Updated: 11 December 1998
OpenVMS System Management Utilities Reference Manual
Specifies that a disk usage accounting file should be produced, in addition to the other specified functions of the Analyze/Disk_Structure utility.
/USAGE
[=filespec]
If all or part of the file specification is omitted, ANALYZE/DISK_STRUCTURE assumes a default file specification of USAGE.DAT. The file is placed in the current default directory.
$ ANALYZE/DISK_STRUCTURE DBA1:/USAGE
$ DIRECTORY USAGE

Directory DISK$DEFAULT:[ACCOUNT]

USAGE.DAT;1

Total of 1 file.
The first command in this example causes ANALYZE/DISK_STRUCTURE to produce a disk usage accounting file. Because a file specification was not provided in the command line, ANALYZE/DISK_STRUCTURE uses both the default file name and directory [ACCOUNT]USAGE.DAT. The DIRECTORY command instructs the system to display all files with a file name of usage in the current directory. The OpenVMS Alpha device in this example, MDA2000:, has been converted from ODS-2 to ODS-5 using the SET VOLUME command.
4.1 ANALYZE/AUDIT Description
The Audit Analysis utility (ANALYZE/AUDIT) is a system management tool that enables system managers or site security administrators to produce reports from security audit log files.
The OpenVMS operating system automatically audits a limited number of events, such as changes to the authorization database and use of the SET AUDIT command. Depending on your site's requirements, you may want to enable other forms of reporting. However, collecting security audit messages is useful only if you develop and implement a procedure to periodically review the audit log file for suspicious activity. Use ANALYZE/AUDIT to examine the data in security audit log files or security archive files.
The ANALYZE/AUDIT command's different qualifiers allow you to specify the type of information the utility extracts from the security audit log file. The utility can produce an audit report in a variety of formats and direct a report to a file or a terminal.
A description of the format of the auditing messages written to the security auditing file appears in Appendix F.
In a mixed-version cluster, an audit log file contains entries from systems running different versions of the operating system. To analyze the log file, you must invoke the Audit Analysis utility (ANALYZE/AUDIT) from a node running Version 6.1 or later.
For information about how to generate audit message records and how to use ANALYZE/AUDIT, refer to the OpenVMS Guide to System Security.
4.2 ANALYZE/AUDIT Usage Summary
The Audit Analysis utility (ANALYZE/AUDIT) processes event messages in security audit log files to produce reports of security-related events on the system.
ANALYZE/AUDIT [file-spec[,...]]
Use the DCL command ANALYZE/AUDIT to analyze security audit log files or security archive files. An ANALYZE/AUDIT command line can specify the name of one or more log files, as follows:
file-spec[,...]
Specifies one or more security audit log files as input to ANALYZE/AUDIT. If you specify more than one file name, separate the names with commas. If you omit the file-spec parameter, the utility searches for the default audit log file SECURITY.AUDIT$JOURNAL.
The default audit log file is created in the SYS$COMMON:[SYSMGR] directory. To use it, include the SYS$MANAGER directory in the file specification on the ANALYZE/AUDIT command line; if you specify no directory, the utility searches for the file in the current default directory only.
You can include wildcard characters, such as the asterisk (*) or percent sign (%), in the file specification.
The audit log file can be located in any directory. To display the current location, use the DCL command SHOW AUDIT/ALL.
You can also use the ANALYZE/AUDIT command to extract security event messages from security archive files or from binary files (created with previous ANALYZE/AUDIT commands).
Each ANALYZE/AUDIT request runs until the log file is completely processed. You can interrupt the processing to modify the display or to change position in the report if you activate command mode by pressing Ctrl/C. To terminate an ANALYZE/AUDIT request before completion, press Ctrl/Z.
You can direct ANALYZE/AUDIT output to any supported terminal device or to a disk or tape file by specifying the file specification as an argument to the /OUTPUT qualifier. By default, the output is directed to SYS$OUTPUT.
Use of ANALYZE/AUDIT requires no special privileges other than access to the files specified in the command line.
4.3 ANALYZE/AUDIT Qualifiers
This section describes the ANALYZE/AUDIT qualifiers and provides examples of each. The following table summarizes them.
Qualifier | Description |
---|---|
/BEFORE | Controls whether records dated earlier than the specified time are selected |
/BINARY | Controls whether output is a binary file |
/BRIEF | Controls whether a brief, single-line record format is used in ASCII displays |
/EVENT_TYPE | Selects the classes of events to be extracted from the security log file |
/FULL | Controls whether a full format is used in ASCII displays |
/IGNORE | Excludes records from the report that match the specified criteria |
/INTERACTIVE | Controls whether interactive command mode is enabled when ANALYZE/AUDIT is invoked |
/OUTPUT | Specifies where to direct output from ANALYZE/AUDIT |
/PAUSE | Specifies the length of time each record is displayed in a full format display |
/SELECT | Specifies the criteria for selecting records |
/SINCE | Indicates that the utility must operate on records dated with the specified time or after the specified time |
/SUMMARY | Specifies that a summary of the selected records be produced after all records are processed |
Controls whether records dated earlier than the specified time are selected.
/BEFORE [=time]
/NOBEFORE
time
Specifies the time used to select records. Records dated earlier than the specified time are selected. You can specify an absolute time, delta time, or a combination of the two. Observe the syntax rules for date and time described in the OpenVMS User's Manual.
By default, all records in the security audit log file may be examined. You must specify /BEFORE to exclude records created after a specific point in time.
#1
$ ANALYZE/AUDIT /BEFORE=25-NOV-1998 -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example selects all records dated earlier than November 25, 1998.
#2
$ ANALYZE/AUDIT /BEFORE=14:00/SINCE=12:00 -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example selects all records generated between noon and 2 P.M. today.
Controls whether output is a binary file.
/BINARY
/NOBINARY
None.
When you use /BINARY, the output file you specify with the /OUTPUT qualifier contains image copies of the selected input records. If you specify /NOBINARY or omit the qualifier, the output file contains ASCII records. By default, if you specify /BINARY and do not include the /OUTPUT qualifier, an output file named AUDIT.AUDIT$JOURNAL is created.
The /BINARY, /BRIEF, and /FULL qualifiers cannot be used in combination.
$ ANALYZE/AUDIT /BINARY/SINCE=TODAY/OUTPUT=25OCT98.AUDIT -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example selects all audit records generated today and writes the records in binary format to 25OCT98.AUDIT.
Controls whether a brief, single-line record format is used in ASCII displays.
/BRIEF (default)
None.
By default, records are displayed in the brief format. You must specify /FULL to have the full contents of each selected audit event record displayed. The /BINARY, /BRIEF, and /FULL qualifiers cannot be used in combination.
$ ANALYZE/AUDIT /OUTPUT=AUDIT.LIS -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example produces an ASCII file in brief format by default. The report is written to the AUDIT.LIS file.
Selects the classes of events to be extracted from the security log file. If you omit the qualifier or specify the ALL keyword, the utility includes all enabled event classes in the report.
/EVENT_TYPE=(event-type[,...])
event-type[,...]
Specifies the classes of events used to select records. You can specify any of the following event types:
Event type | Meaning |
---|---|
[NO]ACCESS | Access to an object, such as a file |
[NO]ALL | All event types |
[NO]AUDIT | Use of the SET AUDIT command |
[NO]AUTHORIZATION | Change to the authorization database (SYSUAF.DAT, RIGHTSLIST.DAT, NETPROXY.DAT, or NET$PROXY.DAT) |
[NO]BREAKIN | Break-in detection |
[NO]CONNECTION | Establishment of a network connection through the System Management utility (SYSMAN), DECwindows, interprocess communication (IPC) software, or DECnet Phase IV (VAX only) |
[NO]CREATE | Creation of an object |
[NO]DEACCESS | Completion of access to an object |
[NO]DELETE | Deletion of an object |
[NO]INSTALL | Modification of the known file list with the Install utility (INSTALL) |
[NO]LOGFAIL | Unsuccessful login attempt |
[NO]LOGIN | Successful login |
[NO]LOGOUT | Successful logout |
[NO]MOUNT | Execution of the DCL commands MOUNT or DISMOUNT |
[NO]NCP | Modification of the DECnet network configuration databases |
[NO]NETPROXY | Modification of the network proxy authorization file (NETPROXY.DAT or NET$PROXY.DAT) |
[NO]PRIVILEGE | Privilege auditing |
[NO]PROCESS | Use of one or more of the process control system services: $CREPRC, $DELPRC, $SCHDWK, $CANWAK, $WAKE, $SUSPND, $RESUME, $GRANTID, $REVOKID, $GETJPI, $FORCEX, $SETPRI |
[NO]RIGHTSDB | Modification of the rights database (RIGHTSLIST.DAT) |
[NO]SYSGEN | Modification of system parameters through the System Generation utility (SYSGEN) or AUTOGEN |
[NO]SYSUAF | Modification of the system user authorization file (SYSUAF.DAT) |
[NO]TIME | Change in system or cluster time |

Specifying the negated form of an event class (for example, NOLOGFAIL) excludes the specified event class from the audit report.
#1
$ ANALYZE/AUDIT/EVENT_TYPE=LOGFAIL -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example extracts all records of unsuccessful login attempts, which match the LOGFAIL class, and compiles a brief report.
#2
$ ANALYZE/AUDIT/EVENT_TYPE=(NOLOGIN,NOLOGOUT) -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example builds a report in brief format of all audit records except those in the LOGIN and LOGOUT event classes.
Controls whether a full format is used in ASCII displays. If you specify /NOFULL or omit the qualifier, records are displayed in the brief format.
/FULL
/NOFULL (default)
None.
By default, records are displayed in the brief format. You must specify /FULL (or enter command mode by pressing Ctrl/C) to have the full contents of each selected record displayed. The /BINARY, /BRIEF, and /FULL qualifiers cannot be used in combination.
$ ANALYZE/AUDIT /FULL -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example displays the full contents of each selected record.
Excludes records from the report that match the specified criteria.
/IGNORE=criteria[,...]
criteria[,...]
Specifies that all records are selected except those matching any of the specified exclusion criteria. See the /SELECT qualifier description for a list of the possible criteria to use with the /IGNORE qualifier.
Use the /IGNORE qualifier to exclude specific groups of audit records from the audit report. When more than one exclusion criterion is specified, a record that meets any of the criteria is excluded.
#1
$ ANALYZE/AUDIT/IGNORE=(SYSTEM=NAME=WIPER,USERNAME=MILANT) -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example excludes from the audit analysis report all records in the audit log file generated from node WIPER or from user MILANT (on any node).
#2
$ ANALYZE/AUDIT/IGNORE=SUBTYPE=(DIALUP,REMOTE)
The command in this example excludes records generated by dialup and remote processes. Because no file specification is given, the utility reads the default audit log file SECURITY.AUDIT$JOURNAL from the current default directory.
Controls whether interactive command mode is enabled when ANALYZE/AUDIT is invoked.
/INTERACTIVE (default)
/NOINTERACTIVE
None.
Interactive command mode, which is enabled by default, allows you to interrupt the audit report being displayed on the terminal and to enter commands either to modify the criteria used to select records for the report or to reposition the display. To interrupt a full or brief audit report, press Ctrl/C and enter commands at the COMMAND> prompt. Once in command mode, the utility displays the current record in full format. Note that the record might not match the selection or exclusion criteria specified in the previous ANALYZE/AUDIT command.
The NEXT RECORD command is the default when you enter command mode. When ANALYZE/AUDIT reaches the end of the log file, it prompts for the next command. To verify the current log file name and your position within the file, press Ctrl/T.
Enter the CONTINUE command to leave interactive command mode and to resume display of the audit report. Enter the EXIT command to terminate the session. See the ANALYZE/AUDIT Commands section for a description of each interactive command.
To disable interactive mode, specify /NOINTERACTIVE. In this mode, the utility displays audit records one at a time and prompts you to advance the display by pressing the Return key.
#1
$ ANALYZE/AUDIT/FULL -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example produces a full format display of the selected records. New records are displayed every 3 seconds. (See the /PAUSE qualifier description to find how to modify the duration of each record display.) Press Ctrl/C to interrupt the display and to enter interactive commands.
#2
$ ANALYZE/AUDIT/FULL/NOINTERACTIVE -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example invokes the utility in noninteractive mode. It displays the first record selected and prompts you to press the Return key to display each additional selected record. Control returns to the DCL command level when all selected records have been displayed.
Specifies where to direct output from ANALYZE/AUDIT. If you omit the qualifier, the report is sent to SYS$OUTPUT.
/OUTPUT [=file-spec]
/NOOUTPUT
file-spec
Specifies the name of the file that is to contain the selected records. If you omit the device and directory specification, the utility uses the current device and directory specification. If you omit the file name and type, the default file name AUDIT.LIS is used. If the output is binary (/BINARY) and you omit the /OUTPUT qualifier, the binary information is written to the file AUDIT.AUDIT$JOURNAL.
$ ANALYZE/AUDIT /BINARY/OUTPUT=BIN122588.DAT -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example selects audit records from the system audit log file and writes them to the binary file BIN122588.DAT.
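The following command procedure is an added example; it is not part of this manual or of the ANALYZE/AUDIT utility. It combines, in one daily batch job, the periodic review that Section 4.1 says audit collection is useless without, the /SINCE and /BEFORE day window, the /EVENT_TYPE and /IGNORE selection described above, and the /BINARY extraction that Section 4.2 and the /BINARY qualifier describe, including reading a previous /BINARY output file back as input. The directory SYS$MANAGER:[AUDIT_REPORTS], the service account BACKUP_SVC, the report file names, and delivery to the SYSTEM account are assumptions made for the example; the audit log location is the default given in Section 4.2 and should be confirmed with SHOW AUDIT/ALL before the procedure is relied on.

```dcl
$! DAILY_AUDIT_REVIEW.COM
$! Added example, not from the OpenVMS manual: nightly review of the
$! security audit log with ANALYZE/AUDIT, intended to run as a batch
$! job (for example, SUBMIT/AFTER=TOMORROW DAILY_AUDIT_REVIEW).
$! Assumptions: the journal is at its default location, the directory
$! SYS$MANAGER:[AUDIT_REPORTS] exists, BACKUP_SVC is a service account
$! whose failed logins are known noise, and the reviewer reads mail
$! as SYSTEM.
$ SET NOON
$ log     = "SYS$MANAGER:SECURITY.AUDIT$JOURNAL"
$ outdir  = "SYS$MANAGER:[AUDIT_REPORTS]"
$ stamp   = F$CVTIME(,"COMPARISON","YEAR") + -
            F$CVTIME(,"COMPARISON","MONTH") + -
            F$CVTIME(,"COMPARISON","DAY")
$ report  = outdir + "REVIEW_" + stamp + ".LIS"
$ archive = outdir + "EXTRACT_" + stamp + ".AUDIT$JOURNAL"
$ detail  = outdir + "AUTH_CHANGES_" + stamp + ".LIS"
$!
$! 1. Record where auditing is currently writing.  If the journal has
$!    been moved, the 'log' symbol above must be changed to match;
$!    otherwise the utility silently analyzes the wrong file.
$ SHOW AUDIT/ALL
$!
$! 2. Brief report (the default format) of yesterday's failed logins
$!    and break-in detections.  /SINCE=YESTERDAY and /BEFORE=TODAY
$!    bound the window to exactly one day.  /IGNORE drops the service
$!    account's records; /IGNORE criteria are ORed, so further noise
$!    sources can be listed alongside it.  The exclusion is applied to
$!    these login classes only, never to authorization changes.
$ ANALYZE/AUDIT/SINCE=YESTERDAY/BEFORE=TODAY -
     /EVENT_TYPE=(LOGFAIL,BREAKIN) -
     /IGNORE=USERNAME=BACKUP_SVC -
     /OUTPUT='report' 'log'
$!
$! 3. Image copy of all of the day's records in binary form, so later
$!    questions can be answered from the extract instead of the live
$!    journal.  Restrict the copy to SYSTEM and its owner.
$ ANALYZE/AUDIT/BINARY/SINCE=YESTERDAY/BEFORE=TODAY -
     /OUTPUT='archive' 'log'
$ SET FILE/PROTECTION=(S:RWED,O:RWED,G,W) 'archive'
$!
$! 4. Full-format detail of every change to the authorization database
$!    (SYSUAF, RIGHTSLIST, proxies), with no exclusions, read back from
$!    the binary extract: ANALYZE/AUDIT accepts its own /BINARY output.
$ ANALYZE/AUDIT/FULL/EVENT_TYPE=AUTHORIZATION -
     /OUTPUT='detail' 'archive'
$!
$! 5. Mail the brief report to the reviewer.  F$SEARCH guards against a
$!    day on which no report file was produced.
$ IF F$SEARCH(report) .EQS. "" THEN GOTO DONE
$ MAIL/SUBJECT="Security audit review ''stamp'" 'report' SYSTEM
$ DONE:
$ EXIT
```

The two passes over the same day are deliberate: the login-failure report is filtered for readability, while the authorization-change report is taken unfiltered from the binary extract, because an exclusion by user name would also hide that account's changes to SYSUAF.DAT or the proxy files, which is exactly the activity the review exists to catch. Step 3 also gives the reviewer a file that can be re-analyzed later with different /SELECT, /IGNORE, or /EVENT_TYPE criteria without reading the live journal.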
Copyright © Compaq Computer Corporation 1998. All rights reserved.
6048PRO_006.HTML