VMS Help  —  SET  AUDIT  Qualifiers

1    /ALARM

    Makes the command apply to alarms, which are messages displayed
    on an operator terminal. See the description of the DCL command
    REPLY/ENABLE for details on how to enable terminals to display
    security messages.

2    /ARCHIVE

       /ARCHIVE=[keyword,...]

    Specifies which classes of audit event messages are written to
    the security archive file. Specify one or more of the following
    keywords:

    Keyword              Description

    NONE                 Disables archiving on the system.

    [NO]ALL (default)    Enables or disables archiving of all system
                         security events. By default, no events are
                         archived.

    SYSTEM_ALARM         Enables archiving of all security alarm
                         events.

    SYSTEM_AUDIT         Enables archiving of all security audit
                         events.

    Archiving should be run on only one node in an OpenVMS Cluster
    with its own audit server database because multiple nodes will
    try to open the audit file exclusively.

3    /AUDIT

    Makes the command apply to audits, which are messages recorded in
    the system security audit log file.

4    /BACKLOG

       /BACKLOG=[keyword[,...]]

    Specifies the thresholds for suspending a process that has
    exceeded the process message limit. The thresholds include the
    total number of messages in memory and the number belonging
    to the particular process. To prevent a process from being
    suspended, use the /EXCLUDE qualifier. Specify the following
    keywords:

    Keyword          Description

    TOTAL=(n1,n2,n3) Thresholds at which flow control is initiated
                     and accelerated; see description below.

    PROCESS=(p1,p2)  Thresholds at which process submissions are
                     controlled.

    Total             Process
    Messages Default  Messages Default Action Taken

    N1       100      P1       5       When there are 100 messages
                                       in memory, the audit server
                                       suspends any process that has
                                       submitted 5 or more messages
                                       until all messages are written
                                       to disk.

    N2       200      P2       2       When there are 200 messages
                                       in memory, the audit server
                                       suspends any process that has
                                       submitted 2 or more messages
                                       until all messages are written
                                       to disk.

    N3       300                       Any process with messages in
                                       memory is suspended until all
                                       messages are written to disk.

5    /CLASS

       /CLASS=class

    Specifies the class of the object whose auditing attributes are
    to be modified. If /CLASS is not specified, the command assumes
    the class is FILE. Specify one of the following keywords with the
    /CLASS qualifier:

       CAPABILITY
       COMMON_EVENT_CLUSTER
       DEVICE
       FILE
       GROUP_GLOBAL_SECTION
       LOGICAL_NAME_TABLE
       QUEUE
       RESOURCE_DOMAIN
       SECURITY_CLASS
       SYSTEM_GLOBAL_SECTION
       VOLUME

6    /DESTINATION

       /DESTINATION=filespec

    When changing the destination of event messages, specifies
    the new location of the system security audit log file. The
    device, if part of the file specification, must be a disk. The
    /DESTINATION qualifier requires the /JOURNAL qualifier in this
    case.

    Once you have relocated the log file, execute the command SET
    AUDIT/SERVER=NEW_LOG to let all the nodes in the cluster know of
    the new location. The previous audit log file is closed and all
    subsequent audit event messages generated throughout the cluster
    are sent to the new audit log file.

    When used with /ARCHIVE, specifies the name of the archive log
    file. Events can be archived to a local or remote file on any
    file-structured disk device. For example, you can use an archive
    file to redirect event messages from a satellite to a larger node
    in the cluster.
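    The following DCL sequence is an added example and is not part of
    the VSI help text. It shows /DESTINATION used both ways described
    above: with /JOURNAL to relocate the clusterwide audit log (followed
    by /SERVER=NEW_LOG), and with /ARCHIVE to name an archive file on
    another node. The disk, directory and node names are assumptions.

```dcl
$ ! Added example, not from the VSI help text. AUDIT$DISK, the
$ ! directory names and the node BIGNODE are placeholders.
$ !
$ ! 1. Move the clusterwide audit log to a dedicated disk. /JOURNAL
$ !    is required whenever /DESTINATION changes the log location.
$ SET AUDIT/JOURNAL=SECURITY -
      /DESTINATION=AUDIT$DISK:[AUDIT_LOGS]SECURITY.AUDIT$JOURNAL
$ !
$ ! 2. Close the previous log and make every node in the cluster send
$ !    its subsequent events to the new file.
$ SET AUDIT/SERVER=NEW_LOG
$ !
$ ! 3. On ONE node only: archive every event to a file on a larger
$ !    node (a DECnet node::file specification, assumed here, since a
$ !    remote file-structured disk is permitted). Running this on a
$ !    second node fails because each tries to open the archive
$ !    file exclusively.
$ SET AUDIT/ARCHIVE=ALL -
      /DESTINATION=BIGNODE::AUDIT$DISK:[ARCHIVE]SATELLITE.AUDIT$JOURNAL
$ !
$ ! 4. Confirm that the log and archive destinations took effect.
$ SHOW AUDIT/ALL
```

    Because the audit server opens the archive file exclusively, the
    archive step belongs in the startup procedure of a single node; the
    other members of the cluster still write to the shared audit log.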

7    /DISABLE

       /DISABLE=(keyword[,...])

    Disables alarms or audits for the specified events. To disable
    all system events and file access events, specify the keyword
    ALL. You must specify at least one of the keywords. For a list of
    the keywords to use with the /DISABLE qualifier, see the /ENABLE
    qualifier description. You must also specify either the /ALARM or
    /AUDIT qualifier, or both, when you use the /DISABLE qualifier.

                                   NOTE

       In processing the SET AUDIT command, the system processes
       the /DISABLE qualifier last. If you specify both the /ENABLE
       and /DISABLE qualifiers for items in the same class on the
       same command line, the /DISABLE qualifier disables any
       enabled items. VSI recommends that you use separate lines
       for commands containing the /ENABLE and /DISABLE qualifiers.

8    /ENABLE

       /ENABLE=(keyword[,...])

    Enables alarms or audits for the specified events. To enable all
    system events and file access events, specify the keyword ALL.
    You must specify at least one keyword. You must also specify
    either the /ALARM or /AUDIT qualifier, or both, when you use the
    /ENABLE qualifier.

    The keywords that you can specify with either the /ENABLE or the
    /DISABLE qualifier are as follows:

    Keyword           Description

    ACCESS=(condition Specifies access events for all objects in
                      a class. (To audit a single object, use an
    [:access[,...]]   auditing ACE and enable the access control list
    [,...])           (ACL) category.)

                      VSI recommends that when you enable auditing
                      conditionally, you enable it for all possible
                      forms of access because the system can check
                      access rights at several points during an
                      operation. (For example, a FAILURE might occur
                      on a read or write access check.)

                      See the VSI OpenVMS Guide to System Security for
                      information about the various types of access
                      permitted on each class. (For example, the
                      Access keyword, CREATE, is not defined for FILE
                      objects.)

                      Condition      Description
                      Keyword

                      ALL            All object access

                      BYPASS         Successful object access due to
                                     the use of the BYPASS privilege

                      FAILURE        Unsuccessful object access

                      GRPPRV         Successful object access due to
                                     the use of the group privilege
                                     (GRPPRV)

                      READALL        Successful object access due to
                                     the use of the READALL privilege

                      SUCCESS        Successful object access

                      SYSPRV         Successful object access due to
                                     the use of the system privilege
                                     (SYSPRV)

                      Access         Description
                      Keyword

                      ALL            All types of access

                      ASSOCIATE      Associate access

                      CONTROL        Control access to examine or
                                     change security characteristics

                      CREATE         Create access. To audit create
                                     events for files, use the CREATE
                                     keyword.

                      DELETE         Delete access

                      EXECUTE        Execute access

                      LOCK           Lock access

                      LOGICAL        Logical I/O access

                      MANAGE         Manage access

                      PHYSICAL       Physical I/O access

                      READ           Read access

                      SUBMIT         Submit access

                      WRITE          Write access

    ACL               Specifies an event requested by an audit or
                      alarm ACE in the access control list (ACL) of
                      an object. To audit all objects of a class, use
                      the ACCESS keyword.

    ALL               Specifies all system events and file access
                      events. It does not enable access events for
                      object classes other than FILE.

    AUDIT=keyword     Specifies events within the auditing subsystem.
                      Only one keyword is currently defined.

                      Keyword        Description

                      ILLFORMED      Specifies illformed events from
                                     internal calls (identified by
                                     NSA$M_INTERNAL) to $AUDIT_
                                     EVENT, $CHECK_PRIVILEGE,
                                     $CHKPRO, or $CHECK_ACCESS system
                                     services. An illformed event
                                     is caused by an incomplete or
                                     syntactically incorrect argument
                                     being supplied to one of these
                                     system services by a piece of
                                     privileged code.

    AUTHORIZATION     Specifies the modification of any portion of
                      the system user authorization file (SYSUAF),
                      network proxy authorization file (NETPROXY),
                      or the rights list (RIGHTLIST) (including
                      password changes made through the AUTHORIZE,
                      SET PASSWORD, or LOGINOUT commands or the
                      $SETUAI system service).

    BREAKIN=(keyword  Specifies the occurrence of one or more classes
    [,...])           of break-in attempts, as specified by one or
                      more of the following keywords:

                         ALL
                         DETACHED
                         DIALUP
                         LOCAL
                         NETWORK
                         REMOTE

    CONNECTION        Specifies a logical link connection or
                      termination through DECnet-Plus, DECnet Phase
                      IV, DECwindows, $IPC, or SYSMAN.

    CREATE            Specifies the creation of an object. Requires
                      the /CLASS qualifier if it is not a file.

    DEACCESS          Specifies deaccess from an object. Requires the
                      /CLASS qualifier if it is not a file.

    DELETE            Specifies the deletion of an object. Requires
                      the /CLASS=DEVICE qualifier.

    FILE_ACCESS=      This keyword is obsolete and is superseded
    (keyword[,...])   by the ACCESS keyword, which is valid on all
                      OpenVMS Version 6.1 or higher systems. On
                      Alpha, this keyword specifies the occurrence
                      of file and global section access events
                      (regardless of the value given in the object's
                      access control list [ACL], if any).

    IDENTIFIER        Specifies that the use of identifiers as
                      privileges should be audited. For further
                      information, see the VSI OpenVMS Guide to System
                      Security.

    INSTALL           Specifies modifications made to the known file
                      list through the INSTALL utility.

    LOGFAILURE=       Specifies the occurrence of one or more
    (keyword[,...])   classes of login failures, as specified by
                      the following keywords:

                      ALL            All possible types of login
                                     failures

                      BATCH          Batch process login failure

                      DETACHED       Detached process login failure

                      DIALUP         Dialup interactive login failure

                      LOCAL          Local interactive login failure

                      NETWORK        Network server task login
                                     failure

                      REMOTE         Interactive login failure
                                     from another network node, for
                                     example, with a SET HOST command

                      SERVER         Server or TCB-based login
                                     failure.

                      SUBPROCESS     Subprocess login failure

    LOGIN=            Specifies the occurrence of one or more
    (keyword[,...])   classes of login attempts, as specified by the
                      following keywords. See the LOGFAILURE keyword
                      for further description.

                         ALL            BATCH
                         DETACHED       DIALUP
                         LOCAL          NETWORK
                         REMOTE         SERVER
                         SUBPROCESS

    LOGOUT=           Specifies the occurrence of one or more classes
    (keyword[,...])   of logouts, as specified by the following
                      keywords. See the LOGFAILURE keyword for
                      further description.

                         ALL            BATCH
                         DETACHED       DIALUP
                         LOCAL          NETWORK
                         REMOTE         SERVER
                         SUBPROCESS

    MOUNT             Specifies a mount or dismount operation.

    NCP               Specifies access to the network configuration
                      database, using the network control program
                      (NCP).

    PRIVILEGE=        Specifies successful or unsuccessful use
    (keyword[,...])   of privilege, as specified by the following
                      keywords:

                         FAILURE [:privilege(,...)] - Unsuccessful
                         use of privilege

                         SUCCESS [:privilege(,...)] - Successful use
                         of privilege

                      For a listing of privileges, see the
                      online help for the DCL command SET
                      PROCESS/PRIVILEGES.

    PROCESS=          Specifies the use of one or more of the process
    (keyword[,...])   control system services, as specified by the
                      following keywords:

                      ALL            Use of any of the process
                                     control system services

                      CREPRC         All use of $CREPRC

                      DELPRC         All use of $DELPRC

                      SCHDWK         Privileged use of $SCHDWK

                      CANWAK         Privileged use of $CANWAK

                      WAKE           Privileged use of $WAKE

                      SUSPND         Privileged use of $SUSPND

                      RESUME         Privileged use of $RESUME

                      GRANTID        Privileged use of $GRANTID

                      REVOKID        Privileged use of $REVOKID

                      GETJPI         Privileged use of $GETJPI

                      FORCEX         Privileged use of $FORCEX

                      SETPRI         Privileged use of $SETPRI

                      Privileged use of a process control system
                      service means the caller used GROUP or WORLD
                      privilege to affect the target process.

    SYSGEN            Specifies the modification of a system
                      parameter with the OpenVMS System Generation
                      utility.

    TIME              Specifies the modification of system time.
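    The following DCL procedure is an added example and is not part of
    the VSI help text. It assembles a baseline policy from the /ENABLE
    keywords listed above, routes break-ins and login failures to both
    alarms and audits, limits file and device access auditing to the
    conditions an analyst is most likely to search for, and keeps the
    /DISABLE step on its own command line as the NOTE under /DISABLE
    requires. The choice of events and classes is an assumption to be
    adapted per site.

```dcl
$ ! Added example, not from the VSI help text. The events chosen are
$ ! an assumed baseline; adjust them to the site's needs.
$ !
$ ! Break-in attempts and login failures: alarm (operator terminal)
$ ! AND audit (log file), so they are noticed now and kept for later.
$ SET AUDIT/ALARM/AUDIT/ENABLE=(BREAKIN=ALL, LOGFAILURE=ALL)
$ !
$ ! Changes to SYSUAF/NETPROXY/RIGHTLIST, the known file list, SYSGEN
$ ! parameters and the system clock, plus use of identifiers as
$ ! privileges: audit only.
$ SET AUDIT/AUDIT/ENABLE=(AUTHORIZATION, INSTALL, SYSGEN, TIME, -
                          IDENTIFIER)
$ !
$ ! Every unsuccessful attempt to use a privilege.
$ SET AUDIT/AUDIT/ENABLE=PRIVILEGE=FAILURE
$ !
$ ! Files (the default /CLASS, written out here for clarity): failed
$ ! read/write/delete/control attempts, and successes that depended
$ ! on an access-override privilege rather than on the file's own
$ ! protection. Enabling several access types under FAILURE follows
$ ! the recommendation above, since the check may fail at any of them.
$ SET AUDIT/AUDIT/ENABLE=ACCESS=(FAILURE:READ,WRITE,DELETE,CONTROL) -
                        /CLASS=FILE
$ SET AUDIT/AUDIT/ENABLE=ACCESS=(BYPASS, SYSPRV, GRPPRV, READALL) -
                        /CLASS=FILE
$ !
$ ! Devices: failed access attempts and device deletion. DELETE is
$ ! only meaningful with /CLASS=DEVICE.
$ SET AUDIT/ALARM/AUDIT/ENABLE=ACCESS=FAILURE/CLASS=DEVICE
$ SET AUDIT/AUDIT/ENABLE=DELETE/CLASS=DEVICE
$ !
$ ! Trim alarms (not audits) for batch login failures, which on this
$ ! assumed site are noisy; the audit record is still written.
$ ! /DISABLE goes on its own line because it is processed last and
$ ! would otherwise cancel an /ENABLE on the same command.
$ SET AUDIT/ALARM/DISABLE=LOGFAILURE=BATCH
$ !
$ ! Wait for the audit server to apply everything, then review.
$ SET AUDIT/VERIFY/SERVER=FLUSH
$ SHOW AUDIT/ALL
```

    SHOW AUDIT/ALL lists the resulting alarm and audit settings per
    class, which is the quickest way to confirm that a later /DISABLE
    did not silently remove something this procedure enabled.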

9    /EXCLUDE

       /EXCLUDE=process-id
       /NOEXCLUDE=process-id

    Adds a process identification (PID) to the audit server's process
    exclusion list. The process exclusion list contains those
    processes that will not be suspended by the audit server if a
    resource exhaustion reaches the action threshold. By default,
    realtime processes and all of the following processes are
    included in the process exclusion list and are never suspended:

       CACHE_SERVER
       CLUSTER_SERVER
       CONFIGURE
       DFS$COM_ACP
       DNS$ADVER
       IPCACP
       JOB_CONTROL
       NETACP
       NET$ACP
       OPCOM
       REMACP
       SHADOW_SERVER
       SMISERVER
       SWAPPER
       TP_SERVER
       VWS$DISPLAYMGR
       VWS$EMULATORS

    Use the SET AUDIT/NOEXCLUDE command to remove a process from the
    process exclusion list; however, processes listed above cannot
    be removed from the exclusion list. Also note that PIDs are
    not automatically removed from the process exclusion list when
    processes log out of the system.
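    The following DCL sequence is an added example and is not part of
    the VSI help text. It combines /BACKLOG and /EXCLUDE: the flow
    control thresholds are raised above their defaults, one site
    process is placed on the exclusion list, and the entry is removed
    again because, as noted above, PIDs are not dropped from the list
    automatically. The threshold values and the PID are assumptions.

```dcl
$ ! Added example, not from the VSI help text. Threshold values are
$ ! assumed; the PID is a placeholder (take the real one from
$ ! SHOW SYSTEM).
$ !
$ ! Raise the suspension thresholds above the defaults
$ ! (TOTAL=(100,200,300), PROCESS=(5,2)) on a node that legitimately
$ ! produces bursts of audit events, so ordinary processes are not
$ ! suspended as early.
$ SET AUDIT/BACKLOG=(TOTAL=(200,400,600), PROCESS=(10,4))
$ !
$ ! A site daemon that must never be suspended by the audit server.
$ daemon_pid = "2140023A"      ! placeholder PID
$ SET AUDIT/EXCLUDE='daemon_pid'
$ !
$ ! Review: the system processes named above are always present on
$ ! the list and cannot be removed with /NOEXCLUDE.
$ SHOW AUDIT/ALL
$ !
$ ! When the daemon is stopped or restarted with a new PID, drop the
$ ! old entry; a stale PID would later exempt whatever process the
$ ! system reuses that PID for.
$ SET AUDIT/NOEXCLUDE='daemon_pid'
```

    Raising the thresholds trades memory for fewer suspensions; the
    exclusion list should stay short, because an excluded process can
    keep submitting events while everything else is already held.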

10    /FAILURE_MODE

       /FAILURE_MODE[=keyword]

    This qualifier is obsolete.

    On Alpha, specifies how the OpenVMS system proceeds following
    a failed attempt to write a security alarm to the operator
    communication process's (OPCOM's) mailbox. Specify one of the
    following keywords with the /FAILURE_MODE qualifier:

    Option Description

    CRASH  Forces a system failure if security alarms cannot be
           written.

    IGNORE Indicates that failing security alarms are to be ignored.
           The first failed alarm causes an error message to be
           written to the operator console and log file. The system
           maintains a count of the lost alarms, which can be
           displayed with the SHOW AUDIT command.

    WAIT   Indicates that processes are placed in the MWAIT state to
           wait until the resource is available. This is the default.

    The /ALARM qualifier is required when specifying an audit failure
    mode.

11    /INTERVAL

       /INTERVAL=(keyword[,...])

    Specifies the delta times to be used for regular audit server
    operations. For information about specifying delta times, see the
    OpenVMS User's Manual.

    The following table describes keywords for the /INTERVAL
    qualifier:

    Keyword          Description

    ARCHIVE_         Specifies the interval at which data collected
    FLUSH=time       by the audit server is written to the archive
                     file. The default is 1 minute.

    JOURNAL_         Specifies the interval at which data collected
    FLUSH=time       by the audit server is written to the audit log
                     file. The default is 5 minutes.

    RESOURCE_        Specifies the interval at which the audit server
    MONITOR=time     retries log file allocation or access. This
                     interval applies whenever free space in the
                     log file is below either the warning or action
                     thresholds, or when the volume holding the log
                     file is inaccessible. The default interval is 5
                     minutes.

    RESUME_          Specifies the interval at which the audit
    SCAN=time        server reviews an existing resource exhaustion
                     condition. The default is 15 minutes.

12    /JOURNAL

       /JOURNAL[=journal-name]

    Specifies the name of the audit journal; the name defaults to
    SECURITY. (Currently, there is only one journal.)

    The /JOURNAL qualifier is required when redefining the audit log
    file or when specifying resource monitoring characteristics with
    the /RESOURCE or the /THRESHOLD qualifier.

13    /LISTENER

       /LISTENER=device
       /NOLISTENER

    Specifies the name of a mailbox device to which the audit server
    sends a binary copy of all security audit event messages.
    Users can create such a mailbox to process system security
    events as they occur. For a description of the message formats
    written to the listener mailbox, see the Audit Analysis Utility
    documentation in the VSI OpenVMS System Management Utilities
    Reference Manual.

    Use the SET AUDIT/NOLISTENER command to disable a listener
    device.

14    /RESOURCE

       /RESOURCE=keyword[,...]

    Enables or disables the monitoring of disk volumes to ensure
    adequate space for audit journal entries; it also specifies the
    monitoring method to use. The /JOURNAL qualifier is required. For
    more information about resource monitoring, see the VSI OpenVMS
    Guide to System Security.

    Keyword          Description

    DISABLE          Disables monitoring on the disk volume
                     containing the audit journal.

    ENABLE           Enables resource monitoring on the disk volume
                     containing the audit journal.

    MONITOR_         This keyword is obsolete.
    MODE=mode
                     Specifies the method the audit server uses to
                     monitor available resources. Specify one of the
                     following keywords:

                     COUNT      Controls whether resource monitoring
                                is based on the amount of free disk
                                space required to store a fixed
                                number of event messages.

                     PERCENTAGE Controls whether resource monitoring
                                is based on the percentage of the
                                disk volume or volume set available.

                     SPACE      Controls whether resource monitoring
                                is based on the number of free blocks
                                on the disk. This is the default
                                method used for resource monitoring.

                     TIME       Controls whether resource monitoring
                                is based on the amount of free disk
                                space needed to store events which
                                occur over a fixed period of time (in
                                seconds).

15    /SERVER

       /SERVER=keyword[,...]

    Modifies audit server characteristics. The following table
    describes keywords for the /SERVER qualifier:

    Keyword            Description

    CREATE_SYSTEM_LOG  This keyword is obsolete. Use SET
                       AUDIT/SERVER=NEW_LOG.

                       On Alpha, causes the audit server to create
                       a new local system security audit log file.
                       Other audit servers in the cluster are not
                       affected. This keyword may be used by sites
                       operating a multienvironment cluster where
                       it may be necessary to create a new log file
                       on a specific node in the cluster. CREATE_
                       SYSTEM_LOG is synonymous with NEW_LOG for
                       nonclustered systems.

    EXIT               Initiates an audit server shutdown. This is
                       the only method for removing the audit server
                       process from the system; the audit server
                       cannot be deleted or suspended.

    FINAL_             Specifies the action the audit server should
    ACTION=action      take when it runs out of memory and cannot
                       buffer messages. (For more information, see
                       the discussion of message flow control in the
                       VSI OpenVMS Guide to System Security.) Specify
                       one of the following actions:

                          CRASH - Crash the system if the audit
                          server runs out of memory.

                          IGNORE_NEW - Ignore new event messages
                          until memory is available. New event
                          messages are lost but event messages in
                          memory are saved.

                          PURGE_OLD (default) - Remove old event
                          messages until memory is available for the
                          most current messages.

    FLUSH              Copies all buffered audit and archive records
                       to the security audit log file and security
                       archive file, respectively.

    INITIATE           Enables auditing during system startup.
                       Ordinarily, auditing is started from
                       VMS$LPBEGIN in STARTUP.COM but, if a site
                       redefines the logical name SYS$AUDIT_SERVER_
                       INHIBIT, the OpenVMS system waits for a SET
                       AUDIT/SERVER=INITIATE command before enabling
                       auditing.

    NEW_LOG            Creates a new clusterwide audit log file.
                       Typically, this is used daily to generate a
                       new version of the audit log file.

                       The following sequence of commands can be used
                       to reset the space monitoring thresholds and
                       then to recreate the auditing log, thereby
                       creating a smaller log file:

                       $ SET AUDIT /JOURNAL=SECURITY /THRESHOLD=WARN=200
                       $ SET AUDIT /SERVER=NEW_LOG

                       By default, the size of the new auditing log
                       file is based on the size of the previous
                       auditing logs.

    REDIRECT_SYSTEM_   This keyword is obsolete. Use SET
    LOG                AUDIT/SERVER=NEW_LOG.

                       On Alpha, causes the audit server on the local
                       node to redirect security event messages to a
                       new audit log file, whose location was defined
                       previously by the /DESTINATION qualifier.
                       Audit server processes (and log files) on
                       other nodes in the cluster are unaffected.

    RESUME             Requests the audit server process to resume
                       normal activity on the system, if adequate
                       disk space is available. Normally, once the
                       resource monitoring action threshold has been
                       reached, the audit server process suspends
                       most system activity and waits 15 minutes
                       before attempting to resume normal system
                       activity.

    START              Starts the audit server process on the
                       system. In order to fully enable the auditing
                       subsystem, the SET AUDIT/SERVER=INITIATE
                       command must be used after the SET
                       AUDIT/SERVER=START command has completed.

                       VSI recommends using the following command
                       procedure to start the audit server:

                       $ @SYS$SYSTEM:STARTUP AUDIT_SERVER

16    /THRESHOLD

       /THRESHOLD=type=value

    Specifies threshold values used in monitoring available space
    in the audit log file. The auditing system issues advisory
    messages to central and security operators whenever free space
    in the audit log file falls below the WARNING threshold. The
    auditing system suspends processes that generate audit events
    when free disk space is below the action threshold. (See
    /RESOURCE=[enable|disable]). The /JOURNAL qualifier is required.

    The following table lists the types of thresholds:

    Keyword        Description

    WARNING=value  Specifies the threshold at which the audit server
                   notifies all security operator terminals that
                   resources are getting low.

    ACTION=value   Specifies the threshold at which the audit server
                   starts suspending processes that are generating
                   audit records. (Certain processes are immune
                   to this: see the VSI OpenVMS Guide to System
                   Security).

    RESUME=value   This keyword is obsolete.

                   Specifies the threshold at which the audit server
                   resumes normal system activity.

    The following table lists the default warning and action values
    for each monitoring mode:

    Mode                  Warning        Action

    Blocks                100            25
    Delta time            2 0:00:00      0 0:30:00
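    The following DCL sequence is an added example and is not part of
    the VSI help text. It ties together /JOURNAL, /RESOURCE, /THRESHOLD
    and /INTERVAL into one resource monitoring setup and ends with the
    recovery step once the action threshold has been reached. The
    threshold and interval values are assumptions chosen for
    illustration; the delta time strings use the dddd-hh:mm:ss form.

```dcl
$ ! Added example, not from the VSI help text. Threshold and interval
$ ! values are assumed.
$ !
$ ! Monitor free space on the volume holding the audit journal.
$ ! /JOURNAL is required with /RESOURCE and /THRESHOLD. Values are in
$ ! blocks, the default monitoring mode (defaults: WARNING=100,
$ ! ACTION=25); these are raised so operators get warned earlier.
$ SET AUDIT/JOURNAL=SECURITY/RESOURCE=ENABLE
$ SET AUDIT/JOURNAL=SECURITY/THRESHOLD=WARNING=500
$ SET AUDIT/JOURNAL=SECURITY/THRESHOLD=ACTION=100
$ !
$ ! Flush buffered records every minute instead of every five (less
$ ! is lost if the node crashes) and retry log allocation every two
$ ! minutes while space is short. Delta times are quoted strings in
$ ! dddd-hh:mm:ss form (an assumption about the accepted syntax).
$ SET AUDIT/INTERVAL=(JOURNAL_FLUSH="0-00:01:00", -
                      RESOURCE_MONITOR="0-00:02:00")
$ !
$ ! /VERIFY holds the $ prompt until the audit server has applied the
$ ! change, so the SHOW that follows reflects the new settings.
$ SET AUDIT/VERIFY/SERVER=FLUSH
$ SHOW AUDIT/ALL
$ !
$ ! Recovery once the ACTION threshold is reached and event-producing
$ ! processes are being suspended: free space on the volume, or start
$ ! a smaller log with SET AUDIT/SERVER=NEW_LOG, then ask the server
$ ! to resume rather than waiting for the next RESUME_SCAN interval.
$ SET AUDIT/SERVER=RESUME
```

    The WARNING threshold is the one to tune first: it only produces
    operator messages, whereas crossing ACTION stops processes that
    generate audit events, which on a busy system includes most
    interactive logins.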

17    /VERIFY

    Do not return the dollar sign ($) prompt until the audit server
    completes the command. Associated qualifiers determine which of
    the following actions occur:

    o  Redefinition of auditing events

    o  Redefinition of the audit log file or the archive file

    o  Modification of the audit server's operational characteristics

    o  Modification of resource monitoring attributes

    If you do not want to wait for the command to complete, specify
    /NOVERIFY.