[Digital logo]
[HR]

OpenVMS DCL Dictionary

Previous | Contents

Requires OPER (operator) privilege.

Format

SET ACCOUNTING

PARAMETERS

None.

DESCRIPTION

Each node on your system has its own current accounting file. You can control what resources this file tracks, and start up a new version of this file using the SET ACCOUNTING command.

There are two occasions when the resources used by a process are not tracked, despite the SET ACCOUNTING command:

Similarly, there is one occasion when the resources used by an image are always tracked, despite the SET ACCOUNTING command:

For more information on how to use the SET ACCOUNTING command see the OpenVMS System Manager's Manual.

QUALIFIERS

/DISABLE[=(keyword[,...])]

Prevents the tracking of the resources specified by the keywords.

Table DCLII-18 lists the keywords you can use to specify the type of resource.

Table DCLII-18 SET ACCOUNTING Keywords for Resource Types
Keyword Type of Resource
IMAGE Resources used by an image
LOGIN_FAILURE Resources used by an unsuccessful attempt to log in
MESSAGE Unformatted record written to the accounting file by a call to the $SNDJBC system service
PRINT Resources used by a print job
PROCESS Resources used by a process

You do not need to stop the tracking of all processes and images. You can prevent resources being tracked for specific types of process and for images running in these types of process.

Table DCLII-19 lists the keywords you can use to specify the type of process.

Table DCLII-19 SET ACCOUNTING Keywords for Process Types
Keyword Type of Process
BATCH Batch process
DETACHED Detached process
INTERACTIVE Interactive process
NETWORK Network process
SUBPROCESS Subprocess (the parent process can be a batch, detached, network, or interactive process)

If the system is no longer tracking any resources, /DISABLE closes the current accounting file.

If you use the /DISABLE qualifier and omit the keywords, the current accounting file does not track any resources, and the system closes the file.

/ENABLE[=(keyword[,...])]

Enables the tracking of the specified resources, and opens the current accounting file if it is not already open. The /ENABLE qualifier uses the same keywords as the /DISABLE qualifier.

Use the keywords shown in Table DCLII-18 to specify the types of resource that you want the local node to track in its current accounting file.

If the resources used by processes or images are being tracked, you can use the keywords shown in Table DCLII-19 to enable the tracking of these resources for specified types of process and for images running in those types of process.

If you use the /ENABLE qualifier and omit the keywords, the current accounting file tracks all resources.

/LOG

Writes information to the current SYS$OUTPUT device as the command executes.

/NEW_FILE

Closes the current accounting file, and starts up a new version of it.

The name of the new file depends on whether the logical name ACCOUNTNG is defined in your system logical name table.

If this logical name is not defined, the SET ACCOUNTING command opens the file SYS$MANAGER:ACCOUNTNG.DAT.

If this logical name is defined, the command opens the file that this logical name points to. If you omit the directory, SYS$MANAGER is the default, and if you omit the file type, .DAT is the default.

The /NEW_FILE qualifier writes a file forward link record to the old file, and a file backward link record to the new file. These records contain the names of the old and new files respectively.

Examples

#1 
$ SET ACCOUNTING /DISABLE /ENABLE=(PROCESS,BATCH,INTERACTIVE)
$ SET ACCOUNTING /ENABLE=IMAGE

This example tells the system to track the resources used only by batch and interactive processes, and by images running in batch and interactive processes. It illustrates the cumulative effect of /ENABLE and /DISABLE qualifiers, and of SET ACCOUNTING commands.

The /DISABLE qualifier prevents the tracking of all resources. The /ENABLE qualifier then tells the system to track the resources used by batch and interactive processes. The second SET ACCOUNTING command tells the system to track the resources used by images.

#2 
$ SET ACCOUNTING /NEW_FILE
$ RENAME SYS$MANAGER:ACCOUNTNG.DAT;-1 WEEK_24_RESOURCES.DAT

This example closes the current accounting file, opens a new version of it, and changes the name of the old file to WEEK_24_RESOURCES.DAT.

SET AUDIT

Provides the management interface to the security auditing system.

Requires the SECURITY privilege.

Format

SET AUDIT/qualifier

PARAMETERS

None.

DESCRIPTION

The SET AUDIT command and the SHOW AUDIT command provide the management interface to the security auditing system.

The SET AUDIT command enables or disables security auditing. In addition, you use the command to do the following:

Values set by the command are saved so it is unnecessary to set them each time the system starts up. Commands for event definition, resource monitoring, and starting a new log apply clusterwide, while other commands apply only to the local node.

Security auditing features require a certain amount of system overhead. Therefore, you should be careful to select the features that will provide the most benefit in your work environment. Enable only the auditing of information that you know you will examine and analyze regularly. Any other collection of data is likely to be wasteful. For further information about auditing, see the OpenVMS Guide to System Security.

There are five categories of qualifiers, grouped by task, for the SET AUDIT command:
Task Qualifiers Requirements
Define auditing events /AUDIT, /ALARM, /CLASS, /ENABLE, /DISABLE Specify whether you are defining alarms (/ALARM), audits (/AUDIT), or both. Also specify whether you are enabling (/ENABLE) or disabling (/DISABLE) the reporting of the event.
Define auditing log file /DESTINATION, /JOURNAL, /VERIFY Requires both the /DESTINATION and /JOURNAL qualifiers.
Define operational characteristics of the audit server and a listener mailbox (if any) /INTERVAL, /LISTENER, /SERVER, /VERIFY None.
Define secondary log file /ARCHIVE, /DESTINATION, /VERIFY None.
Define resource monitoring defaults /BACKLOG, /EXCLUDE, /JOURNAL, /RESOURCE, /THRESHOLD, /VERIFY With the /RESOURCE or /THRESHOLD qualifier, include the /JOURNAL qualifier.

QUALIFIERS

/ALARM

Makes the command apply to alarms, which are messages displayed on an operator terminal. See the description of the DCL command REPLY/ENABLE for details on how to enable terminals to display security messages.

/ARCHIVE=[keyword,...]

Specifies which classes of audit event messages are written to the security archive file. Specify one or more of the following keywords:
Keyword Description
NONE Disables archiving on the system.
[NO]ALL (default) Enables or disables archiving of all system security events. By default, no events are archived.
SYSTEM_ALARM Enables archiving of all security alarm events.
SYSTEM_AUDIT Enables archiving of all security audit events.

Archiving should be run on only one node in an OpenVMS Cluster with its own audit server database because multiple nodes will try to open the audit file exclusively.

/AUDIT

Makes the command apply to audits, which are messages recorded in the system security audit log file.

/BACKLOG=[keyword[,...]]

Specifies the thresholds for suspending a process that has exceeded the process message limit. The thresholds include the total number of messages in memory and the number belonging to the particular process. To prevent a process from being suspended, use the /EXCLUDE qualifier. Specify the following keywords:
Keyword Description
TOTAL=(n1,n2,n3) Thresholds at which flow control is initiated and accelerated; see description below.
PROCESS=(p1,p2) Thresholds at which process submissions are controlled.
Total Messages Default Process Messages Default Action Taken
N1 100 P1 5 When there are 100 messages in memory, the audit server suspends any process that has submitted 5 or more messages until all messages are written to disk.
N2 200 P2 2 When there are 200 messages in memory, the audit server suspends any process that has submitted 2 or more messages until all messages are written to disk.
N3 300 Any process with messages in memory is suspended until all messages are written to disk.

/CLASS=class

Specifies the class of the object whose auditing attributes are to be modified. If /CLASS is not specified, the command assumes the class is FILE. Specify one of the following keywords with the /CLASS qualifier:

/DESTINATION=filespec

When changing the destination of event messages, specifies the new location of the system security audit log file. The device, if part of the file specification, must be a disk. The /DESTINATION qualifier requires the /JOURNAL qualifier in this case.

Once you have relocated the log file, execute the command SET AUDIT/SERVER=NEW_LOG to let all the nodes in the cluster know of the new location. The previous audit log file is closed and all subsequent audit event messages generated throughout the cluster are sent to the new audit log file.

When used with /ARCHIVE, specifies the name of the archive log file. Events can be archived to a local or remote file on any file-structured disk device. For example, you can use an archive file to redirect event messages from a satellite to a larger node in the cluster.

/DISABLE=(keyword[,...])

Disables alarms or audits for the specified events. To disable all system events and file access events, specify the keyword ALL. You must specify at least one of the keywords. For a list of the keywords to use with the /DISABLE qualifier, see the /ENABLE qualifier description. You must also specify either the /ALARM or /AUDIT qualifier, or both, when you use the /DISABLE qualifier.

In processing the SET AUDIT command, the system processes the /DISABLE qualifier last. If you specify both the /ENABLE and /DISABLE qualifiers in the same command line, the /DISABLE qualifier prevails.

/ENABLE=(keyword[,...])

Enables alarms or audits for the specified events. To enable all system events and file access events, specify the keyword ALL. You must specify at least one keyword. You must also specify either the /ALARM or /AUDIT qualifier, or both, when you use the /ENABLE qualifier.

The keywords that you can specify with either the /ENABLE or the /DISABLE qualifier are as follows:
Keyword Description
ACCESS=(condition
[:access[,...]] [,...]) 		Specifies access events for all objects in a class. (To audit a single object, use an auditing ACE and enable the access control list (ACL) category.)

Digital recommends that when you enable auditing conditionally, you enable it for all possible forms of access since the system can check access rights at several points during an operation. (For example, a FAILURE might occur on a read or write access check.)
Condition Keyword Description
ALL All object access
BYPASS Successful object access due to the use of the BYPASS privilege
FAILURE Unsuccessful object access
GRPPRV Successful object access due to the use of the group privilege (GRPPRV)
READALL Successful object access due to the use of the READALL privilege
SUCCESS Successful object access
SYSPRV Successful object access due to the use of the system privilege (SYSPRV)
Access Keyword Description
ALL All types of access
ASSOCIATE Associate access
CONTROL Control access to examine or change security characteristics
CREATE Create access
DELETE Delete access
EXECUTE Execute access
LOCK Lock access
LOGICAL Logical I/O access
MANAGE Manage access
PHYSICAL Physical I/O access
READ Read access
SUBMIT Submit access
WRITE Write access

ACL Specifies an event requested by an audit or alarm ACE in the access control list (ACL) of an object. To audit all objects of a class, use the ACCESS keyword.
ALL Specifies all system events and file access events. It does not enable access events for object classes other than FILE.
AUDIT=keyword Specifies events within the auditing subsystem. Only one keyword is currently defined.
Keyword Description
ILLFORMED Specifies illformed events from internal calls (identified by NSA$M_INTERNAL) to $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS system services. An illformed event is caused by an incomplete or syntactically incorrect argument being supplied to one of these system services by a piece of privileged code.
AUTHORIZATION Specifies the modification of any portion of the system user authorization file (SYSUAF), network proxy authorization file (NETPROXY), or the rights list (RIGHTLIST) (including password changes made through the AUTHORIZE, SET PASSWORD, or LOGINOUT commands or the $SETUAI system service).
BREAKIN=(keyword[,...]) Specifies the occurrence of one or more classes of break-in attempts, as specified by one or more of the following keywords:
  • ALL
  • DETACHED
  • DIALUP
  • LOCAL
  • NETWORK
  • REMOTE
CONNECTION Specifies a logical link connection or termination through DECnet Phase IV, DECwindows, $IPC, or SYSMAN.
CREATE Specifies the creation of an object. Requires the /CLASS qualifier if it is not a file.
DEACCESS Specifies deaccess from an object. Requires the /CLASS qualifier if it is not a file.
DELETE Specifies the deletion of an object. Requires the /CLASS=DEVICE qualifier.
IDENTIFIER Specifies that the use of identifiers as privileges should be audited. For further information, see the OpenVMS Guide to System Security.
INSTALL Specifies modifications made to the known file list through the INSTALL utility.
LOGFAILURE= (keyword[,...]) Specifies the occurrence of one or more classes of login failures, as specified by the following keywords:
ALL All possible types of login failures
BATCH Batch process login failure
DETACHED Detached process login failure
DIALUP Dialup interactive login failure
LOCAL Local interactive login failure
NETWORK Network server task login failure
REMOTE Interactive login failure from another network node, for example, with a SET HOST command
SUBPROCESS Subprocess login failure
LOGIN= (keyword[,...]) Specifies the occurrence of one or more classes of login attempts, as specified by the following keywords. See the LOGFAILURE keyword for further description.
  • ALL
  • DETACHED
  • LOCAL
  • REMOTE
  • BATCH
  • DIALUP
  • NETWORK
  • SUBPROCESS
LOGOUT= (keyword[,...]) Specifies the occurrence of one or more classes of logouts, as specified by the following keywords. See the LOGFAILURE keyword for further description.
  • ALL
  • DETACHED
  • LOCAL
  • REMOTE
  • BATCH
  • DIALUP
  • NETWORK
  • SUBPROCESS
MOUNT Specifies a mount or dismount operation.
NCP Specifies access to the network configuration database, using the network control program (NCP).
PRIVILEGE= (keyword[,...]) Specifies successful or unsuccessful use of privilege, as specified by the following keywords:
  • FAILURE [:privilege(,...)] --- Unsuccessful use of privilege
  • SUCCESS [:privilege(,...)] --- Successful use of privilege

For a listing of privileges, see online help for the DCL command SET PROCESS/PRIVILEGES.

PROCESS= (keyword[,...]) Specifies the use of one or more of the process control system services, as specified by the following keywords:
ALL Use of any of the process control system services
CREPRC All use of $CREPRC
DELPRC All use of $DELPRC
SCHDWK Privileged use of $SCHDWK
CANWAK Privileged use of $CANWAK
WAKE Privileged use of $WAKE
SUSPND Privileged use of $SUSPND
RESUME Privileged use of $RESUME
GRANTID Privileged use of $GRANTID
REVOKID Privileged use of $REVOKID
GETJPI Privileged use of $GETJPI
FORCEX Privileged use of $FORCEX
SETPRI Privileged use of $SETPRI

Privileged use of a process control system service means the caller used GROUP or WORLD privilege to affect the target process.

SYSGEN Specifies the modification of a system parameter with the OpenVMS System Generation utility.
TIME Specifies the modification of system time.

/EXCLUDE=process-id

/NOEXCLUDE=process-id

Adds a process identification (PID) to the audit server's process exclusion list. The process exclusion list contains those processes that will not be suspended by the audit server if a resource exhaustion reaches the action threshold. By default, realtime processes and all of the following processes are included in the process exclusion list and are never suspended:

Use the SET AUDIT/NOEXCLUDE command to remove a process from the process exclusion list; however, processes listed above cannot be removed from the exclusion list. Also note that PIDs are not automatically removed from the process exclusion list when processes log out of the system.

/INTERVAL=(keyword[,...])

Specifies the delta times to be used for regular audit server operations. For information about specifying delta times, see the OpenVMS User's Manual. The following table describes keywords for the /INTERVAL qualifier.
Keyword Description
ARCHIVE_FLUSH=time Specifies the interval at which data collected by the audit server is written to the archive file. The default is 1 minute.
JOURNAL_FLUSH=time Specifies the interval at which data collected by the audit server is written to the audit log file. The default is 5 minutes.
RESOURCE_MONITOR=time Specifies the interval at which the audit server retries log file allocation or access. This interval applies whenever free space in the log file is below either the warning or action thresholds, or when the volume holding the log file is inaccessible. The default interval is 5 minutes.
RESUME_SCAN=time Specifies the interval at which the audit server reviews an existing resource exhaustion condition. The default is 15 minutes.

/JOURNAL[=journal-name]

Specifies the name of the audit journal; the name defaults to SECURITY. (Currently, there is only one journal.)

The /JOURNAL qualifier is required when redefining the audit log file or when specifying resource monitoring characteristics with the /RESOURCE or the /THRESHOLD qualifier.

/LISTENER=device

/NOLISTENER

Specifies the name of a mailbox device to which the audit server sends a binary copy of all security audit event messages. Users can create such a mailbox to process system security events as they occur. For a description of the message formats written to the listener mailbox, see the Audit Analysis Utility documentation in the OpenVMS System Management Utilities Reference Manual.

Previous | Next | Contents | [Home] | [Comments] | [Ordering info] | [Help]

[HR] 

  9996P039.HTM
  OSSG Documentation
  26-NOV-1996 11:18:00.95

Copyright © Digital Equipment Corporation 1996. All Rights Reserved.

Legal