HP OpenVMS System Management Utilities Reference Manual


Previous Contents Index

When you use the Authorize utility (AUTHORIZE) to copy a user name, NEW_DATA specifies the newly created user name.

For sensitive information, see SENSITIVE_NEW_DATA.

NEW_IMAGE_NAME=(image-name,...)

Specifies the name of the image to be activated in the newly created process, as supplied to the $CREPRC system service.

NEW_OWNER=(uic,...)

Specifies the user identification code (UIC) to be assigned to the created process, as supplied to the $CREPRC system service.

OBJECT=keyword(,...)

Specifies which characteristics of an object should be used when selecting event records. Choose any of the following keywords:
CLASS=class-name Specifies the general object class as one of the following classes:
  Capability
Device
Event_cluster
File
Group_global_section
Logical_name_table
Queue
Resource_domain
Security_class
System_global_section
Volume
  You must enter the full class name (for example, CLASS=logical_name_table) or use wildcard characters to supply a portion of the class name (for example, CLASS=log*).
NAME=object-name Specifies the name of the object. You can represent all or part of the name with a wildcard. If you do not use a wildcard, specify the full object name (for example, BOSTON$DUA0:[RWOODS]MEMO.MEM;1).
OWNER=value Specifies the UIC or general identifier of the object.
TYPE=type Specifies the general object class (type of object). The available classes are as follows:
  Capability
Device
File
Group_global_section
Logical_name_table
Queue
System_global_section
  The CLASS keyword supersedes the TYPE keyword. However, TYPE is required to select audit records in files created prior to OpenVMS Alpha Version 6.1.

PARENT=keyword(,...)

Specifies which characteristics of the parent process are used when selecting event records generated by a subprocess. Choose from the following keywords:
IDENTIFICATION=value Specifies the process identifier (PID) of the parent process.
   
NAME=process-name Specifies the name of the parent process. You can represent all or part of the name with a wildcard.
   
OWNER=value Specifies the owner (identifier value) of the parent process.
   
USERNAME=username Specifies the user name of the parent process. You can represent all or part of the name with a wildcard.

PASSWORD=(password,...)

Specifies the password used when the system detected a break-in attempt.

PRIVILEGES_MISSING=(privilege-name,...)

Specifies privileges the caller needed to perform the operation successfully. Specify any of the system privileges, as described in the HP OpenVMS Guide to System Security.

PRIVILEGES_USED=(privilege-name,...)

Specifies the privileges of the process to be used when selecting event records. Specify any of the system privileges, as described in the HP OpenVMS Guide to System Security. Also include the STATUS keyword in the selection criteria so the report can demonstrate whether the privilege was involved in a successful or an unsuccessful operation.

PROCESS=(characteristic,...)

Specifies the characteristics of the process to be used when selecting event records. Choose from the following characteristics:
IDENTIFICATION=value Specifies the PID of the process.
   
NAME=process-name Specifies the name of the process. You can represent all or part of the name with a wildcard.

REMOTE=keyword(,...)

Specifies that some characteristic of the network request is to be used when selecting event records. Choose from the following keywords:
ASSOCIATION_NAME=IPC-name Specifies the interprocess communication (IPC) association name.
   
LINK_IDENTIFICATION=value Specifies the number of the DECnet logical link.
   
IDENTIFICATION=value Specifies the DECnet node address.
   
NODENAME=node-name Specifies the DECnet node name. You can represent all or part of the name with a wildcard.
   
USERNAME=username Specifies the remote user name. You can represent all or part of the remote user name with a wildcard.

REQUEST_NUMBER=(value,...)

Specifies the request number associated with the DCL command REQUEST/REPLY.

SECTION_NAME=(global-section-name,...)

Specifies the name of the global section.

SENSITIVE_FIELD_NAME=(field-name,...)

Specifies the name of the field that was modified. ANALYZE/AUDIT uses the SENSITIVE_FIELD_NAME criterion, such as PASSWORD, with packets containing the original data and the new data (specified by the SENSITIVE_NEW_DATA criterion).

SENSITIVE_NEW_DATA=(value,...)

Specifies the value to use after the event occurs. Use this criterion with the SENSITIVE_FIELD_NAME criterion.

SNAPSHOT_BOOTFILE=(filename,...)

Specifies the name of the file containing a snapshot of the system.

SNAPSHOT_SAVE_FILENAME=(filename,...)

Specifies the name of the system snapshot file for a save operation that is in progress.

STATUS=(type,...)

Specifies the type of success status to be used when selecting event records. Choose from the following status types:
SUCCESSFUL Specifies any success status.
FAILURE Specifies any failure status.
CODE=(value) Specifies a specific completion status.

Note that if you specify CODE more than once, only the last value is matched.

SUBJECT_OWNER=(uic,...)

Specifies the owner (UIC) of the process causing the event.

SUBTYPE=(subtype,...)

Specifies that the criteria be limited to the value or values specified as a subtype.

For valid subtype values, see Table F-2.

SYSTEM=keyword(,...)

Specifies the characteristics of the system to be used when selecting event records. Choose from the following keywords:
IDENTIFICATION=value Specifies the numeric identification of the system.
NAME=nodename Specifies the node name of the system.

SYSTEM_SERVICE_NAME=(service-name,...)

Specifies the name of the system service associated with the event.

TARGET_DEVICE_NAME=(device-name,...)

Specifies the target device name used by a process control system service.

TARGET_PROCESS_IDENTIFICATION=(value,...)

Specifies the target process identifier (PID) used by a process control system service.

TARGET_PROCESS_NAME=(process-name,...)

Specifies the target process name used by a process control system service.

TARGET_PROCESS_OWNER=(uic,...)

Specifies the target process owner (UIC) used by a process control system service.

TARGET_USERNAME=(username,...)

Specifies the target user name used by a process control system service.

TERMINAL=(device-name,...)

Specifies the name of the terminal to be used when selecting event records. You can represent all or part of the terminal name with a wildcard.

TRANSPORT_NAME=(transport-name,...)

Specifies the name of the transport: interprocess communication (IPC) or System Management Integrator (SMI), which handles requests from the System Management utility.

On VAX systems, it also can specify the DECnet transport name (NSP).

UAF_SOURCE=(record-name,...)

Specifies the user name of the source record for an Authorize utility (AUTHORIZE) add, modify, or delete operation.

USERNAME=(username,...)

Specifies the user name to be used when selecting event records. You can represent all or part of the user name with a wildcard.

VOLUME_NAME=(volume-name,...)

Specifies the name of the mounted (or dismounted) volume to be used when selecting event records. You can represent all or part of the volume name with a wildcard.

VOLUME_SET_NAME=(volume-set-name,...)

Specifies the name of the mounted (or dismounted) volume set to be used when selecting event records. You can represent all or part of the volume set name with a wildcard.

Examples

#1

$ ANALYZE/AUDIT /FULL/SELECT=USERNAME=JOHNSON -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
      

The command in this example selects all records written to the security audit log file that were generated by user JOHNSON.

#2

$ ANALYZE/AUDIT/FULL/SELECT=PRIVILEGES_USED=(SYSPRV,-
_$ BYPASS)  SYS$MANAGER:SECURITY.AUDIT$JOURNAL
      

The command in this example selects all records written to the security audit log file that were generated by events through the use of either SYSPRV or BYPASS privilege.

#3

$ ANALYZE/AUDIT/FULL/EVENT=SYSUAF/SELECT= -
_$ IMAGE=("*:[SYS*SYSEXE]SETP0.EXE","*:[SYS*SYSEXE]LOGINOUT.EXE") -
_$ SYS$MANAGER:SECURITY
      

The command in this example selects all records that involve password changes written to the security audit log file.

The following example is a command procedure that you could run at midnight to select all SYSUAF, AUDIT, and BREAKIN events (excluding password changes) and mail the result to the system manager:


 
$! DAILY_AUDIT.COM 
$ 
$   mail_list = "SYSTEM" 
$   audsrv$_noselect = %X003080A0 
$   audit_events = "SYSUAF,BREAKIN,AUDIT" 
$ 
$   analyze /audit /full - 
 /event=('audit_events') - 
 /output=audit.tmp - 
 /ignore=image=("*:[SYS*SYSEXE]SETP0.EXE","*:[SYS*SYSEXE]LOGINOUT.EXE") - 
 sys$manager:SECURITY.AUDIT$JOURNAL 
$ 
$   status = $status 
$   if (status.and.%XFFFFFFF) .eq. audsrv$_noselect then goto no_records 
$   if .not. status then goto error_analyze 
$   if f$file("audit.tmp","eof") .eq. 0 then goto no_records 
$   mail /subject="''audit_events' listing from ''f$time()'" - 
 audit.tmp 'mail_list' 
$   goto new_log 
$ 
$ no_records: 
$   mail /subject="No interesting security events" nl: 'mail_list' 
$ 
$ new_log: 
$   if f$search("audit.tmp") .nes. "" then delete audit.tmp;* 
$   set audit /server=new_log 
$   rename sys$manager:SECURITY.AUDIT$JOURNAL;-1 - 
 sys$common:[sysmgr]'f$element(0," ",f$edit(f$time(),"TRIM"))' 
$   exit 
$ 
$ error_analyze: 
$   mail/subj="Error analyzing auditing information" nl: 'mail_list' 
$   exit 

/SINCE

Indicates the utility must operate on records dated with the specified time or after the specified time.

Format

/SINCE [=time]

/NOSINCE


Keyword

time

Specifies the time used to select records. Records dated the same or later than the specified time are selected. You can specify an absolute time, a delta time, or a combination of the two. Observe the syntax rules for date and time described in the OpenVMS User's Manual.

If you specify /SINCE without the time, the utility uses the beginning of the current day.


Examples

#1

$ ANALYZE/AUDIT /SINCE=25-NOV-2005 -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
      

The command in this example selects records dated later than November 25, 2005.

#2

$ ANALYZE/AUDIT /SINCE=25-NOV-2005:15:00 -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
      

The command in this example selects records written after 3 P.M. on November 25, 2005.

/SUMMARY

Specifies that a summary of the selected records be produced after all records are processed.

Note that the /SUMMARY qualifier code is executed after the Audit Analyzer is finished, that is, after all the records to be analyzed have been collected and processed. When you specify the /INTERACTIVE qualifier (which is the default), the Audit Analyzer never reaches the finished state because /INTERACTIVE prompts you repeatedly to enter another command (which might result in a new set of records to be analyzed).

To use the /SUMMARY qualifier, you must also specify /NOINTERACTIVE, which ensures that the Audit Analyzer reaches the finished state that allows the SUMMARY code to be executed and to display the proper information. In a future version of OpenVMS, the Audit Analyzer will return an error when /SUMMARY and /INTERACTIVE are specified together.

You can use the /SUMMARY qualifier alone or in combination with the /BRIEF, the /BINARY, or the /FULL qualifier.


Format

/SUMMARY =presentation

/NOSUMMARY


Keyword

presentation

Specifies the presentation of the summary. If you do not specify a presentation criterion, ANALYZE/AUDIT summarizes the number of audits.

You can specify either of the following presentations:

COUNT

Lists the total number of audit messages for each class of security event that have been extracted from the security audit log file. This is the default.

PLOT

Displays a plot showing the class of the audit event, the time of day when the audit was generated, and the name of the system where the audit was generated.

Examples

#1

$ ANALYZE/AUDIT/SUMMARY SYS$MANAGER:SECURITY.AUDIT$JOURNAL
      

The command in this example generates a summary report of all records processed.


Total records read:        9701          Records selected:          9701 
Record buffer size:        1031 
Successful logins:          542          Object creates:            1278 
Successful logouts:         531          Object accesses:           3761 
Login failures:              35          Object deaccesses:         2901 
Breakin attempts:             2          Object deletes:             301 
System UAF changes:          10          Volume (dis)mounts:          50 
Rights db changes:            8          System time changes:          0 
Netproxy changes:             5          Server messages:              0 
Audit changes:                7          Connections:                  0 
Installed db changes:        50          Process control audits:       0 
Sysgen changes:               9          Privilege audits:            91 
NCP command lines:          120 

#2

$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
      

The command in this example generates a full format listing of all logged audit messages that match the break-in or log failure event classes. A summary report is included at the end of the listing.

#3

$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY=PLOT -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
      

This command generates a histogram that you can display on a character-cell terminal.


4.4 ANALYZE/AUDIT Commands

This section describes the interactive commands available with the Audit Analysis utility (ANALYZE/AUDIT). The qualifiers for this section follow the standard rules of DCL grammar.

The utility runs interactively by default; you disable the feature with the /NOINTERACTIVE qualifier to the ANALYZE/AUDIT command. To enter interactive commands, press Ctrl/C at any time during the processing of a full or brief interactive display. At the COMMAND> prompt, you can enter any command listed in this section. Use the CONTINUE command to resume processing of the event records, or use the EXIT command to terminate the session.

CONTINUE

Resumes processing of event records.

Format

CONTINUE


Parameters

None.

Qualifiers

None.

Example


COMMAND> DISPLAY/SINCE=25-JAN-2005/SELECT=USERNAME=JOHNSON 
COMMAND> CONTINUE
      

The first command in this example selects only event records generated by user JOHNSON after January 25, 2005. The second command in the example displays a report based on the new selection criteria.

DISPLAY

Changes the criteria used to select event records.

Format

DISPLAY


Parameters

None.

For a more complete description of any of the following qualifiers, see the description of the qualifier in the preceding ANALYZE/AUDIT Qualifiers section.


Qualifiers

/BEFORE=time

Controls whether only those records dated earlier than the specified time are selected.

/BRIEF

Controls whether a brief (one-line-per-record) format is used in ASCII displays.

/EVENT_TYPE=event-type[,...]

Controls whether only those records matching the specified event type are selected.

/FULL

Controls whether a full format for each record is used in ASCII displays.

/IGNORE=criteria[,...]

Controls whether records matching the specified criteria are excluded. If you specify /IGNORE two or more times, the criteria are combined. To specify a new set of exclusion criteria, include the /REMOVE qualifier with the /IGNORE qualifier.

/PAUSE=seconds

For full-format displays (/FULL), specifies the length of time each record is displayed.

/REMOVE

Controls whether the criteria specified by the /IGNORE and the /SELECT qualifiers are no longer to be used to select event records to be displayed.

/SELECT=criteria[,...]

Controls whether only those records matching the specified criteria are selected. If you specify /SELECT two or more times, the criteria are combined. To specify a new set of selection criteria, include the /REMOVE qualifier with the /SELECT qualifier.

/SINCE[=time]

Controls whether only those records dated the same or later than the specified time are selected.

Examples

#1

COMMAND> DISPLAY/EVENT_TYPE=SYSUAF
COMMAND> CONTINUE
      

The first command in this example selects records that were generated as a result of a modification to the system user authorization file (SYSUAF). The second command displays the selected records.

#2

COMMAND> DISPLAY/SELECT=USERNAME=CRICK
COMMAND> CONTINUE
   .
   .
   .
 [Ctrl/C]
 
COMMAND> DISPLAY/SELECT=USERNAME=WATSON
COMMAND> CONTINUE
      

The first DISPLAY command in this example selects records that were generated by user CRICK. The second command displays the selected records. The next DISPLAY command selects records that were generated by user WATSON. The last command in the example displays all records generated by users CRICK and WATSON.


Previous Next Contents Index