HP OpenVMS Systems Documentation
Content starts here

HP OpenVMS System Management Utilities Reference Manual
Previous Contents Index
  1. ANALYZE/DISK_STRUCTURE has completed the first two stages, and is beginning Stage 3. Stage 1 involves collection and verification of various volume information. ANALYZE/DISK_STRUCTURE found no problems with volume information. In Stage 2, ANALYZE/DISK_STRUCTURE copies the current version of QUOTA.SYS to working memory, and builds the structure on which a new copy is built during subsequent stages. The first error message is produced by Stage 3. Stage 3 uses the reserved file INDEXF.SYS to locate a variety of file problems. Here, Stage 3 detects a number of invalid file headers. Note that the error message includes the FID and the file name.
  2. This error message is produced during Stage 4, during which ANALYZE/DISK_STRUCTURE builds a current version of BITMAP.SYS, resolves multiple references to extension headers, and corrects discrepancies in the map sections of headers. Here, ANALYZE/DISK_STRUCTURE has found that the specified logical blocks on the specified relative volume were marked allocated in the storage bit map, but were not allocated to a file.
  3. This message marks the beginning of Stage 5. Here, messages stating "lost extension file header" and "invalid file header" indicate that ANALYZE/DISK_STRUCTURE is performing a pass of all entries placed on the invalid backlink map. This map was created in Stage 3.
  4. This message marks the beginning of the second phase of Stage 5, in which ANALYZE/DISK_STRUCTURE confirms that all files in INDEX.SYS are retrievable through the directory structure. Here, the series of "invalid file identification..." messages indicates those directory entries that did not contain a valid file identification.
  5. This message is produced by Stage 6, which is essentially a cleanup phase for lost files. This message indicates that ANALYZE/DISK_STRUCTURE encountered errors during the directory scan that were reported in previous messages. As a result, the file is not entered in directory [SYSLOST].
  6. Here, ANALYZE/DISK_STRUCTURE begins Stage 7, in which it compares values stored in the quota file built during Stage 2 with values in the reserved file QUOTA.SYS. The last three messages here indicate discrepancies between the two files.
    Note that no messages were produced during Stage 8. During Stage 8, ANALYZE/DISK_STRUCTURE executes all operations placed on the deferred list, and if you specified /REPAIR, updates QUOTA.SYS and VOLSET.SYS as necessary.

Appendix E
ANALYZE/DISK_STRUCTURE---Usage File

When you specify the /USAGE qualifier, ANALYZE/DISK_STRUCTURE creates a disk usage accounting file. The first record of this file, the identification record, contains a summary of the disk and volume characteristics. The identification record is followed by many file summary records, one record for each file on the disk. Each file summary record contains the owner, size, and name of a file.

The identification record is characterized by the type code USG$K_IDENT in the USG$B_TYPE field of the record. Table E-1 contains a description of all the fields in this record.

Table E-1 Identification Record Format (Length USG$K_IDENT_LEN)
Field Meaning
USG$L_SERIALNUM Serial number of the volume. This is an octal longword value.
USG$T_STRUCNAM Volume set name (if the volume is part of a volume set). For a Files-11 Structure Level 1 volume, this field contains binary zeros; for a Files-11 Structure Level 2 or 5 volume that is not part of a volume set, this field contains spaces. The length of this field is USG$S_STRUCNAME.
USG$T_VOLNAME Volume name of relative volume 1. The length of this field is USG$S_VOLNAME.
USG$T_OWNERNAME Volume owner name. The length of this field is USG$S_OWNERNAME.
USG$T_FORMAT Volume format type. For a Files-11 Structure Level 1 volume, this field contains "DECFILE11A"; for a Files-11 Structure Level 2 or 5 volume, this field contains "DECFILE11B". The length of this field is USG$S_FORMAT.
USG$Q_TIME Quadword system time when this usage file was created. The length of this field is USG$S_TIME.

Each file summary record is characterized by the type code USG$K_FILE in the USG$B_TYPE field of the record. Table E-2 contains a description of all the fields in these records.

Table E-2 File Record Format (Length USG$K_FILE_LEN)
Field Meaning
USG$L_FILEOWNER File owner UIC. This can be considered as a single longword value or as two word values (USG$W_UICMEMBER and USG$W_UICGROUP).
USG$W_UICMEMBER The member field of the file owner UIC. This is an octal word value.
USG$W_UICGROUP The group field of the file owner UIC. This is an octal word value.
USG$L_ALLOCATED Number of blocks allocated to the file, including file headers. This is a decimal longword value.
USG$L_USED Number of blocks used, up to and including the end-of-file block. This is a decimal longword value.
USG$W_DIR_LEN Length of the directory string portion of USG$T_FILESPEC, including the brackets. This is a decimal word value.
USG$W_SPEC_LEN Length of the complete file specification in USG$T_FILESPEC. This is a decimal word value.
USG$T_FILESPEC File specification, in the following format:

[dir]nam.typ;ver

This field is of variable length. A file that has more than one directory entry is listed under the first file specification found. A lost file has an empty directory string "[]" and the file name is taken from the file header. In some cases this information does not exist; you must take this into consideration when you write application programs to process the usage file. The length of this field is USG$S_FILESPEC.

The symbolic names referenced in both the identification and the file summary records are defined in the system definition macro $USGDEF. The length of the identification record is USG$K_IDENT_LEN. The length of a file summary record is USG$K_FILE_LEN.

Appendix F
Security Audit Message Format

This appendix describes the format of the auditing messages written to the security auditing log file. The default audit log file SECURITY.AUDIT$JOURNAL is created by default in the SYS$COMMON:[SYSMGR] directory.

Each security audit record consists of a header packet followed by one or more data packets, as shown in Figure F-1. The number of data packets depends on the type of information being sent. This appendix describes the format of the audit header and its data packets as well as the contents of the data packets.

Figure F-1 Format of a Security Audit Message

F.1 Audit Header Packet

Table F-1 describes the fields contained in Figure F-2.

Figure F-2 Audit Header Packet Format

Table F-1 Description of the Audit Header Fields
Field Symbolic Offset Contents
Type NSA$W_RECORD_TYPE Indicates the type of event that has occurred. See Table F-2 for details.
Subtype NSA$W_RECORD_SUBTYPE Further defines the type of event that has occurred. See Table F-2 for details.
Flags NSA$W_FLAGS Identifies any flags associated with the audited event. See Table F-3 for details. Reserved to HP. (Word)
Packet count NSA$W_PACKET_COUNT Number of data packets in the audit record. (Word)
Record size NSA$W_RECORD_SIZE Total size of the audit message; the size represents the header packet plus all its data packets. (Word)
Version NSA$C_VERSION_3 Indicates the version of the security auditing facility. The symbol NSA$C_VERSION_3 indicates the current version. (Byte)
Facility NSA$W_FACILITY The facility code for the generated event. By default, this field is zero, indicating a system-generated event. (Word)

When you enter subtypes, do not include a prefix, as shown in Table F-2.

Symbols representing the types or subtypes of security events are listed in Table F-2. For each audit event record type defined by NSA$W_RECORD_TYPE, there is a record subtype defined by the symbol NSA$W_RECORD_SUBTYPE, which further defines the event.

Table F-2 Description of Audit Event Types and Subtypes
Symbols for Event Types and Subtypes Meaning
NSA$C_MSG_AUDIT Systemwide change to auditing
  ALARM_STATE Events enabled as alarms
  AUDIT_DISABLED Audit events disabled
  AUDIT_ENABLED Audit events enabled
  AUDIT_INITIATE Audit server startup
  AUDIT_LOG_FIRST First entry in audit log (backward link)
  AUDIT_LOG_FINAL Final entry in audit log (forward link)
  AUDIT_STATE Events enabled as audits
  AUDIT_TERMINATE Audit server shutdown
  SNAPSHOT_ABORT 1 System snapshot attempt has aborted
  SNAPSHOT_ACCESS 1 Snapshot file access/deaccess
  SNAPSHOT_SAVE 1 System snapshot save in progress
  SNAPSHOT_STARTUP 1 System booted from a snapshot file
     
NSA$C_MSG_BREAKIN Break-in attempt detected
  BATCH Batch process
  DETACHED Detached process
  DIALUP Dialup interactive process
  LOCAL Local interactive process
  NETWORK Network server task
  REMOTE Interactive process from another network node
  SUBPROCESS Subprocess
     
NSA$C_MSG_CONNECTION Logical link connection or termination
  CNX_ABORT Connection aborted
  CNX_ACCEPT Connection accepted
  CNX_DECNET_CREATE DECnet logical link created
  CNX_DECNET_DELETE DECnet logical link disconnected
  CNX_DISCONNECT Connection disconnected
  CNX_INC_ABORT Incoming connection request aborted
  CNX_INC_ACCEPT Incoming connection request accepted
  CNX_INC_DISCONNECT Incoming connection disconnected
  CNX_INC_REJECT Incoming connection request rejected
  CNX_INC_REQUEST Incoming connection request
  CNX_IPC_CLOSE Interprocess communication association closed
  CNX_IPC_OPEN Interprocess communication association opened
  CNX_REJECT Connection rejected
  CNX_REQUEST Connection requested
     
NSA$C_MSG_INSTALL Use of the Install utility (INSTALL)
  INSTALL_ADD Known image installed
  INSTALL_REMOVE Known image deleted
     
NSA$C_MSG_LOGFAIL Login failure
  See subtypes for
NSA$C_MSG_BREAKIN
     
NSA$C_MSG_LOGIN Successful login
  See subtypes for
NSA$C_MSG_BREAKIN
     
NSA$C_MSG_LOGOUT Successful logout
  See subtypes for
NSA$C_MSG_BREAKIN
     
NSA$C_MSG_MOUNT Volume mount or dismount
  VOL_DISMOUNT Volume dismount
  VOL_MOUNT Volume mount
     
NSA$C_MSG_NCP Modification to network configuration database
  NCP_COMMAND Network Control Program (NCP) command issued
     
NSA$C_MSG_NETPROXY Modification to network proxy database
  NETPROXY_ADD Record added to network proxy authorization file
  NETPROXY_DELETE Record removed from network proxy authorization file
  NETPROXY_MODIFY Record modified in network proxy authorization file
     
NSA$C_MSG_OBJ_ACCESS Object access attempted
  OBJ_ACCESS Access attempted to create, delete, or deaccess an object
     
NSA$C_MSG_OBJ_CREATE Object creation attempted
  OBJ_CREATE Access attempted to create an object
     
NSA$C_MSG_OBJ_DEACCESS Object deaccessed
  OBJ_DEACCESS Attempt to complete access to an object
     
NSA$C_MSG_OBJ_DELETE Object deletion attempted
  OBJ_DELETE Object deletion attempted
     
NSA$C_MSG_PROCESS Process controlled through a system service
  PRC_CANWAK Process wakeup canceled
  PRC_CREPRC Process created
  PRC_DELPRC Process deleted
  PRC_FORCEX Process exit forced
  PRC_GETJPI Process information gathered
  PRC_GRANTID Process identifier granted
  PRC_RESUME Process resumed
  PRC_REVOKID Process identifier revoked
  PRC_SCHDWK Process wakeup scheduled
  PRC_SETPRI Process priority altered
  PRC_SIGPRC Process exception issued
  PRC_SUSPND Process suspended
  PRC_TERM Process termination notification requested
  PRC_WAKE Process wakeup issued
     
NSA$C_MSG_PRVAUD Use of privilege
  PRVAUD_FAILURE Unsuccessful use of privilege
  PRVAUD_SUCCESS Successful use of privilege
     
NSA$C_MSG_RIGHTSDB Modification to the rights database
  RDB_ADD_ID Identifier added to rights database
  RDB_CREATE Rights database created
  RDB_GRANT_ID Identifier granted to user
  RDB_MOD_HOLDER List of identifier holders modified
  RDB_MOD_ID Identifier name or attributes modified
  RDB_REM_ID Identifier removed from rights database
  RDB_REVOKE_ID Identifier taken away from user
     
NSA$C_MSG_SYSGEN Use of the System Generation utility (SYSGEN)
  SYSGEN_SET System parameter modified
     
NSA$C_MSG_SYSTIME Modification to system time
  SYSTIM_SET System time set
  SYSTIM_CAL System time calibrated
     
NSA$C_MSG_SYSUAF Modification to system user authorization file (SYSUAF)
  SYSUAF_ADD Record added to system user authorization file
  SYSUAF_COPY Record added to system user authorization file
  SYSUAF_DELETE Record deleted from system user authorization file
  SYSUAF_MODIFY Record modified in system user authorization file
  SYSUAF_RENAME Record renamed in system user authorization file
1Obsolete as of OpenVMS Version 7.1

Table F-3 identifies any flags associated with the audited event.

The symbol NSA$K_MSG_HDR_LENGTH defines the current size of the message header (in bytes).

Table F-3 Description of Audit Event Flags
Symbol Meaning
NSA$M_ACL Event generated by an alarm access control entry (ACE) or an audit ACE.
NSA$M_ALARM Event is a security alarm.
NSA$M_AUDIT Event is a security audit.
NSA$M_FLUSH Event forced the audit server to write all buffered event messages to the audit log file.
NSA$M_FOREIGN Event occurred outside of the system trusted computing base.
NSA$M_MANDATORY Event resulted from a mandatory process audit.

Previous Next Contents Index