PAUDIT2 (v1.35b Jun 1993)   ['b' stands for Btrieve]
(Written by Wolfgang Schreiber, MHS: WSCHREIB @ NOVELL)

Purpose:
Use PAUDIT2 to view the system accounting records (NET$ACCT.DAT). While NetWare's PAUDIT only allows a global view of accounting data, PAUDIT2 gives a more comfortable, compact overview and additionally allows searching for specific information.

Some advantages of PAUDIT2:
- several criteria to select data from the audit file
- higher speed, only 10% of PAUDIT's network load
- selectable input file
- read/recover damaged NET$ACCT.DAT
- optional data base formatted or Btrieve output

General information:
If you have NetWare 2.1x / 2.2x / 3.xx you should have accounting installed. If you have it installed, NetWare will put notes about all logins and logouts into the file SYS:SYSTEM\NET$ACCT.DAT. This allows you to implement a higher level of security on your system. If you charge users for any service, charge and activity records will also be stored in the accounting file.

The accounting file will grow depending on the activities on your network. It is a good idea to store this file to a floppy and delete it every now and then (perhaps once a month) to keep it within a reasonable size. NetWare will automatically create a new NET$ACCT.DAT.

---------------------------------------------------------------
Command Format:
PAUDIT2 [option list]

"PAUDIT2" without any options shows all available information.
"PAUDIT2 ?" gives a syntax overview.

Available options (most options can be combined):

A[fter]=<date>        Show only events on or after date
Be[fore]=<date>       Show only events on or before date
Bt[rieve][=<name>]    Output to Btrieve file (only in PAUDIT2 v1.31)
C[harges]             Display charges only
Da[tabase]            Output in data base style
DefU[ser]             List default users per PC
DefPC                 List default PC address per user
Di[sk]                Disk access and charges
F[ile]=<name>         Input from specified file
G[roup]=[!]<group>    Select/Exclude only group members
I[ntruder]            Intruder lockouts
L[ogin]               Select only login notes
M[ap]=<user>          Semi-graphic user info
Ne[twork]=[!]<addr>   Select/Exclude network
No[de]=[!]<addr>      Select/Exclude station
R[ebuild]             Rebuild accounting file
S[ervername]          Output with server name
Un[usual]             Unusual events, security analysis
Us[er]=[!]<user>      Select/Exclude specified user
W[arning]             Important messages (time changes / intruders)

---------------------------------------------------------------
New features / Program history:

v1.35b (Jun 93)
- rewrote Btrieve output option
- updated documentation

v1.34b (Nov 92)
- bug fix: the 'GR=' option did not work correctly
- optional Btrieve output is included by default

v1.34 (Oct 92)
- allow selection AND exclusion for the options '/User', '/Group', '/Node', and '/NetWork'
- the option '/Repair' is replaced by a more powerful option '/Rebuild'

v1.33 (Jul 92)
- temporarily close the file NET$ACCT.DAT while waiting for user input. This is a workaround for a NetWare bug (NetWare does not allow read access to NET$ACCT.DAT while it adds new records).
- no blanks between fields in database formatted output
- fix for incorrect operation of the '/Node' option

v1.32 (Jul 92)
- bug fix with the '/MAP' option
- '/Database' now has record type 91 for general charges, 92 for disk storage charges

v1.31 (Jan 92)
- Optional output to Btrieve files (feature available on request)

v1.30 (Jan 92)
- Multiple options can be combined
- New option 'UNUSUAL' (security analysis)
- New options 'DefPC' and 'DefUser' (usage analysis)
- New options 'Before'/'After' replace the previous option 'Date'
- New features of option 'INTRUDER'
- Higher performance
- Show current search position during search
- Shareable access does not lock NET$ACCT.DAT
- bug fix: Accept user/group names with > 16 chars on command line
- bug fix: Repair for large accounting files

v1.20 (Sept 91)
- Output can be formatted for other data base applications

v1.14 (June 91)
- Allows specification of input file (other than NET$ACCT.DAT)

v1.13 (May 91)
- Faster scanning of NET$ACCT.DAT with about 90% less network load compared to Novell's PAUDIT.EXE
- Fault tolerant scanning skips bad parts of NET$ACCT.DAT
- New option 'REPAIR' allows repairing a bad NET$ACCT.DAT

v1.12 (April 91)
- New options 'GROUP=' and 'CHARGE='
- Computation of cumulated charges
- Built-in self test for virus infection
- Easier output redirection

Usage:
To start PAUDIT2 one must be logged in to the specified file server. You may start PAUDIT2 from any drive on the target server. You do not need a drive mapping to SYS:SYSTEM, but you need Open and Read rights in that directory ([RF] for NW 386). Output will pause after each screen display (only if not redirected).

---------------------------------------------------------------
Available Options:

(no option)
  Show all accounting information
  Syntax:   PAUDIT2
  Example:  PAUDIT2

After
  Select audits from specified date or later
  Syntax:   PAUDIT2 A[fter]=<date>   (Leading zeros may be omitted)
  Examples: PAUDIT2 After=31.8.91
            PAUDIT2 Group=Students After=31.8.91

Before
  Select audits from specified date or earlier
  Syntax:   PAUDIT2 Be[fore]=<date>  (Leading zeros may be omitted)
  Examples: PAUDIT2 Bef=31.8.91
            PAUDIT2 Bef=31.8.91 User=WSchreib Warn

Btrieve
  Output to Btrieve file (not implemented in all versions)
  Purpose:  Using this switch will cause PAUDIT2 to output its data into the specified Btrieve file.
  Syntax:   PAUDIT2 Bt[[rieve]=<name>]
  Examples: PAUDIT2 us=WSCHREIB Btrieve
            PAUDIT2 us=WSCHREIB Bt=WS.btr After=31.1.91
  If no Btrieve file name is specified, the default name PAUDIT2.BTR will be assumed.
  This switch may not yet be fully implemented. Please inform me if Btrieve support should be enhanced.
  The record structure for the resulting Btrieve file is:

  Offs  Content : Type                    Btrieve Key
  ---------------------------------------------------
    1   RecType : Word;
    3   Date    : Date;                   (Key 1a)
    7   Time    : Time;                   (Key 1b)
   11   ccode   : Byte;
   12   FS_ID   : LongInt;
   16   CL_ID   : LongInt;                (Key 2)
   20   SrvType : WORD;
   22   CmtType : WORD;                   (Key 0)
   24   Charge  : LongInt;
   28   Comment : Array[1..20] of BYTE

  File Stats for x
    Record Length        = 27
    Compressed Records   = No
    Variable Records     = Yes
    Free Space Threshold = 5%
    Number of Keys       = 3
    Page Size            = 2048
    Unused Pages         = 0

  Key  Position  Length  Duplicates  Modifiable  Type
   0      22       2        Yes         No       Integer
   1       3       4        Yes         No       Date
   1       7       4        Yes         No       Time
   2      16       4        Yes         No       Unsigned

Charge
  Show charge audits for users or groups
  Syntax:   PAUDIT2 Ch[arge]
  Examples: PAUDIT2 Charge
            PAUDIT2 Ch User=guest
            PAUDIT2 Group=sales Charge

Database
  Output in database format
  Purpose:  Use this switch if you want to prepare PAUDIT2's output for export into another data base, with selectable field delimiters and separators.
  Syntax:   PAUDIT2 Da[tabase]
  Example:  PAUDIT2 us=WSCHREIB Datab > WS.EXP
  Every PAUDIT2 option can be followed by the data base switch.
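The Btrieve record structure listed in the Btrieve section above, as an added Python example that is not part of PAUDIT2: it packs and unpacks the 27-byte fixed part of a record plus the variable Comment tail. Btrieve files are page-structured, so the bytes handled here are what a Btrieve read operation (through the requester) returns for one record, not a raw slice of PAUDIT2.BTR. The byte layout of Btrieve's DATE and TIME key types (day/month/year-word and hundredths/seconds/minutes/hours) is an assumption about those standard types, and the sample record values are constructed.

```python
import struct

# Fixed part of a PAUDIT2 Btrieve record, from the record structure above
# (1-based offsets 1..27); little-endian as on DOS/x86.
# Assumption: Btrieve DATE = day(1) month(1) year(2), TIME = hundredths(1)
# seconds(1) minutes(1) hours(1). Comment (offset 28) is the variable tail.
FIXED_FMT = "<HBBHBBBBBlLHHl"
FIXED_LEN = struct.calcsize(FIXED_FMT)      # 27, i.e. "Record Length = 27"
COMMENT_MAX = 20
FIELDS = ("rectype", "day", "month", "year", "hundredths", "second",
          "minute", "hour", "ccode", "fs_id", "cl_id", "srvtype",
          "cmttype", "charge")


def encode_record(rectype, date, time, ccode, fs_id, cl_id, srvtype,
                  cmttype, charge, comment=""):
    """Build record bytes; date is (day, month, year), time is (h, m, s)."""
    day, month, year = date
    hour, minute, second = time
    tail = comment.encode("cp437")[:COMMENT_MAX]     # DOS code page
    return struct.pack(FIXED_FMT, rectype, day, month, year, 0, second,
                       minute, hour, ccode, fs_id, cl_id, srvtype, cmttype,
                       charge) + tail


def decode_record(raw):
    """Decode the bytes a Btrieve read returns for one PAUDIT2 record."""
    if len(raw) < FIXED_LEN:
        raise ValueError(f"record too short: {len(raw)} < {FIXED_LEN} bytes")
    rec = dict(zip(FIELDS, struct.unpack_from(FIXED_FMT, raw)))
    tail = raw[FIXED_LEN:FIXED_LEN + COMMENT_MAX]
    rec["comment"] = tail.rstrip(b"\0").decode("cp437", "replace")
    # Render in the European Day.Month.Year form PAUDIT2 uses on the command line.
    rec["date"] = f"{rec['day']:02d}.{rec['month']:02d}.{rec['year']}"
    rec["time"] = f"{rec['hour']:02d}:{rec['minute']:02d}:{rec['second']:02d}"
    return rec


if __name__ == "__main__":
    # Constructed sample record: a login at 20.08.1991 09:55:01.
    sample = encode_record(3, (20, 8, 1991), (9, 55, 1), 0, 0x12345678,
                           0x1B040A63, 4, 3, 0, "LOGIN")
    print(decode_record(sample))
```

The key columns (CmtType at offset 22, Date/Time at 3 and 7, CL_ID at 16) are the fields a Btrieve application would index when searching the exported records by event type, time, or station.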
  Default field delimiter: "
  Default field separator: ,

  The result will look like:
  "3", "08-20-1991", "09:55:01", "WSCHREIB", "49211B00:00001B040A63"
  "4", "08-20-1991", "10:57:06", "WSCHREIB", "49211B00:00001B040A63"

  Other delimiters can be selected with the environment variable DEL, e.g.:
    SET DEL='
    SET DEL=NUL     (will result in no delimiters)
  Other separators can be selected with the environment variable SEP, e.g.:
    SET SEP=;
    SET SEP=TAB     (Tabs as separators)

  The first value of each record represents the type of record (type of accounting comment) in the accounting log:
     1: Connect time, requests, reads and writes
     2: Disk storage
     3: Login
     4: Logout
     5: Intruder lockout
     6: Server time change
    90: Disk Storage charges
    91: General Charges (requests, login time, kb read, kb written)
    99: other / comments

DefPC
  List all users and their preferred PC addresses
  Purpose:  Create a list of users with their usual node addresses
  Syntax:   PAUDIT2 DefPC
  Example:  PAUDIT2 DefPC

DefUser
  List all PC addresses and their normal user
  Purpose:  Create a list of nodes with their default user
  Syntax:   PAUDIT2 DefU[ser]
  Example:  PAUDIT2 DefUser

Disk
  Show disk access charges
  Syntax:   PAUDIT2 Di[sk]
  Examples: PAUDIT2 Disk
            PAUDIT2 User=WSCHREIB Before=31.12.90 Disk

File
  Use alternate input file
  Purpose:  Analyse specified file instead of the current accounting file
  Syntax:   PAUDIT2 F[ile]=<name>   (Default is SYS:SYSTEM\NET$ACCT.DAT)
  Example:  PAUDIT2 us=WSCHREIB File=F:NET$ACCT.OLD

Group
  Show audits for members of specified group
  Syntax:   PAUDIT2 Gr[oup]=<group>
  Examples: PAUDIT2 GR=wp_user
            PAUDIT2 GR=wp_user Warning After=1.1.92
            PAUDIT2 GR=!wp_user   (Exclude group members)

Intruder
  Show intruder lockout messages
  Purpose:  Try to locate and identify intruders (Cannot be combined with other options)
  Syntax:   PAUDIT2 In[truder]
  Example:  PAUDIT2 Intr

Login
  Show only logins
  Syntax:   PAUDIT2 Lo[gin]
  Examples: PAUDIT2 Log
            PAUDIT2 Login Node=ABC Gr=Students

Map
  Show audits for one user in semi-graphic mode
  Purpose:  Create a semi-graphical usage analysis for the specified user
  Syntax:   PAUDIT2 MAP=<user>
  Examples: PAUDIT2 MAP=guest
            PAUDIT2 Map=Guest Net=123 before=31.12.1990

Network
  Show all audits for specified network address
  Syntax:   PAUDIT2 Ne[twork]=<addr>
  Examples: PAUDIT2 Net=A123   (Leading zeros may be omitted)
            PAUDIT2 Net=10ABC User=WSCHREIB Warn
            PAUDIT2 Net=!ABC   (Exclude network ABC)

Rebuild
  Repair damaged NET$ACCT.DAT file
  Purpose:  Correct errors in accounting file
  Syntax:   PAUDIT2 Re[build]
  Examples: PAUDIT2 Rebuild            (repair complete file)
            PAUDIT2 U=!GUEST /Rebuild  (filter GUEST from audit file)
  The original NET$ACCT.DAT will NOT be modified. Instead, a repaired copy of NET$ACCT.DAT with the name 'NET$ACCT.NEW' will be placed on your current drive. You should copy this file to SYS:SYSTEM as 'NET$ACCT.DAT' after saving the damaged original.
  Rebuild can also be used to create subsets of the accounting file. The option can be combined with most of the other options to create subsets of accounting files with selected data only.

ServerName
  Output with preceding server name
  Purpose:  Allow easier identification of data base information
  Syntax:   PAUDIT2 S[erverName]
  This option is primarily useful in combination with the data base option if it is desired to include the server name for documentation.
  Example:  PAUDIT2 User=WSCHREIB Servername Database

Node
  Show all audits of specified physical station
  Syntax:   PAUDIT2 No[de]=<addr>
  Examples: PAUDIT2 Node=EC004B   (Leading zeros may be omitted)
            PAUDIT2 Node=2 After=1.1.92
            PAUDIT2 Node=!2   (Exclude node 2)

Unusual
  Show users on unusual workstations
  Purpose:  Tries to identify intruders and users who log in on unusual node addresses (Cannot be combined with other options)
  Syntax:   PAUDIT2 Un[usual]
  Example:  PAUDIT2 Unusual
  Displays all incidents where users log in or try to log in from PCs that they normally don't use. Identifies the owner of PCs that caused intruder detection warnings.
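The database-format records described in the Database section, together with the station-based checks of the DefPC, Unusual and Warning options, as an added Python example that is not part of PAUDIT2: it splits records using the DEL/SEP conventions (including the NUL and TAB spellings), works out each user's usual station from login records, and reports logins from any other station as well as intruder-lockout and time-change records. The sample lines are constructed (the first two are the documented login/logout examples). The parser assumes every record type carries the same five leading fields (type, date, time, user, network:node), which the page shows only for logins and logouts; any further fields are kept untouched in `extra`.

```python
import os
from collections import Counter, defaultdict

# Record types (first field of each database-format record), from the
# PAUDIT2 documentation.
RECORD_TYPES = {
    1: "connect time / requests / reads / writes",
    2: "disk storage",
    3: "login",
    4: "logout",
    5: "intruder lockout",
    6: "server time change",
    90: "disk storage charges",
    91: "general charges",
    99: "other / comments",
}
LOGIN, INTRUDER, TIME_CHANGE = 3, 5, 6

# Constructed sample: the two documented lines plus made-up follow-ups
# (newer versions emit no blanks between fields; both forms are accepted).
SAMPLE = (
    '"3", "08-20-1991", "09:55:01", "WSCHREIB", "49211B00:00001B040A63"\n'
    '"4", "08-20-1991", "10:57:06", "WSCHREIB", "49211B00:00001B040A63"\n'
    '"3","08-21-1991","08:02:13","WSCHREIB","49211B00:00001B040A63"\n'
    '"4","08-21-1991","17:10:44","WSCHREIB","49211B00:00001B040A63"\n'
    '"3","08-22-1991","23:41:09","WSCHREIB","49211B00:00001B04FFEE"\n'
    '"5","08-22-1991","23:39:50","SUPERVISOR","49211B00:00001B04FFEE"\n'
    '"6","08-23-1991","00:00:02","SUPERVISOR","49211B00:00001B040001"\n'
)


def _setting(value, default, special):
    """Resolve a DEL/SEP value the way PAUDIT2 documents it (NUL, TAB)."""
    if value is None:
        return default
    return special.get(value.upper(), value)


def split_record(line, delim=None, sep=None):
    """Split one output line into fields. delim/sep default to the DEL and
    SEP environment variables and then to the documented defaults " and ,."""
    delim = _setting(delim if delim is not None else os.environ.get("DEL"),
                     '"', {"NUL": ""})
    sep = _setting(sep if sep is not None else os.environ.get("SEP"),
                   ",", {"TAB": "\t"})
    fields = []
    for raw in line.split(sep):
        field = raw.strip()
        if delim and len(field) >= 2 * len(delim) \
                and field.startswith(delim) and field.endswith(delim):
            field = field[len(delim):-len(delim)]
        fields.append(field)
    return fields


def _addr(text):
    """Normalise a hex address so leading zeros do not matter, as the
    documentation allows on the command line."""
    return text.strip().upper().lstrip("0") or "0"


def parse_records(text, delim=None, sep=None):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = split_record(line, delim, sep)
        if len(fields) < 5:
            raise ValueError(f"record has fewer than 5 fields: {line!r}")
        rectype = int(fields[0])
        network, _, node = fields[4].partition(":")
        records.append({
            "type": rectype, "kind": RECORD_TYPES.get(rectype, "unknown"),
            "date": fields[1], "time": fields[2], "user": fields[3].upper(),
            "network": _addr(network), "node": _addr(node),
            "extra": fields[5:],      # charge records may carry more fields
        })
    return records


def default_nodes(records):
    """Per user, the (network, node) seen most often at login (cf. DefPC)."""
    seen = defaultdict(Counter)
    for r in records:
        if r["type"] == LOGIN:
            seen[r["user"]][(r["network"], r["node"])] += 1
    return {user: c.most_common(1)[0][0] for user, c in seen.items()}


def unusual_logins(records):
    """Logins from a station other than the user's usual one (cf. Unusual)."""
    usual = default_nodes(records)
    return [r for r in records if r["type"] == LOGIN
            and (r["network"], r["node"]) != usual[r["user"]]]


def warnings(records):
    """Intruder lockouts and server time changes (cf. Warning)."""
    return [r for r in records if r["type"] in (INTRUDER, TIME_CHANGE)]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for user, (net, node) in default_nodes(recs).items():
        print(f"{user:<12} usual station {net}:{node}")
    for r in unusual_logins(recs) + warnings(recs):
        print(f"{r['date']} {r['time']} {r['kind']:<20} {r['user']:<12} "
              f"{r['network']}:{r['node']}")
```

Feed it a file produced with `PAUDIT2 Database > file` (or a Rebuild subset exported the same way); run with `SET DEL=NUL` and `SET SEP=TAB` the same parser reads tab-separated output. With a single login a user's only station is, by definition, the usual one, so the unusual-login check only becomes meaningful once a few weeks of records are available, which is also why the documentation suggests saving the monthly NET$ACCT.DAT rather than simply deleting it.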
User
  Show audits for one specified user only
  Syntax:   PAUDIT2 Us[er]=<user>
  Examples: PAUDIT2 US=supervisor
            PAUDIT2 U=Wschreib Net=123
            PAUDIT2 U=!Wschreib Net=123   (Exclude user WSCHREIB)

Warning
  Show warnings from audit file
  Purpose:  Show security relevant audits (time changes/intruder)
  Syntax:   PAUDIT2 WA[rning]
  Examples: PAUDIT2 Warn
            PAUDIT2 US=supervisor Warn

---------------------------------------------------------------
Restrictions:
- Some options cannot be combined with others: 'Repair', 'DefPC', 'DefUser', 'Unusual'
- Some useless combinations are prohibited
- Btrieve output may not be available in all versions

---------------------------------------------------------------
Error Messages / Troubleshooting:

- 'Btrieve requester not loaded.'
  To utilize the Btrieve file output features of PAUDIT2 the Btrieve requester must be loaded first.
- 'Could not create ... '
  A new accounting file could not be created. Check rights, drive, and name of the new file.
- 'Error in ... : offset ...'
  The accounting file was corrupt. Try the option 'REPAIR'.
- 'Insufficient Memory'
  Some options (Intruder, DefPC, DefUser, Unusual) need more memory than your PC has. Try removing some resident utilities or use a more efficient memory manager.
- 'Invalid Address'
  The address entered was invalid (too short or too long).
- 'Invalid combination of options'
  Some PAUDIT2 options cannot be combined with certain others.
- 'Invalid Date'
  Enter the date in European format: Day.Month.Year
- 'Group does not exist'
  A non-existing group was specified on the command line.
- 'PAUDIT2 (...) is damaged or virus infected !'
  PAUDIT2 does not have the expected file size. This might be caused by a virus infection. Check your system.
- 'Unexpected end of ... '
  The accounting file was corrupt. Try the option 'REPAIR'.
- 'User does not exist'
  A non-existing user was specified on the command line.
- 'Waiting to get file access ... '
  The accounting file SYS:SYSTEM\NET$ACCT.DAT is locked by NetWare or another application.
Public Domain Software written by Dr. Wolfgang Schreiber
---------------------------------------------------------------