Specifies the criteria for selecting records from the audit log file. For a description of how to generate audit records, see the VSI OpenVMS Guide to System Security.

Format

    /SELECT=criteria[,...]
    /NOSELECT criteria[,...]

criteria[,...]

Specifies the criteria for selecting records. For each specified criterion, ANALYZE/AUDIT has two selection requirements:

o The packet corresponding to the criterion must be present in the record.
o One of the specified values must match the value in that packet.

For example, if you specify (USER=(PUTNAM,WU),SYSTEM=DBASE) as the criteria, ANALYZE/AUDIT selects an event record containing the SYSTEM=DBASE packet and a USER packet with either the PUTNAM value or the WU value. If you omit the /SELECT qualifier, all event records selected through the /EVENT_TYPE qualifier are extracted from the audit log file and included in the report. You can specify any of the following criteria:
1 – ACCESS
ACCESS=(type,...) Specifies the type of object access upon which the selection is based. Access is object-specific and includes the following types:

    Associate    Execute    Read
    Control      Lock       Submit
    Create       Logical    Use
    Delete       Manage     Write
                 Physical

The VSI OpenVMS Guide to System Security describes each of these types.
2 – ACCOUNT
ACCOUNT=(name,...) Specifies the account name upon which selection is based. You can use wildcards, such as an asterisk (*) or percent sign (%), to represent all or part of the name.
3 – ALARM_NAME
ALARM_NAME=(journal-name,...) Specifies the alarm journal name on which selection is based. You can use wildcards to represent all or part of the alarm journal name.
4 – ASSOCIATION_NAME
ASSOCIATION_NAME=(IPC-name,...) Specifies the name of the interprocess communication (IPC) association.
5 – AUDIT_NAME
AUDIT_NAME=(journal-name,...) Specifies the audit journal name on which selection is based. You can use wildcards to represent all or part of the audit journal name.
6 – COMMAND_LINE
COMMAND_LINE=(command,...) Specifies the command line that the user entered.
7 – CONNECTION_IDENTIFICATION
CONNECTION_IDENTIFICATION=(IPC-name,...) Specifies the name for the interprocess communication (IPC) connection.
8 – DECNET_LINK_IDENTIFICATION
DECNET_LINK_IDENTIFICATION=(value,...) Specifies the number of the DECnet logical link.
9 – DECNET_OBJECT_NAME
DECNET_OBJECT_NAME=(object-name,...) Specifies the name of the DECnet object.
10 – DECNET_OBJECT_NUMBER
DECNET_OBJECT_NUMBER=(value,...) Specifies the number of the DECnet object.
11 – DEFAULT_USERNAME
DEFAULT_USERNAME=(username,...) Specifies the default local user name for incoming network proxy requests.
12 – DEVICE_NAME
DEVICE_NAME=(device-name,...) Specifies the name of a device in audit records that have a DEVICE_NAME packet. Note that this does not select the device name when it occurs in other packet types, such as in a file name or in the TARGET_DEVICE_NAME packet.
13 – DIRECTORY_ENTRY
DIRECTORY_ENTRY=(directory,...) Specifies the directory entry associated with file system operation.
14 – DIRECTORY_NAME
DIRECTORY_NAME=(directory,...) Specifies the name of the directory file.
15 – DISMOUNT_FLAGS
DISMOUNT_FLAGS=(flag-name,...) Identifies the names of the volume dismounting flags to be used in selecting records. Specify one or more of the following flag names: Abort, Cluster, Nounload, and Unit.
16 – EVENT_CLUSTER_NAME
EVENT_CLUSTER_NAME=(event-flag-cluster-name,...) Specifies the name of the event flag cluster.
17 – FACILITY
FACILITY=(facility-name,...) Specifies that only events audited by the named facility be selected. Provide a name or a number but, in either case, the facility has to be defined through the logical AUDSERV$FACILITY_NAME as a decimal number; the system itself uses the number 0.
18 – FIELD_NAME
FIELD_NAME=(field-name,...) Specifies the name of the field that was modified. ANALYZE/AUDIT uses the FIELD_NAME criterion with packets containing the original data and the new data (specified by the NEW_DATA criterion). A FIELD_NAME is a character string that describes the content of the field. A search for "NEW:" in a full audit report will display records that contain the FIELD_NAME values that can be specified for this option. Examples of FIELD_NAME values are Account, Default Directory, Flags, and Password Date. For sensitive information, see SENSITIVE_FIELD_NAME.
19 – FILE_NAME
FILE_NAME=(file-name) Specifies the name of the file that caused the audit. Describes audit records for the specified file by using a slightly different display format than is provided by the /OBJECT=NAME=object-name keyword.
20 – FILE_IDENTIFICATION
FILE_IDENTIFICATION=(identification-value) Specifies the value of the file's identification. To calculate the value, start with the value listed for File ID when you use the FILE_NAME keyword. For example, the display lists the File ID as: File ID: (3024,5,0) Use the following formula to calculate the value: (((0 * 65536) + 5)* 65536) + 3024 = 330704
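As an added example (not code from the VSI documentation or from ANALYZE/AUDIT), the following Python packs the File ID tuple that a /FULL report prints into the value FILE_IDENTIFICATION expects, using the formula above, unpacks it again as a check, and builds the corresponding command. The report excerpt is constructed and its layout only approximates a real report; the journal name is the one used in the examples at the end of this section.

```python
import re

# Matches the "File ID: (number,sequence,rvn)" line printed in a /FULL report.
FILE_ID_RE = re.compile(r"File ID:\s*\((\d+),(\d+),(\d+)\)")


def file_id_value(number: int, sequence: int, rvn: int) -> int:
    """Pack a file ID into the value /SELECT=FILE_IDENTIFICATION expects.

    Formula from the description above:
        (((rvn * 65536) + sequence) * 65536) + number
    i.e. number in the low 16 bits, sequence above it, rvn above that.
    """
    for part in (number, sequence, rvn):
        if not 0 <= part <= 0xFFFF:
            raise ValueError(f"file ID component out of 16-bit range: {part}")
    return ((rvn * 65536) + sequence) * 65536 + number


def unpack_file_id(value: int) -> tuple[int, int, int]:
    """Inverse of file_id_value: read a value back as (number, sequence, rvn)."""
    return value & 0xFFFF, (value >> 16) & 0xFFFF, (value >> 32) & 0xFFFF


def file_ids_from_report(report: str) -> list[tuple[int, int, int]]:
    """Collect every File ID tuple appearing in report text."""
    return [tuple(int(g) for g in m.groups()) for m in FILE_ID_RE.finditer(report)]


def select_command(journal: str, number: int, sequence: int, rvn: int) -> str:
    """Build the ANALYZE/AUDIT command that selects records for this file ID."""
    value = file_id_value(number, sequence, rvn)
    return f"$ ANALYZE/AUDIT/FULL/SELECT=FILE_IDENTIFICATION={value} {journal}"


# Constructed excerpt; the layout approximates a /FULL report and is not real audit output.
SAMPLE_REPORT = """\
Auditable event:          Object access
File name:                BOSTON$DUA0:[RWOODS]MEMO.MEM;1
File ID:                  (3024,5,0)
"""

if __name__ == "__main__":
    for fid in file_ids_from_report(SAMPLE_REPORT):
        print(select_command("SYS$MANAGER:SECURITY.AUDIT$JOURNAL", *fid))
```

Selecting by the packed file ID rather than by FILE_NAME is useful when the same file may appear under more than one name in the log, since the value is derived from the file's identification, not its name.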
21 – FLAGS
FLAGS=(flag-name,...) Identifies the names of the audit event flags associated with the audited event. These names should be used in selecting records. Specify one or more of the following flags: ACL, Alarm, Audit, Flush, Foreign, Internal, and Mandatory.
22 – HOLDER
HOLDER=keyword(,...) Specifies the characteristics of the identifier holder to be used when selecting event records. Choose from the following keywords:

    NAME=username    Specifies the name of the holder. You can represent all or part of the name with a wildcard.
    OWNER=uic        Specifies the user identification code (UIC) of the holder.
23 – IDENTIFIER
IDENTIFIER=keyword(,...) Identifies which attributes of an identifier should be used when selecting event records. Choose from the following keywords:

    ATTRIBUTES=name         Specifies the name of the particular attribute. Valid attribute names are Dynamic, Holder_Hidden, Name_Hidden, NoAccess, Resource, and Subsystem.
    NAME=identifier         Specifies the original name of the identifier. You can represent all or part of the name with a wildcard.
    NEW_NAME=identifier     Specifies the new name of the identifier. You can represent all or part of the name with a wildcard.
    NEW_ATTRIBUTES=name     Specifies the name of the new attribute. Valid attribute names are Dynamic, Holder_Hidden, Name_Hidden, NoAccess, Resource, and Subsystem.
    VALUE=value             Specifies the original value of the identifier.
    NEW_VALUE=value         Specifies the new value of the identifier.
24 – IDENTIFIERS_MISSING
IDENTIFIERS_MISSING=(identifier,...) Specifies the identifiers missing in a failure to access an object.
25 – IDENTIFIERS_USED
IDENTIFIERS_USED=(identifier,...) Specifies the identifiers used to gain access to an object. An event record matches if the specified list is a subset of the identifiers recorded in the event record.
26 – IMAGE_NAME
IMAGE_NAME=(image-name,...) Identifies the name of the image to be used when selecting event records. You can represent all or part of the image name with a wildcard.
27 – INSTALL
INSTALL=keyword(,...) Specifies that installation event packets are to be considered when selecting event records. Choose from the following keywords:

    FILE=filename               Specifies the name of the installed file. You can represent all or part of the name with a wildcard. Note that on Alpha systems prior to Version 6.1, audit log files record the installed file name within an object name packet. To select the installed file in such a log, you must use the expression OBJECT=(NAME=object-name) instead of FILE=filename.
    FLAGS=flag-name             Specifies the names of the flags, which correspond to qualifiers of the Install utility (INSTALL); for example, OPEN corresponds to /OPEN.
    PRIVILEGES=privilege-name   Specifies the names of the privileges with which the file was installed.
28 – LNM_PARENT_NAME
LNM_PARENT_NAME=(table-name,...) Specifies the name of the parent logical name table.
29 – LNM_TABLE_NAME
LNM_TABLE_NAME=(table-name,...) Specifies the name of the logical name table.
30 – LOCAL
LOCAL=(characteristic,...) Specifies the characteristics of the local (proxy) account to be used when selecting event records. The following characteristic is supported: USERNAME=username Specifies the name of the local account. You can represent all or part of the name with a wildcard.
31 – LOGICAL_NAME
LOGICAL_NAME=(logical-name,...) Specifies the logical name of the mounted (or dismounted) volume upon which selection is based. You can represent all or part of the logical name with a wildcard.
32 – MAILBOX_UNIT
MAILBOX_UNIT=(number,...) Specifies the number of the mailbox unit.
33 – MOUNT_FLAGS
MOUNT_FLAGS=(flag-name,...) Specifies the names of the volume mounting flags upon which selection is based. Possible flag names include the following names:

    CACHE=(NONE,WRITETHROUGH)
    CDROM
    CLUSTER
    COMPACTION
    DATACHECK=(READ,WRITE)
    DSI
    FOREIGN
    GROUP
    INCLUDE
    INITIALIZATION=(ALLOCATE,CONTINUATION)
    MESSAGE
    NOASSIST
    NOAUTOMATIC
    NOCOMPACTION
    NOCOPY
    NOHDR3
    NOJOURNAL
    NOLABEL
    NOMOUNT_VERIFICATION
    NOQUOTA
    NOREBUILD
    NOUNLOAD
    NOWRITE
    OVERRIDE=(options[,...]), where options is one or more of:
        ACCESSIBILITY
        EXPIRATION
        IDENTIFICATION
        LIMITED_SEARCH
        LOCK
        NO_FORCED_ERROR
        OWNER_IDENTIFIER
        SECURITY
        SETID
    POOL
    QUOTA
    SHARE
    SUBSYSTEM
    SYSTEM
    TAPE_DATA_WRITE
    XAR

The names NOLABEL and FOREIGN each point to the FOREIGN flag, because the MOUNT/NOLABEL and MOUNT/FOREIGN commands each set the FOREIGN flag. Therefore, if a volume was mounted with MOUNT/NOLABEL and you select with ANALYZE/AUDIT/SELECT=MOUNT_FLAGS=NOLABEL, the audit record will display the FOREIGN flag.
34 – NEW_DATA
NEW_DATA=(value,...) Specifies the value to use after the event occurs. Use this criterion with the FIELD_NAME criterion. When you use the Authorize utility (AUTHORIZE) to copy a user name, NEW_DATA specifies the newly created user name. For sensitive information, see SENSITIVE_NEW_DATA.
35 – NEW_IMAGE_NAME
NEW_IMAGE_NAME=(image-name,...) Specifies the name of the image to be activated in the newly created process, as supplied to the $CREPRC system service.
36 – NEW_OWNER
NEW_OWNER=(uic,...) Specifies the user identification code (UIC) to be assigned to the created process, as supplied to the $CREPRC system service.
37 – OBJECT
OBJECT=keyword(,...) Specifies which characteristics of an object should be used when selecting event records. Choose any of the following keywords:

    CLASS=class-name    Specifies the general object class as one of the following classes: Capability, Device, Event_cluster, File, Group_global_section, Logical_name_table, Queue, Resource_domain, Security_class, System_global_section, Volume. You must enter the full class name (for example, CLASS=logical_name_table) or use wildcard characters to supply a portion of the class name (for example, CLASS=log*).
    NAME=object-name    Specifies the name of the object. You can represent all or part of the name with a wildcard. If you do not use a wildcard, specify the full object name (for example, BOSTON$DUA0:[RWOODS]MEMO.MEM;1).
    OWNER=value         Specifies the UIC or general identifier of the object.
    TYPE=type           Specifies the general object class (type of object). The available classes are as follows: Capability, Device, File, Group_global_section, Logical_name_table, Queue, System_global_section. The CLASS keyword supersedes the TYPE keyword. However, TYPE is required to select audit records in files created prior to OpenVMS Alpha Version 6.1.
38 – PARENT
PARENT=keyword(,...) Specifies which characteristics of the parent process are used when selecting event records generated by a subprocess. Choose from the following keywords:

    IDENTIFICATION=value    Specifies the process identifier (PID) of the parent process.
    NAME=process-name       Specifies the name of the parent process. You can represent all or part of the name with a wildcard.
    OWNER=value             Specifies the owner (identifier value) of the parent process.
    USERNAME=username       Specifies the user name of the parent process. You can represent all or part of the name with a wildcard.
39 – PASSWORD
PASSWORD=(password,...) Specifies the password used when the system detected a break-in attempt.
40 – PRIVILEGES_MISSING
PRIVILEGES_MISSING=(privilege-name,...) Specifies privileges the caller needed to perform the operation successfully. Specify any of the system privileges, as described in the VSI OpenVMS Guide to System Security.
41 – PRIVILEGES_USED
PRIVILEGES_USED=(privilege-name,...) Specifies the privileges of the process to be used when selecting event records. Specify any of the system privileges, as described in the VSI OpenVMS Guide to System Security. Also include the STATUS keyword in the selection criteria so the report can demonstrate whether the privilege was involved in a successful or an unsuccessful operation.
42 – PROCESS
PROCESS=(characteristic,...) Specifies the characteristics of the process to be used when selecting event records. Choose from the following characteristics:

    IDENTIFICATION=value    Specifies the PID of the process.
    NAME=process-name       Specifies the name of the process. You can represent all or part of the name with a wildcard.
43 – REMOTE
REMOTE=keyword(,...) Specifies that some characteristic of the network request is to be used when selecting event records. Choose from the following keywords:

    ASSOCIATION_NAME=IPC-name    Specifies the interprocess communication (IPC) association name.
    LINK_IDENTIFICATION=value    Specifies the number of the DECnet logical link.
    IDENTIFICATION=value         Specifies the DECnet node address.
    NODENAME=node-name           Specifies the DECnet node name. You can represent all or part of the name with a wildcard.
    USERNAME=username            Specifies the remote user name. You can represent all or part of the remote user name with a wildcard.
44 – REQUEST_NUMBER
REQUEST_NUMBER=(value,...) Specifies the request number associated with the DCL command REQUEST/REPLY.
45 – SECTION_NAME
SECTION_NAME=(global-section-name,...) Specifies the name of the global section.
46 – SENSITIVE_FIELD_NAME
SENSITIVE_FIELD_NAME=(field-name,...) Specifies the name of the field that was modified. ANALYZE/AUDIT uses the SENSITIVE_FIELD_NAME criterion, such as PASSWORD, with packets containing the original data and the new data (specified by the SENSITIVE_NEW_DATA criterion).
47 – SENSITIVE_NEW_DATA
SENSITIVE_NEW_DATA=(value,...) Specifies the value to use after the event occurs. Use this criterion with the SENSITIVE_FIELD_NAME criterion.
48 – SNAPSHOT_BOOTFILE
SNAPSHOT_BOOTFILE=(filename,...) Specifies the name of the file containing a snapshot of the system.
49 – SNAPSHOT_SAVE_FILENAME
SNAPSHOT_SAVE_FILENAME=(filename,...) Specifies the name of the system snapshot file for a save operation that is in progress.
50 – STATUS
STATUS=(type,...) Specifies the type of success status to be used when selecting event records. Choose from the following status types:

    SUCCESSFUL     Specifies any success status.
    FAILURE        Specifies any failure status.
    CODE=(value)   Specifies a specific completion status. Note that if you specify CODE more than once, only the last value is matched.
51 – SUBJECT_OWNER
SUBJECT_OWNER=(uic,...) Specifies the owner (UIC) of the process causing the event.
52 – SUBTYPE
SUBTYPE=(subtype,...) Specifies that the criteria be limited to the value or values specified as a subtype. The following table lists events and their related subtypes. After SUBTYPE, enter the subtypes as they appear in the list, for example, SUBTYPE=ALARM_STATE. (In other words, do not enter a prefix.)

Symbols for Event Types and Subtypes

    Event Type / Subtype          Meaning

    NSA$C_MSG_AUDIT               Systemwide change to auditing
      ALARM_STATE                 Events enabled as alarms
      AUDIT_DISABLED              Audit events disabled
      AUDIT_ENABLED               Audit events enabled
      AUDIT_INITIATE              Audit server startup
      AUDIT_LOG_FIRST             First entry in audit log (backward link)
      AUDIT_LOG_FINAL             Final entry in audit log (forward link)
      AUDIT_STATE                 Events enabled as audits
      AUDIT_TERMINATE             Audit server shutdown
      SNAPSHOT_ABORT*             System snapshot attempt has aborted
      SNAPSHOT_ACCESS*            Snapshot file access/deaccess
      SNAPSHOT_SAVE*              System snapshot save in progress
      SNAPSHOT_STARTUP*           System booted from a snapshot file

    NSA$C_MSG_BREAKIN             Break-in attempt detected
      BATCH                       Batch process
      DETACHED                    Detached process
      DIALUP                      Dialup interactive process
      LOCAL                       Local interactive process
      NETWORK                     Network server task
      REMOTE                      Interactive process from another network node
      SUBPROCESS                  Subprocess

    NSA$C_MSG_CONNECTION          Logical link connection or termination
      CNX_ABORT                   Connection aborted
      CNX_ACCEPT                  Connection accepted
      CNX_DECNET_CREATE           DECnet logical link created
      CNX_DECNET_DELETE           DECnet logical link disconnected
      CNX_DISCONNECT              Connection disconnected
      CNX_INC_ABORT               Incoming connection request aborted
      CNX_INC_ACCEPT              Incoming connection request accepted
      CNX_INC_DISCONNECT          Incoming connection disconnected
      CNX_INC_REJECT              Incoming connection request rejected
      CNX_INC_REQUEST             Incoming connection request
      CNX_IPC_CLOSE               Interprocess communication association closed
      CNX_IPC_OPEN                Interprocess communication association opened
      CNX_REJECT                  Connection rejected
      CNX_REQUEST                 Connection requested

    NSA$C_MSG_INSTALL             Use of the Install utility (INSTALL)
      INSTALL_ADD                 Known image installed
      INSTALL_REMOVE              Known image deleted

    NSA$C_MSG_LOGFAIL             Login failure
                                  See subtypes for NSA$C_MSG_BREAKIN

    NSA$C_MSG_LOGIN               Successful login
                                  See subtypes for NSA$C_MSG_BREAKIN

    NSA$C_MSG_LOGOUT              Successful logout
                                  See subtypes for NSA$C_MSG_BREAKIN

    NSA$C_MSG_MOUNT               Volume mount or dismount
      VOL_DISMOUNT                Volume dismount
      VOL_MOUNT                   Volume mount

    NSA$C_MSG_NCP                 Modification to network configuration database
      NCP_COMMAND                 Network Control Program (NCP) command issued

    NSA$C_MSG_NETPROXY            Modification to network proxy database
      NETPROXY_ADD                Record added to network proxy authorization file
      NETPROXY_DELETE             Record removed from network proxy authorization file
      NETPROXY_MODIFY             Record modified in network proxy authorization file

    NSA$C_MSG_OBJ_ACCESS          Object access attempted
      OBJ_ACCESS                  Access attempted to create, delete, or deaccess an object

    NSA$C_MSG_OBJ_CREATE          Object creation attempted
      OBJ_CREATE                  Access attempted to create an object

    NSA$C_MSG_OBJ_DEACCESS        Object deaccessed
      OBJ_DEACCESS                Attempt to complete access to an object

    NSA$C_MSG_OBJ_DELETE          Object deletion attempted
      OBJ_DELETE                  Object deletion attempted

    NSA$C_MSG_PROCESS             Process controlled through a system service
      PRC_CANWAK                  Process wakeup canceled
      PRC_CREPRC                  Process created
      PRC_DELPRC                  Process deleted
      PRC_FORCEX                  Process exit forced
      PRC_GETJPI                  Process information gathered
      PRC_GRANTID                 Process identifier granted
      PRC_RESUME                  Process resumed
      PRC_REVOKID                 Process identifier revoked
      PRC_SCHDWK                  Process wakeup scheduled
      PRC_SETPRI                  Process priority altered
      PRC_SIGPRC                  Process exception issued
      PRC_SUSPND                  Process suspended
      PRC_TERM                    Process termination notification requested
      PRC_WAKE                    Process wakeup issued

    NSA$C_MSG_PRVAUD              Use of privilege
      PRVAUD_FAILURE              Unsuccessful use of privilege
      PRVAUD_SUCCESS              Successful use of privilege

    NSA$C_MSG_RIGHTSDB            Modification to the rights database
      RDB_ADD_ID                  Identifier added to rights database
      RDB_CREATE                  Rights database created
      RDB_GRANT_ID                Identifier granted to user
      RDB_MOD_HOLDER              List of identifier holders modified
      RDB_MOD_ID                  Identifier name or attributes modified
      RDB_REM_ID                  Identifier removed from rights database
      RDB_REVOKE_ID               Identifier taken away from user

    NSA$C_MSG_SYSGEN              Use of the System Generation utility (SYSGEN)
      SYSGEN_SET                  System parameter modified

    NSA$C_MSG_SYSTIME             Modification to system time
      SYSTIM_SET                  System time set
      SYSTIM_CAL                  System time calibrated

    NSA$C_MSG_SYSUAF              Modification to system user authorization file (SYSUAF)
      SYSUAF_ADD                  Record added to system user authorization file
      SYSUAF_COPY                 Record added to system user authorization file
      SYSUAF_DELETE               Record deleted from system user authorization file
      SYSUAF_MODIFY               Record modified in system user authorization file
      SYSUAF_RENAME               Record renamed in system user authorization file

    * Obsolete as of OpenVMS Version 7.1
53 – SYSTEM
SYSTEM=keyword(,...) Specifies the characteristics of the system to be used when selecting event records. Choose from the following keywords:

    IDENTIFICATION=value    Specifies the numeric identification of the system.
    NAME=nodename           Specifies the node name of the system.
54 – SYSTEM_SERVICE_NAME
SYSTEM_SERVICE_NAME=(service-name,...) Specifies the name of the system service associated with the event.
55 – TARGET_DEVICE_NAME
TARGET_DEVICE_NAME=(device-name,...) Specifies the target device name used by a process control system service.
56 – TARGET_PROCESS_IDENTIFICATION
TARGET_PROCESS_IDENTIFICATION=(value,...) Specifies the target process identifier (PID) used by a process control system service.
57 – TARGET_PROCESS_NAME
TARGET_PROCESS_NAME=(process-name,...) Specifies the target process name used by a process control system service.
58 – TARGET_PROCESS_OWNER
TARGET_PROCESS_OWNER=(uic,...) Specifies the target process owner (UIC) used by a process control system service.
59 – TARGET_USERNAME
TARGET_USERNAME=(username,...) Specifies the target user name used by a process control system service.
60 – TERMINAL
TERMINAL=(device-name,...) Specifies the name of the terminal to be used when selecting event records. You can represent all or part of the terminal name with a wildcard.
61 – TRANSPORT_NAME
TRANSPORT_NAME=(transport-name,...) Specifies the name of the transport: interprocess communication (IPC) or System Management Integrator (SMI), which handles requests from the System Management utility. On VAX systems, it also can specify the DECnet transport name (NSP).
62 – UAF_SOURCE
UAF_SOURCE=(record-name,...) Specifies the user name of the source record for an Authorize utility (AUTHORIZE) add, modify, or delete operation.
63 – USERNAME
USERNAME=(username,...) Specifies the user name to be used when selecting event records. You can represent all or part of the user name with a wildcard.
64 – VOLUME_NAME
VOLUME_NAME=(volume-name,...) Specifies the name of the mounted (or dismounted) volume to be used when selecting event records. You can represent all or part of the volume name with a wildcard.
65 – VOLUME_SET_NAME
VOLUME_SET_NAME=(volume-set-name,...) Specifies the name of the mounted (or dismounted) volume set to be used when selecting event records. You can represent all or part of the volume set name with a wildcard.
66 – Examples
1. $ ANALYZE/AUDIT /FULL/SELECT=USERNAME=JOHNSON -
   _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

   The command in this example selects all records written to the security audit log file that were generated by user JOHNSON.

2. $ ANALYZE/AUDIT/FULL/SELECT=PRIVILEGES_USED=(SYSPRV,-
   _$ BYPASS) SYS$MANAGER:SECURITY.AUDIT$JOURNAL

   The command in this example selects all records written to the security audit log file that were generated by events through the use of either SYSPRV or BYPASS privilege.
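The selection rule stated at the top of this section (the packet must be present, and one of the listed values must match it) and the two examples above, modelled in Python as an added example; this is not code from ANALYZE/AUDIT or from VSI. Records are constructed dictionaries mapping packet names to values; nested keywords such as SYSTEM=NAME=... and STATUS=SUCCESSFUL are flattened here to single packet names (SYSTEM_NAME, STATUS), and the wildcard semantics (* for any run of characters, % for exactly one, case-insensitive matching) are assumed from DCL. The subset rule for IDENTIFIERS_USED is the one given under that criterion above.

```python
import re

# Packets whose criterion is a subset test rather than "any listed value matches".
# IDENTIFIERS_USED is documented that way; every other criterion uses the general rule.
SUBSET_PACKETS = {"IDENTIFIERS_USED"}


def wildcard_regex(pattern: str) -> re.Pattern:
    """Translate a DCL-style wildcard to a regex: * matches any run of characters,
    % matches exactly one. Case-insensitive matching is an assumption made here
    (user, node and identifier names are stored upper-case on OpenVMS)."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "%":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def _as_list(value) -> list[str]:
    if isinstance(value, (list, tuple, set, frozenset)):
        return [str(v) for v in value]
    return [str(value)]


def record_matches(record: dict, criteria: dict) -> bool:
    """The /SELECT rule: for every criterion, the packet must be present in the
    record and one of the criterion's values must match a recorded value.
    A wildcard such as "*" does not rescue a record that lacks the packet."""
    for packet, wanted in criteria.items():
        if packet not in record:
            return False
        recorded = _as_list(record[packet])
        patterns = [wildcard_regex(w) for w in _as_list(wanted)]
        hits = [any(p.match(r) for r in recorded) for p in patterns]
        if packet in SUBSET_PACKETS:
            if not all(hits):       # every listed identifier must be present
                return False
        elif not any(hits):         # general rule: any listed value suffices
            return False
    return True


def select(records: list[dict], criteria: dict) -> list[dict]:
    """Equivalent of ANALYZE/AUDIT/SELECT=criteria over in-memory records."""
    return [r for r in records if record_matches(r, criteria)]


# Constructed records (packet name -> value); not real audit-log contents.
RECORDS = [
    {"EVENT": "LOGIN", "USERNAME": "JOHNSON", "SYSTEM_NAME": "BOSTON",
     "STATUS": "SUCCESSFUL"},
    {"EVENT": "PRVAUD", "USERNAME": "WU", "SYSTEM_NAME": "DBASE",
     "PRIVILEGES_USED": ["SYSPRV", "TMPMBX"], "STATUS": "SUCCESSFUL"},
    {"EVENT": "OBJ_ACCESS", "USERNAME": "PUTNAM", "SYSTEM_NAME": "DBASE",
     "IDENTIFIERS_USED": ["PAYROLL", "FINANCE"], "STATUS": "FAILURE"},
    {"EVENT": "PRVAUD", "USERNAME": "JOHNSON", "SYSTEM_NAME": "BOSTON",
     "PRIVILEGES_USED": ["BYPASS"], "STATUS": "FAILURE"},
    {"EVENT": "BREAKIN", "SYSTEM_NAME": "DBASE", "STATUS": "FAILURE"},  # no USERNAME packet
]

if __name__ == "__main__":
    # Example 2 above: records that used either SYSPRV or BYPASS, not necessarily both.
    for r in select(RECORDS, {"PRIVILEGES_USED": ["SYSPRV", "BYPASS"]}):
        print(r["USERNAME"], r["PRIVILEGES_USED"], r["STATUS"])
```

Two points the examples alone do not show: a criterion of USERNAME=* still excludes records that carry no USERNAME packet at all (the break-in record here), and when selecting on PRIVILEGES_USED it is worth adding STATUS as well, as the PRIVILEGES_USED description advises, so that successful and failed uses of the privilege are not mixed in one report.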