Updated: 11 December 1998 |
OpenVMS System Management Utilities Reference
Manual
Previous | Contents | Index |
Specifies the length of time each record is displayed in a full-format display.
/PAUSE =seconds
seconds
Specifies the duration (in seconds) of the full-screen display. A value of 0 specifies that the system should not pause before displaying the next record. By default, the utility displays a record for 3 seconds.
The /PAUSE qualifier can be used only with full-format (/FULL) displays to specify the length of time each record is displayed. By default, each record is displayed for a period of 3 seconds. A value of 0 results in a continuous display of audit records.
$ ANALYZE/AUDIT /FULL/PAUSE=1 - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL |
The command in this example displays a selected record in full format every second. You can interrupt the display and enter interactive commands at any time by pressing Ctrl/C. (See the ANALYZE/AUDIT Commands section for more information.)
Specifies the criteria for selecting records from the audit log file. Refer to the OpenVMS Guide to System Security for a description of how to generate audit records.
/SELECT= criteria[,...]
/NOSELECT
criteria[,...]
Specifies the criteria for selecting records. For each specified criterion, ANALYZE/AUDIT has two selection requirements:
- The packet corresponding to the criterion must be present in the record.
- One of the specified values must match the value in that packet.
For example, if you specify (USER=(PUTNAM,WU),SYSTEM=DBASE) as the criteria, ANALYZE/AUDIT selects an event record containing the SYSTEM=DBASE packet and a USER packet with either the PUTNAM value or the WU value.
If you omit the /SELECT qualifier, all event records selected through the /EVENT_TYPE qualifier are extracted from the audit log file and included in the report.
You can specify any of the following criteria:
ACCESS=(type,...)
Specifies the type of object access upon which the selection is based. Access is object-specific and includes the following types:
Associate Execute Read Control Lock Submit Create Logical Use Delete Manage Write Physical The OpenVMS Guide to System Security describes each of these types.
ACCOUNT=(name,...)
Specifies the account name upon which selection is based. You can use wildcards, such as an asterisk (*) or percent sign (%), to represent all or part of the name.ALARM_NAME=(alarm-name,...)
Specifies the alarm journal name on which selection is based. You can use wildcards to represent all or part of the alarm name.ASSOCIATION_NAME=(IPC-name,...)
Specifies the name of the interprocess communication (IPC) association.AUDIT_NAME=(journal-name,...)
Specifies the audit journal name on which selection is based. You can use wildcards to represent all or part of the audit journal name.COMMAND_LINE=(command,...)
Specifies the command line that the user entered.CONNECTION_IDENTIFICATION=(IPC-name,...)
Specifies the name for the interprocess communication (IPC) connection.DECNET_LINK_IDENTIFICATION=(value,...)
Specifies the number of the DECnet logical link.DECNET_OBJECT_NAME=(object-name,...)
Specifies the name of the DECnet object.DECNET_OBJECT_NUMBER=(value,...)
Specifies the number of the DECnet object.DEFAULT_USERNAME=(username,...)
Specifies the default local user name for incoming network proxy requests.DEVICE_NAME=(device-name,...)
Specifies the name of a device in audit records that have a DEVICE_NAME packet. Note that this does not select the device name when it occurs in other packet types, such as in a file name or in the TARGET_DEVICE_NAME packet.DIRECTORY_ENTRY=(directory,...)
Specifies the directory entry associated with file system operation.DIRECTORY_NAME=(directory,...)
Specifies the name of the directory file.DISMOUNT_FLAGS=(flag-name,...)
Identifies the names of the volume dismounting flags to be used in selecting records. Specify one or more of the following flag names: Abort, Cluster, Nounload, and Unit.EVENT_CLUSTER_NAME=(event-flag-cluster-name,...)
Specifies the name of the event flag cluster.FACILITY=(facility-name,...)
Specifies that only events audited by the named facility be selected. Provide a name or a number but, in either case, the facility has to be defined through the logical AUDSERV$FACILITY_NAME as a decimal number; the system uses the number 0.FIELD_NAME=(field-name,...)
Specifies the name of the field that was modified. ANALYZE/AUDIT uses the FIELD_NAME criterion with packets containing the original data and the new data (specified by the NEW_DATA criterion).To help identify FIELD_NAME criteria, first use the /EVENT qualifier with ANALYZE/AUDIT to display the fields that you could use with subsequent calls to ANALYZE/AUDIT/SELECT=FIELD_NAME.
For sensitive information, see SENSITIVE_FIELD_NAME.
FILE_NAME=(file-name)
Specifies the name of the file that caused the audit. Describes audit records for the specified file by using a slightly different display format than is provided by the /OBJECT=NAME=object-name keyword.FILE_IDENTIFICATION=(identification-value)
Specifies the value of the file's identification. To calculate the value, start with the value listed for File ID when you use the FILE_NAME keyword. For example, the display lists the File ID as:
Use the following formula to calculate the value:
File ID: (3024,5,0)
((0 * 65536) + 5 * 65536) + 3024 = 330704FLAGS=(flag-name,...)
Identifies the names of the audit event flags associated with the audited event. These names should be used in selecting records. Specify one or more of the following flags: ACL, Alarm, Audit, Flush, Foreign, Internal, and Mandatory. (For a description of these flags, see Table F-3.)HOLDER=keyword(,...)
Specifies the characteristics of the identifier holder to be used when selecting event records. Choose from the following keywords:
NAME=username Specifies the name of the holder. You can represent all or part of the name with a wildcard. OWNER=uic Specifies the user identification code (UIC) of the holder. IDENTIFIER=keyword(,...)
Identifies which attributes of an identifier should be used when selecting event records. Choose from the following keywords:
ATTRIBUTES=name Specifies the name of the particular attribute. Valid attribute names are as follows: Dynamic, Holder_Hidden, Name_Hidden, NoAccess, Resource, and Subsystem. NAME=identifier Specifies the original name of the identifier. You can represent all or part of the name with a wildcard. NEW_NAME=identifier Specifies the new name of the identifier. You can represent all or part of the name with a wildcard. NEW_ATTRIBUTES=name Specifies the name of the new attribute. Valid attribute names are Dynamic, Holder_Hidden, Name_Hidden, NoAccess, Resource, and Subsystem. VALUE=value Specifies the original value of the identifier. NEW_VALUE=value Specifies the new value of the identifier. IDENTIFIERS_MISSING=(identifier,...)
Specifies the identifiers missing in a failure to access an object.IDENTIFIERS_USED=(identifier,...)
Specifies the identifiers used to gain access to an object. An event record matches if the specified list is a subset of the identifiers recorded in the event record.IMAGE_NAME=(image-name,...)
Identifies the name of the image to be used when selecting event records. You can represent all or part of the image name with a wildcard.INSTALL=keyword(,...)
Specifies that installation event packets are to be considered when selecting event records. Choose from the following keywords:
FILE=filename Specifies the name of the installed file. You can represent all or part of the name with a wildcard. Note that on Alpha systems prior to Version 6.1 and on VAX systems prior to Version 6.0, audit log files record the installed file name within an object name packet. To select the installed file, you must use the expression OBJECT=(NAME=object-name) instead of FILE=filename.
FLAGS=flag-name Specifies the names of the flags, which correspond to qualifiers of the Install utility (INSTALL); for example, OPEN corresponds to /OPEN. PRIVILEGES=privilege-name Specifies the names of the privileges with which the file was installed. LNM_PARENT_NAME=(table-name,...)
Specifies the name of the parent logical name table.LNM_TABLE_NAME=(table-name,...)
Specifies the name of the logical name table.LOCAL=(characteristic,...)
Specifies the characteristics of the local (proxy) account to be used when selecting event records. The following characteristic is supported:
USERNAME=username Specifies the name of the local account. You can represent all or part of the name with a wildcard. LOGICAL_NAME=(logical-name,...)
Specifies the logical name of the mounted (or dismounted) volume upon which selection is based. You can represent all or part of the logical name with a wildcard.MAILBOX_UNIT=(number,...)
Specifies the number of the mailbox unit.MOUNT_FLAGS=(flag-name,...)
Specifies the names of the volume mounting flags upon which selection is based. Possible flag names include the following names:
- CACHE=(NONE,WRITETHROUGH)
- CDROM
- CLUSTER
- COMPACTION
- DATACHECK=(READ,WRITE)
- DSI
- FOREIGN
- GROUP
- INCLUDE
- INITIALIZATION=(ALLOCATE,CONTINUATION)
- MESSAGE
- NOASSIST
- NOAUTOMATIC
- NOCOMPACTION
- NOCOPY
- NOHDR3
- NOJOURNAL
- NOLABEL
- NOMOUNT_VERIFICATION
- NOQUOTA
- NOREBUILD
- NOUNLOAD
- NOWRITE
- OVERRIDE=(options[,...])
- ACCESSIBILITY
- EXPIRATION
- IDENTIFICATION
- LIMITED_SEARCH
- LOCK
- NO_FORCED_ERROR
- OWNER_IDENTIFIER
- SECURITY
- SETID
- QUOTA
- SHARE
- SUBSYSTEM
- SYSTEM
- TAPE_DATA_WRITE
- XAR
The names NOLABEL and FOREIGN each point to the FOREIGN flag. The reason for this is that the MOUNT/NOLABEL and MOUNT/FOREIGN commands each set the FOREIGN flag. Therefore, if you used MOUNT/NOLABEL, and you use ANALYZE/AUDIT/SELECT/MOUNT_FLAGS=NOLABEL, the audit record will display the FOREIGN flag.
NEW_DATA=(value,...)
Specifies the value to use after the event occurs. Use this criterion with the FIELD_NAME criterion.For sensitive information, see SENSITIVE_NEW_DATA.
NEW_IMAGE_NAME=(image-name,...)
Specifies the name of the image to be activated in the newly created process, as supplied to the $CREPRC system service.NEW_OWNER=(uic,...)
Specifies the user identification code (UIC) to be assigned to the created process, as supplied to the $CREPRC system service.OBJECT=keyword(,...)
Specifies which characteristics of an object should be used when selecting event records. Choose any of the following keywords:
CLASS=class-name Specifies the general object class as one of the following classes: Capability
Device
Event_cluster
File
Group_global_section
Logical_name_table
Queue
Resource_domain
Security_class
System_global_section
VolumeYou must enter the full class name (for example, CLASS=logical_name_table) or use wildcard characters to supply a portion of the class name (for example, CLASS=log*). NAME=object-name Specifies the name of the object. You can represent all or part of the name with a wildcard. If you do not use a wildcard, specify the full object name (for example, BOSTON$DUA0:[RWOODS]MEMO.MEM;1). OWNER=value Specifies the UIC or general identifier of the object. TYPE=type Specifies the general object class (type of object). The available classes are as follows: Capability
Device
File
Group_global_section
Logical_name_table
Queue
System_global_sectionThe CLASS keyword supersedes the TYPE keyword. However, TYPE is required to select audit records in files created prior to OpenVMS Alpha Version 6.1 and OpenVMS VAX Version 6.0. PARENT=keyword(,...)
Specifies which characteristics of the parent process are used when selecting event records generated by a subprocess. Choose from the following keywords:
IDENTIFICATION=value Specifies the process identifier (PID) of the parent process. NAME=process-name Specifies the name of the parent process. You can represent all or part of the name with a wildcard. OWNER=value Specifies the owner (identifier value) of the parent process. USERNAME=username Specifies the user name of the parent process. You can represent all or part of the name with a wildcard. PASSWORD=(password,...)
Specifies the password used when the system detected a break-in attempt.PRIVILEGES_MISSING=(privilege-name,...)
Specifies privileges the caller needed to perform the operation successfully. Specify any of the system privileges, as described in the OpenVMS Guide to System Security.PRIVILEGES_USED=(privilege-name,...)
Specifies the privileges of the process to be used when selecting event records. Specify any of the system privileges, as described in the OpenVMS Guide to System Security. Also include the STATUS keyword in the selection criteria so the report can demonstrate whether the privilege was involved in a successful or an unsuccessful operation.PROCESS=(characteristic,...)
Specifies the characteristics of the process to be used when selecting event records. Choose from the following characteristics:
IDENTIFICATION=value Specifies the PID of the process. NAME=process-name Specifies the name of the process. You can represent all or part of the name with a wildcard. REMOTE=keyword(,...)
Specifies that some characteristic of the network request is to be used when selecting event records. Choose from the following keywords:
ASSOCIATION_NAME=IPC-name Specifies the interprocess communication (IPC) association name. LINK_IDENTIFICATION=value Specifies the number of the DECnet logical link. IDENTIFICATION=value Specifies the DECnet node address. NODENAME=node-name Specifies the DECnet node name. You can represent all or part of the name with a wildcard. USERNAME=username Specifies the remote user name. You can represent all or part of the remote user name with a wildcard. REQUEST_NUMBER=(value,...)
Specifies the request number associated with the DCL command REQUEST/REPLY.SECTION_NAME=(global-section-name,...)
Specifies the name of the global section.SENSITIVE_FIELD_NAME=(field-name,...)
Specifies the name of the field that was modified. ANALYZE/AUDIT uses the SENSITIVE_FIELD_NAME criterion, such as PASSWORD, with packets containing the original data and the new data (specified by the SENSITIVE_NEW_DATA criterion).SENSITIVE_NEW_DATA=(value,...)
Specifies the value to use after the event occurs. Use this criterion with the SENSITIVE_FIELD_NAME criterion.SNAPSHOT_BOOTFILE=(filename,...)
Specifies the name of the file containing a snapshot of the system.SNAPSHOT_SAVE_FILENAME=(filename,...)
Specifies the name of the system snapshot file for a save operation that is in progress.STATUS=type(,...)
Specifies the type of success status to be used when selecting event records. Choose from the following status types:
SUCCESSFUL Specifies any success status. FAILURE Specifies any failure status. CODE=(value,...) Specifies a specific completion status. SUBJECT_OWNER=(uic,...)
Specifies the owner (UIC) of the process causing the event.SUBTYPE=(subtype,...)
Specifies that the criteria be limited to the value or values specified as a subtype.Refer to Table F-2 for valid subtype values.
SYSTEM=keyword(,...)
Specifies the characteristics of the system to be used when selecting event records. Choose from the following keywords:
IDENTIFICATION=value Specifies the numeric identification of the system. NAME=nodename Specifies the node name of the system. SYSTEM_SERVICE_NAME=(service-name,...)
Specifies the name of the system service associated with the event.TARGET_DEVICE_NAME=(device-name,...)
Specifies the target device name used by a process control system service.TARGET_PROCESS_IDENTIFICATION=(value,...)
Specifies the target process identifier (PID) used by a process control system service.TARGET_PROCESS_NAME=(process-name,...)
Specifies the target process name used by a process control system service.TARGET_PROCESS_OWNER=(uic,...)
Specifies the target process owner (UIC) used by a process control system service.TARGET_USERNAME=(username,...)
Specifies the target user name used by a process control system service.TERMINAL=(device-name,...)
Specifies the name of the terminal to be used when selecting event records. You can represent all or part of the terminal name with a wildcard.TRANSPORT_NAME=(transport-name,...)
Specifies the name of the transport: interprocess communication (IPC) or System Management Integrator (SMI), which handles requests from the System Management utility.On VAX systems, it also can specify the DECnet transport name (NSP).
USERNAME=(username,...)
Specifies the user name to be used when selecting event records. You can represent all or part of the user name with a wildcard.VOLUME_NAME=(volume-name,...)
Specifies the name of the mounted (or dismounted) volume to be used when selecting event records. You can represent all or part of the volume name with a wildcard.VOLUME_SET_NAME=(volume-set-name,...)
Specifies the name of the mounted (or dismounted) volume set to be used when selecting event records. You can represent all or part of the volume set name with a wildcard.
#1 |
---|
$ ANALYZE/AUDIT /FULL/SELECT=USERNAME=JOHNSON - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL |
The command in this example selects all records written to the security audit log file that were generated by user JOHNSON.
#2 |
---|
$ ANALYZE/AUDIT/FULL/SELECT=PRIVILEGES_USED=(SYSPRV,- _$ BYPASS) SYS$MANAGER:SECURITY.AUDIT$JOURNAL |
The command in this example selects all records written to the security audit log file that were generated by events through the use of either SYSPRV or BYPASS privilege.
#3 |
---|
$ ANALYZE/AUDIT/FULL/EVENT=SYSUAF/SELECT= - _$ IMAGE=("*:[SYS*SYSEXE]SETP0.EXE","*:[SYS*SYSEXE]LOGINOUT.EXE") - _$ SYS$MANAGER:SECURITY |
The command in this example selects all records that involve password changes written to the security audit log file.
The following example is a command procedure that you could run at midnight to select all SYSUAF, AUDIT, and BREAKIN events (excluding password changes) and mail the result to the system manager:
$! DAILY_AUDIT.COM $ $ mail_list = "SYSTEM" $ audsrv$_noselect = %X003080A0 $ audit_events = "SYSUAF,BREAKIN,AUDIT" $ $ analyze /audit /full - /event=('audit_events') - /output=audit.tmp - /ignore=image=("*:[SYS*SYSEXE]SETP0.EXE","*:[SYS*SYSEXE]LOGINOUT.EXE") - sys$manager:SECURITY.AUDIT$JOURNAL $ $ status = $status $ if (status.and.%XFFFFFFF) .eq. audsrv$_noselect then goto no_records $ if .not. status then goto error_analyze $ if f$file("audit.tmp","eof") .eq. 0 then goto no_records $ mail /subject="''audit_events' listing from ''f$time()'" - audit.tmp 'mail_list' $ goto new_log $ $ no_records: $ mail /subject="No interesting security events" nl: 'mail_list' $ $ new_log: $ if f$search("audit.tmp") .nes. "" then delete audit.tmp;* $ set audit /server=new_log $ rename sys$manager:SECURITY.AUDIT$JOURNAL;-1 - sys$common:[sysmgr]'f$element(0," ",f$edit(f$time(),"TRIM"))' $ exit $ $ error_analyze: $ mail/subj="Error analyzing auditing information" nl: 'mail_list' $ exit
Previous | Next | Contents | Index |
Copyright © Compaq Computer Corporation 1998. All rights reserved. Legal |
6048PRO_007.HTML
|