCVIO The user_criteria or context argument cannot be read, or the intruder, intruder_len, breakin_block, or context argument cannot be written.
SS$_BADBUFLEN The length of one of the specified arguments is out of range.
SS$_BADCONTEXT The context argument did not contain a 0 on the first call to the service, or the context argument's value changed between consecutive calls to the service.
SS$_BADPARAM An invalid value was specified in the flags argument, or mutually exclusive options were specified in the flags argument.
SS$_NOMOREITEMS All items matching the specified criteria have been returned.
SS$_NOSECURITY The caller does not have SECURITY privilege.
   
This service can also return any of the following messages passed from the security server:
SECSRV$_NOSUCHINTRUDER No records matching the specified criteria were found in the intrusion database.
SECSRV$_SERVERNOTACTIVE The security server is not currently active. Try the request again later.

$SHOW_PROXY (VAX Only)

On VAX systems, returns information about one or more existing proxies.

Format

SYS$SHOW_PROXY rem_node ,rem_user ,buffer_sizes ,proxy_node ,proxy_user ,default_user ,local_users ,[context]


Arguments

rem_node


OpenVMS usage: char_string
type: character-coded text string
access: read only
mechanism: by descriptor--fixed-length string descriptor

Remote node name of the proxy about which information is being requested. The rem_node argument is the address of a character-string descriptor pointing to the remote node name string.

A remote node name consists of 1 to 1024 characters. No specific characters, format, or case are required for a remote node name string.

Asterisk (*) and percent sign (%) wildcards are allowed for the remote node specification. If you specify wildcards for the rem_node argument, the server searches the entire proxy database for matches to the remote node and remote user you specified. If a match is found, information about the matched proxy is returned. See the Description section for information about retrieving information about multiple proxies.

rem_user


OpenVMS usage: char_string
type: character-coded text string
access: read only
mechanism: by descriptor--fixed-length string descriptor

Remote user name of the proxy about which information is being requested. The rem_user argument is the address of a character-string descriptor pointing to the user name string.

A remote user name consists of 1 to 32 alphanumeric characters, including dollar signs ($), underscores (_), and brackets ([ ]). Any lowercase characters specified are automatically converted to uppercase.

The rem_user argument can be specified in user identification code (UIC) format ([group, member]). Brackets are allowed only if the remote user name string specifies a UIC. Group and member are character-string representations of octal numbers with no leading zeros.

Asterisk (*) and percent sign (%) wildcards are allowed for the remote user specification. If you specify wildcards for the rem_user argument, the server searches the entire proxy database for matches to the remote node and remote user you specified. If a match is found, information about the matched proxy is returned. See the Description section for information about retrieving information about multiple proxies.

buffer_sizes


OpenVMS usage: return length block
type: array of 4 words (unsigned)
access: write only
mechanism: by reference

Array of return lengths for various input buffers. The buffer_sizes argument is the address of an array of four words with the following format.

The following table defines the buffer sizes fields.
Descriptor Field     Definition
Proxy user length    Return length (in bytes) of the rem_user argument. The proxy user length field contains a value in the range of 0 to 32. A value of 0 in this field indicates that the service has failed or that there was no match for the user specified by the rem_user argument.
Proxy node length    Return length (in bytes) of the rem_node argument. A value of 0 in this field indicates that the service has failed or that there was no match for the node specified by the rem_node argument. The proxy node length field contains values in the range of 0 to 1024.
Local users count    Number of local users associated with the matched proxy. The local users count field contains a value in the range of 0 to 16. A value of 0 indicates that the matched proxy had no local users.
Default user length  Return length (in bytes) of the default_user argument. The default user length field contains a value in the range of 0 to 32. A value of 0 in this field indicates that the matched proxy did not have a default user.

proxy_node


OpenVMS usage: char_string
type: character-coded text string
access: write only
mechanism: by descriptor--fixed-length string descriptor

Node name of a proxy matching the remote node name specified by the rem_node argument and the remote user name specified by the rem_user argument. The proxy_node argument is the address of a character-string descriptor pointing to a buffer to receive the proxy node name.

The descriptor's buffer must be 1024 bytes long to receive a node name. The length of the returned node name is specified by the proxy node length field returned in the buffer specified by the buffer_sizes argument.

proxy_user


OpenVMS usage: char_string
type: character-coded text string
access: write only
mechanism: by descriptor--fixed-length string descriptor

User name of a proxy matching the remote node name specified by the rem_node argument and the remote user name specified by the rem_user argument. The proxy_user argument is the address of a character-string descriptor pointing to a buffer to receive the remote user name of a proxy.

The descriptor's buffer must be 32 bytes long to receive a user name. The length of the returned user name is specified by the proxy user length field returned in the buffer specified by the buffer_sizes argument.

default_user


OpenVMS usage: char_string
type: character-coded text string
access: write only
mechanism: by descriptor--fixed-length string descriptor

Default user of a proxy matching the node name specified by the rem_node argument and the remote user name specified by the rem_user argument. The default_user argument is the address of a character-string descriptor pointing to a buffer to receive the default user name.

The descriptor's buffer must be 32 bytes long to receive a user name. The length of the returned user name is specified in the default user length field in the buffer specified by the buffer_sizes argument.

local_users


OpenVMS usage: buffer
type: array of 0 to 16 user name buffers
access: write only
mechanism: by reference

Array of local user names associated with a proxy matching the remote node name specified by the rem_node argument and the remote user name specified by the rem_user argument. The local_users argument is the address of a buffer to receive an array of local user names.

Each element in the array is a 36-byte block with the following format.


The following table defines the local users fields.
Descriptor Field  Definition
User name length  Length (in bytes) of the associated username string. The length can be in the range of 1 to 32 bytes.
Username          A fixed 32-byte blank padded character string containing a local user name associated with the matched proxy.

The buffer specified by the local_users argument must be able to contain up to 16 user name buffers. Therefore, the buffer length must be 576 bytes.

The number of elements returned in the buffer is specified in the local users count field returned in the buffer specified by the buffer_sizes argument.
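Added example, not part of the manual: a decoder for the local_users buffer that checks the count and every length field before copying a name. It assumes each 36-byte element is a 4-byte little-endian length followed by the 32-byte name (the page gives only the element and name sizes); parse_local_users and make_entry are hypothetical names, and the entries are constructed.

```c
#include <stdint.h>
#include <string.h>

#define MAX_LOCAL_USERS 16
#define NAME_LEN        32
#define ENTRY_LEN       36   /* assumed: 4-byte length, then 32-byte name */

/* Decode `count` entries (the local users count from buffer_sizes) out of a
   local_users buffer. Returns the number of names copied, or -1 when the
   count, a length or the blank padding does not fit the documented format. */
int parse_local_users(const uint8_t *buf, size_t buflen, unsigned count,
                      char names[][NAME_LEN + 1])
{
    if (count > MAX_LOCAL_USERS || buflen < (size_t)count * ENTRY_LEN)
        return -1;
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *e = buf + (size_t)i * ENTRY_LEN;
        /* assumed little-endian longword, as on VAX */
        uint32_t len = e[0] | (uint32_t)e[1] << 8 |
                       (uint32_t)e[2] << 16 | (uint32_t)e[3] << 24;
        if (len < 1 || len > NAME_LEN)
            return -1;
        for (uint32_t j = len; j < NAME_LEN; j++)
            if (e[4 + j] != ' ')
                return -1;            /* name must be blank padded */
        memcpy(names[i], e + 4, len);
        names[i][len] = '\0';
    }
    return (int)count;
}

/* Build one constructed entry; claimed_len may disagree with the name so
   that malformed input can be produced for testing. */
void make_entry(uint8_t *e, const char *name, uint32_t claimed_len)
{
    for (int k = 0; k < 4; k++)
        e[k] = (uint8_t)(claimed_len >> (8 * k));
    memset(e + 4, ' ', NAME_LEN);
    memcpy(e + 4, name, strlen(name));
}
```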

context


OpenVMS usage: context
type: longword (unsigned)
access: write only
mechanism: by reference

Context information to keep between related calls to the $SHOW_PROXY service. The context argument is the address of a longword to receive a context from the $SHOW_PROXY service.

The initial value contained in the longword pointed to by the context argument must be 0. The contents of the unsigned longword must not be changed after the service has set its value. If the contents of the buffer pointed to by the context argument are changed between calls to the $SHOW_PROXY service, the service will return SS$_BADCONTEXT.

Contexts become invalid after one-half hour of non-use. This means that if you call the $SHOW_PROXY service with a wildcard rem_node and rem_user, and do not call the service to get the next matching record within one-half hour, the context becomes invalid. If the context has become invalid, the search starts over at the beginning of the database, not where you left off with your last call to the service.


Description

The Show Proxy service returns to the caller all information about a specified proxy in the proxy database.

Wildcards can be specified for the rem_node and rem_user arguments. Because $SHOW_PROXY can return information about only one matching proxy at a time, you must call this service repeatedly with the context argument to retrieve information about all matching proxies. $SHOW_PROXY returns SS$_NOMOREITEMS when information about all of the matching proxies has been returned. No proxy information is returned from the call that returns the SS$_NOMOREITEMS status.

Required Access or Privilege

$SHOW_PROXY requires access to the proxy database. To achieve access, the caller must have SYSPRV or BYPASS privilege, or a UIC group less than or equal to the MAXSYSGRP system parameter.

Required Quota

None

Related Services

$ADD_PROXY, $DELETE_PROXY, $VERIFY_PROXY


Condition Values Returned

SS$_NORMAL The service completed successfully.
SS$_ACCVIO The rem_node or rem_user argument cannot be read by the service; or the buffer_sizes, proxy_node, proxy_user, default_user, or local_users argument cannot be written by the service; or the context argument cannot be read or written by the service.
SS$_BADBUFLEN The length of the rem_node, rem_user, proxy_node, proxy_user, default_user, or local_users argument was out of range.
SS$_BADCONTEXT The context argument did not contain a 0 on the first call to the service, or the context argument's values changed between consecutive calls to the service.
SS$_NOMOREITEMS Information about all proxies matching the specification of the rem_node and rem_user arguments has been returned by the service.
SS$_NOREADALL The caller does not have access to the proxy database.
   
This service can also return any of the following messages passed from the security server, or any OpenVMS RMS error message encountered during operations on the proxy database.
SECSRV$_NOSUCHUSER The specified local user does not exist in the proxy's local user list, or is not the proxy's default user.
SECSRV$_NOSUCHPROXY The proxy specified by the rem_node and rem_user arguments does not exist in the proxy database.
SECSRV$_PROXYNOTACTIVE Proxy processing is currently stopped. Try the request again later.
SECSRV$_SERVERNOTACTIVE The Security Server is not currently active. Try the request again later.

