Junji: add Category:DCL Commands

2021-11-26T02:26:10Z

add Category:DCL Commands

← Older revision		Revision as of 02:26, 26 November 2021
Line 457:		Line 457:

	[[Category:Utilities]]		[[Category:Utilities]]
			[[Category:DCL Commands]]

Darya.zelenina: added the See also section and the category link

2019-04-05T18:08:54Z

added the See also section and the category link

← Older revision		Revision as of 18:08, 5 April 2019
Line 452:		Line 452:
	\| Specifies the target process identifier (PID) used by a process control system service.		\| Specifies the target process identifier (PID) used by a process control system service.
	\|}		\|}

			=See also=
			* {{Template:UtilitiesI}} for use instructions and command dictionary

			[[Category:Utilities]]

Darya.zelenina: Created page with "'''ANALYZE/AUDIT''' is a utility that lets you view the system security audit log. =Criteria for Selecting Records= /SELECT specifies the criteria for selecting records for t..."

2019-03-28T12:42:19Z

Created page with "'''ANALYZE/AUDIT''' is a utility that lets you view the system security audit log. =Criteria for Selecting Records= /SELECT specifies the criteria for selecting records for t..."

New page

'''ANALYZE/AUDIT''' is a utility that lets you view the system security audit log.

=Criteria for Selecting Records=
/SELECT specifies the criteria for selecting records for the audit report.

{| class="wikitable"
! colspan='col' | Criterion
! colspan='col' | Description
|-
| ACCESS
| Specifies the type of object access upon which the selection is based: ASSOCIATE, CONTROL, CREATE, DELETE, EXECUTE, LOCK, LOGICAL, MANAGE, PHYSICAL, READ, SUBMIT, USE, WRITE
|-
| ACCOUNT
| Specifies the account name on which the selection is based. Wildcards can be used
|-
| ASSOCIATION_NAME
| Specifies the name of the interprocess communication (IPC) association
|-
| AUDIT_NAME
| Specifies the audit journal name on which the selection is based.
|-
| COMMAND_LINE
| Specifies the command line that the user entered
|-
| CONNECTION_IDENTIFICATION
| Specifies the name for the interprocess communication (IPC) connection
|-
| DECNET_LINK_IDENTIFICATION
| Specifies the number of the DECnet logical link
|-
| DECNET_OBJECT_NAME
| Specifies the name of the DECnet object
|-
| DECNET_OBJECT_NUMBER
| Specifies the number of the DECnet object
|-
| DEFAULT_USERNAME
| Specifies the default local user name for incoming network proxy
|-
| DEVICE_NAME
| Specifies the name of a device in audit records that have a DEVICE_NAME packet. Note that this does not select the device name when it occurs in other packet types, such as in a file name or in the TARGET_DEVICE_NAME packet
|-
| DIRECTORY_ENTRY
| Specifies the directory entry associated with file system operation
|-
| DIRECTORY_NAME
| Specifies the name of the directory file.
|-
| DISMOUNT_FLAGS
| Identifies the names of the volume dismounting flags to be used in selecting records. Specify one or more of the following flag names: Abort, Cluster, Nounload, and Unit.
|-
| EVENT_CLUSTER_NAME
| Specifies the name of the event flag cluster.
|-
| FACILITY
| Specifies that only events audited by the named facility be selected. Provide a name or a number but, in either case, the facility has to be defined through the logical AUDSERV$FACILITY_NAME as a decimal number; the system uses the number 0.
|-
| FIELD_NAME
| Specifies the name of the field that was modified. ANALYZE/AUDIT uses the FIELD_NAME criterion with packets containing the original data and the new data (specified by the NEW_DATA criterion). A FIELD_NAME is a character string that describes the content of the field. A search for "NEW:" in a full audit report will display records that contain the FIELD_NAME values that can be specified for this option. Examples of FIELD_NAME values are Account, Default Directory, Flags, and Password Date. For sensitive information, see SENSITIVE_FIELD_NAME.
|-
| FILE_NAME
| Describes audit records for the specified file by using a slightly different display format than is provided by the /OBJECT=NAME=object-name keyword.
|-
| FILE_IDENTIFICATION
| Specifies the value of the file's identification. To calculate the value, start with the value listed for File ID when you use the FILE_NAME keyword. For example, the display lists the File ID
as (3024,5,0), use the following formula to calculate the value: (((0 * 65536) + 5)* 65536) + 3024 = 330704
|-
| FLAGS
| Identifies the names of the audit event flags associated with the audited event. These names should be used in selecting records. Specify one or more of the following flags: ACL, Alarm, Audit, Flush, Foreign, Internal, and Mandatory.
|-
| HOLDER
| Specifies the name of the holder. Wildcards can be used.
|-
| IDENTIFIER
| Identifies which attributes of an identifier should be used when selecting event records. The following keywords can be used: ATTRIBUTES, NAME, NEW_NAME, NEW_ATTRIBUTES, VALUE, NEW_VALUE
|-
| IDENTIFIERS_MISSING
| Specifies the identifiers missing in a failure to access an object.
|-
| IDENTIFIERS_USED
| Specifies the identifiers used to gain access to an object. An event record matches if the specified list is a subset of the identifiers recorded in the event record
|-
| IMAGE_NAME
| Identifies the name of the image to be used when selecting event records. You can represent all or part of the image name with a wildcard
|-
| INSTALL
| Specifies that installation event packets are to be considered when selecting event records. Choose from the following keywords: FILE, FLAGS, PRIVILEGES
|-
| LNM_PARENT_NAME
| Specifies the name of the parent logical name table
|-
| LNM_TABLE_NAME
| Specifies the name of the logical name table
|-
| LOCAL
| Specifies the characteristics of the local (proxy) account to be used when selecting event records. The following characteristic is supported: USERNAME
|-
| LOGICAL_NAME
| Specifies the logical name of the mounted (or dismounted) volume upon which selection is based. You can represent all or part of the logical name with a wildcard.
|-
| MAILBOX_UNIT
| Specifies the number of the mailbox unit.
|-
| MOUNT_FLAGS
| Specifies the names of the volume mounting flags upon which selection is based. Possible flag names include the following names: CACHE=(NONE,WRITETHROUGH), CDROM, CLUSTER, COMPACTION, DATACHECK=(READ,WRITE), DSI, FOREIGN, GROUP, INCLUDE, INITIALIZATION=(ALLOCATE,CONTINUATION), MESSAGE, NOASSIST, NOAUTOMATIC, NOCOMPACTION, NOCOPY, NOHDR3, NOJOURNAL, NOLABEL, NOMOUNT_VERIFICATION, NOQUOTA, NOREBUILD, NOUNLOAD, NOWRITE, OVERRIDE, POOL, QUOTA, SHARE, SUBSYSTEM, SYSTEM, TAPE_DATA_WRITE, XAR
|-
| NEW_DATA
| Specifies the value to use after the event occurs. Use this criterion with the FIELD_NAME criterion. When you use the Authorize utility (AUTHORIZE) to copy a user name, NEW_DATA specifies the newly created user name. For sensitive information, see SENSITIVE_NEW_DATA.
|-
| NEW_IMAGE_NAME
| Specifies the name of the image to be activated in the newly created process, as supplied to the $CREPRC system service.
|-
| NEW_OWNER
| Specifies the user identification code (UIC) to be assigned to the created process, as supplied to the $CREPRC system service.
|-
| OBJECT
| Specifies which characteristics of an object should be used when selecting event records. Choose any of the following keywords: [[Object Class|CLASS]], NAME, TYPE,
|-
| PARENT
| Specifies which characteristics of the parent process are used when selecting event records generated by a subprocess. Choose from the following keywords:IDENTIFICATION,NAME,OWNER,USERNAME
|-
| PASSWORD
| Specifies the password used when the system detected a break-in attempt.
|-
| PRIVILEGES_MISSING
| Specifies [[Privileges|privileges]] the caller needed to perform the operation successfully.
|-
| PRIVILEGES_USED
| Specifies the [[Privileges|privileges]] of the process to be used when selecting event records. Also include the STATUS keyword in the selection criteria so the report can demonstrate whether the privilege was involved in a successful or an unsuccessful operation.
|-
| PROCESS
| Specifies the characteristics of the process to be used when selecting event records. Choose from the following characteristics: IDENTIFICATION, NAME
|-
| REMOTE
| Specifies that some characteristic of the network request is to be used when selecting event records. Choose from the following keywords: ASSOCIATION_NAME, LINK_IDENTIFICATION, IDENTIFICATION, NODENAME, USERNAME
|-
| REQUEST_NUMBER
| Specifies the request number associated with the DCL command REQUEST/REPLY.
|-
| SECTION_NAME
| Specifies the name of the [[Global Section|global section]]
|-
| SENSITIVE_FIELD_NAME
| Specifies the name of the field that was modified. ANALYZE/AUDIT uses the SENSITIVE_FIELD_NAME criterion, such as PASSWORD, with packets containing the original data and the new data (specified by the SENSITIVE_NEW_DATA criterion).
|-
| SENSITIVE_NEW_DATA
| Specifies the value to use after the event occurs. Use this criterion with the SENSITIVE_FIELD_NAME criterion.
|-
| SNAPSHOT_BOOTFILE
| Specifies the name of the file containing a snapshot of the system.
|-
| SNAPSHOT_SAVE_FILENAME
| Specifies the name of the system snapshot file for a save operation that is in progress.
|-
| STATUS
| Specifies the type of success status to be used when selecting event records. Choose from the following status types: SUCCESSFUL, FAILURE, CODE (completion status). Note that if you specify CODE more than once, only the last value is matched.
|-
| SUBJECT_OWNER
| Specifies the owner (UIC) of the process causing the event.
|-
| SUBTYPE
| Specifies that the criteria be limited to the value or values specified as a subtype. The following table lists events and their related subtypes. After SUBTYPE, enter the subtypes as they appear in the list-for example, SUBTYPE=ALARM_STATE. (In other words, do not enter a prefix.)
{| class="wikitable"
! colspan='col' | Event Type or Subtype
! colspan='col' | Meaning
|-
| ALARM_STATE
| Events enabled as alarms
|-
| AUDIT_DISABLED
| Audit events disabled
|-
| AUDIT_ENABLED
| Audit events enabled
|-
| AUDIT_INITIATE
| Audit server startup
|-
| AUDIT_LOG_FIRST
| First entry in audit log (backward link)
|-
| AUDIT_LOG_FINAL
| Final entry in audit log (forward link)
|-
| AUDIT_STATE
| Events enabled as audits
|-
| AUDIT_TERMINATE
| Audit server shutdown
|-
| NSA$C_MSG_BREAKIN
| Break-in attempt detected
|-
| BATCH
| Batch process
|-
| DETACHED
| Detached process
|-
| DIALUP
| Dialup interactive process
|-
| LOCAL
| Local interactive process
|-
| NETWORK
| Network server task
|-
| REMOTE
| Interactive process from another network node
|-
| SUBPROCESS
| Subprocess
|-
| NSA$C_MSG_CONNECTION
| Logical link connection or termination
|-
| CNX_ABORT
| Connection aborted
|-
| CNX_ACCEPT
| Connection accepted
|-
| CNX_DECNET_CREATE
| DECnet logical link created
|-
| CNX_DECNET_DELETE
| DECnet logical link disconnected
|-
| CNX_DISCONNECT
| Connection disconnected
|-
| CNX_INC_ABORT
| Incoming connection request aborted
|-
| CNX_INC_ACCEPT
| Incoming connection request accepted
|-
| CNX_INC_DISCONNECT
| Incoming connection disconnected
|-
| CNX_INC_REJECT
| Incoming connection request rejected
|-
| CNX_INC_REQUEST
| Incoming connection request
|-
| CNX_IPC_CLOSE
| Interprocess communication association closed
|-
| CNX_IPC_OPEN
| Interprocess communication association opened
|-
| CNX_REJECT
| Connection rejected
|-
| CNX_REQUEST
| Connection requested
|-
| NSA$C_MSG_INSTALL
| Use of the Install utility (INSTALL)
|-
| INSTALL_ADD
| Known image installed
|-
| INSTALL_REMOVE
| Known image deleted
|-
| NSA$C_MSG_LOGFAIL
| Login failure
|-
| NSA$C_MSG_LOGIN
| Successful login
|-
| NSA$C_MSG_LOGOUT
| Successful logout
|-
| NSA$C_MSG_MOUNT
| Volume mount or dismount
|-
| VOL_DISMOUNT
| Volume dismount
|-
| VOL_MOUNT
| Volume mount
|-
| NSA$C_MSG_NCP
| Modification to network configuration database
|-
| NCP_COMMAND
| Network Control Program (NCP) command issued
|-
| NSA$C_MSG_NETPROXY
| Modification to network proxy database
|-
| NETPROXY_ADD
| Record added to network proxy authorization file
|-
| NETPROXY_DELETE
| Record removed from network proxy authorization file
|-
| NETPROXY_MODIFY
| Record modi
fied in network proxy authorization file
|-
| NSA$C_MSG_OBJ_ACCESS
| Object access attempted
|-
| OBJ_ACCESS
| Access attempted to create, delete, or deaccess an object
|-
| NSA$C_MSG_OBJ_CREATE
| Object creation attempted
|-
| OBJ_CREATE
| Access attempted to create an object
|-
| NSA$C_MSG_OBJ_DEACCESS
| Object deaccessed
|-
| OBJ_DEACCESS
| Attempt to complete access to an object
|-
| NSA$C_MSG_OBJ_DELETE
| Object deletion attempted
|-
| OBJ_DELETE
| Object deletion attempted
|-
| NSA$C_MSG_PROCESS
| Process controlled through a system service
|-
| PRC_CANWAK
| Process wakeup canceled
|-
| PRC_CREPRC
| Process created
|-
| PRC_DELPRC
| Process deleted
|-
| PRC_FORCEX
| Process exit forced
|-
| PRC_GETJPI
| Process information gathered
|-
| PRC_GRANTID
| Process identifier granted
|-
| PRC_RESUME
| Process resumed
|-
| PRC_REVOKID
| Process identifier revoked
|-
| PRC_SCHDWK
| Process wakeup scheduled
|-
| PRC_SETPRI
| Process priority altered
|-
| PRC_SIGPRC
| Process exception issued
|-
| PRC_SUSPND
| Process suspended
|-
| PRC_TERM
| Process termination notification requested
|-
| PRC_WAKE
| Process wakeup issued
|-
| NSA$C_MSG_PRVAUD
| Use of privilege
|-
| PRVAUD_FAILURE
| Unsuccessful use of privilege
|-
| PRVAUD_SUCCESS
| Successful use of privilege
|-
| NSA$C_MSG_RIGHTSDB
| Modification to the rights database
|-
| RDB_ADD_ID
| Identifier added to rights database
|-
| RDB_CREATE
| Rights database created
|-
| RDB_GRANT_ID
| Identifier granted to user
|-
| RDB_MOD_HOLDER
| List of identifier holders modified
|-
| RDB_MOD_ID
| Identifier name or attributes modified
|-
| RDB_REM_ID
| Identifier removed from rights database
|-
| RDB_REVOKE_ID
| Identifier taken away from user
|-
| NSA$C_MSG_SYSGEN
| Use of the [[SYSGEN|System Generation utility]]
|-
| SYSGEN_SET
| System parameter modified
|-
| NSA$C_MSG_SYSTIME
| Modification to system time
|-
| SYSTIM_SET
| System time set
|-
| SYSTIM_CAL
| System time calibrated
|-
| NSA$C_MSG_SYSUAF
| Modification to system user authorization file (SYSUAF)
|-
| SYSUAF_ADD
| Record added to system user authorization file
|-
| SYSUAF_COPY
| Record added to system user authorization file
|-
| SYSUAF_DELETE
| Record deleted from system user authorization file
|-
| SYSUAF_MODIFY
| Record modified in system user authorization file
|-
| SYSUAF_RENAME
| Record renamed in system user authorization file
|}
|-
| SYSTEM
| Specifies the characteristics of the system to be used when selecting event records. Choose from the following keywords: IDENTIFICATION,NAME
|-
| SYSTEM_SERVICE_NAME
| Specifies the name of the system service associated with the event.
|-
| TARGET_DEVICE_NAME
| Specifies the target device name used by a process control system service.
|-
| TARGET_PROCESS_IDENTIFICATION
| Specifies the target process identifier (PID) used by a process control system service.
|}

ANALYZE/AUDIT - Revision history

Junji: add Category:DCL Commands

Darya.zelenina: added the See also section and the category link

Darya.zelenina: Created page with "'''ANALYZE/AUDIT''' is a utility that lets you view the system security audit log. =Criteria for Selecting Records= /SELECT specifies the criteria for selecting records for t..."