Provides the management interface to the security auditing
system.
Requires the SECURITY privilege.
Format
SET AUDIT/qualifier
There are five categories of qualifiers, grouped by task, for the
SET AUDIT command:
Task                  Qualifiers      Requirements
Define auditing       /AUDIT,         Specify whether you are defining
events                /ALARM,         alarms (/ALARM), audits (/AUDIT),
                      /CLASS,         or both. Also specify whether you
                      /ENABLE,        are enabling (/ENABLE) or disabling
                      /DISABLE        (/DISABLE) the reporting of the
                                      event.
Define auditing       /DESTINATION,   Requires both the /DESTINATION and
log file              /JOURNAL,       /JOURNAL qualifiers.
                      /VERIFY
Define operational    /INTERVAL,      None.
characteristics of    /LISTENER,
the audit server and  /SERVER,
a listener mailbox    /VERIFY
(if any)
Define secondary      /ARCHIVE,       None.
log file              /DESTINATION,
                      /VERIFY
Define resource       /BACKLOG,       With the /RESOURCE or /THRESHOLD
monitoring defaults   /EXCLUDE,       qualifier, include the /JOURNAL
                      /JOURNAL,       qualifier.
                      /RESOURCE,
                      /THRESHOLD,
                      /VERIFY
1 – Qualifiers
1.1 /ALARM
Makes the command apply to alarms, which are messages displayed
on an operator terminal. See the description of the DCL command
REPLY/ENABLE for details on how to enable terminals to display
security messages.
1.2 /ARCHIVE
/ARCHIVE=[keyword,...]
Specifies which classes of audit event messages are written to
the security archive file. Specify one or more of the following
keywords:
Keyword            Description
NONE               Disables archiving on the system.
[NO]ALL (default)  Enables or disables archiving of all system
                   security events. By default, no events are
                   archived.
SYSTEM_ALARM       Enables archiving of all security alarm events.
SYSTEM_AUDIT       Enables archiving of all security audit events.
Archiving should be run on only one node in an OpenVMS Cluster
with its own audit server database because multiple nodes will
try to open the audit file exclusively.
1.3 /AUDIT
Makes the command apply to audits, which are messages recorded in
the system security audit log file.
1.4 /BACKLOG
/BACKLOG=[keyword[,...]]
Specifies the thresholds for suspending a process that has
exceeded the process message limit. The thresholds include the
total number of messages in memory and the number belonging
to the particular process. To prevent a process from being
suspended, use the /EXCLUDE qualifier. Specify the following
keywords:
Keyword           Description
TOTAL=(n1,n2,n3)  Thresholds at which flow control is initiated
                  and accelerated; see description below.
PROCESS=(p1,p2)   Thresholds at which process submissions are
                  controlled.

Total              Process
Messages  Default  Messages  Default  Action Taken
N1        100      P1        5        When there are 100 messages in
                                      memory, the audit server suspends
                                      any process that has submitted 5
                                      or more messages until all
                                      messages are written to disk.
N2        200      P2        2        When there are 200 messages in
                                      memory, the audit server suspends
                                      any process that has submitted 2
                                      or more messages until all
                                      messages are written to disk.
N3        300                         Any process with messages in
                                      memory is suspended until all
                                      messages are written to disk.
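An added example, not code from the OpenVMS audit server: a Python model of the flow control described above, which decides which submitting processes would be suspended for a given backlog, honouring the built-in exclusion list and any processes excluded with SET AUDIT/EXCLUDE. Process names stand in for PIDs, and the backlog in the sample is constructed.

```python
# Added example: a model of the /BACKLOG flow control described above; it is
# not code from the OpenVMS audit server. Process names stand in for PIDs.

DEFAULT_TOTAL = (100, 200, 300)   # n1, n2, n3 of /BACKLOG=TOTAL=(n1,n2,n3)
DEFAULT_PROCESS = (5, 2)          # p1, p2 of /BACKLOG=PROCESS=(p1,p2)

# Processes the page lists as always on the exclusion list; real-time
# processes and PIDs added with SET AUDIT/EXCLUDE join them.
BUILTIN_EXCLUSIONS = frozenset({
    "CACHE_SERVER", "CLUSTER_SERVER", "CONFIGURE", "DFS$COM_ACP",
    "DNS$ADVER", "IPCACP", "JOB_CONTROL", "NETACP", "NET$ACP", "OPCOM",
    "REMACP", "SHADOW_SERVER", "SMISERVER", "SWAPPER", "TP_SERVER",
    "VWS$DISPLAYMGR", "VWS$EMULATORS",
})


def flow_control_stage(total_in_memory, total_thresholds=DEFAULT_TOTAL):
    """Return 0 when no TOTAL threshold is reached, else the highest of 1..3 reached."""
    stage = 0
    for level, n in enumerate(total_thresholds, start=1):
        if total_in_memory >= n:
            stage = level
    return stage


def processes_to_suspend(pending, excluded=frozenset(),
                         total_thresholds=DEFAULT_TOTAL,
                         process_thresholds=DEFAULT_PROCESS):
    """pending maps each submitting process to its messages still in memory.

    Returns the sorted names the model suspends until the backlog is written
    to disk: at n1 those with >= p1 messages, at n2 those with >= p2, and at
    n3 every process with any message in memory, always skipping excluded
    processes.
    """
    stage = flow_control_stage(sum(pending.values()), total_thresholds)
    if stage == 0:
        return []
    per_process_limit = 1 if stage == 3 else process_thresholds[stage - 1]
    immune = BUILTIN_EXCLUSIONS | frozenset(excluded)
    return sorted(name for name, count in pending.items()
                  if count >= per_process_limit and name not in immune)


if __name__ == "__main__":
    # Constructed backlog: 100 messages in memory reaches n1, so only the
    # non-excluded process with 5 or more pending messages is suspended.
    backlog = {"USER_A": 6, "USER_B": 3, "OPCOM": 50, "BATCH_1": 1, "NETACP": 40}
    print(flow_control_stage(sum(backlog.values())), processes_to_suspend(backlog))
```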
1.5 /CLASS
/CLASS=class
Specifies the class of the object whose auditing attributes are
to be modified. If /CLASS is not specified, the command assumes
the class is FILE. Specify one of the following keywords with the
/CLASS qualifier:
CAPABILITY
COMMON_EVENT_CLUSTER
DEVICE
FILE
GROUP_GLOBAL_SECTION
LOGICAL_NAME_TABLE
QUEUE
RESOURCE_DOMAIN
SECURITY_CLASS
SYSTEM_GLOBAL_SECTION
VOLUME
1.6 /DESTINATION
/DESTINATION=filespec
When changing the destination of event messages, specifies
the new location of the system security audit log file. The
device, if part of the file specification, must be a disk. The
/DESTINATION qualifier requires the /JOURNAL qualifier in this
case.
Once you have relocated the log file, execute the command SET
AUDIT/SERVER=NEW_LOG to let all the nodes in the cluster know of
the new location. The previous audit log file is closed and all
subsequent audit event messages generated throughout the cluster
are sent to the new audit log file.
When used with /ARCHIVE, specifies the name of the archive log
file. Events can be archived to a local or remote file on any
file-structured disk device. For example, you can use an archive
file to redirect event messages from a satellite to a larger node
in the cluster.
1.7 /DISABLE
/DISABLE=(keyword[,...])
Disables alarms or audits for the specified events. To disable
all system events and file access events, specify the keyword
ALL. You must specify at least one of the keywords. For a list of
the keywords to use with the /DISABLE qualifier, see the /ENABLE
qualifier description. You must also specify either the /ALARM or
/AUDIT qualifier, or both, when you use the /DISABLE qualifier.
NOTE
In processing the SET AUDIT command, the system processes
the /DISABLE qualifier last. If you specify both the /ENABLE
and /DISABLE qualifiers for items in the same class on the
same command line, the /DISABLE qualifier disables any
enabled items. VSI recommends that you use separate lines
for commands containing the /ENABLE and /DISABLE qualifiers.
1.8 /ENABLE
/ENABLE=(keyword[,...])
Enables alarms or audits for the specified events. To enable all
system events and file access events, specify the keyword ALL.
You must specify at least one keyword. You must also specify
either the /ALARM or /AUDIT qualifier, or both, when you use the
/ENABLE qualifier.
The keywords that you can specify with either the /ENABLE or the
/DISABLE qualifier are as follows:
Keyword             Description
ACCESS=(condition   Specifies access events for all objects in a
[:access[,...]]     class. (To audit a single object, use an
[,...])             auditing ACE and enable the access control list
                    (ACL) category.)
                    VSI recommends that when you enable auditing
                    conditionally, you enable it for all possible
                    forms of access because the system can check
                    access rights at several points during an
                    operation. (For example, a FAILURE might occur
                    on a read or write access check.)
                    See the VSI OpenVMS Guide to System Security for
                    information about the various types of access
                    permitted on each class. (For example, the
                    Access keyword, CREATE, is not defined for FILE
                    objects.)

                    Condition
                    Keyword     Description
                    ALL         All object access
                    BYPASS      Successful object access due to the
                                use of the BYPASS privilege
                    FAILURE     Unsuccessful object access
                    GRPPRV      Successful object access due to the
                                use of the group privilege (GRPPRV)
                    READALL     Successful object access due to the
                                use of the READALL privilege
                    SUCCESS     Successful object access
                    SYSPRV      Successful object access due to the
                                use of the system privilege (SYSPRV)

                    Access
                    Keyword     Description
                    ALL         All types of access
                    ASSOCIATE   Associate access
                    CONTROL     Control access to examine or change
                                security characteristics
                    CREATE      Create access. To audit create events
                                for files, use the CREATE keyword.
                    DELETE      Delete access
                    EXECUTE     Execute access
                    LOCK        Lock access
                    LOGICAL     Logical I/O access
                    MANAGE      Manage access
                    PHYSICAL    Physical I/O access
                    READ        Read access
                    SUBMIT      Submit access
                    WRITE       Write access

ACL                 Specifies an event requested by an audit or
                    alarm ACE in the access control list (ACL) of
                    an object. To audit all objects of a class, use
                    the ACCESS keyword.
ALL                 Specifies all system events and file access
                    events. It does not enable access events for
                    object classes other than FILE.
AUDIT=keyword       Specifies events within the auditing subsystem.
                    Only one keyword is currently defined.
                    Keyword     Description
                    ILLFORMED   Specifies illformed events from
                                internal calls (identified by
                                NSA$M_INTERNAL) to the $AUDIT_EVENT,
                                $CHECK_PRIVILEGE, $CHKPRO, or
                                $CHECK_ACCESS system services. An
                                illformed event is caused by an
                                incomplete or syntactically incorrect
                                argument being supplied to one of
                                these system services by a piece of
                                privileged code.
AUTHORIZATION       Specifies the modification of any portion of
                    the system user authorization file (SYSUAF),
                    network proxy authorization file (NETPROXY),
                    or the rights list (RIGHTSLIST) (including
                    password changes made through the AUTHORIZE,
                    SET PASSWORD, or LOGINOUT commands or the
                    $SETUAI system service).
BREAKIN=(keyword    Specifies the occurrence of one or more classes
[,...])             of break-in attempts, as specified by one or
                    more of the following keywords:
                    ALL
                    DETACHED
                    DIALUP
                    LOCAL
                    NETWORK
                    REMOTE
CONNECTION          Specifies a logical link connection or
                    termination through DECnet-Plus, DECnet Phase
                    IV, DECwindows, $IPC, or SYSMAN.
CREATE              Specifies the creation of an object. Requires
                    the /CLASS qualifier if it is not a file.
DEACCESS            Specifies deaccess from an object. Requires the
                    /CLASS qualifier if it is not a file.
DELETE              Specifies the deletion of an object. Requires
                    the /CLASS=DEVICE qualifier.
FILE_ACCESS=        This keyword is obsolete and is superseded
(keyword[,...])     by the ACCESS keyword, which is valid on all
                    OpenVMS Version 6.1 or higher systems. On
                    Alpha, this keyword specifies the occurrence
                    of file and global section access events
                    (regardless of the value given in the object's
                    access control list [ACL], if any).
IDENTIFIER          Specifies that the use of identifiers as
                    privileges should be audited. For further
                    information, see the VSI OpenVMS Guide to System
                    Security.
INSTALL             Specifies modifications made to the known file
                    list through the INSTALL utility.
LOGFAILURE=         Specifies the occurrence of one or more
(keyword[,...])     classes of login failures, as specified by
                    the following keywords:
                    ALL         All possible types of login failures
                    BATCH       Batch process login failure
                    DETACHED    Detached process login failure
                    DIALUP      Dialup interactive login failure
                    LOCAL       Local interactive login failure
                    NETWORK     Network server task login failure
                    REMOTE      Interactive login failure from
                                another network node, for example,
                                with a SET HOST command
                    SERVER      Server or TCB-based login failure
                    SUBPROCESS  Subprocess login failure
LOGIN=              Specifies the occurrence of one or more
(keyword[,...])     classes of login attempts, as specified by the
                    following keywords. See the LOGFAILURE keyword
                    for further description.
                    ALL         BATCH
                    DETACHED    DIALUP
                    LOCAL       NETWORK
                    REMOTE      SERVER
                    SUBPROCESS
LOGOUT=             Specifies the occurrence of one or more classes
(keyword[,...])     of logouts, as specified by the following
                    keywords. See the LOGFAILURE keyword for
                    further description.
                    ALL         BATCH
                    DETACHED    DIALUP
                    LOCAL       NETWORK
                    REMOTE      SERVER
                    SUBPROCESS
MOUNT               Specifies a mount or dismount operation.
NCP                 Specifies access to the network configuration
                    database, using the network control program
                    (NCP).
PRIVILEGE=          Specifies successful or unsuccessful use
(keyword[,...])     of privilege, as specified by the following
                    keywords:
                    FAILURE [:privilege(,...)] - Unsuccessful
                    use of privilege
                    SUCCESS [:privilege(,...)] - Successful use
                    of privilege
                    For a listing of privileges, see the
                    online help for the DCL command SET
                    PROCESS/PRIVILEGES.
PROCESS=            Specifies the use of one or more of the process
(keyword[,...])     control system services, as specified by the
                    following keywords:
                    ALL         Use of any of the process control
                                system services
                    CREPRC      All use of $CREPRC
                    DELPRC      All use of $DELPRC
                    SCHDWK      Privileged use of $SCHDWK
                    CANWAK      Privileged use of $CANWAK
                    WAKE        Privileged use of $WAKE
                    SUSPND      Privileged use of $SUSPND
                    RESUME      Privileged use of $RESUME
                    GRANTID     Privileged use of $GRANTID
                    REVOKID     Privileged use of $REVOKID
                    GETJPI      Privileged use of $GETJPI
                    FORCEX      Privileged use of $FORCEX
                    SETPRI      Privileged use of $SETPRI
                    Privileged use of a process control system
                    service means the caller used GROUP or WORLD
                    privilege to affect the target process.
SYSGEN              Specifies the modification of a system
                    parameter with the OpenVMS System Generation
                    utility.
TIME                Specifies the modification of system time.
1.9 /EXCLUDE
/EXCLUDE=process-id
/NOEXCLUDE=process-id
Adds a process identification (PID) to the audit server's process
exclusion list. The process exclusion list contains those
processes that will not be suspended by the audit server if a
resource exhaustion reaches the action threshold. By default,
realtime processes and all of the following processes are
included in the process exclusion list and are never suspended:
CACHE_SERVER
CLUSTER_SERVER
CONFIGURE
DFS$COM_ACP
DNS$ADVER
IPCACP
JOB_CONTROL
NETACP
NET$ACP
OPCOM
REMACP
SHADOW_SERVER
SMISERVER
SWAPPER
TP_SERVER
VWS$DISPLAYMGR
VWS$EMULATORS
Use the SET AUDIT/NOEXCLUDE command to remove a process from the
process exclusion list; however, processes listed above cannot
be removed from the exclusion list. Also note that PIDs are
not automatically removed from the process exclusion list when
processes log out of the system.
1.10 /FAILURE_MODE
/FAILURE_MODE[=keyword]
This qualifier is obsolete.
On Alpha, specifies how the OpenVMS system proceeds following
a failed attempt to write a security alarm to the operator
communication process's (OPCOM's) mailbox. Specify one of the
following keywords with the /FAILURE_MODE qualifier:
Option   Description
CRASH    Forces a system failure if security alarms cannot be
         written.
IGNORE   Indicates that failing security alarms are to be ignored.
         The first failed alarm causes an error message to be
         written to the operator console and log file. The system
         maintains a count of the lost alarms, which can be
         displayed with the SHOW AUDIT command.
WAIT     Indicates that processes are placed in the MWAIT state to
         wait until the resource is available. This is the default.
The /ALARM qualifier is required when specifying an audit failure
mode.
1.11 /INTERVAL
/INTERVAL=(keyword[,...])
Specifies the delta times to be used for regular audit server
operations. For information about specifying delta times, see the
OpenVMS User's Manual.
The following table describes keywords for the /INTERVAL
qualifier:
Keyword                Description
ARCHIVE_FLUSH=time     Specifies the interval at which data collected
                       by the audit server is written to the archive
                       file. The default is 1 minute.
JOURNAL_FLUSH=time     Specifies the interval at which data collected
                       by the audit server is written to the audit log
                       file. The default is 5 minutes.
RESOURCE_MONITOR=time  Specifies the interval at which the audit server
                       retries log file allocation or access. This
                       interval applies whenever free space in the
                       log file is below either the warning or action
                       thresholds, or when the volume holding the log
                       file is inaccessible. The default interval is 5
                       minutes.
RESUME_SCAN=time       Specifies the interval at which the audit
                       server reviews an existing resource exhaustion
                       condition. The default is 15 minutes.
1.12 /JOURNAL
/JOURNAL[=journal-name]
Specifies the name of the audit journal; the name defaults to
SECURITY. (Currently, there is only one journal.)
The /JOURNAL qualifier is required when redefining the audit log
file or when specifying resource monitoring characteristics with
the /RESOURCE or the /THRESHOLD qualifier.
1.13 /LISTENER
/LISTENER=device
/NOLISTENER
Specifies the name of a mailbox device to which the audit server
sends a binary copy of all security audit event messages.
Users can create such a mailbox to process system security
events as they occur. For a description of the message formats
written to the listener mailbox, see the Audit Analysis Utility
documentation in the VSI OpenVMS System Management Utilities
Reference Manual.
Use the SET AUDIT/NOLISTENER command to disable a listener
device.
1.14 /RESOURCE
/RESOURCE=keyword[,...]
Enables or disables the monitoring of disk volumes to ensure
adequate space for audit journal entries; it also specifies the
monitoring method to use. The /JOURNAL qualifier is required. For
more information about resource monitoring, see the VSI OpenVMS
Guide to System Security.
Keyword             Description
DISABLE             Disables monitoring on the disk volume
                    containing the audit journal.
ENABLE              Enables resource monitoring on the disk volume
                    containing the audit journal.
MONITOR_MODE=mode   This keyword is obsolete.
                    Specifies the method the audit server uses to
                    monitor available resources. Specify one of the
                    following keywords:
                    COUNT       Controls whether resource monitoring
                                is based on the amount of free disk
                                space required to store a fixed
                                number of event messages.
                    PERCENTAGE  Controls whether resource monitoring
                                is based on the percentage of the
                                disk volume or volume set available.
                    SPACE       Controls whether resource monitoring
                                is based on the number of free blocks
                                on the disk. This is the default
                                method used for resource monitoring.
                    TIME        Controls whether resource monitoring
                                is based on the amount of free disk
                                space needed to store events which
                                occur over a fixed period of time (in
                                seconds).
1.15 /SERVER
/SERVER=keyword[,...]
Modifies audit server characteristics. The following table
describes keywords for the /SERVER qualifier:
Keyword             Description
CREATE_SYSTEM_LOG   This keyword is obsolete. Use SET
                    AUDIT/SERVER=NEW_LOG.
                    On Alpha, causes the audit server to create
                    a new local system security audit log file.
                    Other audit servers in the cluster are not
                    affected. This keyword may be used by sites
                    operating a multienvironment cluster where
                    it may be necessary to create a new log file
                    on a specific node in the cluster.
                    CREATE_SYSTEM_LOG is synonymous with NEW_LOG
                    for nonclustered systems.
EXIT                Initiates an audit server shutdown. This is
                    the only method for removing the audit server
                    process from the system; the audit server
                    cannot be deleted or suspended.
FINAL_ACTION=action Specifies the action the audit server should
                    take when it runs out of memory and cannot
                    buffer messages. (For more information, see
                    the discussion of message flow control in the
                    VSI OpenVMS Guide to System Security.) Specify
                    one of the following actions:
                    CRASH - Crash the system if the audit
                    server runs out of memory.
                    IGNORE_NEW - Ignore new event messages
                    until memory is available. New event
                    messages are lost but event messages in
                    memory are saved.
                    PURGE_OLD (default) - Remove old event
                    messages until memory is available for the
                    most current messages.
FLUSH               Copies all buffered audit and archive records
                    to the security audit log file and security
                    archive file, respectively.
INITIATE            Enables auditing during system startup.
                    Ordinarily, auditing is started from
                    VMS$LPBEGIN in STARTUP.COM but, if a site
                    redefines the logical name
                    SYS$AUDIT_SERVER_INHIBIT, the OpenVMS system
                    waits for a SET AUDIT/SERVER=INITIATE command
                    before enabling auditing.
NEW_LOG             Creates a new clusterwide audit log file.
                    Typically, this is used daily to generate a
                    new version of the audit log file.
                    The following sequence of commands can be used
                    to reset the space monitoring thresholds and
                    then to recreate the auditing log, thereby
                    creating a smaller log file:
                    $ SET AUDIT /JOURNAL=SECURITY /THRESHOLD=WARN=200
                    $ SET AUDIT /SERVER=NEW_LOG
                    By default, the size of the new auditing log
                    file is based on the size of the previous
                    auditing logs.
REDIRECT_SYSTEM_LOG This keyword is obsolete. Use SET
                    AUDIT/SERVER=NEW_LOG.
                    On Alpha, causes the audit server on the local
                    node to redirect security event messages to a
                    new audit log file, whose location was defined
                    previously by the /DESTINATION qualifier.
                    Audit server processes (and log files) on
                    other nodes in the cluster are unaffected.
RESUME              Requests the audit server process to resume
                    normal activity on the system, if adequate
                    disk space is available. Normally, once the
                    resource monitoring action threshold has been
                    reached, the audit server process suspends
                    most system activity and waits 15 minutes
                    before attempting to resume normal system
                    activity.
START               Starts the audit server process on the
                    system. In order to fully enable the auditing
                    subsystem, the SET AUDIT/SERVER=INITIATE
                    command must be used after the SET
                    AUDIT/SERVER=START command has completed.
                    VSI recommends using the following command
                    procedure to start the audit server:
                    SYS$SYSTEM:STARTUP AUDIT_SERVER
1.16 /THRESHOLD
/THRESHOLD=type=value
Specifies threshold values used in monitoring available space
in the audit log file. The auditing system issues advisory
messages to central and security operators whenever free space
in the audit log file falls below the WARNING threshold. The
auditing system suspends processes that generate audit events
when free disk space is below the action threshold. (See
/RESOURCE=[enable|disable]). The /JOURNAL qualifier is required.
The following table lists the types of thresholds:
Keyword             Description
WARNING=value       Specifies the threshold at which the audit server
                    notifies all security operator terminals that
                    resources are getting low.
ACTION=value        Specifies the threshold at which the audit server
                    starts suspending processes that are generating
                    audit records. (Certain processes are immune
                    to this: see the VSI OpenVMS Guide to System
                    Security.)
RESUME=value        This keyword is obsolete.
                    Specifies the threshold at which the audit server
                    resumes normal system activity.
The following table lists the default warning and action values
for each monitoring mode:
Mode         Warning      Action
Blocks       100          25
Delta time   2 0:00:00    0 0:30:00
1.17 /VERIFY
Do not return the dollar sign ($) prompt until the audit server
completes the command. Associated qualifiers determine which of
the following actions occur:
o Redefinition of auditing events
o Redefinition of the audit log file or the archive file
o Modification of the audit server's operational characteristics
o Modification of resource monitoring attributes
If you do not want to wait for the command to complete, specify
/NOVERIFY.
2 – Examples
1. $ SET AUDIT/AUDIT/ENABLE= -
_$ (CREATE,ACCESS=(SYSPRV,BYPASS),DEACCESS)/CLASS=FILE
$ SHOW AUDIT/AUDIT
System security audits currently enabled for:
.
.
.
FILE access:
Failure: read,write,execute,delete,control
SYSPRV: read,write,execute,delete,control
BYPASS: read,write,execute,delete,control
Other: create,deaccess
The SET AUDIT command in this example enables auditing of file
creation and file deaccess; it also enables auditing for any
file access done by using either SYSPRV or BYPASS privilege.
2. $ SET AUDIT/JOURNAL=SECURITY/DESTINATION=AUDIT$:[AUDIT]TURIN
$ SET AUDIT/SERVER=NEW
$ SHOW AUDIT/JOURNAL
List of audit journals:
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: AUDIT$:[AUDIT]TURIN.AUDIT$JOURNAL
The SET AUDIT command in this example demonstrates how to
switch to a new journal.
3. $ SET AUDIT/SERVER=FINAL=CRASH
$ SHOW AUDIT/SERVER
Security auditing server characteristics:
Database version: 4.4
Backlog (total): 100, 200, 300
Backlog (process): 5, 2
Server processing intervals:
Archive flush: 0 00:01:00.00
Journal flush: 0 00:05:00.00
Resource scan: 0 00:05:00.00
Final resource action: crash system
The SET AUDIT command in this example changes the audit
server's final action setting so the system crashes when the
audit server runs out of memory.
4. $ SET AUDIT/ARCHIVE/DESTINATION=SYS$SPECIFIC:[SYSMGR]TURIN-ARCHIVE
$ SHOW AUDIT/ARCHIVE
Security archiving information:
Archiving events: system audits
Archive destination: SYS$SPECIFIC:[SYSMGR]TURIN-ARCHIVE.AUDIT$JOURNAL
The SET AUDIT command in this example enables a node-specific
archive file.
5. $ SET AUDIT/JOURNAL/RESOURCE=ENABLE
$ SHOW AUDIT/JOURNAL
List of audit journals:
Journal name: SECURITY
Journal owner: (system audit journal)
Destination: SYS$COMMON:[SYSMGR]SECURITY.AUDIT$JOURNAL
Monitoring: enabled
Warning thresholds, Block count: 100 Duration: 2 00:00:00.0
Action thresholds, Block count: 25 Duration: 0 00:30:00.0
The SET AUDIT command in this example enables disk monitoring
and switches the mode so the disk space is monitored in terms
of time rather than free blocks.
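An added example, not part of the OpenVMS documentation: a Python parser for the per-class access lines of SHOW AUDIT/AUDIT output, as displayed in Example 1, with a check that privileged file access (SYSPRV and BYPASS by default; any other condition keyword can be named) is audited for every access type. The sample output is constructed from Example 1 plus a made-up DEVICE section, and the required-access policy is an assumption, not something the page states.

```python
import re

# Constructed from the SHOW AUDIT/AUDIT output in Example 1. The "." lines are
# the elision shown on the page; the DEVICE section is made up so that the
# parser's end-of-section handling is exercised.
SAMPLE_SHOW_AUDIT = """\
System security audits currently enabled for:
.
.
.
FILE access:
Failure: read,write,execute,delete,control
SYSPRV: read,write,execute,delete,control
BYPASS: read,write,execute,delete,control
Other: create,deaccess
DEVICE access:
Failure: read,write
"""

# The access types Example 1 shows for FILE objects; the policy below
# (assumed here, not stated by the page) requires all of them.
FULL_FILE_ACCESS = frozenset({"read", "write", "execute", "delete", "control"})

_SECTION = re.compile(r"^\s*([A-Z_]+) access:\s*$")
_ENTRY = re.compile(r"^\s*([A-Za-z]+):\s*([a-z][a-z_,]*)\s*$")


def parse_access_sections(show_output):
    """Return {object class: {CONDITION: set of access types}}."""
    sections = {}
    current = None
    for line in show_output.splitlines():
        header = _SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        entry = _ENTRY.match(line)
        if entry and current is not None:
            current[entry.group(1).upper()] = set(entry.group(2).split(","))
        else:
            current = None  # any other line ends the current class section
    return sections


def missing_privileged_audits(sections, obj_class="FILE",
                              conditions=("SYSPRV", "BYPASS"),
                              required=FULL_FILE_ACCESS):
    """For each condition keyword, list the required access types that are
    not audited for obj_class; an empty dict means the policy is met."""
    enabled = sections.get(obj_class, {})
    gaps = {}
    for cond in conditions:
        missing = frozenset(required) - enabled.get(cond.upper(), set())
        if missing:
            gaps[cond.upper()] = sorted(missing)
    return gaps


if __name__ == "__main__":
    parsed = parse_access_sections(SAMPLE_SHOW_AUDIT)
    print(missing_privileged_audits(parsed))
    print(missing_privileged_audits(parsed, conditions=("SYSPRV", "GRPPRV")))
```

On a live system, feed the function the captured output of SHOW AUDIT/AUDIT instead of the constructed sample.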