
Determine application executable artifact scope through monitoring on OpenVMS


We have a legacy COBOL application based on OpenVMS for which we do not have a clear idea of configuration. In this context, by "configuration" I am talking about:

  1. Which executable files comprise the application;
  2. Which pristine source files correspond to which executable files.

It may seem odd that 1 above is something that is not known, but over time what has happened is that executables have "come and gone" (and many still remain used). The knowledge of which executable files constitute the application as it exists today is not known since knowledge of which executables are no longer required has been lost in time. In practical terms, the team faithfully compiles all source code files and deploys the resultant executables despite the fact that there are obviously programs that are no longer used.

It goes without saying that there is no formal configuration management process and the source code is not kept in a version control system. Since the application runs on OpenVMS, the corresponding Files-11-based file system keeps older versions of files (including source files) and this has long been the excuse for not putting the application source into a version control system (despite the reasons for using a VCS extending far beyond merely having a record of previous versions).

There are a number of ways in which the configuration can be determined, of course, but I'd like to start with a first "small step", that is: determine the set of executables that comprise the application. At this point I should mention that the executable components of the application are not limited to OpenVMS images, but also DCL command files. I would like to:

  1. Log all invocations of images that reside in a certain directory or set of directories;
  2. Log all invocations of command files that reside in a certain directory or set of directories.

If we run this logging on our production system over an extended period of time, say two months, we can get a pretty good idea of what the application comprises. Together with user consultation, we'll be able to confirm the need for the executable files that aren't being called.

I think I have an idea of how to do 1 above, although I'm not sure of the specifics, that is, use SET/AUDIT. The second part, at this stage, I have no idea of how to do.

So, the main criterion for this effort is that as little of the existing system be affected in order to gain the above information. Due to the question mark around the configuration (and the complete lack of automated tests), changing anything is a nerve-wracking undertaking.

Using operating-system-level services like SET/AUDIT would allow one to get to know what's being run without the need to change source and/or recompile anything. So, my question is a multi-parter:

  1. Is this the optimal way to do this on OpenVMS?
  2. What would I need to do to restrict SET/AUDIT to only monitor images in a particular directory?
  3. How would I log command file invocation without changing the .COM source files?
  4. What should I expect in terms of performance degradation as a result of logging such information?

Solution

  • Ad 2., 3.

    I would try security auditing with ACLs. From a privileged account, something like ...

    Make sure ACL auditing is enabled:

    $ show audit
    

    should show

    System security audits currently enabled for:
    ...
    ACL
    ...
    

    If it doesn't, enable it with

    $ set audit/audit/enable=acl
    

    and then you may want to disable it when you are done with

    $ set audit/audit/disable=acl
    

    Set audit ACLs on all the wanted files:

    $ set sec/acl=(audit=security,access=success+execute) [.app]*.com
    $ set sec/acl=(audit=security,access=success+execute) [.app]*.exe
    

    and you may want to delete the ACLs when you are done with

    $ set security/acl=(audit=security,access=success+execute)/delete [.app]*.com
    $ set security/acl=(audit=security,access=success+execute)/delete [.app]*.exe
    

    You can check what ACLs are set with:

    $ show security [.app]*.*
    

    Run your application ...

    Get the results from the audit file

    $ analyze/audit [vms$common.sysmgr]security.audit$journal/sel=access=execute/full/since=17:00/out=app.log
    

    Check your report for your files:

    $ pipe type app.log |search sys$pipe "File name", ,"Access requested"
    File name:                _EMUVAX$DUA0:[USER.APP]NOW.COM;1
    Access requested:         READ,EXECUTE
    Auditable event:          Object access
    File name:                _EMUVAX$DUA0:[USER.APP]ECHO.EXE;1
    Access requested:         READ,EXECUTE
    $ 
    

    Sorry, I have no answer for 1. and 4.
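
An added example, not part of the original answer: one way to turn the `app.log` report into the list the question asks for, namely which deployed files were executed and which never were. It assumes the report keeps the `File name:` / `Access requested:` line pairs shown in the excerpt above; the sample report, the inventory list and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the app.log excerpt shown above.
SAMPLE_REPORT = """\
Auditable event:          Object access
File name:                _EMUVAX$DUA0:[USER.APP]NOW.COM;1
Access requested:         READ,EXECUTE
File name:                _EMUVAX$DUA0:[USER.APP]ECHO.EXE;1
Access requested:         READ,EXECUTE
File name:                _EMUVAX$DUA0:[USER.APP]NOW.COM;2
Access requested:         READ,EXECUTE
File name:                _EMUVAX$DUA0:[USER.APP]NOTES.TXT;1
Access requested:         READ
"""

# Constructed inventory of deployed files (assumed to come from a directory listing).
DEPLOYED = ["[USER.APP]NOW.COM", "[USER.APP]ECHO.EXE", "[USER.APP]OLDJOB.COM"]

FIELD = re.compile(r"^\s*(File name|Access requested):\s+(\S.*?)\s*$")

def normalize(spec):
    """Drop the device and the ;version so all versions count as one file."""
    spec = spec.split(";", 1)[0]
    return spec[spec.index("["):].upper() if "[" in spec else spec.upper()

def executed_files(report):
    """Count EXECUTE accesses per file from File name / Access requested pairs."""
    counts, current = Counter(), None
    for line in report.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # any other report line is ignored
        key, value = m.groups()
        if key == "File name":
            current = normalize(value)
        elif current is not None:
            if "EXECUTE" in {a.strip().upper() for a in value.split(",")}:
                counts[current] += 1
            current = None  # one access line per file name
    return counts

def never_executed(report, deployed):
    """Deployed files with no EXECUTE access anywhere in the report."""
    seen = executed_files(report)
    return sorted(f for f in map(normalize, deployed) if f not in seen)

if __name__ == "__main__":
    print(dict(executed_files(SAMPLE_REPORT)))
    print("never executed:", never_executed(SAMPLE_REPORT, DEPLOYED))
```

Files that come out as never executed are candidates for the user consultation the question mentions, not proof that they are unused: anything that runs less often than the logging window will also land there.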