Provides the management interface to the security auditing system. Requires the SECURITY privilege.

Format

  SET AUDIT/qualifier

There are five categories of qualifiers, grouped by task, for the SET AUDIT command:

  Define events
      Qualifiers:   /AUDIT, /ALARM, /CLASS, /ENABLE, /DISABLE
      Requirements: Specify whether you are defining alarms (/ALARM), audits (/AUDIT), or both. Also specify whether you are enabling (/ENABLE) or disabling (/DISABLE) the reporting of the event.

  Define auditing log file
      Qualifiers:   /DESTINATION, /JOURNAL, /VERIFY
      Requirements: Requires both the /DESTINATION and /JOURNAL qualifiers.

  Define operational characteristics of the audit server and a listener mailbox (if any)
      Qualifiers:   /INTERVAL, /LISTENER, /SERVER, /VERIFY
      Requirements: None.

  Define secondary log file
      Qualifiers:   /ARCHIVE, /DESTINATION, /VERIFY
      Requirements: None.

  Define resource monitoring defaults
      Qualifiers:   /BACKLOG, /EXCLUDE, /JOURNAL, /RESOURCE, /THRESHOLD, /VERIFY
      Requirements: With the /RESOURCE or /THRESHOLD qualifier, include the /JOURNAL qualifier.
1 – Qualifiers
1.1 /ALARM
Makes the command apply to alarms, which are messages displayed on an operator terminal. See the description of the DCL command REPLY/ENABLE for details on how to enable terminals to display security messages.
1.2 /ARCHIVE
/ARCHIVE=[keyword,...]

Specifies which classes of audit event messages are written to the security archive file. Specify one or more of the following keywords:

  NONE
      Disables archiving on the system.
  [NO]ALL (default)
      Enables or disables archiving of all system security events. By default, no events are archived.
  SYSTEM_ALARM
      Enables archiving of all security alarm events.
  SYSTEM_AUDIT
      Enables archiving of all security audit events.

Archiving should be run on only one node in an OpenVMS Cluster with its own audit server database, because multiple nodes will try to open the audit file exclusively.
1.3 /AUDIT
Makes the command apply to audits, which are messages recorded in the system security audit log file.
1.4 /BACKLOG
/BACKLOG=[keyword[,...]]

Specifies the thresholds for suspending a process that has exceeded the process message limit. The thresholds include the total number of messages in memory and the number belonging to the particular process. To prevent a process from being suspended, use the /EXCLUDE qualifier. Specify the following keywords:

  TOTAL=(n1,n2,n3)
      Thresholds at which flow control is initiated and accelerated; see the description below.
  PROCESS=(p1,p2)
      Thresholds at which process submissions are controlled.

The default thresholds, and the action taken when each is reached, are:

  N1 = 100 total messages, P1 = 5 process messages
      When there are 100 messages in memory, the audit server suspends any process that has submitted 5 or more messages until all messages are written to disk.
  N2 = 200 total messages, P2 = 2 process messages
      When there are 200 messages in memory, the audit server suspends any process that has submitted 2 or more messages until all messages are written to disk.
  N3 = 300 total messages
      Any process with messages in memory is suspended until all messages are written to disk.
1.5 /CLASS
/CLASS=class

Specifies the class of the object whose auditing attributes are to be modified. If /CLASS is not specified, the command assumes the class is FILE. Specify one of the following keywords with the /CLASS qualifier:

  CAPABILITY
  COMMON_EVENT_CLUSTER
  DEVICE
  FILE
  GROUP_GLOBAL_SECTION
  LOGICAL_NAME_TABLE
  QUEUE
  RESOURCE_DOMAIN
  SECURITY_CLASS
  SYSTEM_GLOBAL_SECTION
  VOLUME
1.6 /DESTINATION
/DESTINATION=filespec

When changing the destination of event messages, specifies the new location of the system security audit log file. The device, if part of the file specification, must be a disk. The /DESTINATION qualifier requires the /JOURNAL qualifier in this case.

Once you have relocated the log file, execute the command SET AUDIT/SERVER=NEW_LOG to let all the nodes in the cluster know of the new location. The previous audit log file is closed and all subsequent audit event messages generated throughout the cluster are sent to the new audit log file.

When used with /ARCHIVE, specifies the name of the archive log file. Events can be archived to a local or remote file on any file-structured disk device. For example, you can use an archive file to redirect event messages from a satellite to a larger node in the cluster.
1.7 /DISABLE
/DISABLE=(keyword[,...])

Disables alarms or audits for the specified events. To disable all system events and file access events, specify the keyword ALL. You must specify at least one of the keywords. For a list of the keywords to use with the /DISABLE qualifier, see the /ENABLE qualifier description. You must also specify either the /ALARM or /AUDIT qualifier, or both, when you use the /DISABLE qualifier.

NOTE: In processing the SET AUDIT command, the system processes the /DISABLE qualifier last. If you specify both the /ENABLE and /DISABLE qualifiers for items in the same class on the same command line, the /DISABLE qualifier disables any enabled items. VSI recommends that you use separate lines for commands containing the /ENABLE and /DISABLE qualifiers.
1.8 /ENABLE
/ENABLE=(keyword[,...])

Enables alarms or audits for the specified events. To enable all system events and file access events, specify the keyword ALL. You must specify at least one keyword. You must also specify either the /ALARM or /AUDIT qualifier, or both, when you use the /ENABLE qualifier.

The keywords that you can specify with either the /ENABLE or the /DISABLE qualifier are as follows:

  ACCESS=(condition[:access[,...]][,...])
      Specifies access events for all objects in a class. (To audit a single object, use an auditing ACE and enable the access control list (ACL) category.) VSI recommends that when you enable auditing conditionally, you enable it for all possible forms of access, because the system can check access rights at several points during an operation. (For example, a FAILURE might occur on a read or write access check.) See the VSI OpenVMS Guide to System Security for information about the various types of access permitted on each class. (For example, the access keyword CREATE is not defined for FILE objects.)

      Condition keywords:
        ALL        All object access
        BYPASS     Successful object access due to the use of the BYPASS privilege
        FAILURE    Unsuccessful object access
        GRPPRV     Successful object access due to the use of the group privilege (GRPPRV)
        READALL    Successful object access due to the use of the READALL privilege
        SUCCESS    Successful object access
        SYSPRV     Successful object access due to the use of the system privilege (SYSPRV)

      Access keywords:
        ALL        All types of access
        ASSOCIATE  Associate access
        CONTROL    Control access to examine or change security characteristics
        CREATE     Create access. To audit create events for files, use the CREATE keyword.
        DELETE     Delete access
        EXECUTE    Execute access
        LOCK       Lock access
        LOGICAL    Logical I/O access
        MANAGE     Manage access
        PHYSICAL   Physical I/O access
        READ       Read access
        SUBMIT     Submit access
        WRITE      Write access

  ACL
      Specifies an event requested by an audit or alarm ACE in the access control list (ACL) of an object. To audit all objects of a class, use the ACCESS keyword.

  ALL
      Specifies all system events and file access events. It does not enable access events for object classes other than FILE.

  AUDIT=keyword
      Specifies events within the auditing subsystem. Only one keyword is currently defined:
        ILLFORMED  Specifies ill-formed events from internal calls (identified by NSA$M_INTERNAL) to the $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS system services. An ill-formed event is caused by an incomplete or syntactically incorrect argument being supplied to one of these system services by a piece of privileged code.

  AUTHORIZATION
      Specifies the modification of any portion of the system user authorization file (SYSUAF), network proxy authorization file (NETPROXY), or the rights list (RIGHTSLIST), including password changes made through the AUTHORIZE, SET PASSWORD, or LOGINOUT commands or the $SETUAI system service.

  BREAKIN=(keyword[,...])
      Specifies the occurrence of one or more classes of break-in attempts, as specified by one or more of the following keywords:
        ALL  DETACHED  DIALUP  LOCAL  NETWORK  REMOTE

  CONNECTION
      Specifies a logical link connection or termination through DECnet-Plus, DECnet Phase IV, DECwindows, $IPC, or SYSMAN.

  CREATE
      Specifies the creation of an object. Requires the /CLASS qualifier if it is not a file.

  DEACCESS
      Specifies deaccess from an object. Requires the /CLASS qualifier if it is not a file.

  DELETE
      Specifies the deletion of an object. Requires the /CLASS=DEVICE qualifier.

  FILE_ACCESS=(keyword[,...])
      This keyword is obsolete and is superseded by the ACCESS keyword, which is valid on all OpenVMS Version 6.1 or higher systems. On Alpha, this keyword specifies the occurrence of file and global section access events (regardless of the value given in the object's access control list [ACL], if any).

  IDENTIFIER
      Specifies that the use of identifiers as privileges should be audited. For further information, see the VSI OpenVMS Guide to System Security.

  INSTALL
      Specifies modifications made to the known file list through the INSTALL utility.

  LOGFAILURE=(keyword[,...])
      Specifies the occurrence of one or more classes of login failures, as specified by the following keywords:
        ALL         All possible types of login failures
        BATCH       Batch process login failure
        DETACHED    Detached process login failure
        DIALUP      Dialup interactive login failure
        LOCAL       Local interactive login failure
        NETWORK     Network server task login failure
        REMOTE      Interactive login failure from another network node, for example, with a SET HOST command
        SERVER      Server or TCB-based login failure
        SUBPROCESS  Subprocess login failure

  LOGIN=(keyword[,...])
      Specifies the occurrence of one or more classes of login attempts, as specified by the following keywords. See the LOGFAILURE keyword for further description.
        ALL  BATCH  DETACHED  DIALUP  LOCAL  NETWORK  REMOTE  SERVER  SUBPROCESS

  LOGOUT=(keyword[,...])
      Specifies the occurrence of one or more classes of logouts, as specified by the following keywords. See the LOGFAILURE keyword for further description.
        ALL  BATCH  DETACHED  DIALUP  LOCAL  NETWORK  REMOTE  SERVER  SUBPROCESS

  MOUNT
      Specifies a mount or dismount operation.

  NCP
      Specifies access to the network configuration database, using the network control program (NCP).

  PRIVILEGE=(keyword[,...])
      Specifies successful or unsuccessful use of privilege, as specified by the following keywords:
        FAILURE[:privilege(,...)]  Unsuccessful use of privilege
        SUCCESS[:privilege(,...)]  Successful use of privilege
      For a listing of privileges, see the online help for the DCL command SET PROCESS/PRIVILEGES.

  PROCESS=(keyword[,...])
      Specifies the use of one or more of the process control system services, as specified by the following keywords:
        ALL      Use of any of the process control system services
        CREPRC   All use of $CREPRC
        DELPRC   All use of $DELPRC
        SCHDWK   Privileged use of $SCHDWK
        CANWAK   Privileged use of $CANWAK
        WAKE     Privileged use of $WAKE
        SUSPND   Privileged use of $SUSPND
        RESUME   Privileged use of $RESUME
        GRANTID  Privileged use of $GRANTID
        REVOKID  Privileged use of $REVOKID
        GETJPI   Privileged use of $GETJPI
        FORCEX   Privileged use of $FORCEX
        SETPRI   Privileged use of $SETPRI
      Privileged use of a process control system service means the caller used GROUP or WORLD privilege to affect the target process.

  SYSGEN
      Specifies the modification of a system parameter with the OpenVMS System Generation utility.

  TIME
      Specifies the modification of system time.
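The following command procedure is an added example, not part of the VSI documentation, showing how the /ENABLE and /DISABLE keywords above combine into a baseline policy and why the /DISABLE note recommends a separate command line. The file name AUDIT_BASELINE.COM and the choice of events are assumptions for illustration.

```dcl
$! AUDIT_BASELINE.COM -- constructed example, not part of the VSI documentation.
$! Applies a baseline auditing policy. Requires the SECURITY privilege.
$ ON ERROR THEN EXIT
$!
$! Account-compromise indicators go to both channels: alarms reach operator
$! terminals enabled with REPLY/ENABLE=SECURITY, audits go to the log file.
$ SET AUDIT/ALARM/AUDIT/VERIFY/ENABLE= -
  (BREAKIN=ALL,LOGFAILURE=ALL,AUTHORIZATION,INSTALL,SYSGEN,TIME)
$!
$! Privilege failures and privileged file access are recorded as audits only.
$! ACCESS conditions are given without an access list so every access type
$! is covered, as the /ENABLE description recommends.
$ SET AUDIT/AUDIT/VERIFY/ENABLE= -
  (PRIVILEGE=FAILURE,ACCESS=(FAILURE,BYPASS,SYSPRV))/CLASS=FILE
$!
$! Login records: enable every class, then drop the high-volume batch and
$! subprocess logins. /DISABLE stays on its own line because, combined with
$! /ENABLE on one command, it is processed last and would win.
$ SET AUDIT/AUDIT/VERIFY/ENABLE=LOGIN=ALL
$ SET AUDIT/AUDIT/VERIFY/DISABLE=LOGIN=(BATCH,SUBPROCESS)
$!
$! Display the resulting settings so the change can be reviewed.
$ SHOW AUDIT/ALARM
$ SHOW AUDIT/AUDIT
$ EXIT
```

/VERIFY makes each command wait for the audit server to apply the change before the next line runs, so the SHOW AUDIT output reflects the whole procedure.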
1.9 /EXCLUDE
/EXCLUDE=process-id
/NOEXCLUDE=process-id

Adds a process identification (PID) to the audit server's process exclusion list. The process exclusion list contains those processes that will not be suspended by the audit server if a resource exhaustion reaches the action threshold. By default, realtime processes and all of the following processes are included in the process exclusion list and are never suspended:

  CACHE_SERVER
  CLUSTER_SERVER
  CONFIGURE
  DFS$COM_ACP
  DNS$ADVER
  IPCACP
  JOB_CONTROL
  NETACP
  NET$ACP
  OPCOM
  REMACP
  SHADOW_SERVER
  SMISERVER
  SWAPPER
  TP_SERVER
  VWS$DISPLAYMGR
  VWS$EMULATORS

Use the SET AUDIT/NOEXCLUDE command to remove a process from the process exclusion list; however, the processes listed above cannot be removed from the exclusion list. Also note that PIDs are not automatically removed from the process exclusion list when processes log out of the system.
1.10 /FAILURE_MODE
/FAILURE_MODE[=keyword]

This qualifier is obsolete. On Alpha, specifies how the OpenVMS system proceeds following a failed attempt to write a security alarm to the operator communication process's (OPCOM's) mailbox. Specify one of the following keywords with the /FAILURE_MODE qualifier:

  CRASH
      Forces a system failure if security alarms cannot be written.
  IGNORE
      Indicates that failing security alarms are to be ignored. The first failed alarm causes an error message to be written to the operator console and log file. The system maintains a count of the lost alarms, which can be displayed with the SHOW AUDIT command.
  WAIT
      Indicates that processes are placed in the MWAIT state to wait until the resource is available. This is the default.

The /ALARM qualifier is required when specifying an audit failure mode.
1.11 /INTERVAL
/INTERVAL=(keyword[,...])

Specifies the delta times to be used for regular audit server operations. For information about specifying delta times, see the OpenVMS User's Manual. The following keywords are available with the /INTERVAL qualifier:

  ARCHIVE_FLUSH=time
      Specifies the interval at which data collected by the audit server is written to the archive file. The default is 1 minute.
  JOURNAL_FLUSH=time
      Specifies the interval at which data collected by the audit server is written to the audit log file. The default is 5 minutes.
  RESOURCE_MONITOR=time
      Specifies the interval at which the audit server retries log file allocation or access. This interval applies whenever free space in the log file is below either the warning or action thresholds, or when the volume holding the log file is inaccessible. The default interval is 5 minutes.
  RESUME_SCAN=time
      Specifies the interval at which the audit server reviews an existing resource exhaustion condition. The default is 15 minutes.
1.12 /JOURNAL
/JOURNAL[=journal-name]

Specifies the name of the audit journal; the name defaults to SECURITY. (Currently, there is only one journal.) The /JOURNAL qualifier is required when redefining the audit log file or when specifying resource monitoring characteristics with the /RESOURCE or the /THRESHOLD qualifier.
1.13 /LISTENER
/LISTENER=device
/NOLISTENER

Specifies the name of a mailbox device to which the audit server sends a binary copy of all security audit event messages. Users can create such a mailbox to process system security events as they occur. For a description of the message formats written to the listener mailbox, see the Audit Analysis Utility documentation in the VSI OpenVMS System Management Utilities Reference Manual. Use the SET AUDIT/NOLISTENER command to disable a listener device.
1.14 /RESOURCE
/RESOURCE=keyword[,...]

Enables or disables the monitoring of disk volumes to ensure adequate space for audit journal entries; it also specifies the monitoring method to use. The /JOURNAL qualifier is required. For more information about resource monitoring, see the VSI OpenVMS Guide to System Security.

  DISABLE
      Disables monitoring on the disk volume containing the audit journal.
  ENABLE
      Enables resource monitoring on the disk volume containing the audit journal.
  MONITOR_MODE=mode
      This keyword is obsolete. Specifies the method the audit server uses to monitor available resources. Specify one of the following keywords:
        COUNT       Controls whether resource monitoring is based on the amount of free disk space required to store a fixed number of event messages.
        PERCENTAGE  Controls whether resource monitoring is based on the percentage of the disk volume or volume set available.
        SPACE       Controls whether resource monitoring is based on the number of free blocks on the disk. This is the default method used for resource monitoring.
        TIME        Controls whether resource monitoring is based on the amount of free disk space needed to store events that occur over a fixed period of time (in seconds).
1.15 /SERVER
/SERVER=keyword[,...]

Modifies audit server characteristics. The following keywords are available with the /SERVER qualifier:

  CREATE_SYSTEM_LOG
      This keyword is obsolete; use SET AUDIT/SERVER=NEW_LOG. On Alpha, causes the audit server to create a new local system security audit log file. Other audit servers in the cluster are not affected. This keyword may be used by sites operating a multienvironment cluster where it may be necessary to create a new log file on a specific node in the cluster. CREATE_SYSTEM_LOG is synonymous with NEW_LOG for nonclustered systems.

  EXIT
      Initiates an audit server shutdown. This is the only method for removing the audit server process from the system; the audit server cannot be deleted or suspended.

  FINAL_ACTION=action
      Specifies the action the audit server should take when it runs out of memory and cannot buffer messages. (For more information, see the discussion of message flow control in the VSI OpenVMS Guide to System Security.) Specify one of the following actions:
        CRASH                Crash the system if the audit server runs out of memory.
        IGNORE_NEW           Ignore new event messages until memory is available. New event messages are lost, but event messages in memory are saved.
        PURGE_OLD (default)  Remove old event messages until memory is available for the most current messages.

  FLUSH
      Copies all buffered audit and archive records to the security audit log file and security archive file, respectively.

  INITIATE
      Enables auditing during system startup. Ordinarily, auditing is started from VMS$LPBEGIN in STARTUP.COM, but if a site redefines the logical name SYS$AUDIT_SERVER_INHIBIT, the OpenVMS system waits for a SET AUDIT/SERVER=INITIATE command before enabling auditing.

  NEW_LOG
      Creates a new clusterwide audit log file. Typically, this is used daily to generate a new version of the audit log file. The following sequence of commands can be used to reset the space monitoring thresholds and then recreate the auditing log, thereby creating a smaller log file:

        $ SET AUDIT /JOURNAL=SECURITY /THRESHOLD=WARN=200
        $ SET AUDIT /SERVER=NEW_LOG

      By default, the size of the new auditing log file is based on the size of the previous auditing logs.

  REDIRECT_SYSTEM_LOG
      This keyword is obsolete; use SET AUDIT/SERVER=NEW_LOG. On Alpha, causes the audit server on the local node to redirect security event messages to a new audit log file, whose location was defined previously by the /DESTINATION qualifier. Audit server processes (and log files) on other nodes in the cluster are unaffected.

  RESUME
      Requests the audit server process to resume normal activity on the system, if adequate disk space is available. Normally, once the resource monitoring action threshold has been reached, the audit server process suspends most system activity and waits 15 minutes before attempting to resume normal system activity.

  START
      Starts the audit server process on the system. To fully enable the auditing subsystem, the SET AUDIT/SERVER=INITIATE command must be used after the SET AUDIT/SERVER=START command has completed. VSI recommends using the following command procedure to start the audit server:

        $ @SYS$SYSTEM:STARTUP AUDIT_SERVER
1.16 /THRESHOLD
/THRESHOLD=type=value

Specifies threshold values used in monitoring available space in the audit log file. The auditing system issues advisory messages to central and security operators whenever free space in the audit log file falls below the WARNING threshold. The auditing system suspends processes that generate audit events when free disk space is below the action threshold. (See /RESOURCE=[enable|disable].) The /JOURNAL qualifier is required. The following types of thresholds are available:

  WARNING=value
      Specifies the threshold at which the audit server notifies all security operator terminals that resources are getting low.
  ACTION=value
      Specifies the threshold at which the audit server starts suspending processes that are generating audit records. (Certain processes are immune to this; see the VSI OpenVMS Guide to System Security.)
  RESUME=value
      This keyword is obsolete. Specifies the threshold at which the audit server resumes normal system activity.

The default warning and action values for each monitoring mode are:

  Mode        Warning      Action
  Blocks      100          25
  Delta time  2 00:00:00   0 00:30:00
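The procedure below is an added example, not part of the VSI documentation, that ties together the /RESOURCE, /THRESHOLD, /EXCLUDE and /SERVER=NEW_LOG descriptions into a daily log-rotation job. The file name AUDIT_LOG_ROTATE.COM and the threshold value chosen are assumptions for illustration.

```dcl
$! AUDIT_LOG_ROTATE.COM -- constructed example, not part of the VSI documentation.
$! Intended to run daily from a batch queue. Requires the SECURITY privilege.
$ ON ERROR THEN EXIT
$!
$! Watch free space on the volume holding the journal. /JOURNAL is required
$! with /RESOURCE and /THRESHOLD; the default monitoring mode is free blocks.
$ SET AUDIT/JOURNAL=SECURITY/RESOURCE=ENABLE/VERIFY
$!
$! Raise the warning threshold above the 100-block default so security
$! operators hear about a filling volume well before the action threshold
$! (left at the 25-block default) starts suspending audit-generating processes.
$ SET AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=500/VERIFY
$!
$! This job must not itself be suspended by flow control while it rotates
$! the log, so add its own PID to the exclusion list for the run.
$ PID = F$GETJPI("","PID")
$ SET AUDIT/EXCLUDE='PID'
$!
$! Write out buffered records, then open a new clusterwide log file. By
$! default the new file is sized from the previous logs.
$ SET AUDIT/SERVER=FLUSH/VERIFY
$ SET AUDIT/SERVER=NEW_LOG/VERIFY
$ SHOW AUDIT/JOURNAL
$!
$! PIDs are not dropped from the exclusion list at logout, so remove this
$! one explicitly before the job ends.
$ SET AUDIT/NOEXCLUDE='PID'
$ EXIT
```

Because the exclusion list persists across logouts, the /NOEXCLUDE step is what keeps a stale PID from later exempting an unrelated process that happens to reuse it.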
1.17 /VERIFY
Do not return the dollar sign ($) prompt until the audit server completes the command. Associated qualifiers determine which of the following actions occur:

  o Redefinition of auditing events
  o Redefinition of the audit log file or the archive file
  o Modification of the audit server's operational characteristics
  o Modification of resource monitoring attributes

If you do not want to wait for the command to complete, specify /NOVERIFY.
2 – Examples
1. $ SET AUDIT/AUDIT/ENABLE= -
   _$ (CREATE,ACCESS=(SYSPRV,BYPASS),DEACCESS)/CLASS=FILE
   $ SHOW AUDIT/AUDIT
   System security audits currently enabled for:
     .
     .
     .
     FILE access:
       Failure:  read,write,execute,delete,control
       SYSPRV:   read,write,execute,delete,control
       BYPASS:   read,write,execute,delete,control
       Other:    create,deaccess

   The SET AUDIT command in this example enables auditing of file creation and file deaccess; it also enables auditing for any file access done by using either SYSPRV or BYPASS privilege.

2. $ SET AUDIT/JOURNAL=SECURITY/DESTINATION=AUDIT$:[AUDIT]TURIN
   $ SET AUDIT/SERVER=NEW
   $ SHOW AUDIT/JOURNAL
   List of audit journals:
     Journal name:   SECURITY
     Journal owner:  (system audit journal)
     Destination:    AUDIT$:[AUDIT]TURIN.AUDIT$JOURNAL

   The SET AUDIT command in this example demonstrates how to switch to a new journal.

3. $ SET AUDIT/SERVER=FINAL=CRASH
   $ SHOW AUDIT/SERVER
   Security auditing server characteristics:
     Database version:       4.4
     Backlog (total):        100, 200, 300
     Backlog (process):      5, 2
     Server processing intervals:
       Archive flush:        0 00:01:00.00
       Journal flush:        0 00:05:00.00
       Resource scan:        0 00:05:00.00
     Final resource action:  crash system

   The SET AUDIT command in this example changes the audit server's final action setting so the system crashes when the audit server runs out of memory.

4. $ SET AUDIT/ARCHIVE/DESTINATION=SYS$SPECIFIC:[SYSMGR]TURIN-ARCHIVE
   $ SHOW AUDIT/ARCHIVE
   Security archiving information:
     Archiving events:       system audits
     Archive destination:    SYS$SPECIFIC:[SYSMGR]TURIN-ARCHIVE.AUDIT$JOURNAL

   The SET AUDIT command in this example enables a node-specific archive file.

5. $ SET AUDIT/JOURNAL/RESOURCE=ENABLE
   $ SHOW AUDIT/JOURNAL
   List of audit journals:
     Journal name:   SECURITY
     Journal owner:  (system audit journal)
     Destination:    SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL
     Monitoring:     enabled
       Warning thresholds,  Block count: 100   Duration: 2 00:00:00.0
       Action thresholds,   Block count: 25    Duration: 0 00:30:00.0

   The SET AUDIT command in this example enables disk monitoring and switches the mode so the disk space is monitored in terms of time rather than free blocks.