 |
HP OpenVMS System Management Utilities Reference
Manual
Note that if you specify CODE more than once, only the last value is
matched.
SUBJECT_OWNER=(uic,...)
Specifies the owner (UIC) of the process causing the event.
SUBTYPE=(subtype,...)
Specifies that the criteria be limited to the value or values specified
as a subtype.
Refer to Table F-2 for valid subtype values.
SYSTEM=keyword(,...)
Specifies the characteristics of the system to be used when selecting
event records. Choose from the following keywords:
|
IDENTIFICATION=value
|
Specifies the numeric identification of the system.
|
|
NAME=nodename
|
Specifies the node name of the system.
|
SYSTEM_SERVICE_NAME=(service-name,...)
Specifies the name of the system service associated with the event.
TARGET_DEVICE_NAME=(device-name,...)
Specifies the target device name used by a process control system
service.
TARGET_PROCESS_IDENTIFICATION=(value,...)
Specifies the target process identifier (PID) used by a process control
system service.
TARGET_PROCESS_NAME=(process-name,...)
Specifies the target process name used by a process control system
service.
TARGET_PROCESS_OWNER=(uic,...)
Specifies the target process owner (UIC) used by a process control
system service.
TARGET_USERNAME=(username,...)
Specifies the target user name used by a process control system service.
TERMINAL=(device-name,...)
Specifies the name of the terminal to be used when selecting event
records. You can represent all or part of the terminal name with a
wildcard.
TRANSPORT_NAME=(transport-name,...)
Specifies the name of the transport: interprocess communication (IPC)
or System Management Integrator (SMI), which handles requests from the
System Management utility.
On VAX systems, it also can specify the DECnet transport name (NSP).
USERNAME=(username,...)
Specifies the user name to be used when selecting event records. You
can represent all or part of the user name with a wildcard.
VOLUME_NAME=(volume-name,...)
Specifies the name of the mounted (or dismounted) volume to be used
when selecting event records. You can represent all or part of the
volume name with a wildcard.
VOLUME_SET_NAME=(volume-set-name,...)
Specifies the name of the mounted (or dismounted) volume set to be used
when selecting event records. You can represent all or part of the
volume set name with a wildcard.
Examples
| #1 |
$ ANALYZE/AUDIT /FULL/SELECT=USERNAME=JOHNSON -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
|
The command in this example selects all records written to the security
audit log file that were generated by user JOHNSON.
| #2 |
$ ANALYZE/AUDIT/FULL/SELECT=PRIVILEGES_USED=(SYSPRV,-
_$ BYPASS) SYS$MANAGER:SECURITY.AUDIT$JOURNAL
|
The command in this example selects all records written to the security
audit log file that were generated by events through the use of either
SYSPRV or BYPASS privilege.
| #3 |
$ ANALYZE/AUDIT/FULL/EVENT=SYSUAF/SELECT= -
_$ IMAGE=("*:[SYS*SYSEXE]SETP0.EXE","*:[SYS*SYSEXE]LOGINOUT.EXE") -
_$ SYS$MANAGER:SECURITY
|
The command in this example selects all records that involve password
changes written to the security audit log file.
The following example is a command procedure that you could run at
midnight to select all SYSUAF, AUDIT, and BREAKIN events (excluding
password changes) and mail the result to the system manager:
$! DAILY_AUDIT.COM
$
$ mail_list = "SYSTEM"
$ audsrv$_noselect = %X003080A0
$ audit_events = "SYSUAF,BREAKIN,AUDIT"
$
$ analyze /audit /full -
/event=('audit_events') -
/output=audit.tmp -
/ignore=image=("*:[SYS*SYSEXE]SETP0.EXE","*:[SYS*SYSEXE]LOGINOUT.EXE") -
sys$manager:SECURITY.AUDIT$JOURNAL
$
$ status = $status
$ if (status.and.%XFFFFFFF) .eq. audsrv$_noselect then goto no_records
$ if .not. status then goto error_analyze
$ if f$file("audit.tmp","eof") .eq. 0 then goto no_records
$ mail /subject="''audit_events' listing from ''f$time()'" -
audit.tmp 'mail_list'
$ goto new_log
$
$ no_records:
$ mail /subject="No interesting security events" nl: 'mail_list'
$
$ new_log:
$ if f$search("audit.tmp") .nes. "" then delete audit.tmp;*
$ set audit /server=new_log
$ rename sys$manager:SECURITY.AUDIT$JOURNAL;-1 -
sys$common:[sysmgr]'f$element(0," ",f$edit(f$time(),"TRIM"))'
$ exit
$
$ error_analyze:
$ mail/subj="Error analyzing auditing information" nl: 'mail_list'
$ exit
|
/SINCE
Indicates the utility must operate on records dated with the specified
time or after the specified time.
Format
/SINCE [=time]
/NOSINCE
Keyword
time
Specifies the time used to select records. Records dated the same or
later than the specified time are selected. You can specify an absolute
time, a delta time, or a combination of the two. Observe the syntax
rules for date and time described in the OpenVMS User's Manual.
If you specify /SINCE without the time, the utility uses the beginning
of the current day.
Examples
| #1 |
$ ANALYZE/AUDIT /SINCE=25-NOV-2002 -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
|
The command in this example selects records dated later than November
25, 2002.
| #2 |
$ ANALYZE/AUDIT /SINCE=25-NOV-2002:15:00 -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
|
The command in this example selects records written after 3 P.M. on
November 25, 2002.
/SUMMARY
Specifies that a summary of the selected records be produced after all
records are processed.
Note that the /SUMMARY qualifier code is executed after the Audit
Analyzer is finished, that is, after all the records to be analyzed
have been collected and processed. When you specify the /INTERACTIVE
qualifier (which is the default), the Audit Analyzer never reaches the
finished state because /INTERACTIVE prompts you repeatedly to enter
another command (which might result in a new set of records to be
analyzed). To use the /SUMMARY qualifier, you must also specify
/NOINTERACTIVE, which ensures that the Audit Analyzer reaches the
finished state that allows the SUMMARY code to be executed and to
display the proper information. In a future version of OpenVMS, the
Audit Analyzer will return an error when /SUMMARY and /INTERACTIVE are
specified together.
You can use the /SUMMARY qualifier alone or in combination with the
/BRIEF, the /BINARY, or the /FULL qualifier.
Format
/SUMMARY =presentation
/NOSUMMARY
Keyword
presentation
Specifies the presentation of the summary. If you do not specify a
presentation criterion, ANALYZE/AUDIT summarizes the number of audits.
You can specify either of the following presentations:
COUNT
Lists the total number of audit messages for each class of security
event that have been extracted from the security audit log file. This
is the default.
PLOT
Displays a plot showing the class of the audit event, the time of day
when the audit was generated, and the name of the system where the
audit was generated.
Examples
| #1 |
$ ANALYZE/AUDIT/SUMMARY SYS$MANAGER:SECURITY.AUDIT$JOURNAL
|
The command in this example generates a summary report of all records
processed.
Total records read: 9701 Records selected: 9701
Record buffer size: 1031
Successful logins: 542 Object creates: 1278
Successful logouts: 531 Object accesses: 3761
Login failures: 35 Object deaccesses: 2901
Breakin attempts: 2 Object deletes: 301
System UAF changes: 10 Volume (dis)mounts: 50
Rights db changes: 8 System time changes: 0
Netproxy changes: 5 Server messages: 0
Audit changes: 7 Connections: 0
Installed db changes: 50 Process control audits: 0
Sysgen changes: 9 Privilege audits: 91
NCP command lines: 120
|
| #2 |
$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
|
The command in this example generates a full format listing of all
logged audit messages that match the break-in or log failure event
classes. A summary report is included at the end of the listing.
| #3 |
$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY=PLOT -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
|
This command generates a histogram that you can display on a
character-cell terminal.
4.4 ANALYZE/AUDIT Commands
This section describes the interactive commands available with the
Audit Analysis utility (ANALYZE/AUDIT). The qualifiers for this section
follow the standard rules of DCL grammar.
The utility runs interactively by default; you disable the feature with
the /NOINTERACTIVE qualifier to the ANALYZE/AUDIT command. To enter
interactive commands, press Ctrl/C at any time during the processing of
a full or brief interactive display. At the COMMAND> prompt, you can
enter any command listed in this section. Use the CONTINUE command to
resume processing of the event records, or use the EXIT command to
terminate the session.
CONTINUE
Resumes processing of event records.
Format
CONTINUE
Parameters
None.
Qualifiers
None.
Example
|
COMMAND> DISPLAY/SINCE=25-JAN-2002/SELECT=USERNAME=JOHNSON
COMMAND> CONTINUE
|
The first command in this example selects only event records generated
by user JOHNSON after January 25, 2002. The second command in the
example displays a report based on the new selection criteria.
DISPLAY
Changes the criteria used to select event records.
Format
DISPLAY
Parameters
None.
For a more complete description of any one of the following qualifiers,
refer to the description of the qualifier in the preceding
ANALYZE/AUDIT Qualifiers section.
Qualifiers
/BEFORE=time
Controls whether only those records dated earlier than the specified
time are selected.
/BRIEF
Controls whether a brief (one-line-per-record) format is used in ASCII
displays.
/EVENT_TYPE=event-type[,...]
Controls whether only those records matching the specified event type
are selected.
/FULL
Controls whether a full format for each record is used in ASCII
displays.
/IGNORE=criteria[,...]
Controls whether records matching the specified criteria are excluded.
If you specify /IGNORE two or more times, the criteria are combined. To
specify a new set of exclusion criteria, include the /REMOVE qualifier
with the /IGNORE qualifier.
/PAUSE=seconds
For full-format displays (/FULL), specifies the length of time each
record is displayed.
/REMOVE
Controls whether the criteria specified by the /IGNORE and the /SELECT
qualifiers are no longer to be used to select event records to be
displayed.
/SELECT=criteria[,...]
Controls whether only those records matching the specified criteria are
selected. If you specify /SELECT two or more times, the criteria are
combined. To specify a new set of selection criteria, include the
/REMOVE qualifier with the /SELECT qualifier.
/SINCE[=time]
Controls whether only those records dated the same or later than the
specified time are selected.
Examples
| #1 |
COMMAND> DISPLAY/EVENT_TYPE=SYSUAF
COMMAND> CONTINUE
|
The first command in this example selects records that were generated
as a result of a modification to the system user authorization file
(SYSUAF). The second command displays the selected records.
| #2 |
COMMAND> DISPLAY/SELECT=USERNAME=CRICK
COMMAND> CONTINUE
.
.
.
[Ctrl/C]
COMMAND> DISPLAY/SELECT=USERNAME=WATSON
COMMAND> CONTINUE
|
The first DISPLAY command in this example selects records that were
generated by user CRICK. The second command displays the selected
records. The next DISPLAY command selects records that were generated
by user WATSON. The last command in the example displays all records
generated by users CRICK and WATSON.
EXIT
Terminates the session.
Format
EXIT
Parameters
None.
Qualifiers
None.
HELP
Provides online help information for using ANALYZE/AUDIT commands.
Format
HELP [topic]
Parameter
topic
Specifies the command for which help information is to be displayed. If
you omit the keyword, HELP displays a list of available help topics and
prompts you for a particular keyword.
Qualifiers
None.
Example
The command in this example displays help information about the DISPLAY
command.
LIST
Changes the criteria used to select event records. The LIST command is
synonymous with the DISPLAY command.
Format
LIST
Parameters
None.
Qualifiers
See the description of the DISPLAY command.
Example
|
COMMAND> LIST/EVENT_TYPE=SYSUAF
COMMAND> CONTINUE
|
The first command in this example selects records that were generated
as a result of a modification to the system user authorization file
(SYSUAF). The second command displays the selected records.
NEXT FILE
Controls whether the current security audit log file is closed and the
next log file opened. The command is useful when you supply a wildcard
file specification to the ANALYZE/AUDIT command; for example
*.AUDIT$JOURNAL. If there are no other audit log files to open, the
audit analysis session terminates and control returns to DCL.
Format
NEXT FILE
Parameters
None.
Qualifiers
None.
NEXT RECORD
Controls whether the next audit record is displayed. The NEXT RECORD
command is the default for interactive mode.
This command is synonymous with the POSITION command.
Format
NEXT RECORD
Parameters
None.
Qualifiers
None.
POSITION
Moves the full-format display forward or backward the specified number
of event records.
Format
POSITION number
Parameter
number
For positive numbers, displays the record that is the specified number
of records after the current record. For negative numbers, displays the
record that is the specified number of records before the current
record.
Qualifiers
None.
Examples
The command in this example moves the display forward 100 event records.
| #2 |
COMMAND> POSITION -100
|
The command in this example moves the display back 100 event records.
SHOW
Displays information about the selection or exclusion criteria
currently being used to select event records.
Format
SHOW option[,...]
Parameter
option[,...]
Displays information about selection or exclusion criteria currently
being used to select records. Specify one or more of the following
options:
|
ALL
|
Displays all criteria being used to select event records.
|
|
EXCLUSION_CRITERIA
|
Displays the criteria being used to exclude event records.
|
|
SELECTION_CRITERIA
|
Displays the criteria being used to select event records.
|
Qualifiers
None.
Example
|
COMMAND> SHOW SELECTION_CRITERIA
|
The command in this example displays the selection criteria currently
in use to select records.
|
