PAUDIT2              (v1.35b  Jun 1993)   ['b' stands for Btrieve]
                     (Written by Wolfgang Schreiber, MHS: WSCHREIB @ NOVELL)


Purpose:
   Use PAUDIT2 to view the system accounting records (NET$ACCT.DAT).

   While NetWare's PAUDIT only allows a global view of accounting data,
   PAUDIT2 gives a more convenient, compact overview and additionally
   allows searching for specific information.

Some advantages of PAUDIT2:
   - several criteria to select data from the audit file
   - higher speed, only 10% of PAUDIT's Network load
   - selectable input file
   - read/recover damaged NET$ACCT.DAT
   - optional data base formatted or Btrieve output

General information:
   If you have NetWare 2.1x / 2.2x / 3.xx you should have accounting
   installed.  If it is installed, NetWare writes a note about every
   login and logout to the file SYS:SYSTEM\NET$ACCT.DAT.
   This allows you to implement a higher level of security on your system.

   If you charge users for any service, charge and activity records will
   also be stored in the accounting file.

   The accounting file will grow depending on the activities on your network.
   It is a good idea to store this file to a floppy and delete it every
   now and then (perhaps once a month) to keep it within a reasonable size.
   NetWare will automatically create a new NET$ACCT.DAT.

---------------------------------------------------------------

Command Format:      PAUDIT2 [option list]

    "PAUDIT2"    without any options shows all available information.
    "PAUDIT2 ?"  gives a syntax overview


Available options (most options can be combined):

     A[fter]=<dd.mm.yy>      Show only events on or after date
     Be[fore]=<dd.mm.yy>     Show only events on or before date
     Bt[rieve][=name]        Output to Btrieve file  (only in PAUDIT2 v1.31)
     C[harges]               Display charges only
     Da[tabase]              Output in data base style
     DefU[ser]               List default users per PC
     DefPC                   List default PC address per user
     Di[sk]                  Disk access and charges
     F[ile]=<filename>       Input from specified file
     G[roup]=[!]<groupname>  Select/Exclude only group members
     I[ntruder]              Intruder lockouts
     L[ogin]                 Select only login notes
     M[ap]=<username>        Semi-graphic user info
     Ne[twork]=[!]<address>  Select/Exclude Network
     No[de]=[!]<address>     Select/Exclude Station
     R[ebuild]               Rebuild Accounting File
     S[ervername]            Output with Server Name
     Un[usual]               Unusual events, security analysis
     Us[er]=[!]<username>    Select/Exclude specified user
     W[arning]               Important messages (time changes / intruders)


---------------------------------------------------------------

New features / Program history:
   v1.35b (Jun 93)
   - rewrote Btrieve output option
   - updated documentation

   v1.34b (Nov 92)
   - bug fix: the 'GR=<groupname>' did not work correctly
   - optional Btrieve output is included by default

   v1.34  (Oct 92)
   - allow selection AND exclusion for the options '/User', '/Group',
     '/Node', and '/NetWork'.
   - the option '/Repair' is replaced by a more powerful option '/Rebuild'.

   v1.33  (Jul 92)
   - temporarily close the file NET$ACCT.DAT while waiting for user input.
     This is a workaround to fix a NetWare bug (NetWare does not allow
     read access to NET$ACCT.DAT while it adds new records).
   - no blanks between fields in database formatted output
   - fix for incorrect operation of the '/Node' option

   v1.32  (Jul 92)
   - bug fix with the '/MAP' option
   - '/Database' now has record type 91 for general charges, 
     92 for disk storage charges

   v1.31  (Jan 92)
   - Optional output to Btrieve files (feature available on request)

   v1.30  (Jan 92)
   - Multiple options can be combined
   - New option 'UNUSUAL'   (security analysis)
   - New options 'DefPC' and 'DefUser' (usage analysis)
   - New options 'Before'/'After'  replace the previous option 'Date'
   - New features of option 'INTRUDER'
   - Higher performance
   - Show current search position during search
   - Shareable access does not lock NET$ACCT.DAT
   - bug fix: Accept user/group names with > 16 chars on command line
   - bug fix: Repair for large accounting files

   v1.20  (Sept 91)
   - Output can be formatted for other data base applications

   v1.14  (June 91)
   - Allows specification of input file (other than NET$ACCT.DAT)

   v1.13  (May 91)
   - Faster scanning of NET$ACCT.DAT with about 90% less network load
     compared to Novell's PAUDIT.EXE
   - Fault tolerant scanning skips bad parts of NET$ACCT.DAT
   - New option 'REPAIR' allows to repair a bad NET$ACCT.DAT

   v1.12  (April 91)
   - New options 'GROUP=<name>' and 'CHARGE=<name>'
   - Computation of cumulated charges
   - Built-in self test for virus infection
   - Easier output redirection


Usage:
   To start PAUDIT2 one must be logged in to the specified file server.
   You may start PAUDIT2 from any drive on the target server.
   You do not need a drive mapping to SYS:SYSTEM, but you need
   Open and Read rights in that directory ([RF] for NW 386).

   Output will pause after each screen display (only if not redirected).


---------------------------------------------------------------

Available Options:

<no option>   Show all accounting information
    Syntax:   PAUDIT2
    Example:  PAUDIT2


After         Select audits from specified date or later
    Syntax:   PAUDIT2 A[fter]=<dd.mm.yy>     (Leading zeros may be omitted)
    Examples: PAUDIT2 After=31.8.91
              PAUDIT2 Group=Students After=31.8.91


Before        Select audits from specified date or earlier
    Syntax:   PAUDIT2 Be[fore]=<dd.mm.yy>    (Leading zeros may be omitted)
    Examples: PAUDIT2 Bef=31.8.91
              PAUDIT2 Bef=31.8.91 User=WSchreib Warn


Btrieve       Output to Btrieve file         (not implemented in all versions)
    Purpose:  Using this switch will cause PAUDIT2 to output its data
              into the specified btrieve file.
    Syntax:   PAUDIT2 Bt[[rieve]=<name>]
    Examples: PAUDIT2 us=WSCHREIB Btrieve
              PAUDIT2 us=WSCHREIB Bt=WS.btr After=31.1.91

    If no Btrieve file name is specified, the default name PAUDIT2.BTR
    will be assumed.

    This switch may not yet be fully implemented.
    Please inform me if Btrieve support should be enhanced.

    The record structure for the resulting Btrieve file is:

        Offs  Content       Type        Btrieve Key
        -------------------------------------------
          1   RecType   :   Word;
          3   Date      :   Date;       (Key 1a)
          7   Time      :   Time;       (Key 1b)
         11   ccode     :   Byte;
         12   FS_ID     :   LongInt;
         16   CL_ID     :   LongInt;    (Key 2)
         20   SrvType   :   WORD;
         22   CmtType   :   WORD;       (Key 0)
         24   Charge    :   LongInt;
         28   Comment   :   Array[1..20] of BYTE


          File Stats for x
          Record Length = 27            Compressed Records = No
       Variable Records = Yes         Free Space Threshold = 5%
         Number of Keys = 3
              Page Size = 2048                Unused Pages = 0

        Key  Position  Length  Duplicates  Modifiable   Type
          0     22        2        Yes         No      Integer
          1      3        4        Yes         No      Date
          1      7        4        Yes         No      Time
          2     16        4        Yes         No      Unsigned
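    The record layout and key table above, packed and decoded with Python's
    struct module. This is an added example, not code from PAUDIT2 or from
    Btrieve. The byte-level encoding of the Btrieve Date and Time types and
    the widths of Word and LongInt are assumptions (stated in the comments),
    and the sample record is constructed, not taken from a real file.

```python
"""Pack and unpack the PAUDIT2 Btrieve record layout described above.
Added example, not code from PAUDIT2 or Btrieve."""
import struct
from datetime import datetime

# Fixed part of the record: 27 bytes (the documented Record Length), little-endian.
# Assumptions: Word = 2-byte unsigned, LongInt = 4-byte signed, Btrieve 'Date' is
# day(1) month(1) year(2) and Btrieve 'Time' is hundredths(1) seconds(1)
# minutes(1) hours(1).  The Comment array is the variable-length tail.
FIXED_FORMAT = "<HBBHBBBBBiiHHi"
FIXED_LENGTH = struct.calcsize(FIXED_FORMAT)      # 27
COMMENT_MAX = 20

# 1-based offsets from the table, used to show where the Btrieve keys sit.
OFFSET_DATE, OFFSET_TIME, OFFSET_CL_ID, OFFSET_CMTTYPE = 3, 7, 16, 22


def pack_record(rec_type, when, ccode, fs_id, cl_id, srv_type, cmt_type, charge, comment=b""):
    """Build a record buffer from its fields (comment truncated to 20 bytes)."""
    fixed = struct.pack(FIXED_FORMAT, rec_type, when.day, when.month, when.year,
                        when.microsecond // 10000, when.second, when.minute, when.hour,
                        ccode, fs_id, cl_id, srv_type, cmt_type, charge)
    return fixed + comment[:COMMENT_MAX]


def unpack_record(buf):
    """Decode a record buffer, as returned by a Btrieve read, into a dict."""
    if len(buf) < FIXED_LENGTH:
        raise ValueError(f"record too short: {len(buf)} bytes, need {FIXED_LENGTH}")
    (rec_type, day, month, year, hundredths, sec, minute, hour,
     ccode, fs_id, cl_id, srv_type, cmt_type, charge) = struct.unpack_from(FIXED_FORMAT, buf)
    return {
        "rec_type": rec_type,
        "when": datetime(year, month, day, hour, minute, sec, hundredths * 10000),
        "ccode": ccode, "fs_id": fs_id, "cl_id": cl_id,
        "srv_type": srv_type, "cmt_type": cmt_type, "charge": charge,
        "comment": bytes(buf[FIXED_LENGTH:FIXED_LENGTH + COMMENT_MAX]),
    }


def key_bytes(buf, offset_1based, length):
    """Return the raw bytes of a key segment, addressed as in the Btrieve key table."""
    start = offset_1based - 1
    return bytes(buf[start:start + length])


# Constructed sample record (values are made up, not real accounting data).
SAMPLE = pack_record(rec_type=1, when=datetime(1991, 8, 20, 9, 55, 1),
                     ccode=0, fs_id=0x0001, cl_id=0x1B040A63, srv_type=4,
                     cmt_type=3, charge=0, comment=b"LOGIN")

if __name__ == "__main__":
    rec = unpack_record(SAMPLE)
    print(f"{len(SAMPLE)} bytes: fixed part {FIXED_LENGTH}, comment {len(rec['comment'])}")
    print("Key 0 (CmtType) bytes:", key_bytes(SAMPLE, OFFSET_CMTTYPE, 2).hex())
    print("Key 2 (CL_ID)   bytes:", key_bytes(SAMPLE, OFFSET_CL_ID, 4).hex())
    print("decoded:", rec)
```

    The 1-based offsets in the key table are converted to 0-based slices in
    key_bytes, which is the usual source of off-by-one mistakes when reading
    Btrieve key definitions.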




Charge        Show charge audits for users or groups
    Syntax:   PAUDIT2 Ch[arge]
    Examples: PAUDIT2 Charge
              PAUDIT2 Ch User=guest
              PAUDIT2 Group=sales Charge


Database      Output in database format
    Purpose:  Use this switch if you want to prepare PAUDIT2's output
              for export into other databases, with selectable field
              delimiters and separators.
    Syntax:   PAUDIT2 Da[tabase]
    Example:  PAUDIT2 us=WSCHREIB Datab  > WS.EXP

    Every PAUDIT2 option can be followed by the data base switch.
        Default field delimiter:  "
        Default field separator:  ,
    The result will look like:
        "3", "08-20-1991", "09:55:01", "WSCHREIB", "49211B00:00001B040A63"
        "4", "08-20-1991", "10:57:06", "WSCHREIB", "49211B00:00001B040A63"

    Other delimiters can be selected with the environment variable DEL:
        e.g.:  SET DEL='     or SET DEL=NUL  (will result in no delimiters)
    Other separators can be selected with the environment variable SEP:
        e.g.:  SET SEP=;     or SET SEP=TAB  (Tabs as separators)

    The first value of each record represents the type of record (type of
    accounting comment) in the accounting log:
         1: Connect time, requests, reads and writes
         2: Disk storage
         3: Login
         4: Logout
         5: Intruder lockout
         6: Server time change
         90: Disk Storage charges
         91: General Charges (requests, login time, kb read, kb written)
        99: other / comments


DefPC         List all users and their preferred PC addresses
    Purpose:  Create a list of users with their usual node addresses
    Syntax:   PAUDIT2 DefPC
    Example:  PAUDIT2 DefPC


DefUser       List all PCs addresses and their normal user
    Purpose:  Create a list of nodes with their default user
    Syntax:   PAUDIT2 DefU[ser]
    Example:  PAUDIT2 DefUser


Disk          Show disk access charges
    Syntax:   PAUDIT2 Di[sk]
    Examples: PAUDIT2 Disk
              PAUDIT2 User=WSCHREIB Before=31.12.90 Disk


File          Use alternate input file
    Purpose:  Analyse specified file instead of the current accounting file
    Syntax:   PAUDIT2 F[ile]=<name>     (Default is SYS:SYSTEM\NET$ACCT.DAT)
    Example:  PAUDIT2 us=WSCHREIB  File=F:NET$ACCT.OLD


Group         Show audits for members of specified group
    Syntax:   PAUDIT2 Gr[oup]=<groupname>
    Examples: PAUDIT2 GR=wp_user
              PAUDIT2 GR=wp_user Warning After=1.1.92
              PAUDIT2 GR=!wp_user       (Exclude group members)


Intruder      Show intruder lockout messages
    Purpose:  Try to locate and identify intruders
              (Cannot be combined with other options)
    Syntax:   PAUDIT2 In[truder]
    Example:  PAUDIT2 Intr


Login         Show only logins
    Syntax:   PAUDIT2 Lo[gin]
    Examples: PAUDIT2 Log
              PAUDIT2 Login Node=ABC Gr=Students


Map           Show audits for one user in semi-graphic mode
    Purpose:  Create semi-graphical usage analysis for specified user
    Syntax:   PAUDIT2 MAP=<username>
    Examples: PAUDIT2 MAP=guest
              PAUDIT2 Map=Guest Net=123 before=31.12.1990


Network       Show all audits for specified network address
    Syntax:   PAUDIT2 Ne[twork]=<net_address>
    Examples: PAUDIT2 Net=A123        (Leading zeros may be omitted)
              PAUDIT2 Net=10ABC User=WSCHREIB Warn
              PAUDIT2 Net=!ABC        (Exclude network ABC)


Rebuild       Repair damaged NET$ACCT.DAT file
    Purpose:  Correct errors in accounting file
    Syntax:   PAUDIT2 Re[build]
    Examples: PAUDIT2 Rebuild              (repair complete file)
              PAUDIT2 U=!GUEST /Rebuild    (filter GUEST from audit file)

    The original NET$ACCT.DAT will NOT be modified. A repaired copy of
    NET$ACCT.DAT with the name 'NET$ACCT.NEW' will be placed to your
    current drive, instead. You should copy this file to SYS:SYSTEM as
    'NET$ACCT.DAT' after saving the damaged original.

    Rebuild can also be used to create subsets of the accounting 
    file. The option can be combined with most of the other options 
    to create subsets of accounting files with selected data, only.


ServerName    Output with preceding server name
    Purpose:  Allow easier identification of data base information
    Syntax:   PAUDIT2 S[erverName]
    This option is primarily useful in combination with the data base
    option if it is desired to include the server name for documentation.
    Example:  PAUDIT2 User=WSCHREIB Servername Database


Node          Show all audits of specified physical station
    Syntax:   PAUDIT2 No[de]=<station_address>
    Examples: PAUDIT2 Node=EC004B     (Leading zeros may be omitted)
              PAUDIT2 Node=2 After=1.1.92
              PAUDIT2 Node=!2         (Exclude node 2)


Unusual       Show users on unusual workstations
    Purpose:  Tries to identify intruders and users who log in from unusual
              node addresses
              (Cannot be combined with other options)
    Syntax:   PAUDIT2 Un[usual]
    Example:  PAUDIT2 Unusual

    Display all incidents where users log in or try to log in from PCs
    that they normally don't use.
    Identify the owner of PCs that caused intruder detection warnings.
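    The analysis the DefPC, DefUser, Unusual and Warning options describe,
    carried out in Python on the Database-style export documented under the
    'Database' option above. This is an added example, not PAUDIT2's own code
    or method; it reads the "type, date, time, user, address" column order from
    the export sample in this document, honours the DEL/SEP conventions (NUL and
    TAB), and works on a constructed sample export. The assumption that a
    lockout record names the attacked account and the originating station, and
    that a time-change record has an empty user field, is mine and is marked
    in the code.

```python
"""Parse PAUDIT2 'Database' style output and reproduce, on the exported text,
the kind of analysis the DefPC, DefUser, Unusual and Warning options perform.
Added example, not part of PAUDIT2."""
from collections import Counter, defaultdict

# Record type codes, as documented for the Database switch.
RECORD_TYPES = {
    1: "Connect time, requests, reads and writes",
    2: "Disk storage",
    3: "Login",
    4: "Logout",
    5: "Intruder lockout",
    6: "Server time change",
    90: "Disk storage charges",
    91: "General charges",
    99: "other / comments",
}
LOGIN, LOCKOUT, TIME_CHANGE = 3, 5, 6

# Constructed sample export (not real accounting data).  Column order follows the
# example in the documentation: type, date, time, user, network:node address.
# Assumption: lockout records carry the attacked account name and the address
# of the station that caused the lockout; the time-change record has no user.
SAMPLE_EXPORT = """\
"3", "08-20-1991", "09:55:01", "WSCHREIB", "49211B00:00001B040A63"
"4", "08-20-1991", "10:57:06", "WSCHREIB", "49211B00:00001B040A63"
"3","08-21-1991","08:12:40","WSCHREIB","49211B00:00001B040A63"
"4","08-21-1991","17:01:12","WSCHREIB","49211B00:00001B040A63"
"5","08-22-1991","23:39:55","SUPERVISOR","0000A123:00001B04EC00"
"3","08-22-1991","23:41:03","WSCHREIB","0000A123:00001B04EC00"
"6","08-23-1991","00:00:00","","49211B00:00001B040A63"
"""


def resolve_sep(value):
    """Interpret the SEP environment variable: 'TAB' selects a tab character."""
    return "\t" if value.upper() == "TAB" else value


def resolve_del(value):
    """Interpret the DEL environment variable: 'NUL' selects no delimiters."""
    return "" if value.upper() == "NUL" else value


def parse_record(line, sep=",", delim='"'):
    """Split one exported line into its fields.  Versions before 1.33 put a
    blank after each separator, later ones do not, so whitespace is stripped."""
    fields = []
    for raw in line.split(sep):
        field = raw.strip()
        if delim and len(field) >= 2 * len(delim) and field.startswith(delim) and field.endswith(delim):
            field = field[len(delim):len(field) - len(delim)]
        fields.append(field)
    return fields


def parse_export(text, sep=",", delim='"'):
    """Turn the whole export into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rtype, date, time, user, address = parse_record(line, sep, delim)[:5]
        records.append({"type": int(rtype), "date": date, "time": time,
                        "user": user.upper(), "address": address.upper()})
    return records


def analyse(records):
    """DefPC / DefUser tables, unusual logins and security warnings."""
    logins = [r for r in records if r["type"] == LOGIN]
    per_user, per_node = defaultdict(Counter), defaultdict(Counter)
    for r in logins:
        per_user[r["user"]][r["address"]] += 1
        per_node[r["address"]][r["user"]] += 1
    # DefPC: each user's most frequent login address; DefUser: each node's most frequent user.
    def_pc = {u: c.most_common(1)[0][0] for u, c in per_user.items()}
    def_user = {n: c.most_common(1)[0][0] for n, c in per_node.items()}
    # Unusual: logins from an address other than the user's usual one.
    unusual = [r for r in logins if r["address"] != def_pc[r["user"]]]
    # Warning: intruder lockouts and server time changes.  For lockouts, attach the
    # usual user of the originating node so the owner of that PC can be identified.
    warnings = []
    for r in records:
        if r["type"] in (LOCKOUT, TIME_CHANGE):
            w = dict(r, description=RECORD_TYPES[r["type"]])
            if r["type"] == LOCKOUT:
                w["node_owner"] = def_user.get(r["address"], "unknown")
            warnings.append(w)
    return {"def_pc": def_pc, "def_user": def_user, "unusual": unusual, "warnings": warnings}


if __name__ == "__main__":
    report = analyse(parse_export(SAMPLE_EXPORT))
    for u, a in report["def_pc"].items():
        print(f"DefPC   {u:<12} {a}")
    for r in report["unusual"]:
        print(f"UNUSUAL {r['date']} {r['time']} {r['user']} from {r['address']}")
    for w in report["warnings"]:
        owner = f" via node owned by {w['node_owner']}" if "node_owner" in w else ""
        print(f"WARNING {w['date']} {w['time']} {w['description']}{owner}")
```

    On the constructed sample the report shows WSCHREIB's usual station, one
    login from a station he does not normally use, and a SUPERVISOR lockout
    originating from that same station, which is the correlation the Unusual
    option is meant to surface. The "most frequent address" rule is a simple
    stand-in for whatever PAUDIT2 uses internally; with a long enough history
    it is what an administrator would compare a fresh login against.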


User          Show audits for one specified user only
    Syntax:   PAUDIT2 Us[er]=<username>
    Examples: PAUDIT2 US=supervisor
              PAUDIT2 U=Wschreib Net=123
              PAUDIT2 U=!Wschreib Net=123      (Exclude user WSCHREIB)


Warning       Show warnings from audit file
    Purpose:  Show security relevant audits (time changes/intruder)
    Syntax:   PAUDIT2 WA[rning]
    Examples: PAUDIT2 Warn
              PAUDIT2 US=supervisor Warn


---------------------------------------------------------------

Restrictions:
   - Some options cannot be combined with others:
     'Repair', 'DefPC', 'DefUser', 'Unusual'
   - Some useless combinations are prohibited
   - Btrieve output may not be available in all versions

---------------------------------------------------------------


Error Messages / Troubleshooting:

   - 'Btrieve requester not loaded.'
     To utilize Btrieve file output features of PAUDIT2
     the Btrieve requester must be loaded first.

   - 'Could not create ... '
     A new accounting file could not be created. Check rights, drive,
     and name of new file.

   - 'Error in ... : offset ...'
     The accounting file was corrupt. Try the option 'REPAIR'

   - 'Insufficient Memory'
     Some options (Intruder, DefPC, DefUser, Unusual) need more memory than
     your PC has. Try removing some resident utilities or use a more
     efficient memory manager.

   - 'Invalid Address'
     The address entered was invalid (too short or too long)

   - 'Invalid combination of options'
     Some PAUDIT2 options cannot be combined with certain others

   - 'Invalid Date'
     Enter the date in European format: Day.Month.Year

   - 'Group does not exist'
     A non-existing group was specified on the command line.

   - 'PAUDIT2 (...) is damaged or virus infected !'
     PAUDIT2 does not have the expected file size. This might be caused
     by virus infections.  Check your system.

   - 'Unexpected end of ... '
     The accounting file was corrupt. Try the option 'REPAIR'

   - 'User does not exist'
     A non-existing user was specified on the command line.

   - 'Waiting to get file access ... '
     The accounting file SYS:SYSTEM\NET$ACCT.DAT is locked by NetWare
     or another application.


Public Domain Software written by   Dr. Wolfgang Schreiber

--------------------------------------------------------------
