VMS Help
SET, AUDIT, Qualifiers


1 - /ALARM

    Makes the command apply to alarms, which are messages displayed
    on an operator terminal. See the description of the DCL command
    REPLY/ENABLE for details on how to enable terminals to display
    security messages.

2 - /ARCHIVE

       /ARCHIVE=[keyword,...]

    Specifies which classes of audit event messages are written to
    the security archive file. Specify one or more of the following
    keywords:

    Keyword              Description

    NONE                 Disables archiving on the system.

    [NO]ALL (default)    Enables or disables archiving of all system
                         security events. By default, no events are
                         archived.

    SYSTEM_ALARM         Enables archiving of all security alarm
                         events.

    SYSTEM_AUDIT         Enables archiving of all security audit
                         events.

    Archiving should be run on only one node in an OpenVMS Cluster
    with its own audit server database because multiple nodes will
    try to open the audit file exclusively.

3 - /AUDIT

    Makes the command apply to audits, which are messages recorded in
    the system security audit log file.

4 - /BACKLOG

       /BACKLOG=[keyword[,...]]

    Specifies the thresholds for suspending a process that has
    exceeded the process message limit. The thresholds include the
    total number of messages in memory and the number belonging
    to the particular process. To prevent a process from being
    suspended, use the /EXCLUDE qualifier. Specify the following
    keywords:

    Keyword          Description

    TOTAL=(n1,n2,n3) Thresholds at which flow control is initiated
                     and accelerated; see description below.

    PROCESS=(p1,p2)  Thresholds at which process submissions are
                     controlled.

    Total             Process
    Messages Default  Messages Default Action Taken

    N1       100      P1       5       When there are 100 messages
                                       in memory, the audit server
                                       suspends any process that has
                                       submitted 5 or more messages
                                       until all messages are written
                                       to disk.

    N2       200      P2       2       When there are 200 messages
                                       in memory, the audit server
                                       suspends any process that has
                                       submitted 2 or more messages
                                       until all messages are written
                                       to disk.

    N3       300                       Any process with messages in
                                       memory is suspended until all
                                       messages are written to disk.

5 - /CLASS

       /CLASS=class

    Specifies the class of the object whose auditing attributes are
    to be modified. If /CLASS is not specified, the command assumes
    the class is FILE. Specify one of the following keywords with the
    /CLASS qualifier:

       CAPABILITY
       COMMON_EVENT_CLUSTER
       DEVICE
       FILE
       GROUP_GLOBAL_SECTION
       LOGICAL_NAME_TABLE
       QUEUE
       RESOURCE_DOMAIN
       SECURITY_CLASS
       SYSTEM_GLOBAL_SECTION
       VOLUME

6 - /DESTINATION

       /DESTINATION=filespec

    When changing the destination of event messages, specifies
    the new location of the system security audit log file. The
    device, if part of the file specification, must be a disk. The
    /DESTINATION qualifier requires the /JOURNAL qualifier in this
    case.

    Once you have relocated the log file, execute the command SET
    AUDIT/SERVER=NEW_LOG to let all the nodes in the cluster know of
    the new location. The previous audit log file is closed and all
    subsequent audit event messages generated throughout the cluster
    are sent to the new audit log file.

    When used with /ARCHIVE, specifies the name of the archive log
    file. Events can be archived to a local or remote file on any
    file-structured disk device. For example, you can use an archive
    file to redirect event messages from a satellite to a larger node
    in the cluster.

7 - /DISABLE

       /DISABLE=(keyword[,...])

    Disables alarms or audits for the specified events. To disable
    all system events and file access events, specify the keyword
    ALL. You must specify at least one of the keywords. For a list of
    the keywords to use with the /DISABLE qualifier, see the /ENABLE
    qualifier description. You must also specify either the /ALARM or
    /AUDIT qualifier, or both, when you use the /DISABLE qualifier.

                                   NOTE

       In processing the SET AUDIT command, the system processes
       the /DISABLE qualifier last. If you specify both the /ENABLE
       and /DISABLE qualifiers for items in the same class on
       the same command line, the /DISABLE qualifier disables any
       enabled items. Compaq recommends that you use separate lines
       for commands containing the /ENABLE and /DISABLE qualifiers.

8 - /ENABLE

       /ENABLE=(keyword[,...])

    Enables alarms or audits for the specified events. To enable all
    system events and file access events, specify the keyword ALL.
    You must specify at least one keyword. You must also specify
    either the /ALARM or /AUDIT qualifier, or both, when you use the
    /ENABLE qualifier.

    The keywords that you can specify with either the /ENABLE or the
    /DISABLE qualifier are as follows:

    Keyword            Description

    ACCESS=(condition  Specifies access events for all objects in
    [:access[,...]]    a class. (To audit a single object, use an
    [,...])            auditing ACE and enable the access control
                       list (ACL) category.)

                       Compaq recommends that when you enable
                       auditing conditionally, you enable it for all
                       possible forms of access because the system
                       can check access rights at several points
                       during an operation. (For example, a FAILURE
                       might occur on a read or write access check.)

                       Condition      Description
                       Keyword

                       ALL            All object access

                       BYPASS         Successful object access due to
                                      the use of the BYPASS privilege

                       FAILURE        Unsuccessful object access

                       GRPPRV         Successful object access due to
                                      the use of the group privilege
                                      (GRPPRV)

                       READALL        Successful object access due
                                      to the use of the READALL
                                      privilege

                       SUCCESS        Successful object access

                       SYSPRV         Successful object access due to
                                      the use of the system privilege
                                      (SYSPRV)

                       Access         Description
                       Keyword

                       ALL            All types of access

                       ASSOCIATE      Associate access

                       CONTROL        Control access to examine or
                                      change security characteristics

                       CREATE         Create access

                       DELETE         Delete access

                       EXECUTE        Execute access

                       LOCK           Lock access

                       LOGICAL        Logical I/O access

                       MANAGE         Manage access

                       PHYSICAL       Physical I/O access

                       READ           Read access

                       SUBMIT         Submit access

                       WRITE          Write access

    ACL                Specifies an event requested by an audit or
                       alarm ACE in the access control list (ACL) of
                       an object. To audit all objects of a class,
                       use the ACCESS keyword.

    ALL                Specifies all system events and file access
                       events. It does not enable access events for
                       object classes other than FILE.

    AUDIT=keyword      Specifies events within the auditing
                       subsystem. Only one keyword is currently
                       defined.

                       Keyword        Description

                       ILLFORMED      Specifies ill-formed events from
                                      internal calls (identified by
                                      NSA$M_INTERNAL) to the $AUDIT_
                                      EVENT, $CHECK_PRIVILEGE,
                                      $CHKPRO, or $CHECK_ACCESS
                                      system services. An ill-formed
                                      event is caused by an
                                      incomplete or syntactically
                                      incorrect argument being
                                      supplied to one of these
                                      system services by a piece
                                      of privileged code.

    AUTHORIZATION      Specifies the modification of any portion of
                       the system user authorization file (SYSUAF),
                       network proxy authorization file (NETPROXY),
                       or the rights list (RIGHTLIST) (including
                       password changes made through the AUTHORIZE,
                       SET PASSWORD, or LOGINOUT commands or the
                       $SETUAI system service).

    BREAKIN=           Specifies the occurrence of one or more
    (keyword[,...])    classes of break-in attempts, as specified
                       by one or more of the following keywords:

                          ALL
                          DETACHED
                          DIALUP
                          LOCAL
                          NETWORK
                          REMOTE

    CONNECTION         Specifies a logical link connection or
                       termination through DECnet Phase IV,
                       DECwindows, $IPC, or SYSMAN.

    CREATE             Specifies the creation of an object. Requires
                       the /CLASS qualifier if it is not a file.

    DEACCESS           Specifies deaccess from an object. Requires
                       the /CLASS qualifier if it is not a file.

    DELETE             Specifies the deletion of an object. Requires
                       the /CLASS=DEVICE qualifier.

    FILE_ACCESS=       This keyword is obsolete and is superseded
    (keyword[,...])    by the ACCESS keyword, which is valid on all
                       OpenVMS Version 6.1 or higher systems. On
                       Alpha, this keyword specifies the occurrence
                       of file and global section access events
                       (regardless of the value given in the object's
                       access control list [ACL], if any).

    IDENTIFIER         Specifies that the use of identifiers as
                       privileges should be audited. For further
                       information, refer to the OpenVMS Guide to
                       System Security.

    INSTALL            Specifies modifications made to the known file
                       list through the INSTALL utility.

    LOGFAILURE=        Specifies the occurrence of one or more
    (keyword[,...])    classes of login failures, as specified by
                       the following keywords:

                       ALL            All possible types of login
                                      failures

                       BATCH          Batch process login failure

                       DETACHED       Detached process login failure

                       DIALUP         Dialup interactive login
                                      failure

                       LOCAL          Local interactive login failure

                       NETWORK        Network server task login
                                      failure

                       REMOTE         Interactive login failure
                                      from another network node,
                                      for example, with a SET HOST
                                      command

                       SERVER         Server or TCB-based login
                                      failure

                       SUBPROCESS     Subprocess login failure

    LOGIN=             Specifies the occurrence of one or more
    (keyword[,...])    classes of login attempts, as specified by
                       the following keywords. See the LOGFAILURE
                       keyword for further description.

                          ALL            BATCH
                          DETACHED       DIALUP
                          LOCAL          NETWORK
                          REMOTE         SERVER
                          SUBPROCESS

    LOGOUT=            Specifies the occurrence of one or more
    (keyword[,...])    classes of logouts, as specified by the
                       following keywords. See the LOGFAILURE keyword
                       for further description.

                          ALL            BATCH
                          DETACHED       DIALUP
                          LOCAL          NETWORK
                          REMOTE         SERVER
                          SUBPROCESS

    MOUNT              Specifies a mount or dismount operation.

    NCP                Specifies access to the network configuration
                       database, using the network control program
                       (NCP).

    PRIVILEGE=         Specifies successful or unsuccessful use
    (keyword[,...])    of privilege, as specified by the following
                       keywords:

                          FAILURE [:privilege(,...)] - Unsuccessful
                          use of privilege

                          SUCCESS [:privilege(,...)] - Successful use
                          of privilege

                       For a listing of privileges, refer to
                       online help for the DCL command SET
                       PROCESS/PRIVILEGES.

    PROCESS=           Specifies the use of one or more of the
    (keyword[,...])    process control system services, as specified
                       by the following keywords:

                       ALL            Use of any of the process
                                      control system services

                       CREPRC         All use of $CREPRC

                       DELPRC         All use of $DELPRC

                       SCHDWK         Privileged use of $SCHDWK

                       CANWAK         Privileged use of $CANWAK

                       WAKE           Privileged use of $WAKE

                       SUSPND         Privileged use of $SUSPND

                       RESUME         Privileged use of $RESUME

                       GRANTID        Privileged use of $GRANTID

                       REVOKID        Privileged use of $REVOKID

                       GETJPI         Privileged use of $GETJPI

                       FORCEX         Privileged use of $FORCEX

                       SETPRI         Privileged use of $SETPRI

                       Privileged use of a process control system
                       service means the caller used GROUP or WORLD
                       privilege to affect the target process.

    SYSGEN             Specifies the modification of a system
                       parameter with the OpenVMS System Generation
                       utility.

    TIME               Specifies the modification of system time.

9 - /EXCLUDE

       /EXCLUDE=process-id
       /NOEXCLUDE=process-id

    Adds a process identification (PID) to the audit server's process
    exclusion list. The process exclusion list contains those
    processes that will not be suspended by the audit server if a
    resource exhaustion reaches the action threshold. By default,
    realtime processes and all of the following processes are
    included in the process exclusion list and are never suspended:

       CACHE_SERVER
       CLUSTER_SERVER
       CONFIGURE
       DFS$COM_ACP
       DNS$ADVER
       IPCACP
       JOB_CONTROL
       NETACP
       NET$ACP
       OPCOM
       REMACP
       SHADOW_SERVER
       SMISERVER
       SWAPPER
       TP_SERVER
       VWS$DISPLAYMGR
       VWS$EMULATORS

    Use the SET AUDIT/NOEXCLUDE command to remove a process from the
    process exclusion list; however, processes listed above cannot
    be removed from the exclusion list. Also note that PIDs are
    not automatically removed from the process exclusion list when
    processes log out of the system.

10 - /FAILURE_MODE

       /FAILURE_MODE[=keyword]

    This qualifier is obsolete.

    On Alpha, specifies how the OpenVMS system proceeds following
    a failed attempt to write a security alarm to the operator
    communication process's (OPCOM's) mailbox. Specify one of the
    following keywords with the /FAILURE_MODE qualifier:

    Option Description

    CRASH  Forces a system failure if security alarms cannot be
           written.

    IGNORE Indicates that failing security alarms are to be ignored.
           The first failed alarm causes an error message to be
           written to the operator console and log file. The system
           maintains a count of the lost alarms, which can be
           displayed with the SHOW AUDIT command.

    WAIT   Indicates that processes are placed in the MWAIT state to
           wait until the resource is available. This is the default.

    The /ALARM qualifier is required when specifying an audit failure
    mode.

11 - /INTERVAL

       /INTERVAL=(keyword[,...])

    Specifies the delta times to be used for regular audit server
    operations. For information about specifying delta times, refer
    to the OpenVMS User's Manual.

    The following table describes keywords for the /INTERVAL
    qualifier:

    Keyword          Description

    ARCHIVE_         Specifies the interval at which data collected
    FLUSH=time       by the audit server is written to the archive
                     file. The default is 1 minute.

    JOURNAL_         Specifies the interval at which data collected
    FLUSH=time       by the audit server is written to the audit log
                     file. The default is 5 minutes.

    RESOURCE_        Specifies the interval at which the audit server
    MONITOR=time     retries log file allocation or access. This
                     interval applies whenever free space in the
                     log file is below either the warning or action
                     thresholds, or when the volume holding the log
                     file is inaccessible. The default interval is 5
                     minutes.

    RESUME_          Specifies the interval at which the audit
    SCAN=time        server reviews an existing resource exhaustion
                     condition. The default is 15 minutes.

12 - /JOURNAL

       /JOURNAL[=journal-name]

    Specifies the name of the audit journal; the name defaults to
    SECURITY. (Currently, there is only one journal.)

    The /JOURNAL qualifier is required when redefining the audit log
    file or when specifying resource monitoring characteristics with
    the /RESOURCE or the /THRESHOLD qualifier.

13 - /LISTENER

       /LISTENER=device
       /NOLISTENER

    Specifies the name of a mailbox device to which the audit server
    sends a binary copy of all security audit event messages.
    Users can create such a mailbox to process system security
    events as they occur. For a description of the message formats
    written to the listener mailbox, refer to the Audit Analysis
    Utility documentation in the OpenVMS System Management Utilities
    Reference Manual.

    Use the SET AUDIT/NOLISTENER command to disable a listener
    device.

14 - /RESOURCE

       /RESOURCE=keyword[,...]

    Enables or disables the monitoring of disk volumes to ensure
    adequate space for audit journal entries; it also specifies the
    monitoring method to use. The /JOURNAL qualifier is required. For
    more information about resource monitoring, refer to the OpenVMS
    Guide to System Security.

    Keyword          Description

    DISABLE          Disables monitoring on the disk volume
                     containing the audit journal.

    ENABLE           Enables resource monitoring on the disk volume
                     containing the audit journal.

    MONITOR_         This keyword is obsolete.
    MODE=mode
                     Specifies the method the audit server uses to
                     monitor available resources. Specify one of the
                     following keywords:

                     COUNT      Controls whether resource monitoring
                                is based on the amount of free disk
                                space required to store a fixed
                                number of event messages.

                     PERCENTAGE Controls whether resource monitoring
                                is based on the percentage of the
                                disk volume or volume set available.

                     SPACE      Controls whether resource monitoring
                                is based on the number of free blocks
                                on the disk. This is the default
                                method used for resource monitoring.

                     TIME       Controls whether resource monitoring
                                is based on the amount of free disk
                                space needed to store events which
                                occur over a fixed period of time (in
                                seconds).

15 - /SERVER

       /SERVER=keyword[,...]

    Modifies audit server characteristics. The following table
    describes keywords for the /SERVER qualifier:

    Keyword            Description

    CREATE_SYSTEM_LOG  This keyword is obsolete.

                       On Alpha, causes the audit server to create
                       a new local system security audit log file.
                       Other audit servers in the cluster are not
                       affected. This keyword may be used by sites
                       operating a multienvironment cluster where
                       it may be necessary to create a new log file
                       on a specific node in the cluster. CREATE_
                       SYSTEM_LOG is synonymous with NEW_LOG for
                       nonclustered systems.

    EXIT               Initiates an audit server shutdown. This is
                       the only method for removing the audit server
                       process from the system; the audit server
                       cannot be deleted or suspended.

    FINAL_             Specifies the action the audit server should
    ACTION=action      take when it runs out of memory and cannot
                       buffer messages. (For more information, refer
                       to the discussion of message flow control in
                       the OpenVMS Guide to System Security.) Specify
                       one of the following actions:

                          CRASH - Crash the system if the audit
                          server runs out of memory.

                          IGNORE_NEW - Ignore new event messages
                          until memory is available. New event
                          messages are lost but event messages in
                          memory are saved.

                          PURGE_OLD (default) - Remove old event
                          messages until memory is available for the
                          most current messages.

    FLUSH              Copies all buffered audit and archive records
                       to the security audit log file and security
                       archive file, respectively.

    INITIATE           Enables auditing during system startup.
                       Ordinarily, auditing is started from
                       VMS$LPBEGIN in STARTUP.COM but, if a site
                       redefines the logical name SYS$AUDIT_SERVER_
                       INHIBIT, the OpenVMS system waits for a SET
                       AUDIT/SERVER=INITIATE command before enabling
                       auditing.

    NEW_LOG            Creates a new clusterwide audit log file.
                       Typically, this is used daily to generate a
                       new version of the audit log file.

                       The following sequence of commands can be used
                       to reset the space monitoring thresholds and
                       then to recreate the auditing log, thereby
                       creating a smaller log file:

                       $ SET AUDIT /JOURNAL=SECURITY -
                             /THRESHOLD=WARN=200
                       $ SET AUDIT /SERVER=NEW_LOG

                       By default, the size of the new auditing log
                       file is based on the size of the previous
                       auditing logs.

    REDIRECT_SYSTEM_   This keyword is obsolete.
    LOG
                       On Alpha, causes the audit server on the local
                       node to redirect security event messages to a
                       new audit log file, whose location was defined
                       previously by the /DESTINATION qualifier.
                       Audit server processes (and log files) on
                       other nodes in the cluster are unaffected.

    RESUME             Requests the audit server process to resume
                       normal activity on the system, if adequate
                       disk space is available. Normally, once the
                       resource monitoring action threshold has been
                       reached, the audit server process suspends
                       most system activity and waits 15 minutes
                       before attempting to resume normal system
                       activity.

    START              Starts the audit server process on the
                       system. In order to fully enable the auditing
                       subsystem, the SET AUDIT/SERVER=INITIATE
                       command must be used after the SET
                       AUDIT/SERVER=START command has completed.

                       Compaq recommends using the following command
                       procedure to start the audit server:

                       SYS$SYSTEM:STARTUP AUDIT_SERVER

16 - /THRESHOLD

       /THRESHOLD=type=value

    Specifies threshold values used in monitoring available space
    in the audit log file. The auditing system issues advisory
    messages to central and security operators whenever free space
    in the audit log file falls below the WARNING threshold. The
    auditing system suspends processes that generate audit events
    when free disk space is below the action threshold. (See
    /RESOURCE=[enable|disable]). The /JOURNAL qualifier is required.

    The following table lists the types of thresholds:

    Keyword        Description

    WARNING=value  Specifies the threshold at which the audit server
                   notifies all security operator terminals that
                   resources are getting low.

    ACTION=value   Specifies the threshold at which the audit server
                   starts suspending processes that are generating
                   audit records. (Certain processes are immune to
                   this: refer to OpenVMS Guide to System Security).

    RESUME=value   This keyword is obsolete.

                   Specifies the threshold at which the audit server
                   resumes normal system activity.

    The following table lists the default warning and action values
    for each monitoring mode:

    Mode                  Warning        Action

    Blocks                100            25
    Delta time            2 0:00:00      0 0:30:00

17 - /VERIFY

    Do not return the dollar sign ($) prompt until the audit server
    completes the command. Associated qualifiers determine which of
    the following actions occur:

    o  Redefinition of auditing events

    o  Redefinition of the audit log file or the archive file

    o  Modification of the audit server's operational characteristics

    o  Modification of resource monitoring attributes

    If you do not want to wait for the command to complete, specify
    /NOVERIFY.