![[Digital logo]](../../IMAGES/DIGITAL-LOGO.GIF){kind=logo}
![[HR]](../../IMAGES/REDBAR.GIF)
| FILE=filename |
Specifies the name of the installed file. You can represent all or part
of the name with a wildcard.
Note that on Alpha systems prior to Version 6.1 and on VAX systems prior to Version 6.0, audit log files record the installed file name within an object name packet. To select the installed file, you must use the expression OBJECT=(NAME=object-name) instead of FILE=filename. |
| FLAGS=flag-name | Specifies the names of the flags, which correspond to qualifiers of the Install utility (INSTALL); for example, OPEN corresponds to /OPEN. |
| PRIVILEGES=privilege-name | Specifies the names of the privileges with which the file was installed. |
| USERNAME=username | Specifies the name of the local account. You can represent all or part of the name with a wildcard. |
The names NOLABEL and FOREIGN each point to the FOREIGN flag. The reason for this is that the MOUNT/NOLABEL and MOUNT/FOREIGN commands each set the FOREIGN flag. Therefore, if you used MOUNT/NOLABEL, and you use ANALYZE/AUDIT/SELECT/MOUNT_FLAGS=NOLABEL, the audit record will display the FOREIGN flag.
| CLASS=class-name | Specifies the general object class as one of the following: |
|
Capability
Device Event_cluster File Group_global_section Logical_name_table Queue Resource_domain Security_class System_global_section Volume |
|
| You must enter the full class name (for example, CLASS=logical_name_table) or use wildcard characters to supply a portion of the class name (for example, CLASS=log*). | |
| NAME=object-name | Specifies the name of the object. You can represent all or part of the name with a wildcard. If you do not use a wildcard, specify the full object name (for example, BOSTON$DUA0:[RWOODS]MEMO.MEM;1). |
| OWNER=value | Specifies the UIC or general identifier of the object. |
| TYPE=type | Specifies the general object class (type of object). The available classes are as follows: |
|
Capability
Device File Group_global_section Logical_name_table Queue System_global_section |
|
| The CLASS keyword supersedes the TYPE keyword. However, TYPE is required to select audit records in files created prior to OpenVMS Alpha Version 6.1 and OpenVMS VAX Version 6.0. |
| IDENTIFICATION=value | Specifies the process identifier (PID) of the parent process. |
| NAME=process-name | Specifies the name of the parent process. You can represent all or part of the name with a wildcard. |
| OWNER=value | Specifies the owner (identifier value) of the parent process. |
| USERNAME=username | Specifies the user name of the parent process. You can represent all or part of the name with a wildcard. |
| IDENTIFICATION=value | Specifies the PID of the process. |
| NAME=process-name | Specifies the name of the process. You can represent all or part of the name with a wildcard. |
| ASSOCIATION_NAME=IPC-name | Specifies the interprocess communication (IPC) association name. |
| LINK_IDENTIFICATION=value | Specifies the number of the DECnet logical link. |
| IDENTIFICATION=value | Specifies the DECnet node address. |
| NODENAME=node-name | Specifies the DECnet node name. You can represent all or part of the name with a wildcard. |
| USERNAME=username | Specifies the remote user name. You can represent all or part of the remote user name with a wildcard. |
| SUCCESSFUL | Specifies any success status. |
| FAILURE | Specifies any failure status. |
| CODE=(value,...) | Specifies a specific completion status. |
Refer to Table F-2 for valid subtype values.
| IDENTIFICATION=value | Specifies the numeric identification of the system. |
| NAME=nodename | Specifies the node name of the system. |
On VAX systems, it also can specify the DECnet transport name (NSP).
Examples
$ ANALYZE/AUDIT /FULL/SELECT=USERNAME=JOHNSON - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$ ANALYZE/AUDIT/FULL/SELECT=PRIVILEGES_USED=(SYSPRV,- _$ BYPASS) SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$ ANALYZE/AUDIT/FULL/EVENT=SYSUAF/SELECT= -
_$ IMAGE=("*:[SYS*SYSEXE]SETP0.EXE","*:[SYS*SYSEXE]LOGINOUT.EXE") -
_$ SYS$MANAGER:SECURITY
The following is a command procedure that you could run at midnight
to select all SYSUAF, AUDIT, and BREAKIN events (excluding password
changes) and mail the result to the system manager:
$! DAILY_AUDIT.COM
$
$ mail_list = "SYSTEM"
$ audsrv$_noselect = %X003080A0
$ audit_events = "SYSUAF,BREAKIN,AUDIT"
$
$ analyze /audit /full -
/event=('audit_events') -
/output=audit.tmp -
/ignore=image=("*:[SYS*SYSEXE]SETP0.EXE","*:[SYS*SYSEXE]LOGINOUT.EXE") -
sys$manager:SECURITY.AUDIT$JOURNAL
$
$ status = $status
$ if (status.and.%XFFFFFFF) .eq. audsrv$_noselect then goto no_records
$ if .not. status then goto error_analyze
$ if f$file("audit.tmp","eof") .eq. 0 then goto no_records
$ mail /subject="''audit_events' listing from ''f$time()'" -
audit.tmp 'mail_list'
$ goto new_log
$
$ no_records:
$ mail /subject="No interesting security events" nl: 'mail_list'
$
$ new_log:
$ if f$search("audit.tmp") .nes. "" then delete audit.tmp;*
$ set audit /server=new_log
$ rename sys$manager:SECURITY.AUDIT$JOURNAL;-1 -
sys$common:[sysmgr]'f$element(0," ",f$edit(f$time(),"TRIM"))'
$ exit
$
$ error_analyze:
$ mail/subj="Error analyzing auditing information" nl: 'mail_list'
$ exit
Indicates the utility must operate on records dated with the specified time or after the specified time.
/SINCE [=time]
/NOSINCE
time
Specifies the time used to select records. Records dated the same or later than the specified time are selected. You can specify an absolute time, a delta time, or a combination of the two. Observe the syntax rules for date and time described in the OpenVMS User's Manual.If you specify /SINCE without the time, the utility uses the beginning of the current day.
Examples
$ ANALYZE/AUDIT /SINCE=25-NOV-1995 - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$ ANALYZE/AUDIT /SINCE=25-NOV-1995:15:00 - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
Specifies that a summary of the selected records be produced after all records are processed.You can use the /SUMMARY qualifier alone or in combination with the /BRIEF, the /BINARY, or the /FULL qualifier.
/SUMMARY =presentation
/NOSUMMARY
presentation
Specifies the presentation of the summary. If you do not specify a presentation criterion, ANALYZE/AUDIT summarizes the number of audits.You can specify either of the following presentations:
COUNT
Lists the total number of audit messages for each class of security event that have been extracted from the security audit log file. This is the default.PLOT
Displays a plot showing the class of the audit event, the time of day when the audit was generated, and the name of the system where the audit was generated.
$ ANALYZE/AUDIT/SUMMARY SYS$MANAGER:SECURITY.AUDIT$JOURNAL
Total records read: 9701 Records selected: 9701 Record buffer size: 1031 Successful logins: 542 Object creates: 1278 Successful logouts: 531 Object accesses: 3761 Login failures: 35 Object deaccesses: 2901 Breakin attempts: 2 Object deletes: 301 System UAF changes: 10 Volume (dis)mounts: 50 Rights db changes: 8 System time changes: 0 Netproxy changes: 5 Server messages: 0 Audit changes: 7 Connections: 0 Installed db changes: 50 Process control audits: 0 Sysgen changes: 9 Privilege audits: 91 NCP command lines: 120
$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY- _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$ ANALYZE/AUDIT/FULL/EVENT_TYPE=(BREAKIN,LOGFAIL)/SUMMARY=PLOT - _$ SYS$MANAGER:SECURITY.AUDIT$JOURNAL
The utility runs interactively by default; you disable the feature with the /NOINTERACTIVE qualifier to the ANALYZE/AUDIT command. To enter interactive commands, press Ctrl/C at any time during the processing of a full or brief interactive display. At the COMMAND> prompt, you can enter any command listed in this section. Use the CONTINUE command to resume processing of the event records, or use the EXIT command to terminate the session.
Resumes processing of event records.
CONTINUE
None.
None.
COMMAND> DISPLAY/SINCE=25-JAN-1996/SELECT=USERNAME=JOHNSON COMMAND> CONTINUE
The first command in this example selects only event records generated by user JOHNSON after January 25, 1996. The second command in the example displays a report based on the new selection criteria.
Changes the criteria used to select event records.
DISPLAY
None.
For a more complete description of any one of the following qualifiers, refer to the description of the qualifier in the preceding ANALYZE/AUDIT Qualifiers section.
/BEFORE=time
Controls whether only those records dated earlier than the specified time are selected./BRIEF
Controls whether a brief (one-line-per-record) format is used in ASCII displays./EVENT_TYPE=event-type[,...]
Controls whether only those records matching the specified event type are selected./FULL
Controls whether a full format for each record is used in ASCII displays./IGNORE=criteria[,...]
Controls whether records matching the specified criteria are excluded. If you specify /IGNORE two or more times, the criteria are combined. To specify a new set of exclusion criteria, include the /REMOVE qualifier with the /IGNORE qualifier./PAUSE=seconds
For full-format displays (/FULL), specifies the length of time each record is displayed./REMOVE
Controls whether the criteria specified by the /IGNORE and the /SELECT qualifiers are no longer to be used to select event records to be displayed./SELECT=criteria[,...]
Controls whether only those records matching the specified criteria are selected. If you specify /SELECT two or more times, the criteria are combined. To specify a new set of selection criteria, include the /REMOVE qualifier with the /SELECT qualifier./SINCE[=time]
Controls whether only those records dated the same or later than the specified time are selected.
Examples
COMMAND> DISPLAY/EVENT_TYPE=SYSUAF COMMAND> CONTINUE
COMMAND> DISPLAY/SELECT=USERNAME=CRICK COMMAND> CONTINUE . . . [Ctrl/C] COMMAND> DISPLAY/SELECT=USERNAME=WATSON COMMAND> CONTINUE
Terminates the session.
EXIT
None.
None.
Provides online help information for using ANALYZE/AUDIT commands.
HELP [topic]
topic
Specifies the command for which help information is to be displayed. If you omit the keyword, HELP displays a list of available help topics and prompts you for a particular keyword.
None.
COMMAND> HELP DISPLAY
The command in this example displays help information about the DISPLAY command.
Changes the criteria used to select event records. The LIST command is synonymous with the DISPLAY command.
LIST
None.
See the description of the DISPLAY command.
COMMAND> LIST/EVENT_TYPE=SYSUAF COMMAND> CONTINUE
The first command in this example selects records that were generated as a result of a modification to the system user authorization file (SYSUAF). The second command displays the selected records.
Controls whether the current security audit log file is closed and the next log file opened. The command is useful when you supply a wildcard file specification to the ANALYZE/AUDIT command; for example *.AUDIT$JOURNAL. If there are no other audit log files to open, the audit analysis session terminates and control returns to DCL.
NEXT FILE
None.
None.
Controls whether the next audit record is displayed. The NEXT RECORD command is the default for interactive mode.This command is synonymous with the POSITION command.
NEXT RECORD
None.
None.
6048P006.HTM OSSG Documentation 26-NOV-1996 12:42:25.24
Copyright © Digital Equipment Corporation 1996. All Rights Reserved.