HP OpenVMS DCL Dictionary
 
 
 
SET AUDIT
 
Provides the management interface to the security auditing system.
Requires the SECURITY privilege.
  
 
Format
SET AUDIT/qualifier
  
 
Parameters
None.
 
 
Description
The SET AUDIT command and the SHOW AUDIT command provide the management 
interface to the security auditing system.
The SET AUDIT command enables or disables security auditing. In 
addition, you use the command to do the following:
 
  - Select categories of events to audit
  - Change the operational characteristics of the audit server
  - Establish the location of the audit journal and the security archive file
  - Control the monitoring of disk resources
  
Values set by the command are saved so it is unnecessary to set them 
each time the system starts up. Commands for event definition, resource 
monitoring, and starting a new log apply clusterwide, while other 
commands apply only to the local node.
 
Security auditing features require a certain amount of system overhead; 
therefore, you should be careful to select the features that will 
provide the most benefit in your work environment. Enable only the 
auditing of information that you know you will examine and analyze 
regularly. Any other collection of data is likely to be wasteful. For 
further information about auditing, see the HP OpenVMS Guide to System Security.
 
There are five categories of qualifiers, grouped by task, for the SET 
AUDIT command:
 
  
| Task | Qualifiers | Requirements |
| Define auditing events | /AUDIT, /ALARM, /CLASS, /ENABLE, /DISABLE | Specify whether you are defining alarms (/ALARM), audits (/AUDIT), or both. Also specify whether you are enabling (/ENABLE) or disabling (/DISABLE) the reporting of the event. |
| Define auditing log file | /DESTINATION, /JOURNAL, /VERIFY | Requires both the /DESTINATION and /JOURNAL qualifiers. |
| Define operational characteristics of the audit server and a listener mailbox (if any) | /INTERVAL, /LISTENER, /SERVER, /VERIFY | None. |
| Define secondary log file | /ARCHIVE, /DESTINATION, /VERIFY | None. |
| Define resource monitoring defaults | /BACKLOG, /EXCLUDE, /JOURNAL, /RESOURCE, /THRESHOLD, /VERIFY | With the /RESOURCE or /THRESHOLD qualifier, include the /JOURNAL qualifier. |
   
 
 
 
Qualifiers
/ALARM
Makes the command apply to alarms, which are messages displayed on an 
operator terminal. See the description of the DCL command REPLY/ENABLE 
for details on how to enable terminals to display security messages.
/ARCHIVE=[keyword,...]
Specifies which classes of audit event messages are written to the 
security archive file. Specify one or more of the following keywords:
  
| Keyword | Description |
| NONE | Disables archiving on the system. |
| [NO]ALL (default) | Enables or disables archiving of all system security events. By default, no events are archived. |
| SYSTEM_ALARM | Enables archiving of all security alarm events. |
| SYSTEM_AUDIT | Enables archiving of all security audit events. |
   
 
Archiving should be run on only one node in an OpenVMS Cluster with its 
own audit server database because multiple nodes will try to open the 
audit file exclusively.
 /AUDIT
Makes the command apply to audits, which are messages recorded in the 
system security audit log file.
/BACKLOG=[keyword[,...]]
Specifies the thresholds for suspending a process that has exceeded the 
process message limit. The thresholds include the total number of 
messages in memory and the number belonging to the particular process. 
To prevent a process from being suspended, use the /EXCLUDE qualifier. 
Specify the following keywords:
  
| Keyword | Description |
| TOTAL=(n1,n2,n3) | Thresholds at which flow control is initiated and accelerated; see description below. |
| PROCESS=(p1,p2) | Thresholds at which process submissions are controlled. |

| Total Messages | Default | Process Messages | Default | Action Taken |
| N1 | 100 | P1 | 5 | When there are 100 messages in memory, the audit server suspends any process that has submitted 5 or more messages until all messages are written to disk. |
| N2 | 200 | P2 | 2 | When there are 200 messages in memory, the audit server suspends any process that has submitted 2 or more messages until all messages are written to disk. |
| N3 | 300 | | | Any process with messages in memory is suspended until all messages are written to disk. |
   
 
/CLASS=class
Specifies the class of the object whose auditing attributes are to be 
modified. If /CLASS is not specified, the command assumes the class is 
FILE. Specify one of the following keywords with the /CLASS qualifier:
   CAPABILITY
   COMMON_EVENT_CLUSTER
   DEVICE
   FILE
   GROUP_GLOBAL_SECTION
   LOGICAL_NAME_TABLE
   QUEUE
   RESOURCE_DOMAIN
   SECURITY_CLASS
   SYSTEM_GLOBAL_SECTION
   VOLUME
 
/DESTINATION=filespec
When changing the destination of event messages, specifies the new 
location of the system security audit log file. The device, if part of 
the file specification, must be a disk. The /DESTINATION qualifier 
requires the /JOURNAL qualifier in this case.
Once you have relocated the log file, execute the command SET 
AUDIT/SERVER=NEW_LOG to let all the nodes in the cluster know of the 
new location. The previous audit log file is closed and all subsequent 
audit event messages generated throughout the cluster are sent to the 
new audit log file.
 
When used with /ARCHIVE, specifies the name of the archive log file. 
Events can be archived to a local or remote file on any file-structured 
disk device. For example, you can use an archive file to redirect event 
messages from a satellite to a larger node in the cluster.
 /DISABLE=(keyword[,...])
Disables alarms or audits for the specified events. To disable all 
system events and file access events, specify the keyword ALL. You must 
specify at least one of the keywords. For a list of the keywords to use 
with the /DISABLE qualifier, see the /ENABLE qualifier description. You 
must also specify either the /ALARM or /AUDIT qualifier, or both, when 
you use the /DISABLE qualifier.
 
  Note 
In processing the SET AUDIT command, the system processes the /DISABLE 
qualifier last. If you specify both the /ENABLE and /DISABLE qualifiers 
for items in the same class on the same command line, the /DISABLE 
qualifier disables any enabled items. HP recommends that you use 
separate lines for commands containing the /ENABLE and /DISABLE 
qualifiers. 
   
 
/ENABLE=(keyword[,...])
Enables alarms or audits for the specified events. To enable all system 
events and file access events, specify the keyword ALL. You must 
specify at least one keyword. You must also specify either the /ALARM 
or /AUDIT qualifier, or both, when you use the /ENABLE qualifier.
The keywords that you can specify with either the /ENABLE or the 
/DISABLE qualifier are as follows:
 
  
| Keyword | Description |
| ACCESS=(condition[:access[,...]][,...]) | Specifies access events for all objects in a class. (To audit a single object, use an auditing ACE and enable the access control list (ACL) category.) HP recommends that when you enable auditing conditionally, you enable it for all possible forms of access because the system can check access rights at several points during an operation. (For example, a FAILURE might occur on a read or write access check.) See the HP OpenVMS Guide to System Security for information about the various types of access permitted on each class. (For example, the Access keyword, CREATE, is not defined for FILE objects.) |

    | Condition Keyword | Description |
    | ALL | All object access |
    | BYPASS | Successful object access due to the use of the BYPASS privilege |
    | FAILURE | Unsuccessful object access |
    | GRPPRV | Successful object access due to the use of the group privilege (GRPPRV) |
    | READALL | Successful object access due to the use of the READALL privilege |
    | SUCCESS | Successful object access |
    | SYSPRV | Successful object access due to the use of the system privilege (SYSPRV) |

    | Access Keyword | Description |
    | ALL | All types of access |
    | ASSOCIATE | Associate access |
    | CONTROL | Control access to examine or change security characteristics |
    | CREATE | Create access. To audit create events for files, use the CREATE keyword. |
    | DELETE | Delete access |
    | EXECUTE | Execute access |
    | LOCK | Lock access |
    | LOGICAL | Logical I/O access |
    | MANAGE | Manage access |
    | PHYSICAL | Physical I/O access |
    | READ | Read access |
    | SUBMIT | Submit access |
    | WRITE | Write access |
   
  
| ACL | Specifies an event requested by an audit or alarm ACE in the access control list (ACL) of an object. To audit all objects of a class, use the ACCESS keyword. |
| ALL | Specifies all system events and file access events. It does not enable access events for object classes other than FILE. |
| AUDIT=keyword | Specifies events within the auditing subsystem. Only one keyword is currently defined. |

    | Keyword | Description |
    | ILLFORMED | Specifies illformed events from internal calls (identified by NSA$M_INTERNAL) to $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS system services. An illformed event is caused by an incomplete or syntactically incorrect argument being supplied to one of these system services by a piece of privileged code. |

| AUTHORIZATION | Specifies the modification of any portion of the system user authorization file (SYSUAF), network proxy authorization file (NETPROXY), or the rights list (RIGHTLIST) (including password changes made through the AUTHORIZE, SET PASSWORD, or LOGINOUT commands or the $SETUAI system service). |
| BREAKIN=(keyword[,...]) | Specifies the occurrence of one or more classes of break-in attempts, as specified by one or more of the following keywords: ALL, DETACHED, DIALUP, LOCAL, NETWORK, REMOTE. |
| CONNECTION | Specifies a logical link connection or termination through DECnet-Plus, DECnet Phase IV, DECwindows, $IPC, or SYSMAN. |
| CREATE | Specifies the creation of an object. Requires the /CLASS qualifier if it is not a file. |
| DEACCESS | Specifies deaccess from an object. Requires the /CLASS qualifier if it is not a file. |
| DELETE | Specifies the deletion of an object. Requires the /CLASS=DEVICE qualifier. |
| IDENTIFIER | Specifies that the use of identifiers as privileges should be audited. For further information, see the HP OpenVMS Guide to System Security. |
| INSTALL | Specifies modifications made to the known file list through the INSTALL utility. |
   
  
| LOGFAILURE=(keyword[,...]) | Specifies the occurrence of one or more classes of login failures, as specified by the following keywords: |

    | ALL | All possible types of login failures |
    | BATCH | Batch process login failure |
    | DETACHED | Detached process login failure |
    | DIALUP | Dialup interactive login failure |
    | LOCAL | Local interactive login failure |
    | NETWORK | Network server task login failure |
    | REMOTE | Interactive login failure from another network node, for example, with a SET HOST command |
    | SERVER | Server or TCB-based login failure. |
    | SUBPROCESS | Subprocess login failure |

| LOGIN=(keyword[,...]) | Specifies the occurrence of one or more classes of login attempts, as specified by the following keywords. See the LOGFAILURE keyword for further description. Keywords: ALL, BATCH, DETACHED, DIALUP, LOCAL, NETWORK, REMOTE, SERVER, SUBPROCESS. |
| LOGOUT=(keyword[,...]) | Specifies the occurrence of one or more classes of logouts, as specified by the following keywords. See the LOGFAILURE keyword for further description. Keywords: ALL, BATCH, DETACHED, DIALUP, LOCAL, NETWORK, REMOTE, SERVER, SUBPROCESS. |
   
  
| MOUNT | Specifies a mount or dismount operation. |
| NCP | Specifies access to the network configuration database, using the network control program (NCP). |
| PRIVILEGE=(keyword[,...]) | Specifies successful or unsuccessful use of privilege, as specified by the following keywords: FAILURE [:privilege(,...)] --- Unsuccessful use of privilege; SUCCESS [:privilege(,...)] --- Successful use of privilege. For a listing of privileges, see the online help for the DCL command SET PROCESS/PRIVILEGES. |
| PROCESS=(keyword[,...]) | Specifies the use of one or more of the process control system services, as specified by the following keywords: |

    | ALL | Use of any of the process control system services |
    | CREPRC | All use of $CREPRC |
    | DELPRC | All use of $DELPRC |
    | SCHDWK | Privileged use of $SCHDWK |
    | CANWAK | Privileged use of $CANWAK |
    | WAKE | Privileged use of $WAKE |
    | SUSPND | Privileged use of $SUSPND |
    | RESUME | Privileged use of $RESUME |
    | GRANTID | Privileged use of $GRANTID |
    | REVOKID | Privileged use of $REVOKID |
    | GETJPI | Privileged use of $GETJPI |
    | FORCEX | Privileged use of $FORCEX |
    | SETPRI | Privileged use of $SETPRI |

    Privileged use of a process control system service means the caller used GROUP or WORLD privilege to affect the target process.

| SYSGEN | Specifies the modification of a system parameter with the OpenVMS System Generation utility. |
| TIME | Specifies the modification of system time. |
   
 
/EXCLUDE=process-id
/NOEXCLUDE=process-id
Adds a process identification (PID) to the audit server's process 
exclusion list. The process exclusion list contains those processes 
that will not be suspended by the audit server if a resource exhaustion 
reaches the action threshold. By default, realtime processes and all of 
the following processes are included in the process exclusion list and 
are never suspended:
   CACHE_SERVER
   CLUSTER_SERVER
   CONFIGURE
   DFS$COM_ACP
   DNS$ADVER
   IPCACP
   JOB_CONTROL
   NETACP
   NET$ACP
   OPCOM
   REMACP
   SHADOW_SERVER
   SMISERVER
   SWAPPER
   TP_SERVER
   VWS$DISPLAYMGR
   VWS$EMULATORS
 
Use the SET AUDIT/NOEXCLUDE command to remove a process from the 
process exclusion list; however, processes listed above cannot be 
removed from the exclusion list. Also note that PIDs are not 
automatically removed from the process exclusion list when processes 
log out of the system.
 /INTERVAL=(keyword[,...])
Specifies the delta times to be used for regular audit server 
operations. For information about specifying delta times, see the 
OpenVMS User's Manual.
The following table describes keywords for the /INTERVAL qualifier:
 
  
| Keyword | Description |
| ARCHIVE_FLUSH=time | Specifies the interval at which data collected by the audit server is written to the archive file. The default is 1 minute. |
| JOURNAL_FLUSH=time | Specifies the interval at which data collected by the audit server is written to the audit log file. The default is 5 minutes. |
| RESOURCE_MONITOR=time | Specifies the interval at which the audit server retries log file allocation or access. This interval applies whenever free space in the log file is below either the warning or action thresholds, or when the volume holding the log file is inaccessible. The default interval is 5 minutes. |
| RESUME_SCAN=time | Specifies the interval at which the audit server reviews an existing resource exhaustion condition. The default is 15 minutes. |
   
 
/JOURNAL[=journal-name]
Specifies the name of the audit journal; the name defaults to SECURITY. 
(Currently, there is only one journal.)
The /JOURNAL qualifier is required when redefining the audit log file 
or when specifying resource monitoring characteristics with the 
/RESOURCE or the /THRESHOLD qualifier.
 /LISTENER=device
/NOLISTENER
Specifies the name of a mailbox device to which the audit server sends 
a binary copy of all security audit event messages. Users can create 
such a mailbox to process system security events as they occur. For a 
description of the message formats written to the listener mailbox, see 
the Audit Analysis Utility documentation in the HP OpenVMS System Management Utilities Reference Manual.
Use the SET AUDIT/NOLISTENER command to disable a listener device.
 /RESOURCE=keyword[,...]
Enables or disables the monitoring of disk volumes to ensure adequate 
space for audit journal entries; it also specifies the monitoring 
method to use. The /JOURNAL qualifier is required. For more information 
about resource monitoring, see the HP OpenVMS Guide to System Security.
  
| Keyword | Description |
| DISABLE | Disables monitoring on the disk volume containing the audit journal. |
| ENABLE | Enables resource monitoring on the disk volume containing the audit journal. |
   
 
/SERVER=keyword[,...]
Modifies audit server characteristics. The following table describes 
keywords for the /SERVER qualifier:
  
| Keyword | Description |
| EXIT | Initiates an audit server shutdown. This is the only method for removing the audit server process from the system; the audit server cannot be deleted or suspended. |
| FINAL_ACTION=action | Specifies the action the audit server should take when it runs out of memory and cannot buffer messages. (For more information, see the discussion of message flow control in the HP OpenVMS Guide to System Security.) Specify one of the following actions: CRASH --- Crash the system if the audit server runs out of memory; IGNORE_NEW --- Ignore new event messages until memory is available. New event messages are lost but event messages in memory are saved; PURGE_OLD (default) --- Remove old event messages until memory is available for the most current messages. |
| FLUSH | Copies all buffered audit and archive records to the security audit log file and security archive file, respectively. |
| INITIATE | Enables auditing during system startup. Ordinarily, auditing is started from VMS$LPBEGIN in STARTUP.COM but, if a site redefines the logical name SYS$AUDIT_SERVER_INHIBIT, the OpenVMS system waits for a SET AUDIT/SERVER=INITIATE command before enabling auditing. |
| NEW_LOG | Creates a new clusterwide audit log file. Typically, this is used daily to generate a new version of the audit log file. The following sequence of commands can be used to reset the space monitoring thresholds and then to recreate the auditing log, thereby creating a smaller log file: |

    $ SET AUDIT /JOURNAL=SECURITY /THRESHOLD=WARN=200
    $ SET AUDIT /SERVER=NEW_LOG

    By default, the size of the new auditing log file is based on the size of the previous auditing logs.

| RESUME | Requests the audit server process to resume normal activity on the system, if adequate disk space is available. Normally, once the resource monitoring action threshold has been reached, the audit server process suspends most system activity and waits 15 minutes before attempting to resume normal system activity. |
| START | Starts the audit server process on the system. In order to fully enable the auditing subsystem, the SET AUDIT/SERVER=INITIATE command must be used after the SET AUDIT/SERVER=START command has completed. HP recommends using the following command procedure to start the audit server: |

    SYS$SYSTEM:STARTUP AUDIT_SERVER
   
 
 /THRESHOLD=type=value
Specifies threshold values used in monitoring available space in the 
audit log file. The auditing system issues advisory messages to central 
and security operators whenever free space in the audit log file falls 
below the WARNING threshold. The auditing system suspends processes 
that generate audit events when free disk space is below the action 
threshold. (See /RESOURCE=[enable|disable]). The /JOURNAL qualifier is 
required.
The following table lists the types of thresholds:
 
  
| Keyword | Description |
| WARNING=value | Specifies the threshold at which the audit server notifies all security operator terminals that resources are getting low. |
| ACTION=value | Specifies the threshold at which the audit server starts suspending processes that are generating audit records. (Certain processes are immune to this: see the HP OpenVMS Guide to System Security). |
   
 
The following table lists the default warning and action values for 
each monitoring mode:
 
  
| Mode | Warning | Action |
| Blocks | 100 | 25 |
| Delta time | 2 0:00:00 | 0 0:30:00 |
   
 
/VERIFY
Do not return the dollar sign ($) prompt until the audit server 
completes the command. Associated qualifiers determine which of the 
following actions occur:
  - Redefinition of auditing events
  - Redefinition of the audit log file or the archive file
  - Modification of the audit server's operational characteristics
  - Modification of resource monitoring attributes
  
If you do not want to wait for the command to complete, specify 
/NOVERIFY.
  
 
Examples
 
  
#1

$ SET AUDIT/AUDIT/ENABLE= -
_$ (CREATE,ACCESS=(SYSPRV,BYPASS),DEACCESS)/CLASS=FILE
$ SHOW AUDIT/AUDIT
System security audits currently enabled for:

   .
   .
   .
  FILE access:
    Failure:     read,write,execute,delete,control
    SYSPRV:      read,write,execute,delete,control
    BYPASS:      read,write,execute,delete,control
    Other:       create,deaccess
   
 
The SET AUDIT command in this example enables auditing of file creation 
and file deaccess; it also enables auditing for any file access done by 
using either SYSPRV or BYPASS privilege.
  
  
#2

$ SET AUDIT/JOURNAL=SECURITY/DESTINATION=AUDIT$:[AUDIT]TURIN
$ SET AUDIT/SERVER=NEW
$ SHOW AUDIT/JOURNAL
List of audit journals:
  Journal name:           SECURITY
  Journal owner:          (system audit journal)
  Destination:            AUDIT$:[AUDIT]TURIN.AUDIT$JOURNAL
   
 
The SET AUDIT command in this example demonstrates how to switch to a 
new journal.
  
  
#3

$ SET AUDIT/SERVER=FINAL=CRASH
$ SHOW AUDIT/SERVER
Security auditing server characteristics:
  Database version:       4.4
  Backlog (total):        100, 200, 300
  Backlog (process):      5, 2
  Server processing intervals:
    Archive flush:        0 00:01:00.00
    Journal flush:        0 00:05:00.00
    Resource scan:        0 00:05:00.00
  Final resource action:  crash system
   
 
The SET AUDIT command in this example changes the audit server's final 
action setting so the system crashes when the audit server runs out of 
memory.
  
  
#4

$ SET AUDIT/ARCHIVE/DESTINATION=SYS$SPECIFIC:[SYSMGR]TURIN-ARCHIVE
$ SHOW AUDIT/ARCHIVE
Security archiving information:
 Archiving events:    system audits
 Archive destination: SYS$SPECIFIC:[SYSMGR]TURIN-ARCHIVE.AUDIT$JOURNAL
   
 
The SET AUDIT command in this example enables a node-specific archive 
file.
  
  
#5

$ SET AUDIT/JOURNAL/RESOURCE=ENABLE
$ SHOW AUDIT/JOURNAL
List of audit journals:
  Journal name:          SECURITY
  Journal owner:         (system audit journal)
  Destination:           SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL
  Monitoring:            enabled
    Warning thresholds,  Block count:   100   Duration:  2 00:00:00.0
    Action thresholds,   Block count:    25   Duration:  0 00:30:00.0
   
 
The SET AUDIT command in this example enables disk monitoring and 
switches the mode so the disk space is monitored in terms of time 
rather than free blocks.
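
The qualifiers described on this page combined into one command procedure that applies an audit baseline, as an added example that is not part of the HP manual. The procedure name, the choice of events, the ACTION threshold value and the FINAL_ACTION setting are assumptions made for illustration; every SET AUDIT qualifier and keyword used is one documented above.

```dcl
$! AUDIT_BASELINE.COM  (hypothetical name; added example, not HP's code)
$! Applies an audit baseline with the SET AUDIT qualifiers documented above.
$!
$ ON ERROR THEN GOTO FAILED
$ IF .NOT. F$PRIVILEGE("SECURITY")
$ THEN
$     WRITE SYS$OUTPUT "SET AUDIT requires the SECURITY privilege"
$     EXIT %X24          ! SS$_NOPRIV
$ ENDIF
$!
$! 1. System events reported both as alarms and as audits.
$!    /VERIFY holds the prompt until the audit server completes each change.
$ SET AUDIT/AUDIT/ALARM/VERIFY -
      /ENABLE=(AUTHORIZATION,BREAKIN=ALL,AUDIT=ILLFORMED,INSTALL,SYSGEN,TIME)
$!
$! 2. Login activity, audit log only. /ENABLE and /DISABLE are kept on
$!    separate command lines: within one command /DISABLE is processed
$!    last and would switch off items enabled for the same class.
$ SET AUDIT/AUDIT/VERIFY/ENABLE=(ACL,LOGFAILURE=ALL,LOGIN=ALL,LOGOUT=ALL)
$ SET AUDIT/AUDIT/VERIFY/DISABLE=(LOGIN=SUBPROCESS,LOGOUT=SUBPROCESS)
$!
$! 3. Failed and privilege-assisted file access. No access list follows the
$!    condition keywords, so (as in example #1) each condition applies to
$!    all access types, which is what HP recommends for conditional auditing.
$ SET AUDIT/AUDIT/VERIFY/CLASS=FILE -
      /ENABLE=ACCESS=(FAILURE,SYSPRV,BYPASS,READALL)
$!
$! 4. Disk-space monitoring for the journal. /JOURNAL is required with
$!    /RESOURCE and /THRESHOLD. WARNING=200 is the value used in the
$!    NEW_LOG description; ACTION=50 is an assumed value.
$ SET AUDIT/JOURNAL=SECURITY/RESOURCE=ENABLE/VERIFY
$ SET AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=200/VERIFY
$ SET AUDIT/JOURNAL=SECURITY/THRESHOLD=ACTION=50/VERIFY
$!
$! 5. Behaviour when the audit server runs out of memory. IGNORE_NEW keeps
$!    the messages already buffered; the default PURGE_OLD discards them.
$!    Sites that cannot accept any loss would choose CRASH instead.
$ SET AUDIT/SERVER=FINAL_ACTION=IGNORE_NEW/VERIFY
$!
$! 6. Display the resulting settings for review.
$ SHOW AUDIT/AUDIT
$ SHOW AUDIT/JOURNAL
$ SHOW AUDIT/SERVER
$ EXIT
$!
$FAILED:
$ status = $STATUS
$ WRITE SYS$OUTPUT "Audit baseline not fully applied: ", F$MESSAGE(status)
$ EXIT 'status'
```

Because the values set by SET AUDIT are saved, the procedure needs to be run once per change of policy rather than at every startup; event definitions and resource monitoring apply clusterwide, while the /SERVER setting applies to the local node.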
  
  