11.44 – REQUEST_NUMBER
REQUEST_NUMBER=(value,...)
Specifies the request number associated with the DCL command
REQUEST/REPLY.
11.45 – SECTION_NAME
SECTION_NAME=(global-section-name,...)
Specifies the name of the global section.
11.46 – SENSITIVE_FIELD_NAME
SENSITIVE_FIELD_NAME=(field-name,...)
Specifies the name of the field that was modified. ANALYZE/AUDIT
uses the SENSITIVE_FIELD_NAME criterion, such as PASSWORD, with
packets containing the original data and the new data (specified
by the SENSITIVE_NEW_DATA criterion).
11.47 – SENSITIVE_NEW_DATA
SENSITIVE_NEW_DATA=(value,...)
Specifies the new value of the sensitive field, that is, the value
the field holds after the event occurs. Use this criterion together
with the SENSITIVE_FIELD_NAME criterion.
11.48 – SNAPSHOT_BOOTFILE
SNAPSHOT_BOOTFILE=(filename,...)
Specifies the name of the file containing a snapshot of the
system.
11.49 – SNAPSHOT_SAVE_FILENAME
SNAPSHOT_SAVE_FILENAME=(filename,...)
Specifies the name of the system snapshot file for a save
operation that is in progress.
11.50 – STATUS
STATUS=(type,...)
Specifies the completion status that a record must carry to be
selected. Choose from the following status types:
SUCCESSFUL     Specifies any success status.
FAILURE        Specifies any failure status.
CODE=(value)   Specifies a specific completion status value.
Note that if you specify CODE more than once, only the last value
is matched.
11.51 – SUBJECT_OWNER
SUBJECT_OWNER=(uic,...)
Specifies the owner (UIC) of the process causing the event.
11.52 – SUBTYPE
SUBTYPE=(subtype,...)
Limits the selection to records whose event subtype is one of the
values specified. The following table lists the event types and
their related subtypes. After SUBTYPE, enter the subtypes exactly
as they appear in the table, for example, SUBTYPE=ALARM_STATE. (In
other words, enter the bare subtype name with no prefix.)
Symbols for Event Types
and Subtypes              Meaning

NSA$C_MSG_AUDIT           Systemwide change to auditing
  ALARM_STATE             Events enabled as alarms
  AUDIT_DISABLED          Audit events disabled
  AUDIT_ENABLED           Audit events enabled
  AUDIT_INITIATE          Audit server startup
  AUDIT_LOG_FIRST         First entry in audit log (backward link)
  AUDIT_LOG_FINAL         Final entry in audit log (forward link)
  AUDIT_STATE             Events enabled as audits
  AUDIT_TERMINATE         Audit server shutdown
  SNAPSHOT_ABORT*         System snapshot attempt has aborted
  SNAPSHOT_ACCESS*        Snapshot file access/deaccess
  SNAPSHOT_SAVE*          System snapshot save in progress
  SNAPSHOT_STARTUP*       System booted from a snapshot file
  * Obsolete as of OpenVMS Version 7.1

NSA$C_MSG_BREAKIN         Break-in attempt detected
  BATCH                   Batch process
  DETACHED                Detached process
  DIALUP                  Dialup interactive process
  LOCAL                   Local interactive process
  NETWORK                 Network server task
  REMOTE                  Interactive process from another network
                          node
  SUBPROCESS              Subprocess

NSA$C_MSG_CONNECTION      Logical link connection or termination
  CNX_ABORT               Connection aborted
  CNX_ACCEPT              Connection accepted
  CNX_DECNET_CREATE       DECnet logical link created
  CNX_DECNET_DELETE       DECnet logical link disconnected
  CNX_DISCONNECT          Connection disconnected
  CNX_INC_ABORT           Incoming connection request aborted
  CNX_INC_ACCEPT          Incoming connection request accepted
  CNX_INC_DISCONNECT      Incoming connection disconnected
  CNX_INC_REJECT          Incoming connection request rejected
  CNX_INC_REQUEST         Incoming connection request
  CNX_IPC_CLOSE           Interprocess communication association
                          closed
  CNX_IPC_OPEN            Interprocess communication association
                          opened
  CNX_REJECT              Connection rejected
  CNX_REQUEST             Connection requested

NSA$C_MSG_INSTALL         Use of the Install utility (INSTALL)
  INSTALL_ADD             Known image installed
  INSTALL_REMOVE          Known image deleted

NSA$C_MSG_LOGFAIL         Login failure
                          (See subtypes for NSA$C_MSG_BREAKIN)

NSA$C_MSG_LOGIN           Successful login
                          (See subtypes for NSA$C_MSG_BREAKIN)

NSA$C_MSG_LOGOUT          Successful logout
                          (See subtypes for NSA$C_MSG_BREAKIN)

NSA$C_MSG_MOUNT           Volume mount or dismount
  VOL_DISMOUNT            Volume dismount
  VOL_MOUNT               Volume mount

NSA$C_MSG_NCP             Modification to network configuration
                          database
  NCP_COMMAND             Network Control Program (NCP) command
                          issued

NSA$C_MSG_NETPROXY        Modification to network proxy database
  NETPROXY_ADD            Record added to network proxy
                          authorization file
  NETPROXY_DELETE         Record removed from network proxy
                          authorization file
  NETPROXY_MODIFY         Record modified in network proxy
                          authorization file

NSA$C_MSG_OBJ_ACCESS      Object access attempted
  OBJ_ACCESS              Access attempted to create, delete, or
                          deaccess an object

NSA$C_MSG_OBJ_CREATE      Object creation attempted
  OBJ_CREATE              Access attempted to create an object

NSA$C_MSG_OBJ_DEACCESS    Object deaccessed
  OBJ_DEACCESS            Attempt to complete access to an object

NSA$C_MSG_OBJ_DELETE      Object deletion attempted
  OBJ_DELETE              Object deletion attempted

NSA$C_MSG_PROCESS         Process controlled through a system
                          service
  PRC_CANWAK              Process wakeup canceled
  PRC_CREPRC              Process created
  PRC_DELPRC              Process deleted
  PRC_FORCEX              Process exit forced
  PRC_GETJPI              Process information gathered
  PRC_GRANTID             Process identifier granted
  PRC_RESUME              Process resumed
  PRC_REVOKID             Process identifier revoked
  PRC_SCHDWK              Process wakeup scheduled
  PRC_SETPRI              Process priority altered
  PRC_SIGPRC              Process exception issued
  PRC_SUSPND              Process suspended
  PRC_TERM                Process termination notification
                          requested
  PRC_WAKE                Process wakeup issued

NSA$C_MSG_PRVAUD          Use of privilege
  PRVAUD_FAILURE          Unsuccessful use of privilege
  PRVAUD_SUCCESS          Successful use of privilege

NSA$C_MSG_RIGHTSDB        Modification to the rights database
  RDB_ADD_ID              Identifier added to rights database
  RDB_CREATE              Rights database created
  RDB_GRANT_ID            Identifier granted to user
  RDB_MOD_HOLDER          List of identifier holders modified
  RDB_MOD_ID              Identifier name or attributes modified
  RDB_REM_ID              Identifier removed from rights database
  RDB_REVOKE_ID           Identifier taken away from user

NSA$C_MSG_SYSGEN          Use of the System Generation utility
                          (SYSGEN)
  SYSGEN_SET              System parameter modified

NSA$C_MSG_SYSTIME         Modification to system time
  SYSTIM_SET              System time set
  SYSTIM_CAL              System time calibrated

NSA$C_MSG_SYSUAF          Modification to system user authorization
                          file (SYSUAF)
  SYSUAF_ADD              Record added to system user authorization
                          file
  SYSUAF_COPY             Record added to system user authorization
                          file
  SYSUAF_DELETE           Record deleted from system user
                          authorization file
  SYSUAF_MODIFY           Record modified in system user
                          authorization file
  SYSUAF_RENAME           Record renamed in system user
                          authorization file
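The following DCL command procedure is an added example of combining
the subtypes in the table with the other /SELECT criteria described
in this section (STATUS, TARGET_USERNAME) and with /EVENT_TYPE and
/SINCE. It is not part of the OpenVMS help text or of the OpenVMS
distribution. It assumes the default audit log
SYS$MANAGER:SECURITY.AUDIT$JOURNAL used in the examples above, the
standard /OUTPUT qualifier (not described in this section), the
YESTERDAY absolute-time keyword, and output file names and subtype
choices of its own.

```dcl
$! AUDIT_TRIAGE.COM - pull the records a reviewer wants to read first
$! out of the security audit log, one listing per question.
$! Added example; the file names and the choice of subtypes are
$! assumptions, not taken from the help text.
$ SET NOON
$ log   = "SYS$MANAGER:SECURITY.AUDIT$JOURNAL"
$ since = "YESTERDAY"        ! absolute-time keyword, see /SINCE
$!
$! Subtype lists kept in symbols so each command line stays readable.
$ uaf_subtypes   = "SYSUAF_ADD,SYSUAF_COPY,SYSUAF_DELETE,SYSUAF_MODIFY,SYSUAF_RENAME"
$ proxy_subtypes = "NETPROXY_ADD,NETPROXY_DELETE,NETPROXY_MODIFY"
$ rdb_subtypes   = "RDB_GRANT_ID,RDB_REVOKE_ID,RDB_MOD_HOLDER"
$!
$! 1. Break-in attempts that arrived over the network or a dialup
$!    line. BATCH, LOCAL, NETWORK and the rest are shared by the
$!    LOGIN, LOGFAIL and BREAKIN event types, so narrow the event
$!    type first and the subtype second.
$ ANALYZE/AUDIT/FULL/NOINTERACTIVE/SINCE='since' -
      /EVENT_TYPE=BREAKIN -
      /SELECT=SUBTYPE=(NETWORK,REMOTE,DIALUP) -
      /OUTPUT=BREAKIN_REMOTE.LIS 'log'
$!
$! 2. Changes to the authorization databases (SYSUAF, NETPROXY and
$!    the rights database). These subtype names are unique across
$!    event types, so SUBTYPE alone selects the right records.
$ ANALYZE/AUDIT/FULL/NOINTERACTIVE/SINCE='since' -
      /SELECT=SUBTYPE=('uaf_subtypes','proxy_subtypes','rdb_subtypes') -
      /OUTPUT=AUTH_CHANGES.LIS 'log'
$!
$! 3. Unsuccessful use of privilege, filtered two ways at once: the
$!    PRVAUD_FAILURE subtype and a FAILURE completion status. Every
$!    criterion in the /SELECT list must match for a record to be
$!    selected.
$ ANALYZE/AUDIT/FULL/NOINTERACTIVE/SINCE='since' -
      /SELECT=(SUBTYPE=PRVAUD_FAILURE,STATUS=FAILURE) -
      /OUTPUT=PRIV_FAILURES.LIS 'log'
$!
$! 4. Process-control services aimed at the SYSTEM account: who
$!    deleted, suspended or forced the exit of a process whose
$!    target user name is SYSTEM.
$ ANALYZE/AUDIT/FULL/NOINTERACTIVE/SINCE='since' -
      /SELECT=(SUBTYPE=(PRC_DELPRC,PRC_FORCEX,PRC_SUSPND),TARGET_USERNAME=SYSTEM) -
      /OUTPUT=PRC_AGAINST_SYSTEM.LIS 'log'
$ EXIT
```

Run it as @AUDIT_TRIAGE from an account that can read the audit
journal, then review the four .LIS files. /NOINTERACTIVE is given
on every command so that the procedure never stops at the Audit
Analyzer's command prompt when run from a batch job.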
11.53 – SYSTEM
SYSTEM=keyword(,...)
Specifies the characteristics of the system to be used when
selecting event records. Choose from the following keywords:
IDENTIFICATION=value   Specifies the numeric identification of
                       the system.
NAME=nodename          Specifies the node name of the system.
11.54 – SYSTEM_SERVICE_NAME
SYSTEM_SERVICE_NAME=(service-name,...)
Specifies the name of the system service associated with the
event.
11.55 – TARGET_DEVICE_NAME
TARGET_DEVICE_NAME=(device-name,...)
Specifies the target device name used by a process control system
service.
11.56 – TARGET_PROCESS_IDENTIFICATION
TARGET_PROCESS_IDENTIFICATION=(value,...)
Specifies the target process identifier (PID) used by a process
control system service.
11.57 – TARGET_PROCESS_NAME
TARGET_PROCESS_NAME=(process-name,...)
Specifies the target process name used by a process control
system service.
11.58 – TARGET_PROCESS_OWNER
TARGET_PROCESS_OWNER=(uic,...)
Specifies the target process owner (UIC) used by a process
control system service.
11.59 – TARGET_USERNAME
TARGET_USERNAME=(username,...)
Specifies the target user name used by a process control system
service.
11.60 – TERMINAL
TERMINAL=(device-name,...)
Specifies the name of the terminal to be used when selecting
event records. You can represent all or part of the terminal name
with a wildcard.
11.61 – TRANSPORT_NAME
TRANSPORT_NAME=(transport-name,...)
Specifies the name of the transport: interprocess communication
(IPC) or System Management Integrator (SMI), which handles
requests from the System Management utility.
On VAX systems, it can also specify the DECnet transport name
(NSP).
11.62 – UAF_SOURCE
UAF_SOURCE=(record-name,...)
Specifies the user name of the source record for an Authorize
utility (AUTHORIZE) add, modify, or delete operation.
11.63 – USERNAME
USERNAME=(username,...)
Specifies the user name to be used when selecting event records.
You can represent all or part of the user name with a wildcard.
11.64 – VOLUME_NAME
VOLUME_NAME=(volume-name,...)
Specifies the name of the mounted (or dismounted) volume to be
used when selecting event records. You can represent all or part
of the volume name with a wildcard.
11.65 – VOLUME_SET_NAME
VOLUME_SET_NAME=(volume-set-name,...)
Specifies the name of the mounted (or dismounted) volume set to
be used when selecting event records. You can represent all or
part of the volume set name with a wildcard.
11.66 – Examples
1.$ ANALYZE/AUDIT /FULL/SELECT=USERNAME=JOHNSON -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example selects all records written to the
security audit log file that were generated by user JOHNSON.
2.$ ANALYZE/AUDIT/FULL/SELECT=PRIVILEGES_USED=(SYSPRV,-
_$ BYPASS) SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example selects all records written to the
security audit log file that were generated by events through
the use of either SYSPRV or BYPASS privilege.
12 /SINCE
Indicates the utility must operate on records dated with the
specified time or after the specified time.
Format
/SINCE[=time]
/NOSINCE
time
Specifies the time used to select records. Records dated the
same or later than the specified time are selected. You can
specify an absolute time, a delta time, or a combination of the
two. Observe the syntax rules for date and time described in the
OpenVMS User's Manual.
If you specify /SINCE without the time, the utility uses the
beginning of the current day.
12.1 – Examples
1.$ ANALYZE/AUDIT /SINCE=25-NOV-2005 -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example selects records dated at or after
the start of November 25, 2005 (00:00 on that day).
2.$ ANALYZE/AUDIT /SINCE=25-NOV-2005:15:00 -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example selects records written at or after
3 P.M. on November 25, 2005.
13 /SUMMARY
Specifies that a summary of the selected records be produced
after all records are processed.
Note that /SUMMARY processing runs only after the Audit Analyzer
has finished, that is, after all the records to be analyzed have
been collected and processed. When you specify the /INTERACTIVE
qualifier (which is the default), the Audit Analyzer never reaches
the finished state, because /INTERACTIVE prompts you repeatedly to
enter another command (which might result in a new set of records
to be analyzed).
To use the /SUMMARY qualifier, therefore, also specify
/NOINTERACTIVE, which ensures that the Audit Analyzer reaches the
finished state in which the summary can be produced and the
proper information displayed. In a future version of OpenVMS, the
Audit Analyzer will return an error when /SUMMARY and /INTERACTIVE
are specified together.
You can use the /SUMMARY qualifier alone or in combination with
the /BRIEF, the /BINARY, or the /FULL qualifier.
Format
/SUMMARY=presentation
/NOSUMMARY
presentation
Specifies the presentation of the summary. If you do not specify
a presentation, ANALYZE/AUDIT uses COUNT and reports the number of
audit records in each event class.
You can specify either of the following presentations:
COUNT
Lists the total number of audit messages for each class of
security event that have been extracted from the security audit
log file. This is the default.
PLOT
Displays a plot showing the class of the audit event, the time
of day when the audit was generated, and the name of the system
where the audit was generated.
13.1 – Examples
1.$ ANALYZE/AUDIT/SUMMARY SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example generates a summary report of all
records processed.
Total records read:        9701    Records selected:          9701
Record buffer size:        1031
Successful logins:          542    Object creates:            1278
Successful logouts:         531    Object accesses:           3761
Login failures:              35    Object deaccesses:         2901
Breakin attempts:             2    Object deletes:             301
System UAF changes:          10    Volume (dis)mounts:          50
Rights db changes:            8    System time changes:          0
Netproxy changes:             5    Server messages:              0
Audit changes:                7    Connections:                  0
Installed db changes:        50    Process control audits:       0
Sysgen changes:               9    Privilege audits:            91
NCP command lines:          120
2.$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The command in this example generates a full format listing
of all logged audit messages that match the break-in or log
failure event classes. A summary report is included at the end
of the listing.
3.$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY=PLOT -
_$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
This command generates a histogram that you can display on a
character-cell terminal.
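The following DCL command procedure is an added example of using
/SUMMARY=COUNT from a batch job, with the /NOINTERACTIVE qualifier
that the note above requires, and then reading the summary back to
raise an alert. It is not part of the OpenVMS help text or of the
OpenVMS distribution. It assumes the default audit log from the
examples above, the standard /OUTPUT qualifier (not described in
this section), the YESTERDAY time keyword, that the COUNT summary
is laid out as in Example 1 (two "label: count" pairs per line), and
report file name, thresholds and mail recipient of its own.

```dcl
$! AUDIT_DAILY_SUMMARY.COM - nightly COUNT summary of the security
$! audit log with a threshold check on break-in attempts and login
$! failures. Added example, not from the OpenVMS help text; the file
$! names, thresholds and mail recipient are assumptions.
$ SET NOON
$ log    = "SYS$MANAGER:SECURITY.AUDIT$JOURNAL"
$ report = "SYS$MANAGER:AUDIT_SUMMARY.LIS"
$ max_login_failures = 20     ! assumed site threshold
$!
$! /NOINTERACTIVE is required: the summary is produced only when the
$! analyzer reaches its finished state, which never happens under the
$! default /INTERACTIVE. /BRIEF keeps the per-record lines short; the
$! summary block follows them at the end of the listing.
$ ANALYZE/AUDIT/BRIEF/NOINTERACTIVE/SINCE=YESTERDAY/SUMMARY=COUNT -
      /OUTPUT='report' 'log'
$!
$! Read the report back. A COUNT summary line carries up to two
$! "label: count" pairs side by side, so locate the label and take
$! the first token after it instead of relying on a fixed column.
$ breakins = 0
$ logfails = 0
$ OPEN/READ rpt 'report'
$ read_loop:
$   READ/END_OF_FILE=done rpt line
$   label = "Breakin attempts:"
$   GOSUB count_after_label
$   IF count .GE. 0 THEN breakins = count
$   label = "Login failures:"
$   GOSUB count_after_label
$   IF count .GE. 0 THEN logfails = count
$   GOTO read_loop
$ done:
$ CLOSE rpt
$!
$ IF breakins .GT. 0 .OR. logfails .GT. max_login_failures
$ THEN
$   WRITE SYS$OUTPUT "Break-in attempts: ''breakins'  Login failures: ''logfails'"
$   MAIL/SUBJECT="Security audit summary needs review" 'report' SYSTEM
$ ENDIF
$ EXIT
$!
$! count_after_label: sets COUNT to the integer that follows LABEL
$! in LINE, or to -1 if LABEL does not occur in LINE.
$ count_after_label:
$   count = -1
$   pos = F$LOCATE(label, line)
$   IF pos .EQ. F$LENGTH(line) THEN RETURN
$   rest = F$EDIT(F$EXTRACT(pos + F$LENGTH(label), 255, line), "TRIM,COMPRESS")
$   count = F$INTEGER(F$ELEMENT(0, " ", rest))
$   RETURN
```

Submit it as a nightly batch job. Against the summary shown in
Example 1 the procedure would extract 2 break-in attempts and 35
login failures and send the report, because any break-in attempt,
or more than the assumed 20 login failures, is treated as worth a
human look.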