ANALYZE/AUDIT

From VSI OpenVMS Wiki

ANALYZE/AUDIT is a utility that lets you view the system security audit log.

Criteria for Selecting Records

/SELECT specifies the criteria for selecting records for the audit report.

Criterion Description
ACCESS Specifies the type of object access upon which the selection is based: ASSOCIATE, CONTROL, CREATE, DELETE, EXECUTE, LOCK, LOGICAL, MANAGE, PHYSICAL, READ, SUBMIT, USE, WRITE
ACCOUNT Specifies the account name on which the selection is based. Wildcards can be used
ASSOCIATION_NAME Specifies the name of the interprocess communication (IPC) association
AUDIT_NAME Specifies the audit journal name on which the selection is based.
COMMAND_LINE Specifies the command line that the user entered
CONNECTION_IDENTIFICATION Specifies the name for the interprocess communication (IPC) connection
DECNET_LINK_IDENTIFICATION Specifies the number of the DECnet logical link
DECNET_OBJECT_NAME Specifies the name of the DECnet object
DECNET_OBJECT_NUMBER Specifies the number of the DECnet object
DEFAULT_USERNAME Specifies the default local user name for incoming network proxy
DEVICE_NAME Specifies the name of a device in audit records that have a DEVICE_NAME packet. Note that this does not select the device name when it occurs in other packet types, such as in a file name or in the TARGET_DEVICE_NAME packet
DIRECTORY_ENTRY Specifies the directory entry associated with file system operation
DIRECTORY_NAME Specifies the name of the directory file.
DISMOUNT_FLAGS Identifies the names of the volume dismounting flags to be used in selecting records. Specify one or more of the following flag names: Abort, Cluster, Nounload, and Unit.
EVENT_CLUSTER_NAME Specifies the name of the event flag cluster.
FACILITY Specifies that only events audited by the named facility be selected. Provide a name or a number but, in either case, the facility has to be defined through the logical AUDSERV$FACILITY_NAME as a decimal number; the system uses the number 0.
FIELD_NAME Specifies the name of the field that was modified. ANALYZE/AUDIT uses the FIELD_NAME criterion with packets containing the original data and the new data (specified by the NEW_DATA criterion). A FIELD_NAME is a character string that describes the content of the field. A search for "NEW:" in a full audit report will display records that contain the FIELD_NAME values that can be specified for this option. Examples of FIELD_NAME values are Account, Default Directory, Flags, and Password Date. For sensitive information, see SENSITIVE_FIELD_NAME.
FILE_NAME Describes audit records for the specified file by using a slightly different display format than is provided by the /OBJECT=NAME=object-name keyword.
FILE_IDENTIFICATION Specifies the value of the file's identification. To calculate the value, start with the value listed for File ID when you use the FILE_NAME keyword. For example, if the display lists the File ID as (3024,5,0), use the following formula to calculate the value: (((0 * 65536) + 5) * 65536) + 3024 = 330704

FLAGS Identifies the names of the audit event flags associated with the audited event. These names should be used in selecting records. Specify one or more of the following flags: ACL, Alarm, Audit, Flush, Foreign, Internal, and Mandatory.
HOLDER Specifies the name of the holder. Wildcards can be used.
IDENTIFIER Identifies which attributes of an identifier should be used when selecting event records. The following keywords can be used: ATTRIBUTES, NAME, NEW_NAME, NEW_ATTRIBUTES, VALUE, NEW_VALUE
IDENTIFIERS_MISSING Specifies the identifiers missing in a failure to access an object.
IDENTIFIERS_USED Specifies the identifiers used to gain access to an object. An event record matches if the specified list is a subset of the identifiers recorded in the event record
IMAGE_NAME Identifies the name of the image to be used when selecting event records. You can represent all or part of the image name with a wildcard
INSTALL Specifies that installation event packets are to be considered when selecting event records. Choose from the following keywords: FILE, FLAGS, PRIVILEGES
LNM_PARENT_NAME Specifies the name of the parent logical name table
LNM_TABLE_NAME Specifies the name of the logical name table
LOCAL Specifies the characteristics of the local (proxy) account to be used when selecting event records. The following characteristic is supported: USERNAME
LOGICAL_NAME Specifies the logical name of the mounted (or dismounted) volume upon which selection is based. You can represent all or part of the logical name with a wildcard.
MAILBOX_UNIT Specifies the number of the mailbox unit.
MOUNT_FLAGS Specifies the names of the volume mounting flags upon which selection is based. Possible flag names include the following names: CACHE=(NONE,WRITETHROUGH), CDROM, CLUSTER, COMPACTION, DATACHECK=(READ,WRITE), DSI, FOREIGN, GROUP, INCLUDE, INITIALIZATION=(ALLOCATE,CONTINUATION), MESSAGE, NOASSIST, NOAUTOMATIC, NOCOMPACTION, NOCOPY, NOHDR3, NOJOURNAL, NOLABEL, NOMOUNT_VERIFICATION, NOQUOTA, NOREBUILD, NOUNLOAD, NOWRITE, OVERRIDE, POOL, QUOTA, SHARE, SUBSYSTEM, SYSTEM, TAPE_DATA_WRITE, XAR
NEW_DATA Specifies the value to use after the event occurs. Use this criterion with the FIELD_NAME criterion. When you use the Authorize utility (AUTHORIZE) to copy a user name, NEW_DATA specifies the newly created user name. For sensitive information, see SENSITIVE_NEW_DATA.
NEW_IMAGE_NAME Specifies the name of the image to be activated in the newly created process, as supplied to the $CREPRC system service.
NEW_OWNER Specifies the user identification code (UIC) to be assigned to the created process, as supplied to the $CREPRC system service.
OBJECT Specifies which characteristics of an object should be used when selecting event records. Choose any of the following keywords: CLASS, NAME, TYPE
PARENT Specifies which characteristics of the parent process are used when selecting event records generated by a subprocess. Choose from the following keywords: IDENTIFICATION, NAME, OWNER, USERNAME
PASSWORD Specifies the password used when the system detected a break-in attempt.
PRIVILEGES_MISSING Specifies privileges the caller needed to perform the operation successfully.
PRIVILEGES_USED Specifies the privileges of the process to be used when selecting event records. Also include the STATUS keyword in the selection criteria so the report can demonstrate whether the privilege was involved in a successful or an unsuccessful operation.
PROCESS Specifies the characteristics of the process to be used when selecting event records. Choose from the following characteristics: IDENTIFICATION, NAME
REMOTE Specifies that some characteristic of the network request is to be used when selecting event records. Choose from the following keywords: ASSOCIATION_NAME, LINK_IDENTIFICATION, IDENTIFICATION, NODENAME, USERNAME
REQUEST_NUMBER Specifies the request number associated with the DCL command REQUEST/REPLY.
SECTION_NAME Specifies the name of the global section
SENSITIVE_FIELD_NAME Specifies the name of the field that was modified. ANALYZE/AUDIT uses the SENSITIVE_FIELD_NAME criterion, such as PASSWORD, with packets containing the original data and the new data (specified by the SENSITIVE_NEW_DATA criterion).
SENSITIVE_NEW_DATA Specifies the value to use after the event occurs. Use this criterion with the SENSITIVE_FIELD_NAME criterion.
SNAPSHOT_BOOTFILE Specifies the name of the file containing a snapshot of the system.
SNAPSHOT_SAVE_FILENAME Specifies the name of the system snapshot file for a save operation that is in progress.
STATUS Specifies the type of success status to be used when selecting event records. Choose from the following status types: SUCCESSFUL, FAILURE, CODE (completion status). Note that if you specify CODE more than once, only the last value is matched.
SUBJECT_OWNER Specifies the owner (UIC) of the process causing the event.
SUBTYPE Specifies that the criteria be limited to the value or values specified as a subtype. The following table lists events and their related subtypes. After SUBTYPE, enter the subtypes as they appear in the list, for example, SUBTYPE=ALARM_STATE. (In other words, do not enter a prefix.)
Event Type or Subtype Meaning
ALARM_STATE Events enabled as alarms
AUDIT_DISABLED Audit events disabled
AUDIT_ENABLED Audit events enabled
AUDIT_INITIATE Audit server startup
AUDIT_LOG_FIRST First entry in audit log (backward link)
AUDIT_LOG_FINAL Final entry in audit log (forward link)
AUDIT_STATE Events enabled as audits
AUDIT_TERMINATE Audit server shutdown
NSA$C_MSG_BREAKIN Break-in attempt detected
BATCH Batch process
DETACHED Detached process
DIALUP Dialup interactive process
LOCAL Local interactive process
NETWORK Network server task
REMOTE Interactive process from another network node
SUBPROCESS Subprocess
NSA$C_MSG_CONNECTION Logical link connection or termination
CNX_ABORT Connection aborted
CNX_ACCEPT Connection accepted
CNX_DECNET_CREATE DECnet logical link created
CNX_DECNET_DELETE DECnet logical link disconnected
CNX_DISCONNECT Connection disconnected
CNX_INC_ABORT Incoming connection request aborted
CNX_INC_ACCEPT Incoming connection request accepted
CNX_INC_DISCONNECT Incoming connection disconnected
CNX_INC_REJECT Incoming connection request rejected
CNX_INC_REQUEST Incoming connection request
CNX_IPC_CLOSE Interprocess communication association closed
CNX_IPC_OPEN Interprocess communication association opened
CNX_REJECT Connection rejected
CNX_REQUEST Connection requested
NSA$C_MSG_INSTALL Use of the Install utility (INSTALL)
INSTALL_ADD Known image installed
INSTALL_REMOVE Known image deleted
NSA$C_MSG_LOGFAIL Login failure
NSA$C_MSG_LOGIN Successful login
NSA$C_MSG_LOGOUT Successful logout
NSA$C_MSG_MOUNT Volume mount or dismount
VOL_DISMOUNT Volume dismount
VOL_MOUNT Volume mount
NSA$C_MSG_NCP Modification to network configuration database
NCP_COMMAND Network Control Program (NCP) command issued
NSA$C_MSG_NETPROXY Modification to network proxy database
NETPROXY_ADD Record added to network proxy authorization file
NETPROXY_DELETE Record removed from network proxy authorization file
NETPROXY_MODIFY Record modified in network proxy authorization file

NSA$C_MSG_OBJ_ACCESS Object access attempted
OBJ_ACCESS Access attempted to create, delete, or deaccess an object
NSA$C_MSG_OBJ_CREATE Object creation attempted
OBJ_CREATE Access attempted to create an object
NSA$C_MSG_OBJ_DEACCESS Object deaccessed
OBJ_DEACCESS Attempt to complete access to an object
NSA$C_MSG_OBJ_DELETE Object deletion attempted
OBJ_DELETE Object deletion attempted
NSA$C_MSG_PROCESS Process controlled through a system service
PRC_CANWAK Process wakeup canceled
PRC_CREPRC Process created
PRC_DELPRC Process deleted
PRC_FORCEX Process exit forced
PRC_GETJPI Process information gathered
PRC_GRANTID Process identifier granted
PRC_RESUME Process resumed
PRC_REVOKID Process identifier revoked
PRC_SCHDWK Process wakeup scheduled
PRC_SETPRI Process priority altered
PRC_SIGPRC Process exception issued
PRC_SUSPND Process suspended
PRC_TERM Process termination notification requested
PRC_WAKE Process wakeup issued
NSA$C_MSG_PRVAUD Use of privilege
PRVAUD_FAILURE Unsuccessful use of privilege
PRVAUD_SUCCESS Successful use of privilege
NSA$C_MSG_RIGHTSDB Modification to the rights database
RDB_ADD_ID Identifier added to rights database
RDB_CREATE Rights database created
RDB_GRANT_ID Identifier granted to user
RDB_MOD_HOLDER List of identifier holders modified
RDB_MOD_ID Identifier name or attributes modified
RDB_REM_ID Identifier removed from rights database
RDB_REVOKE_ID Identifier taken away from user
NSA$C_MSG_SYSGEN Use of the System Generation utility
SYSGEN_SET System parameter modified
NSA$C_MSG_SYSTIME Modification to system time
SYSTIM_SET System time set
SYSTIM_CAL System time calibrated
NSA$C_MSG_SYSUAF Modification to system user authorization file (SYSUAF)
SYSUAF_ADD Record added to system user authorization file
SYSUAF_COPY Record added to system user authorization file
SYSUAF_DELETE Record deleted from system user authorization file
SYSUAF_MODIFY Record modified in system user authorization file
SYSUAF_RENAME Record renamed in system user authorization file
SYSTEM Specifies the characteristics of the system to be used when selecting event records. Choose from the following keywords: IDENTIFICATION, NAME
SYSTEM_SERVICE_NAME Specifies the name of the system service associated with the event.
TARGET_DEVICE_NAME Specifies the target device name used by a process control system service.
TARGET_PROCESS_IDENTIFICATION Specifies the target process identifier (PID) used by a process control system service.
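The FILE_IDENTIFICATION criterion above requires a packed numeric value rather than the (file-number,sequence,RVN) form shown in a full report. As an added illustration (not code from the wiki page or from VSI), this Python helper applies the page's formula to a File ID copied from a report, inverts it for checking, and builds the matching /SELECT command; the default journal path SYS$MANAGER:SECURITY.AUDIT$JOURNAL is an assumption.

```python
import re

# Display form of a File ID as printed in a full ANALYZE/AUDIT report: (file-number,sequence,rvn)
_FID_RE = re.compile(r"^\s*\(\s*(\d+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)\s*$")


def parse_file_id(text: str) -> tuple:
    """Parse '(3024,5,0)' into (file_number, sequence_number, relative_volume_number)."""
    m = _FID_RE.match(text)
    if not m:
        raise ValueError(f"not a File ID display: {text!r}")
    return tuple(int(g) for g in m.groups())


def file_id_value(text: str) -> int:
    """Apply the page's formula: (((rvn * 65536) + seq) * 65536) + file_number.
    Each component occupies one 16-bit field of the packed value, so anything
    wider would corrupt a neighbouring field and is rejected instead."""
    fnum, seq, rvn = parse_file_id(text)
    for name, v in (("file number", fnum), ("sequence", seq), ("RVN", rvn)):
        if not 0 <= v < 65536:
            raise ValueError(f"{name} {v} does not fit in 16 bits")
    return ((rvn * 65536) + seq) * 65536 + fnum


def file_id_display(value: int) -> str:
    """Inverse of file_id_value: unpack the three 16-bit fields back into display form,
    useful for checking a value before typing it into a long /SELECT command."""
    fnum = value & 0xFFFF
    seq = (value >> 16) & 0xFFFF
    rvn = (value >> 32) & 0xFFFF
    return f"({fnum},{seq},{rvn})"


def select_by_file_id(text: str, journal: str = "SYS$MANAGER:SECURITY.AUDIT$JOURNAL") -> str:
    """Build the DCL command that reports every record for this file.
    The journal path is an assumed default; the page does not state one."""
    return f"ANALYZE/AUDIT/FULL/SELECT=FILE_IDENTIFICATION={file_id_value(text)} {journal}"


if __name__ == "__main__":
    # Constructed sample: the File ID the page itself uses in its worked example
    sample = "(3024,5,0)"
    print(file_id_value(sample))      # 330704
    print(file_id_display(330704))    # (3024,5,0)
    print(select_by_file_id(sample))
```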

See also