0

We have a legacy COBOL application based on OpenVMS for which we do not have a clear idea of configuration. In this context, by "configuration" I am talking about:

  1. Which executable files comprise the application;
  2. Which pristine source files correspond to which executable files.

It may seem odd that 1 above is something that is not known, but over time what has happened is that executables have "come and gone" (and many still remain used). The knowledge of which executable files constitute the application as it exists today is not known since knowledge of which executables are no longer required has been lost in time. In practical terms, the team faithfully compiles all source code files and deploys the resultant executables despite the fact that there are obviously programs that are no longer used.

It goes without saying that there is no formal configuration management process and the source code is not kept in a version control system. Since the application runs on OpenVMS, the corresponding Files-11-based file system keeps older versions of files (including source files) and this has long been the excuse for not putting the application source into a version control system (despite the reasons for using a VCS extending far beyond merely having a record of previous versions).

There are a number of ways in which the configuration can be determined, of course, but I'd like to start with a first "small step", that is: determine the set of executables that comprise the application. At this point I should mention that the executable components of the application are not limited to OpenVMS images, but also DCL command files. I would like to:

  1. Log all invocations of images that reside in a certain directory or set of directories;
  2. Log all invocations of command files that reside in a certain directory or set of directories.

If we run this logging on our production system over an extended period of time, say two months, we can get a pretty good idea of what the application comprises. Together with user consultation, we'll be able to confirm the need for the executable files that aren't being called.

I think I have an idea of how to do 1 above, although I'm not sure of the specifics, that is, use SET/AUDIT. The second part, at this stage, I have no idea of how to do.

So, the main criterion for this effort is that as little of the existing system be affected in order to gain the above information. Due to the question mark around the configuration (and the complete lack of automated tests), changing anything is a nerve-wracking undertaking.

Using operating-system-level services like SET/AUDIT would allow one to get to know what's being run without the need to change source and/or recompile anything. So, my question is a multi-parter:

  1. Is this the optimal way to do this on OpenVMS?
  2. What would I need to do to restrict SET/AUDIT to only monitor images in a particular directory?
  3. How would I log command file invocation without changing the .COM source files?
  4. What should I expect in terms of performance degradation as a result of logging such information?
Eric Smith
  • 1
    Oy. A good starting point is [analyze/image](http://h71000.www7.hp.com/doc/83final/9996/9996pro_7.html) to start building a dependency tree of images. You might obtain some insight from [set watch file/class=major_function](http://labs.hoffmanlabs.com/node/506) if it is still available. If you are dealing with code that spins off additional (sub)processes then it may present some, um, challenges. A favorite of mine was [`Lib$Find_Image_Symbol`](http://h71000.www7.hp.com/doc/82final/5932/5932pro_018.html) to perform late binding for optional code. "Do you feel lucky?" – HABO Nov 26 '15 at 18:10
  • 1
    It wasn't mentioned whether this is VAX, Alpha or I64. For Alpha and I64 there is a tool to print the dependency tree of images: SHIML - SHareable IMage List. SET WATCH FILE is available on all platforms. It is a process setting, you need privileges to turn file "watching" on, you very likely have to change scripts/command procedures to use it, it will watch all files touched while turned on (that is non-executable and non-application files etc. including shareable images from sys$library when they aren't installed as open known images) and you have to redirect its output to a log file. – user2116290 Nov 26 '15 at 20:19
  • Yes, I failed to mention the platform: Itanium and OpenVMS 8.4. – Eric Smith Nov 27 '15 at 05:44

2 Answers

5

Ad 2., 3.

I would try security auditing with ACLs. From a privileged account, something like ...

Make sure ACL auditing is enabled:

```
$ show audit
```

should show

```
System security audits currently enabled for:
...
ACL
...
```

If it doesn't, enable it with

```
$ set audit/audit/enable=acl
```

and then you may want to disable it when you are done with

```
$ set audit/audit/disable=acl
```

Set audit ACLs on all the wanted files:

```
$ set sec/acl=(audit=security,access=success+execute) [.app]*.com
$ set sec/acl=(audit=security,access=success+execute) [.app]*.exe
```

and you may want to delete the ACLs when you are done with

```
$ set security/acl=(audit=security,access=success+execute)/delete [.app]*.com
$ set security/acl=(audit=security,access=success+execute)/delete [.app]*.exe
```

You can check what ACLs are set with:

```
$ show security [.app]*.*
```

Run your application ...

Get the results from the audit file:

```
$ analyze/audit [vms$common.sysmgr]security.audit$journal/sel=access=execute/full/since=17:00/out=app.log
```

Check your report for your files:

```
$ pipe type app.log |search sys$pipe "File name", ,"Access requested"
File name:                _EMUVAX$DUA0:[USER.APP]NOW.COM;1
Access requested:         READ,EXECUTE
Auditable event:          Object access
File name:                _EMUVAX$DUA0:[USER.APP]ECHO.EXE;1
Access requested:         READ,EXECUTE
$ 
```

Sorry, I have no answer for 1. and 4.

user2116290
  • Thank you for the comprehensive answer; looks like command file auditing is a "non issue" then, i.e., just done the same way as images. – Eric Smith Nov 26 '15 at 05:37
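
The report-checking step in the answer above can be automated once `app.log` is copied off the system. This is an added example, not code from the answer's author: it tallies EXECUTE accesses per file from the report and lists deployed files that were never invoked. The sample report and inventory are constructed, and the parser assumes only the three field labels visible in the answer's output.

```python
import re
from collections import Counter

# Constructed sample using the field labels from the report output above.
SAMPLE_REPORT = """\
Auditable event:          Object access
File name:                _EMUVAX$DUA0:[USER.APP]NOW.COM;1
Access requested:         READ,EXECUTE
Auditable event:          Object access
File name:                _EMUVAX$DUA0:[USER.APP]ECHO.EXE;1
Access requested:         READ,EXECUTE
Auditable event:          Object access
File name:                _EMUVAX$DUA0:[USER.APP]NOW.COM;2
Access requested:         READ,EXECUTE
Auditable event:          Object access
File name:                _EMUVAX$DUA0:[USER.APP]NOTES.TXT;1
Access requested:         READ
"""
# Constructed inventory of deployed files (NAME.TYP), e.g. from a directory listing.
SAMPLE_INVENTORY = ["NOW.COM", "ECHO.EXE", "OLDJOB.COM", "LEGACY.EXE"]

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*\S)\s*$")

def normalise(spec):
    """Drop the leading underscore and the ;version so all versions count as one file."""
    return spec.lstrip("_").split(";", 1)[0].upper()

def executed_files(report_text):
    """Return a Counter of EXECUTE accesses keyed by DEV:[DIR]NAME.TYP."""
    counts, current = Counter(), None
    for line in report_text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Auditable event":        # a new audit record begins
            current = None
        elif key == "File name":
            current = normalise(value)
        elif key == "Access requested" and current:
            if "EXECUTE" in (a.strip() for a in value.split(",")):
                counts[current] += 1
            current = None
    return counts

def never_invoked(inventory, counts):
    """Inventory entries with no audited EXECUTE access: candidates for review."""
    seen = {spec.rsplit("]", 1)[-1] for spec in counts}
    return sorted(name for name in inventory if name.upper() not in seen)
```

Files returned by `never_invoked` are only candidates for the user consultation the question describes; an image activated less often than the audit window would also appear there.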
0

It would help to know the OpenVMS version (e.g. 6.2, 7.3-2, 8.4...) and the architecture (VAX, Alpha, Itanium).

Recent OpenVMS versions have great SDA extensions

http://h71000.www7.hp.com/doc/84final/6549/6549pro_ext1.html

or

http://de.openvms.org/Spring2009/05-SDA_EXTENSIONS.pdf

such as LNM to check the logical names used by a process, PCS for PC sampling of a process, FLT to check the faulting behavior of applications, RMS for RMS data structures, PERF only for Itanium performance tracing, PROCIO for the reads and writes for all files opened by a process.

Post a

```
dir sys$share:*sda.exe
```

so that we know which SDA extensions are available for you.

You can always check what a process with a pid of 204002B4 does with

```
$ ana/sys
set proc/id=204002B4
sh process /channel
exam @pc
```

and repeat while the process moves on.

user2915097
  • The OpenVMS version and architecture were added to the initial post in a comment: Itanium and OpenVMS 8.4. I don't want to argue about SDA and its extensions, and I don't know what the OP did and intends to do, but using SDA will very likely require more work to accomplish what other tools/features like ACLs and security auditing already do. Also, SHOW PROCESS/CHANNEL is a snapshot. It's not obvious how it can capture all shareable images the application images depend on when the run time of a specific application image is short. – user2116290 Dec 27 '15 at 09:14
  • You can get lists of opened files for a process every second with the basic following DCL script, launch it with P1 as pid of the process you want to monitor and P2 as the wait interval, that can be 00:00:01 or less:

    ```
    $ say := wr sys$output
    $ cp = 0
    $ loop:
    $ pipe say "sh proc/id=''P1'/chan" | ana/sys > list_'cp.lis
    $ wait 'P2
    $ cp = cp + 1
    $ goto loop
    ```

    For example: `@a 204002B4 00:00:01` – user2915097 Dec 27 '15 at 17:00
  • If you need shorter delays you may use as P2 00:00:00.01 – user2915097 Dec 27 '15 at 17:29
  • 1
    Sure, you can get a list of opened files that way, but at what cost? The suggested pipe command creates two processes, activates about 10 images (main and shareable) and writes one file. Doing this every second, or even shorter puts unnecessary load onto the system. To me, taking snapshots, no matter what the interval is, looks like the wrong approach. – user2116290 Dec 28 '15 at 10:04