
HP OpenVMS Systems Documentation


HP OpenVMS System Management Utilities Reference Manual



/EVENT_TYPE

Selects the classes of events to be extracted from the security log file. If you omit the qualifier or specify the ALL keyword, the utility includes all enabled event classes in the report.

Format

/EVENT_TYPE=(event-type[,...])


Keyword

event-type[,...]

Specifies the classes of events used to select records. You can specify any of the following event types:
[NO]ACCESS Access to an object, such as a file
[NO]ALL All event types
[NO]AUDIT Use of the SET AUDIT command
[NO]AUTHORIZATION Change to the authorization database (SYSUAF.DAT, RIGHTSLIST.DAT, NETPROXY.DAT, or NET$PROXY.DAT)
[NO]BREAKIN Break-in detection
[NO]CONNECTION Establishment of a network connection through the System Management utility (SYSMAN), DECwindows, or interprocess communication (IPC) software or DECnet Phase IV (VAX only)
[NO]CREATE Creation of an object
[NO]DEACCESS Completion of access to an object
[NO]DELETE Deletion of an object
[NO]INSTALL Modification of the known file list with the Install utility (INSTALL)
[NO]LOGFAIL Unsuccessful login attempt
[NO]LOGIN Successful login
[NO]LOGOUT Successful logout
[NO]MOUNT Execution of DCL commands MOUNT or DISMOUNT
[NO]NCP Modification of the DECnet network configuration databases
[NO]NETPROXY Modification of the network proxy authorization file (NETPROXY.DAT or NET$PROXY.DAT)
[NO]PRIVILEGE Privilege auditing
[NO]PROCESS Use of one or more of the process control system services: $CREPRC, $DELPRC, $SCHDWK, $CANWAK, $WAKE, $SUSPND, $RESUME, $GRANTID, $REVOKID, $GETJPI, $FORCEX, $SETPRI
[NO]RIGHTSDB Modification of the rights database (RIGHTSLIST.DAT)
[NO]SYSGEN Modification of system parameters through the System Generation utility (SYSGEN) or AUTOGEN
[NO]SYSUAF Modification of the system user authorization file (SYSUAF.DAT)
[NO]TIME Change in system or cluster time

Specifying the negated form of an event class (for example, NOLOGFAIL) excludes the specified event class from the audit report.


Examples

#1

$ ANALYZE/AUDIT/EVENT_TYPE=LOGFAIL -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

The command in this example extracts all records of unsuccessful login attempts, which match the LOGFAIL class, and compiles a brief report.

#2

$ ANALYZE/AUDIT/EVENT_TYPE=(NOLOGIN,NOLOGOUT) -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

The command in this example builds a report in brief format of all audit records except those in the LOGIN and LOGOUT event classes.

/FULL

Controls whether a full format is used in ASCII displays. If you specify /NOFULL or omit the qualifier, records are displayed in the brief format.

Format

/FULL

/NOFULL (default)


Keywords

None.

Description

By default, records are displayed in the brief format. You must specify /FULL (or enter command mode by pressing Ctrl/C) to have the full contents of each selected record displayed.

The /BINARY, /BRIEF, and /FULL qualifiers cannot be used in combination.


Example


$ ANALYZE/AUDIT /FULL -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

The command in this example displays the full contents of each selected record.

/IGNORE

Excludes records from the report that match the specified criteria.

Format

/IGNORE=criteria[,...]


Keyword

criteria[,...]

Specifies that all records are selected except those matching any of the specified exclusion criteria. See the /SELECT qualifier description for a list of the possible criteria to use with the /IGNORE qualifier.

Description

Use the /IGNORE qualifier to exclude specific groups of audit records from the audit report. When more than one keyword from the list of possible exclusion criteria is specified, a record that meets any one of those criteria is excluded.

Examples

#1

$ ANALYZE/AUDIT/IGNORE=(SYSTEM=NAME=WIPER,USERNAME=MILANT) -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

The command in this example excludes from the audit analysis report all records in the audit log file generated from node WIPER or from user MILANT (on any node).

#2

$ ANALYZE/AUDIT/IGNORE=SUBTYPE=(DIALUP,REMOTE)

The command in this example excludes dialup and remote processes.

/INTERACTIVE

Controls whether interactive command mode is enabled when ANALYZE/AUDIT is invoked.

Format

/INTERACTIVE (default)

/NOINTERACTIVE


Keywords

None.

Description

Interactive command mode, which is enabled by default, allows you to interrupt the audit report being displayed on the terminal and to enter commands either to modify the criteria used to select records for the report or to reposition the display.

To interrupt a full or brief audit report, press Ctrl/C and enter commands at the COMMAND> prompt. Once in command mode, the utility displays the current record in full format. Note that the record might not match the selection or exclusion criteria specified in the previous ANALYZE/AUDIT command.

The NEXT RECORD command is the default when you enter command mode. When ANALYZE/AUDIT reaches the end of the log file, it prompts for the next command. To verify the current log file name and your position within the file, press Ctrl/T.

Enter the CONTINUE command to leave interactive command mode and to resume display of the audit report. Enter the EXIT command to terminate the session. See the ANALYZE/AUDIT Commands section for a description of each interactive command.

To disable interactive mode, specify /NOINTERACTIVE. In this mode, the utility displays audit records one at a time and prompts you to advance the display by pressing the Return key.


Examples

#1

$ ANALYZE/AUDIT/FULL -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

The command in this example produces a full format display of the selected records. A new record is displayed every 3 seconds. (See the /PAUSE qualifier description to learn how to change the duration of each record display.) Press Ctrl/C to interrupt the display and to enter interactive commands.

#2

$ ANALYZE/AUDIT/FULL/NOINTERACTIVE -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

The command in this example invokes the utility in noninteractive mode. It displays the first record selected and prompts you to press the Return key to display each additional selected record. Control returns to the DCL command level when all selected records have been displayed.

/OUTPUT

Specifies where to direct output from ANALYZE/AUDIT. If you omit the qualifier, the report is sent to SYS$OUTPUT.

Format

/OUTPUT[=file-spec]

/NOOUTPUT


Keyword

file-spec

Specifies the name of the file that is to contain the selected records. If you omit the device and directory specification, the utility uses the current device and directory specification. If you omit the file name and type, the default file name AUDIT.LIS is used. If the output is binary (/BINARY) and you omit the /OUTPUT qualifier, the binary information is written to the file AUDIT.AUDIT$JOURNAL.

Example


$ ANALYZE/AUDIT /BINARY/OUTPUT=BIN122588.DAT -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

The command in this example selects audit records from the system audit log file and writes them to the binary file BIN122588.DAT.

/PAUSE

Specifies the length of time each record is displayed in a full-format display.

Format

/PAUSE=seconds


Keyword

seconds

Specifies the duration (in seconds) of the full-screen display. A value of 0 specifies that the system should not pause before displaying the next record. By default, the utility displays a record for 3 seconds.

Description

The /PAUSE qualifier can be used only with full-format (/FULL) displays to specify the length of time each record is displayed. By default, each record is displayed for a period of 3 seconds. A value of 0 results in a continuous display of audit records.

Example


$ ANALYZE/AUDIT /FULL/PAUSE=1 -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

The command in this example displays a selected record in full format every second. You can interrupt the display and enter interactive commands at any time by pressing Ctrl/C. (See the ANALYZE/AUDIT Commands section for more information.)

/SELECT

Specifies the criteria for selecting records from the audit log file. Refer to the HP OpenVMS Guide to System Security for a description of how to generate audit records.

Format

/SELECT=criteria[,...]

/NOSELECT


Keyword

criteria[,...]

Specifies the criteria for selecting records. For each specified criterion, ANALYZE/AUDIT has two selection requirements:
  • The packet corresponding to the criterion must be present in the record.
  • One of the specified values must match the value in that packet.

For example, if you specify (USER=(PUTNAM,WU),SYSTEM=DBASE) as the criteria, ANALYZE/AUDIT selects an event record containing the SYSTEM=DBASE packet and a USER packet with either the PUTNAM value or the WU value.

If you omit the /SELECT qualifier, all event records selected through the /EVENT_TYPE qualifier are extracted from the audit log file and included in the report.
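The two selection requirements above, together with the /IGNORE rule given earlier (a record is dropped when any exclusion criterion matches), as an added Python model that is not part of the HP documentation. It assumes an audit record can be modelled as a dict from packet name to value, flattens nested criteria such as SYSTEM=NAME=x to a SYSTEM_NAME packet, and runs over constructed sample records rather than a real SECURITY.AUDIT$JOURNAL.

```python
"""Model of how ANALYZE/AUDIT applies /EVENT_TYPE, /SELECT and /IGNORE.

Added illustration, not HP's code. An audit record is a dict from packet
name to value; SYSTEM=NAME=x style criteria are flattened to SYSTEM_NAME
(an assumption of this model, not a name from the manual).
"""
import re


def vms_match(pattern, value):
    """Wildcard compare as for DCL names: * matches any run of characters,
    % matches exactly one; names are compared case-insensitively."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "%" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, str(value), re.IGNORECASE) is not None


def criterion_matches(record, packet, values):
    """A criterion holds only if the packet is present in the record AND
    one of the listed values matches its contents (the two /SELECT rules)."""
    if packet not in record:
        return False
    return any(vms_match(v, record[packet]) for v in values)


def event_type_enabled(event_type, classes):
    """/EVENT_TYPE: plain keywords include a class, NO-prefixed keywords
    exclude it; with only negations (or ALL) every other class is included."""
    if not classes:
        return True
    wanted = {c.upper() for c in classes if not c.upper().startswith("NO")}
    unwanted = {c.upper()[2:] for c in classes if c.upper().startswith("NO")}
    if event_type in unwanted:
        return False
    return not wanted or "ALL" in wanted or event_type in wanted


def analyze(records, event_types=None, select=None, ignore=None):
    """Return the records a report would contain: class enabled, every
    /SELECT criterion satisfied (AND), no /IGNORE criterion satisfied (OR)."""
    select = select or {}
    ignore = ignore or {}
    report = []
    for rec in records:
        if not event_type_enabled(rec["EVENT_TYPE"], event_types):
            continue
        if not all(criterion_matches(rec, p, v) for p, v in select.items()):
            continue
        if any(criterion_matches(rec, p, v) for p, v in ignore.items()):
            continue
        report.append(rec)
    return report


# Constructed sample records (not taken from a real audit journal).
SAMPLE_RECORDS = [
    {"EVENT_TYPE": "LOGFAIL", "USERNAME": "PUTNAM", "SYSTEM_NAME": "DBASE", "SUBTYPE": "DIALUP"},
    {"EVENT_TYPE": "LOGIN", "USERNAME": "WU", "SYSTEM_NAME": "DBASE", "SUBTYPE": "LOCAL"},
    {"EVENT_TYPE": "LOGFAIL", "USERNAME": "MILANT", "SYSTEM_NAME": "WIPER", "SUBTYPE": "REMOTE"},
    {"EVENT_TYPE": "AUDIT", "USERNAME": "SYSTEM", "SYSTEM_NAME": "DBASE"},  # no SUBTYPE packet
    {"EVENT_TYPE": "LOGOUT", "USERNAME": "PUTNAM", "SYSTEM_NAME": "WIPER", "SUBTYPE": "LOCAL"},
]


def usernames(report):
    return [r["USERNAME"] for r in report]


if __name__ == "__main__":
    # /SELECT=(USER=(PUTNAM,WU),SYSTEM=DBASE): AND across criteria, OR within
    print(usernames(analyze(SAMPLE_RECORDS, select={"USERNAME": ["PUTNAM", "WU"], "SYSTEM_NAME": ["DBASE"]})))
    # /IGNORE=SUBTYPE=(DIALUP,REMOTE): the record with no SUBTYPE packet is kept
    print(usernames(analyze(SAMPLE_RECORDS, ignore={"SUBTYPE": ["DIALUP", "REMOTE"]})))
```

The record without a SUBTYPE packet survives the /IGNORE run because a criterion can only match a packet that is present, which is the behaviour to keep in mind when excluding by a packet that not every event class carries.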

You can specify any of the following criteria:

ACCESS=(type,...)

Specifies the type of object access upon which the selection is based. Access is object-specific and includes the following types: Associate, Control, Create, Delete, Execute, Lock, Logical, Manage, Physical, Read, Submit, Use, and Write.

The HP OpenVMS Guide to System Security describes each of these types.

ACCOUNT=(name,...)

Specifies the account name upon which selection is based. You can use wildcards, such as an asterisk (*) or percent sign (%), to represent all or part of the name.

ALARM_NAME=(alarm-name,...)

Specifies the alarm journal name on which selection is based. You can use wildcards to represent all or part of the alarm name.

ASSOCIATION_NAME=(IPC-name,...)

Specifies the name of the interprocess communication (IPC) association.

AUDIT_NAME=(journal-name,...)

Specifies the audit journal name on which selection is based. You can use wildcards to represent all or part of the audit journal name.

COMMAND_LINE=(command,...)

Specifies the command line that the user entered.

CONNECTION_IDENTIFICATION=(IPC-name,...)

Specifies the name for the interprocess communication (IPC) connection.

DECNET_LINK_IDENTIFICATION=(value,...)

Specifies the number of the DECnet logical link.

DECNET_OBJECT_NAME=(object-name,...)

Specifies the name of the DECnet object.

DECNET_OBJECT_NUMBER=(value,...)

Specifies the number of the DECnet object.

DEFAULT_USERNAME=(username,...)

Specifies the default local user name for incoming network proxy requests.

DEVICE_NAME=(device-name,...)

Specifies the name of a device in audit records that have a DEVICE_NAME packet. Note that this does not select the device name when it occurs in other packet types, such as in a file name or in the TARGET_DEVICE_NAME packet.

DIRECTORY_ENTRY=(directory,...)

Specifies the directory entry associated with file system operation.

DIRECTORY_NAME=(directory,...)

Specifies the name of the directory file.

DISMOUNT_FLAGS=(flag-name,...)

Identifies the names of the volume dismounting flags to be used in selecting records. Specify one or more of the following flag names: Abort, Cluster, Nounload, and Unit.

EVENT_CLUSTER_NAME=(event-flag-cluster-name,...)

Specifies the name of the event flag cluster.

FACILITY=(facility-name,...)

Specifies that only events audited by the named facility are selected. You can give either a facility name or a facility number, but in either case the facility must have been defined, as a decimal number, through the logical name AUDSERV$FACILITY_NAME; the system itself uses the number 0.

FIELD_NAME=(field-name,...)

Specifies the name of the field that was modified. ANALYZE/AUDIT uses the FIELD_NAME criterion with packets containing the original data and the new data (specified by the NEW_DATA criterion).

A FIELD_NAME is a character string that describes the content of the field. A search for "NEW:" in a full audit report will display records that contain the FIELD_NAME values that can be specified for this option. Examples of FIELD_NAME values are Account, Default Directory, Flags, and Password Date.

For sensitive information, see SENSITIVE_FIELD_NAME.

FILE_NAME=(file-name)

Specifies the name of the file that caused the audit. Records selected with FILE_NAME are displayed in a slightly different format from those selected with the OBJECT=NAME=object-name criterion.

FILE_IDENTIFICATION=(identification-value)

Specifies the value of the file's identification. To calculate the value, start with the value listed for File ID when you use the FILE_NAME keyword. For example, if the display lists the File ID as:

File ID:   (3024,5,0)

use the following formula to calculate the value:

((0 * 65536) + 5 * 65536) + 3024 = 330704

FLAGS=(flag-name,...)

Specifies the names of the audit event flags associated with the audited event that are to be used in selecting records. Specify one or more of the following flags: ACL, Alarm, Audit, Flush, Foreign, Internal, and Mandatory. (For a description of these flags, see Table F-3.)

HOLDER=keyword(,...)

Specifies the characteristics of the identifier holder to be used when selecting event records. Choose from the following keywords:
NAME=username Specifies the name of the holder. You can represent all or part of the name with a wildcard.
OWNER=uic Specifies the user identification code (UIC) of the holder.

IDENTIFIER=keyword(,...)

Identifies which attributes of an identifier should be used when selecting event records. Choose from the following keywords:
ATTRIBUTES=name Specifies the name of the particular attribute. Valid attribute names are as follows: Dynamic, Holder_Hidden, Name_Hidden, NoAccess, Resource, and Subsystem.
NAME=identifier Specifies the original name of the identifier. You can represent all or part of the name with a wildcard.
NEW_NAME=identifier Specifies the new name of the identifier. You can represent all or part of the name with a wildcard.
NEW_ATTRIBUTES=name Specifies the name of the new attribute. Valid attribute names are Dynamic, Holder_Hidden, Name_Hidden, NoAccess, Resource, and Subsystem.
VALUE=value Specifies the original value of the identifier.
NEW_VALUE=value Specifies the new value of the identifier.

IDENTIFIERS_MISSING=(identifier,...)

Specifies the identifiers missing in a failure to access an object.

IDENTIFIERS_USED=(identifier,...)

Specifies the identifiers used to gain access to an object. An event record matches if the specified list is a subset of the identifiers recorded in the event record.

IMAGE_NAME=(image-name,...)

Identifies the name of the image to be used when selecting event records. You can represent all or part of the image name with a wildcard.

INSTALL=keyword(,...)

Specifies that installation event packets are to be considered when selecting event records. Choose from the following keywords:
FILE=filename Specifies the name of the installed file. You can represent all or part of the name with a wildcard.

Note that on Alpha systems prior to Version 6.1 and on VAX systems prior to Version 6.0, audit log files record the installed file name within an object name packet. To select the installed file, you must use the expression OBJECT=(NAME=object-name) instead of FILE=filename.

FLAGS=flag-name Specifies the names of the flags, which correspond to qualifiers of the Install utility (INSTALL); for example, OPEN corresponds to /OPEN.
PRIVILEGES=privilege-name Specifies the names of the privileges with which the file was installed.

LNM_PARENT_NAME=(table-name,...)

Specifies the name of the parent logical name table.

LNM_TABLE_NAME=(table-name,...)

Specifies the name of the logical name table.

LOCAL=(characteristic,...)

Specifies the characteristics of the local (proxy) account to be used when selecting event records. The following characteristic is supported:
USERNAME=username Specifies the name of the local account. You can represent all or part of the name with a wildcard.

LOGICAL_NAME=(logical-name,...)

Specifies the logical name of the mounted (or dismounted) volume upon which selection is based. You can represent all or part of the logical name with a wildcard.

MAILBOX_UNIT=(number,...)

Specifies the number of the mailbox unit.

MOUNT_FLAGS=(flag-name,...)

Specifies the names of the volume mounting flags upon which selection is based. Possible flag names include the following names:
CACHE=(NONE,WRITETHROUGH)
CDROM
CLUSTER
COMPACTION
DATACHECK=(READ,WRITE)
DSI
FOREIGN
GROUP
INCLUDE
INITIALIZATION=(ALLOCATE,CONTINUATION)
MESSAGE
NOASSIST
NOAUTOMATIC
NOCOMPACTION
NOCOPY
NOHDR3
NOJOURNAL
NOLABEL
NOMOUNT_VERIFICATION
NOQUOTA
NOREBUILD
NOUNLOAD
NOWRITE
OVERRIDE=(options[,...])
  • ACCESSIBILITY
  • EXPIRATION
  • IDENTIFICATION
  • LIMITED_SEARCH
  • LOCK
  • NO_FORCED_ERROR
  • OWNER_IDENTIFIER
  • SECURITY
  • SETID

POOL
QUOTA
SHARE
SUBSYSTEM
SYSTEM
TAPE_DATA_WRITE
XAR

The names NOLABEL and FOREIGN each refer to the same FOREIGN flag, because the MOUNT/NOLABEL and MOUNT/FOREIGN commands both set the FOREIGN flag. Therefore, if the volume was mounted with MOUNT/NOLABEL and you select with ANALYZE/AUDIT/SELECT=MOUNT_FLAGS=NOLABEL, the audit record will display the FOREIGN flag.

NEW_DATA=(value,...)

Specifies the value to use after the event occurs. Use this criterion with the FIELD_NAME criterion.

For sensitive information, see SENSITIVE_NEW_DATA.

NEW_IMAGE_NAME=(image-name,...)

Specifies the name of the image to be activated in the newly created process, as supplied to the $CREPRC system service.

NEW_OWNER=(uic,...)

Specifies the user identification code (UIC) to be assigned to the created process, as supplied to the $CREPRC system service.

OBJECT=keyword(,...)

Specifies which characteristics of an object should be used when selecting event records. Choose any of the following keywords:
CLASS=class-name Specifies the general object class as one of the following classes:
Capability
Device
Event_cluster
File
Group_global_section
Logical_name_table
Queue
Resource_domain
Security_class
System_global_section
Volume
You must enter the full class name (for example, CLASS=logical_name_table) or use wildcard characters to supply a portion of the class name (for example, CLASS=log*).
NAME=object-name Specifies the name of the object. You can represent all or part of the name with a wildcard. If you do not use a wildcard, specify the full object name (for example, BOSTON$DUA0:[RWOODS]MEMO.MEM;1).
OWNER=value Specifies the UIC or general identifier of the object.
TYPE=type Specifies the general object class (type of object). The available classes are as follows:
Capability
Device
File
Group_global_section
Logical_name_table
Queue
System_global_section
The CLASS keyword supersedes the TYPE keyword. However, TYPE is required to select audit records in files created prior to OpenVMS Alpha Version 6.1 and OpenVMS VAX Version 6.0.

PARENT=keyword(,...)

Specifies which characteristics of the parent process are used when selecting event records generated by a subprocess. Choose from the following keywords:
IDENTIFICATION=value Specifies the process identifier (PID) of the parent process.
NAME=process-name Specifies the name of the parent process. You can represent all or part of the name with a wildcard.
OWNER=value Specifies the owner (identifier value) of the parent process.
USERNAME=username Specifies the user name of the parent process. You can represent all or part of the name with a wildcard.

PASSWORD=(password,...)

Specifies the password used when the system detected a break-in attempt.

PRIVILEGES_MISSING=(privilege-name,...)

Specifies privileges the caller needed to perform the operation successfully. Specify any of the system privileges, as described in the HP OpenVMS Guide to System Security.

PRIVILEGES_USED=(privilege-name,...)

Specifies the privileges of the process to be used when selecting event records. Specify any of the system privileges, as described in the HP OpenVMS Guide to System Security. Also include the STATUS keyword in the selection criteria so the report can demonstrate whether the privilege was involved in a successful or an unsuccessful operation.

PROCESS=(characteristic,...)

Specifies the characteristics of the process to be used when selecting event records. Choose from the following characteristics:
IDENTIFICATION=value Specifies the PID of the process.
NAME=process-name Specifies the name of the process. You can represent all or part of the name with a wildcard.

REMOTE=keyword(,...)

Specifies that some characteristic of the network request is to be used when selecting event records. Choose from the following keywords:
ASSOCIATION_NAME=IPC-name Specifies the interprocess communication (IPC) association name.
LINK_IDENTIFICATION=value Specifies the number of the DECnet logical link.
IDENTIFICATION=value Specifies the DECnet node address.
NODENAME=node-name Specifies the DECnet node name. You can represent all or part of the name with a wildcard.
USERNAME=username Specifies the remote user name. You can represent all or part of the remote user name with a wildcard.

REQUEST_NUMBER=(value,...)

Specifies the request number associated with the DCL command REQUEST/REPLY.

SECTION_NAME=(global-section-name,...)

Specifies the name of the global section.

SENSITIVE_FIELD_NAME=(field-name,...)

Specifies the name of the field that was modified. ANALYZE/AUDIT uses the SENSITIVE_FIELD_NAME criterion, such as PASSWORD, with packets containing the original data and the new data (specified by the SENSITIVE_NEW_DATA criterion).

SENSITIVE_NEW_DATA=(value,...)

Specifies the value to use after the event occurs. Use this criterion with the SENSITIVE_FIELD_NAME criterion.

SNAPSHOT_BOOTFILE=(filename,...)

Specifies the name of the file containing a snapshot of the system.

SNAPSHOT_SAVE_FILENAME=(filename,...)

Specifies the name of the system snapshot file for a save operation that is in progress.

STATUS=(type,...)

Specifies the type of success status to be used when selecting event records. Choose from the following status types:
SUCCESSFUL Specifies any success status.
FAILURE Specifies any failure status.
CODE=(value) Specifies a specific completion status.

