Difference between revisions of "SET AUDIT"

From VSI OpenVMS Wiki
Jump to: navigation, search
Line 15: Line 15:
 
* /ALARM
 
* /ALARM
 
* /CLASS
 
* /CLASS
* /ENABLE
+
* /ENABLE=class
* /DISABLE
+
* /DISABLE=class
 
| Specify whether you are defining alarms (/ALARM), audits (/AUDIT), or both. Also specify whether you are enabling (/ENABLE) or disabling (/DISABLE) the reporting of the event.
 
| Specify whether you are defining alarms (/ALARM), audits (/AUDIT), or both. Also specify whether you are enabling (/ENABLE) or disabling (/DISABLE) the reporting of the event.
 
|-
 
|-
Line 52: Line 52:
 
|}
 
|}
  
 +
==Keywords==
 +
The following table contains the keywords you may use with the /ENABLE and /DISABLE qualifiers.
 +
{| class="wikitable"
 +
! colspan="col" | Keyword
 +
! colspan="col" | Description
 +
|-
 +
| ACCESS=(condition [:access[,...]] [,...])
 +
| Specifies access events for all objects in a [[Object Class|class]] (unlike ACL which specifies access events for a particular object in the class).
 +
The following access events are valid:
 +
{| class="wikitable"
 +
! colspan="col" | Access event
 +
! colspan="col" | Description
 +
|-
 +
| ALL
 +
| All object classes
 +
|-
 +
| BYPASS
 +
| Successful object access due to the use of the [[BYPASS]] privilege
 +
|-
 +
| FAILURE
 +
| Unsuccessful object access
 +
|-
 +
| GRPPRV
 +
| Successful object access due to the use of the [[GRPPRV]] privilege
 +
|-
 +
| READALL
 +
| Successful object access due to the use of the [[READALL]] privilege
 +
|-
 +
| SUCCESS
 +
| Successful object access
 +
|-
 +
| SYSPRV
 +
| Successful object access due to the use of the system privilege (SYSPRV)
 +
|-
 +
| ALL
 +
| All types of access
 +
|-
 +
| ASSOCIATE
 +
| Associate access
 +
|-
 +
| CONTROL
 +
| Control access to examine or change security characteristics
 +
|-
 +
| CREATE
 +
| Create access. To audit create events for files, use the CREATE keyword.
 +
|-
 +
| DELETE
 +
| Delete access
 +
|-
 +
| EXECUTE
 +
| Execute access
 +
|-
 +
| LOCK
 +
| Lock access
 +
|-
 +
| LOGICAL
 +
| Logical I/O access
 +
|-
 +
| MANAGE
 +
| Manage access
 +
|-
 +
| PHYSICAL
 +
| Physical I/O access
 +
|-
 +
| READ
 +
| Read access
 +
|-
 +
| SUBMIT
 +
| Submit access
 +
|-
 +
| WRITE
 +
| Write access
 +
|}
 +
|-
 +
| ACL
 +
| Specifies an event requested by an audit or alarm ACE in the access control list (ACL) of an object. To audit all objects of a class, use the ACCESS keyword.
 +
|-
 +
| ALL
 +
| Specifies all system events and file access events. It does not enable access events for [[Object Class|object classes]] other than FILE.
 +
|-
 +
| AUDIT=keyword
 +
| Specifies events within the [[Security Auditing|auditing subsystem]]. Only one keyword is currently defined: ILLFORMED (specifies illformed events from internal calls (identified by NSA$M_INTERNAL) to $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS system services.
 +
|-
 +
| AUTHORIZATION
 +
| Specifies the modification of any portion of the system user authorization file ([[SYSUAF]]), network proxy authorization file ([[NETPROXY.DAT|NETPROXY]]), or the rights list ([[RIGHTLIST.DAT|RIGHTSLIST]]) (including password changes made through the [[AUTHORIZE]], [[SET PASSWORD]], or LOGINOUT commands or the [[$SETUAI]] system service).
 +
|-
 +
| BREAKIN=(keyword [,...])
 +
| Specifies the occurrence of one or more classes of break-in attempts, as specified by one or more of the following keywords:
 +
* ALL
 +
* DETACHED
 +
* DIALUP
 +
* LOCAL
 +
* NETWORK
 +
* REMOTE
 +
|-
 +
| CONNECTION
 +
| Specifies a logical link connection or termination through [[DECnet-Plus]], [[DECnet Phase IV]], [[DECwindows]], [[$IPC]], or [[SYSMAN]].
 +
|-
 +
| CREATE
 +
| Specifies the creation of an object. Requires the /CLASS qualifier if it is not a file.
 +
|-
 +
| DEACCESS
 +
| Specifies deaccess from an object. Requires the /CLASS qualifier if it is not a file.
 +
|-
 +
| DELETE
 +
| Specifies the deletion of an object. Requires the /CLASS=DEVICE qualifier.
 +
|-
 +
| FILE_ACCESS=(keyword[,...])
 +
| This keyword is obsolete and is superseded by the ACCESS keyword, which is valid on all OpenVMS Version 6.1 or higher systems. On [[Alpha]], this keyword specifies the occurrence of file and global section access events (regardless of the value given in the object's access control list [ACL], if any).
 +
|-
 +
| IDENTIFIER
 +
| Specifies that the use of identifiers as privileges should be audited.
 +
|-
 +
|  INSTALL
 +
| Specifies modifications made to the known file list through the INSTALL utility.
 +
|-
 +
|  LOGFAILURE=(keyword[,...])
 +
| Specifies the occurrence of one or more classes of login failures, as specified by the following keywords:
 +
{| class="wikitable"
 +
! colspan="col" | Keyword
 +
! colspan="col" | Description
 +
|-
 +
| ALL
 +
| All possible types of login failures
 +
|-
 +
|  BATCH
 +
| Batch process login failure
 +
|-
 +
| DETACHED
 +
| Detached process login failure
 +
|-
 +
| DIALUP
 +
| Dialup interactive login failure
 +
|-
 +
| LOCAL
 +
| Local interactive login failure
 +
|-
 +
| NETWORK
 +
| Network server task login failure
 +
|-
 +
| REMOTE
 +
| Interactive login failure from another network node, for example, with a [[SET HOST]] command
 +
|-
 +
| SERVER
 +
| Server or TCB-based login failure.
 +
|-
 +
| SUBPROCESS
 +
| Subprocess login failure
 +
|}
 +
|-
 +
| LOGIN=(keyword[,...])
 +
| Specifies the occurrence of one or more classes of login attempts, as specified by the following keywords:
 +
* ALL
 +
* BATCH
 +
* DETACHED
 +
* DIALUP
 +
* LOCAL
 +
* NETWORK
 +
* REMOTE
 +
* SERVER
 +
* SUBPROCESS
 +
See the LOGFAILURE keyword for further description.
 +
|-
 +
| LOGOUT=(keyword[,...])
 +
| Specifies the occurrence of one or more classes of logouts, as specified by the following keywords:
 +
* ALL
 +
* BATCH
 +
* DETACHED
 +
* DIALUP
 +
* LOCAL
 +
* NETWORK
 +
* REMOTE
 +
* SERVER
 +
* SUBPROCESS
 +
See the LOGFAILURE keyword for further description.
 +
|-
 +
| MOUNT
 +
| Specifies a [[MOUNT|mount]] or [[DISMOUNT|dismount]] operation
 +
|-
 +
| NCP
 +
| Specifies access to the network configuration database, using the network control program (NCP).
 +
|-
 +
|  PRIVILEGE=(keyword[,...])
 +
| Specifies successful or unsuccessful use of privilege, as specified by the following keywords:
 +
* FAILURE [:privilege(,...)] - unsuccessful use of privilege
 +
* SUCCESS [:privilege(,...)] - successful use of privilege
 +
|-
 +
| PROCESS=(keyword[,...])
 +
| Specifies the privileged use of one or more of the process control [[System Service|system services]], as specified by the following keywords:
 +
* ALL: Use of any of the process control system services
 +
* [[$CREPRC|CREPRC]]
 +
* [[$DELPRC|DELPRC]]
 +
* [[$SCHDWK|SCHDWK]]
 +
* [[$CANWAK|CANWAK]]
 +
* [[$WAKE|WAKE]]
 +
* [[$SUSPND|SUSPND]]
 +
* [[$RESUME|RESUME]]
 +
* [[$GRANTID|GRANTID]]
 +
* [[$REVOKID|REVOKID]]
 +
* [[$GETJPI|GETJPI]]
 +
* [[$FORCEX|FORCEX]]
 +
* [[$SETPRI|SETPRI]]
 +
Privileged use of a process control system service means the caller used [[GROUP]] or [[WORLD]] privilege to affect the target process.
 +
|-
 +
| SYSGEN
 +
| Specifies the modification of a system parameter with the [[SYSGEN|OpenVMS System Generation utility]].
 +
|-
 +
| TIME
 +
| Specifies the modification of system time.
 +
|}
 +
 +
=Examples=
 +
<nowiki>
 +
$ SET AUDIT /ENABLE=ACL /ALARM
 +
</nowiki>
 +
The command above enables security alarms for the ACL class of security events.
  
 
[[Category:DCL Commands]]
 
[[Category:DCL Commands]]

Revision as of 15:27, 11 December 2019

SET AUDIT is a DCL command that provides the management interface to the security auditing system.

Syntax

SET AUDIT

Qualifiers

Task Qualifiers Requirements
Define auditing events
  • /AUDIT
  • /ALARM
  • /CLASS
  • /ENABLE=class
  • /DISABLE=class
Specify whether you are defining alarms (/ALARM), audits (/AUDIT), or both. Also specify whether you are enabling (/ENABLE) or disabling (/DISABLE) the reporting of the event.
Define auditing log file
  • /DESTINATION
  • /JOURNAL
  • /VERIFY
Requires both the /DESTINATION and the /JOURNAL qualifiers.
Define operational characteristics of the audit server and a listener mailbox (if any).
  • /INTERVAL
  • /LISTENER
  • /SERVER
  • /VERIFY
Define secondary log file
  • /ARCHIVE
  • /DESTINATION
  • /VERIFY
Define resource monitoring defaults
  • /BACKLOG,
  • /EXCLUDE,
  • /JOURNAL,
  • /RESOURCE,
  • /THRESHOLD,
  • /VERIFY
With the /RESOURCE or /THRESHOLD qualifier, include the /JOURNAL qualifier.

Keywords

The following table contains the keywords you may use with the /ENABLE and /DISABLE qualifiers.

Keyword Description
ACCESS=(condition [:access[,...]] [,...]) Specifies access events for all objects in a class (unlike ACL which specifies access events for a particular object in the class).

The following access events are valid:

Access event Description
ALL All object classes
BYPASS Successful object access due to the use of the BYPASS privilege
FAILURE Unsuccessful object access
GRPPRV Successful object access due to the use of the GRPPRV privilege
READALL Successful object access due to the use of the READALL privilege
SUCCESS Successful object access
SYSPRV Successful object access due to the use of the system privilege (SYSPRV)
ALL All types of access
ASSOCIATE Associate access
CONTROL Control access to examine or change security characteristics
CREATE Create access. To audit create events for files, use the CREATE keyword.
DELETE Delete access
EXECUTE Execute access
LOCK Lock access
LOGICAL Logical I/O access
MANAGE Manage access
PHYSICAL Physical I/O access
READ Read access
SUBMIT Submit access
WRITE Write access
ACL Specifies an event requested by an audit or alarm ACE in the access control list (ACL) of an object. To audit all objects of a class, use the ACCESS keyword.
ALL Specifies all system events and file access events. It does not enable access events for object classes other than FILE.
AUDIT=keyword Specifies events within the auditing subsystem. Only one keyword is currently defined: ILLFORMED (specifies illformed events from internal calls (identified by NSA$M_INTERNAL) to $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS system services.
AUTHORIZATION Specifies the modification of any portion of the system user authorization file (SYSUAF), network proxy authorization file (NETPROXY), or the rights list (RIGHTSLIST) (including password changes made through the AUTHORIZE, SET PASSWORD, or LOGINOUT commands or the $SETUAI system service).
BREAKIN=(keyword [,...]) Specifies the occurrence of one or more classes of break-in attempts, as specified by one or more of the following keywords:
  • ALL
  • DETACHED
  • DIALUP
  • LOCAL
  • NETWORK
  • REMOTE
CONNECTION Specifies a logical link connection or termination through DECnet-Plus, DECnet Phase IV, DECwindows, $IPC, or SYSMAN.
CREATE Specifies the creation of an object. Requires the /CLASS qualifier if it is not a file.
DEACCESS Specifies deaccess from an object. Requires the /CLASS qualifier if it is not a file.
DELETE Specifies the deletion of an object. Requires the /CLASS=DEVICE qualifier.
FILE_ACCESS=(keyword[,...]) This keyword is obsolete and is superseded by the ACCESS keyword, which is valid on all OpenVMS Version 6.1 or higher systems. On Alpha, this keyword specifies the occurrence of file and global section access events (regardless of the value given in the object's access control list [ACL], if any).
IDENTIFIER Specifies that the use of identifiers as privileges should be audited.
INSTALL Specifies modifications made to the known file list through the INSTALL utility.
LOGFAILURE=(keyword[,...]) Specifies the occurrence of one or more classes of login failures, as specified by the following keywords:
Keyword Description
ALL All possible types of login failures
BATCH Batch process login failure
DETACHED Detached process login failure
DIALUP Dialup interactive login failure
LOCAL Local interactive login failure
NETWORK Network server task login failure
REMOTE Interactive login failure from another network node, for example, with a SET HOST command
SERVER Server or TCB-based login failure.
SUBPROCESS Subprocess login failure
LOGIN=(keyword[,...]) Specifies the occurrence of one or more classes of login attempts, as specified by the following keywords:
  • ALL
  • BATCH
  • DETACHED
  • DIALUP
  • LOCAL
  • NETWORK
  • REMOTE
  • SERVER
  • SUBPROCESS

See the LOGFAILURE keyword for further description.

LOGOUT=(keyword[,...]) Specifies the occurrence of one or more classes of logouts, as specified by the following keywords:
  • ALL
  • BATCH
  • DETACHED
  • DIALUP
  • LOCAL
  • NETWORK
  • REMOTE
  • SERVER
  • SUBPROCESS

See the LOGFAILURE keyword for further description.

MOUNT Specifies a mount or dismount operation
NCP Specifies access to the network configuration database, using the network control program (NCP).
PRIVILEGE=(keyword[,...]) Specifies successful or unsuccessful use of privilege, as specified by the following keywords:
  • FAILURE [:privilege(,...)] - unsuccessful use of privilege
  • SUCCESS [:privilege(,...)] - successful use of privilege
PROCESS=(keyword[,...]) Specifies the privileged use of one or more of the process control system services, as specified by the following keywords:

Privileged use of a process control system service means the caller used GROUP or WORLD privilege to affect the target process.

SYSGEN Specifies the modification of a system parameter with the OpenVMS System Generation utility.
TIME Specifies the modification of system time.

Examples

$ SET AUDIT /ENABLE=ACL /ALARM
 

The command above enables security alarms for the ACL class of security events.