OpenVMS System Management Utilities Reference Manual

ANALYZE/DISK_STRUCTURE has completed the first two stages, and is beginning Stage 3. Stage 1 involves collection and verification of various volume information. ANALYZE/DISK_STRUCTURE found no problems with volume information. In Stage 2, ANALYZE/DISK_STRUCTURE copies the current version of QUOTA.SYS to working memory, and builds the structure on which a new copy is built during subsequent stages. The first error message is produced by Stage 3. Stage 3 uses the reserved file INDEXF.SYS to locate a variety of file problems. Here, Stage 3 detects a number of invalid file headers. Note that the error message includes the FID and the file name.
This error message is produced during Stage 4, during which ANALYZE/DISK_STRUCTURE builds a current version of BITMAP.SYS, resolves multiple references to extension headers, and corrects discrepancies in the map sections of headers. Here, ANALYZE/DISK_STRUCTURE has found that the specified logical blocks on the specified relative volume were marked allocated in the storage bit map, but were not allocated to a file.
This message marks the beginning of Stage 5. Here, messages stating "lost extension file header" and "invalid file header" indicate that ANALYZE/DISK_STRUCTURE is performing a pass of all entries placed on the invalid backlink map. This map was created in Stage 3.
This message marks the beginning of the second phase of Stage 5, in which ANALYZE/DISK_STRUCTURE confirms that all files in INDEX.SYS are retrievable through the directory structure. Here, the series of "invalid file identification..." messages indicates those directory entries that did not contain a valid file identification.
This message is produced by Stage 6, which is essentially a cleanup phase for lost files. This message indicates that ANALYZE/DISK_STRUCTURE encountered errors during the directory scan that were reported in previous messages. As a result, the file is not entered in directory [SYSLOST].
Here, ANALYZE/DISK_STRUCTURE begins Stage 7, in which it compares values stored in the quota file built during Stage 2 with values in the reserved file QUOTA.SYS. The last three messages here indicate discrepancies between the two files.
Note that no messages were produced during Stage 8. During Stage 8, ANALYZE/DISK_STRUCTURE executes all operations placed on the deferred list, and if you specified /REPAIR, updates QUOTA.SYS and VOLSET.SYS as necessary.

Appendix E
ANALYZE/DISK_STRUCTURE---Usage File

When you specify the /USAGE qualifier, ANALYZE/DISK_STRUCTURE creates a disk usage accounting file. The first record of this file, the identification record, contains a summary of the disk and volume characteristics. The identification record is followed by many file summary records, one record for each file on the disk. Each file summary record contains the owner, size, and name of a file.

The identification record is characterized by the type code USG$K_IDENT in the USG$B_TYPE field of the record. Table E-1 contains a description of all the fields in this record.

Table E-1 Identification Record Format (Length USG$K_IDENT_LEN)
Field Meaning

USG$L_SERIALNUM Serial number of the volume. This is an octal longword value.

USG$T_STRUCNAM Volume set name (if the volume is part of a volume set). For a Files-11 Structure Level 1 volume, this field contains binary zeros; for a Files-11 Structure Level 2 volume that is not part of a volume set, this field contains spaces. The length of this field is USG$S_STRUCNAME.

USG$T_VOLNAME Volume name of relative volume 1. The length of this field is USG$S_VOLNAME.

USG$T_OWNERNAME Volume owner name. The length of this field is USG$S_OWNERNAME.

USG$T_FORMAT Volume format type. For a Files-11 Structure Level 1 volume, this field contains "DECFILE11A"; for a Files-11 Structure Level 2 volume, this field contains "DECFILE11B". The length of this field is USG$S_FORMAT.

USG$Q_TIME Quadword system time when this usage file was created. The length of this field is USG$S_TIME.

**Table E-1 Identification Record Format (Length USG$K_IDENT_LEN)**
Field	Meaning
USG$L_SERIALNUM	Serial number of the volume. This is an octal longword value.
USG$T_STRUCNAM	Volume set name (if the volume is part of a volume set). For a Files-11 Structure Level 1 volume, this field contains binary zeros; for a Files-11 Structure Level 2 volume that is not part of a volume set, this field contains spaces. The length of this field is USG$S_STRUCNAME.
USG$T_VOLNAME	Volume name of relative volume 1. The length of this field is USG$S_VOLNAME.
USG$T_OWNERNAME	Volume owner name. The length of this field is USG$S_OWNERNAME.
USG$T_FORMAT	Volume format type. For a Files-11 Structure Level 1 volume, this field contains "DECFILE11A"; for a Files-11 Structure Level 2 volume, this field contains "DECFILE11B". The length of this field is USG$S_FORMAT.
USG$Q_TIME	Quadword system time when this usage file was created. The length of this field is USG$S_TIME.

Each file summary record is characterized by the type code USG$K_FILE in the USG$B_TYPE field of the record. Table E-2 contains a description of all the fields in these records.

Table E-2 File Record Format (Length USG$K_FILE_LEN)
Field Meaning

USG$L_FILEOWNER File owner UIC. This can be considered as a single longword value or as two word values (USG$W_UICMEMBER and USG$W_UICGROUP).

USG$W_UICMEMBER The member field of the file owner UIC. This is an octal word value.

USG$W_UICGROUP The group field of the file owner UIC. This is an octal word value.

USG$L_ALLOCATED Number of blocks allocated to the file, including file headers. This is a decimal longword value.

USG$L_USED Number of blocks used, up to and including the end-of-file block. This is a decimal longword value.

USG$W_DIR_LEN Length of the directory string portion of USG$T_FILESPEC, including the brackets. This is a decimal word value.

USG$W_SPEC_LEN Length of the complete file specification in USG$T_FILESPEC. This is a decimal word value.

USG$T_FILESPEC File specification, in the following format:
[dir]nam.typ;ver
This field is of variable length. A file that has more than one directory entry is listed under the first file specification found. A lost file has an empty directory string "[]" and the file name is taken from the file header. In some cases this information does not exist; you must take this into consideration when you write application programs to process the usage file. The length of this field is USG$S_FILESPEC.

**Table E-2 File Record Format (Length USG$K_FILE_LEN)**
Field	Meaning
USG$L_FILEOWNER	File owner UIC. This can be considered as a single longword value or as two word values (USG$W_UICMEMBER and USG$W_UICGROUP).
USG$W_UICMEMBER	The member field of the file owner UIC. This is an octal word value.
USG$W_UICGROUP	The group field of the file owner UIC. This is an octal word value.
USG$L_ALLOCATED	Number of blocks allocated to the file, including file headers. This is a decimal longword value.
USG$L_USED	Number of blocks used, up to and including the end-of-file block. This is a decimal longword value.
USG$W_DIR_LEN	Length of the directory string portion of USG$T_FILESPEC, including the brackets. This is a decimal word value.
USG$W_SPEC_LEN	Length of the complete file specification in USG$T_FILESPEC. This is a decimal word value.
USG$T_FILESPEC	File specification, in the following format: [dir]nam.typ;ver This field is of variable length. A file that has more than one directory entry is listed under the first file specification found. A lost file has an empty directory string "[]" and the file name is taken from the file header. In some cases this information does not exist; you must take this into consideration when you write application programs to process the usage file. The length of this field is USG$S_FILESPEC.

The symbolic names referenced in both the identification and the file summary records are defined in the system definition macro $USGDEF. The length of the identification record is USG$K_IDENT_LEN. The length of a file summary record is USG$K_FILE_LEN.

Appendix F
Security Audit Message Format

This appendix describes the format of the auditing messages written to the security auditing log file. The default audit log file SECURITY.AUDIT$JOURNAL is created by default in the SYS$COMMON:[SYSMGR] directory.

Each security audit record consists of a header packet followed by one or more data packets, as shown in Figure F-1. The number of data packets depends on the type of information being sent. This appendix describes the format of the audit header and its data packets as well as the contents of the data packets.

Figure F-1 Format of a Security Audit Message

F.1 Audit Header Packet

Table F-1 describes the fields contained in the audit header packet, illustrated in Figure F-2.

Figure F-2 Audit Header Packet Format

Symbols representing the types or subtypes of security events are listed in Table F-2. For each audit event record type defined by NSA$W_RECORD_TYPE, there is a record subtype defined by the symbol NSA$W_RECORD_SUBTYPE, which further defines the event.

Table F-3 identifies any flags associated with the audited event.

The symbol NSA$K_MSG_HDR_LENGTH defines the current size of the message header (in bytes).

Table F-1 Description of the Audit Header Fields
Field Symbolic Offset Contents

Type NSA$W_RECORD_TYPE Indicates the type of event that has occurred. See Table F-2 for details.

Subtype NSA$W_RECORD_SUBTYPE Further defines the type of event that has occurred. See Table F-2 for details.

Flags NSA$W_FLAGS Identifies any flags associated with the audited event. See Table F-3 for details. Reserved to Digital. (Word)

Packet count NSA$W_PACKET_COUNT Number of data packets in the audit record. (Word)

Record size NSA$W_RECORD_SIZE Total size of the audit message; the size represents the header packet plus all its data packets. (Word)

Version NSA$C_VERSION_3 Indicates the version of the security auditing facility. The symbol NSA$C_VERSION_3 indicates the current version. (Byte)

Facility NSA$W_FACILITY The facility code for the generated event. By default, this field is zero, indicating a system-generated event. (Word)

**Table F-1 Description of the Audit Header Fields**
Field	Symbolic Offset	Contents
Type	NSA$W_RECORD_TYPE	Indicates the type of event that has occurred. See Table F-2 for details.
Subtype	NSA$W_RECORD_SUBTYPE	Further defines the type of event that has occurred. See Table F-2 for details.
Flags	NSA$W_FLAGS	Identifies any flags associated with the audited event. See Table F-3 for details. Reserved to Digital. (Word)
Packet count	NSA$W_PACKET_COUNT	Number of data packets in the audit record. (Word)
Record size	NSA$W_RECORD_SIZE	Total size of the audit message; the size represents the header packet plus all its data packets. (Word)
Version	NSA$C_VERSION_3	Indicates the version of the security auditing facility. The symbol NSA$C_VERSION_3 indicates the current version. (Byte)
Facility	NSA$W_FACILITY	The facility code for the generated event. By default, this field is zero, indicating a system-generated event. (Word)

When you enter subtypes, do not include a prefix, as shown in Table F-2.

Table F-2 Description of Audit Event Types and Subtypes
Symbol of Event Type Meaning

NSA$C_MSG_AUDIT Systemwide change to auditing

Subtype and Meaning
ALARM_STATE
AUDIT_DISABLED
AUDIT_ENABLED
AUDIT_INITIATE
AUDIT_LOG_FIRST
AUDIT_LOG_FINAL
AUDIT_STATE
AUDIT_TERMINATE
SNAPSHOT_ABORT
SNAPSHOT_ACCESS
SNAPSHOT_SAVE
SNAPSHOT_STARTUP
Events enabled as alarms
Audit events disabled
Audit events enabled
Audit server startup
First entry in audit log (backward link)
Final entry in audit log (forward link)
Events enabled as audits
Audit server shutdown
System snapshot attempt has aborted
Snapshot file access/deaccess
System snapshot save in progress
System booted from a snapshot file

NSA$C_MSG_BREAKIN Break-in attempt detected

Subtype and Meaning
BATCH
DETACHED
DIALUP
LOCAL
NETWORK
REMOTE
SUBPROCESS
Batch process
Detached process
Dialup interactive process
Local interactive process
Network server task
Interactive process from another network node
Subprocess

NSA$C_MSG_CONNECTION Logical link connection or termination

Subtype and Meaning
CNX_ABORT
CNX_ACCEPT
CNX_DECNET_CREATE
CNX_DECNET_DELETE
CNX_DISCONNECT
CNX_INC_ABORT
CNX_INC_ACCEPT
CNX_INC_DISCONNECT
CNX_INC_REJECT
CNX_INC_REQUEST
CNX_IPC_CLOSE
CNX_IPC_OPEN
CNX_REJECT
CNX_REQUEST
Connection aborted
Connection accepted
DECnet logical link created
DECnet logical link disconnected
Connection disconnected
Incoming connection request aborted
Incoming connection request accepted
Incoming connection disconnected
Incoming connection request rejected
Incoming connection request
Interprocess communication association closed
Interprocess communication association opened
Connection rejected
Connection requested

NSA$C_MSG_INSTALL Use of the Install utility (INSTALL)

Subtype and Meaning
INSTALL_ADD
INSTALL_REMOVE
Known image installed
Known image deleted

NSA$C_MSG_LOGFAIL Login failure

Subtype and Meaning
See subtypes for
NSA$C_MSG_BREAKIN

NSA$C_MSG_LOGIN Successful login

Subtype and Meaning
See subtypes for
NSA$C_MSG_BREAKIN

NSA$C_MSG_LOGOUT Successful logout

Subtype and Meaning
See subtypes for
NSA$C_MSG_BREAKIN

NSA$C_MSG_MOUNT Volume mount or dismount

Subtype and Meaning
VOL_DISMOUNT
VOL_MOUNT
Volume dismount
Volume mount

NSA$C_MSG_NCP Modification to network configuration database

Subtype and Meaning
NCP_COMMAND
Network Control Program (NCP) command issued

NSA$C_MSG_NETPROXY Modification to network proxy database

Subtype and Meaning
NETPROXY_ADD
NETPROXY_DELETE
NETPROXY_MODIFY
Record added to network proxy authorization file
Record removed from network proxy authorization file
Record modified in network proxy authorization file

NSA$C_MSG_OBJ_ACCESS Object access attempted

Subtype and Meaning
OBJ_ACCESS
Access attempted to create, delete, or deaccess an object

NSA$C_MSG_OBJ_CREATE Object creation attempted

Subtype and Meaning
OBJ_CREATE
Access attempted to create an object

NSA$C_MSG_OBJ_DEACCESS Object deaccessed

Subtype and Meaning
OBJ_DEACCESS
Attempt to complete access to an object

NSA$C_MSG_OBJ_DELETE Object deletion attempted

Subtype and Meaning
OBJ_DELETE
Object deletion attempted

NSA$C_MSG_PROCESS Process controlled through a system service

Subtype and Meaning
PRC_CANWAK
PRC_CREPRC
PRC_DELPRC
PRC_FORCEX
PRC_GETJPI
PRC_GRANTID
PRC_RESUME
PRC_REVOKID
PRC_SCHDWK
PRC_SETPRI
PRC_SIGPRC
PRC_SUSPND
PRC_TERM
PRC_WAKE
Process wakeup canceled
Process created
Process deleted
Process exit forced
Process information gathered
Process identifier granted
Process resumed
Process identifier revoked
Process wakeup scheduled
Process priority altered
Process exception issued
Process suspended
Process termination notification requested
Process wakeup issued

NSA$C_MSG_PRVAUD Use of privilege

Subtype and Meaning
PRVAUD_FAILURE
PRVAUD_SUCCESS
Unsuccessful use of privilege
Successful use of privilege

NSA$C_MSG_RIGHTSDB Modification to the rights database

Subtype and Meaning
RDB_ADD_ID
RDB_CREATE
RDB_GRANT_ID
RDB_MOD_HOLDER
RDB_MOD_ID
RDB_REM_ID
RDB_REVOKE_ID
Identifier added to rights database
Rights database created
Identifier granted to user
List of identifier holders modified
Identifier name or attributes modified
Identifier removed from rights database
Identifier taken away from user

NSA$C_MSG_SYSGEN Use of the System Generation utility (SYSGEN)

Subtype and Meaning
SYSGEN_SET
System Generation utility (SYSGEN) parameter modified

NSA$C_MSG_SYSTIME Modification to system time

Subtype and Meaning
SYSTIM_SET
SYSTIM_CAL
System time set
System time calibrated

NSA$C_MSG_SYSUAF Modification to system user authorization file (SYSUAF)

Subtype and Meaning
SYSUAF_ADD
SYSUAF_COPY
SYSUAF_DELETE
SYSUAF_MODIFY
SYSUAF_RENAME
Record added to system user authorization file
Record copied in system user authorization file
Record deleted from system user authorization file
Record modified in system user authorization file
Record renamed in system user authorization file

**Table F-2 Description of Audit Event Types and Subtypes**
Symbol of Event Type	Meaning
NSA$C_MSG_AUDIT	Systemwide change to auditing
Subtype and Meaning ALARM_STATE AUDIT_DISABLED AUDIT_ENABLED AUDIT_INITIATE AUDIT_LOG_FIRST AUDIT_LOG_FINAL AUDIT_STATE AUDIT_TERMINATE SNAPSHOT_ABORT SNAPSHOT_ACCESS SNAPSHOT_SAVE SNAPSHOT_STARTUP	Events enabled as alarms Audit events disabled Audit events enabled Audit server startup First entry in audit log (backward link) Final entry in audit log (forward link) Events enabled as audits Audit server shutdown System snapshot attempt has aborted Snapshot file access/deaccess System snapshot save in progress System booted from a snapshot file
NSA$C_MSG_BREAKIN	Break-in attempt detected
Subtype and Meaning BATCH DETACHED DIALUP LOCAL NETWORK REMOTE SUBPROCESS	Batch process Detached process Dialup interactive process Local interactive process Network server task Interactive process from another network node Subprocess
NSA$C_MSG_CONNECTION	Logical link connection or termination
Subtype and Meaning CNX_ABORT CNX_ACCEPT CNX_DECNET_CREATE CNX_DECNET_DELETE CNX_DISCONNECT CNX_INC_ABORT CNX_INC_ACCEPT CNX_INC_DISCONNECT CNX_INC_REJECT CNX_INC_REQUEST CNX_IPC_CLOSE CNX_IPC_OPEN CNX_REJECT CNX_REQUEST	Connection aborted Connection accepted DECnet logical link created DECnet logical link disconnected Connection disconnected Incoming connection request aborted Incoming connection request accepted Incoming connection disconnected Incoming connection request rejected Incoming connection request Interprocess communication association closed Interprocess communication association opened Connection rejected Connection requested
NSA$C_MSG_INSTALL	Use of the Install utility (INSTALL)
Subtype and Meaning INSTALL_ADD INSTALL_REMOVE	Known image installed Known image deleted
NSA$C_MSG_LOGFAIL	Login failure
Subtype and Meaning See subtypes for NSA$C_MSG_BREAKIN
NSA$C_MSG_LOGIN	Successful login
Subtype and Meaning See subtypes for NSA$C_MSG_BREAKIN
NSA$C_MSG_LOGOUT	Successful logout
Subtype and Meaning See subtypes for NSA$C_MSG_BREAKIN
NSA$C_MSG_MOUNT	Volume mount or dismount
Subtype and Meaning VOL_DISMOUNT VOL_MOUNT	Volume dismount Volume mount
NSA$C_MSG_NCP	Modification to network configuration database
Subtype and Meaning NCP_COMMAND	Network Control Program (NCP) command issued
NSA$C_MSG_NETPROXY	Modification to network proxy database
Subtype and Meaning NETPROXY_ADD NETPROXY_DELETE NETPROXY_MODIFY	Record added to network proxy authorization file Record removed from network proxy authorization file Record modified in network proxy authorization file
NSA$C_MSG_OBJ_ACCESS	Object access attempted
Subtype and Meaning OBJ_ACCESS	Access attempted to create, delete, or deaccess an object
NSA$C_MSG_OBJ_CREATE	Object creation attempted
Subtype and Meaning OBJ_CREATE	Access attempted to create an object
NSA$C_MSG_OBJ_DEACCESS	Object deaccessed
Subtype and Meaning OBJ_DEACCESS	Attempt to complete access to an object
NSA$C_MSG_OBJ_DELETE	Object deletion attempted
Subtype and Meaning OBJ_DELETE	Object deletion attempted
NSA$C_MSG_PROCESS	Process controlled through a system service
Subtype and Meaning PRC_CANWAK PRC_CREPRC PRC_DELPRC PRC_FORCEX PRC_GETJPI PRC_GRANTID PRC_RESUME PRC_REVOKID PRC_SCHDWK PRC_SETPRI PRC_SIGPRC PRC_SUSPND PRC_TERM PRC_WAKE	Process wakeup canceled Process created Process deleted Process exit forced Process information gathered Process identifier granted Process resumed Process identifier revoked Process wakeup scheduled Process priority altered Process exception issued Process suspended Process termination notification requested Process wakeup issued
NSA$C_MSG_PRVAUD	Use of privilege
Subtype and Meaning PRVAUD_FAILURE PRVAUD_SUCCESS	Unsuccessful use of privilege Successful use of privilege
NSA$C_MSG_RIGHTSDB	Modification to the rights database
Subtype and Meaning RDB_ADD_ID RDB_CREATE RDB_GRANT_ID RDB_MOD_HOLDER RDB_MOD_ID RDB_REM_ID RDB_REVOKE_ID	Identifier added to rights database Rights database created Identifier granted to user List of identifier holders modified Identifier name or attributes modified Identifier removed from rights database Identifier taken away from user
NSA$C_MSG_SYSGEN	Use of the System Generation utility (SYSGEN)
Subtype and Meaning SYSGEN_SET	System Generation utility (SYSGEN) parameter modified
NSA$C_MSG_SYSTIME	Modification to system time
Subtype and Meaning SYSTIM_SET SYSTIM_CAL	System time set System time calibrated
NSA$C_MSG_SYSUAF	Modification to system user authorization file (SYSUAF)
Subtype and Meaning SYSUAF_ADD SYSUAF_COPY SYSUAF_DELETE SYSUAF_MODIFY SYSUAF_RENAME	Record added to system user authorization file Record copied in system user authorization file Record deleted from system user authorization file Record modified in system user authorization file Record renamed in system user authorization file

Table F-3 Description of Audit Event Flags
Symbol Meaning

NSA$M_ACL Event generated by an alarm access control entry (ACE) or an audit ACE.

NSA$M_ALARM Event is a security alarm.

NSA$M_AUDIT Event is a security audit.

NSA$M_FLUSH Event forced the audit server to write all buffered event messages to the audit log file.

NSA$M_FOREIGN Event occurred outside of the system trusted computing base.

NSA$M_MANDATORY Event resulted from a mandatory process audit.

**Table F-3 Description of Audit Event Flags**
Symbol	Meaning
NSA$M_ACL	Event generated by an alarm access control entry (ACE) or an audit ACE.
NSA$M_ALARM	Event is a security alarm.
NSA$M_AUDIT	Event is a security audit.
NSA$M_FLUSH	Event forced the audit server to write all buffered event messages to the audit log file.
NSA$M_FOREIGN	Event occurred outside of the system trusted computing base.
NSA$M_MANDATORY	Event resulted from a mandatory process audit.

Note
All other flags besides those listed in the table are reserved by Digital.

F.2 Audit Data Packets

Figure F-3 illustrates the format of an audit data packet. NSA$K_PKT_HDR_LENGTH defines the current size of each packet header (in bytes).

Note that audit data packets do not appear in any predefined order within an event message, and packet types can appear more than once throughout the event message.

For examples of the types of data appearing in different event messages, see the appendix of alarm messages in the OpenVMS Guide to System Security.

Figure F-3 Audit Data Packet Format

Table F-4 describes the fields contained in these packets.

Table F-4 Description of the Audit Data Packet
Field Symbolic Offset Contents

Packet size NSA$W_PACKET_SIZE Indicates the size of the data packet. (Word)

Packet type NSA$W_PACKET_TYPE Indicates the type of data in the packet, as described in Table F-5.

Packet data NSA$R_PACKET_DATA Variable length field containing the packet data.

**Table F-4 Description of the Audit Data Packet**
Field	Symbolic Offset	Contents
Packet size	NSA$W_PACKET_SIZE	Indicates the size of the data packet. (Word)
Packet type	NSA$W_PACKET_TYPE	Indicates the type of data in the packet, as described in Table F-5.
Packet data	NSA$R_PACKET_DATA	Variable length field containing the packet data.

Table F-5 describes the types of data in audit packets.

Table F-5 Types of Data in Audit Packets
Symbol Packet Contents

NSA$_ACCESS_DESIRED Access requested or granted to the object as defined by $ARMDEF (Longword)

NSA$_ACCESS_MODE Access mode of the process (Byte)

NSA$_ACCOUNT Account name associated with the process (String of 1-32 characters)

NSA$_ALARM_NAME Name of the user (or the security class operators terminal) to receive the record (String of 1-32 characters)

NSA$_ASSOCIATION_NAME Interprocess communication (IPC) association name (String of 1-256 characters)

NSA$_AUDIT_FLAGS Bit mask of enabled or disabled events. This is reserved to Digital. (40-byte record) (String of 1-65 characters)

NSA$_AUDIT_NAME Journal file to receive the audit record (String of 1-65 characters)

NSA$_COMMAND_LINE Command line the user entered (String of 1-2048 characters)

NSA$_CONNECTION_ID Interprocess communication (IPC) connection identification (Longword)

NSA$_DECNET_LINK_ID DECnet logical link identification (Longword)

NSA$_DECNET_OBJECT_NAME DECnet object name (String of 1-16 characters)

NSA$_DECNET_OBJECT_NUMBER DECnet object number (Longword)

NSA$_DEFAULT_USERNAME Default local user name for incoming network proxy requests (String of 1-32 characters)

NSA$_DEVICE_NAME Device name where the volume resides (String of 1-64 characters)

NSA$_DIRECTORY_ENTRY Directory entry associated with file system operation (Longword)

NSA$_DIRECTORY_ID Directory file identification (Array of 3 words)

NSA$_DIRECTORY_NAME Directory file name

NSA$_DISMOUNT_FLAGS The $DMTDEF macro in STARLET defines the dismount flags; each flag is one quadword.

NSA$_EFC_NAME Event flag cluster name (String of 1-16 characters)

NSA$_EVENT_FACILITY Facility code for the generated event (Word)

NSA$_FIELD_NAME Name of the field being modified. This is used in combination with NSA$_ORIGINAL_DATA and NSA$_NEW_DATA. (String of 1-256 characters)

NSA$_FILE_ID File identification (Array of words)

NSA$_FINAL_STATUS Status (successful or unsuccessful) causing the auditing facility to be invoked (Longword)

NSA$_HOLDER_NAME Name of user holding the identifier (String of 1-32 characters)

NSA$_HOLDER_OWNER Owner (UIC) of holder (Longword)

NSA$_ID_ATTRIBUTES Attributes of the identifier, which are defined by the $KGBDEF macro in STARLET (Longword)

NSA$_IDENTIFIERS_USED Identifiers (from the access control entry (ACE) granting access) used to gain access to the object (Array of longwords)

NSA$_ID_NAME Name of the identifier (String of 1-32 characters)

NSA$_ID_NEW_ATTRIBUTES New attributes of the identifier, which are defined by the $KGBDEF macro in STARLET (Longword)

NSA$_ID_NEW_NAME New name of the identifier (String of 1-32 characters)

NSA$_ID_NEW_VALUE New value of the identifier (Longword)

NSA$_ID_VALUE Value of the identifier (Longword)

NSA$_ID_VALUE_ASCII Identification value provided by $IDTOASC (Longword)

NSA$_IMAGE_NAME Name of the image being executed when the event took place (String of 1-1024 characters)

NSA$_INSTALL_FILE The name of the installed file (String of 1-255 characters)

NSA$_INSTALL_FLAGS The INSTALL flags correspond to qualifiers for the Install utility (for example, NSA$M_INS_EXECUTE_ONLY); each flag is one longword.

NSA$_LNM_PARENT_NAME Name of the parent logical name table (String of 1-31 characters)

NSA$_LNM_TABLE_NAME Name of the logical name table (String of 1-31 characters)

NSA$_LOCAL_USERNAME User name of the account available for incoming network proxy requests (String of 1-32 characters)

NSA$_LOGICAL_NAME Logical name associated with the device (String of 1-255 characters)

NSA$_MAILBOX_UNIT Mailbox unit number (Longword)

NSA$_MATCHING_ACE ACE granting or denying access (Array of bytes)

NSA$_MESSAGE Associated message code; see NSA$_MSGFILNAM for translation (Longword)

NSA$_MOUNT_FLAGS The MOUNT flags defined by the $MNTDEF macro in STARLET (Longword)

NSA$_MSGFILNAM Message file containing the translation for the message code in NSA$_MESSAGE (String of 1-255 characters)

NSA$_NEW_DATA Contents of the field named in NSA$_FIELD_NAME after the event occurred. NSA$_ORIGINAL_DATA contains the field contents prior to the event. (String of 1-n characters)

NSA$_NEW_IMAGE_NAME Name of the new image (String of 1-1024 characters)

NSA$_NEW_OWNER New process owner (UIC) (Longword)

NSA$_NEW_PRIORITY New process priority (Longword)

NSA$_NEW_PRIVILEGES New privileges (Quadword)

NSA$_NEW_PROCESS_ID New identification of the process (Longword)

NSA$_NEW_PROCESS_NAME New name of the process (String of 1-15 characters)

NSA$_NEW_PROCESS_OWNER New owner (UIC) of the process (Longword)

NSA$_NEW_USERNAME New user name (String of 1-32 characters)

NSA$_NOP Packet in static event list to omit from processing

NSA$_OBJECT_CLASS Object class name, as defined by the system or by the user (String of 1-23 characters)

NSA$_OBJECT_MAX_CLASS The minimum access classification of the object (20-byte record)

NSA$_OBJECT_MIN_CLASS The minimum access classification of the object (20-byte record)

NSA$_OBJECT_NAME Object's name (String of 1-255 characters)

NSA$_OBJECT_NAME_2 Alternate object name; currently applies to file-backed global sections where the alternate name of global section is the file name. (String of 1-255 characters)

NSA$_OBJECT_OWNER UIC or general identifier of the process causing the auditable event (Longword)

NSA$_OBJECT_PROTECTION UIC-based protection of the object (Vector of words or longwords)

NSA$_OBJECT_TYPE Object's type code, as listed in $ACLDEF. (String of 1-23 characters)

NSA$_OLD_PRIORITY Former process priority (Longword)

NSA$_OLD_PRIVILEGES Former privileges (Quadword)

NSA$_ORIGINAL_DATA Contents of the field named in NSA$_FIELD_NAME before the event occurred. NSA$_NEW_DATA contains the field contents following the event. (String of 1-n characters)

NSA$_PARAMS_INUSE Set of parameter values given to the SYSGEN command USE (String of 1-255 characters)

NSA$_PARAMS_WRITE File name for the SYSGEN command WRITE (String of 1-255 characters)

NSA$_PARENT_ID Process identifier (PID) of the parent process; only used when auditing events pertaining to a subprocess (Longword)

NSA$_PARENT_NAME Parent's process name; only used when auditing events pertaining to a subprocess (String of 1-15 characters)

NSA$_PARENT_OWNER Owner (UIC) of the parent process (Longword)

NSA$_PARENT_USERNAME User name associated with the parent process (String of 1-32 characters)

NSA$_PASSWORD Password used in unsuccessful break-in attempt (String of 1-32 characters)

NSA$_PRIVILEGES Privilege mask (Quadword)

NSA$_PRIVS_MISSING Privileges that are lacking (Longword or quadword)

NSA$_PRIVS_USED Privileges used to gain access to the object (Longword or quadword)

NSA$_PROCESS_ID PID of the process causing the auditable event (Longword)

NSA$_PROCESS_NAME Process' name that caused the auditable event (String of 1-15 characters)

NSA$_REM_ASSOCIATION_NAME Interprocess communication (IPC) remote association name (String of 1-256 characters)

NSA$_REMOTE_LINK_ID Remote logical link identification number (Longword)

NSA$_REMOTE_NODE_ID DECnet address of the remote process (Longword)

NSA$_REMOTE_NODENAME DECnet node name of the remote process (String of 1-6 characters)

NSA$_REMOTE_USERNAME User name of the remote process (String of 1-32 characters)

NSA$_REQUEST_NUMBER Request number associated with the system service call (Longword)

NSA$_RESOURCE_NAME Lock resource name (String of 1-32 characters)

NSA$_SECTION_NAME Global section name (String of 1-42 characters)

NSA$_SNAPSHOT_BOOTFILE The name of the snapshot boot file, the saved system image file from which the system just booted (String of 1-255 characters)

NSA$_SNAPSHOT_SAVE_FILNAM The name of the snapshot save file, which is the original location of the snapshot file at the time that the system was saved (String of 1-255 characters)

NSA$_SNAPSHOT_TIME The time the picture of the configuration was taken and saved in the snapshot boot file (Quadword)

NSA$_SOURCE_PROCESS_ID Identification of process originating the request (Longword)

NSA$_SUBJECT_CLASS The current access class of the process causing the auditable event (A 20-byte record)

NSA$_SUBJECT_OWNER Owner (UIC) of the process causing the event (Longword)

NSA$_SYSTEM_ID SCS identification of the cluster node where the event took place (SYSGEN parameter SCSSYSTEMID) (Longword)

NSA$_SYSTEM_NAME System Communication Services (SCS) node name where the event took place (SYSGEN parameter SCSNODE) (String of 1-6 characters)

NSA$_SYSTEM_SERVICE_NAME Name of the system service associated with the event (String of 1-256 characters)

NSA$_SYSTIM_NEW New system time (Quadword)

NSA$_SYSTIM_OLD Old system time (Quadword)

NSA$_TARGET_DEVICE_NAME Target device name (String of 1-64 characters)

NSA$_TARGET_PROCESS_CLASS The target process classification. (A 20-byte vector)

NSA$_TARGET_PROCESS_ID Target process identifier (PID) (Longword)

NSA$_TARGET_PROCESS_NAME Target process name (String of 1-64 characters)

NSA$_TARGET_PROCESS_OWNER Target process owner (UIC) (Longword)

NSA$_TARGET_USERNAME Target user name (String of 1-32 characters)

NSA$_TERMINAL Name of the terminal to which the process was connected when the auditable event occurred (String of 1-256 characters)

NSA$_TIME_STAMP The time that the event occurred (Quadword)

NSA$_TRANSPORT_NAME Name of transport: interprocess communication (IPC), DECnet, or System Management Integrator (SMI), which handles requests from the SYSMAN utility (String of 1-256 characters)

NSA$_UAF_ADD Name of the authorization record being added (String of 1-32 characters)

NSA$_UAF_COPY Original and new names of the authorization record being copied (String of 1-32 characters)

NSA$_UAF_DELETE Name of the authorization record being removed (String of 1-32 characters)

NSA$_UAF_FIELDS Fields being changed in an authorization record and their new values. This is reserved to Digital. (Quadword bitmask)

NSA$_UAF_MODIFY Name of the authorization record being modified (String of 1-32 characters)

NSA$_UAF_RENAME Name of the authorization record being renamed (String of 1-32 characters)

NSA$_UAF_SOURCE User name of the source record for an Authorize utility (AUTHORIZE) copy operation (String of 1-32 characters)

NSA$_USERNAME User name of process causing the auditable event (String of 1-32 characters)

NSA$_VOLUME_NAME Volume name (String of 1-15 characters)

NSA$_VOLUME_SET_NAME Volume set name (String of 1-15 characters)

**Table F-5 Types of Data in Audit Packets**
Symbol	Packet Contents
NSA$_ACCESS_DESIRED	Access requested or granted to the object as defined by $ARMDEF (Longword)
NSA$_ACCESS_MODE	Access mode of the process (Byte)
NSA$_ACCOUNT	Account name associated with the process (String of 1-32 characters)
NSA$_ALARM_NAME	Name of the user (or the security class operators terminal) to receive the record (String of 1-32 characters)
NSA$_ASSOCIATION_NAME	Interprocess communication (IPC) association name (String of 1-256 characters)
NSA$_AUDIT_FLAGS	Bit mask of enabled or disabled events. This is reserved to Digital. (40-byte record) (String of 1-65 characters)
NSA$_AUDIT_NAME	Journal file to receive the audit record (String of 1-65 characters)
NSA$_COMMAND_LINE	Command line the user entered (String of 1-2048 characters)
NSA$_CONNECTION_ID	Interprocess communication (IPC) connection identification (Longword)
NSA$_DECNET_LINK_ID	DECnet logical link identification (Longword)
NSA$_DECNET_OBJECT_NAME	DECnet object name (String of 1-16 characters)
NSA$_DECNET_OBJECT_NUMBER	DECnet object number (Longword)
NSA$_DEFAULT_USERNAME	Default local user name for incoming network proxy requests (String of 1-32 characters)
NSA$_DEVICE_NAME	Device name where the volume resides (String of 1-64 characters)
NSA$_DIRECTORY_ENTRY	Directory entry associated with file system operation (Longword)
NSA$_DIRECTORY_ID	Directory file identification (Array of 3 words)
NSA$_DIRECTORY_NAME	Directory file name
NSA$_DISMOUNT_FLAGS	The $DMTDEF macro in STARLET defines the dismount flags; each flag is one quadword.
NSA$_EFC_NAME	Event flag cluster name (String of 1-16 characters)
NSA$_EVENT_FACILITY	Facility code for the generated event (Word)
NSA$_FIELD_NAME	Name of the field being modified. This is used in combination with NSA$_ORIGINAL_DATA and NSA$_NEW_DATA. (String of 1-256 characters)
NSA$_FILE_ID	File identification (Array of words)
NSA$_FINAL_STATUS	Status (successful or unsuccessful) causing the auditing facility to be invoked (Longword)
NSA$_HOLDER_NAME	Name of user holding the identifier (String of 1-32 characters)
NSA$_HOLDER_OWNER	Owner (UIC) of holder (Longword)
NSA$_ID_ATTRIBUTES	Attributes of the identifier, which are defined by the $KGBDEF macro in STARLET (Longword)
NSA$_IDENTIFIERS_USED	Identifiers (from the access control entry (ACE) granting access) used to gain access to the object (Array of longwords)
NSA$_ID_NAME	Name of the identifier (String of 1-32 characters)
NSA$_ID_NEW_ATTRIBUTES	New attributes of the identifier, which are defined by the $KGBDEF macro in STARLET (Longword)
NSA$_ID_NEW_NAME	New name of the identifier (String of 1-32 characters)
NSA$_ID_NEW_VALUE	New value of the identifier (Longword)
NSA$_ID_VALUE	Value of the identifier (Longword)
NSA$_ID_VALUE_ASCII	Identification value provided by $IDTOASC (Longword)
NSA$_IMAGE_NAME	Name of the image being executed when the event took place (String of 1-1024 characters)
NSA$_INSTALL_FILE	The name of the installed file (String of 1-255 characters)
NSA$_INSTALL_FLAGS	The INSTALL flags correspond to qualifiers for the Install utility (for example, NSA$M_INS_EXECUTE_ONLY); each flag is one longword.
NSA$_LNM_PARENT_NAME	Name of the parent logical name table (String of 1-31 characters)
NSA$_LNM_TABLE_NAME	Name of the logical name table (String of 1-31 characters)
NSA$_LOCAL_USERNAME	User name of the account available for incoming network proxy requests (String of 1-32 characters)
NSA$_LOGICAL_NAME	Logical name associated with the device (String of 1-255 characters)
NSA$_MAILBOX_UNIT	Mailbox unit number (Longword)
NSA$_MATCHING_ACE	ACE granting or denying access (Array of bytes)
NSA$_MESSAGE	Associated message code; see NSA$_MSGFILNAM for translation (Longword)
NSA$_MOUNT_FLAGS	The MOUNT flags defined by the $MNTDEF macro in STARLET (Longword)
NSA$_MSGFILNAM	Message file containing the translation for the message code in NSA$_MESSAGE (String of 1-255 characters)
NSA$_NEW_DATA	Contents of the field named in NSA$_FIELD_NAME after the event occurred. NSA$_ORIGINAL_DATA contains the field contents prior to the event. (String of 1-n characters)
NSA$_NEW_IMAGE_NAME	Name of the new image (String of 1-1024 characters)
NSA$_NEW_OWNER	New process owner (UIC) (Longword)
NSA$_NEW_PRIORITY	New process priority (Longword)
NSA$_NEW_PRIVILEGES	New privileges (Quadword)
NSA$_NEW_PROCESS_ID	New identification of the process (Longword)
NSA$_NEW_PROCESS_NAME	New name of the process (String of 1-15 characters)
NSA$_NEW_PROCESS_OWNER	New owner (UIC) of the process (Longword)
NSA$_NEW_USERNAME	New user name (String of 1-32 characters)
NSA$_NOP	Packet in static event list to omit from processing
NSA$_OBJECT_CLASS	Object class name, as defined by the system or by the user (String of 1-23 characters)
NSA$_OBJECT_MAX_CLASS	The minimum access classification of the object (20-byte record)
NSA$_OBJECT_MIN_CLASS	The minimum access classification of the object (20-byte record)
NSA$_OBJECT_NAME	Object's name (String of 1-255 characters)
NSA$_OBJECT_NAME_2	Alternate object name; currently applies to file-backed global sections where the alternate name of global section is the file name. (String of 1-255 characters)
NSA$_OBJECT_OWNER	UIC or general identifier of the process causing the auditable event (Longword)
NSA$_OBJECT_PROTECTION	UIC-based protection of the object (Vector of words or longwords)
NSA$_OBJECT_TYPE	Object's type code, as listed in $ACLDEF. (String of 1-23 characters)
NSA$_OLD_PRIORITY	Former process priority (Longword)
NSA$_OLD_PRIVILEGES	Former privileges (Quadword)
NSA$_ORIGINAL_DATA	Contents of the field named in NSA$_FIELD_NAME before the event occurred. NSA$_NEW_DATA contains the field contents following the event. (String of 1-n characters)
NSA$_PARAMS_INUSE	Set of parameter values given to the SYSGEN command USE (String of 1-255 characters)
NSA$_PARAMS_WRITE	File name for the SYSGEN command WRITE (String of 1-255 characters)
NSA$_PARENT_ID	Process identifier (PID) of the parent process; only used when auditing events pertaining to a subprocess (Longword)
NSA$_PARENT_NAME	Parent's process name; only used when auditing events pertaining to a subprocess (String of 1-15 characters)
NSA$_PARENT_OWNER	Owner (UIC) of the parent process (Longword)
NSA$_PARENT_USERNAME	User name associated with the parent process (String of 1-32 characters)
NSA$_PASSWORD	Password used in unsuccessful break-in attempt (String of 1-32 characters)
NSA$_PRIVILEGES	Privilege mask (Quadword)
NSA$_PRIVS_MISSING	Privileges that are lacking (Longword or quadword)
NSA$_PRIVS_USED	Privileges used to gain access to the object (Longword or quadword)
NSA$_PROCESS_ID	PID of the process causing the auditable event (Longword)
NSA$_PROCESS_NAME	Process' name that caused the auditable event (String of 1-15 characters)
NSA$_REM_ASSOCIATION_NAME	Interprocess communication (IPC) remote association name (String of 1-256 characters)
NSA$_REMOTE_LINK_ID	Remote logical link identification number (Longword)
NSA$_REMOTE_NODE_ID	DECnet address of the remote process (Longword)
NSA$_REMOTE_NODENAME	DECnet node name of the remote process (String of 1-6 characters)
NSA$_REMOTE_USERNAME	User name of the remote process (String of 1-32 characters)
NSA$_REQUEST_NUMBER	Request number associated with the system service call (Longword)
NSA$_RESOURCE_NAME	Lock resource name (String of 1-32 characters)
NSA$_SECTION_NAME	Global section name (String of 1-42 characters)
NSA$_SNAPSHOT_BOOTFILE	The name of the snapshot boot file, the saved system image file from which the system just booted (String of 1-255 characters)
NSA$_SNAPSHOT_SAVE_FILNAM	The name of the snapshot save file, which is the original location of the snapshot file at the time that the system was saved (String of 1-255 characters)
NSA$_SNAPSHOT_TIME	The time the picture of the configuration was taken and saved in the snapshot boot file (Quadword)
NSA$_SOURCE_PROCESS_ID	Identification of process originating the request (Longword)
NSA$_SUBJECT_CLASS	The current access class of the process causing the auditable event (A 20-byte record)
NSA$_SUBJECT_OWNER	Owner (UIC) of the process causing the event (Longword)
NSA$_SYSTEM_ID	SCS identification of the cluster node where the event took place (SYSGEN parameter SCSSYSTEMID) (Longword)
NSA$_SYSTEM_NAME	System Communication Services (SCS) node name where the event took place (SYSGEN parameter SCSNODE) (String of 1-6 characters)
NSA$_SYSTEM_SERVICE_NAME	Name of the system service associated with the event (String of 1-256 characters)
NSA$_SYSTIM_NEW	New system time (Quadword)
NSA$_SYSTIM_OLD	Old system time (Quadword)
NSA$_TARGET_DEVICE_NAME	Target device name (String of 1-64 characters)
NSA$_TARGET_PROCESS_CLASS	The target process classification. (A 20-byte vector)
NSA$_TARGET_PROCESS_ID	Target process identifier (PID) (Longword)
NSA$_TARGET_PROCESS_NAME	Target process name (String of 1-64 characters)
NSA$_TARGET_PROCESS_OWNER	Target process owner (UIC) (Longword)
NSA$_TARGET_USERNAME	Target user name (String of 1-32 characters)
NSA$_TERMINAL	Name of the terminal to which the process was connected when the auditable event occurred (String of 1-256 characters)
NSA$_TIME_STAMP	The time that the event occurred (Quadword)
NSA$_TRANSPORT_NAME	Name of transport: interprocess communication (IPC), DECnet, or System Management Integrator (SMI), which handles requests from the SYSMAN utility (String of 1-256 characters)
NSA$_UAF_ADD	Name of the authorization record being added (String of 1-32 characters)
NSA$_UAF_COPY	Original and new names of the authorization record being copied (String of 1-32 characters)
NSA$_UAF_DELETE	Name of the authorization record being removed (String of 1-32 characters)
NSA$_UAF_FIELDS	Fields being changed in an authorization record and their new values. This is reserved to Digital. (Quadword bitmask)
NSA$_UAF_MODIFY	Name of the authorization record being modified (String of 1-32 characters)
NSA$_UAF_RENAME	Name of the authorization record being renamed (String of 1-32 characters)
NSA$_UAF_SOURCE	User name of the source record for an Authorize utility (AUTHORIZE) copy operation (String of 1-32 characters)
NSA$_USERNAME	User name of process causing the auditable event (String of 1-32 characters)
NSA$_VOLUME_NAME	Volume name (String of 1-15 characters)
NSA$_VOLUME_SET_NAME	Volume set name (String of 1-15 characters)

Appendix G
Valid Combinations of BACKUP Qualifiers

The following figures show the qualifiers that can be used in BACKUP save, restore, copy, compare and list operations. The figures also indicate valid combinations of BACKUP qualifiers.

Figure G-1 shows command qualifiers used in save operations.
Figure G-2 shows input file-selection qualifiers used in save operations.
Figure G-3 shows output save-set qualifiers used in save operations.
Figure G-4 shows command qualifiers used in restore operations.
Figure G-5 shows input save-set qualifiers used in restore operations.
Figure G-6 shows output file qualifiers used in restore operations.
Figure G-7 shows command qualifiers used in copy operations.
Figure G-8 shows input file-selection qualifiers used in copy operations.
Figure G-9 shows output file qualifiers used in copy operations.
Figure G-10 shows command qualifiers used in compare operations.
Figure G-11 shows input file-selection qualifiers used in compare operations.
Figure G-12 shows input save-set qualifiers used in compare operations.

Figure G-1 Command Qualifiers Used in Save Operations

Figure G-2 Input File-Selection Qualifiers Used in Save Operations

Figure G-3 Output Save-Set Qualifiers Used in Save Operations

Figure G-4 Command Qualifiers Used in Restore Operations

Figure G-5 Input Save-Set Qualifiers Used in Restore Operations

Figure G-6 Output File Qualifiers Used in Restore Operations

Figure G-7 Command Qualifiers Used in Copy Operations

Figure G-8 Input File-Selection Qualifiers Used in Copy Operations

Figure G-9 Output File Qualifiers Used in Copy Operations

Figure G-10 Command Qualifiers Used in Compare Operations

Figure G-11 Input File-Selection Qualifiers Used in Compare Operations

Figure G-12 Input Save-Set Qualifiers Used in Compare Operations

Appendix H
Supplemental MONITOR Information---Record Formats

The following sections describe the MONITOR record formats.

H.1 The MONITOR Recording File

Binary performance data is written into the MONITOR recording file when a MONITOR request indicates recording. A record is written to this file once per interval for each requested class. The record contains a predefined set of data for each of the requested performance classes.

  6048P061.HTM
  OSSG Documentation
  26-NOV-1996 12:43:54.11

Legal

OpenVMS System Management Utilities Reference Manual

Appendix EANALYZE/DISK_STRUCTURE---Usage File

Appendix FSecurity Audit Message Format