VMS Help ANALYZE, /AUDIT *Conan The Librarian (sorry for the slow response - running on an old VAX) |
The Audit Analysis utility (ANALYZE/AUDIT) processes event messages in security audit log files to produce reports of security-related events on the system. Format ANALYZE/AUDIT [file-spec[,...]] file-spec[,...] Specifies one or more security audit log files as input to ANALYZE/AUDIT. If you specify more than one file name, separate the names with commas. If you omit the file-spec parameter, the utility searches for the default audit log file SECURITY.AUDIT$JOURNAL. The default audit log file is created in the SYS$COMMON:[SYSMGR] directory. To use the file, specify SYS$MANAGER on the ANALYZE /AUDIT command line. If you do not specify a directory, the utility searches for the file in the current directory. You can include wildcard characters, such as the asterisk (*) or percent sign (%), in the file specification. The audit log file can be located in any directory. To display the current location, use the DCL command SHOW AUDIT/ALL.
1 - Qualifiers |
Qualifier Description /BEFORE Controls whether records dated earlier than the specified time are selected /BINARY Controls whether output is a binary file /BRIEF Controls whether a brief, single-line record format is used in ASCII displays /EVENT_TYPE Selects the classes of events to be extracted from the security log file /FULL Controls whether a full format is used in ASCII displays /IGNORE Excludes records from the report that match the specified criteria /INTERACTIVE Controls whether interactive command mode is enabled when ANALYZE/AUDIT is invoked /OUTPUT Specifies where to direct output from ANALYZE /AUDIT /PAUSE Specifies the length of time each record is displayed in a full format display /SELECT Specifies the criteria for selecting records /SINCE Indicates that the utility must operate on records dated with the specified time or after the specified time /SUMMARY Specifies that a summary of the selected records be produced after all records are processed
2 - /BEFORE
Controls whether records dated earlier than the specified time are selected. Format /BEFORE[=time] /NOBEFORE time Specifies the time used to select records. Records dated earlier than the specified time are selected. You can specify an absolute time, delta time, or a combination of the two. Observe the syntax rules for date and time described in the OpenVMS User's Manual.
2.1 - Examples
1.$ ANALYZE/AUDIT /BEFORE=25-NOV-2000 - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example selects all records dated earlier than November 25, 2000. 2.$ ANALYZE/AUDIT /BEFORE=14:00/SINCE=12:00 - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example selects all records generated between noon and 2 P.M. today.
3 - /BINARY
Controls whether output is a binary file. Format /BINARY /NOBINARY
3.1 - Example
$ ANALYZE/AUDIT /BINARY/SINCE=TODAY/OUTPUT=25DEC00.AUDIT - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example selects all audit records generated today and writes the records in binary format to 25DEC00.AUDIT.
4 - /BRIEF
Controls whether a brief, single-line record format is used in ASCII displays. Format /BRIEF (default)
4.1 - Example
$ ANALYZE/AUDIT /OUTPUT=AUDIT.LIS SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example produces an ASCII file in brief format by default. The report is written to the AUDIT.LIS file.
5 - /EVENT_TYPE
Selects the classes of events to be extracted from the security log file. If you omit the qualifier or specify the ALL keyword, the utility includes all enabled event classes in the report. Format /EVENT_TYPE=(event-type[,...]) event type[,...] Specifies the classes of events used to select records. You can specify any of the following event types: [NO]ACCESS Access to an object, such as a file [NO]ALL All event types [NO]AUDIT Use of the SET AUDIT command [NO]AUTHORIZATION Change to the authorization database (SYSUAF.DAT, RIGHTSLIST.DAT, NETPROXY.DAT, or NET$PROXY.DAT) [NO]BREAKIN Break-in detection [NO]CONNECTION Establishment of a network connection through the System Management utility (SYSMAN), DECwindows, or interprocess communication (IPC) software or DECnet Phase IV (VAX only) [NO]CREATE Creation of an object [NO]DEACCESS Completion of access to an object [NO]DELETE Deletion of an object [NO]INSTALL Modification of the known file list with the Install utility (INSTALL) [NO]LOGFAIL Unsuccessful login attempt [NO]LOGIN Successful login [NO]LOGOUT Successful logout [NO]MOUNT Execution of DCL commands MOUNT or DISMOUNT [NO]NCP Modification of the DECnet network configuration databases [NO]NETPROXY Modification of the network proxy authorization file (NETPROXY.DAT or NET$PROXY.DAT) [NO]PRIVILEGE Privilege auditing [NO]PROCESS Use of one or more of the process control system services: $CREPRC, $DELPRC, $SCHDWK, $CANWAK, $WAKE, $SUSPND, $RESUME, $GRANTID, $REVOKID, $GETJPI, $FORCEX, $SETPRI [NO]RIGHTSDB Modification of the rights database (RIGHTSLIST.DAT) [NO]SYSGEN Modification of system parameters through the System Generation utility (SYSGEN) or AUTOGEN [NO]SYSUAF Modification of the system user authorization file (SYSUAF.DAT) [NO]TIME Change in system or cluster time Specifying the negated form of an event class (for example, NOLOGFAIL) excludes the specified event class from the audit report.
5.1 - Examples
1.$ ANALYZE/AUDIT/EVENT_TYPE=LOGFAIL - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example extracts all records of unsuccessful login attempts, which match the LOGFAIL class, and compiles a brief report. 2.$ ANALYZE/AUDIT/EVENT_TYPE=(NOLOGIN,NOLOGOUT) - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example builds a report in brief format of all audit records except those in the LOGIN and LOGOUT event classes.
6 - /FULL
Controls whether a full format is used in ASCII displays. If you specify /NOFULL or omit the qualifier, records are displayed in the brief format. Format /FULL /NOFULL (default)
6.1 - Example
$ ANALYZE/AUDIT /FULL SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example displays the full contents of each selected record.
7 - /IGNORE
Excludes records from the report that match the specified criteria. Format /IGNORE=criteria[,...] criteria[,...] Specifies that all records are selected except those matching any of the specified exclusion criteria. See the /SELECT qualifier description for a list of the possible criteria to use with the /IGNORE qualifier.
8 - /INTERACTIVE
Controls whether interactive command mode is enabled when ANALYZE /AUDIT is invoked. Format /INTERACTIVE (default) /NOINTERACTIVE
8.1 - Examples
1.$ ANALYZE/AUDIT/FULL SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example produces a full format display of the selected records. New records are displayed every 3 seconds. (See the /PAUSE qualifier description to find how to modify the duration of each record display.) Press Ctrl/C to interrupt the display and to enter interactive commands. 2.$ ANALYZE/AUDIT/FULL/NOINTERACTIVE - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example invokes the utility in noninteractive mode. It displays the first record selected and prompts you to press Return to display each additional selected record. Control returns to the DCL command level when all selected records have been displayed.
9 - /OUTPUT
Specifies where to direct output from ANALYZE/AUDIT. If you omit the qualifier, the report is sent to SYS$OUTPUT. Format /OUTPUT[=file-spec] /NOOUTPUT file-spec[,...] Specifies the name of the file that is to contain the selected records. If you omit the device and directory specification, the utility uses the current device and directory specification. If you omit the file name and type, the default file name AUDIT.LIS is used. If the output is binary (/BINARY) and you omit the /OUTPUT qualifier, the binary information is written to the file AUDIT.AUDIT$JOURNAL.
9.1 - Example
$ ANALYZE/AUDIT /BINARY/OUTPUT=BIN122588.DAT - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example selects audit records from the system audit log file and writes them to the binary file BIN122588.DAT.
10 - /PAUSE
Specifies the length of time each record is displayed in a full- format display. Format /PAUSE=seconds seconds Specifies the duration (in seconds) of the full-screen display. A value of 0 specifies that the system should not pause before displaying the next record. By default, the utility displays a record for 3 seconds.
10.1 - Example
$ ANALYZE/AUDIT /FULL/PAUSE=1 SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example displays a selected record in full format every second. You can interrupt the display and enter interactive commands at any time by pressing Ctrl/C.
11 - /SELECT
Specifies the criteria for selecting records from the audit log file. See the OpenVMS Guide to System Security for a description of how to generate audit records. Format /SELECT=criteria[,...] /NOSELECT criteria[,...] Specifies the criteria for selecting records. For each specified criterion, ANALYZE/AUDIT has two selection requirements: o The packet corresponding to the criterion must be present in the record. o One of the specified values must match the value in that packet. For example, if you specify (USER=(PUTNAM,WU),SYSTEM=DBASE) as the criteria, ANALYZE/AUDIT selects an event record containing the SYSTEM=DBASE packet and a USER packet with either the PUTNAM value or the WU value. If you omit the /SELECT qualifier, all event records selected through the /EVENT_TYPE qualifier are extracted from the audit log file and included in the report. You can specify any of the following criteria:
11.1 - ACCESS
ACCESS=(type,...) Specifies the type of object access upon which the selection is based. Access is object-specific and includes the following types: Associate Execute Read Control Lock Submit Create Logical Use Delete Manage Write Physical The OpenVMS Guide to System Security describes each of these types.
11.2 - ACCOUNT
ACCOUNT=(name,...) Specifies the account name upon which selection is based. You can use wildcards, such as an asterisk (*) or percent sign (%), to represent all or part of the name.
11.3 - ALARM_NAME
ALARM_NAME=(alarm-name,...) Specifies the alarm journal name on which selection is based. You can use wildcards to represent all or part of the alarm name.
11.4 - ASSOCIATION_NAME
ASSOCIATION_NAME=(IPC-name,...) Specifies the name of the interprocess communication (IPC) association.
11.5 - AUDIT_NAME
AUDIT_NAME=(journal-name,...) Specifies the audit journal name on which selection is based. You can use wildcards to represent all or part of the audit journal name.
11.6 - COMMAND_LINE
COMMAND_LINE=(command,...) Specifies the command line that the user entered.
11.7 - CONNECTION_IDENTIFICATION
CONNECTION_IDENTIFICATION=(IPC-name,...) Specifies the name for the interprocess communication (IPC) connection.
11.8 - DECNET_LINK_IDENTIFICATION
DECNET_LINK_IDENTIFICATION=(value,...) Specifies the number of the DECnet logical link.
11.9 - DECNET_OBJECT_NAME
DECNET_OBJECT_NAME=(object-name,...) Specifies the name of the DECnet object.
11.10 - DECNET_OBJECT_NUMBER
DECNET_OBJECT_NUMBER=(value,...) Specifies the number of the DECnet object.
11.11 - DEFAULT_USERNAME
DEFAULT_USERNAME=(username,...) Specifies the default local user name for incoming network proxy requests.
11.12 - DEVICE_NAME
DEVICE_NAME=(device-name,...) Specifies the name of a device in audit records that have a DEVICE_NAME packet. Note that this does not select the device name when it occurs in other packet types, such as in a file name or in the TARGET_DEVICE_NAME packet.
11.13 - DIRECTORY_ENTRY
DIRECTORY_ENTRY=(directory,...) Specifies the directory entry associated with file system operation.
11.14 - DIRECTORY_NAME
DIRECTORY_NAME=(directory,...) Specifies the name of the directory file.
11.15 - DISMOUNT_FLAGS
DISMOUNT_FLAGS=(flag-name,...) Identifies the names of the volume dismounting flags to be used in selecting records. Specify one or more of the following flag names: Abort, Cluster, Nounload, and Unit.
11.16 - EVENT_CLUSTER_NAME
EVENT_CLUSTER_NAME=(event-flag-cluster-name,...) Specifies the name of the event flag cluster.
11.17 - FACILITY
FACILITY=(facility-name,...) Specifies that only events audited by the named facility be selected. Provide a name or a number but, in either case, the facility has to be defined through the logical AUDSERV$FACILITY_NAME as a decimal number; the system uses the number 0.
11.18 - FIELD_NAME
FIELD_NAME=(field-name,...) Specifies the name of the field that was modified. ANALYZE /AUDIT uses the FIELD_NAME criterion with packets containing the original data and the new data (specified by the NEW_DATA criterion).
11.19 - FILE_NAME
FILE_NAME=(file-name) Specifies the name of the file that caused the audit. Describes audit records for the specified file by using a slightly different display format than is provided by the /OBJECT=NAME=object-name keyword.
11.20 - FILE_IDENTIFICATION
FILE_IDENTIFICATION=(identification-value) Specifies the value of the file's identification. To calculate the value, start with the value listed for File ID when you use the FILE_NAME keyword. For example, the display lists the File ID as: File ID: (3024,5,0) Use the following formula to calculate the value: ((0 * 65536) + 5 * 65536) + 3024 = 330704
11.21 - FLAGS
FLAGS=(flag-name,...) Identifies the names of the audit event flags associated with the audited event. These names should be used in selecting records. Specify one or more of the following flags: ACL, Alarm, Audit, Flush, Foreign, Internal, and Mandatory.
11.22 - HOLDER
HOLDER=keyword(,...) Specifies the characteristics of the identifier holder to be used when selecting event records. Choose from the following keywords: NAME=username Specifies the name of the holder. You can represent all or part of the name with a wildcard. OWNER=uic Specifies the user identification code (UIC) of the holder.
11.23 - IDENTIFIER
IDENTIFIER=keyword(,...) Identifies which attributes of an identifier should be used when selecting event records. Choose from the following keywords: ATTRIBUTES=name Specifies the name of the particular attribute. Valid attribute names are as follows: Dynamic, Holder_Hidden, Name_Hidden, NoAccess, Resource, and Subsystem. NAME=identifier Specifies the original name of the identifier. You can represent all or part of the name with a wildcard. NEW_NAME=identifier Specifies the new name of the identifier. You can represent all or part of the name with a wildcard. NEW_ATTRIBUTES=name Specifies the name of the new attribute. Valid attribute names are Dynamic, Holder_Hidden, Name_Hidden, NoAccess, Resource, and Subsystem. VALUE=value Specifies the original value of the identifier. NEW_VALUE=value Specifies the new value of the identifier.
11.24 - IDENTIFIERS_MISSING
IDENTIFIERS_MISSING=(identifier,...) Specifies the identifiers missing in a failure to access an object.
11.25 - IDENTIFIERS_USED
IDENTIFIERS_USED=(identifier,...) Specifies the identifiers used to gain access to an object. An event record matches if the specified list is a subset of the identifiers recorded in the event record.
11.26 - IMAGE_NAME
IMAGE_NAME=(image-name,...) Identifies the name of the image to be used when selecting event records. You can represent all or part of the image name with a wildcard.
11.27 - INSTALL
INSTALL=keyword(,...) Specifies that installation event packets are to be considered when selecting event records. Choose from the following keywords: FILE=filename Specifies the name of the installed file. You can represent all or part of the name with a wildcard. Note that on Alpha systems prior to Version 6.1 and on VAX systems prior to Version 6.0, audit log files record the installed file name within an object name packet. To select the installed file, you must use the expression OBJECT=(NAME=object-name) instead of FILE=filename. FLAGS=flag-name Specifies the names of the flags, which correspond to qualifiers of the Install utility (INSTALL); for example, OPEN corresponds to /OPEN. PRIVILEGES=privilege- Specifies the names of the privileges with name which the file was installed.
11.28 - LNM_PARENT_NAME
LNM_PARENT_NAME=(table-name,...) Specifies the name of the parent logical name table.
11.29 - LNM_TABLE_NAME
LNM_TABLE_NAME=(table-name,...) Specifies the name of the logical name table.
11.30 - LOCAL
LOCAL=(characteristic,...) Specifies the characteristics of the local (proxy) account to be used when selecting event records. The following characteristic is supported: USERNAME=username Specifies the name of the local account. You can represent all or part of the name with a wildcard.
11.31 - LOGICAL_NAME
LOGICAL_NAME=(logical-name,...) Specifies the logical name of the mounted (or dismounted) volume upon which selection is based. You can represent all or part of the logical name with a wildcard.
11.32 - MAILBOX_UNIT
MAILBOX_UNIT=(number,...) Specifies the number of the mailbox unit.
11.33 - MOUNT_FLAGS
MOUNT_FLAGS=(flag-name,...) Specifies the names of the volume mounting flags upon which selection is based. Possible flag names include the following: CACHE=(NONE,WRITETHROUGH) CDROM CLUSTER COMPACTION DATACHECK=(READ,WRITE) DSI FOREIGN GROUP INCLUDE INITIALIZATION=(ALLOCATE,CONTINUATION) MESSAGE NOASSIST NOAUTOMATIC NOCOMPACTION NOCOPY NOHDR3 NOJOURNAL NOLABEL NOMOUNT_VERIFICATION NOQUOTA NOREBUILD NOUNLOAD NOWRITE { ACCESSIBILITY } { EXPIRATION } { IDENTIFICATION } { } { LIMITED_SEARCH } OVERRIDE=(options[,...]) { LOCK } { NO_FORCED_ERROR } { } { OWNER_IDENTIFIER } { SECURITY } { SETID } { } QUOTA SHARE SUBSYSTEM SYSTEM TAPE_DATA_WRITE XAR The names NOLABEL and FOREIGN each point to the FOREIGN flag. The reason for this is that the MOUNT/NOLABEL and MOUNT/FOREIGN commands each set the FOREIGN flag. Therefore, if you used MOUNT /NOLABEL, and you use ANALYZE/AUDIT/SELECT/MOUNT_FLAGS=NOLABEL, the audit record will display the FOREIGN flag.
11.34 - NEW_DATA
NEW_DATA=(value,...) Specifies the value to use after the event occurs. Use this criterion with the FIELD_NAME criterion.
11.35 - NEW_IMAGE_NAME
NEW_IMAGE_NAME=(image-name,...) Specifies the name of the image to be activated in the newly created process, as supplied to the $CREPRC system service.
11.36 - NEW_OWNER
NEW_OWNER=(uic,...) Specifies the user identification code (UIC) to be assigned to the created process, as supplied to the $CREPRC system service.
11.37 - OBJECT
OBJECT=keyword(,...) Specifies which characteristics of an object should be used when selecting event records. Choose any of the following keywords: CLASS=class-name Specifies the general object class as one of the following: Capability Device Event_cluster File Group_global_section Logical_name_table Queue Resource_domain Security_class System_global_section Volume You must enter the full class name (for example, CLASS=logical_name_table) or use wildcard characters to supply a portion of the class name (for example, CLASS=log*). NAME=object-name Specifies the name of the object. You can represent all or part of the name with a wildcard. If you do not use a wildcard, specify the full object name (for example, BOSTON$DUA0:[RWOODS]MEMO.MEM;1). OWNER=value Specifies the UIC or general identifier of the object. TYPE=type Specifies the general object class (type of object). The available classes are as follows: Capability Device File Group_global_section Logical_name_table Queue System_global_section The CLASS keyword supersedes the TYPE keyword. However, TYPE is required to select audit records in files created prior to OpenVMS Alpha Version 6.1 and OpenVMS VAX Version 6.0.
11.38 - PARENT
PARENT=keyword(,...) Specifies which characteristics of the parent process are used when selecting event records generated by a subprocess. Choose from the following keywords: IDENTIFICATION=value Specifies the process identifier (PID) of the parent process. NAME=process-name Specifies the name of the parent process. You can represent all or part of the name with a wildcard. OWNER=value Specifies the owner (identifier value) of the parent process. USERNAME=username Specifies the user name of the parent process. You can represent all or part of the name with a wildcard.
11.39 - PASSWORD
PASSWORD=(password,...) Specifies the password used when the system detected a break-in attempt.
11.40 - PRIVILEGES_MISSING
PRIVILEGES_MISSING=(privilege-name,...) Specifies privileges the caller needed to perform the operation successfully. Specify any of the system privileges, as described in the OpenVMS Guide to System Security.
11.41 - PRIVILEGES_USED
PRIVILEGES_USED=(privilege-name,...) Specifies the privileges of the process to be used when selecting event records. Specify any of the system privileges, as described in the OpenVMS Guide to System Security. Also include the STATUS keyword in the selection criteria so the report can demonstrate whether the privilege was involved in a successful or an unsuccessful operation.
11.42 - PROCESS
PROCESS=(characteristic,...) Specifies the characteristics of the process to be used when selecting event records. Choose from the following characteristics: IDENTIFICATION=value Specifies the PID of the process. NAME=process-name Specifies the name of the process. You can represent all or part of the name with a wildcard.
11.43 - REMOTE
REMOTE=keyword(,...) Specifies that some characteristic of the network request is to be used when selecting event records. Choose from the following keywords: ASSOCIATION_NAME=IPC-name Specifies the interprocess communication (IPC) association name. LINK_IDENTIFICATION=value Specifies the number of the DECnet logical link. IDENTIFICATION=value Specifies the DECnet node address. NODENAME=node-name Specifies the DECnet node name. You can represent all or part of the name with a wildcard. USERNAME=username Specifies the remote user name. You can represent all or part of the remote user name with a wildcard.
11.44 - REQUEST_NUMBER
REQUEST_NUMBER=(value,...) Specifies the request number associated with the DCL command REQUEST/REPLY.
11.45 - SECTION_NAME
SECTION_NAME=(global-section-name,...) Specifies the name of the global section.
11.46 - STATUS
STATUS=type(,...) Specifies the type of success status to be used when selecting event records. Choose from the following status types: SUCCESSFUL Specifies any success status. FAILURE Specifies any failure status. CODE=(value,...) Specifies a specific completion status.
11.47 - SUBJECT_OWNER
SUBJECT_OWNER=(uic,...) Specifies the owner (UIC) of the process causing the event.
11.48 - SUBTYPE
SUBTYPE=(subtype,...) Specifies that the criteria be limited to the value or values specified as a subtype. The following table lists events and their related subtypes. After SUBTYPE, enter the subtypes as they appear in the list; for example, SUBTYPE=ALARM_STATE. (In other words, do not enter a prefix.) Symbols for Event Types and Subtypes Meaning NSA$C_MSG_AUDIT Systemwide change to auditing ALARM_STATE Events enabled as alarms AUDIT_DISABLED Audit events disabled AUDIT_ENABLED Audit events enabled AUDIT_INITIATE Audit server startup AUDIT_LOG_FIRST First entry in audit log (backward link) AUDIT_LOG_FINAL Final entry in audit log (forward link) AUDIT_STATE Events enabled as audits AUDIT_TERMINATE Audit server shutdown NSA$C_MSG_BREAKIN Break-in attempt detected BATCH Batch process DETACHED Detached process DIALUP Dialup interactive process LOCAL Local interactive process NETWORK Network server task REMOTE Interactive process from another network node SUBPROCESS Subprocess NSA$C_MSG_CONNECTION Logical link connection or termination CNX_ABORT Connection aborted CNX_ACCEPT Connection accepted CNX_DECNET_CREATE DECnet logical link created CNX_DECNET_DELETE DECnet logical link disconnected CNX_DISCONNECT Connection disconnected CNX_INC_ABORT Incoming connection request aborted CNX_INC_ACCEPT Incoming connection request accepted CNX_INC_DISCONNECT Incoming connection disconnected CNX_INC_REJECT Incoming connection request rejected CNX_INC_REQUEST Incoming connection request CNX_IPC_CLOSE Interprocess communication association closed CNX_IPC_OPEN Interprocess communication association opened CNX_REJECT Connection rejected CNX_REQUEST Connection requested NSA$C_MSG_INSTALL Use of the Install utility (INSTALL) INSTALL_ADD Known image installed INSTALL_REMOVE Known image deleted NSA$C_MSG_LOGFAIL Login failure See subtypes for NSA$C_MSG_BREAKIN NSA$C_MSG_LOGIN Successful login See subtypes for NSA$C_MSG_BREAKIN NSA$C_MSG_LOGOUT Successful logout See subtypes for NSA$C_MSG_BREAKIN NSA$C_MSG_MOUNT Volume mount or dismount VOL_DISMOUNT Volume dismount VOL_MOUNT Volume mount NSA$C_MSG_NCP Modification to network configuration database NCP_COMMAND Network Control Program (NCP) command issued NSA$C_MSG_NETPROXY Modification to network proxy database NETPROXY_ADD Record added to network proxy authorization file NETPROXY_DELETE Record removed from network proxy authorization file NETPROXY_MODIFY Record modified in network proxy authorization file NSA$C_MSG_OBJ_ACCESS Object access attempted OBJ_ACCESS Access attempted to create, delete, or deaccess an object NSA$C_MSG_OBJ_CREATE Object creation attempted OBJ_CREATE Access attempted to create an object NSA$C_MSG_OBJ_DEACCESS Object deaccessed OBJ_DEACCESS Attempt to complete access to an object NSA$C_MSG_OBJ_DELETE Object deletion attempted OBJ_DELETE Object deletion attempted NSA$C_MSG_PROCESS Process controlled through a system service PRC_CANWAK Process wakeup canceled PRC_CREPRC Process created PRC_DELPRC Process deleted PRC_FORCEX Process exit forced PRC_GETJPI Process information gathered PRC_GRANTID Process identifier granted PRC_RESUME Process resumed PRC_REVOKID Process identifier revoked PRC_SCHDWK Process wakeup scheduled PRC_SETPRI Process priority altered PRC_SIGPRC Process exception issued PRC_SUSPND Process suspended PRC_TERM Process termination notification requested PRC_WAKE Process wakeup issued NSA$C_MSG_PRVAUD Use of privilege PRVAUD_FAILURE Unsuccessful use of privilege PRVAUD_SUCCESS Successful use of privilege NSA$C_MSG_RIGHTSDB Modification to the rights database RDB_ADD_ID Identifier added to rights database RDB_CREATE Rights database created RDB_GRANT_ID Identifier granted to user RDB_MOD_HOLDER List of identifier holders modified RDB_MOD_ID Identifier name or attributes modified RDB_REM_ID Identifier removed from rights database RDB_REVOKE_ID Identifier taken away from user NSA$C_MSG_SYSGEN Use of the System Generation utility (SYSGEN) SYSGEN_SET System parameter modified NSA$C_MSG_SYSTIME Modification to system time SYSTIM_SET System time set SYSTIM_CAL System time calibrated NSA$C_MSG_SYSUAF Modification to system user authorization file (SYSUAF) SYSUAF_ADD Record added to system user authorization file SYSUAF_COPY Record added to system user authorization file SYSUAF_DELETE Record deleted from system user authorization file SYSUAF_MODIFY Record modified in system user authorization file SYSUAF_RENAME Record renamed in system user authorization file
11.49 - SYSTEM
SYSTEM=keyword(,...) Specifies the characteristics of the system to be used when selecting event records. Choose from the following keywords: IDENTIFICATION=value Specifies the numeric identification of the system. NAME=nodename Specifies the node name of the system.
11.50 - SYSTEM_SERVICE_NAME
SYSTEM_SERVICE_NAME=(service-name,...) Specifies the name of the system service associated with the event.
11.51 - TARGET_DEVICE_NAME
TARGET_DEVICE_NAME=(device-name,...) Specifies the target device name used by a process control system service.
11.52 - TARGET_PROCESS_IDENTIFICATION
TARGET_PROCESS_IDENTIFICATION=(value,...) Specifies the target process identifier (PID) used by a process control system service.
11.53 - TARGET_PROCESS_NAME
TARGET_PROCESS_NAME=(process-name,...) Specifies the target process name used by a process control system service.
11.54 - TARGET_PROCESS_OWNER
TARGET_PROCESS_OWNER=(uic,...) Specifies the target process owner (UIC) used by a process control system service.
11.55 - TARGET_USERNAME
TARGET_USERNAME=(username,...) Specifies the target user name used by a process control system service.
11.56 - TERMINAL
TERMINAL=(device-name,...) Specifies the name of the terminal to be used when selecting event records. You can represent all or part of the terminal name with a wildcard.
11.57 - TRANSPORT_NAME
TRANSPORT_NAME=(transport-name,...) Specifies the name of the transport: interprocess communication (IPC) or System Management Integrator (SMI), which handles requests from the System Management utility. On VAX systems, it also can specify the DECnet transport name (NSP).
11.58 - USERNAME
USERNAME=(username,...) Specifies the user name to be used when selecting event records. You can represent all or part of the user name with a wildcard.
11.59 - VOLUME_NAME
VOLUME_NAME=(volume-name,...) Specifies the name of the mounted (or dismounted) volume to be used when selecting event records. You can represent all or part of the volume name with a wildcard.
11.60 - VOLUME_SET_NAME
VOLUME_SET_NAME=(volume-set-name,...) Specifies the name of the mounted (or dismounted) volume set to be used when selecting event records. You can represent all or part of the volume set name with a wildcard.
11.61 - Examples
1.$ ANALYZE/AUDIT /FULL/SELECT=USERNAME=JOHNSON - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example selects all records written to the security audit log file that were generated by user JOHNSON. 2.$ ANALYZE/AUDIT/FULL/SELECT=PRIVILEGES_USED=(SYSPRV,- _$ BYPASS) SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example selects all records written to the security audit log file that were generated by events through the use of either SYSPRV or BYPASS privilege.
12 - /SINCE
Indicates the utility must operate on records dated with the specified time or after the specified time. Format /SINCE[=time] /NOSINCE time Specifies the time used to select records. Records dated the same or later than the specified time are selected. You can specify an absolute time, a delta time, or a combination of the two. Observe the syntax rules for date and time described in the OpenVMS User's Manual. If you specify /SINCE without the time, the utility uses the beginning of the current day.
12.1 - Examples
1.$ ANALYZE/AUDIT /SINCE=25-NOV-2000 - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example selects records dated later than November 25, 2000. 2.$ ANALYZE/AUDIT /SINCE=25-NOV-2000:15:00 - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example selects records written after 3 P.M. on November 25, 2000.
13 - /SUMMARY
Specifies that a summary of the selected records be produced after all records are processed. You can use the /SUMMARY qualifier alone or in combination with the /BRIEF, the /BINARY, or the /FULL qualifier. Format /SUMMARY=presentation /NOSUMMARY presentation Specifies the presentation of the summary. If you do not specify a presentation criterion, ANALYZE/AUDIT summarizes the number of audits. You can specify either of the following presentations: COUNT Lists the total number of audit messages for each class of security event that have been extracted from the security audit log file. This is the default. PLOT Displays a plot showing the class of the audit event, the time of day when the audit was generated, and the name of the system where the audit was generated.
13.1 - Examples
1.$ ANALYZE/AUDIT/SUMMARY SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example generates a summary report of all records processed. Total records read: 9701 Records selected: 9701 Record buffer size: 1031 Successful logins: 542 Object creates: 1278 Successful logouts: 531 Object accesses: 3761 Login failures: 35 Object deaccesses: 2901 Breakin attempts: 2 Object deletes: 301 System UAF changes: 10 Volume (dis)mounts: 50 Rights db changes: 8 System time changes: 0 Netproxy changes: 5 Server messages: 0 Audit changes: 7 Connections: 0 Installed db changes: 50 Process control audits: 0 Sysgen changes: 9 Privilege audits: 91 NCP command lines: 120 2.$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL The command in this example generates a full format listing of all logged audit messages that match the break-in or log failure event classes. A summary report is included at the end of the listing. 3.$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY=PLOT - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL This command generates a histogram that you can display on a character-cell terminal.
|