HELPLIB.HLB  —  ANALYZE  /AUDIT
remote user name with a wildcard.

11.44  –  REQUEST_NUMBER

    REQUEST_NUMBER=(value,...)

    Specifies the request number associated with the DCL command
    REQUEST/REPLY.

11.45  –  SECTION_NAME

    SECTION_NAME=(global-section-name,...)

    Specifies the name of the global section.

11.46  –  SENSITIVE_FIELD_NAME

    SENSITIVE_FIELD_NAME=(field-name,...)

    Specifies the name of a sensitive field, such as PASSWORD, that
    was modified. ANALYZE/AUDIT applies the SENSITIVE_FIELD_NAME
    criterion to event packets that carry both the field's original
    data and its new data; the new data is selected by the
    SENSITIVE_NEW_DATA criterion.

11.47  –  SENSITIVE_NEW_DATA

    SENSITIVE_NEW_DATA=(value,...)

    Specifies the new value of the sensitive field, that is, its
    value after the event occurred. Use this criterion together with
    the SENSITIVE_FIELD_NAME criterion.

11.48  –  SNAPSHOT_BOOTFILE

    SNAPSHOT_BOOTFILE=(filename,...)

    Specifies the name of the file containing a snapshot of the
    system.

11.49  –  SNAPSHOT_SAVE_FILENAME

    SNAPSHOT_SAVE_FILENAME=(filename,...)

    Specifies the name of the system snapshot file for a save
    operation that is in progress.

11.50  –  STATUS

    STATUS=(type,...)

    Specifies the completion status to match when selecting event
    records. Choose from the following status types:

    SUCCESSFUL             Specifies any success status.
    FAILURE                Specifies any failure status.
    CODE=(value)           Specifies a specific completion status.

    Note that if you specify CODE more than once, only the last value
    is matched.

11.51  –  SUBJECT_OWNER

    SUBJECT_OWNER=(uic,...)

    Specifies the owner (UIC) of the process causing the event.

11.52  –  SUBTYPE

    SUBTYPE=(subtype,...)

    Selects only event records whose subtype matches one of the
    specified values. The following table lists event types and
    their related subtypes. After SUBTYPE, enter the subtypes exactly
    as they appear in the list, for example, SUBTYPE=ALARM_STATE. (In
    other words, do not enter a prefix.)

    Symbols for Event Types
    and Subtypes              Meaning

    NSA$C_MSG_AUDIT           Systemwide change to auditing
          ALARM_STATE         Events enabled as alarms
          AUDIT_DISABLED      Audit events disabled
          AUDIT_ENABLED       Audit events enabled
          AUDIT_INITIATE      Audit server startup
          AUDIT_LOG_FIRST     First entry in audit log (backward
                              link)
          AUDIT_LOG_FINAL     Final entry in audit log (forward link)
          AUDIT_STATE         Events enabled as audits
          AUDIT_TERMINATE     Audit server shutdown
          SNAPSHOT_ABORT*     System snapshot attempt has aborted
          SNAPSHOT_ACCESS*    Snapshot file access/deaccess
          SNAPSHOT_SAVE*      System snapshot save in progress
          SNAPSHOT_STARTUP*   System booted from a snapshot file

          * Obsolete as of OpenVMS Version 7.1

    NSA$C_MSG_BREAKIN         Break-in attempt detected
          BATCH               Batch process
          DETACHED            Detached process
          DIALUP              Dialup interactive process
          LOCAL               Local interactive process
          NETWORK             Network server task
          REMOTE              Interactive process from another
                              network node
          SUBPROCESS          Subprocess

    NSA$C_MSG_CONNECTION      Logical link connection or termination
          CNX_ABORT           Connection aborted
          CNX_ACCEPT          Connection accepted
          CNX_DECNET_CREATE   DECnet logical link created
          CNX_DECNET_DELETE   DECnet logical link disconnected
          CNX_DISCONNECT      Connection disconnected
          CNX_INC_ABORT       Incoming connection request aborted
          CNX_INC_ACCEPT      Incoming connection request accepted
          CNX_INC_DISCONNECT  Incoming connection disconnected
          CNX_INC_REJECT      Incoming connection request rejected
          CNX_INC_REQUEST     Incoming connection request
          CNX_IPC_CLOSE       Interprocess communication association
                              closed
          CNX_IPC_OPEN        Interprocess communication association
                              opened
          CNX_REJECT          Connection rejected
          CNX_REQUEST         Connection requested

    NSA$C_MSG_INSTALL         Use of the Install utility (INSTALL)
          INSTALL_ADD         Known image installed
          INSTALL_REMOVE      Known image deleted

    NSA$C_MSG_LOGFAIL         Login failure
          See subtypes for
               NSA$C_MSG_BREAKIN

    NSA$C_MSG_LOGIN           Successful login
          See subtypes for
               NSA$C_MSG_BREAKIN

    NSA$C_MSG_LOGOUT          Successful logout
          See subtypes for
               NSA$C_MSG_BREAKIN

    NSA$C_MSG_MOUNT           Volume mount or dismount
          VOL_DISMOUNT        Volume dismount
          VOL_MOUNT           Volume mount

    NSA$C_MSG_NCP             Modification to network configuration
                              database
          NCP_COMMAND         Network Control Program (NCP) command
                              issued

    NSA$C_MSG_NETPROXY        Modification to network proxy database
          NETPROXY_ADD        Record added to network proxy
                              authorization file
          NETPROXY_DELETE     Record removed from network proxy
                              authorization file
          NETPROXY_MODIFY     Record modified in network proxy
                              authorization file

    NSA$C_MSG_OBJ_ACCESS      Object access attempted
          OBJ_ACCESS          Access attempted to create, delete, or
                              deaccess an object

    NSA$C_MSG_OBJ_CREATE      Object creation attempted
          OBJ_CREATE          Access attempted to create an object

    NSA$C_MSG_OBJ_DEACCESS    Object deaccessed
          OBJ_DEACCESS        Attempt to complete access to an object

    NSA$C_MSG_OBJ_DELETE      Object deletion attempted
          OBJ_DELETE          Object deletion attempted

    NSA$C_MSG_PROCESS         Process controlled through a system
                              service
          PRC_CANWAK          Process wakeup canceled
          PRC_CREPRC          Process created
          PRC_DELPRC          Process deleted
          PRC_FORCEX          Process exit forced
          PRC_GETJPI          Process information gathered
          PRC_GRANTID         Process identifier granted
          PRC_RESUME          Process resumed
          PRC_REVOKID         Process identifier revoked
          PRC_SCHDWK          Process wakeup scheduled
          PRC_SETPRI          Process priority altered
          PRC_SIGPRC          Process exception issued
          PRC_SUSPND          Process suspended
          PRC_TERM            Process termination notification
                              requested
          PRC_WAKE            Process wakeup issued

    NSA$C_MSG_PRVAUD          Use of privilege
          PRVAUD_FAILURE      Unsuccessful use of privilege
          PRVAUD_SUCCESS      Successful use of privilege

    NSA$C_MSG_RIGHTSDB        Modification to the rights database
          RDB_ADD_ID          Identifier added to rights database
          RDB_CREATE          Rights database created
          RDB_GRANT_ID        Identifier granted to user
          RDB_MOD_HOLDER      List of identifier holders modified
          RDB_MOD_ID          Identifier name or attributes modified
          RDB_REM_ID          Identifier removed from rights database
          RDB_REVOKE_ID       Identifier taken away from user

    NSA$C_MSG_SYSGEN          Use of the System Generation utility
                              (SYSGEN)
          SYSGEN_SET          System parameter modified

    NSA$C_MSG_SYSTIME         Modification to system time
          SYSTIM_SET          System time set
          SYSTIM_CAL          System time calibrated

    NSA$C_MSG_SYSUAF          Modification to system user
                              authorization file (SYSUAF)
          SYSUAF_ADD          Record added to system user
                              authorization file
          SYSUAF_COPY         Record added to system user
                              authorization file by copying an
                              existing record
          SYSUAF_DELETE       Record deleted from system user
                              authorization file
          SYSUAF_MODIFY       Record modified in system user
                              authorization file
          SYSUAF_RENAME       Record renamed in system user
                              authorization file

11.53  –  SYSTEM

    SYSTEM=keyword(,...)

    Specifies the characteristics of the system to be used when
    selecting event records. Choose from the following keywords:

    IDENTIFICATION=value   Specifies the numeric identification of
                           the system.
    NAME=nodename          Specifies the node name of the system.

11.54  –  SYSTEM_SERVICE_NAME

    SYSTEM_SERVICE_NAME=(service-name,...)

    Specifies the name of the system service associated with the
    event.

11.55  –  TARGET_DEVICE_NAME

    TARGET_DEVICE_NAME=(device-name,...)

    Specifies the target device name used by a process control system
    service.

11.56  –  TARGET_PROCESS_IDENTIFICATION

    TARGET_PROCESS_IDENTIFICATION=(value,...)

    Specifies the target process identifier (PID) used by a process
    control system service.

11.57  –  TARGET_PROCESS_NAME

    TARGET_PROCESS_NAME=(process-name,...)

    Specifies the target process name used by a process control
    system service.

11.58  –  TARGET_PROCESS_OWNER

    TARGET_PROCESS_OWNER=(uic,...)

    Specifies the target process owner (UIC) used by a process
    control system service.

11.59  –  TARGET_USERNAME

    TARGET_USERNAME=(username,...)

    Specifies the target user name used by a process control system
    service.

11.60  –  TERMINAL

    TERMINAL=(device-name,...)

    Specifies the name of the terminal to be used when selecting
    event records. You can represent all or part of the terminal name
    with a wildcard.

11.61  –  TRANSPORT_NAME

    TRANSPORT_NAME=(transport-name,...)

    Specifies the name of the transport: interprocess communication
    (IPC) or System Management Integrator (SMI), which handles
    requests from the System Management utility.

    On VAX systems, it also can specify the DECnet transport name
    (NSP).

11.62  –  UAF_SOURCE

    UAF_SOURCE=(record-name,...)

    Specifies the user name of the source record for an Authorize
    utility (AUTHORIZE) add, modify, or delete operation.

11.63  –  USERNAME

    USERNAME=(username,...)

    Specifies the user name to be used when selecting event records.
    You can represent all or part of the user name with a wildcard.

11.64  –  VOLUME_NAME

    VOLUME_NAME=(volume-name,...)

    Specifies the name of the mounted (or dismounted) volume to be
    used when selecting event records. You can represent all or part
    of the volume name with a wildcard.

11.65  –  VOLUME_SET_NAME

    VOLUME_SET_NAME=(volume-set-name,...)

    Specifies the name of the mounted (or dismounted) volume set to
    be used when selecting event records. You can represent all or
    part of the volume set name with a wildcard.

11.66  –  Examples

    1.$ ANALYZE/AUDIT /FULL/SELECT=USERNAME=JOHNSON -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects all records written to the
      security audit log file that were generated by user JOHNSON.

    2.$ ANALYZE/AUDIT/FULL/SELECT=PRIVILEGES_USED=(SYSPRV,-
      _$ BYPASS)  SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects all records written to the
      security audit log file that were generated by events through
      the use of either SYSPRV or BYPASS privilege.

12    /SINCE

    Indicates that the utility must operate only on records dated at
    or after the specified time.

    Format

      /SINCE[=time]

      /NOSINCE

    time

    Specifies the time used to select records. Records dated the
    same or later than the specified time are selected. You can
    specify an absolute time, a delta time, or a combination of the
    two. Observe the syntax rules for date and time described in the
    OpenVMS User's Manual.

    If you specify /SINCE without the time, the utility uses the
    beginning of the current day.

12.1  –  Examples

    1.$ ANALYZE/AUDIT /SINCE=25-NOV-2005 -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects records dated November 25,
      2005 (from midnight) or later.

    2.$ ANALYZE/AUDIT /SINCE=25-NOV-2005:15:00 -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example selects records written at or after
      3 P.M. on November 25, 2005.

13    /SUMMARY

    Specifies that a summary of the selected records be produced
    after all records are processed.

    Note that the summary is produced only after the Audit Analyzer
    has finished, that is, after all the records to be analyzed have
    been collected and processed. When you specify the /INTERACTIVE
    qualifier (which is the default), the Audit Analyzer never reaches
    the finished state because /INTERACTIVE prompts you repeatedly to
    enter another command (which might result in a new set of records
    to be analyzed).

    To use the /SUMMARY qualifier, you must also specify
    /NOINTERACTIVE, which ensures that the Audit Analyzer reaches the
    finished state in which the summary is produced and displayed
    correctly. In a future version of OpenVMS, the Audit Analyzer will
    return an error when /SUMMARY and /INTERACTIVE are specified
    together.

    You can use the /SUMMARY qualifier alone or in combination with
    the /BRIEF, the /BINARY, or the /FULL qualifier.

    Format

      /SUMMARY=presentation

      /NOSUMMARY

    presentation

    Specifies the presentation of the summary. If you do not specify
    a presentation criterion, ANALYZE/AUDIT summarizes the number of
    audits.

    You can specify either of the following presentations:

    COUNT

    Lists the total number of audit messages for each class of
    security event that have been extracted from the security audit
    log file. This is the default.

    PLOT

    Displays a plot showing the class of the audit event, the time
    of day when the audit was generated, and the name of the system
    where the audit was generated.

13.1  –  Examples

    1.$ ANALYZE/AUDIT/NOINTERACTIVE/SUMMARY -
      _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example generates a summary report of all
      records processed. /NOINTERACTIVE is required so that the Audit
      Analyzer reaches the finished state in which the summary is
      produced.

        Total records read:        9701          Records selected:          9701
        Record buffer size:        1031
        Successful logins:          542          Object creates:            1278
        Successful logouts:         531          Object accesses:           3761
        Login failures:              35          Object deaccesses:         2901
        Breakin attempts:             2          Object deletes:             301
        System UAF changes:          10          Volume (dis)mounts:          50
        Rights db changes:            8          System time changes:          0
        Netproxy changes:             5          Server messages:              0
        Audit changes:                7          Connections:                  0
        Installed db changes:        50          Process control audits:       0
        Sysgen changes:               9          Privilege audits:            91
        NCP command lines:          120

    2.$ ANALYZE/AUDIT/NOINTERACTIVE/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL) -
      _$ /SUMMARY SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      The command in this example generates a full format listing
      of all logged audit messages that match the break-in or log
      failure event classes. A summary report is included at the end
      of the listing.

    3.$ ANALYZE/AUDIT/NOINTERACTIVE/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL) -
      _$ /SUMMARY=PLOT SYS$MANAGER:SECURITY.AUDIT$JOURNAL

      This command generates a histogram that you can display on a
      character-cell terminal.