Auditing Security-Relevant Events

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP OpenVMS System Manager's Manual, Volume 1:...

Security Considerations

Using the ACL Editor

Analyzing Audit Log Files

Auditing Security-Relevant Events

System managers can select the destination for security-relevant event messages. Alarm messages are sent to the operator's terminal and audit messages are sent to the system security audit log file. You can choose to have an event reported as an alarm, as an audit, or as both.

Enabling Classes of Security Alarms

The OpenVMS operating system automatically monitors a certain number of events, as listed in the HP OpenVMS System Manager's Manual, Volume 2: Tuning, Monitoring, and Complex Systems.

You can enable additional classes of events by listing one or more of the keywords of the /ENABLE qualifier to the DCL command SET AUDIT listed in Kinds of Security Events OpenVMS Can Report.

Table 1 Kinds of Security Events OpenVMS Can Report
Event Class Description

Access
Specifies access events for all objects in a class. You can audit selected types of access, both privileged and nonprivileged, to all protected objects of a particular class.

ACL
Events requested by a security Audit or Alarm ACE in the access control list (ACL) of an object.

Authorization
Modification of any portion of SYSUAF.DAT, NETPROXY.DAT, NET$PROXY.DAT, or RIGHTSLIST.DAT.

Breakin
Break-in attempts.

Connection
Logical link connections or terminations through SYSMAN, DECnet for OpenVMS Phase IV, DECwindows products, or an interprocess communication (IPC) call.

Create
Creation of a protected object.

Deaccess
Deaccess from a protected object.

Delete
Deletion of a protected object.

Identifier
Use of identifiers as privileges.

Install
Modifications made to the known file list through the Install utility.

Logfailure
Failed login attempts.

Login
Successful login attempts.

Logout
Logouts.

Mount
Volume mounts and dismounts.

NCP
Modification to the network configuration database, using the network control program (NCP).

Privilege
Successful or unsuccessful use of privilege.

Process
Use of one or more of the process control system services.

SYSGEN
Modification of a system parameter with the System Generation utility (SYSGEN) or AUTOGEN.

Time
Modification of system time.

**Table 1** **Kinds of Security Events OpenVMS Can Report**
Event Class	Description
Access	Specifies access events for all objects in a class. You can audit selected types of access, both privileged and nonprivileged, to all protected objects of a particular class.
ACL	Events requested by a security Audit or Alarm ACE in the access control list (ACL) of an object.
Authorization	Modification of any portion of SYSUAF.DAT, NETPROXY.DAT, NET$PROXY.DAT, or RIGHTSLIST.DAT.
Breakin	Break-in attempts.
Connection	Logical link connections or terminations through SYSMAN, DECnet for OpenVMS Phase IV, DECwindows products, or an interprocess communication (IPC) call.
Create	Creation of a protected object.
Deaccess	Deaccess from a protected object.
Delete	Deletion of a protected object.
Identifier	Use of identifiers as privileges.
Install	Modifications made to the known file list through the Install utility.
Logfailure	Failed login attempts.
Login	Successful login attempts.
Logout	Logouts.
Mount	Volume mounts and dismounts.
NCP	Modification to the network configuration database, using the network control program (NCP).
Privilege	Successful or unsuccessful use of privilege.
Process	Use of one or more of the process control system services.
SYSGEN	Modification of a system parameter with the System Generation utility (SYSGEN) or AUTOGEN.
Time	Modification of system time.

Refer to the HP OpenVMS DCL Dictionary for more information about the SET AUDIT command.

Using the ACL Editor

Analyzing Audit Log Files