Safeguard Audit Service Manual

Abstract
This manual for security administrators and auditors describes all aspects of auditing on Safeguard controlled systems.

Product Version
Safeguard G06, H04

Supported Release Version Updates (RVUs)
This publication supports G06.21 and all subsequent G-series RVUs and H06.03 and all subsequent H-series RVUs until otherwise indicated by its replacement publication.
Document History

Part Number   Product Version       Published
520480-010    Safeguard G06, H03    May 2006
520480-011    Safeguard G06, H03    July 2006
520480-012    Safeguard G06, H03    August 2006
520480-013    Safeguard G06, H03    November 2006
520480-014    Safeguard G06, H04    February 2007
Contents

What’s New in This Manual ix
  Manual Information ix
  New and Changed Information ix
About This Manual xiii
  Organization of This Manual xiii
  Related Manuals xiv
  Notation Conventions xiv
1. Introduction
  Events Controlled by the Safeguard Subsystem 1-1
  Safeguard Events That Must Be Specified 1-1
  Safeguard Events That Are Always Audited 1-2
  Events From NonStop OS Subsystems 1-2
  The Audit Trail 1-2
  Extracting Audit Information 1-3
4. Audit Service Command Syntax
  Impact of Security Groups 4-1
  Syntax of Audit Commands 4-1
  ADD AUDIT POOL Command 4-2
  ALTER AUDIT POOL Command 4-3
  ALTER AUDIT SERVICE Command 4-5
  DELETE AUDIT POOL Command 4-8
    Consideration 4-8
  INFO AUDIT POOL Command 4-9
  INFO AUDIT SERVICE Command 4-10
    Consideration 4-13
  NEXTFILE Command 4-13
    Considerations 4-13
  RELEASE Command 4-13
    Considerations 4-14
  SELECT Command 4-15
    Considerations 4-15
What’s New in This Manual
Changes to the H06.08 Manual
• Updated the DDL definition on page A-49 and field definitions on pages A-65 and A-66 under Safeguard configuration record.
• Added the configuration attributes ConfigPasswordCompMode on page 7-19 and ConfigPasswordMaximumLength on page 7-20.
• Added the DDL definitions ZPASSWORD-COMPATIBILITY-MODE and ZPASSWORD-MAXIMUM-LENGTH on page A-48.
Changes to the H06.06 Manual
• Added the new section, OSS Auditing on page 2-18.
• Updated the example with the ALL and NONE values on page 2-20.
• Modified the ConfigAudClientGuardian attribute, and added the new configuration attribute, ConfigAudClientOss on page 7-12.
• Added the new section, OSS ACLs Attribute Record on page 7-57.
  ° The INFO SAFEGUARD Command on page 2-20
Changes to the H06.
About This Manual

This manual is written primarily for security administrators and auditors. It serves as a single source of information about the auditing features of Safeguard controlled systems. These features include audit specification through SAFECOM, audit-trail management through the audit service commands, and audit reporting through SAFEART.
Related Manuals

You should be familiar with the Safeguard subsystem, which is documented in:
• Safeguard User’s Guide
• Safeguard Administrator’s Manual
• Safeguard Reference Manual
• Safeguard Management Programming Manual

You might also want to see:
• Guardian Procedure Calls Reference Manual
• Data Definition Language (DDL) Reference Manual

Notation Conventions

Hypertext Links
Blue underline is used to indicate a hypertext link within text.
General Syntax Notation

italic computer type. Italic computer type letters within text indicate C and Open System Services (OSS) variable items that you supply. Items not enclosed in brackets are required. For example:
pathname

[ ] Brackets. Brackets enclose optional syntax items. For example:
TERM [\system-name.]$terminal-name
INT[ERRUPTS]
A group of items enclosed in brackets is a list from which you can choose one item or none.
Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must type as shown. For example:
"[" repetition-constant-list "]"

Item Spacing. Spaces shown between items are required unless one of the items is a punctuation symbol such as a parenthesis or a comma. For example:
CALL STEPMOM ( process-id ) ;
If there is no space between two items, spaces are not permitted.
Notation for Messages

Bold Text. Bold text in an example indicates user input typed at the terminal. For example:
ENTER RUN CODE
?123
CODE RECEIVED: 123.00
The user must press the Return key after typing the input.

Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or returned exactly as shown. For example:
Backup Up.

lowercase italic letters. Lowercase italic letters indicate variable items whose values are displayed or returned.
Notation for Management Programming Interfaces

% Percent Sign. A percent sign precedes a number that is not in decimal notation. The % notation precedes an octal number. The %B notation precedes a binary number. The %H notation precedes a hexadecimal number.
1 Introduction

The ability to track security-relevant events on your system is one of the most important aspects of computer security. The Safeguard audit service allows you to record and retrieve information about a wide range of events. Audited events are recorded in the Safeguard audit files, collectively referred to as the audit trail. You can retrieve information about audited events by using SAFEART, the Safeguard audit file reduction tool.
Safeguard Events That Are Always Audited

These types of events are always audited, regardless of any Safeguard audit settings:
• Attempts to execute the ALTER SAFEGUARD or STOP SAFEGUARD commands
• Attempts to execute Safeguard audit service commands (except the INFO AUDIT SERVICE and the INFO AUDIT POOL commands)
• Attempts to execute Safeguard TERMINAL commands (except the INFO TERMINAL command)
• Attempts to execute EVENT-EXIT-PROCESS commands (ex
Record Formats. For information about DDL definitions, see the Data Definition Language (DDL) Reference Manual.

Note. Effective with the D10 product version of Safeguard, the SAFEACT program is no longer supported and cannot be used for audit file conversion.

Extracting Audit Information

The Safeguard subsystem provides an audit reduction tool called SAFEART.
2 Specifying Auditing

This section explains how to specify auditing for security-relevant events on a Safeguard controlled system. You specify auditing by setting audit attributes in the protection records for specific users, aliases, objects, or OBJECTTYPEs. In general, specifying auditing for user aliases follows the same rules as specifying auditing for users. Any statements pertaining to user auditing in this section also apply to alias auditing.
Special Audit Attributes for User Actions

Two new AUDIT-USER-ACTION attributes in a user authentication record control auditing for most types of actions performed by the user. For more information, see Auditing Events Performed by a Specific User on page 2-11.

Shorthand for Audit Attributes

In many instances, you can use shortened forms of the attributes to specify combinations of auditing conditions.
• A local user runs a process that attempts to log on by calling the VERIFYUSER or USER_AUTHENTICATE_ procedure.

REMOTE
No authentication attempts are recorded in the current audit file. Although SAFECOM accepts this value, authentication attempts can be audited only on the system where they occur.

NONE
No authentication attempts are recorded in the current audit file.
3. If the supplied password matches the password in the authentication record, the Safeguard subsystem checks the values of these attributes in the authentication record:
   STATUS frozen/thawed
   USER EXPIRES date, time
   PASSWORD EXPIRES date, time
4. If the current status is frozen, the user authentication record has expired, or the user's password has expired, the logon attempt fails. (See the note following this list.)
How Attempts to Access Objects Are Audited

The audit-spec variable for AUDIT-ACCESS-PASS and AUDIT-ACCESS-FAIL can be any one of these four values:

ALL
All attempts to access the object are recorded in the current audit file.

LOCAL
Only local attempts to access this object are recorded in the current audit file.

REMOTE
Only remote attempts to access this object are recorded in the current audit file.
AUDIT-ACCESS-FAIL is specified, the failed access attempt is recorded in the current audit file.

Note. Safeguard configuration might affect whether protection records are consulted. If a protection record is not consulted, auditing specified in the protection record does not occur. For more information, see the ALTER SAFEGUARD command in the Safeguard Reference Manual.
How Attempts to Add Protection Records Are Audited

user logged on to a remote system. The process itself might be running on the network user's system or on this system.)

NONE
No attempts to add a protection record of a given type are recorded in the current audit file. NONE is the default value for both AUDIT-ACCESS-PASS and AUDIT-ACCESS-FAIL.
Auditing Attempts to Manage Protection Records

To specify auditing for attempts to manage (change, read, or delete) a particular protection record, use the AUDIT-MANAGE attributes in the protection record.
• Attempting to delete a protection record with the DELETE command

If this event is audited, one primary audit record and one secondary audit record are written to the current audit file. The secondary record contains the image of the protection record that was deleted or that the user attempted to delete. For user and alias records, two secondary records are written. See the following note.

Note.
Examples

This example illustrates how to audit attempts to manage a user authentication record. In this example, the owner of the authentication record enters the command to set up auditing for successful remote attempts to manage the record (AUDIT-MANAGE-PASS) and all unsuccessful attempts to manage the record (AUDIT-MANAGE-FAIL):
=ALTER USER admin.
AUDIT-MANAGE-FAIL is specified, the failed operation is recorded in the current audit file.

Auditing Events Performed by a Specific User

You can specify auditing for events performed by a specific user ID through the AUDIT-USER-ACTION attributes in the user authentication record. The values of these attributes are read at logon time, so modifications of these attributes do not take effect immediately for user IDs that are already logged on.
NONE
Attempts made by the user are not recorded in the current audit file unless auditing is specified through other audit attributes. NONE is the default value for both AUDIT-USER-ACTION-PASS and AUDIT-USER-ACTION-FAIL.

Example

This example specifies auditing for successful and unsuccessful remote events performed by admin.chris:
=ALTER USER admin.
Shorthand for Audit Attributes

You can use a shortened form of the audit attributes to specify the same auditing conditions. This command is equivalent to the preceding command:
=ALTER DISKFILE $home.annual.report, AUDIT all

Similarly, this command can be entered in shorthand:
=ALTER DISKFILE $home.quarterly.report1, &
=AUDIT-ACCESS-PASS remote
=AUDIT-ACCESS-FAIL remote

The shorthand version follows:
=ALTER DISKFILE $home.quarterly.
Controlling Auditing of NonStop Client Events

Table 2-1.
• ZSFG-VAL-OBJ-OSSDISKFILE
• ZSFG-VAL-OBJ-OSSFILESET
• ZSFG-VAL-OBJ-OSSPROCESS
• ZSFG-VAL-OBJ-SOCKET
• ZSFG-VAL-OBJ-SYMLINK

Possible values of the Safeguard configuration attribute AUDIT-CLIENT-OSS are ON and OFF. Initially, the attribute is set to ON.
Table 2-2.
OSS Auditing

The Safeguard audit attribute AUDIT-CLIENT-OSS (ACO) controls, in most cases, whether OSS-related audit records are written to the audit trail.

Note. OSS auditing is supported only on systems running G06.29 and later G-series RVUs and H06.08 and later H-series RVUs.

ACO Attribute

The ACO attribute is primarily used in combination with other attributes to control OSS auditing.
• delete authorization (not the last name for a file)
• purge authorization (last name for a file)
• utime authorization
• setacl authorization

AUDIT-CLIENT-GUARDIAN (ACG) and AUDIT-DEVICE-ACCESS-PASS/FAIL Attributes

If an AUDIT-DEVICE-ACCESS-PASS or AUDIT-DEVICE-ACCESS-FAIL attribute is set, the Safeguard authorization records for the opening of OSS terminals are written to the audit trail.
is set to audit ALL access attempts and the Safeguard configuration is set to audit NONE of the disk file access attempts, both local and remote access attempts are audited for the individual disk file. Specifying both systemwide and individual auditing does not cause duplicate records to be generated for audited events.
AUDIT-DEVICE-ACCESS-PASS
specifies conditions for auditing successful attempts to access any device or subdevice on the system. This setting supplements individual device or subdevice audit settings. The conditions can be ALL, NONE, LOCAL, or REMOTE. The default is NONE. If client auditing is enabled, this attribute also controls auditing for successful file-system operations pertaining to devices and subdevices.
AUDIT-DISKFILE-ACCESS-PASS
specifies conditions for auditing successful attempts to access any volume, subvolume, or disk file on the system. This setting supplements the individual audit settings. The conditions can be ALL, NONE, LOCAL, or REMOTE. The default is NONE. If client auditing is enabled, this attribute also controls auditing for successful file-system operations pertaining to volumes, subvolumes, and disk files.
subprocess audit settings. The conditions can be ALL, NONE, LOCAL, or REMOTE. The default is NONE. If client auditing is enabled, this attribute also controls auditing for successful client operations pertaining to processes and subprocesses.

AUDIT-PROCESS-ACCESS-FAIL
specifies conditions for auditing unsuccessful attempts to access any process or subprocess on the system. This setting supplements individual process or subprocess audit settings.
AUDIT-OBJECT-ACCESS-PASS
specifies conditions for auditing successful attempts to access any of the previously listed types of objects. This setting supplements any audit settings for individual objects. The conditions can be ALL, NONE, LOCAL, or REMOTE. The default is NONE. If client auditing is enabled, this attribute also controls auditing for successful client operations pertaining to any of the previously listed types of objects.
AUDIT-AUTHENTICATE-PASS
specifies conditions for auditing successful user and alias authentication attempts on the system. This setting supplements the audit settings in individual user and alias records. The conditions can be ALL, NONE, LOCAL, or REMOTE. The default is NONE. The conditions specified for this attribute also apply to the systemwide auditing of automatic logoffs described in Auditing User Authentication Attempts on page 2-2.
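The way an object's own AUDIT-ACCESS-PASS/FAIL value combines with the systemwide AUDIT-DISKFILE-ACCESS-PASS/FAIL setting (the systemwide value supplements the individual one, and an audited event yields one record, not two) can be modelled directly. The following is an added example, not code from the manual; the DiskFileRecord, SafeguardConfig and AccessAttempt classes and all sample records and attempts are constructed for illustration.

```python
# Added example, not part of the Safeguard manual: decide whether a disk file
# access attempt is audited given the file's own AUDIT-ACCESS-PASS/FAIL
# attribute and the systemwide AUDIT-DISKFILE-ACCESS-PASS/FAIL setting.
# Class names and sample data below are constructed for this example.
from dataclasses import dataclass

VALID_SPECS = {"ALL", "LOCAL", "REMOTE", "NONE"}


def spec_matches(spec: str, remote: bool) -> bool:
    """Does an audit-spec value cover a local (remote=False) or remote attempt?"""
    spec = spec.upper()
    if spec not in VALID_SPECS:
        raise ValueError(f"invalid audit-spec {spec!r}")
    return spec == "ALL" or (spec == "LOCAL" and not remote) or (spec == "REMOTE" and remote)


@dataclass(frozen=True)
class DiskFileRecord:
    """Audit attributes of one disk file protection record (defaults are NONE)."""
    name: str
    audit_access_pass: str = "NONE"
    audit_access_fail: str = "NONE"


@dataclass(frozen=True)
class SafeguardConfig:
    """Systemwide disk-file audit settings from the Safeguard configuration."""
    audit_diskfile_access_pass: str = "NONE"
    audit_diskfile_access_fail: str = "NONE"


@dataclass(frozen=True)
class AccessAttempt:
    diskfile: str
    remote: bool      # requester logged on to a remote system
    succeeded: bool   # PASS or FAIL outcome selects which attribute pair applies


def is_audited(record: DiskFileRecord, config: SafeguardConfig, attempt: AccessAttempt) -> bool:
    """True when either the individual or the systemwide setting covers the attempt."""
    if attempt.succeeded:
        individual, systemwide = record.audit_access_pass, config.audit_diskfile_access_pass
    else:
        individual, systemwide = record.audit_access_fail, config.audit_diskfile_access_fail
    return spec_matches(individual, attempt.remote) or spec_matches(systemwide, attempt.remote)


def audit_records(records: dict, config: SafeguardConfig, attempts: list) -> list:
    """Produce exactly one audit record per audited attempt, never a duplicate."""
    out = []
    for a in attempts:
        if is_audited(records[a.diskfile], config, a):
            out.append({"object": a.diskfile,
                        "remote": a.remote,
                        "outcome": "PASS" if a.succeeded else "FAIL"})
    return out


# Constructed protection records using the file names from this section's examples.
RECORDS = {
    "$home.annual.report": DiskFileRecord("$home.annual.report", "ALL", "ALL"),
    "$home.quarterly.report1": DiskFileRecord("$home.quarterly.report1", "REMOTE", "REMOTE"),
    "$data.public.readme": DiskFileRecord("$data.public.readme"),   # defaults: NONE / NONE
}

# Constructed systemwide setting: audit only local failed disk file accesses.
CONFIG = SafeguardConfig(audit_diskfile_access_pass="NONE", audit_diskfile_access_fail="LOCAL")

ATTEMPTS = [
    AccessAttempt("$home.annual.report", remote=False, succeeded=True),      # individual ALL
    AccessAttempt("$home.annual.report", remote=True, succeeded=True),       # individual ALL
    AccessAttempt("$home.quarterly.report1", remote=False, succeeded=True),  # not audited
    AccessAttempt("$home.quarterly.report1", remote=False, succeeded=False), # systemwide LOCAL fail
    AccessAttempt("$data.public.readme", remote=True, succeeded=False),      # remote: not covered
]

if __name__ == "__main__":
    for rec in audit_records(RECORDS, CONFIG, ATTEMPTS):
        print(rec)
```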
ALTER SAFEGUARD and STOP SAFEGUARD Commands

All attempts to change the Safeguard configuration with the ALTER SAFEGUARD command, whether successful or not, are automatically audited. For each attempt, one primary audit record and two secondary audit records are written to the current audit file. One secondary record contains an image of the Safeguard configuration record before the attempt.
EVENT-EXIT-PROCESS Commands

and one secondary audit record is written to the current audit file. The secondary record contains the image of the event-exit record associated with the attempt. For each ALTER EVENT-EXIT-PROCESS command, one primary and two secondary audit records are written to the current file. One secondary record contains the image of the event-exit record before the attempted change.
3 Managing the Audit Trail

This section describes the components of the Safeguard audit trail and how to manage them with the audit service commands. The Safeguard audit trail consists of one or more audit pools. An audit pool is a subvolume that contains audit files. You can define multiple audit pools, and each audit pool can contain several individual audit files. These audit files contain records of audited events.
designated as the currently active audit pool until another audit pool is added and selected. After additional audit pools are added and one of them is selected, $SYSTEM.SAFE remains in the audit trail as a secondary audit pool; it is used in certain situations to record audit data if the currently active audit pool fills up or becomes unavailable due to a disk failure.
Establishing Security Groups

Initially, most audit service commands are restricted to members of the super group. However, you should take advantage of the two Safeguard security groups—SECURITY-ADMINISTRATOR and SYSTEM-OPERATOR—to establish roles and to further restrict the use of the audit service. The SECURITY-ADMINISTRATOR security group can issue all audit service commands except the NEXTFILE and RELEASE commands.
Creating an Audit Pool

To create an audit pool, you specify its location. Optionally, you can also specify the number of audit files to be included in the audit pool, and you can set limits on the size of each audit file. For example, use this ADD AUDIT POOL command to create an audit pool on volume $SECURE and subvolume AUDIT1:
=ADD AUDIT POOL $secure.
You can also create an audit pool that has the same parameters as an existing audit pool. For example, use this command to create an audit pool at $KEEPER.AUDIT1 using the same parameters as the existing audit pool at $SECURE.AUDIT2:
=ADD AUDIT POOL $keeper.audit1 LIKE $secure.audit2

As this example shows, you can choose to create audit pools on different disk volumes so that auditing can still occur if the current disk volume becomes inaccessible.

Caution.
You can choose one of these recovery actions:

RECYCLE
causes the Safeguard software to select the oldest unreleased audit file in the current audit pool, purge the data from it, and give it the next available audit file name. This recovery action applies only in an overflow situation. If a down volume occurs when RECYCLE is the specified recovery action, the Safeguard software suspends auditing.
This output appears:
CURRENT AUDIT POOL    $secure.audit2
CURRENT AUDIT FILE    A0000003
NEXT AUDIT POOL       $keeper.audit1
RECOVERY              DENY GRANTS
CURRENT STATE         NORMAL
WRITE-THROUGH CACHE   ON
EOF REFRESH           ON

Suppose that you later want to return to the default state in which the Safeguard software attempts to recycle audit files.
You can also use SELECT CURRENT AUDIT POOL to close the current audit file and switch to another audit pool. For example, this command closes the current audit file and switches to the first available audit file in the audit pool at $SECURE.AUDIT3:
=SELECT CURRENT AUDIT POOL $secure.audit3

Releasing Audit Files

When you no longer need to retain a used audit file, you can purge it with the RELEASE command.
You cannot delete the current audit pool.

Audit Pool Precautions During a Cold Start

If the Safeguard subsystem was included with system generation, take these precautions to prevent auditing from being suspended during a cold start of the system:
1. Before shutting down the system, check that the current audit pool resides on a disk that is connected to the same processor as the $SYSTEM disk.

Note.
4 Audit Service Command Syntax

Use the SAFECOM audit service commands to define and manage the components of the Safeguard audit trail. These commands allow you to specify audit pools, the size and number of the audit files within an audit pool, and recovery actions to be taken if access to the audit trail is interrupted. The commands also allow you to release audit files for reuse and to manually select the next audit file to be used.
• The format for the command listing or report (for commands that produce displays or listings)
• Considerations for the use of the command
• Examples of command usage

ADD AUDIT POOL Command

ADD AUDIT POOL defines a new audit pool, adds it to the collection of available audit pools, and allocates disk space for the audit files. This command does not select the specified audit pool as the current audit pool.
LIKE $vol.subvol
adopts the existing file-spec values of the specified $volume.subvolume as the file-spec values to be used for the audit pool being added. The volume and subvolume specified with LIKE must refer to an existing audit pool.

Considerations
• If you do not include either LIKE or the file-spec variables, ADD AUDIT POOL uses the default values for the file-spec variables.
• All attempts to execute this command are audited.

Caution.
ALTER AUDIT POOL Command

Members of either security group can execute this command.

ALTER AUDIT POOL [ $vol.subvol ] [ , ] file-spec [ , file-spec ]...

$vol.subvol
specifies the audit pool for which disk allocation parameters are to be changed. The audit pool is designated by its volume and subvolume name. If $vol.subvol is omitted, the current audit pool is assumed.

file-spec
specifies the disk allocation parameters for the disk files that make up this audit pool.
• All attempts to execute this command are audited.

Caution. Altering the current audit pool can cause system performance problems.

Examples
1. This command changes the disk allocation parameters for the current audit pool so the primary and secondary extents are 256, the maximum extents are 32, and the maximum audit files are 6:
=ALTER AUDIT POOL EXT (256,256), MAXEXTENTS 32, &
=MAXFILES 6
2.
WRITE-THROUGH CACHE { ON | OFF }

ON
specifies that after each audit record is written, the block in which it resides is written to disk.

OFF
specifies that a block modified as a result of writing an audit record can be cached in memory and not written to disk immediately. The initial setting of WRITE-THROUGH CACHE is OFF.
DENY GRANTS
specifies that the Safeguard subsystem is to deny the granting of most authorization and authentication requests that require auditing. The only requests allowed are those that result in successful operations by members of the security groups. If this action is specified, auditing is redirected to the secondary audit pool $SYSTEM.SAFE.

Caution. If no space is available in the audit pool at $SYSTEM.
DELETE AUDIT POOL Command

1. Before shutting down the system, check that the current audit pool resides on a disk that is connected to the same processor as the $SYSTEM disk.

Note. Check that the current audit pool resides on the $SYSTEM disk when Safeguard is configured as a persistent process and STARTMODE is KERNEL.
Example
1. This example assumes that the audit pool $SECURE.AUDIT1 contains six audit files named A0000020 through A0000025. These files must be released before the audit pool is deleted:
=RELEASE A20 : A25 IN $secure.audit1
=DELETE AUDIT POOL $secure.audit1

INFO AUDIT POOL Command

INFO AUDIT POOL displays status information about one or more audit pools. Any user can execute this command.
MAXEXTENTS max-ext
is the maximum number of extents for files in the audit pool.

EXTENTSIZE pri-ext,sec-ext
are the primary and secondary extent sizes for files in the audit pool.

Considerations
• You can use the wild-card characters * and ? any place in the audit pool volume and subvolume names.
• Use of the wild-card characters in the names causes INFO AUDIT POOL to display the status of all audit pools whose names match the wild-card template.
INFO AUDIT SERVICE Command

Example 4-2. INFO AUDIT SERVICE Report
CURRENT AUDIT POOL    $vol.subvol
CURRENT AUDIT FILE    Axxxxxxx
NEXT AUDIT POOL       $vol.subvol
RECOVERY              recovery
CURRENT STATE         state
WRITE-THROUGH CACHE   {ON|OFF}
EOF REFRESH           {ON|OFF}

The fields in the INFO AUDIT SERVICE report are:

CURRENT AUDIT POOL $vol.subvol
is the volume and subvolume that contain the current audit pool.

CURRENT AUDIT FILE Axxxxxxx
is the name of the currently active audit file.
CURRENT STATE state
is the current operating state of the audit service. state is one of these operating states:
NORMAL
NORMAL - NO NEXT AUDIT POOL
RECYCLING FILES
AUDIT SUSPENDED
DENY GRANTS
DENY ALL GRANTS

NORMAL indicates that the audit service is operating normally.
NORMAL - NO NEXT AUDIT POOL indicates that the audit service is operating normally, but no next audit pool has been defined.
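Because the audit service commands themselves are audited but a suspended or denying audit service is exactly what an administrator needs to notice quickly, the INFO AUDIT SERVICE report is worth checking mechanically. The following parser is an added example, not code from the manual: it reads the report layout of Example 4-2 and flags operating states other than NORMAL and a WRITE-THROUGH CACHE of OFF. Both report texts are constructed; the state descriptions are summarised from this manual, and DENY ALL GRANTS, which this page only lists, is described generically.

```python
# Added example, not part of the Safeguard manual: parse the text of an
# INFO AUDIT SERVICE report into a dictionary and flag conditions under
# which audit records may be delayed, denied or lost. Both report texts
# below are constructed from the field layout shown in Example 4-2.

# Report field labels in the order the manual lists them.
FIELDS = (
    "CURRENT AUDIT POOL",
    "CURRENT AUDIT FILE",
    "NEXT AUDIT POOL",
    "RECOVERY",
    "CURRENT STATE",
    "WRITE-THROUGH CACHE",
    "EOF REFRESH",
)

# Operating states other than NORMAL, with the consequence an administrator
# should care about (summarised from the manual; DENY ALL GRANTS is only listed there).
DEGRADED_STATES = {
    "NORMAL - NO NEXT AUDIT POOL": "no next audit pool is defined, so an overflow depends entirely on the RECOVERY action",
    "RECYCLING FILES": "the oldest unreleased audit files are being purged and reused",
    "AUDIT SUSPENDED": "the audit service is not recording events",
    "DENY GRANTS": "most audited authorization and authentication requests are being denied",
    "DENY ALL GRANTS": "all audited requests are being denied",
}


def parse_info_audit_service(report: str) -> dict:
    """Return {label: value} for every line of an INFO AUDIT SERVICE report."""
    fields = {}
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Labels are fixed text; the value is whatever follows the label.
        for label in FIELDS:
            if line.startswith(label):
                fields[label] = line[len(label):].strip()
                break
        else:
            raise ValueError(f"unrecognised report line: {line!r}")
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError(f"report is missing fields: {missing}")
    return fields


def audit_warnings(fields: dict) -> list:
    """Conditions a security administrator should act on, in report order."""
    warnings = []
    state = fields["CURRENT STATE"]
    if state != "NORMAL":
        reason = DEGRADED_STATES.get(state, "state not described in this manual")
        warnings.append(f"CURRENT STATE is {state}: {reason}")
    if fields["WRITE-THROUGH CACHE"] == "OFF":
        warnings.append("WRITE-THROUGH CACHE is OFF: recently written audit records may exist only in memory")
    return warnings


# Constructed report using the values shown under Altering the Audit Pool Disk Allocation.
HEALTHY_REPORT = """\
CURRENT AUDIT POOL    $secure.audit2
CURRENT AUDIT FILE    A0000003
NEXT AUDIT POOL       $keeper.audit1
RECOVERY              DENY GRANTS
CURRENT STATE         NORMAL
WRITE-THROUGH CACHE   ON
EOF REFRESH           ON
"""

# Constructed report: RECYCLE recovery after a down volume leaves auditing suspended.
DEGRADED_REPORT = """\
CURRENT AUDIT POOL    $secure.audit2
CURRENT AUDIT FILE    A0000007
NEXT AUDIT POOL       $keeper.audit1
RECOVERY              RECYCLE
CURRENT STATE         AUDIT SUSPENDED
WRITE-THROUGH CACHE   OFF
EOF REFRESH           ON
"""

if __name__ == "__main__":
    for text in (HEALTHY_REPORT, DEGRADED_REPORT):
        fields = parse_info_audit_service(text)
        print(fields["CURRENT AUDIT POOL"], fields["CURRENT STATE"], audit_warnings(fields) or "OK")
```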
Consideration
Attempts to execute this command are not audited.

Example
This command displays an INFO AUDIT SERVICE report:
=INFO AUDIT SERVICE

NEXTFILE Command

NEXTFILE closes the current audit file and opens the next audit file in the current audit pool. If there are any outstanding records to be written to the current audit file, those records are written before the switch to the next file occurs.
RELEASE Command

Only members of the SYSTEM-OPERATOR security group can execute this command.

RELEASE afile [ , afile ] ... [ IN $vol.subvol ]

afile
specifies the number of the audit file to be released. It can be expressed in either of these forms:
file-num
file-num : file-num
file-num is expressed as the file's alphabetic prefix and the least significant digits of the audit file name that uniquely identify the file.
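The file-num shorthand (prefix plus least significant digits, as in RELEASE A20 : A25 IN $secure.audit1 releasing A0000020 through A0000025) is easy to get wrong when a pool holds files whose names share a suffix. The following resolver is an added example, not code from the manual: it expands RELEASE arguments against a listing of a pool's files and refuses any shorthand that does not identify exactly one file. The Axxxxxxx naming (one letter, seven digits) is taken from Example 4-2; the pool contents and the parse_release and resolve_file_num names are constructed for this example.

```python
# Added example, not part of the Safeguard manual: resolve the afile shorthand
# accepted by RELEASE (prefix plus least significant digits, optionally as a
# from : to range, optionally qualified with IN $vol.subvol) against the audit
# files present in a pool. Pool contents below are constructed.
import re

FULL_NAME_RE = re.compile(r"^[A-Z]\d{7}$")          # Axxxxxxx
SHORTHAND_RE = re.compile(r"^([A-Za-z])(\d{1,7})$")   # e.g. A20, a0000020


def shorthand_matches(shorthand: str, pool_files: list) -> list:
    """Audit files whose prefix and least significant digits match the shorthand."""
    m = SHORTHAND_RE.match(shorthand.strip())
    if not m:
        raise ValueError(f"malformed file-num {shorthand!r}")
    prefix, digits = m.group(1).upper(), m.group(2)
    return [f for f in pool_files if f[0] == prefix and f[1:].endswith(digits)]


def resolve_file_num(shorthand: str, pool_files: list) -> str:
    """The single audit file the shorthand identifies; ambiguity is an error."""
    matches = shorthand_matches(shorthand, pool_files)
    if len(matches) != 1:
        raise ValueError(f"{shorthand.strip()!r} does not uniquely identify a file: {matches}")
    return matches[0]


def expand_range(lo: str, hi: str, pool_files: list) -> list:
    """All files of the same prefix numbered between lo and hi inclusive."""
    if lo[0] != hi[0] or int(lo[1:]) > int(hi[1:]):
        raise ValueError(f"invalid range {lo} : {hi}")
    return [f for f in pool_files
            if f[0] == lo[0] and int(lo[1:]) <= int(f[1:]) <= int(hi[1:])]


def parse_release(args: str, pools: dict, current_pool: str) -> tuple:
    """Parse the argument text of a RELEASE command; return (pool, sorted files)."""
    pool = current_pool
    m = re.search(r"\s+IN\s+(\$[\w.]+)\s*$", args, re.IGNORECASE)
    if m:
        pool, args = m.group(1).lower(), args[: m.start()]
    if pool not in pools:
        raise ValueError(f"unknown audit pool {pool}")
    files = pools[pool]
    bad = [f for f in files if not FULL_NAME_RE.match(f)]
    if bad:
        raise ValueError(f"pool listing contains non-audit-file names: {bad}")
    selected = []
    for spec in args.split(","):
        if ":" in spec:
            lo_s, hi_s = spec.split(":", 1)
            selected.extend(expand_range(resolve_file_num(lo_s, files),
                                         resolve_file_num(hi_s, files), files))
        else:
            selected.append(resolve_file_num(spec, files))
    return pool, sorted(set(selected))


# Constructed pool listings. $secure.audit1 matches the manual's example;
# $keeper.audit1 deliberately contains names that share a trailing digit.
POOLS = {
    "$secure.audit1": [f"A{n:07d}" for n in range(20, 26)],   # A0000020 .. A0000025
    "$keeper.audit1": ["A0000001", "A0000002", "A0000101"],
}

if __name__ == "__main__":
    print(parse_release("A20 : A25 IN $secure.audit1", POOLS, "$keeper.audit1"))
    print(parse_release("A21, A23", POOLS, "$secure.audit1"))
    print(shorthand_matches("A1", POOLS["$keeper.audit1"]))   # ambiguous: two matches
```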
SELECT Command

SELECT selects a previously defined audit pool as the current audit pool or the next audit pool. When you select the current audit pool, the audit service automatically begins writing audit records to the first available audit file in that audit pool. You need not execute a NEXTFILE command to initiate the writing of audit records to this audit pool.
Examples
1. This command selects the audit pool on $OPS2.TRAIL2 as the current audit pool:
=SELECT CURRENT AUDIT POOL $ops2.trail2
2. This command selects the audit pool on $OPS3.TRAIL1 as the next audit pool:
=SELECT NEXT AUDIT POOL $ops3.trail1
3. This command selects the audit pool on $BIG1.AUDIT as the current audit pool and selects the audit pool on $BIG2.TRAIL as the next audit pool:
=SELECT CURRENT AUDIT POOL $big1.audit, &
=NEXT AUDIT POOL $big2.
5 Getting Started With SAFEART

This section describes basic rules for using SAFEART, the Safeguard Audit Reduction Tool. SAFEART extracts information from the Safeguard audit files and produces reports of audited events based on criteria you specify. SAFEART provides two types of commands:
• Session-control commands manage your interactive session.
• Report generation commands control the format, content, and destination of your report.

You can use SAFEART in either interactive or batch mode.
Running SAFEART

To run SAFEART interactively, at your command interpreter prompt:
2>SAFEART
Safeguard Audit File Reduction Tool <= T9750D30

SAFEART displays a default prompt of <= while you are in a SAFEART session. Enter all SAFEART commands at this prompt. You can run as many reports as you want in one session. To end a SAFEART session and return to your command interpreter, enter the EXIT command.
These examples illustrate the use of quotation marks:
<=SET TITLE February
<=SET TITLE 'December 16, 1991'
<=SET TITLE "Operation's Activities"

Continuing a Command to the Next Line

To continue a command to the next line, end the first line with an ampersand (&).
line is considered a comment. (For more information on comments, see the Safeguard Reference Manual.) This example contains a comment:
<=SET TITLE Test1
<=AUDIT FILE testdata
<=LOG logit -- This is a sample data file

Note. SAFEART does not support comments embedded within a command.

SAFEART Session-Control Commands

Use the SAFEART session-control commands to manage your interactive session.
This table lists possible values for prompt-item:

Prompt Item       Description
string            The prompt includes a user-supplied text string. The string must be enclosed within single or double quotes.
COMMAND NUMBER    The prompt includes the current command line number.
CPU               The prompt includes the number of the processor in which SAFEART is running.
DATE              The prompt includes the current date.
END               The default SAFEART prompt is suppressed.
HELP ITEMS Command

The HELP ITEMS command displays a SAFEART field and its field type. You can display one item or all fields permissible in a SET WHERE command.

HELP ITEMS [ audit-record-item ]

audit-record-item
is the name of a field in a primary or secondary record. If the field is an enumerated type, the possible values for it are also displayed. All other fields are displayed with only their names and their respective field types.
LOG Command

The LOG command defines a file for recording SAFEART commands and messages. Logging remains in effect during a SAFEART session until you turn it off or exit SAFEART. The log-file specified in a LOG command is the name of a file, printer, tape device, or terminal. The logging process is turned off when SAFEART receives a LOG command without log-file or when you exit SAFEART.
! Command

The ! command reexecutes a previously issued command line, without modifications. The SAFEART ! command is similar to the SAFECOM ! command, which is described in the Safeguard Reference Manual.

! [ string   ]
  [ "string" ]
  [ linenum  ]
  [ -linenum ]

? Command

The ? command displays a previously issued command line. The SAFEART ? command is similar to the SAFECOM ? command, which is described in the Safeguard Reference Manual.
6 Producing SAFEART Reports

SAFEART allows you to produce reports of security-relevant events based on criteria you specify. Minimally, you must specify the audit files from which to extract information. However, to limit the scope of a report, you should also specify a time period and the types of events to include. If you do not specify a time period and a subset of events, SAFEART includes all events from the audit files, which is usually too much information.
Before attempting to produce a report, become familiar with the SAFEART report generation commands described in the following pages.

Note. You must have READ authority for the audit files before you can produce reports with SAFEART. See your security administrator or system manager.

SAFEART Report Generation Commands

Specify criteria for reports using the SAFEART report generation commands.
RESET Command

The RESET command returns the current value of a report parameter to its default value.

RESET { DESTINATION FILE }
      { TITLE            }
      { PAGE SIZE        }
      { START TIME       }
      { END TIME         }
      { WHERE            }

DESTINATION FILE returns the value of DESTINATION FILE to its default value (the home terminal).

TITLE returns the value of TITLE to the default title, "Safeguard Audit Reduction Tool."

PAGE SIZE returns the value of PAGE SIZE to the default value of 60 lines per page.
SET Command

The SET commands define the values for these report parameters.

SET { DESTINATION FILE [ report-file ]                        }
    { TITLE { (")title(") | ("title", "title",...) }          }
    { PAGE SIZE number-of-lines                               }
    { START TIME starting-time                                }
    { END TIME ending-time                                    }
    { WHERE expression                                        }

DESTINATION FILE report-file is the name of a file, tape device, printer, or terminal to which the report is written. The default is your home terminal.
yyyy/mm/dd
yy/mm/dd

yyyy is a number representing the century and year, such as 2001.

yy is a number representing the year in the current century, such as 01 for 2001. Leading zeros are optional.

mm is a number in the range 01 through 12, representing the month of the year, such as 4 for April. Leading zeros are optional.

dd is a number in the range 01 through 31, representing the day of the month. Leading zeros are optional.
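The date forms above (yyyy/mm/dd and yy/mm/dd, leading zeros optional, yy taken in the current century) are the kind of input an auditor scripts around when generating periodic reports. The following parser and period filter is an added example, not SAFEART's own code: it assumes the time of day is omitted, that the END date is inclusive of that whole day, that the "current century" comes from a `this_year` argument (defaulting to the real current year), and the audit records and their TimeReported values are constructed for illustration.

```python
"""Parse the date forms the manual gives for SET START TIME and SET END TIME
(yyyy/mm/dd or yy/mm/dd, leading zeros optional, yy in the current century) and
apply the period to constructed audit records.  Added example, not SAFEART's own
code; the time of day is omitted and the END date is taken as inclusive."""
import re
from datetime import date, datetime

DATE_RE = re.compile(r"^(\d{4}|\d{1,2})/(\d{1,2})/(\d{1,2})$")   # yyyy or yy, then mm, dd


def parse_report_date(text, this_year=None):
    """Return a date for one START TIME or END TIME value; `this_year` fixes the
    'current century' for the yy form (defaults to the real current year)."""
    m = DATE_RE.match(text.strip())
    if not m:
        raise ValueError(f"expected yyyy/mm/dd or yy/mm/dd, got {text!r}")
    year, month, day = (int(part) for part in m.groups())
    if len(m.group(1)) <= 2:                      # yy form: prepend the current century
        year += ((this_year or date.today().year) // 100) * 100
    if not 1 <= month <= 12:
        raise ValueError(f"month must be 01 through 12, got {month}")
    if not 1 <= day <= 31:
        raise ValueError(f"day must be 01 through 31, got {day}")
    return date(year, month, day)                 # date() rejects day 31 in a 30-day month


def is_invalid_date(text, this_year=None):
    """True when SAFEART-style validation would refuse the value."""
    try:
        parse_report_date(text, this_year)
        return False
    except ValueError:
        return True


def select_by_period(records, start_text, end_text, this_year=None):
    """Audit numbers of records whose TimeReported falls between the two dates."""
    start = parse_report_date(start_text, this_year)
    end = parse_report_date(end_text, this_year)
    if end < start:
        raise ValueError("END TIME must not precede START TIME")
    return [r["auditnumber"] for r in records if start <= r["timereported"].date() <= end]


AUDIT_RECORDS = [  # constructed sample records; TimeReported held as a datetime
    {"auditnumber": 1, "timereported": datetime(2007, 1, 31, 23, 59)},
    {"auditnumber": 2, "timereported": datetime(2007, 2, 1, 0, 5)},
    {"auditnumber": 3, "timereported": datetime(2007, 2, 15, 12, 0)},
    {"auditnumber": 4, "timereported": datetime(2007, 3, 1, 8, 0)},
]
```

Passing `this_year` explicitly keeps the yy form reproducible in scripts that are re-run years later, which matters when a report is kept as evidence of what period was examined.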
relational-operator is one of these:

=     equal to
<>    not equal to
<     less than
<=    less than or equal to
>     greater than
>=    greater than or equal to
LE    less than or equal to
NE    not equal to
GE    greater than or equal to

If the record item is an enumerated field, only = and <> are valid operators.

value specifies what record-item is compared to. It must be the same type as record-item. For example, if the item is a numeric field, value must be a number.
• Special rules govern the evaluation of comparison statements in SET WHERE commands. For more information, see Specifying Selection Criteria on page 6-9.

Examples

1.
SHOW * displays all values in effect for the current SAFEART session.

Example

This example includes a SHOW * command with the resulting output. The values in the output reflect the commands used in previous examples in this section.

<=SHOW *
OUT
LOG
AUDIT FILE "$bart.audit.A0000001"
AUDIT FILE "$bart.audit.
These statistics appear in the report summary:

Complete Events   The number of complete events read from the audit file or files. An event might have more than one record associated with it. For more information, see Reviewing Reports on page 6-18.
Header Records    The number of header records found in the audit files. There should be one header record for each audit file used.
You can specify additional criteria by using additional SET WHERE commands or by combining comparison statements in the same SET WHERE command. For more information, see Using Multiple Comparison Statements on page 6-12. To practice specifying selection criteria, you might want to copy an audit file to your subvolume and generate test reports with it. As mentioned earlier, you must have READ authority for the audit file.
To search for all diskfile-pattern records matching the objectname search string "$DATA.JA*.T*" (where the "*" in the filename is intended to be a search character), enter this command under SAFEART:

SET WHERE objectname='$DATA.JA[*].T*'

To search for both diskfile and diskfile-pattern records matching the objectname search string "$DATA.JA*.
If you use OwnerIsRemote in a comparison statement, you must compare it to one of these values. For example:

<=SET WHERE OwnerIsRemote = local

Using Multiple Comparison Statements

When you use multiple comparison statements within a single SET WHERE command, connect them with a logical operator (AND or OR). The logical operator determines how the WHERE expression is evaluated.
Using Parentheses in SET WHERE Commands

To change the order of evaluating a complex expression, you can group multiple comparison statements within parentheses. The statements within parentheses are evaluated before the other comparison statements. The following example shows how the grouping of items in parentheses affects the meaning of a SET WHERE command.
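To make the evaluation rules of this and the preceding pages concrete (relational operators including the LE/NE/GE spellings, enumerated fields restricted to = and <>, the value-type rule, AND/OR joined comparisons, parentheses, and the ObjectName search string where [*] stands for a literal asterisk), here is an added example that evaluates SET WHERE expressions over a few constructed audit records. It is not SAFEART's own code and makes these assumptions: a bare * matches any run of characters, AND binds tighter than OR unless parentheses say otherwise, names compare case-insensitively, value lists such as "255,60, 255,22" are not supported, and the record field set is the minimum needed for the illustration.

```python
"""Evaluate SAFEART-style SET WHERE expressions over constructed audit records.
Added example, not SAFEART's own code.  Drawn from the manual: the relational
operators (with the LE/NE/GE spellings), enumerated fields take only = and <>,
the value must match the item's type, AND/OR with parentheses, and '[*]' as a
literal asterisk in an ObjectName search string."""
import operator
import re

ENUMERATED = {"objecttype", "operation", "outcome", "ownerisremote"}
WORD_OPERATORS = {"LE": "<=", "NE": "<>", "GE": ">="}
COMPARE = {"=": operator.eq, "<>": operator.ne, "<": operator.lt,
           "<=": operator.le, ">": operator.gt, ">=": operator.ge}
TOKEN_RE = re.compile(r"\s*(?:(?P<lp>\()|(?P<rp>\))|(?P<op><>|<=|>=|=|<|>)"
                      r"|(?P<str>'[^']*'|\"[^\"]*\")|(?P<word>[^\s()=<>'\"]+))")

def tokenize(text):
    """Split into (kind, text) tokens; unreadable input such as an unclosed quote is an error."""
    matches = list(TOKEN_RE.finditer(text))
    if sum(len(m.group(0)) for m in matches) != len(text.rstrip()):
        raise ValueError(f"cannot read expression {text!r}")
    return [(m.lastgroup, m.group(m.lastgroup)) for m in matches]

def parse(where):
    """Recursive descent: expr := term (OR term)*; term := factor (AND factor)*;
    factor := '(' expr ')' | record-item relational-operator value.
    That AND binds tighter than OR is an assumption of this example."""
    toks, pos = tokenize(where) + [(None, None)], 0      # sentinel marks the end
    def take():
        nonlocal pos
        tok, pos = toks[pos], min(pos + 1, len(toks) - 1)
        return tok
    def keyword(word):
        hit = toks[pos][0] == "word" and toks[pos][1].upper() == word
        return bool(hit and take())
    def expr():
        node = term()
        while keyword("OR"):
            node = ("or", node, term())
        return node
    def term():
        node = factor()
        while keyword("AND"):
            node = ("and", node, factor())
        return node
    def factor():
        ik, item = take()
        if ik == "lp":
            node = expr()
            if take()[0] != "rp":
                raise ValueError("missing closing parenthesis")
            return node
        (ok, op), (vk, value) = take(), take()
        op = WORD_OPERATORS.get(op.upper(), op) if ok == "word" else op
        if ik != "word" or op not in COMPARE or vk not in ("str", "word"):
            raise ValueError(f"malformed comparison near {item!r}")
        value = value[1:-1] if vk == "str" else (int(value) if value.isdigit() else value)
        return ("cmp", item.lower(), op, value)
    tree = expr()
    if toks[pos][0] is not None:
        raise ValueError(f"unexpected {toks[pos][1]!r}")
    return tree

def wildcard_regex(search):
    """'[*]' matches a literal asterisk; a bare '*' matches any run of characters (assumed)."""
    pattern = "".join(r"\*" if piece == "[*]" else ".*" if piece == "*" else re.escape(piece)
                      for piece in re.split(r"(\[\*\]|\*)", search))
    return re.compile(f"^{pattern}$", re.IGNORECASE)

def evaluate(node, record):
    """True when the audit record satisfies the parsed expression."""
    if node[0] != "cmp":
        left, right = evaluate(node[1], record), evaluate(node[2], record)
        return (left or right) if node[0] == "or" else (left and right)
    _, item, op, value = node
    if item not in record or (item in ENUMERATED and op not in ("=", "<>")):
        raise ValueError(f"{item}: unknown record item, or operator not valid for an enumerated field")
    actual = record[item]
    if isinstance(actual, int) != isinstance(value, int):
        raise ValueError(f"value for {item} must be the same type as the item")
    if item == "objectname" and op in ("=", "<>"):      # search string with wild cards
        return (wildcard_regex(value).match(actual) is not None) == (op == "=")
    upper = lambda x: x.upper() if isinstance(x, str) else x   # names compare case-insensitively
    return COMPARE[op](upper(actual), upper(value))

def select(where, records):
    """Audit numbers of the records that one SET WHERE expression selects."""
    tree = parse(where)
    return [r["auditnumber"] for r in records if evaluate(tree, r)]

def rec(num, otype, name, outcome, subject, owner):
    return {"auditnumber": num, "objecttype": otype, "objectname": name,
            "outcome": outcome, "subjectusernumber": subject, "ownerisremote": owner}

AUDIT_RECORDS = [  # constructed sample records, not from a real audit trail
    rec(101, "Diskfile", "$DATA.JAN.TOTALS", "Denied", "255,60", "Local"),
    rec(102, "DiskfilePattern", "$DATA.JA*.T*", "Granted", "255,255", "Local"),
    rec(103, "Process", "$ZOPS", "Granted", "255,4", "None"),
    rec(104, "Diskfile", "$SYSTEM.SYS00.OSIMAGE", "Denied", "100,1", "Remote"),
]
```

With these records, `select("objectname='$DATA.JA[*].T*'", AUDIT_RECORDS)` returns only the pattern record 102, while `objectname='$DATA.JA*.T*'` returns 101 and 102. The two forms `outcome = Denied AND subjectusernumber = 100,1 OR objecttype = Process` and `outcome = Denied AND (subjectusernumber = 100,1 OR objecttype = Process)` select different records, which is the point the parentheses example in the manual makes; an expression such as `objecttype < Diskfile` is refused because ObjectType is enumerated.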
This example illustrates how to use the Before prefix in a search. This command selects events in which an attempt was made to change the Safeguard configuration attribute PASSWORD ENCRYPT from ON to OFF (from True to False):

<=SET WHERE BeforeConfigPasswordEncrypt=True AND &
<=&ConfigPasswordEncrypt=False

Using SAFEART Command Files

SAFEART command files simplify your work.
• Consider specifying the destination file in the command file. If the destination file already exists, it is overwritten the first time SAFEART writes to it in a session. If SAFEART writes to the same destination file more than once during the same session, each report output is appended to the destination file.
session. The procedure for using this type of command file to produce a report is as follows:

1. From SAFEART, issue the OBEY command:
   <=OBEY obey-file
2. Specify the audit file or files with the AUDIT FILE command.
3. Specify a time period for the report with the SET START TIME and SET END TIME commands.
4. Specify any other preferred parameters.
5. Verify all report parameters with the SHOW * command.
6.
Denied Object Events

-- This file establishes criteria to produce a report of
-- denied operations on device, process, or disk objects.
--
AUDIT FILE
RESET START TIME; RESET END TIME
RESET PAGE SIZE
RESET WHERE
SET DESTINATION FILE "\euro.$ops.audit.
-- Select events where specified operator is the subject:
SET WHERE subjectusernumber=255,60, 255,22, 255,77, 255,55
SET WHERE subjectusernumber=255,79, 255,48, 255,75, 255,97
SET WHERE subjectusernumber=255,4
-- Select events where specified operator ID is the object:
SET WHERE guarduserusernumber=255,60, 255,22, 255,77, 255,55
SET WHERE guarduserusernumber=255,79, 255,48, 255,75, 255,97
SET WHERE guarduserusernumber=255,4

Reviewing Reports

SAFEART includes o
Information About the Object

These primary record fields describe the object involved in the event.

ObjectType   The type of object involved
ObjectName   The name of the object

In some cases, the object is actually a user ID or a user record. If so, the ObjectName field is replaced by fields that describe the user ID.
Automatic Logoff Events

A user is automatically logged off if another user successfully logs on at the same terminal. This type of event is represented by a Logoff operation. The logged-off user is represented by the fields with the Subject prefix and the fields GuarduserUserName, GuarduserUserNumber, and UserAliasName.
7 SAFEART Field Descriptions

This section describes the fields that appear in SAFEART reports. These fields are derived from the fields in the Safeguard audit records. Most of the fields can be used in SET WHERE commands to select events. However, you must use the SAFEART names described here instead of the DDL audit record names listed in Appendix A, Audit File Record Formats.

Field Types

SAFEART uses several types of fields in its report.
Possible values for enumerated fields within a Safeguard text area are included in the text area description. Other enumerated fields that occur in primary and secondary records are described in Table 7-4 on page 7-44, Table 7-5 on page 7-47, Table 7-6 on page 7-50, Table 7-7 on page 7-51, Table 7-8 on page 7-51, Table 7-9 on page 7-51, and Table 7-10 on page 7-55.

Example 7-1.
Primary Record Fields

A primary audit record represents each audited security event. Table 7-1 describes the fields in the primary audit record. Except where noted, you can use these fields in SET WHERE commands.

Table 7-1. Primary Record Fields (page 1 of 3)

Field Name    Field Type   Description
Auditnumber   Numeric      Identifies an audited event in the security audit pool.

Table 7-1. Primary Record Fields (page 2 of 3)

Field Name    Field Type   Description
ObjectName    Character    Describes the object of the audited event. This field usually contains only the name of the object. However, under some conditions, this field might be overlaid by another set of fields. For more information, see Variable ObjectName Field on page 7-6.
ObjectType    Enumerated   Specifies the type of object.

Table 7-1. Primary Record Fields (page 3 of 3)

Field Name           Field Type   Description
SubjectProcessName   Character    Specifies the name of the user process attempting the operation. For more information, see Special Considerations for Subject Fields on page 6-19. If this value is not communicated to the Safeguard subsystem or the process is an NFS client, the field is set to all blanks.
Variable ObjectName Field

Under certain conditions, the ObjectName field is overlaid by a different set of fields. The value of the ObjectType field indicates whether the ObjectName field is overlaid. If the value of the ObjectType field is GuardianUser or UserRecord, the ObjectName field is overlaid with these fields:

Field Name          Field Type   Description
GuarduserUserName   Character    Specifies the group name.member name of the user.

OSS Fileset: the fileset name, such as ROOT.

OSS File: the path name used to access the file. The actual pathname audited is absolute and is normalized to have all '.', '..', multiple slashes and symbolic link references resolved. If the length of this pathname exceeds 1023 bytes, the audited name consists of three periods ('...') followed by the last 1020 bytes of the path name.

The internal name also depends on the type of object being audited.
The object name in the audit record generated by NonStop Kernel (T9050) is the textual representation of the process handle for operations such as:

• process creation (exec() family, PROCESS_SPAWN_(), fork())
• kill()
• setsid(), setpgid()

This existing format is used to store the object name:

\SYSNAME.$PNAME[,CPU,PIN][:VERIFIER]
\SYSNAME.CPU,PIN[:VERIFIER]
\###.$NAME[,CPU,PIN][:VERIFIER]
\###.CPU,PIN[:VERIFIER]

where ### is the system node number.
Table 7-2. Secondary Record Fields (page 2 of 2)

Field Name              Field Type      Description
SecondaryTimeReceived   Date and time   Specifies the date and time when the event description was received by the audit service collector process. You cannot use this field in SET WHERE commands.
SecondaryTimeReported   Date and time   Specifies the date and time when the client or subsystem sent the event description to the audit service collector process.
Table 7-3.
AuditCurrentFileNumber specifies the current audit file number in this audit pool. Field type is numeric.

AuditMaxExtents specifies the maximum number of primary and secondary extents to be allocated to audit files created in this audit pool. Field type is numeric.

AuditMaxFiles specifies the maximum number of files that can be allocated in this audit pool. Field type is numeric.

Normal restricts creation of persistent disk-file protection records to files that exist at the time the record is added.

Always allows the creation of persistent disk-file protection records for files that exist and files that do not exist at the time the record is added.

ConfigAllowNodeACL specifies, if True, that ACL entries containing explicit node identifiers are consulted for remote access. Field type is True or False.

ConfigAuditDeviceManagePass specifies conditions for systemwide auditing of successful attempts to manage a device protection record. Field type is enumerated. Possible values are None, Local, Remote, and All.

ConfigAuditDiskfileAccessFail specifies conditions for systemwide auditing of unsuccessful attempts to access a protected disk file. Field type is enumerated. Possible values are None, Local, Remote, and All.

ConfigAuditObjectManagePass specifies conditions for systemwide auditing of successful attempts to manage the protection record for an object. Field type is enumerated. Possible values are None, Local, Remote, and All.

ConfigAuditProcessAccessFail specifies conditions for systemwide auditing of unsuccessful attempts to access a protected process. Field type is enumerated. Possible values are None, Local, Remote, and All.

ConfigAuthFailFreeze specifies, if True, that a user is to be frozen when the number of consecutive failed authentication attempts for that user exceeds ConfigAuthMaxAttempts. Field type is True or False.

ConfigAuthFailToUnits specifies the units associated with ConfigAuthFailToVal. Field type is enumerated. Possible values are Seconds, Minutes, Hours, Days, Weeks, Months, and Years.

ONLY specifies that only pattern searching will occur. Normal, non-pattern searching will not be performed even if the pattern search returns NORECORD.

OFF specifies that no pattern searches will occur.

ConfigCheckProcess specifies, if True, that the Safeguard software examines protection records for processes. Field type is True or False.

interpreter is specified for the user or the terminal. This field is blank if no value has been specified. Field type is character.

ConfigCiSwap specifies the swap volume or file used with the default command interpreter. This field is blank if no value has been specified. Field type is character.

ConfigClearonpurgeDiskfile specifies, if True, that disk files are cleared when purged. Field type is True or False.

ConfigCombinationProcess specifies the manner in which the Safeguard software checks protection records for processes. Field type is enumerated. The possible values are FirstRule, FirstAcl, and All.

ConfigCurrentAuditFile specifies the name of the current audit file, that is, the name of the audit file to which audit records are currently being written. Field type is character.

ConfigCurrentAuditPool specifies the name of the current audit pool.

ConfigPasswordAlgorithm specifies the algorithm used to encrypt the user's password when the password is to be stored in the encrypted form. Field type is enumerated.

Note. The ConfigPasswordAlgorithm attribute is supported only on systems running G06.29 and later G-series RVUs and H06.06 and later H-series RVUs.

The possible values are DES and HMAC256. Default value is DES. DES indicates to use the DES algorithm to encrypt passwords.

ConfigPasswordMaximumLength specifies the maximum length of new passwords for all users. Field type is numeric.

Note. The ConfigPasswordMaximumLength attribute is supported only on systems running H06.08 and later H-series RVUs.

ConfigPasswordMinimumLength specifies the minimum length of new passwords for all users. Field type is numeric.
DenyGrants denies Safeguard authorizations until the condition is removed.

Recycle recycles audit files in the current audit pool.

ConfigTermExclAccess specifies, if True, that a user who is logged on at a Safeguard terminal has exclusive access to the terminal. Field type is True or False.

ConfigWarnFallbackSecurity specifies whether Guardian security rules are enforced when Safeguard warning mode is enabled. Field type is enumerated.

EepCpu specifies the number of the processor in which the event-exit process runs. Field type is enumerated. Possible values are Any, Cpu0 through Cpu15, and Undefined.

EepEnableAuthenticationEvent specifies, if True, that authentication events are sent to the event-exit process. Field type is True or False.

EepEnableAuthorizationEvent specifies, if True, that authorization events are sent to the event-exit process. Field type is True or False.

EepRspTimeout specifies the number of seconds that Safeguard waits for the event-exit process to respond to an event. Field type is numeric.

EepSwap specifies the swap volume or swap file used by the event-exit process. This field is blank if no value is specified. Field type is character.

Group Profile Record

The Safeguard subsystem maintains a record for every defined group on the system.
GroupOwnerTypeId specifies whether the owner must be local to manage the group record. Field type is enumerated. The defined values are:

LocalSpecific indicates that the specified owner must be a local user.

RemoteSpecific indicates that the specified owner can be either remote or local.

GroupOwnerUserName specifies the user name of the owner. Field type is character.

GroupOwnerUserNumber specifies the group number, member number of the owner.

These fields appear in the text area representing the automatic logoff record:

LogonAliasName specifies the alias under which the newly logged-on user gained access to the system. This field is blank if the underlying user ID, rather than an alias, is used to gain access to the system. Field type is character.

LogonUserName specifies the user name of the newly logged-on user. This field is blank if an alias is used to gain access to the system.
LuCiPri specifies the priority at which to run the command interpreter specified by LuCiProg. Field type is numeric.

LuCiProg specifies the object file of the command interpreter that is started after user authentication at this terminal. This object file is used if no command interpreter is specified for the user. This field is blank if no value has been specified. Field type is character.

in columns from left to right) are described next. You cannot use these items in SET WHERE commands.

Column 1 specifies whether the subject is granted or denied the listed access authorities. Possible values are:

Grant indicates that the ACL entry grants the listed authorities.

Deny indicates that the ACL entry denies the listed authorities.

Column 2 contains the user ID of the subject.

Column 3 contains the user name of the subject.

NodeSpecific indicates that the specified remote subject must be a user authenticated on a specific remote node.

NodeGroup indicates that the remote subject must be a member of the specified user group and be authenticated on a specific remote node.

NodeAnyone indicates that the remote subject can be any user authenticated on a specific remote node.

ProtClearOnPurge specifies, if True, that the disk space used by this file is overwritten with zeros when the file is purged. Field type is True or False.

ProtFreeze specifies, if True, that the protection record is frozen. Field type is True or False.

ProtLicense specifies, if True, that the disk file is a program object code file with the LICENSE attribute. Field type is True or False.

ProtProgid specifies, if True, that the disk file is a program object code file with the PROGID attribute. Field type is True or False.

Protection Record Extension

The protection record extension appears in the text area of its own secondary record whenever a corresponding protection record appears in the audit trail.
Pattern Protection Record

In addition to object protection records, the Safeguard subsystem also maintains pattern protection records. Attempts to add, change, delete, or read these records might be audited depending on whether auditing has been specified for such events. If auditing is specified and an attempt is made to add, delete, or read an authorization record, two secondary audit records (one pair) are generated.

PatProtLastModTime specifies the time that the pattern protection record was last modified. Field type is timestamp.

PatProtCreatorTypeid indicates if the creator of this protection record was a locally or remotely authenticated user. Field type is enumerated. Possible values are Local and Remote.

PatProtCreatorNodeNumber specifies the last authenticated node number of the user that created the pattern protection record. Field type is numeric.

Column 1 specifies whether the subject is granted or denied the listed access authorities. Possible values are:

Grant indicates that the ACL entry grants the listed authorities.

Deny indicates that the ACL entry denies the listed authorities.

Column 2 contains the user ID of the subject.

Column 3 contains the user name of the subject.

Column 4 lists the access authorities, separated by commas, that the subject is granted or denied.

NodeSpecific indicates that the specified remote subject must be a user authenticated on a specific remote node.

NodeGroup indicates that the remote subject must be a member of the specified user group and be authenticated on a specific remote node.

NodeAnyone indicates that the remote subject can be any user authenticated on a specific remote node.

PatProtClearOnPurge reserved; defaults to False.

PatProtFreeze specifies, if True, that the protection record is frozen. Field type is True or False.

PatProtLicense reserved; defaults to False.

PatProtNumAclentries specifies the number of entries in the access control list (ACL) defined in the protection record. Field type is numeric.

PatProtOtype specifies the type of object this record describes. Field type is enumerated.
Pattern Search Secondary Audit Record

A pattern search record is present only when a pattern protection record was involved in determining access to a diskfile object. The pattern search record is present when CHECK-DISKFILE-PATTERN is set to FIRST or ONLY or LAST, and a normal Safeguard record was not found. The pattern subrecord is absent when CHECK-DISKFILE-PATTERN is set to OFF, or to LAST and a normal Safeguard record was found.
PatternNumSearch specifies the number of pattern protection records searched and discarded before determining the outcome. This count includes the final selected pattern, if any. Field type is unsigned integer.

PatternReductionLevel indicates how many levels of pattern reduction were used to determine the final pattern. Field type is enumerated. Possible values are Collation and Initial.

PatternTsEnd indicates when the pattern search ended.

name. Field type is enumerated. Possible values are None, Local, Remote, and All.

UserAuditAuthenPass specifies conditions for auditing successful logon attempts. This field was previously called UserAuditAccessPass. SAFEART no longer accepts the old name. Field type is enumerated. Possible values are None, Local, Remote, and All.

UserAuditManageFail specifies conditions for auditing unsuccessful attempts to manage the user authentication record.

UserCiParamText is the startup parameter text used when starting the command interpreter specified by UserCiProg. This field is blank if no value has been specified. Field type is character.

UserCiPri specifies the priority at which to run the command interpreter specified by UserCiProg. This field is blank if no value has been specified. Field type is numeric.

UserDfltProtAuditManageFail specifies conditions for auditing unsuccessful attempts to manage the protection records associated with disk files that are protected on creation through DEFAULT-PROTECTION. This field appears in SAFEART reports only if DEFAULT-PROTECTION is defined for the user. Field type is enumerated. Possible values are None, Local, Remote, and All.

UserDfltProtOwnerUserNumber specifies the user ID of the primary owner of disk files protected through DEFAULT-PROTECTION. This field appears in SAFEART reports only if DEFAULT-PROTECTION is defined for the user. Field type is user number.

UserFreeze specifies, if True, that the user ID is frozen. Field type is True or False.

UserLastLogonTime specifies when the last successful authentication of this user occurred. Field type is date and time.

UserPasswordExpires specifies when the user's password expires. This field is blank if password expiration is not in effect. Field type is date and time. You cannot use this field in SET WHERE commands.

UserPasswordExpiryGrace specifies the number of days after password expiration during which this user can change the password during logon. Field type is numeric.

UserPasswordLastChange specifies the last time this user's password was changed.
User Record Extension

These attributes appear in the User Record Extension:

UserGroupCount specifies the number of entries in the user's group list. Field type is numeric. You cannot use this field in SET WHERE commands.

UserGroupList specifies the list of groups for which the user is a member. The maximum number of groups is 32. You cannot use this field in SET WHERE commands.

For example:

Numownentries = 3
OwnerEntries = 255,255 SUPER.SUPER LocalSpecific
               255,255 SUPER.SUPER RemoteSpecific
               255,255 SUPER.SUPER NodeSpecific \010

User Record Extension1

These attributes appear in User Record Extension1:

UserTextDescription contains the descriptive text associated with the authentication record. This field is blank if no descriptive text has been specified.
Table 7-4. ObjectType Enumeration (page 2 of 4)

Value        Description
Controller   Refers to a description of a controller.
Device       Refers to a nondisk device. The device name appears in the ObjectName field.
Directory    Refers to a type of OSS special file containing directory entries that name links to other files. The directory name appears in the ObjectName field.
Diskfile     Refers to an Enscribe disk file.

Table 7-4. ObjectType Enumeration (page 3 of 4)

Value        Description
Socket       Sockets are an endpoint for stream-oriented communication. The name of the AF_UNIX socket appears in the ObjectName field.
SqlCatalog   Refers to an SQL catalog. The name of the catalog appears in the ObjectName field.
SqlIndex     Refers to an SQL index. The name of the index appears in the ObjectName field.
SqlTable     Refers to an SQL table.

Table 7-4. ObjectType Enumeration (page 4 of 4)

Value        Description
UserRecord   Refers to a profile record containing the security attributes of a user known to the operating system. The user name, user ID, and alias overlay the ObjectName field.
UserRempass  Refers to a remote password. The user name, user ID, alias, remote system name, and remote system number overlay the ObjectName field.
Volume       Refers to a disk volume.
Table 7-5. Operation Enumeration (page 2 of 3)

Value        Description
Enable       Refers to a TMF ENABLE operation.
Exclude      Refers to a TMF EXCLUDE operation.
Execute      Refers to opens of program files for execution.
Give         Reserved for future use.
Grant        Refers to an SQL grant or transmission of access rights to an SQL object by one user to another.
Initialize   Refers to a TMF INITIALIZE operation.

Table 7-5. Operation Enumeration (page 3 of 3)

Value        Description
Reference    Refers to an SQL operation in which an SQL object is implicitly read during the course of some other operation performed on a related object.
Reject       Refers to the rejection of a request.
Release      Refers to an audit file release resulting from a RELEASE command.
Rename       Refers to the renaming of an object.
Reset        Refers to the action of resetting a flag or condition.

Table 7-6. Outcome Enumeration

Value     Description
Denied    Permission to attempt the requested operation was denied.
Failed    The requested operation was unsuccessfully completed.
Granted   Permission to attempt the requested operation was granted.
Maybe     The outcome was unknown when the audit request was made.
Enumerated Fields SAFEART Field Descriptions Table 7-7 lists the possible values for the OwnerIsRemote field of the primary record. Table 7-7. OwnerIsRemote Enumeration Value Description Local The owner is local. None The owner field is not appropriate for this type of object. Remote The owner is remote. Unknown The owner is not known at this time. Table 7-8 lists the possible values for the SecondaryRecordType field of the secondary record. Table 7-8.
Table 7-9. SecondaryTextAreaType Enumeration (page 2 of 4)

Value              Description
LU                 The text area contains a Safeguard terminal definition record.
Object             The text area contains an object name.
Output             The text area contains generic command text output defined by the subsystem.
OssAccess          The text area contains the access mode used to access a file.
OssAudit           The text area contains the value of the audit-enabled attribute of the fileset.

Table 7-9. SecondaryTextAreaType Enumeration (page 3 of 4)

Value              Description
OssAclAttr         The text area contains these fields:
                   1. Variant Type
                   2. File Mode
                   3. User ID
                   4. Group ID
                   5. rdev
                   6. Size
                   7. Access time
                   8. Modification time
                   9. Status Change time
                   10. Length of the Pathname
                   11. Pathname
                   12. Creator of user number
                   13. Creator of user name
                   14. Creator of alias
                   15. Creator time
                   16. Modification of user number
                   17.

Table 7-9. SecondaryTextAreaType Enumeration (page 4 of 4)

Value              Description
OssProcessGroup    The text area contains the process group ID.
OssUtime           The text area contains the access time, modification time, and last status change time of a file.
PatternProt        The text area contains a pattern protection record.
PatternSearch      The text area contains a pattern-search access record.
Table 7-10 lists the possible values for both the Veracity field of the primary record and the SecondaryVeracity field of the secondary record.

Table 7-10. Veracity Enumeration

Value          Description
Tr             Specifies that the request originated from a trusted client and no errors were detected in the audit request.
TrInError      Specifies that the request originated from a trusted client and errors were detected.

Secondary Text Area

The fields in the secondary text area carry a prefix that identifies the type of OSS record that appears in the text area:

Field Prefix     OSS Record                     Secondary Text Area Type
OssAccess        OSS Access Mode Record         OssAccess
OssAclAttr       OSS ACLs Attribute Record      OssAclAttr
OssAuditAttr     OSS Audit Attribute Record     OssAudit
OssExec          OSS Process Startup Record     OssExec
OssFileAttr      OSS File Attributes Record     OssFileAttr
OssKill
OSS ACLs Attribute Record

This record represents the OSS file attributes. Depending on the type of operation, clients supply the fields needed for auditing, and the number of secondary records generated also depends on the type of operation.

Note. OssAclAttr is supported only on systems running G06.29 and later G-series RVUs and H06.08 and later H-series RVUs.

OssAclAttrFileMode specifies the file mode.

OssAclAttrCreatorUserNumber specifies the number of the user who created the ACL, and displays the value of the DDL field ZCREATORUSERNUM.

OssAclAttrCreatorUserName specifies the name of the user who created the ACL, and displays the value of the DDL field ZCREATORUSERNAME.

OssAclAttrCreatorIsAlias specifies whether the creator's user name is an alias, and displays the value of the DDL field ZCREATORISALIAS.
OSS Audit Attribute Record

A change in the audit attribute of a fileset from an SCF command is recorded in the audit trail by the OSS Monitor. The change generates a pair of secondary records, one to represent the audit attribute value before the attempt and one to represent the attempted change to the audit attribute value.
OssFileAttrOwnerUID specifies the user ID of the owner. Field value is OSS UserID.

OssFileAttrOwnerGID specifies the group ID. Field value is OSS GroupID.

OssFileAttrRdev specifies the remote device ID. SAFEART displays this 64-bit double word as two 32-bit words in the format .

OssFileAttrSize specifies the size of the file. Field type is numeric.

OssFileAttrAccessTime specifies the last access time of the file.

OSS Kill Record

OssKillProcGroupID specifies the process group ID. When a signal is queued for a target group of processes, this field contains the negative value of the process group ID; SAFEART displays the actual process group ID. This field is not present if the target of the kill operation is a process rather than a process group. Field type is numeric.

OssKillProcID specifies the target process's identifier (PID).

OSS Link Record

A link record is generated whenever the link count of a file changes because of operations such as link() and unlink(). However, if the link count becomes zero, a File Attributes record is generated instead. These fields appear in the text area representing the Link record:

OssLinkCount specifies the number of links. Field type is numeric.

OssLinkPathName specifies the pathname of the file.

OSS Process Set ID Record

A Process Set ID record is generated whenever the user or group IDs of a process are changed by calls such as setuid(), setgid(), setreuid(), or setregid(). A pair of records is generated, one for the value of the IDs before the operation and one for the value of the IDs after the operation.

OSS File Times Record

Any attempt to set the access and modification times of a file generates a pair of records. One represents the access and modification times of the file before the operation, and the second represents them after the operation. These fields appear in the text area representing the File Times record:

OssUtimeAccessTime specifies the last access time of the file.
8. SAFEART Error Messages

SAFEART issues these error messages:

ERROR: A maximum of 4 title lines is allowed.
Cause. You used more than four TITLE commands.
Effect. All title lines are discarded, and the previous valid title is used.
Recovery. Reissue with four or fewer title lines.

ERROR: A quote must be finished before the end of the command.
Cause. The syntax required a pair of quotation marks around a character string. The beginning or ending quotation mark is missing.
Effect. The command is not executed.

ERROR: Audit file specified must have a file code of 541.
Cause. You specified a file that is not an audit file in an AUDIT FILE command.
Effect. The AUDIT FILE command is not executed.
Recovery. Reenter the command specifying an audit file name known to the system.

ERROR: Before prefix not allowed for item item-name.
Cause. You used the before prefix for a primary record. This prefix is allowed only for secondary records.
Effect. The SET WHERE command is not executed.
Recovery.

ERROR: Could not open obey file.
Cause. The command file could not be opened.
Effect. Processing ends, and you are returned to the SAFEART prompt.
Recovery. Check the spelling of the command file name. If the name is correct, check that the file exists in the volume and subvolume you specified, or in the default volume and subvolume if you provided only a file name.

ERROR: Could not open OUT file.
Cause. The file defined in an OUT command could not be opened.
Effect.

ERROR: Invalid date.
Cause. You specified an invalid date in a SET START TIME or SET END TIME command; for example, 91/12/42.
Effect. The command is not executed.
Recovery. Reenter the command using a valid date.

*** ERROR *** Invalid File Name file.
Cause. The named audit file could not be opened.
Effect. Processing ends, and you are returned to the command interpreter prompt rather than the SAFEART prompt.
Recovery. Check the spelling of the audit file name.

ERROR: Numbers must contain only digits.
Cause. You used a number that contains characters other than the digits 0 through 9.
Effect. The command is not executed.
Recovery. Reenter the command using a valid number.

ERROR: Only operators '=' and '<>' allowed for item item-name.
Cause. You used an invalid operator for a record item in a comparison statement for a SET WHERE command.
Effect. The SET WHERE command is not executed.
Recovery.

ERROR: Prompt string must be 80 characters or less.
Cause. The new SAFEART prompt you defined with a DISPLAY PROMPT command is longer than 80 characters.
Effect. The DISPLAY PROMPT command is not executed.
Recovery. Reenter the command using a shorter prompt definition. (Use fewer parameters or a shorter character string within parentheses.)

ERROR: SET WHERE ignored.
Cause. Enough errors were found in a SET WHERE command to prevent SAFEART from using it.
Effect.

*** ERROR *** Unable to Obtain Memory.
Cause. Not enough memory was available to process the SAFEART report.
Effect. Processing ends, and you are returned to the command interpreter prompt rather than the SAFEART prompt.
Recovery. Rerun the SAFEART commands. If the problem persists, contact your service provider.

ERROR: Unexpected I/O error while reading commands.
Cause. An input/output (I/O) error occurred while SAFEART was reading commands.
Effect.
WARNING error-number Event Flushed
Cause. An event was not used because of an error in the audit file, identified by error-number. error-number is in one of these ranges:
   10 - 49    A link from a primary to a secondary record is damaged.
   52 - 57    A secondary record has no primary record. The error-number is the record type.
   102        A primary record is incomplete: some of its secondary records are missing.
Effect.

ERROR-: PASSWORD-MAXIMUM-LENGTH CANNOT BE MODIFIED UNLESS PASSWORD-ALGORITHM= HMAC256 AND ENCRYPT = ON; COMMAND NOT EXECUTED
Cause. PASSWORD-ALGORITHM is DES and PASSWORD-ENCRYPT is ON or OFF, when PASSWORD-MAXIMUM-LENGTH is not equal to eight.
Effect. Command not executed.
Recovery. PASSWORD-MAXIMUM-LENGTH should be less than or greater than eight.

Note. This error message is supported only on systems running H06.08 and later H-series RVUs.
A. Audit File Record Formats

This appendix describes the structure of the records in the audit files. If you are writing programs to extract information from the audit trail, read this appendix. If you are using SAFEART to get information from the audit trail, you do not need to read this appendix; instead, see Section 7, SAFEART Field Descriptions.

About the Audit Trail

The security audit trail consists of one or more audit pools.

• Full name of the preceding audit file
• Full name of the audit file
• Full name of the next audit file
• Time, specified as a Greenwich mean time (GMT) timestamp, when the audit file was initialized and the header record written
• Safeguard version number
• Operating system TOSVERSION
• Local time zone offset relative to Greenwich mean time

Audit Records

The audit file also contains primary audit records and secondary audit records.

Audit Record Definitions

This subsection contains DDL definitions for each type of record that appears in the audit files. For more information about DDL definitions, see the Data Definition Language (DDL) Reference Manual. Some fields in the audit records are optional; that is, they are blank or set to zero if they are not defined or not applicable. For example, for an unnamed system, the field ZAUDITING-SYSTEMNAME is blank.

Field Definitions

ZRECORD-TYPE is the audit record type. For header records, it is always the value of ZSFG-VALAUD-REC-HEADER.

ZRECORD-LEN is the length, in bytes, of this audit record.
ZTIMEZONE-OFFSET is, in microseconds, the local standard time zone of the auditing system as a signed, 64-bit integer offset relative to Greenwich mean time. The offset for time zones between longitudes 0 and 180 degrees West is negative; for all others, it is positive.

ZAUDIT-FILENAME is the name, including the volume name and subvolume name, of this audit file when it was first opened.
   02 ZGROUP-COUNT
   02 ZOPERATION
   02 ZOUTCOME
   02 ZMASTER-AUDITNUMBER
   02 ZSUBJECT
      04 ZSUBJECT-TYPE
      04 ZUSERNUMBER
      04 ZUSERNAME
      04 ZCREATORNUMBER
      04 ZCREATORNAME
      04 ZSYSTEMNUMBER
      04 ZSYSTEMNAME
      04 ZAUTHLOCNUMBER
      04 ZAUTHLOCNAME
      04 ZPROCESSNAME
      04 ZSUBSYSTEMID
      04 ZTERMINALNAME
   02 ZAUDIT-CREATOR
      04 ZSUBJECT-TYPE
      04 ZUSERNUMBER
      04 ZUSERNAME
      04 ZCREATORNUMBER
      04 ZCREATORNAME
      04 ZSYSTEMNUMBER
      04 ZSYSTEMNAME
      04 ZAUTHLOCNUMBER
      04 ZAUTHLOCNAME
      04 ZPROCESSNAME
      04 ZSUBSYSTE

ZAUDITNUMBER is a binary integer that identifies an audited event in the security audit pool. For events whose descriptions span more than one record, the several records involved are linked by a common value of ZAUDITNUMBER.

ZTIME-REPORTED is a 64-bit timestamp specifying the date and Greenwich mean time when the audit service client interface sent the event description to the audit service collector process.

request. Instead, the audit records resulting from such requests are marked to indicate that they might contain erroneous data.

ZSFG-VAL-VER-UNTR-UNCHECKED indicates that the request originated from an untrusted client and was not checked for errors. In this product version of the audit service, this value does not normally occur.

ZGROUP-COUNT is the number of subordinate audit records that are linked (via ZAUDITNUMBER) to this record.
ZSFG-VAL-OPER-CHANGEPRIORITY indicates a change to the priority of a process or process pair.

ZSFG-VAL-OPER-CHANGESTEPMOM indicates a change to the stepmom of a process or process pair.

ZSFG-VAL-OPER-CLOSE indicates the termination of a connection between an object and a subject when an object is closed.

ZSFG-VAL-OPER-COMPOSITE is reserved for future use.

ZSFG-VAL-OPER-CREATE indicates the creation of an object.

ZSFG-VAL-OPER-INSERT indicates an operation, not exclusively by SQL, involving the insertion of a record or other collection of values into an object, such as a file or table.

ZSFG-VAL-OPER-LICENSE is reserved for future use.

ZSFG-VAL-OPER-LOGOFF indicates a logoff that occurs if a user successfully logs on at a terminal where another user has not logged off. The previous user is logged off.

ZSFG-VAL-OPER-PURGE indicates the deletion of an object, after which the object ceases to exist.

ZSFG-VAL-OPER-READ indicates object opens for read access.

ZSFG-VAL-OPER-READWRITE indicates object opens for read/write access. This field does not imply that the accessed object was actually changed; it implies only that the requested access was read/write.

ZSFG-VAL-OPER-SECURITY is reserved for future use.

ZSFG-VAL-OPER-SELECT indicates an SQL selection operation applied to an SQL table or view.

ZSFG-VAL-OPER-SET indicates the action of setting a flag or condition.

ZSFG-VAL-OPER-START indicates an object's change of state to an active state.

ZSFG-VAL-OPER-STOP indicates an object's change of state to an inactive state in which the object might cease to exist.

Two sets of outcomes are defined. Their applicability depends on the type of operation. If the operation is an authentication, ZSFG-VAL-OPER-VERIFYUSER or ZSFG-VAL-OPER-AUTHENTICATE, the possible outcomes are:

ZSFG-VAL-AUTH-USER-EXPIRED    The authentication attempt failed because the user ID expired.

ZSFG-VAL-AUTH-USER-FAILED     The authentication attempt failed because the number of failed attempts by the user exceeded the configured maximum.

ZSFG-VAL-OUTCOME-NORECORD     The outcome was undetermined when the audit request occurred because the authorization record for the accessed object could not be found or did not exist. This outcome occurs in audit requests originated by the Safeguard subsystem.

ZSFG-VAL-OUTCOME-OTHER        The outcome of the requested operation was none of those defined here.

ZCREATORNUMBER is, in internal form, the group number, member number corresponding to the CAID of the subject.

ZCREATORNAME is, in external form, the group name.member name corresponding to the CAID of the subject.

ZSYSTEMNUMBER is, as a 32-bit integer, the system number of the subject. The field is set to -1 if the subject is an NFS client.

ZSYSTEMNAME is, as an ASCII string, the name corresponding to ZSYSTEMNUMBER.

ZOBJECT is an instance of the ZSFG-DDL-OBJECT-DESC template that describes the object of the event. The fields are:

ZOBJECT-TYPE indicates the type of object. ZOBJECT-TYPE has one of these values:

ZSFG-VAL-OBJ-AUD-TR-CONFIG-REC indicates an audit pool configuration record. The object name of an object of this type is the name of an audit pool.

ZSFG-VAL-OBJ-COMMAND indicates a command.

ZSFG-VAL-OBJ-OSSPROCESS indicates that the object type is OSSPROCESS.

Note. The token value ZSFG-VAL-OBJ-OSSPROCESS is supported only on systems running G06.29 and later G-series RVUs and H06.08 and later H-series RVUs.

ZSFG-VAL-OBJ-PATH indicates a description of a path.

ZSFG-VAL-OBJ-PROCESS indicates a process. The object name of an object of this type is a process name in external form or a CRTPID.

ZSFG-VAL-OBJ-SQL-TABLE indicates an SQL table. The object name of an object of this type follows the same lexical and syntactic rules that apply to ZSFG-VAL-OBJDISKFILE.

ZSFG-VAL-OBJ-SQL-VIEW indicates an SQL protection view. The object name of an object of this type follows the same lexical and syntactic rules that apply to ZSFG-VAL-OBJDISKFILE.

ZSFG-VAL-OBJ-SUBDEVICE indicates a subdevice.

ZSFG-VAL-OBJ-TMF-BACKOUT indicates the TMF backout process.

ZSFG-VAL-OBJ-TMF-CATALOG indicates the TMF catalog process.

ZSFG-VAL-OBJ-TMF-DUMPS indicates the dumps in the TMF catalog.

ZSFG-VAL-OBJ-TMF-TAPEMEDIA indicates the tape volumes in the TMF catalog.

ZSFG-VAL-OBJ-TMF-TRANSACTION indicates a TMF transaction.

ZSFG-VAL-OBJ-USER indicates a class of users known to and managed by a client subsystem. An example of this class is Transfer Correspondents.
ZSFG-VAL-OWNER-NONE indicates that the owner field is not appropriate for this type of object.

ZSFG-VAL-OWNER-REMOTE indicates that the owner is remote.

ZSFG-VAL-OWNER-UNKNOWN indicates that the owner is not known at this time.

ZOWNER-USERNUMBER is the user ID of the owner of the object.

ZOWNER-USERNAME is the user name of the owner of the object.

ZOBJECT-NAME is usually the name of the object. (See the following exceptions.)
ZUSERNAME is, in external form, the group name.member name of the subject. This field is blank if an alias is used to gain access to the system.

ZALIASNAME is the alias name under which the user gained access to the system. This field is blank if the underlying user ID, rather than an alias, is used to gain access to the system.

ZGROUPID is the group ID number.

ZGROUPNAME is the group name.

Secondary Audit Record

Secondary audit records are subordinate records that provide additional information about an object access that causes a change to one or more of the object's attributes. A secondary audit record is always linked by a common ZAUDITNUMBER value to a preceding primary audit record.

DDL Definition

DEF ZSFG-DDL-SECONDARY-RECORD.

ZSFG-VAL-AUD-REC-DELETE indicates that the text area contains a representation of an object before an attempted delete operation.

ZSFG-VAL-AUD-REC-NEW indicates that the text area contains a representation of a newly added object.

ZSFG-VAL-AUD-REC-OTHER indicates that the text area contains information determined by the subsystem that wrote it.

ZRECORD-LEN is the length, in bytes, of this audit record.

ZSFG-VAL-VER-TR-UNCHECKED indicates that the request originated from a trusted client and was not checked for errors. In this product revision of the audit service, this value does not normally occur.

ZSFG-VAL-VER-UNTR indicates that the request originated from an untrusted client and no errors were detected in the audit request.

ZSFG-VAL-VER-UNTR-IN-ERROR indicates that the request originated from an untrusted client and errors were detected.

ZSFG-VAL-TEXT-GROUP            The text area contains a group profile record.

ZSFG-VAL-TEXT-INPUT            The text area contains generic command text input defined by the subsystem.

ZSFG-VAL-TEXT-LOGOFF           The text area contains a ZSFG-DDL-VERIFYUSER-SUBREC variant.

ZSFG-VAL-TEXT-LU               The text area contains a ZSFG-DDL-LU-SUBREC variant.

ZSFG-VAL-TEXT-OBJECT           The text area contains an object name.

ZSFG-VAL-TEXT-PROTECTION-EXT   The text area contains a ZSFG-DDL-PROT-SUBRECEXT variant.

ZSFG-VAL-TEXT-SCREEN-INPUT     The text area contains a partial or full representation of a screen image representing a command input or request. The subsystem defines the format and interpretation of this data.

ZSFG-VAL-TEXT-SCREEN-OUTPUT    The text area contains a partial or full representation of a screen image representing a command output or request.
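A consistency check over decoded records, added here as an example (not code from the manual or from Safeguard): it groups records by ZAUDITNUMBER, compares each primary's ZGROUP-COUNT with the secondaries actually linked to it, reports the three defect classes SAFEART distinguishes in its Event Flushed warning, and flags records whose veracity marks them as possibly erroneous. The dict layout, the "kind" tag and the placeholder value for trusted, error-free veracity are assumptions, because this page gives field names but neither byte offsets nor that value's DDL name.

```python
"""Linkage and veracity check over decoded Safeguard audit records.

Added example, not code from the manual or from the Safeguard product.
The page names the fields (ZAUDITNUMBER, ZGROUP-COUNT, ZRECORD-TYPE,
ZVERACITY) but gives no byte offsets, so records are assumed to arrive
already decoded into dicts by a hypothetical reader; "kind" is that
reader's own primary/secondary tag, not a Safeguard field.
"""
from dataclasses import dataclass, field

# Secondary-record ZRECORD-TYPE values named on this page.
SECONDARY_TYPES = {
    "ZSFG-VAL-AUD-REC-DELETE",
    "ZSFG-VAL-AUD-REC-NEW",
    "ZSFG-VAL-AUD-REC-OTHER",
}

# Veracity values under which a record may carry erroneous data: every
# untrusted-client value plus the "unchecked" states. The DDL name of the
# trusted, error-free value is not on this page, so any value outside this
# set is treated as clean.
SUSPECT_VERACITY = {
    "ZSFG-VAL-VER-UNTR",
    "ZSFG-VAL-VER-UNTR-IN-ERROR",
    "ZSFG-VAL-VER-UNTR-UNCHECKED",
    "ZSFG-VAL-VER-TR-UNCHECKED",
}


@dataclass
class Group:
    """One audited event: a primary record plus its linked secondaries."""
    primary: dict
    secondaries: list = field(default_factory=list)

    @property
    def expected(self):
        """Number of secondaries the primary says are linked to it."""
        return int(self.primary["ZGROUP-COUNT"])


def check_audit_groups(records):
    """Group records by ZAUDITNUMBER and report linkage defects.

    Returns (groups, problems): groups maps ZAUDITNUMBER to a Group for
    every primary seen, in file order; problems is a list of
    (ZAUDITNUMBER, description) pairs. The defect classes follow the ones
    SAFEART's "Event Flushed" warning distinguishes: a secondary with no
    primary, a primary with secondaries missing, and a damaged
    primary-to-secondary link (here, more secondaries than ZGROUP-COUNT).
    """
    groups = {}
    problems = []
    for rec in records:
        num = rec["ZAUDITNUMBER"]
        if rec["kind"] == "primary":
            if num in groups:
                problems.append((num, "duplicate primary for this ZAUDITNUMBER"))
                continue
            groups[num] = Group(primary=rec)
        else:
            rtype = rec["ZRECORD-TYPE"]
            if rtype not in SECONDARY_TYPES:
                problems.append((num, "unknown secondary ZRECORD-TYPE %s" % rtype))
            # A secondary is always linked to a *preceding* primary.
            if num not in groups:
                problems.append((num, "secondary record has no primary record"))
                continue
            groups[num].secondaries.append(rec)
        veracity = rec.get("ZVERACITY")
        if veracity in SUSPECT_VERACITY:
            problems.append((num, "record marked as possibly erroneous: %s" % veracity))
    for num, grp in groups.items():
        have = len(grp.secondaries)
        if have < grp.expected:
            problems.append((num, "incomplete primary record: %d of %d secondaries present"
                             % (have, grp.expected)))
        elif have > grp.expected:
            problems.append((num, "damaged link: %d secondaries but ZGROUP-COUNT is %d"
                             % (have, grp.expected)))
    return groups, problems


def clean_event_numbers(records):
    """ZAUDITNUMBERs of events that passed every check, in file order."""
    groups, problems = check_audit_groups(records)
    bad = {num for num, _ in problems}
    return [num for num in groups if num not in bad]


# Constructed sample, not taken from any real audit file. Event 1001 is
# complete; 1002 is missing its only secondary; 1003 is an orphan
# secondary; 1004 is complete but its secondary arrived marked in error.
VER_TRUSTED_OK = "TRUSTED-OK-PLACEHOLDER"  # stands in for the trusted, error-free value
SAMPLE_RECORDS = [
    {"kind": "primary", "ZAUDITNUMBER": 1001, "ZGROUP-COUNT": 2,
     "ZOPERATION": "ZSFG-VAL-OPER-CREATE", "ZVERACITY": VER_TRUSTED_OK},
    {"kind": "secondary", "ZAUDITNUMBER": 1001,
     "ZRECORD-TYPE": "ZSFG-VAL-AUD-REC-NEW", "ZVERACITY": VER_TRUSTED_OK},
    {"kind": "secondary", "ZAUDITNUMBER": 1001,
     "ZRECORD-TYPE": "ZSFG-VAL-AUD-REC-OTHER", "ZVERACITY": VER_TRUSTED_OK},
    {"kind": "primary", "ZAUDITNUMBER": 1002, "ZGROUP-COUNT": 1,
     "ZOPERATION": "ZSFG-VAL-OPER-PURGE", "ZVERACITY": VER_TRUSTED_OK},
    {"kind": "secondary", "ZAUDITNUMBER": 1003,
     "ZRECORD-TYPE": "ZSFG-VAL-AUD-REC-DELETE", "ZVERACITY": VER_TRUSTED_OK},
    {"kind": "primary", "ZAUDITNUMBER": 1004, "ZGROUP-COUNT": 1,
     "ZOPERATION": "ZSFG-VAL-OPER-SET", "ZVERACITY": VER_TRUSTED_OK},
    {"kind": "secondary", "ZAUDITNUMBER": 1004,
     "ZRECORD-TYPE": "ZSFG-VAL-AUD-REC-OTHER",
     "ZVERACITY": "ZSFG-VAL-VER-UNTR-IN-ERROR"},
]

if __name__ == "__main__":
    for num, text in check_audit_groups(SAMPLE_RECORDS)[1]:
        print(num, text)
```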
Safeguard Object Representations

The audit records include representations of several Safeguard internal data structures. All of these representations occur as variants of the ZTEXT-AREA of secondary audit records. This section specifies the DDL subrecord templates for the variants of ZTEXT-AREA.

   02 ZMAXEXTENTS TYPE ZSPI-DDL-UINT.
END.

Field Definitions

ZAUDIT-POOL-NAME is the $volume.subvolume name of the audit pool to which this record refers.

ZMAXFILES is the maximum number of files that can be allocated in this audit pool.

ZCURRENT-FILE-NUMBER is the current audit file number in this audit pool.

ZPRIMARY-EXTENTS is the primary extent size to be used when creating audit files in this audit pool.

   02 ZPARAM-TEXT TYPE ZSPI-DDL-BYTE OCCURS 255 TIMES.
END.

Field Definitions

ZPNAME is the process name under which the event-exit process runs. This field is blank if no value is specified.

ZPROG is the name of the local file containing the event-exit program. The event-exit program is run if the event-exit process is enabled. This field is blank if no value is specified.

ZLIB is the name of the library file used by the event-exit process.

ZENA-SEEP-PSWD indicates whether password change events are sent to the event-exit process.

ZPARAM-TEXT is the startup parameter text passed to the event-exit process. This field is blank if no value is specified.

Group Profile Record

The Safeguard subsystem maintains a record for each defined group on the system. When an audited event involves a group record, a representation of the group record appears in one or more secondary records.

ZOWNERUSERNUMBER is the group number, member number of the owner.

ZOWNERUSERNAME is the user name of the owner.

ZAUTODELETE indicates whether the group is automatically deleted when it no longer has any members.

ZDESCRIPTION is text used to describe the group.

ZADDMEMBER-COUNT indicates the number of users in the list specified by ZADDMEMBER.

ZADDMEMBER contains a list of users that were specified in an attempt to add members to a group.
Field Definitions

ZUSERNUMBER is the user ID of the newly logged-on user.

ZUSERNAME is, in external form, the group name.member name of the newly logged-on user. This field is blank if an alias is used to gain access to the system.

ZALIASNAME is the alias name of the newly logged-on user. This field is blank if the underlying user ID, rather than an alias, is used to gain access to the system.
      04 ZAUTHORITY-CREATE   TYPE ZSPI-DDL-UINT.
      04 ZAUTHORITY-PURGE    TYPE ZSPI-DDL-UINT.
      04 ZAUTHORITY-EXECUTE  TYPE ZSPI-DDL-UINT.
      04 ZAUTHORITY-WRITE    TYPE ZSPI-DDL-UINT.
      04 ZAUTHORITY-READ     TYPE ZSPI-DDL-UINT.
END.

Field Definitions

ZSFG-DDL-PROTECTION-SUBREC has these fields:

ZOTYPE indicates the type of object this record describes. The defined values for ZOTYPE are:
   ZSFG-VAL-OTYPE-DEVICE indicates a device authorization record.

ZLASTMODTIME is a 64-bit GMT timestamp specifying when the protection record was last modified.

ZCLEARONPURGE indicates, if nonzero, that the disk space used by this file is to be overwritten with zeros when the file is purged.

ZPROGID indicates, if nonzero, that the disk file is a program object code file with the PROGID attribute.

ZLICENSE indicates, if nonzero, that the disk file is a program object code file with the LICENSE attribute.

   ZSFG-VAL-AUDIT-LOCAL    Audit local access attempts.
   ZSFG-VAL-AUDIT-NONE     Do not audit access attempts from any source.
   ZSFG-VAL-AUDIT-REMOTE   Audit remote access attempts.

ZAUDIT-MANAGE-PASS indicates that successful attempts to manage the protection record are audited depending on these values:
   ZSFG-VAL-AUDIT-ALL      Audit local and remote management attempts.
   ZSFG-VAL-AUDIT-LOCAL    Audit local management attempts.
ZFREEZE indicates, if nonzero, that the protection record is frozen.

ZOWNERTYPEID indicates how the following ZOWNERUSERNUMBER and ZOWNERUSERNAME fields are to be interpreted. The defined values for ZOWNERTYPEID are:
   ZSFG-VAL-TYPEID-LOCALSPECIFIC is a local user ID that matches: USERID.GROUPNUMBER, USERID.USERNUMBER
   ZSFG-VAL-TYPEID-REMOTESPECIFIC is a local or remote user ID that matches: \*.USERID.GROUPNUMBER, USERID.
   ZSFG-VAL-TYPEID-LOCALANYONE is any user ID that matches: *,*
   ZSFG-VAL-TYPEID-LOCALGROUP is any local user ID that matches: USERID.GROUPNUMBER, *
   ZSFG-VAL-TYPEID-LOCALSPECIFIC is a local user ID that matches: USERID.GROUPNUMBER, USERID.USERNUMBER
   ZSFG-VAL-TYPEID-REMOTEANYONE is any local or remote user ID that matches: \*.*,*
   ZSFG-VAL-TYPEID-REMOTEGROUP is any remote or local user ID that matches: \*.USERID.

ZSUBJECTUSERNAME is the user name of the subject.

ZAUTHORITY-OWNER indicates, if nonzero, that the subject is granted or denied OWNER authority.

ZAUTHORITY-CREATE indicates, if nonzero, that the subject is granted or denied CREATE authority.

ZAUTHORITY-PURGE indicates, if nonzero, that the subject is granted or denied PURGE authority.

ZAUTHORITY-EXECUTE indicates, if nonzero, that the subject is granted or denied EXECUTE authority.

ZTRUST specifies the TRUST setting for the objects protected by this record.

ZWARNINGMODE indicates, if nonzero, that warning mode is enabled for the object protected by this protection record.

Pattern Protection Record

DDL Definition

DEF ZSFG-DDL-PATPROT-SUBREC.
   02 ZOTYPE          TYPE ZSPI-DDL-ENUM.
   02 ZLASTMODTIME    TYPE ZSPI-DDL-TIMESTAMP.
   02 ZCLEARONPURGE   TYPE ZSPI-DDL-UINT.
      04 ZAUTHORITY-WRITE   TYPE ZSPI-DDL-UINT.
      04 ZAUTHORITY-READ    TYPE ZSPI-DDL-UINT.
      04 ZRESERVED          TYPE ZSPI-DDL-BYTE OCCURS 4 TIMES.
END.

Field Definitions

ZSFG-DDL-PATPROT-SUBREC has these fields:

ZOTYPE indicates the type of object this record describes. The defined values for ZOTYPE are:
   ZSFG-VAL-OTYPE-DEVICE indicates a device authorization record.
   ZSFG-VAL-OTYPE-DISKFILE indicates a disk file authorization record.

ZCLEARONPURGE is reserved and defaults to False.

ZPROGID is reserved and defaults to False.

ZLICENSE is reserved and defaults to False.

ZPERSISTENT is reserved and defaults to False.

ZAUDIT-ACCESS-PASS indicates that successful attempts to access the protected object are audited depending on these values:
   ZSFG-VAL-AUDIT-ALL      Audit local and remote access attempts.
   ZSFG-VAL-AUDIT-LOCAL    Audit local access attempts.
   ZSFG-VAL-AUDIT-NONE     Do not audit access attempts from any source.
   ZSFG-VAL-AUDIT-REMOTE   Audit remote access attempts.

ZAUDIT-MANAGE-PASS indicates that successful attempts to manage the protection record are audited depending on these values:
   ZSFG-VAL-AUDIT-ALL      Audit local and remote management attempts.
   ZSFG-VAL-AUDIT-LOCAL    Audit local management attempts.
   ZSFG-VAL-AUDIT-NONE     Do not audit management attempts from any source.
   ZSFG-VAL-AUDIT-REMOTE   Audit remote management attempts.

   ZSFG-VAL-TYPEID-LOCALSPECIFIC is a local user ID that matches: USERID.GROUPNUMBER, USERID.USERNUMBER
   ZSFG-VAL-TYPEID-REMOTESPECIFIC is a local or remote user ID that matches: \*.USERID.GROUPNUMBER, USERID.USERNUMBER

ZOWNERUSERNUMBER is the group number, member number of the owner.

ZOWNERUSERNAME is the user name of the owner.

ZNONEXISTENT indicates, if nonzero, that a diskfile did not exist when the protection record was added.

ZLASTMODISALIAS indicates, when true, that ZLASTMODUSERNAME is an ALIAS name.

ZLASTMODTIME contains the time when the pattern protection record was last modified.

ZCREATORTYPEID indicates whether the creator was a locally or remotely authenticated user.

ZCREATORNODE includes the last authenticated node number of the user that created the pattern protection record.
Pattern Protection Record Audit File Record Formats ZSFG-VAL-TYPEID-LOCALANYONE is any user ID that matches: *,* ZSFG-VAL-TYPEID-LOCALGROUP is any local user ID that matches: USERID.GROUPNUMBER, * ZSFG-VAL-TYPEID-LOCALSPECIFIC is a local user ID that matches: USERID.GROUPNUMBER, USERID.USERNUMBER ZSFG-VAL-TYPEID-REMOTEANYONE is any local or remote user ID that matches: \*.*,* ZSFG-VAL-TYPEID-REMOTEGROUP is any remote or local user ID that matches: \*.USERID.
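The ZSFG-VAL-TYPEID-* forms listed for ZOWNERTYPEID in both the Protection Record and the Pattern Protection Record can be turned into a small parser, so that a program reading the audit trail labels owner entries the same way the manual does and can test whether a given user ID falls under an entry. This is an added example, not code from the manual or from Safeguard; it assumes the REMOTEGROUP form (cut off on this page) is \*.GROUPNUMBER,* by analogy with the other remote forms, and that LOCAL forms match only locally authenticated user IDs.

```python
"""Classify Safeguard user-ID matching forms into ZSFG-VAL-TYPEID-* values.

Added example, not code from the manual or from Safeguard. It encodes the
forms that the Protection Record and Pattern Protection Record field
definitions give for each ZOWNERTYPEID value. Assumptions: the REMOTEGROUP
form, cut off on this page, is taken to be \*.GROUPNUMBER,* by analogy
with the other remote forms, and LOCAL forms are taken to match only
locally authenticated user IDs.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A specification as the manual writes it: an optional "\*." prefix (any
# remote node), then "group,member" where each part is a number or "*".
_SPEC = re.compile(r"^(?P<remote>\\\*\.)?(?P<group>\*|\d+),(?P<member>\*|\d+)$")


@dataclass(frozen=True)
class UserId:
    """A concrete user ID; node is None for a locally authenticated user."""
    group: int
    member: int
    node: Optional[str] = None


def classify_typeid(spec):
    """Return the ZSFG-VAL-TYPEID-* value whose form matches spec.

    Raises ValueError for a form the manual does not define, such as a
    wildcard group with a specific member ("*,5").
    """
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError("not a user ID specification: %r" % spec)
    group_any = m.group("group") == "*"
    member_any = m.group("member") == "*"
    if group_any and not member_any:
        raise ValueError("wildcard group with a specific member is not a defined form: %r" % spec)
    scope = "REMOTE" if m.group("remote") else "LOCAL"
    if group_any:
        kind = "ANYONE"
    elif member_any:
        kind = "GROUP"
    else:
        kind = "SPECIFIC"
    return "ZSFG-VAL-TYPEID-%s%s" % (scope, kind)


def spec_matches(spec, uid):
    """True if the user ID uid falls within the specification spec."""
    typeid = classify_typeid(spec)          # also validates the form
    m = _SPEC.match(spec.strip())
    if typeid.startswith("ZSFG-VAL-TYPEID-LOCAL") and uid.node is not None:
        return False                        # LOCAL forms: local users only (assumption)
    group, member = m.group("group"), m.group("member")
    if group != "*" and int(group) != uid.group:
        return False
    if member != "*" and int(member) != uid.member:
        return False
    return True


if __name__ == "__main__":
    # Constructed specifications, not taken from any real protection record.
    for spec in ("255,255", "100,*", "*,*", "\\*.100,7", "\\*.100,*", "\\*.*,*"):
        print("%-12s %s" % (spec, classify_typeid(spec)))
```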
Pattern Search Access Record Audit File Record Formats ZSUBJECTUSERNAME is the user name of the subject. ZAUTHORITY-OWNER indicates, if nonzero, that the subject is granted or denied OWNER authority. ZAUTHORITY-CREATE indicates, if nonzero, that the subject is granted or denied CREATE authority. ZAUTHORITY-PURGE indicates, if nonzero, that the subject is granted or denied PURGE authority. ZAUTHORITY-EXECUTE indicates, if nonzero, that the subject is granted or denied EXECUTE authority.
Safeguard Configuration Record Audit File Record Formats ZPATAUTHZSPEC displays the pattern-spec of a pattern protection record used in determining the object access authorization. ZPATAUTHZMETHOD indicates the method used to determine the outcome. ZPATREDUCTIONLEVEL indicates the number of search levels used to arrive at a null or unique pattern. Possible values are: ZSFG-VAL-REDLVL-INITIAL indicates that the initial search for a pattern resulted in an empty or unique result.
Safeguard Configuration Record

DDL Definition
DEF ZSFG-DDL-CONFIG-SUBREC.
  02 ZWRITE-THROUGH-CACHE
  02 ZEOF-REFRESH
  02 ZRECOVERY
  02 ZPASSWORD-EXPIRY-GRACE
  02 ZCI-PROG OCCURS 47 TIMES.
  02 ZCI-LIB OCCURS 47 TIMES.
  02 ZCI-SWAP OCCURS 47 TIMES.
  02 ZCI-CPU
  02 ZCI-PRI
  02 ZCI-PARAM-TEXT OCCURS 255 TIMES.
(Only the field names and OCCURS counts of these entries survive in this extract; their TYPE clauses are not shown.)

Field Definitions
ZAUTH-FAIL-TO-VAL is the amount of time, as an integral number of ZAUTH-FAIL-TO-UNITS, by which a process is delayed after ZAUTH-MAX-ATTEMPTS is exceeded. ZAUTH-FAIL-TO-UNITS indicates what the smallest increment of ZAUTH-FAIL-TO-VAL represents.

ZCHECK-SUBDEVICE indicates, if nonzero, that the Safeguard software looks for protection records for subdevices. ZDIRECTION-DEVICE is the order in which the Safeguard software looks for protection records for devices and subdevices. The values are:
  ZSFG-VAL-DIR-DEV-DEVICE-1ST indicates that the Safeguard software examines protection records for devices before subdevices.

ZAUDIT-DEVICE-ACCESS-FAIL indicates that unsuccessful attempts to access a protected device are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote access attempts.
  ZSFG-VAL-AUDIT-LOCAL   Audit local access attempts.
  ZSFG-VAL-AUDIT-NONE    Do not audit access attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote access attempts.

ZCHECK-PROCESS indicates, if nonzero, that the Safeguard software examines protection records for processes. ZACL-REQUIRED-PROCESS indicates, if nonzero, that access is denied to all processes not protected by an ACL. ZAUDIT-PROCESS-ACCESS-PASS indicates that successful attempts to access a protected process are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote access attempts.
  ZSFG-VAL-AUDIT-LOCAL   Audit local access attempts.
  ZSFG-VAL-AUDIT-NONE    Do not audit access attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote access attempts.

ZAUDIT-PROCESS-MANAGE-FAIL indicates that unsuccessful attempts to manage a process protection record are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL   Audit local management attempts.
  ZSFG-VAL-AUDIT-NONE    Do not audit management attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote management attempts.

ZDIRECTION-DISKFILE is the order in which the Safeguard software looks for protection records for disk files and volumes. The values are:
  ZSFG-VAL-DIR-DISK-FILE-1ST indicates that the Safeguard software looks at protection records for disk files before those for volumes.
  ZSFG-VAL-DIR-DISK-VOL-1ST indicates that the Safeguard software looks at protection records for volumes before those for disk files.
ZCOMBINATION-DISKFILE is the manner in which the Safeguard software checks protection records for disk files.

ZAUDIT-DISKFILE-ACCESS-FAIL indicates that unsuccessful attempts to access a protected disk file are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote access attempts.
  ZSFG-VAL-AUDIT-LOCAL   Audit local access attempts.
  ZSFG-VAL-AUDIT-NONE    Do not audit access attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote access attempts.

ZCLEARONPURGE-DISKFILE indicates, if nonzero, that disk files are cleared when purged. ZAUDIT-SUBJECT-AUTH-PASS indicates that successful attempts to authenticate users are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote attempts.
  ZSFG-VAL-AUDIT-LOCAL   Audit local attempts.
  ZSFG-VAL-AUDIT-NONE    Do not audit attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote attempts.

ZAUDIT-SUBJECT-MANAGE-PASS indicates that successful attempts to manage a user authentication record are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL   Audit local management attempts.
  ZSFG-VAL-AUDIT-NONE    Do not audit management attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote management attempts.

ZAUDIT-OBJECT-ACCESS-FAIL indicates that unsuccessful attempts to access a protected object are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote attempts.
  ZSFG-VAL-AUDIT-LOCAL   Audit local attempts.
  ZSFG-VAL-AUDIT-NONE    Do not audit attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote attempts.

ZCURRENT-AUDIT-POOL is the name of the current audit pool. ZNEXT-AUDIT-POOL is the name of the next audit pool.

ZPASSWORD-EXPIRY-GRACE is the number of days after password expiration during which users can still change their password. ZCI-PROG is the object file of the default command interpreter that is started after user authentication at a Safeguard terminal; this value is used if no command interpreter is specified for the user or the terminal. ZCI-LIB is the library file used with the default command interpreter.

ZBLINDLOGON indicates, if nonzero, that passwords are not displayed and cannot be entered on the same line as the user name during logon. ZNAMELOGON indicates, if nonzero, that only user names (not user IDs) can be used during logon. ZTERMEXCLUSIVEACCESS indicates, if nonzero, that a user logged on at a Safeguard terminal has exclusive access to the terminal. ZWARNSYSTEMLEVEL indicates, if nonzero, that Safeguard warning mode is enabled.

ZWARNOBJECTLEVEL indicates, if nonzero, that warning mode is enabled for individual object protection records. ZALLOWNODEACL indicates, if nonzero, that ACL entries containing explicit node identifiers are consulted for remote access. ZCHECK-PAT-DISKFILE specifies whether the diskfile-pattern protection record is consulted to determine access to disk files. The field type is enumerated.

ZSFG-VAL-PSWD-ALGTHM-HMAC256 specifies that passwords supplied when a password is changed are protected with HMAC-SHA-256 (a keyed hash rather than reversible encryption). ZPASSWORD-MAXIMUM-LENGTH is the maximum length of new passwords for all users.
Note. ZPASSWORD-MAXIMUM-LENGTH is supported only on systems running H06.08 and later H-series RVUs.
Setting PASSWORD-SPACES-ALLOWED to ON results in an error unless PASSWORD-ALGORITHM = HMAC256, PASSWORD-ENCRYPT = ON and PASSWORD-COMPATIBILITY-MODE = OFF. The error message displayed is:
  THIS ATTRIBUTE CANNOT BE MODIFIED UNLESS PASSWORD-ALGORITHM = HMAC256, PASSWORD-ENCRYPT = ON, and PASSWORD-COMPATIBILITY-MODE = OFF; COMMAND NOT EXECUTED. (ZSFG^ERR^PSWD^SPACE^NEED^CMOFF)
PASSWORD-MIN-QUALITY-REQUIRED specifies the minimum quality criteria that must be met when a password is set or changed. The initial value is 0.

Terminal Definition Record

Field Definitions
ZTERMINAL-NAME is the name of the terminal to which this record refers. ZCI-PROG is the name of the object file of the command interpreter that is started after user authentication at this terminal; this value is used if no command interpreter is specified for the user. ZCI-LIB is the library file used with this command interpreter. ZCI-SWAP is the swap volume or file used with this command interpreter.
User Authentication Record

DDL Definition
DEF ZSFG-DDL-USER-SUBREC.
    06 ZAUTHORITY-READ TYPE ZSPI-DDL-UINT.
END.
(Only the last entry of the definition survives in this extract.)

Field Definitions
ZSFG-DDL-USER-SUBREC contains these fields:

ZPASSWORD-CHANGED indicates, if nonzero, that the password was changed. ZDEFAULTVOLUME is the default volume and subvolume at the time of the authentication attempt. ZDEFAULTSECURITY is a 16-bit field specifying the default Guardian security vector that applies to disk files created by this user and not protected by the Safeguard software.

ZAUDIT-AUTHEN-FAIL indicates that unsuccessful authentication attempts are audited according to the specified values. This field was previously called ZAUDIT-ACCESS-FAIL; the old name is no longer supported. Possible values are:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote authentication attempts.
  ZSFG-VAL-AUDIT-LOCAL   Audit local authentication attempts.
  ZSFG-VAL-AUDIT-NONE    No authentication attempts are audited.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote authentication attempts.

ZAUDIT-USER-ACTION-PASS indicates that all successful attempts by the user to access protected objects or manage Safeguard protection records are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote attempts by the user.
  ZSFG-VAL-AUDIT-LOCAL   Audit local attempts by the user.
  ZSFG-VAL-AUDIT-NONE    Do not audit attempts by the user from any source.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote attempts by the user.

ZFREEZE indicates, if nonzero, that the user ID is frozen. ZPASSWORDPERIOD is an integer specifying the interval, in days, within which the same password can be used for authentication attempts. ZLASTMODTIME is a 64-bit GMT timestamp specifying the date and time when the user's profile record was last modified. ZLASTLOGONTIME is a 64-bit GMT timestamp specifying when the last successful authentication of this user occurred.

  ZSFG-VAL-TYPEID-LOCALSPECIFIC is a local user ID that matches: USERID.GROUPNUMBER, USERID.USERNUMBER
  ZSFG-VAL-TYPEID-REMOTESPECIFIC is a local or remote user ID that matches: \*.USERID.GROUPNUMBER, USERID.USERNUMBER
ZOWNERUSERNUMBER is the user ID of the owner of the profile record. ZOWNERUSERNAME is the user name of the owner of the profile record.

The following fields describe the disk-file protection record created through DEFAULT-PROTECTION.

ZAUDIT-ACCESS-PASS indicates that successful attempts to access the disk file are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote access attempts.
  ZSFG-VAL-AUDIT-LOCAL   Audit local access attempts.
  ZSFG-VAL-AUDIT-NONE    Do not audit access attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote access attempts.

ZAUDIT-MANAGE-FAIL indicates that unsuccessful attempts to manage the disk-file protection record created through DEFAULT-PROTECTION are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL     Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL   Audit local management attempts.
  ZSFG-VAL-AUDIT-NONE    Do not audit management attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE  Audit remote management attempts.

ZOWNERUSERNAME is the user name of the owner of the disk-file protection record. ZNUMACLENTRIES indicates, as an unsigned integer, the number of entries in the ACL defined in the protection record. ZACLENTRY is a repeated structure, each instance of which specifies an ACL entry. The component fields are: ZGRANT indicates, if nonzero, that this entry grants authorities to its subject; otherwise, this entry denies authorities to its subject.

  ZSFG-VAL-TYPEID-REMOTESPECIFIC is any local or remote user ID that matches: \*.USERID.GROUPNUMBER, USERID.USERNUMBER
  ZSFG-VAL-TYPEID-NODEANYONE is any remote user ID authenticated on a specific node that matches: \node.*,*
  ZSFG-VAL-TYPEID-NODEGROUP is any remote user ID authenticated on node that matches: \node.USERID.GROUPNUMBER, *
  ZSFG-VAL-TYPEID-NODESPECIFIC is a remote user ID authenticated on node that matches: \node.USERID.GROUPNUMBER, \node.
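The ZAUDIT-* attributes of the Safeguard configuration record (ZAUDIT-DEVICE-, ZAUDIT-PROCESS-, ZAUDIT-DISKFILE-, ZAUDIT-SUBJECT- and ZAUDIT-OBJECT-*-PASS/FAIL) and the per-user ZAUDIT-AUTHEN-* and ZAUDIT-USER-ACTION-* attributes all take the same four values, and each value covers a fixed set of origins: ALL covers local and remote attempts, LOCAL and REMOTE cover one origin, NONE covers neither. An auditor reading a configuration record therefore wants the complement: which (attribute, origin) pairs produce no audit record at all. The following Python is an added example, not code from this manual or from HP. It treats each record as a name-to-value mapping (how the values are extracted from SAFEART output is outside its scope), assumes that an attribute absent from a record audits nothing, and uses constructed sample records rather than a real audit trail.

```python
"""Find audit-coverage gaps in the ZAUDIT-* settings of a Safeguard configuration
record and of user authentication records. Added example; not code from the manual
or from HP."""
from typing import Dict, Iterable, List, Tuple

Settings = Dict[str, str]

# Origins covered by each ZSFG-VAL-AUDIT-* value, as defined in this appendix.
_COVERS = {
    "ZSFG-VAL-AUDIT-ALL": frozenset({"local", "remote"}),
    "ZSFG-VAL-AUDIT-LOCAL": frozenset({"local"}),
    "ZSFG-VAL-AUDIT-REMOTE": frozenset({"remote"}),
    "ZSFG-VAL-AUDIT-NONE": frozenset(),
}

# ZAUDIT-* fields of ZSFG-DDL-CONFIG-SUBREC named in this appendix (20 attributes).
CONFIG_AUDIT_ATTRIBUTES = tuple(
    f"ZAUDIT-{obj}-{action}-{outcome}"
    for obj, actions in (("DEVICE", ("ACCESS", "MANAGE")),
                         ("PROCESS", ("ACCESS", "MANAGE")),
                         ("DISKFILE", ("ACCESS", "MANAGE")),
                         ("SUBJECT", ("AUTH", "MANAGE")),
                         ("OBJECT", ("ACCESS", "MANAGE")))
    for action in actions
    for outcome in ("PASS", "FAIL")
)

# Per-user ZAUDIT-* fields of ZSFG-DDL-USER-SUBREC named in this appendix.
USER_AUDIT_ATTRIBUTES = ("ZAUDIT-AUTHEN-PASS", "ZAUDIT-AUTHEN-FAIL",
                         "ZAUDIT-USER-ACTION-PASS", "ZAUDIT-USER-ACTION-FAIL")


def is_audited(settings: Settings, attribute: str, origin: str) -> bool:
    """True if an attempt of this kind from this origin ("local" or "remote") is audited.
    An attribute missing from the record is treated as ZSFG-VAL-AUDIT-NONE (assumption)."""
    value = settings.get(attribute, "ZSFG-VAL-AUDIT-NONE")
    if value not in _COVERS:
        raise ValueError(f"{attribute}: unknown audit value {value!r}")
    return origin in _COVERS[value]


def record_gaps(settings: Settings, attributes: Iterable[str]) -> List[Tuple[str, str]]:
    """(attribute, origin) pairs of one record that produce no audit record."""
    return [(attr, origin)
            for attr in attributes
            for origin in ("local", "remote")
            if not is_audited(settings, attr, origin)]


def coverage_gaps(config: Settings, users: Dict[str, Settings]) -> List[Tuple[str, str, str]]:
    """Gaps across the configuration record ("CONFIG") and every user record,
    as (record, attribute, origin) triples in record order."""
    gaps = [("CONFIG", attr, origin) for attr, origin in record_gaps(config, CONFIG_AUDIT_ATTRIBUTES)]
    for name, settings in users.items():
        gaps += [(name, attr, origin) for attr, origin in record_gaps(settings, USER_AUDIT_ATTRIBUTES)]
    return gaps


def unaudited_failures(config: Settings, users: Dict[str, Settings]) -> List[Tuple[str, str, str]]:
    """The gaps that matter most: denied accesses, failed logons and failed
    management attempts that leave no trace in the audit trail."""
    return [g for g in coverage_gaps(config, users) if g[1].endswith("-FAIL")]


# Constructed sample records (not taken from a real audit trail).
SAMPLE_CONFIG: Settings = {attr: "ZSFG-VAL-AUDIT-ALL" for attr in CONFIG_AUDIT_ATTRIBUTES}
SAMPLE_CONFIG.update({
    "ZAUDIT-DISKFILE-ACCESS-FAIL": "ZSFG-VAL-AUDIT-LOCAL",   # remote denials go unrecorded
    "ZAUDIT-OBJECT-ACCESS-PASS": "ZSFG-VAL-AUDIT-NONE",
    "ZAUDIT-PROCESS-MANAGE-FAIL": "ZSFG-VAL-AUDIT-REMOTE",   # local failures go unrecorded
})
SAMPLE_USERS: Dict[str, Settings] = {
    "OPS.JOE": {"ZAUDIT-AUTHEN-PASS": "ZSFG-VAL-AUDIT-ALL", "ZAUDIT-AUTHEN-FAIL": "ZSFG-VAL-AUDIT-LOCAL",
                "ZAUDIT-USER-ACTION-PASS": "ZSFG-VAL-AUDIT-ALL", "ZAUDIT-USER-ACTION-FAIL": "ZSFG-VAL-AUDIT-ALL"},
    "SUPER.SUPER": {"ZAUDIT-AUTHEN-PASS": "ZSFG-VAL-AUDIT-ALL", "ZAUDIT-AUTHEN-FAIL": "ZSFG-VAL-AUDIT-ALL",
                    "ZAUDIT-USER-ACTION-PASS": "ZSFG-VAL-AUDIT-NONE", "ZAUDIT-USER-ACTION-FAIL": "ZSFG-VAL-AUDIT-ALL"},
}

if __name__ == "__main__":
    for record, attribute, origin in coverage_gaps(SAMPLE_CONFIG, SAMPLE_USERS):
        print(f"{record:12} {attribute:30} {origin} attempts are not audited")
```

On the sample records the report lists remote denials of disk-file access, local failures to manage process protection records, every successful object access, remote logon failures for OPS.JOE and every action of SUPER.SUPER as unaudited; the last two are the kind of finding that is invisible unless the user records are checked alongside the configuration record.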
User Record Extensions

The Safeguard subsystem maintains extensions to the authentication record for each user or alias on the system. The user record extensions appear in their own secondary record whenever a corresponding authentication record appears in the audit trail. They are represented by a ZSFG-DDL-USER-SUBRECEXT variant and a ZSFG-DDL-USER-SUBRECEXT-1 variant of the ZTEXT-AREA field.

ZINITIAL-PROGTYPE is the initial program type for the user within the OSS file system. ZINITIAL-PROGLEN is the length of the pathname of the user's initial program within the OSS file system. ZINITIAL-PROGRAM is the pathname of the user's initial program within the OSS file system. ZINITIAL-DIRLEN is the length of the pathname of the user's initial working directory within the OSS file system.

  ZSFG-VAL-TYPEID-LOCALGROUP is any local user ID that matches GROUPNUMBER, *
  ZSFG-VAL-TYPEID-REMOTEGROUP is any local or remote user ID that matches \*.GROUPNUMBER, *
  ZSFG-VAL-TYPEID-LOCALANYONE is any local user ID that matches *.*
  ZSFG-VAL-TYPEID-REMOTEANYONE is any local or remote user ID that matches \*.*.*
  ZSFG-VAL-TYPEID-NODESPECIFIC is any local or remote user ID that matches \NODENUMBER.USERID.GROUPNUMBER, USERID.
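The ZSFG-VAL-TYPEID-* values listed here, in the user authentication record's ACL entries and in the pattern protection record classify an ACL subject along two axes: node scope (no node prefix for locally authenticated users only, \* for local or remote users, \node for users authenticated on one specific node) and specificity (anyone, a group, or one user). The following Python is an added example, not code from this manual or from HP. It classifies a subject spec written in the notation this appendix uses (an optional backslash-node prefix, then GROUP,USER with * as the wildcard; this textual form, and the use of decimal group and user numbers, are assumptions) and evaluates whether an authenticated subject matches it, honouring ZALLOWNODEACL for entries that name an explicit node.

```python
"""Classify Safeguard ACL subject specifications into the ZSFG-VAL-TYPEID-* values and
test whether an authenticated subject matches one. Added example; not code from the
manual or from HP."""
import re
from typing import Optional

# Assumed textual form of a subject spec, taken from the notation used in this appendix:
#   [\NODE.]GROUP,USER   where NODE is "*" (any node) or a node name/number, and GROUP and
#   USER are "*" or decimal numbers. Local entries carry no node prefix at all.
_SPEC = re.compile(r"^(?:\\(?P<node>\*|[A-Za-z0-9]+)\.)?(?P<group>\*|\d+),(?P<user>\*|\d+)$")


def _parse(spec: str) -> "re.Match[str]":
    m = _SPEC.match(spec.replace(" ", ""))
    if m is None:
        raise ValueError(f"not a subject spec: {spec!r}")
    if m.group("group") == "*" and m.group("user") != "*":
        raise ValueError(f"a wildcard group with a specific user number is not a defined form: {spec!r}")
    return m


def classify_typeid(spec: str) -> str:
    """Return the ZSFG-VAL-TYPEID-* name for an ACL entry subject spec."""
    m = _parse(spec)
    node, group, user = m.group("node"), m.group("group"), m.group("user")
    scope = "LOCAL" if node is None else ("REMOTE" if node == "*" else "NODE")
    kind = "ANYONE" if group == "*" else ("GROUP" if user == "*" else "SPECIFIC")
    return f"ZSFG-VAL-TYPEID-{scope}{kind}"


def matches(spec: str, node: Optional[str], group: int, user: int, allow_node_acl: bool = True) -> bool:
    """Does an authenticated subject match this ACL entry?

    node is None for a locally authenticated user, otherwise the node the user was
    authenticated on. allow_node_acl mirrors ZALLOWNODEACL: when it is off, entries
    that carry an explicit node identifier are not consulted at all.
    """
    m = _parse(spec)
    typeid = classify_typeid(spec)
    if typeid.startswith("ZSFG-VAL-TYPEID-LOCAL"):
        if node is not None:            # LOCAL* entries apply only to locally authenticated users
            return False
    elif typeid.startswith("ZSFG-VAL-TYPEID-NODE"):
        # NODE* entries apply only to remote users authenticated on that node,
        # and only while ZALLOWNODEACL is set.
        if not allow_node_acl or node is None or node.upper() != m.group("node").upper():
            return False
    # REMOTE* (\*.) entries apply to local and remote users alike.
    spec_group, spec_user = m.group("group"), m.group("user")
    if spec_group != "*" and int(spec_group) != group:
        return False
    if spec_user != "*" and int(spec_user) != user:
        return False
    return True


if __name__ == "__main__":
    # Constructed specs; group 100, user 5 stand in for a real USERID.
    for spec in ("*,*", "100,*", "100,5", r"\*.*,*", r"\*.100,*", r"\*.100,5",
                 r"\SYS1.*,*", r"\SYS1.100,*", r"\SYS1.100,5"):
        print(f"{spec:14} {classify_typeid(spec)}")
    print(matches(r"\SYS1.100,5", "SYS1", 100, 5, allow_node_acl=False))
```

The point worth checking in practice is the difference between a \*.GROUP,* entry and a \node.GROUP,* entry: the first admits the group from every node, including the local one, while the second is ignored entirely whenever ZALLOWNODEACL is off, so a reviewer who sees node-qualified entries should confirm the configuration record before trusting them.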
DDL Definition of ZSFG-DDL-USER-SUBRECEXT-1
Note. The DDL definition of ZSFG-DDL-USER-SUBRECEXT-1 and its field definitions are supported only on systems running G06.27 and later G-series RVUs and H06.06 and later H-series RVUs.
DEF ZSFG-DDL-USER-SUBRECEXT-1.
  02 ZLENDESCTEXT TYPE ZSPI-DDL-INT.
  02 ZDESCRIPTIONTEXT TYPE ZSPI-DDL-BYTE OCCURS 2049 TIMES.
  02 ZLENDESCBIN TYPE ZSPI-DDL-INT.
END.
OSS Audit File Record Format

The audit record format for OSS audits is the same as for Guardian audits; the secondary text area is used to report the additional attributes. OSS audit support applies only to systems running G06.12 and later RVUs.

ZTEXT-AREA-TYPE indicates the type of text contained in the ZTEXT-AREA field. This field can have these additional values:
  ZSFG-VAL-TEXT-OSSACCESS  The text area contains a ZSFG-DDL-OSSACCESS-SUBREC variant.
  ZSFG-VAL-TEXT-OBJECT     For an OSS rename operation, the text area contains a ZSFG-DDL-OSSRENAME-SUBREC variant.

OSS Object Representations

The audit records include representations of several OSS attributes. All of these representations occur as variants of the ZTEXT-AREA of secondary audit records. This section specifies the DDL subrecord templates for the variants of ZTEXT-AREA.

ZMTIME is the date and time of the last modification. ZCTIME is the time of the last file status change.

OSS Access Mode Record

Any attempt to determine the accessibility of a file is audited. The access mode is represented in the ZTEXT-AREA of the secondary audit record with this template overlay:
DDL Definition
DEF ZSFG-DDL-OSSACCESS-SUBREC.
  02 ZACCESS-MODE TYPE ZSPI-DDL-INT2.
END.

OSS Process Startup Record

Whenever a new process is started in an OSS environment, a process startup record is generated on successful startup. The process startup record is represented in the ZTEXT-AREA of the secondary audit record with this template overlay:
DDL Definition
DEF ZSFG-DDL-OSSAUDIT-SUBREC.
  02 ZPROG TYPE ZSPI-DDL-BYTE OCCURS 44 TIMES.
  02 ZUSER-ID TYPE ZSPI-DDL-INT2.
  02 ZGROUP-ID TYPE ZSPI-DDL-INT2.
END.

OSS File Attributes Record

  02 ZSIZE TYPE ZSPI-DDL-INT2.
  02 ZTIMES TYPE ZSFG-DDL-OSSUTIME-SUBREC.
  02 ZPATHNAME-LEN TYPE ZSPI-DDL-UINT.
  02 ZPATHNAME TYPE ZSPI-DDL-BYTE OCCURS 1024 TIMES.
END.
Field Definitions
ZVARIANT-TYPE indicates which fields are present in the record.

OSS ACL Attributes Record

The OSS ACL attributes record represents the ACL attributes of an OSS file. Depending on the type of operation, clients supply the necessary fields, and the number of secondary records generated depends on the type of operation. The record is represented in the ZTEXT-AREA of the secondary audit record with this template overlay:
Note. The OSS ACL entry structure is supported only on systems running G06.

ZCREATORISALIAS indicates, when true, that ZCREATORUSERNAME is an alias name. ZCREATORTIME contains the time when the OSS ACL was created. ZLASTMODUSERNUM contains the user ID of the user that last modified the OSS ACL. ZLASTMODUSERNAME contains the user name of the user that last modified the OSS ACL. ZLASTMODISALIAS indicates, when true, that ZLASTMODUSERNAME is an alias name.

  ZSFG-VAL-ACETYPEID-OPT-USER indicates that the ACETYPEID is an optional user.
  ZSFG-VAL-ACETYPEID-OPT-GROUP indicates that the ACETYPEID is an optional group.
  ZSFG-VAL-ACETYPEID-DEF-USER indicates that the ACETYPEID is the default owning user.
  ZSFG-VAL-ACETYPEID-DEF-GROUP indicates that the ACETYPEID is the default owning group.
  ZSFG-VAL-ACETYPEID-DEF-CLASS indicates that the ACETYPEID is the default class.
  ZSFG-VAL-ACETYPEID-DEF-OTHER indicates that the ACETYPEID is the default other.

OSS Kill Record

  02 ZEAUTHTYPE-REQUESTOR TYPE ZSPI-DDL-INT.
  02 ZRAUTHTYPE-REQUESTOR TYPE ZSPI-DDL-INT.
  02 ZRAUTHTYPE-TARGET TYPE ZSPI-DDL-INT.
  02 ZSAUTHTYPE-TARGET TYPE ZSPI-DDL-INT.
END.
Field Definitions
ZSIGNAL specifies the signal sent. ZPROCESSGROUP-ID-PID is either the OSS process ID of the target process or the process group ID. ZEUID-REQUESTOR is the OSS effective user ID of the requestor. ZRUID-REQUESTOR is the OSS real user ID of the requestor.

OSS Link Record

A File Attributes record is generated with variant type 5. The link record is represented in the ZTEXT-AREA of the secondary audit record with this template overlay:
DDL Definition
DEF ZSFG-DDL-OSSLINK-SUBREC.
  02 ZLINK-COUNT TYPE ZSPI-DDL-UINT.
  02 ZPATHNAME-LEN TYPE ZSPI-DDL-UINT.
  02 ZPATHNAME TYPE ZSPI-DDL-BYTE OCCURS 1024 TIMES.
END.
Field Definitions
ZLINK-COUNT is the number of links. ZPATHNAME-LEN is the length of the pathname used to find the file.
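The OSS subrecord templates above (ZSFG-DDL-OSSACCESS-SUBREC, ZSFG-DDL-OSSAUDIT-SUBREC and ZSFG-DDL-OSSLINK-SUBREC) are fixed-layout overlays on the ZTEXT-AREA of a secondary audit record, so a tool that reads the raw audit file rather than SAFEART output has to decode them field by field. The following Python is an added example, not code from this manual or from HP. It assumes the SPI widths ZSPI-DDL-INT and ZSPI-DDL-UINT are 16-bit, ZSPI-DDL-INT2 is 32-bit, fields are big-endian and unpadded, the 44-byte ZPROG is space padded, and the access mode uses the usual access(2) bit values R_OK=4, W_OK=2, X_OK=1; none of these is stated on this page. Only the ZSFG-VAL-TEXT-OSSACCESS type value is named here, so the other two decoders are keyed by DDL name. The sample payloads are constructed, not captured from a real audit trail.

```python
"""Decode the OSS subrecord overlays that Safeguard places in the ZTEXT-AREA of a
secondary audit record. Added example; not code from the manual or from HP."""
import struct

# Assumed SPI/DDL widths (not stated on this page): ZSPI-DDL-INT and ZSPI-DDL-UINT are
# 16-bit, ZSPI-DDL-INT2 is 32-bit, all big-endian, with no padding between fields.
_ACCESS_FMT = ">i"         # 02 ZACCESS-MODE  TYPE ZSPI-DDL-INT2
_STARTUP_FMT = ">44sii"    # 02 ZPROG BYTE OCCURS 44, 02 ZUSER-ID INT2, 02 ZGROUP-ID INT2
_LINK_FMT = ">HH1024s"     # 02 ZLINK-COUNT UINT, 02 ZPATHNAME-LEN UINT, 02 ZPATHNAME BYTE OCCURS 1024

# Assumed access(2) mode bits; a mode of 0 is an existence check (F_OK).
_MODE_BITS = {4: "R_OK", 2: "W_OK", 1: "X_OK"}


def _unpack(fmt: str, area: bytes) -> tuple:
    """Unpack one overlay, refusing a text area shorter than the template."""
    need = struct.calcsize(fmt)
    if len(area) < need:
        raise ValueError(f"ZTEXT-AREA holds {len(area)} bytes; overlay {fmt!r} needs {need}")
    return struct.unpack_from(fmt, area)


def decode_ossaccess(area: bytes) -> dict:
    (mode,) = _unpack(_ACCESS_FMT, area)
    names = [name for bit, name in _MODE_BITS.items() if mode & bit]
    return {"ZACCESS-MODE": mode, "modes": names or ["F_OK"]}


def decode_ossaudit(area: bytes) -> dict:
    prog, uid, gid = _unpack(_STARTUP_FMT, area)
    # ZPROG is a fixed 44-byte field; space padding is assumed, trailing NULs tolerated.
    return {"ZPROG": prog.rstrip(b" \x00").decode("ascii"), "ZUSER-ID": uid, "ZGROUP-ID": gid}


def decode_osslink(area: bytes) -> dict:
    link_count, path_len, path = _unpack(_LINK_FMT, area)
    # ZPATHNAME-LEN is data read from the record. A value beyond the fixed 1024-byte
    # ZPATHNAME array is corrupt or hostile input and must not be used as a length.
    if path_len > len(path):
        raise ValueError(f"ZPATHNAME-LEN {path_len} exceeds the 1024-byte ZPATHNAME array")
    return {"ZLINK-COUNT": link_count, "ZPATHNAME-LEN": path_len,
            "ZPATHNAME": path[:path_len].decode("utf-8")}


def valid_link_record(area: bytes) -> bool:
    """True if the area decodes as a well-formed ZSFG-DDL-OSSLINK-SUBREC."""
    try:
        decode_osslink(area)
    except ValueError:
        return False
    return True


DECODERS = {
    "ZSFG-VAL-TEXT-OSSACCESS": decode_ossaccess,   # ZTEXT-AREA-TYPE value named on this page
    "ZSFG-DDL-OSSAUDIT-SUBREC": decode_ossaudit,   # keyed by DDL name: type values not on this page
    "ZSFG-DDL-OSSLINK-SUBREC": decode_osslink,
}


def decode_text_area(text_area_type: str, area: bytes) -> dict:
    """Dispatch on ZTEXT-AREA-TYPE (or DDL name) to the matching overlay decoder."""
    try:
        decoder = DECODERS[text_area_type]
    except KeyError:
        raise ValueError(f"no decoder for ZTEXT-AREA-TYPE {text_area_type!r}") from None
    return decoder(area)


# Constructed sample payloads (not captured from a real audit trail).
SAMPLE_ACCESS = struct.pack(_ACCESS_FMT, 6)                                   # R_OK | W_OK
SAMPLE_STARTUP = struct.pack(_STARTUP_FMT, b"/usr/bin/ksh".ljust(44), 201, 100)
_PATH = b"/home/ops/.profile"
SAMPLE_LINK = struct.pack(_LINK_FMT, 2, len(_PATH), _PATH.ljust(1024, b"\x00"))
BAD_LINK = struct.pack(_LINK_FMT, 1, 2000, b"/tmp/x".ljust(1024, b"\x00"))   # overlong length field

if __name__ == "__main__":
    print(decode_text_area("ZSFG-VAL-TEXT-OSSACCESS", SAMPLE_ACCESS))
    print(decode_text_area("ZSFG-DDL-OSSAUDIT-SUBREC", SAMPLE_STARTUP))
    print(decode_text_area("ZSFG-DDL-OSSLINK-SUBREC", SAMPLE_LINK))
    print(valid_link_record(BAD_LINK))
```

The length check in decode_osslink is the part to keep when adapting this to other variants that pair a length field with a fixed OCCURS array (ZSFG-DDL-USER-SUBRECEXT-1 has the same shape with ZLENDESCTEXT and the 2049-byte ZDESCRIPTIONTEXT).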
OSS Process Group ID Record

A process group ID record is generated whenever the process group ID of a process changes; setpgid() and setsid() can change it. The change generates a pair of secondary records, one representing the process group ID (pgid) before the change and one representing the changed process group ID. Process group ID records are also generated during OSS process startup.

Field Definitions
ZVARIANT-TYPE is the type of ID being changed: variant type 1 represents a user ID, variant type 2 a group ID. ZREAL-ID is the OSS real user or group ID. ZEFFECTIVE-ID is the OSS effective user or group ID. ZSAVED-SET-ID is the OSS saved-set user or group ID. ZREAL-AUTHTYPE is the real authentication type of the user. ZEFFECTIVE-AUTHTYPE is the effective authentication type of the user.