Safeguard Audit Service Manual

Abstract
This manual for security administrators and auditors describes all aspects of auditing on Safeguard controlled systems.

Product Version
Safeguard G06.06, H05

Supported Release Version Updates (RVUs)
This publication supports J06.03 and all subsequent J-series RVUs, H06.08 and all subsequent H-series RVUs, and G06.29 and all subsequent G-series RVUs, until otherwise indicated by its replacement publications.
Document History

Part Number   Product Version          Published
520480-026    Safeguard G06.06, H05    August 2011
520480-027    Safeguard G06.06, H05    February 2012
520480-028    Safeguard G06.06, H05    August 2012
520480-029    Safeguard G06.06, H05    February 2013
520480-030    Safeguard G06.06, H05    August 2013
520480-031    Safeguard G06.
Legal Notices
© Copyright 2014 Hewlett-Packard Development Company L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
What’s New in This Manual
Changes to 520480-030 manual
• Updated the section Establishing Security Groups on page 3-2.
• Updated the section Guardian File System Error Record on page 7-54.
• Updated the section Safeguard Configuration Record on page A-53.
• Added the attribute ZPROMPT-BEFORE-STOP on page A-77.

Changes to 520480-029 manual
• Updated the section Establishing Security Groups on page 3-2.
• Added the section OSS SEEP Attribute Record on page A-109.

Changes to 520480-028 manual
• Updated the information for OSS Audit Attribute Record on page 7-73.
• Added the attribute ZPASSWORD-ERR-DETAIL on page A-71.
• Added the DDL definition of ZSFG-DDL-GROUP-SUBRECEXT on page A-93.
• Updated the definition for OSS Audit Attribute Record on page A-97.
Changes to the H06.21/J06.10 Manual
• Added the OSSProcessOperPrivSetID field to OSS Process Set ID Record on pages 7-79 and 7-80.
• Added OSS File Privileges Attribute Record on page 7-81.
• Added the following fields and their descriptions to the structure of the Safeguard Configuration Record:
  ° ZPASSWORD-MIN-UPPERCASE-REQ on pages A-55 and A-73.
  ° ZPASSWORD-MIN-LOWERCASE-REQ on pages A-55 and A-73.
  ° ZPASSWORD-MIN-NUMERIC-REQ on pages A-55 and A-74.
• Added a note to the description of ZOBJECT-NAME on page A-21.
• Added the DDL definition and field description of ZDYNAMIC-PROC-UPDATE on pages A-55 and A-76, respectively.

Changes to the 520480-022 Manual
• Updated notes in the following sections to include support for G-series RVUs:
  ° How Attempts to Log On Are Audited section on page 2-5.
  ° ConfigAuditOSSFilter and ConfigAuditTACLLOGOFF attribute description on page 7-18.
Changes to the H06.16/J06.05 Manual
  ° UserCreationTime on page 7-8.
  ° GroupCreatorNumber on page 7-9.
  ° GroupCreatorName on page 7-9.
  ° GroupCreatorIsAlias on page 7-9.
  ° GroupCreatorNodeNumber on page 7-9.
  ° GroupCreationTime on page 7-9.
• Added ConfigAuditOSSFilter attribute on page 7-18.
• Added ConfigAuditTACLLOGOFF attribute on page 7-18.
• Added a note specifying the position of node name and node number on page 7-34.
• Updated the Protection Record Extension template with the DDL definition and field definition of the following:
  ° ZOBJTEXTLEN on pages A-43 and A-44, respectively.
  ° ZOBJTEXTDESC on pages A-43 and A-44, respectively.
  ° ZFILLER on pages A-43 and A-44, respectively.
About This Manual
This manual is written primarily for security administrators and auditors. It serves as a single source of information about the auditing features of Safeguard controlled systems. These features include audit specification through SAFECOM, audit-trail management through the audit service commands, and audit reporting through SAFEART.
Related Manuals
You should be familiar with the Safeguard subsystem, which is documented in:
• Safeguard User’s Guide
• Safeguard Administrator’s Manual
• Safeguard Reference Manual
• Safeguard Management Programming Manual
You might also want to see:
• Guardian Procedure Calls Reference Manual
• Data Definition Language (DDL) Reference Manual

Notation Conventions

Hypertext Links
Blue underline is used to indicate a hypertext link within text.
General Syntax Notation
italic computer type. Italic computer type letters within text indicate C and Open System Services (OSS) variable items that you supply. Items not enclosed in brackets are required. For example:
pathname
[ ] Brackets. Brackets enclose optional syntax items. For example:
TERM [\system-name.]$terminal-name
INT[ERRUPTS]
A group of items enclosed in brackets is a list from which you can choose one item or none.
Quotation marks around a symbol such as a bracket or brace indicate the symbol is a required character that you must type as shown. For example:
"[" repetition-constant-list "]"
Item Spacing. Spaces shown between items are required unless one of the items is a punctuation symbol such as a parenthesis or a comma. For example:
CALL STEPMOM ( process-id ) ;
If there is no space between two items, spaces are not permitted.
Notation for Messages
Bold Text. Bold text in an example indicates user input typed at the terminal. For example:
ENTER RUN CODE
?123
CODE RECEIVED: 123.00
The user must press the Return key after typing the input.
Nonitalic text. Nonitalic letters, numbers, and punctuation indicate text that is displayed or returned exactly as shown. For example:
Backup Up.
lowercase italic letters. Lowercase italic letters indicate variable items whose values are displayed or returned.
Notation for Management Programming Interfaces
% Percent Sign. A percent sign precedes a number that is not in decimal notation. The % notation precedes an octal number. The %B notation precedes a binary number. The %H notation precedes a hexadecimal number.
HP Encourages Your Comments
HP encourages your comments concerning this document. We are committed to providing documentation that meets your needs. Send any errors found, suggestions for improvement, or compliments to docsfeedback@hp.com. Include the document title, part number, and any comment, error found, or suggestion for improvement you have concerning this document.
1 Introduction
The ability to track security-relevant events on your system is one of the most important aspects of computer security. The Safeguard audit service allows you to record and retrieve information about a wide range of events. Audited events are recorded in the Safeguard audit files, collectively referred to as the audit trail. You can retrieve information about audited events by using SAFEART, the Safeguard Audit File Reduction Tool.
Safeguard Events That Are Always Audited
The following events are always audited, regardless of any Safeguard audit settings:
• Running the ALTER SAFEGUARD or STOP SAFEGUARD commands
• Running the Safeguard audit service commands (except the INFO AUDIT SERVICE and the INFO AUDIT POOL commands)
• Running the Safeguard TERMINAL commands (except the INFO TERMINAL command)
• Running the EVENT-EXIT-PROCESS commands (except the INFO EVENT-EXIT-PROCESS command)
Record Formats. For information on DDL definitions, see the Data Definition Language (DDL) Reference Manual.
Note. Effective with the D10 product version of Safeguard, the SAFEACT program is no longer supported and cannot be used for audit file conversion.

Extracting Audit Information
The Safeguard subsystem provides an audit reduction tool called SAFEART. SAFEART is an interactive, batch-mode program that allows you to retrieve information from the audit files.
2 Specifying Auditing
This section explains how to specify auditing for security-relevant events on a Safeguard controlled system. You can specify auditing by setting audit attributes in the protection records for specific users, aliases, objects, or OBJECTTYPEs. In general, specifying auditing for user aliases follows the same rules as specifying auditing for users. Any statements pertaining to user auditing in this section also apply to alias auditing.
Special Audit Attributes for User Actions
Two new AUDIT-USER-ACTION attributes in a user authentication record control auditing for most types of actions performed by the user. For more information, see Auditing Events Performed by a Specific User on page 2-12.

Shorthand for Audit Attributes
In many instances, you can use shortened forms of the attributes to specify combinations of auditing conditions.
• A local user runs a process that attempts to log on by calling the VERIFYUSER or USER_AUTHENTICATE_ procedure.
REMOTE
No authentication attempts are recorded in the current audit file. Although SAFECOM accepts this value, authentication attempts can be audited only on the system where they occur.
NONE
No authentication attempts are recorded in the current audit file.
3. If the supplied password matches the password in the authentication record, the Safeguard subsystem checks the values of these attributes in the authentication record:
   STATUS frozen/thawed
   USER EXPIRES date, time
   PASSWORD EXPIRES date, time
4. If the current status is frozen, the user authentication record has expired, or the user's password has expired, the logon attempt fails. (See the note following this list.)
• AUDIT-AUTHENTICATE-FAIL
Note. This information is supported only on systems running J06.03 and later J-series RVUs, H06.14 and later H-series RVUs, and G06.32 and later G-series RVUs.

Auditing Attempts to Access Objects
To specify auditing for attempts to access a particular object, use the AUDIT-ACCESS attributes in the authorization record for the object. The Safeguard subsystem records the specified access attempts in the current audit file.
Examples
This example shows how an owner of the protection record can specify auditing for all successful attempts to access the file $DATA.SALES.RECORD1 (that is, all attempts to read, write, execute, or purge the file):
=ALTER DISKFILE $data.sales.record1, AUDIT-ACCESS-PASS all
Similarly, an owner can specify the auditing of all unsuccessful remote attempts to access the file $DATA.SALES.RECORD2:
=ALTER DISKFILE $data.sales.
Auditing Attempts to Add Protection Records
To specify auditing for attempts to add protection records of a given type, use the AUDIT-ACCESS attributes in the appropriate OBJECTTYPE authorization record. The Safeguard subsystem records the specified protection attempts in the current audit file.
How Attempts to Add Protection Records Are Audited
When an attempt is made to add a protection record, the Safeguard subsystem performs this procedure to authorize the action and to determine if auditing is required:
1. The appropriate OBJECTTYPE record is consulted to determine whether the user attempting to add the protection record has the required authority.
2.
Auditing Attempts to Manage Protection Records
To specify auditing for attempts to manage (change, read, or delete) a particular protection record, use the AUDIT-MANAGE attributes in the protection record.
• Attempting to delete a protection record with the DELETE command
If this event is audited, one primary audit record and one secondary audit record are written to the current audit file. The secondary record contains the image of the protection record that was deleted or that the user attempted to delete. For user and alias records, two secondary records are written. See the following note.
Note.
NONE
No attempts to manage this protection record are recorded in the current audit file. NONE is the default value for both AUDIT-MANAGE-PASS and AUDIT-MANAGE-FAIL.

Examples
This example illustrates how to audit attempts to manage a user authentication record.
   If AUDIT-MANAGE-PASS is specified, the successful operation is recorded in the current audit file.
3. If the user lacks the required authority, the Safeguard subsystem issues a security violation (error 48) and checks the value of the AUDIT-MANAGE-FAIL attribute. If AUDIT-MANAGE-FAIL is specified, the failed operation is recorded in the current audit file.
REMOTE
Remote attempts made by the user are recorded in the current audit file. (A remote attempt is made by a network user logged on to a remote system.)
NONE
Attempts made by the user are not recorded in the current audit file unless auditing is specified through other audit attributes. NONE is the default value for both AUDIT-USER-ACTION-PASS and AUDIT-USER-ACTION-FAIL.

Example
This example specifies auditing for successful and unsuccessful remote events performed by admin.
Shorthand for Audit Attributes
You can use a shortened form of the audit attributes under most circumstances when you are specifying the same conditions for different audit attributes. For example, consider this command:
=ALTER DISKFILE $home.annual.report, &
=AUDIT-MANAGE-PASS all
=AUDIT-MANAGE-FAIL all
=AUDIT-ACCESS-PASS all
=AUDIT-ACCESS-FAIL all
You can use a shortened form of the audit attributes to specify the same auditing conditions.
Controlling Auditing of NonStop Client Events
Table 2-1.
service receives event information from the clients and writes records to the audit trail on their behalf. The content and format of audit records vary from one client to another. The existence of audit records from clients might also vary from RVU to RVU. The Safeguard configuration attribute AUDIT-CLIENT-GUARDIAN controls whether client events are recorded. Possible values are ON and OFF. Initially, the attribute is set to ON.
Table 2-2.
Configuring Audit Exclusion of NonStop Client Events
Table 2-3. AUDIT-EXCLUDE-FIELDs and their corresponding values (page 5 of 5)

AUDIT-EXCLUDE-FIELD                 Values for AUDIT-EXCLUDE-VALUE
(field continued from preceding page)   • OSSFILESET
                                        • SOCKET
                                        • SYMLINK
                                        • TTY
                                        • PROCESSGROUP
                                        • OSSPROCESS
OWNERISREMOTE                           • REMOTE
                                        • LOCAL
                                        • NONE
                                        • UNKNOWN

The following AUDIT-EXCLUDE-FIELD values have dynamic variable names; therefore, no enums are defined for them.
• CREATORSYSTEMNUMBER
• CREATORPROCESSNAME
• CREATORAUTHLOCNAME
• CREATORTERMINALNAME
• CREATORAUTHLOCNUMBER
• OBJECTNAME
AUDIT-EXCLUDE-VALUE specifies a set of values (up to five) for the respective field names in the AUDIT-EXCLUDE-FIELD. The combination of field names and values determines which NonStop client audit events are excluded. The default value is NONE.
Note.
OSS Auditing

ACO Attribute
The ACO attribute is primarily used in combination with other attributes to control OSS auditing. However, the following fileset-management audit outcome records are written to the audit trail whenever the ACO attribute is set: start/stop fileset, add/delete fileset, and alter fileset.
AUDIT-CLIENT-GUARDIAN (ACG) and AUDIT-DEVICE-ACCESS-PASS/FAIL Attributes
If either the AUDIT-DEVICE-ACCESS-PASS or the AUDIT-DEVICE-ACCESS-FAIL attribute is set, Safeguard authorization records for the opening of OSS terminals are written to the audit trail.
Configuring Safeguard for Systemwide Auditing

The ALTER SAFEGUARD Command
To configure systemwide auditing, use the ALTER SAFEGUARD command to specify Safeguard configuration attributes. The ALTER SAFEGUARD command is restricted to either the super group or to the SECURITY-ADMINISTRATOR security group if it has been created.

The INFO SAFEGUARD Command
You can check the values of the Safeguard configuration attributes with the INFO SAFEGUARD command.
Note.
1. The Safeguard attribute AUDIT-CLIENT-GUARDIAN is a synonym for AUDIT-CLIENT-SERVICE. The AUDIT-CLIENT-OSS attribute is supported only on systems running G06.29 and later G-series RVUs and H06.08 and later H-series RVUs.
2. The AUDIT-DISKFILE-PRIV-LOGON attribute is supported only on systems running H06.11 and later H-series RVUs and G06.32 and later G-series RVUs.
3.

Systemwide Device Auditing
AUDIT-DEVICE-ACCESS-FAIL
specifies conditions for auditing unsuccessful attempts to access any device or subdevice on the system. This setting supplements individual device or subdevice audit settings. The conditions can be ALL, NONE, LOCAL, or REMOTE. The default is NONE. If client auditing is enabled, this attribute also controls auditing for unsuccessful file-system operations pertaining to devices and subdevices.

Systemwide Disk-File Auditing
AUDIT-DISKFILE-ACCESS-FAIL
specifies conditions for auditing unsuccessful attempts to access any volume, subvolume, or disk file on the system. This setting supplements the individual audit settings. The conditions can be ALL, NONE, LOCAL, or REMOTE. The default is NONE. If client auditing is enabled, this attribute also controls auditing for unsuccessful file-system operations pertaining to volumes, subvolumes, and disk files.

Systemwide Process Auditing
If client auditing is enabled, this attribute also controls auditing for successful client operations pertaining to processes and subprocesses.
AUDIT-PROCESS-ACCESS-FAIL
specifies conditions for auditing unsuccessful attempts to access any process or subprocess on the system. This setting supplements individual process or subprocess audit settings. The conditions can be ALL, NONE, LOCAL, or REMOTE. The default is NONE.

Systemwide Auditing of All Objects
If client auditing is enabled, this attribute also controls auditing for successful client operations pertaining to any of the previously listed types of objects.
AUDIT-OBJECT-ACCESS-FAIL
specifies conditions for auditing unsuccessful attempts to access any of the previously listed types of objects. This setting supplements any audit settings for individual objects. The conditions can be ALL, NONE, LOCAL, or REMOTE.
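The following Python model, added here as an illustration and not part of HP's Safeguard code, works through how the ALL/LOCAL/REMOTE/NONE conditions on the object's own AUDIT-ACCESS-PASS/FAIL attributes, a user's AUDIT-USER-ACTION-PASS/FAIL attributes, and the systemwide AUDIT-<object-type>-ACCESS-PASS/FAIL attributes decide whether an attempt is recorded. It assumes the union rule the text implies (a systemwide setting supplements the object's setting; a user-action setting records what other attributes do not), and the attribute families, names and attempts in it are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# The four conditions every audit attribute in this manual accepts.
CONDITIONS = ("ALL", "LOCAL", "REMOTE", "NONE")


def condition_matches(condition: str, remote: bool) -> bool:
    """Does an attempt's origin (local or remote) fall under a condition?"""
    condition = condition.upper()
    if condition not in CONDITIONS:
        raise ValueError(f"unknown audit condition {condition!r}")
    if condition == "ALL":
        return True
    if condition == "LOCAL":
        return not remote
    if condition == "REMOTE":
        return remote
    return False  # NONE


@dataclass
class AuditAttributes:
    """A PASS/FAIL attribute pair as it appears in a protection record
    (AUDIT-ACCESS-*), a user authentication record (AUDIT-USER-ACTION-*)
    or the Safeguard configuration record (AUDIT-<object-type>-ACCESS-*).
    NONE is the default for all of them."""
    passed: str = "NONE"
    failed: str = "NONE"

    def selects(self, remote: bool, success: bool) -> bool:
        return condition_matches(self.passed if success else self.failed, remote)


@dataclass
class Attempt:
    object_name: str
    user: str
    remote: bool    # made by a network user logged on to a remote system?
    success: bool   # authorization granted (PASS) or denied with error 48 (FAIL)?


def is_audited(attempt: Attempt, object_access: AuditAttributes,
               user_action: AuditAttributes,
               systemwide: AuditAttributes) -> Tuple[bool, List[str]]:
    """Return whether a record is written and which attributes asked for it.
    Assumption of this model: the three families combine as a union, so
    any one of them matching is enough for the attempt to be recorded."""
    outcome = "PASS" if attempt.success else "FAIL"
    reasons: List[str] = []
    if object_access.selects(attempt.remote, attempt.success):
        reasons.append(f"AUDIT-ACCESS-{outcome}")
    if user_action.selects(attempt.remote, attempt.success):
        reasons.append(f"AUDIT-USER-ACTION-{outcome}")
    if systemwide.selects(attempt.remote, attempt.success):
        reasons.append(f"systemwide AUDIT-<object-type>-ACCESS-{outcome}")
    return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed settings mirroring the manual's examples:
    # $DATA.SALES.RECORD1 with AUDIT-ACCESS-PASS all, and a user admin
    # with AUDIT-USER-ACTION-PASS/FAIL remote.
    record1 = AuditAttributes(passed="ALL")
    admin = AuditAttributes(passed="REMOTE", failed="REMOTE")
    print(is_audited(Attempt("$DATA.SALES.RECORD1", "admin", True, True),
                     record1, admin, AuditAttributes()))
```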
Systemwide Auditing for Users, Aliases, and Groups
The conditions specified for this attribute also apply to the systemwide auditing of automatic logoffs described in Auditing User Authentication Attempts on page 2-2.
AUDIT-AUTHENTICATE-FAIL
specifies conditions for auditing unsuccessful user and alias authentication attempts on the system. This setting supplements the audit settings in individual user and alias records. The conditions can be ALL, NONE, LOCAL, or REMOTE.
AUDIT-TACL-LOGOFF
controls generation of audits for the TACL LOGOFF or TACL EXIT operations. When set to TRUE, audits for the TACL LOGOFF or TACL EXIT operations are generated based on the value of the AUDIT-AUTHENTICATE-PASS and AUDIT-AUTHENTICATE-FAIL attributes. When set to FALSE, audits for the TACL LOGOFF or TACL EXIT operations are generated based on the value of the AUDIT-CLIENT-GUARDIAN, AUDIT-PROCESS-ACCESS-PASS, and AUDIT-PROCESS-ACCESS-FAIL attributes.

Unconditional Auditing
attempt, and the other contains an image of the audit pool record showing the attempted change. For each attempted ALTER AUDIT SERVICE command, two secondary audit records are written to the current file. One contains an image of the Safeguard configuration record before the attempt, and the other contains an image of the Safeguard configuration record showing the attempted change.
3 Managing the Audit Trail
This section describes the components of the Safeguard audit trail and how to manage them with the audit service commands. The Safeguard audit trail consists of one or more audit pools. An audit pool is a subvolume that contains audit files. You can define multiple audit pools, and each audit pool can contain several individual audit files. These audit files contain records of audited events.
designated as the currently active audit pool until another audit pool is added and selected. After additional audit pools are added and one of them is selected, $SYSTEM.SAFE remains in the audit trail as a secondary audit pool; it is used in certain situations to record audit data if the currently active audit pool fills up or becomes unavailable due to a disk failure.
Establishing Security Groups
ADMINISTRATOR, SECURITY-PRV-ADMINISTRATOR, SECURITY-AUDITOR, SECURITY-MEDIA-ADMIN, and SECURITY-PERSISTENCE-ADMIN to establish roles and to further restrict the use of the audit service. The SECURITY-ADMINISTRATOR security group can issue all audit service commands except the NEXTFILE and RELEASE commands. The SYSTEM-OPERATOR security group can issue all audit service commands except the ALTER AUDIT SERVICE command.
The SECURITY-PERSISTENCE-ADMIN security group designates a list of users who have the same privileges as super group users for managing persistence processes.
Note. The SECURITY-PERSISTENCE-ADMIN security group is supported only on systems running J06.16 and later J-series RVUs and H06.27 and later H-series RVUs.
Creating an Audit Pool
To create an audit pool, you specify its location. Optionally, you can also specify the number of audit files to be included in the audit pool, and you can set limits on the size of each audit file. For example, use this ADD AUDIT POOL command to create an audit pool on volume $SECURE and subvolume AUDIT1:
=ADD AUDIT POOL $secure.
Use this INFO AUDIT POOL command to verify the new disk allocation parameters:
=INFO AUDIT POOL $secure.audit2
This output appears:
AUDIT POOL $SECURE.AUDIT2 CONFIGURATION
  MAXFILES           6
  MAXEXTENTS         32
  EXTENTSIZE         256,256
  AUDITCLEARONPURGE  ON
You can also create an audit pool that has the same parameters as an existing audit pool. For example, use this command to create an audit pool at $KEEPER.
Specifying Audit Service Recovery
for these situations and no next audit pool is selected, the Safeguard software attempts to recycle the audit files in the current audit pool. If it cannot recycle the files, the Safeguard software automatically suspends auditing. Overflow means the current audit file is full and no additional unreleased audit files are available in the current audit pool. Down volume means the disk volume containing the current audit pool has become inaccessible.
Examples
Suppose that you want to deny grants in the event of overflow or a down volume. To do so:
=ALTER AUDIT SERVICE, RECOVERY DENY GRANTS
Use the INFO AUDIT SERVICE command to verify your setting of the recovery actions:
=INFO AUDIT SERVICE
This output appears:
CURRENT AUDIT POOL     $secure.audit2
CURRENT AUDIT FILE     A0000003
NEXT AUDIT POOL        $keeper.
RECOVERY
CURRENT STATE
WRITE-THROUGH CACHE
EOF REFRESH
manually with the NEXTFILE command. When you execute NEXTFILE, the Safeguard software completes any outstanding write operations to the current file, closes it, and opens the next audit file. The NEXTFILE command has the form:
=NEXTFILE
You can also use SELECT CURRENT AUDIT POOL to close the current audit file and switch to another audit pool.
Deleting an Audit Pool
When you no longer need to retain an audit pool, you can delete it with the DELETE AUDIT POOL command. When you delete an audit pool, you must first release all files in the audit pool:
=RELEASE A1 : A7 IN $secure.audit2
=DELETE AUDIT POOL $secure.audit2
You cannot delete the current audit pool.
4 Audit Service Command Syntax
Use the SAFECOM audit service commands to define and manage the components of the Safeguard audit trail. These commands allow you to specify audit pools, the size and number of the audit files within an audit pool, and recovery actions to be taken if access to the audit trail is interrupted. The commands also allow you to release audit files for reuse and to manually select the next audit file to be used.
• The format for the command listing or report (for commands that produce displays or listings)
• Considerations for the use of the command
• Examples of command usage

ADD AUDIT POOL Command
ADD AUDIT POOL defines a new audit pool, adds it to the collection of available audit pools, and allocates disk space for the audit files. This command does not select the specified audit pool as the current audit pool.
AUDITCLEARONPURGE { ON | OFF }
specifies whether the disk space occupied by a specific audit file is cleared when that audit file is purged. The default value is ON.
Note. This parameter is supported only on systems running J06.03 and later J-series RVUs, H06.12 and later H-series RVUs, and G06.32 and later G-series RVUs.
LIKE $vol.subvol
adopts the existing file-spec values of the specified $volume.
ALTER AUDIT POOL Command
ALTER AUDIT POOL also provides a method of deleting released audit files. To do so, use the MAXFILES parameter to decrease the maximum number of audit files in an audit pool. This action effectively causes the excess number of released files to be deleted. Members of either security group can execute this command.
ALTER AUDIT POOL [ $vol.subvol ] [ , ] file-spec [ , file-spec ]...
$vol.
Considerations
• If you lower the value of MAXFILES, the audit service attempts to delete enough released audit files to reach the new MAXFILES value. If not enough released files are available for deletion, the audit service deletes as many released files as possible. In this instance, the new MAXFILES value is set to the user-specified value, and the additional files are deleted when they are released.

ALTER AUDIT SERVICE Command
operating-mode
specifies the audit service operating mode to be altered. Any operating-mode not specified in this command retains its current settings. The operating-mode values are:
WRITE-THROUGH CACHE { ON | OFF }
EOF REFRESH { ON | OFF }
RECOVERY recovery
WRITE-THROUGH CACHE { ON | OFF }
ON specifies that after each audit record is written, the block in which it resides is written to disk.
If this recovery action is specified and a down volume condition occurs, the audit service suspends auditing because it cannot recycle the files on a down volume.
SUSPEND AUDIT
specifies that auditing is suspended as long as the condition exists.
DENY GRANTS
specifies that the Safeguard subsystem is to deny the granting of most authorization and authentication requests that require auditing.
• If the Safeguard subsystem is included with system generation, take these precautions to prevent auditing from being suspended during a cold start of the system:
  1. Before shutting down the system, check that the current audit pool resides on a disk that is connected to the same processor as the $SYSTEM disk.
Note.
DELETE AUDIT POOL Command
Example 1. This example assumes that the audit pool $SECURE.AUDIT1 contains six audit files named A0000020 through A0000025. These files must be released before the audit pool is deleted:
=RELEASE A20 : A25 IN $secure.audit1
=DELETE AUDIT POOL $secure.audit1

INFO AUDIT POOL Command
INFO AUDIT POOL displays status information about one or more audit pools. Any user can execute this command.
INFO AUDIT POOL Command Audit Service Command Syntax MAXFILES maxfiles is the MAXFILES limit for the audit pool. MAXEXTENTS max-ext is the maximum number of extents for files in the audit pool. EXTENTSIZE pri-ext,sec-ext are the primary and secondary extent sizes for files in the audit pool. AUDITCLEARONPURGE ON,OFF specifies whether the diskspace occupied by a specific audit file is cleared when that audit file is purged. The default value is ON. Note. This field is supported only on systems running J06.
INFO AUDIT SERVICE Command

INFO AUDIT SERVICE displays status information about the audit service. Any user can execute this command.

   INFO AUDIT SERVICE

Example 4-2 shows the format of the INFO AUDIT SERVICE report.

Example 4-2. INFO AUDIT SERVICE Report

   CURRENT AUDIT POOL   $vol.subvol
   CURRENT AUDIT FILE   Axxxxxxx
   NEXT AUDIT POOL      $vol.

SUSPEND AUDIT indicates that auditing is suspended as long as the condition exists.

DENY GRANTS indicates that most authorization and authentication requests that require auditing are denied. The only requests allowed are those that result in successful operations by members of security groups.

CURRENT STATE: state is the current operating state of the audit service.

WRITE-THROUGH CACHE { ON | OFF } indicates the current state of the WRITE-THROUGH CACHE option. ON means the option is activated. OFF means it is inactive.

EOF REFRESH { ON | OFF } indicates the current state of the EOF REFRESH option. ON means the option is activated. OFF means it is inactive.

Consideration

Attempts to execute this command are not audited.
RELEASE Command

RELEASE releases audit files for reuse by the audit service. The audit service releases the audit file by setting its end-of-file pointer to zero and securing it against access by all user processes. All audit data in the file is purged, and it is put into service as the next available file in the audit pool. The purge is not reversible, so copy or archive any audit file whose data you still need before releasing it. Only members of the SYSTEM-OPERATOR security group can execute this command.

   RELEASE afile [ , afile ] ... [ IN $vol.

3. This command releases audit files A0000141 through A0000146 and file A0000150 in the current audit pool:

   =RELEASE A141:A146, A150

SELECT Command

SELECT selects a previously defined audit pool as the current audit pool or the next audit pool. When you select the current audit pool, the audit service automatically begins writing audit records to the first available audit file in that audit pool.

check that this audit pool is accessible and has files available when it is put in use as the current audit pool.

• All attempts to execute this command are audited.

Examples

1. This command selects the audit pool on $OPS2.TRAIL2 as the current audit pool:

   =SELECT CURRENT AUDIT POOL $ops2.trail2

2. This command selects the audit pool on $OPS3.TRAIL1 as the next audit pool:

   =SELECT NEXT AUDIT POOL $ops3.trail1

3. This command selects the audit pool on $BIG1.
5 Getting Started With SAFEART

This section describes basic rules for using SAFEART, the Safeguard Audit Reduction Tool. SAFEART extracts information from the Safeguard audit files and produces reports of audited events based on criteria you specify. SAFEART provides two types of commands:

• Session-control commands manage your interactive session.
• Report generation commands control the format, content, and destination of your report.

You can use SAFEART in either interactive or batch mode.

Running SAFEART

To run SAFEART interactively, at your command interpreter prompt:

   2>SAFEART
   Safeguard Audit File Reduction Tool T9750D30
   <=

SAFEART displays a default prompt of <= while you are in a SAFEART session. Enter all SAFEART commands at this prompt. You can run as many reports as you want in one session. To end a SAFEART session and return to your command interpreter, enter the EXIT command.

These examples illustrate the use of quotation marks:

   <=SET TITLE February
   <=SET TITLE 'December 16, 1991'
   <=SET TITLE "Operation's Activities"

Continuing a Command to the Next Line

To continue a command to the next line, end the first line with an ampersand (&).

line is considered a comment. (For more information on comments, see the Safeguard Reference Manual.) This example contains a comment:

   <=SET TITLE Test1
   <=AUDIT FILE testdata
   <=LOG logit -- This is a sample data file

Note. SAFEART does not support comments embedded within a command.

SAFEART Session-Control Commands

Use the SAFEART session-control commands to manage your interactive session.

This table lists possible values for prompt-item:

   Prompt Item      Description
   string           The prompt includes a user-supplied text string. The string must be enclosed within single or double quotes.
   COMMAND NUMBER   The prompt includes the current command line number.
   CPU              The prompt includes the number of the processor in which SAFEART is running.
   DATE             The prompt includes the current date.
   END              The default SAFEART prompt is suppressed.

HELP ITEMS Command

The HELP ITEMS command displays a SAFEART field and its field type. You can display one item or all fields permissible in a SET WHERE command.

   HELP ITEMS [ audit-record-item ]

audit-record-item is the name of a field in a primary or secondary record. If the field is an enumerated type, the possible values for it are also displayed. All other fields are displayed with only their names and their respective field types.

LOG Command

The LOG command defines a file for recording SAFEART commands and messages. Logging remains in effect during a SAFEART session until you turn it off or exit SAFEART. The log-file specified in a LOG command is the name of a file, printer, tape device, or terminal. The logging process is turned off when SAFEART receives a LOG command without log-file or when you exit SAFEART.

! Command

The ! command reexecutes a previously issued command line, without modifications. The SAFEART ! command is similar to the SAFECOM ! command, which is described in the Safeguard Reference Manual.

   ! [ string   ]
     [ "string" ]
     [ linenum  ]
     [ -linenum ]

? Command

The ? command displays a previously issued command line. The SAFEART ? command is similar to the SAFECOM ? command, which is described in the Safeguard Reference Manual.
6 Producing SAFEART Reports

General Procedure for Producing Reports

SAFEART allows you to produce reports of security-relevant events based on criteria you specify. Minimally, you must specify the audit files from which to extract information. However, to limit the scope of a report, you should also specify a time period and the types of events to include.

Before attempting to produce a report, become familiar with the SAFEART report generation commands described in the following pages.

Note. You must have READ authority for the audit files before you can produce reports with SAFEART. See your security administrator or system manager.

SAFEART Report Generation Commands

Specify criteria for reports using the SAFEART report generation commands.

RESET Command

The RESET command returns the current value of a report parameter to its default value.

   RESET { DESTINATION FILE }
         { TITLE            }
         { PAGE SIZE        }
         { START TIME       }
         { END TIME         }
         { WHERE            }

DESTINATION FILE returns the value of DESTINATION FILE to its default value (the home terminal).

TITLE returns the value of TITLE to the default title, "Safeguard Audit Reduction Tool."

PAGE SIZE returns the value of PAGE SIZE to the default value of 60 lines per page.

SET Command

The SET commands define the values for these report parameters.

   SET { DESTINATION FILE [ report-file ]                  }
       { TITLE { (")title(") | ("title", "title",...) }   }
       { PAGE SIZE number-of-lines                         }
       { START TIME starting-time                          }
       { END TIME ending-time                              }
       { WHERE expression                                  }

DESTINATION FILE report-file is the name of a file, tape device, printer, or terminal to which the report is written. The default is your home terminal.

   yyyy/mm/dd
   yy/mm/dd

yyyy is a number representing the century and year, such as 2001.

yy is a number representing the year in the current century, such as 01 for 2001. Leading zeros are optional.

mm is a number in the range 01 through 12, representing the month of the year, such as 4 for April. Leading zeros are optional.

dd is a number in the range 01 through 31, representing the day of the month. Leading zeros are optional.

relational-operator is one of these:

   =    equal to
   <>   not equal to
   <    less than
   <=   less than or equal to
   >    greater than
   >=   greater than or equal to
   LE   less than or equal to
   NE   not equal to
   GE   greater than or equal to

If the record item is an enumerated field, only = and <> are valid operators.

value specifies what record-item is compared to. It must be the same type as record-item. For example, if the item is a numeric field, value must be a number.

• Special rules govern the evaluation of comparison statements in SET WHERE commands. For more information, see Specifying Selection Criteria on page 6-9.

Examples

1.

SHOW * displays all values in effect for the current SAFEART session.

Example

This example includes a SHOW * command with the resulting output. The values in the output reflect the commands used in previous examples in this section.

   <=SHOW *
   OUT LOG
   AUDIT FILE "$bart.audit.A0000001"
   AUDIT FILE "$bart.audit.
These statistics appear in the report summary:

Complete Events   The number of complete events read from the audit file or files. An event might have more than one record associated with it. For more information, see Reviewing Reports on page 6-18.

Header Records    The number of header records found in the audit files. There should be one header record for each audit file used. If the count is lower than the number of audit files you specified, at least one file lacks its header (it is truncated or damaged), and the report should not be treated as a complete account of those files.

You can specify additional criteria by using additional SET WHERE commands or by combining comparison statements in the same SET WHERE command. For more information, see Using Multiple Comparison Statements on page 6-12. To practice specifying selection criteria, you might want to copy an audit file to your subvolume and generate test reports with it. As mentioned earlier, you must have READ authority for the audit file.

Wild-Card Support for Object Name Under SAFEART

To search for all diskfile-pattern records matching the objectname search string "$DATA.JA*.T*" (where the "*" in the filename is intended to be a search character), enter this command under SAFEART:

   SET WHERE objectname='$DATA.JA[*].T*'

To search for both diskfile and diskfile-pattern records matching the objectname search string "$DATA.JA*.
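The wild-card rule above is easy to get backwards when writing SET WHERE commands against pattern records, so here is a small Python emulation of it. This is an added example, not part of the manual or of SAFEART itself: it assumes, as the text's first example indicates, that a bare "*" matches any run of characters and that "[*]" matches one literal asterisk, and it further assumes whole-name, case-insensitive matching (Guardian names are not case-sensitive). The sample object names are constructed here.

```python
"""Emulate the SET WHERE objectname wild-card rule: '*' matches any run of
characters and '[*]' matches one literal asterisk, which is how a search
reaches the diskfile-pattern records whose own names contain '*'."""
import re
from typing import List

# Assumed for illustration: matching is anchored to the whole name and is
# case-insensitive. The page defines only '*' and '[*]'; nothing else is
# treated as a metacharacter.


def objectname_to_regex(search: str) -> "re.Pattern[str]":
    """Translate a SET WHERE objectname search string into a compiled regex."""
    pieces: List[str] = []
    i = 0
    while i < len(search):
        if search.startswith('[*]', i):   # escaped asterisk: literal '*'
            pieces.append(re.escape('*'))
            i += 3
        elif search[i] == '*':            # wild card: any characters
            pieces.append('.*')
            i += 1
        else:                             # everything else is literal
            pieces.append(re.escape(search[i]))
            i += 1
    return re.compile('^' + ''.join(pieces) + '$', re.IGNORECASE)


def select_objects(search: str, names: List[str]) -> List[str]:
    """Return, in input order, the object names the search string selects."""
    rx = objectname_to_regex(search)
    return [n for n in names if rx.match(n)]


# Constructed sample of ObjectName values: two diskfile records and three
# diskfile-pattern records (names that themselves contain '*').
SAMPLE_NAMES = [
    '$DATA.JAX.T1',        # diskfile
    '$DATA.JAN.TEST',      # diskfile
    '$DATA.JA*.T*',        # diskfile-pattern
    '$DATA.JA*.TEMP*',     # diskfile-pattern
    '$DATA.JB*.T*',        # diskfile-pattern, other subvolume prefix
]

if __name__ == '__main__':
    # Only the pattern records whose subvolume part is literally 'JA*':
    print(select_objects('$DATA.JA[*].T*', SAMPLE_NAMES))
    # Both diskfile and diskfile-pattern records under JA...:
    print(select_objects('$DATA.JA*.T*', SAMPLE_NAMES))
```

The first call selects only the two pattern records whose subvolume is literally JA*, while the unescaped form selects the plain disk files as well; that difference is the whole point of the "[*]" notation.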
If you use OwnerIsRemote in a comparison statement, you must compare it to one of these values. For example:

   <=SET WHERE OwnerIsRemote = local

Using Multiple Comparison Statements

When you use multiple comparison statements within a single SET WHERE command, connect them with a logical operator (AND or OR). The logical operator determines how the WHERE expression is evaluated.

Using Parentheses in SET WHERE Commands

To change the order of evaluating a complex expression, you can group multiple comparison statements within parentheses. The statements within parentheses are evaluated before the other comparison statements. The following example shows how the grouping of items in parentheses affects the meaning of a SET WHERE command.

This example illustrates how to use the Before prefix in a search. This command selects events in which an attempt was made to change the Safeguard configuration attribute PASSWORD ENCRYPT from ON to OFF (from True to False):

   <=SET WHERE BeforeConfigPasswordEncrypt=True AND &
   <=&ConfigPasswordEncrypt=False

Using SAFEART Command Files

SAFEART command files simplify your work.

• Consider specifying the destination file in the command file. If the destination file already exists, it is overwritten the first time SAFEART writes to it in a session. If SAFEART writes to the same destination file more than once during the same session, each report output is appended to the destination file.

session. The procedure for using this type of command file to produce a report is as follows:

1. From SAFEART, issue the OBEY command:

   <=OBEY obey-file

2. Specify the audit file or files with the AUDIT FILE command.
3. Specify a time period for the report with the SET START TIME and SET END TIME commands.
4. Specify any other preferred parameters.
5. Verify all report parameters with the SHOW * command.
6.

Command File Examples

Denied Object Events

   -- This file establishes criteria to produce a report of
   -- denied operations on device, process, or disk objects.
   --
   AUDIT FILE
   RESET START TIME; RESET END TIME
   RESET PAGE SIZE
   RESET WHERE
   SET DESTINATION FILE "\euro.$ops.audit.

   -- Select events where specified operator is the subject:
   SET WHERE subjectusernumber=255,60, 255,22, 255,77, 255,55
   SET WHERE subjectusernumber=255,79, 255,48, 255,75, 255,97
   SET WHERE subjectusernumber=255,4
   -- Select events where specified operator ID is the object:
   SET WHERE guarduserusernumber=255,60, 255,22, 255,77, 255,55
   SET WHERE guarduserusernumber=255,79, 255,48, 255,75, 255,97
   SET WHERE guarduserusernumber=255,4

Reviewing Reports

SAFEART includes o

Information About the Object

These primary record fields describe the object involved in the event.

   ObjectType   The type of object involved
   ObjectName   The name of the object

In some cases, the object is actually a user ID or a user record. If so, the ObjectName field is replaced by fields that describe the user ID.

Special Considerations for Subject Fields

Automatic Logoff Events

A user is automatically logged off if another user successfully logs on at the same terminal. This type of event is represented by a Logoff operation. The logged-off user is represented by the fields with the Subject prefix and the fields GuarduserUserName, GuarduserUserNumber, and UserAliasName.
7 SAFEART Field Descriptions

This section describes the fields that appear in SAFEART reports. These fields are derived from the fields in the Safeguard audit records. Most of the fields can be used in SET WHERE commands to select events. However, you must use the SAFEART names described here instead of the DDL audit record names listed in Appendix A, Audit File Record Formats.

Field Types

SAFEART uses several types of fields in its report.

Report Layout

Possible values for enumerated fields within a Safeguard text area are included in the text area description. Other enumerated fields that occur in primary and secondary records are described in Table 7-4 on page 7-55, Table 7-5 on page 7-58, Table 7-6 on page 7-61, Table 7-7 on page 7-63, Table 7-8 on page 7-63, Table 7-9 on page 7-63, and Table 7-10 on page 7-69.

Example 7-1.

SecondaryTextAreaType and ProtOtype fields indicate that the secondary text area contains an image of a disk-file protection record. The ObjectName field in the primary record contains the name of the disk file that the protection record represents. The remainder of this section describes the fields that appear in SAFEART reports.

Primary Record Fields

A primary audit record represents each audited security event. Table 7-1 describes the fields in the primary audit record. Except where noted, you can use these fields in SET WHERE commands.

Table 7-1. Primary Record Fields

   Field Name             Field Type      Description
   Auditnumber            Numeric         Identifies an audited event in the security audit pool.
   CreatorUserNumber      User number     Specifies the group number, member number of the process associated with the client or subsystem that reported the audited event.
   ObjectName             Character       Describes the object of the audited event. This field usually contains only the name of the object. However, under some conditions, this field might be overlaid by another set of fields.
   SubjectCreatorNumber   User number     Specifies the CAID of the user process attempting the operation. For more information, see Special Considerations for Subject Fields on page 6-19.
   SubjectProgramName     Character       Specifies the program file name of the user process attempting the operation.
   TimeReceived           Date and time   Specifies the date and time when the event description was received by the audit service collector process. You cannot use this field in SET WHERE commands.
   TimeReported           Date and time   Specifies the date and time when the client or subsystem sent the event description to the audit service collector process.

Variable ObjectName Field

Under certain conditions, the ObjectName field is overlaid by a different set of fields. The value of the ObjectType field indicates whether the ObjectName field is overlaid.

If the value of the ObjectType field is GuardianUser or UserRecord, the ObjectName field is overlaid with these fields:

   Field Name            Field Type    Description
   GuarduserUserName     Character     Specifies the group name.member name of the user.

   Field Name            Field Type    Description
   GuarduserUserName     Character     Specifies the group name.member name of the user. This field is blank if an alias was used to gain access to the system.
   GuarduserUserNumber   User number   Specifies the group number.member number of the user.
   UserAliasName         Character     Specifies the alias used to gain access to the system.

OSS Fileset:

   $ZPMON.Znnnnn:yyyymmddhhmmss

where nnnnn is the fileset device number and yyyymmddhhmmss is the time when the fileset was created.

Example: $ZPMON.Z00000:19980119152451

OSS Regular File:

   $VOL.ZYQnnnnn:Ziiiiiii:ccccccccccc (disk file)

where nnnnn is the fileset device number, iiiiiii is the file's inode number, and ccccccccccc is the file's creation version sequence number (CRVSN), with leading zeros suppressed.

Example: $OSS1.ZYQ00000.

   \###.$NAME[,CPU,PIN][:VERIFIER]
   \###.CPU,PIN[:VERIFIER]

where ### is the system node number.
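When scripting over SAFEART output, the ObjectName forms listed above (OSS fileset, OSS regular file, and the two process-name forms) need to be taken apart before they can be joined to anything else. The following Python parser is an added example and is not code from the manual or from SAFEART; the regular expressions transcribe the templates quoted in the text. Two assumptions are made: names are upper-cased before matching because Guardian names are case-insensitive, and the OSS regular-file form accepts either "." or ":" between the ZYQnnnnn subvolume and the Ziiiiiii file part, since the page's template shows a colon while its example shows a dot. The process-name inputs below are constructed.

```python
"""Parse the variable-form ObjectName values: OSS fileset and OSS regular-file
names and the named and unnamed process-name forms."""
import re
from datetime import datetime
from typing import Dict

# Assumed for illustration: these regexes transcribe the page's templates.
# Length limits follow Guardian naming ($ plus up to 7 characters for a
# volume, $ plus up to 5 for a process name).
_OSS_FILESET = re.compile(r'^\$ZPMON\.Z(?P<dev>\d{5}):(?P<created>\d{14})$')
_OSS_FILE = re.compile(
    r'^(?P<vol>\$[A-Z][A-Z0-9]{0,6})\.ZYQ(?P<dev>\d{5})[.:]Z(?P<inode>\d{7}):(?P<crvsn>\d+)$')
_PROC_NAMED = re.compile(
    r'^\\(?P<node>\d{1,3})\.(?P<pname>\$[A-Z][A-Z0-9]{0,4})'
    r'(?:,(?P<cpu>\d{1,2}),(?P<pin>\d+))?(?::(?P<verifier>[0-9A-Z]+))?$')
_PROC_UNNAMED = re.compile(
    r'^\\(?P<node>\d{1,3})\.(?P<cpu>\d{1,2}),(?P<pin>\d+)(?::(?P<verifier>[0-9A-Z]+))?$')


def parse_object_name(name: str) -> Dict[str, object]:
    """Classify an ObjectName value and break it into its parts.

    Returns a dict whose 'kind' is 'oss_fileset', 'oss_file', 'process' or
    'other', plus the fields the matching template defines. Anything that
    matches none of the templates is returned unchanged under 'other'.
    """
    text = name.strip().upper()

    m = _OSS_FILESET.match(text)
    if m:
        return {
            'kind': 'oss_fileset',
            'device': int(m['dev']),
            'created': datetime.strptime(m['created'], '%Y%m%d%H%M%S'),
        }

    m = _OSS_FILE.match(text)
    if m:
        return {
            'kind': 'oss_file',
            'volume': m['vol'],
            'device': int(m['dev']),
            'inode': int(m['inode']),
            'crvsn': int(m['crvsn']),
        }

    m = _PROC_NAMED.match(text) or _PROC_UNNAMED.match(text)
    if m:
        parts = m.groupdict()          # the unnamed form has no 'pname' group
        return {
            'kind': 'process',
            'node': int(parts['node']),
            'name': parts.get('pname'),
            'cpu': int(parts['cpu']) if parts.get('cpu') is not None else None,
            'pin': int(parts['pin']) if parts.get('pin') is not None else None,
            'verifier': parts.get('verifier'),
        }

    return {'kind': 'other', 'name': name}


if __name__ == '__main__':
    # The fileset example from the text, then constructed samples of the
    # other forms.
    for sample in ('$ZPMON.Z00000:19980119152451',
                   '$OSS1.ZYQ00000.Z0000123:4567',
                   r'\12.$ZSMP,0,45:123456',
                   r'\12.3,120',
                   '$DATA.JAX.T1'):
        print(sample, '->', parse_object_name(sample))
```

Keeping the verifier and the CPU,PIN pair separate matters when correlating events: a process name alone can be reused after the process stops, whereas the verifier identifies one incarnation.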
Secondary Record Fields

Some audited events might include one or more secondary records. Secondary records provide additional information about an event. The additional information is recorded in the text area of the secondary record, which is described in the following pages.

and the other secondary record contains a representation of the attempted change. The Outcome field in the primary record indicates whether the attempt succeeded. The SecondaryRecordType field indicates whether the record represents a before image. Other possible types of secondary records appear in Table 7-8 on page 7-63.

Secondary Text Area

The text area portion of the secondary record immediately follows the SecondaryTextAreaType field.

Table 7-3. Secondary Text Area Field Prefixes

   Field Prefix   Safeguard Record            SecondaryTextAreaType
   User           User record extension1      UserProfileExt1
   User@          User record extension1n     UserProfileExt1n

@ Supported only on systems running J06.03 and later J-series RVUs, H06.14 and later H-series RVUs, and G06.32 and later G-series RVUs.
Audit Pool Configuration Record

AuditMaxExtents specifies the maximum number of primary and secondary extents to be allocated to audit files created in this audit pool. Field type is numeric.

AuditMaxFiles specifies the maximum number of files that can be allocated in this audit pool. Field type is numeric.

AuditPrimaryExtents specifies the primary extent size to be used when creating audit files in this audit pool. Field type is numeric.

Safeguard Configuration Record

Normal restricts creation of persistent disk-file protection records to files that exist at the time the record is added. Always allows the creation of persistent disk-file protection records for files that exist and files that do not exist at the time the record is added.

ConfigAllowNodeACL specifies, if True, that ACL entries containing explicit node identifiers are consulted for remote access. Field type is True or False.

ConfigAuditDeviceManagePass specifies conditions for systemwide auditing of successful attempts to manage a device protection record. Field type is enumerated. Possible values are None, Local, Remote, and All.

ConfigAuditDiskfileAccessFail specifies conditions for systemwide auditing of unsuccessful attempts to access a protected disk file. Field type is enumerated. Possible values are None, Local, Remote, and All.

ConfigAuditObjectManageFail specifies conditions for systemwide auditing of unsuccessful attempts to manage the protection record for an object. Field type is enumerated. Possible values are None, Local, Remote, and All.

ConfigAuditObjectManagePass specifies conditions for systemwide auditing of successful attempts to manage the protection record for an object. Field type is enumerated. Possible values are None, Local, Remote, and All.

ConfigAuditSubjectManagePass specifies conditions for auditing successful attempts to manage a user authentication record. Field type is enumerated. Possible values are None, Local, Remote, and All.

ConfigAuditExcludeField specifies the field name of an audit record. All NonStop client audit events containing the specified field names are not generated by the Safeguard subsystem. The default value is NONE. Because a non-default value silently removes whole classes of events from the audit trail, a change to this attribute is itself worth selecting for in a review.

Note.

ConfigAuthFailFreeze specifies, if True, that a user is to be frozen when the number of consecutive failed authentication attempts for that user exceeds ConfigAuthMaxAttempts. Field type is True or False.

ConfigAuthFailToUnits specifies the units associated with ConfigAuthFailToVal. Field type is enumerated. Possible values are Seconds, Minutes, Hours, Days, Weeks, Months, and Years.

ONLY specifies that only pattern searching will occur. Normal, non-pattern searching will not be performed even if the pattern search returns NORECORD. OFF specifies that no pattern searches will occur.

ConfigCheckProcess specifies, if True, that the Safeguard software examines protection records for processes. Field type is True or False.

interpreter is specified for the user or the terminal. This field is blank if no value has been specified. Field type is character.

ConfigCiSwap specifies the swap volume or file used with the default command interpreter. This field is blank if no value has been specified. Field type is character.

ConfigClearonpurgeDiskfile specifies, if True, that disk files are cleared when purged. Field type is True or False.

ConfigCombinationProcess specifies the manner in which the Safeguard software checks protection records for processes. Field type is enumerated. The possible values are FirstRule, FirstAcl, and All.

ConfigCurrentAuditFile specifies the name of the current audit file, that is, the name of the audit file to which audit records are currently being written. Field type is character.

ConfigCurrentAuditPool specifies the name of the current audit pool.

ConfigPasswordAlgorithm specifies the algorithm used to encrypt the user's password when the password is to be stored in the encrypted form. Field type is enumerated.

Note. The ConfigPasswordAlgorithm attribute is supported only on systems running G06.29 and later G-series RVUs and H06.06 and later H-series RVUs.

The possible values are DES and HMAC256. Default value is DES. DES indicates to use the DES algorithm to encrypt passwords. In a report, a change of this attribute from HMAC256 back to DES is a downgrade worth selecting for, since DES-based password storage is far weaker against offline guessing.

ConfigPasswordMaximumLength specifies the maximum length of new passwords for all users. Field type is numeric.

Note. This attribute is supported only on systems running G06.31 and later G-series RVUs and H06.08 and later H-series RVUs.

ConfigPasswordMinimumLength specifies the minimum length of new passwords for all users. Field type is numeric.

ConfigPasswordNumericRequired specifies, if True, that the user password has at least one numeric character.

Note. This attribute is supported only on systems running G06.31 and later G-series RVUs and H06.09 and later H-series RVUs.

ConfigPasswordMinNumericReq specifies the minimum number of numeric characters that a user password must contain. Field type is numeric and the default value is 0.

Note.

ConfigPasswordMinQualityRequired specifies the minimum quality criteria that have to be met when a password is set or changed.

Note. This attribute is supported only on systems running G06.31 and later G-series RVUs and H06.09 and later H-series RVUs.

ConfigRecovery specifies the recovery action that the audit service applies when disk space in the current audit pool becomes unavailable. Field type is enumerated.

ConfigWriteThroughCache specifies, if True, that audit files are opened with the write-through cache option enabled. Field type is True or False.

Event-Exit Configuration Record

The Safeguard subsystem maintains a configuration record for the event-exit process. Attempts to read the event-exit record are not audited. All attempts to add, delete, or change the event-exit record are audited.
Group Profile Record SAFEART Field Descriptions EepPName specifies the process name under which the event-exit process runs. This field is blank if no value is specified. Field type is character. EepPri specifies the priority at which the event-exit process runs. Field type is numeric. EepProg specifies the name of the local file containing the event-exit program. This program is run if the event-exit process is enabled. This field is blank if no value is specified. Field type is character.
Automatic Logoff Record SAFEART Field Descriptions GroupAddMemberList is a list of users specified in an attempt to add members to a group. As many as 32 users can appear. You cannot use this list in SET WHERE commands. GroupAutoDelete specifies whether the group is automatically deleted when it no longer has any members. Field type is True or False. GroupDelMemberCount indicates the number of users in the list specified by GroupDelMember. Field type is numeric.
Automatic Logoff Record SAFEART Field Descriptions Fields in the primary record with a prefix of Subject or Guarduser describe the loggedoff user. Fields in the text area of the secondary record describe the newly logged-on user.
Terminal Definition Record SAFEART Field Descriptions These fields appear in the text area representing the automatic logoff record: LogonAliasName specifies the alias under which the newly logged-on user gained access to the system. This field is blank if the underlying user ID, rather than an alias, is used to gain access to the system. Field type is character. LogonUserName specifies the user name of the newly logged-on user. This field is blank if an alias is used to gain access to the system.
Protection Record SAFEART Field Descriptions LuCiPri specifies the priority at which to run the command interpreter specified by LuCiProg. Field type is numeric. LuCiProg specifies the object file of the command interpreter that is started after user authentication at this terminal. This object file is used if no command interpreter is specified for the user. This field is blank if no value has been specified. Field type is character.
Protection Record SAFEART Field Descriptions in columns from left to right) are described next. You cannot use these items in SET WHERE commands. Column 1 specifies whether the subject is granted or denied the listed access authorities. Possible values are: Grant indicates that the ACL entry grants the listed authorities. Deny indicates that the ACL entry denies the listed authorities. Column 2 contains the user ID of the subject. Column 3 contains the user name of the subject.
Protection Record SAFEART Field Descriptions NodeSpecific indicates that the specified remote subject must be a user authenticated on a specific remote node. Note. • • The node name is present at the end of all the ACL entries of the protection record. The node number is present at the end of these node names. NodeGroup indicates that the remote subject must be a member of the specified user group and be authenticated on a specific remote node.
Protection Record SAFEART Field Descriptions ProtAuditManageFail specifies conditions for auditing unsuccessful attempts to manage the protection record for the object. Field type is enumerated. Possible values are None, Local, Remote, and All. ProtAuditManagePass specifies conditions for auditing successful attempts to manage the protection record for the object. Field type is enumerated. Possible values are None, Local, Remote, and All.
Protection Record Extension SAFEART Field Descriptions ProtOwnerUserName specifies the user name of the owner. Field type is character. ProtOwnerUserNumber specifies the user ID of the owner. Field type is user number. ProtPersistent specifies, if True, that the disk-file protection record should exist even if the file is purged. Field type is True or False. ProtProgid specifies, if True, that the disk file is a program object code file with the PROGID attribute. Field type is True or False.
Protection Record Extension SAFEART Field Descriptions Shared TRUST is set to SHARED. The program file is trusted to not access the buffers that are private to the process or are shared with another process that also has TRUST SHARED set, before I/O completion. ProtPrivLogon specifies, if true, that a privlogon operation was attempted by the object file protected by this protection record. Field value is True or False. Note. This attribute is supported only on systems running H06.
Protection Record Extension SAFEART Field Descriptions P PURGE authority C CREATE authority O OWNER authority Column 4 specifies the type of subject granted or denied access. Possible values are: LocalSpecific indicates that the specified subject must be a local user. RemoteSpecific indicates that the specified subject can be either remote or local. LocalGroup indicates that the subject must be a local member of the specified user group.
Column 6 specifies the remote node numbers for network subjects with type IDs NodeSpecific, NodeGroup, and NodeAnyone.

Example

Grant 255,255 R,W,E,P, ,O LocalSpecific
Grant 255,255 R,W,E,P, , RemoteSpecific
Deny 00122 R,W, , , , LocalGroup
Grant 00195 R,W,E,P, , RemoteGroup

ProtNumProcessAclentries specifies the number of entries in the process-access control list (ACL) defined in the protection record. Field type is numeric.
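The entry layout described above (Grant/Deny, user ID, the positional authority list with blanks in unused positions, the subject type and, for Node* subjects, a node number) can be parsed mechanically so an audit reviewer can screen report output. The following is an added example, not SAFEART code: it assumes R, W and E stand for READ, WRITE and EXECUTE, treats the subject types named in the manual as the complete set, and applies a review rule of its own (flag any Grant of PURGE or OWNER to a remote subject type).

```python
"""Parse the ACL entries printed in a SAFEART Protection Record Extension
report and flag the ones a reviewer should look at.

Added example, not SAFEART code. The entry layout follows the manual:
Grant/Deny, the subject's user ID, the comma-separated authority list
(unused positions printed as blanks), the subject type and, for
NodeSpecific/NodeGroup/NodeAnyone subjects, a node number.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Order of the authority positions as printed ("R,W,E,P, ,O").
# P, C and O are PURGE, CREATE and OWNER per the manual; R, W and E are
# assumed here to be READ, WRITE and EXECUTE.
AUTHORITY_POSITIONS = ("R", "W", "E", "P", "C", "O")

# Subject types named in the manual, those describing network subjects,
# and the subset that is followed by a node number in the report.
SUBJECT_TYPES = {"LocalSpecific", "RemoteSpecific", "LocalGroup",
                 "RemoteGroup", "NodeSpecific", "NodeGroup", "NodeAnyone"}
REMOTE_TYPES = {"RemoteSpecific", "RemoteGroup",
                "NodeSpecific", "NodeGroup", "NodeAnyone"}
NODE_TYPES = {"NodeSpecific", "NodeGroup", "NodeAnyone"}


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "Grant" or "Deny"
    subject_id: str              # "255,255" for a user, "00122" for a group
    authorities: FrozenSet[str]  # subset of AUTHORITY_POSITIONS
    subject_type: str            # e.g. "LocalSpecific"
    node: Optional[str]          # node number for Node* types, else None


def parse_acl_entry(line: str) -> AclEntry:
    """Parse one report line such as 'Grant 255,255 R,W,E,P, ,O LocalSpecific'."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("Grant", "Deny"):
        raise ValueError(f"not an ACL entry: {line!r}")
    # The subject type is the last token, or the second to last when a
    # node number follows it; locate it from the end (index 1 is the ID).
    type_index = next((i for i in range(len(tokens) - 1, 1, -1)
                       if tokens[i] in SUBJECT_TYPES), None)
    if type_index is None:
        raise ValueError(f"unknown subject type in {line!r}")
    subject_type = tokens[type_index]
    trailing = tokens[type_index + 1:]
    if trailing and (subject_type not in NODE_TYPES or len(trailing) != 1):
        raise ValueError(f"unexpected trailing text in {line!r}")
    node = trailing[0] if trailing else None
    # Blank authority positions break the list into several whitespace
    # tokens ("R,W,E,P," and ",O"); rejoin them and split on the commas
    # to recover all six positions.
    positions = "".join(tokens[2:type_index]).split(",")
    if len(positions) != len(AUTHORITY_POSITIONS):
        raise ValueError(f"expected 6 authority positions in {line!r}")
    granted = set()
    for expected, got in zip(AUTHORITY_POSITIONS, positions):
        if got == "":
            continue
        if got != expected:
            raise ValueError(f"authority {got!r} out of position in {line!r}")
        granted.add(got)
    return AclEntry(tokens[0], tokens[1], frozenset(granted), subject_type, node)


def review_acl(lines: List[str]) -> List[Tuple[AclEntry, List[str]]]:
    """Return (entry, authorities) for each Grant of PURGE or OWNER to a
    remote subject type. The rule is this example's own review policy."""
    findings = []
    for line in lines:
        entry = parse_acl_entry(line)
        if entry.action != "Grant" or entry.subject_type not in REMOTE_TYPES:
            continue
        sensitive = sorted(entry.authorities & {"P", "O"})
        if sensitive:
            findings.append((entry, sensitive))
    return findings


# Constructed sample: the four entries shown in the manual plus one
# NodeSpecific entry with a node number, made up for this example.
SAMPLE_ACL = [
    "Grant 255,255 R,W,E,P, ,O LocalSpecific",
    "Grant 255,255 R,W,E,P, , RemoteSpecific",
    "Deny 00122 R,W, , , , LocalGroup",
    "Grant 00195 R,W,E,P, , RemoteGroup",
    r"Grant 255,255 R,W,E,P,C,O NodeSpecific \010",
]

if __name__ == "__main__":
    for entry, auths in review_acl(SAMPLE_ACL):
        print(f"{entry.subject_type:<15} {entry.subject_id:<8} grants {','.join(auths)}")
```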
Pattern Protection Record SAFEART Field Descriptions

Pattern Protection Record

In addition to object protection records, the Safeguard subsystem also maintains pattern protection records. Attempts to add, change, delete, or read these records might be audited, depending on whether auditing has been specified for such events. If auditing is specified and an attempt is made to add, delete, or read an authorization record, two secondary audit records (one pair) are generated.
PatProtLastModTime specifies the time that the pattern protection record was last modified. Field type is timestamp.

PatProtCreatorTypeid indicates if the creator of this protection record was a locally or remotely authenticated user. Field type is enumerated. Possible values are Local and Remote.

PatProtCreatorNodeNumber specifies the last authenticated node number of the user that created the pattern protection record. Field type is numeric.
Column 1 specifies whether the subject is granted or denied the listed access authorities. Possible values are:

Grant indicates that the ACL entry grants the listed authorities.

Deny indicates that the ACL entry denies the listed authorities.

Column 2 contains the user ID of the subject.

Column 3 contains the user name of the subject.

Column 4 lists the access authorities, separated by commas, that the subject is granted or denied.
NodeSpecific indicates that the specified remote subject must be a user authenticated on a specific remote node.

NodeGroup indicates that the remote subject must be a member of the specified user group and be authenticated on a specific remote node.

NodeAnyone indicates that the remote subject can be any user authenticated on a specific remote node.
PatProtClearOnPurge reserved—defaults to False.

PatProtFreeze specifies, if True, that the protection record is frozen. Field type is True or False.

PatProtLicense reserved—defaults to False.

PatProtNumAclentries specifies the number of entries in the access control list (ACL) defined in the protection record. Field type is numeric.

PatProtOtype specifies the type of object this record describes. Field type is enumerated.
Pattern Search Secondary Audit Record SAFEART Field Descriptions

Pattern Search Secondary Audit Record

A pattern search record is present only when a pattern protection record was involved in determining access to a diskfile object. The pattern search record is present when CHECK-DISKFILE-PATTERN is set to FIRST, ONLY, LAST, or MID, and a normal Safeguard record was not found.

Note. This is supported only on systems running J06.08 and later J-series RVUs and H06.18 and later H-series RVUs.
User Authentication Record SAFEART Field Descriptions

PatternNumSearch specifies the number of pattern protection records searched and discarded before determining the outcome. This count includes the final selected pattern, if any. Field type is unsigned integer.

PatternReductionLevel indicates how many levels of pattern reduction were used to determine the final pattern. Field type is enumerated. Possible values are Collation and Initial.

PatternTsEnd indicates when the pattern search ended.
name. Field type is enumerated. Possible values are None, Local, Remote, and All.

UserAuditAuthenPass specifies conditions for auditing successful logon attempts. This field was previously called UserAuditAccessPass. SAFEART no longer accepts the old name. Field type is enumerated. Possible values are None, Local, Remote, and All.

UserAuditManageFail specifies conditions for auditing unsuccessful attempts to manage the user authentication record.
UserCiParamText is the startup parameter text used when starting the command interpreter specified by UserCiProg. This field is blank if no value has been specified. Field type is character.

UserCiPri specifies the priority at which to run the command interpreter specified by UserCiProg. This field is blank if no value has been specified. Field type is numeric.
UserDfltProtAuditManageFail specifies conditions for auditing unsuccessful attempts to manage the protection records associated with disk files that are protected on creation through DEFAULTPROTECTION. This field appears in SAFEART reports only if DEFAULTPROTECTION is defined for the user. Field type is enumerated. Possible values are None, Local, Remote, and All.
UserDfltProtOwnerUserNumber specifies the user ID of the primary owner of disk files protected through DEFAULT-PROTECTION. This field appears in SAFEART reports only if DEFAULT-PROTECTION is defined for the user. Field type is user number.

UserFreeze specifies, if True, that the user ID is frozen. Field type is True or False.

UserLastLogonTime specifies when the last successful authentication of this user occurred. Field type is date and time.
User Record Extensions SAFEART Field Descriptions

UserPasswordExpires specifies when the user's password expires. This field is blank if password expiration is not in effect. Field type is date and time. You cannot use this field in SET WHERE commands.

UserPasswordExpiryGrace specifies the number of days after password expiration during which this user can change the password during logon. Field type is numeric.

UserPassWordLastChange specifies the last time this user's password was changed.
User Record Extension

These attributes appear in the User Record Extension:

UserGroupCount specifies the number of entries in the user's group list. Field type is numeric. You cannot use this field in SET WHERE commands.

UserGroupList specifies the list of groups of which the user is a member. The maximum number of groups is 32. You cannot use this field in SET WHERE commands.
For example:

Numownentries = 3
OwnerEntries = 255,255 SUPER.SUPER LocalSpecific
               255,255 SUPER.SUPER RemoteSpecific
               255,255 SUPER.SUPER NodeSpecific \010

User Record Extension1

These attributes appear in User Record Extension1:

UserTextDescription contains the descriptive text associated with the authentication record. This field is blank if no descriptive text has been specified.
can hold text-description data of variable length and is blank if no descriptive text has been specified.

Note. User Record Extension 1n is supported only on systems running J06.03 and later J-series RVUs, H06.14 and later H-series RVUs, and G06.32 and later G-series RVUs.
Enumerated Fields SAFEART Field Descriptions

Enumerated Fields

Enumerated fields occur in primary records, secondary records, and secondary text areas. Possible values for enumerated fields that are part of a secondary text area appear in Secondary Text Area on page 7-12. The following tables list the possible values for the enumerated fields not previously defined in this section. You can use the values in the first column of each table in comparison statements involving the particular field.
Table 7-4. ObjectType Enumeration (page 2 of 3)

Value       Description
OssFileset  In the OSS environment, refers to a set of files with a common mount point within the file hierarchy. The fileset name in external name=internal name [on mount point] format appears in the ObjectName field.
OssNS       In the OSS environment, OssNS refers to the Name Server. The OSS SEEP attributes are set as part of the Name Server attributes.
Table 7-4. ObjectType Enumeration (page 3 of 3)

Value         Description
Subsystem     Refers to a subsystem. The name of the subsystem, represented as an ASCII string, appears in the ObjectName field.
Subvolume     Refers to an Enscribe subvolume. The name of the subvolume, explicitly qualified with a volume name, appears in the ObjectName field.
SystemDevice  Refers to a system device such as the system clock.
TapeMount     Refers to a generated mount request number.
Table 7-5. Operation Enumeration (page 1 of 3)

Value         Description
Abort         Refers to a TMF ABORT operation.
Accept        Refers to the acceptance of a request.
Access        Refers to OSS operations to check the user's access permissions for a given object.
Add           Refers to a TMF ADD operation.
Alter         Describes a TMF ALTER operation.
Authenticate  Refers to an identity check of a user ID requested by a client subsystem.
Table 7-5. Operation Enumeration (page 2 of 3)

Value       Description
Grant       Refers to an SQL grant or transmission of access rights to an SQL object by one user to another.
Initialize  Refers to a TMF INITIALIZE operation.
Insert      Refers to an operation, not exclusively by SQL, involving the insertion of a record or other collection of values into an object, such as a file or table.
Table 7-5. Operation Enumeration (page 3 of 3)

Value    Description
Reject   Refers to the rejection of a request.
Release  Refers to an audit file release resulting from a RELEASE command.
Rename   Refers to the renaming of an object.
Reset    Refers to the action of resetting a flag or condition.
Resolve  Refers to a TMF RESOLVE operation.
Revive   Refers to a change of state of an object from inactive to active.
Table 7-6. Outcome Enumeration (page 1 of 2)

Value    Description
Denied   Permission to attempt the requested operation was denied.
Failed   The requested operation was unsuccessfully completed.
Granted  Permission to attempt the requested operation was granted.
Maybe    The outcome was unknown when the audit request was made.
Table 7-6. Outcome Enumeration (page 2 of 2)

Value            Description
Pswdqualdenied@  The password change attempt failed because the password provided does not meet the PASSWORD-MIN-QUALITY-REQUIRED.
Pswdqualreject@  The password change attempt failed because the password provided is rejected by the Security-Event-Exit-Process.
Pswdinvalid@     The password change attempt failed because the password provided is invalid.
Table 7-7 lists the possible values for the OwnerIsRemote field of the primary record.

Table 7-7. OwnerIsRemote Enumeration

Value    Description
Local    The owner is local.
None     The owner field is not appropriate for this type of object.
Remote   The owner is remote.
Unknown  The owner is not known at this time.

Table 7-8 lists the possible values for the SecondaryRecordType field of the secondary record.

Table 7-8.
Table 7-9. SecondaryTextAreaType Enumeration (page 2 of 6)

Value           Description
EEprocess       The text area contains an event-exit process configuration record.
Group           The text area contains a group profile record.
GroupprofileExt The text area contains an extension to the group authentication record.
Input           The text area contains generic command text input defined by the subsystem.
Logoff          The text area contains a Safeguard automatic logoff record.
Table 7-9. SecondaryTextAreaType Enumeration (page 3 of 6)

Value        Description
OssFileAttr  The text area contains these fields:
             1. Variant type
             2. File Mode
             3. User ID
             4. Group ID
             5. rdev
             6. Size
             7. Access time
             8. Modification time
             9. Status Change time
             10. Length of the pathname
             11. Pathname
             Depending on the type of operation, clients supply the necessary fields. The Variant type field indicates which fields are present.
Table 7-9. SecondaryTextAreaType Enumeration (page 4 of 6)

Value       Description
OssAclAttr  The text area contains these fields:
            1. Variant Type
            2. File Mode
            3. User ID
            4. Group ID
            5. rdev
            6. Size
            7. Access time
            8. Modification time
            9. Status Change time
            10. Length of the Pathname
            11. Pathname
            12. Creator of user number
            13. Creator of user name
            14. Creator of alias
            15. Creator time
            16. Modification of user number
            17.
Table 7-9. SecondaryTextAreaType Enumeration (page 5 of 6)

Value           Description
OssProcessSetID The text area contains an enumerated field giving information on the ID affected (1 for user ID, 2 for group ID) along with the corresponding real, effective, and saved-set user ID or group ID information. This text area also provides the corresponding real, effective, and saved-set authentication type information for the user ID.
Table 7-9. SecondaryTextAreaType Enumeration (page 6 of 6)

Value                Description
UserProfileExt1      The text area contains another extension to the user authentication record.
User Profile Ext 1n@ The text area supersedes Extn 1. All fields are similar to Extn 1, except the user text field, which is of variable length.
ClientIPAddress!     The text area contains the client IP address.

@ Supported only on systems running J06.03 and later J-series RVUs, H06.
SAFEART Field Descriptions for OSS Audits SAFEART Field Descriptions

Table 7-10 lists the possible values for both the Veracity field of the primary record and the SecondaryVeracity field of the secondary record.

Table 7-10. Veracity Enumeration

Value      Description
Tr         Specifies that the request originated from a trusted client and no errors were detected in the audit request.
TrInError  Specifies that the request originated from a trusted client and errors were detected.
OSS Access Mode Record SAFEART Field Descriptions

Secondary Text Area

The fields in the secondary text area contain a prefix to help you identify the type of OSS record that appears in the text area:

Field Prefix   OSS Record                  Secondary Text Area Type
OssAccess      OSS Access Mode Record      OssAccess
OssAclAttr     OSS ACLs Attribute Record   OssAclAttr
OssAuditAttr   OSS Audit Attribute Record  OssAudit
OssExec        OSS Process Startup Record  OssExec
OssFileAttr    OSS File Attributes Record  OssFileAttr
OssKill
OSS ACLs Attribute Record SAFEART Field Descriptions

For more details on access mode, see the Open System Services System Calls Reference Manual.

OSS ACLs Attribute Record

This record represents the OSS file attributes. Depending on the type of the operation, clients supply the necessary fields for auditing. The number of secondary records generated depends on the type of operation.

Note. OssAclAttr is supported only on systems running G06.29 and later G-series RVUs and H06.08 and later H-series RVUs.
OssAclAttrCreatorUserNumber specifies the number of the user who created the ACL, and displays the value of the DDL field ZCREATORUSERNUM.

OssAclAttrCreatorTime specifies the time that the ACL was created, and displays the value of the DDL field ZCREATORTIME.

OssAclAttrLastModUserNumber specifies the user number of the user who last modified the ACL, and displays the value of the DDL field ZLASTMODUSERNUM.
OSS Audit Attribute Record SAFEART Field Descriptions

OSS Audit Attribute Record

A change in the audit attribute of a fileset from an SCF command is recorded in the audit trail by the OSS Monitor. The number of secondary records generated depends on the type of command executed. For example, an Add command generates only one secondary record, whereas an Alter command generates two secondary records.
OSS Process Startup Record SAFEART Field Descriptions

OssSeepEnabled, if True, specifies that SEEP is enabled. Valid values are True and False.

OssSeepRspTimeout specifies the time in seconds that the OSS Name Server waits for SEEP to respond to an event.

OssSeepPriority specifies the priority at which SEEP is running.

OssSeepCPU specifies the CPU in which the primary SEEP is running.
OSS File Attributes Record SAFEART Field Descriptions

OssExecOwnerGID specifies the Group ID. Field value is OSS GroupID.

OSS File Attributes Record

This record represents the OSS File Attributes. Depending on the type of the operation, clients supply the necessary fields for auditing. The number of secondary records generated depends on the type of operation. One or more of these fields appears in the text area representing the File Attributes record:

OssFileAttrMode specifies the file mode.
OSS Kill Record SAFEART Field Descriptions

OssFileAttrChangeTime specifies the time of the last file status change. This is a 32-bit representation of the timestamp. For more information, see the Open System Services System Calls Reference Manual.

OssFileAttrPathName, if the object type is Symlink, specifies the pathname of the file or the contents of the symbolic link. Field type is character.
OssKillTargetRealUID specifies the target's real user ID. This field is not present for Process Group kill. Field value is OSS UserID.

OssKillTargetRealAuthType specifies the target's real authentication type. This field is not present for Process Group kill. Field type is enumerated. Possible values are Local, Remote, Invalid, and Unauth.

OssKillTargetSavedUID specifies the target's saved-set user ID. This field is not present for Process Group kill.
OSS Link Record SAFEART Field Descriptions

OSS Link Record

A link record is generated whenever the link count of a file is changed due to operations such as link() and unlink(). However, if the link count becomes zero, a File Attributes record is generated instead. These fields appear in the text area representing the Link record:

OssLinkCount specifies the number of links. Field type is numeric.

OssLinkPathName specifies the pathname of the file.
OSS Process Set ID Record SAFEART Field Descriptions

OSS Process Set ID Record

A Process Set ID record is generated whenever the user or group IDs of a process are changed by calls such as setuid(), setgid(), setreuid(), or setregid(). A pair of records is generated, one for the value of the IDs before the operation and one for the value of the IDs after the operation.
OSS File Times Record SAFEART Field Descriptions

OssProcessEffGID specifies the effective group ID of the process. Field value is OSS Group ID.

OssProcessSavedGID specifies the saved-set group ID of the process. Field value is OSS Group ID.

OSSProcessOperPrivSetID specifies whether the setgid operation is authorized to access the restricted-access filesets.

Note. The OSSProcessOperPrivSetID field is supported only on systems running J06.11 and later J-series RVUs and H06.22 and later H-series RVUs.
OSS File Privileges Attribute Record SAFEART Field Descriptions

This field appears in the text area representing the Rename record:

OssPathName specifies the old pathname of the file. Field type is character.

OSS File Privileges Attribute Record

The secondary text area type associated with this record is FilePrivAttr. This record is used for recording the file privileges of an OSS or Guardian file whenever the privileges are set or modified.
Safeguard Audit Service Manual — 520480-031, page 7-82
8 SAFEART Error Messages

SAFEART issues these error messages:

ERROR: A maximum of 4 title lines is allowed.
Cause. You used more than four TITLE commands.
Effect. All title lines are discarded, and the previous valid title is used.
Recovery. Reissue with four or fewer title lines.

ERROR: A quote must be finished before the end of the command.
Cause. The syntax required a pair of quotation marks around a character string. The beginning or ending quotation mark is missing.
Effect. The command is not executed.
ERROR: Audit file specified must have a file code of 541.
Cause. You specified a file that is not an audit file in an AUDIT FILE command.
Effect. The AUDIT FILE command is not executed.
Recovery. Reenter the command specifying an audit file name known to the system.

ERROR: Before prefix not allowed for item item-name.
Cause. You used the before prefix for a primary record. This prefix is allowed only for secondary records.
Effect. The SET WHERE command is not executed.
Recovery.
ERROR: Could not open obey file.
Cause. The command file could not be opened.
Effect. Processing ends, and you are returned to the SAFEART prompt.
Recovery. Check the spelling of the command file name. If the name is correct, check that the file exists in the volume and subvolume you specified, or in the default volume and subvolume if you provided only a file name.

ERROR: Could not open OUT file.
Cause. The file defined in an OUT command could not be opened.
Effect.
ERROR: Invalid date.
Cause. You specified an invalid date in a SET START TIME or SET END TIME command; for example, 91/12/42.
Effect. The command is not executed.
Recovery. Reenter the command using a valid date.

*** ERROR *** Invalid File Name file.
Cause. The named audit file could not be opened.
Effect. Processing ends, and you are returned to the command interpreter prompt rather than the SAFEART prompt.
Recovery. Check the spelling of the audit file name.
ERROR: Numbers must contain only digits.
Cause. You used a number that contains characters other than the digits 0 through 9.
Effect. The command is not executed.
Recovery. Reenter the command using a valid number.

ERROR: Only operators '=' and '<>' allowed for item item-name.
Cause. You used an invalid operator for a record item in a comparison statement for a SET WHERE command.
Effect. The SET WHERE command is not executed.
Recovery.
ERROR: Prompt string must be 80 characters or less.
Cause. The new SAFEART prompt you defined with a DISPLAY PROMPT command is longer than 80 characters.
Effect. The DISPLAY PROMPT command is not executed.
Recovery. Reenter the command using a shorter prompt definition. (Use fewer parameters or a shorter character string within parentheses.)

ERROR: SET WHERE ignored.
Cause. Enough errors were found in a SET WHERE command to prevent SAFEART from using it.
Effect.
*** ERROR *** Unable to Obtain Memory.
Cause. Not enough memory was available to process the SAFEART report.
Effect. Processing ends, and you are returned to the command interpreter prompt rather than the SAFEART prompt.
Recovery. Rerun the SAFEART commands. If the problem persists, contact your service provider.

ERROR: Unexpected I/O error while reading commands.
Cause. An input/output (I/O) error occurred while SAFEART was reading commands.
Effect.
WARNING error-number Event Flushed
Cause. An event was not used because of an error in the audit file, identified by error-number. error-number is in one of these ranges:
10 - 49  A link from a primary to a secondary record is damaged.
52 - 57  A secondary record has no primary record. The error-number is the record type.
102      A primary record is incomplete. Some of the secondary records are missing.
Effect.
A Audit File Record Formats

This appendix describes the structure of the records in the audit files. If you are writing programs to extract information from the audit trail, read this appendix. However, if you are using SAFEART to get information from the audit trail, you do not need to read this appendix. Instead, see Section 7, SAFEART Field Descriptions.

About the Audit Trail

The security audit trail consists of one or more audit pools.
Audit File Structure Audit File Record Formats

• Full name of the preceding audit file
• Full name of the audit file
• Full name of the next audit file
• Time, specified as a Greenwich mean time (GMT) timestamp, when the audit file was initialized and the header record written
• Safeguard version number
• Operating system TOSVERSION
• Local time zone offset relative to Greenwich mean time

Audit Records

The audit file also contains primary audit records and secondary audit records.
Audit Record Definitions Audit File Record Formats

Audit Record Definitions

This subsection contains DDL definitions for each type of record that appears in the audit files. For more information about DDL definitions, see the Data Definition Language (DDL) Reference Manual. Some fields in the audit records are optional. That is, they are blank or set to zero if they are not defined or not applicable. For example, for an unnamed system, the field ZAUDITING-SYSTEMNAME is blank.
Audit File Header Record Audit File Record Formats

Field Definitions

ZRECORD-TYPE is the audit record type. For header records, it is always the value of ZSFG-VALAUD-REC-HEADER.

ZRECORD-LEN is the length, in bytes, of this audit record.

ZAUDIT-RECORD-VERSION is the revision level. It is incremented only when the fields in existing records (either primary or secondary) are modified to change their location or redefine the content of the field, or when a change occurs to the audit header record itself.
Primary Audit Record Audit File Record Formats

ZAUDITING-SYSTEMNAME is the system name of the system containing the audit file.

ZTIMEZONE-OFFSET is, in microseconds, the local standard time zone of the auditing system as a signed, 64-bit integer offset relative to Greenwich mean time. The offset for time zones between longitudes 0 and 180 degrees West is negative. For all others, it is positive.

ZAUDIT-FILENAME is the name, including the volume name and subvolume name, of this audit file when it was first opened.
02 ZAUDITNUMBER
02 ZTIME-REPORTED
02 ZTIME-RECEIVED
02 ZVERACITY
02 ZGROUP-COUNT
02 ZOPERATION
02 ZOUTCOME
02 ZMASTER-AUDITNUMBER
02 ZSUBJECT
   04 ZSUBJECT-TYPE
   04 ZUSERNUMBER
   04 ZUSERNAME
   04 ZCREATORNUMBER
   04 ZCREATORNAME
   04 ZSYSTEMNUMBER
   04 ZSYSTEMNAME
   04 ZAUTHLOCNUMBER
   04 ZAUTHLOCNAME
   04 ZPROCESSNAME
   04 ZSUBSYSTEMID
   04 ZTERMINALNAME
02 ZAUDIT-CREATOR
   04 ZSUBJECT-TYPE
   04 ZUSERNUMBER
   04 ZUSERNAME
   04 ZCREATORNUMBER
   04 ZCREATORNAME
   04 ZSYSTEMNUMBER
   04 ZSYSTEMNA
ZRECORD-LEN is the length, in bytes, of this audit record.

ZAUDITNUMBER is a binary integer that identifies an audited event in the security audit pool. For events whose descriptions span more than one record, the several records involved are linked by a common value of ZAUDITNUMBER.
ZSFG-VAL-VER-UNTR-IN-ERROR indicates that the request originated from an untrusted client and errors were detected. Audit requests are not rejected because of errors detected in the request. Instead, the audit records resulting from such requests are marked to indicate that they might contain erroneous data.

ZSFG-VAL-VER-UNTR-UNCHECKED indicates that the request originated from an untrusted client and was not checked for errors.
ZSFG-VAL-OPER-CONNECT indicates the establishment of a connection between UNIX datagram sockets when a connect operation is performed on the object socket. This description is used for OSS sockets.

Note. This is supported only on systems running H06.26 and later H-series RVUs and J06.15 and later J-series RVUs.

ZSFG-VAL-OPER-CHANGE-OWNER indicates an explicit change in object ownership made by a command such as the FUP GIVE command.
ZSFG-VAL-OPER-EXCLUDE indicates a TMF EXCLUDE operation.

ZSFG-VAL-OPER-EXECUTE indicates opens of program files for execution.

ZSFG-VAL-OPER-GIVE is reserved for future use.

ZSFG-VAL-OPER-GRANT indicates an SQL grant or transmission of access rights to an SQL object by one user to another.

ZSFG-VAL-OPER-INITIALIZE indicates a TMF INITIALIZE operation.
ZSFG-VAL-OPER-NEXTTAPE indicates a NEXTTAPE operation.

ZSFG-VAL-OPER-ONLINE-DUMP indicates a TMF online dump operation.

ZSFG-VAL-OPER-OPEN indicates that an object has been opened and a connection has been made to the subject process. This description is not used for audited Safeguard events. Safeguard software uses more specific descriptions, such as READ and WRITE.

ZSFG-VAL-OPER-OTHER indicates an operation other than one of those listed here.
ZSFG-VAL-OPER-RESET indicates the action of resetting a flag or condition.

ZSFG-VAL-OPER-RESOLVE indicates a TMF RESOLVE operation.

ZSFG-VAL-OPER-REVIVE indicates an object's change of state from inactive to active.

ZSFG-VAL-OPER-REVOKE indicates an SQL revocation of a user's access rights to an SQL object by another user.

ZSFG-VAL-OPER-ROLLFORWARD indicates a TMF rollforward operation.
ZSFG-VAL-OPER-UPDATE indicates the same type of operation as ZSFG-VAL-OPER-READWRITE.

ZSFG-VAL-OPER-USETAPE indicates a USETAPE operation.

ZSFG-VAL-OPER-VERIFYUSER indicates a user authentication and subsequent logon performed by the operating system or the Safeguard subsystem.

ZSFG-VAL-OPER-WRITE indicates an attempt to open an object for a write operation.

ZSFG-VAL-OPER-TACLLOGOFF indicates an attempt to audit the TACL session Logoff events.

Note.
ZSFG-VAL-AUTH-USER-PW-EXPIRED  The authentication attempt failed because the user's password expired.

ZSFG-VAL-AUTH-USER-PW-INVALID  The authentication attempt failed because the user supplied an incorrect password.

ZSFG-VAL-AUTH-USER-VALID  The user was successfully authenticated.

If the operation is not an authentication, the possible outcomes are:

ZSFG-VAL-OUTCOME-DENIED  Permission to attempt the requested operation was denied.
ZSFG-VAL-OUTCOME-WARNING  The operation would have been denied, but the system was in Safeguard warning mode.

ZMASTER-AUDITNUMBER is a binary integer. It currently contains the same value as ZAUDITNUMBER.

ZSUBJECT is an instance of the ZSFG-DDL-GUARD-SUBJECT template. For most events, this template describes the process that attempted the audited operation.
ZAUTHLOCNUMBER is, as a 32-bit integer, the system number where the user was authenticated. The value is zero if the system is remote and authentication information is not available, or if the subject is an NFS client.

ZAUTHLOCNAME is, as an ASCII string, the name corresponding to ZAUTHLOCNUMBER. The field is blank if the system is remote and authentication information is not available, or if the subject is an NFS client.
ZSFG-VAL-OBJ-CONFIG-RECORD indicates a generic configuration record defined and managed by a client subsystem. The object name of an object of this type follows the lexical and syntactic rules defined by the client subsystem for identifying configuration records under its control.

ZSFG-VAL-OBJ-CONTROLLER indicates a description of a controller.

ZSFG-VAL-OBJ-DEVICE indicates a nondisk device.
ZSFG-VAL-OBJ-PROCESS indicates a process. The object name of an object of this type is a process name in external form or a CRTPID.

ZSFG-VAL-OBJ-PROT-RECORD indicates a protection record maintained by the Safeguard subsystem or a privileged client. A protection record contains access rules and permissions for the object that it controls.
ZSFG-VAL-OBJ-SUBDEVICE indicates a subdevice. The object name of an object of this type is a subdevice name explicitly qualified with a device name in external form.

ZSFG-VAL-OBJ-SUBPROCESS indicates a subprocess. The object name of an object of this type is a valid subprocess name explicitly qualified with a process name, either in external form or as a CRTPID.

ZSFG-VAL-OBJ-SUBSYSTEM indicates a subsystem.
Primary Audit Record Audit File Record Formats ZSFG-VAL-OBJ-TMF-TAPEMEDIA indicates the tape volumes in the TMF catalog. ZSFG-VAL-OBJ-TMF-TRANSACTION indicates a TMF transaction. ZSFG-VAL-OBJ-USER indicates a class of users known to and managed by a client subsystem. An example of this class is Transfer Correspondents. The object name of an object of this type is formed according to rules defined by the subsystem.
Primary Audit Record Audit File Record Formats ZOWNER-USERNUMBER is the user ID of the owner of the object. ZOWNER-USERNAME is the user name of the owner of the object. ZOBJECTNAME-VAR is an instance of the ZSFG-DDL-AUD-VARSREC template that gives the length and offset of the object name of the audited operation. The component fields are: zlength indicates the length of the object name of the audited operation. zoffset indicates the offset of object name from ZOBJECT-NAME.
Primary Audit Record Audit File Record Formats DDL Definition DEF ZSFG-DDL-USER-REMPASSWORD. 02 ZSYSTEMNUMBER TYPE ZSPI-DDL-INT2. 02 ZSYSTEMNAME TYPE ZSPI-DDL-BYTE OCCURS 8 TIMES. 02 ZUSERNUMBER TYPE ZSFG-DDL-AUD-USERNUMBER. 02 ZUSERNAME TYPE ZSPI-DDL-BYTE OCCURS 18 TIMES. 02 ZALIASNAME TYPE ZSPI-DDL-BYTE OCCURS 32 TIMES. END. Field Definitions ZSYSTEMNUMBER is the system number, as a 32-bit integer, of the subject. ZSYSTEMNAME is the system name, as an ASCII string, corresponding to ZSYSTEMNUMBER.
Primary Audit Record Audit File Record Formats Field Definitions ZUSERNUMBER is, in internal form, the group number, member number of the subject. ZUSERNAME is, in external form, the group name.member name of the subject. This field is blank if an alias is used to gain access to the system. ZALIASNAME is the alias name under which the user gained access to the system. This field is blank if the underlying ID, rather than an alias, is used to gain access to the system.
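As an added example, not code from the manual or from HP, here is a decoder for the ZSFG-DDL-USER-REMPASSWORD subrecord laid out above, with the blank-field rule for ZUSERNAME and ZALIASNAME turned into a consistency check. Two sizes are assumptions because the page does not state them: ZSPI-DDL-INT2 is taken as a 4-byte big-endian integer (matching the "32-bit integer" wording) and ZSFG-DDL-AUD-USERNUMBER as two 16-bit words, group number then member number.

```python
import struct
from dataclasses import dataclass

# ">" = big-endian (NonStop byte order). Field order follows the DDL above:
#   ZSYSTEMNUMBER  ZSPI-DDL-INT2           -> 4-byte signed integer (assumed)
#   ZSYSTEMNAME    ZSPI-DDL-BYTE x 8
#   ZUSERNUMBER    ZSFG-DDL-AUD-USERNUMBER -> group word, member word (assumed)
#   ZUSERNAME      ZSPI-DDL-BYTE x 18
#   ZALIASNAME     ZSPI-DDL-BYTE x 32
_LAYOUT = struct.Struct(">i8sHH18s32s")
RECORD_LEN = _LAYOUT.size  # 66 bytes under the assumptions above


@dataclass(frozen=True)
class RemPasswordRecord:
    system_number: int
    system_name: str
    group_number: int
    member_number: int
    user_name: str    # blank when the user logged on through an alias
    alias_name: str   # blank when the underlying ID was used

    @property
    def uses_alias(self) -> bool:
        return self.alias_name != ""

    @property
    def logon_identity(self) -> str:
        """Name to show an auditor: the alias if one was used, else the
        GROUP.MEMBER user name, else the numeric internal form."""
        if self.uses_alias:
            return self.alias_name
        if self.user_name:
            return self.user_name
        return f"{self.group_number},{self.member_number}"

    def is_consistent(self) -> bool:
        """Per the field definitions exactly one of ZUSERNAME / ZALIASNAME
        is blank; a record violating that deserves a closer look."""
        return (self.user_name == "") != (self.alias_name == "")


def _text(raw: bytes) -> str:
    # Fixed-width ASCII fields are blank-padded; NULs are stripped defensively.
    return raw.decode("ascii", errors="replace").rstrip(" \x00")


def parse_rempassword(buf: bytes, offset: int = 0) -> RemPasswordRecord:
    """Decode one subrecord at `offset`, refusing to read past the buffer."""
    if offset < 0 or offset + RECORD_LEN > len(buf):
        raise ValueError(
            f"need {RECORD_LEN} bytes at offset {offset}, have {len(buf) - offset}")
    sysnum, sysname, group, member, uname, alias = _LAYOUT.unpack_from(buf, offset)
    return RemPasswordRecord(
        system_number=sysnum,
        system_name=_text(sysname),
        group_number=group,
        member_number=member,
        user_name=_text(uname),
        alias_name=_text(alias),
    )


def build_rempassword(system_number: int, system_name: str, group: int,
                      member: int, user_name: str = "",
                      alias_name: str = "") -> bytes:
    """Encode a record; used here only to construct sample input."""
    def fit(s: str, n: int) -> bytes:
        b = s.encode("ascii")
        if len(b) > n:
            raise ValueError(f"{s!r} is longer than {n} bytes")
        return b.ljust(n, b" ")
    return _LAYOUT.pack(system_number, fit(system_name, 8), group, member,
                        fit(user_name, 18), fit(alias_name, 32))


# Constructed samples, not taken from a real audit file: an alias logon from
# node \CORP (system number 101) by underlying ID 200,5, and the same ID
# logging on directly, so ZALIASNAME is blank and ZUSERNAME is set.
SAMPLE_ALIAS_LOGON = build_rempassword(101, "\\CORP", 200, 5, alias_name="auditbot")
SAMPLE_DIRECT_LOGON = build_rempassword(101, "\\CORP", 200, 5, user_name="OPS.AUDITOR")

if __name__ == "__main__":
    for raw in (SAMPLE_ALIAS_LOGON, SAMPLE_DIRECT_LOGON):
        rec = parse_rempassword(raw)
        print(rec.logon_identity,
              "consistent" if rec.is_consistent() else "INCONSISTENT")
```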
ZPRIVLOGONOPER indicates the conditions for auditing privlogon attempts on the system.

ZUSERCREATORNUMBER is, in internal form, the group number.member number of the subject who created the requested subject.

ZUSERCREATORNAME is, in external form, the group name.member name of the subject who created the requested subject.

ZUSERCREATORISALIAS indicates, when true, that ZUSERCREATORNAME is an alias name.
Secondary Audit Record

ZGROUPCREATORISALIAS indicates, when true, that ZUSERCREATORNAME is an alias name.

ZGROUPNODENUMBER denotes the node number where the requested subject is created.

ZGROUPCREATIONTIME is a 64-bit GMT timestamp specifying the date and time when the requested subject was created.

ZSFG-VAL-AUD-REC-BEFORE indicates that the text area contains a representation of an object before an attempted change or read operation.

ZSFG-VAL-AUD-REC-DELETE indicates that the text area contains a representation of an object before an attempted delete operation.

ZSFG-VAL-AUD-REC-NEW indicates that the text area contains a representation of a newly added object.

indicate that they might contain erroneous data before they are written to the audit pool.

ZSFG-VAL-VER-TR-UNCHECKED indicates that the request originated from a trusted client and was not checked for errors. In this product revision of the audit service, this value does not normally occur.

ZSFG-VAL-VER-UNTR indicates that the request originated from an untrusted client and no errors were detected in the audit request.

ZSFG-VAL-TEXT-DISPLAY-OUTPUT The text area contains displayable ASCII text that represents command output.
ZSFG-VAL-TEXT-GROUP The text area contains a group profile record.
ZSFG-VAL-TEXT-INPUT The text area contains generic command text input defined by the subsystem.
ZSFG-VAL-TEXT-LOGOFF The text area contains a ZSFG-DDL-VERIFYUSER-SUBREC variant.
ZSFG-VAL-TEXT-LU The text area contains a ZSFG-DDL-LU-SUBREC variant.
ZSFG-VAL-TEXT-PATTERNSEARCH The text area contains a pattern-search access record.
ZSFG-VAL-TEXT-PROCESS The text area contains an event-exit process configuration record.
ZSFG-VAL-TEXT-PROTECTION The text area contains a ZSFG-DDL-PROTECTION-SUBREC variant.
ZSFG-VAL-TEXT-PROTECTION-EXT The text area contains a ZSFG-DDL-PROT-SUBRECEXT variant.
ZSFG-VAL-TEXT-USER-PROFILEEXT1 The text area contains a ZSFG-DDL-USER-SUBRECEXT1 variant.
ZSFG-VAL-TEXT-GROUPPROFILEEXT The text area contains a ZSFG-DDL-GROUP-SUBRECEXT variant.
  Note. This attribute is supported only on systems running J06.14 and later J-series RVUs and H06.25 and later H-series RVUs.
ZSFG-VAL-TEXT-AUTHNIPADD The text area contains a ZSFG-DDL-AUTHN-IPADDRESS variant.
  Note. This attribute is supported only on systems running J06.
Safeguard Object Representations

The audit records include representations of several Safeguard internal data structures. All of these representations occur as variants of the ZTEXT-AREA of secondary audit records. This section specifies the DDL subrecord templates for the variants of ZTEXT-AREA.
Event-Exit Configuration Record

  02 ZPRIMARY-EXTENTS    TYPE ZSPI-DDL-UINT.
  02 ZSECONDARY-EXTENTS  TYPE ZSPI-DDL-UINT.
  02 ZMAXEXTENTS         TYPE ZSPI-DDL-UINT.
  02 ZAUDITCLEARONPURGE  TYPE ZSPI-DDL-BOOLEAN.
END.

Field Definitions

ZAUDIT-POOL-NAME is the $volume.subvolume name of the audit pool to which this record refers.

ZMAXFILES is the maximum number of files that can be allocated in this audit pool.

ZCURRENT-FILE-NUMBER is the current audit file number in this audit pool.

DDL Definition

DEF ZSFG-DDL-PROCESS-SUBREC.
  02 ZPNAME           TYPE ZSPI-DDL-BYTE OCCURS
  02 ZPROG            TYPE ZSPI-DDL-BYTE OCCURS
  02 ZLIB             TYPE ZSPI-DDL-BYTE OCCURS
  02 ZSWAP            TYPE ZSPI-DDL-BYTE OCCURS
  02 ZCPU             TYPE ZSPI-DDL-INT.
  02 ZPRI             TYPE ZSPI-DDL-INT.
  02 ZRSPTIMEOUT      TYPE ZSPI-DDL-UINT.
  02 ZENABLED         TYPE ZSPI-DDL-BOOLEAN.
  02 ZENA-SEEP-AUTHN  TYPE ZSPI-DDL-BOOLEAN.
  02 ZENA-SEEP-AUTHZ  TYPE ZSPI-DDL-BOOLEAN.
  02 ZENA-SEEP-PSWD   TYPE ZSPI-DDL-BOOLEAN.

ZENABLED indicates whether the Safeguard event-exit process is enabled.

ZENA-SEEP-AUTHN indicates whether authentication events are sent to the event-exit process.

ZENA-SEEP-AUTHZ indicates whether authorization events are sent to the event-exit process.

ZENA-SEEP-PSWD indicates whether password change events are sent to the event-exit process. For more information on password change events, see Password Change Events on page 6-20.

Field Definitions

ZOWNERTYPEID indicates how the following ZOWNERUSERNUMBER and ZOWNERUSERNAME fields are to be interpreted. The defined values for ZOWNERTYPEID are:
  ZSFG-VAL-TYPEID-LOCALSPECIFIC is a local user ID that matches: USERID.GROUPNUMBER, USERID.USERNUMBER
  ZSFG-VAL-TYPEID-REMOTESPECIFIC is a local or remote user ID that matches: \*.USERID.GROUPNUMBER, USERID.
ZDELMEMBER contains a list of users that were specified in an attempt to delete members from a group. Each entry in the list can contain up to 32 characters. A maximum of 32 entries can appear.

IP Address Authentication Record

The Safeguard subsystem audits the IP address in the authentication record. The IP address appears in its own secondary record if the IP address was provided during the authentication.
Protection Record

Field Definitions

ZUSERNUMBER is the user ID of the newly logged-on user.

ZUSERNAME is, in external form, the group name.member name of the newly logged-on user. This field is blank if an alias is used to gain access to the system.

ZALIASNAME is the alias name of the newly logged-on user. This field is blank if the underlying ID, rather than an alias, is used to gain access to the system.

    04 ZAUTHORITY-CREATE   TYPE ZSPI-DDL-UINT.
    04 ZAUTHORITY-PURGE    TYPE ZSPI-DDL-UINT.
    04 ZAUTHORITY-EXECUTE  TYPE ZSPI-DDL-UINT.
    04 ZAUTHORITY-WRITE    TYPE ZSPI-DDL-UINT.
    04 ZAUTHORITY-READ     TYPE ZSPI-DDL-UINT.
END.

Field Definitions

ZSFG-DDL-PROTECTION-SUBREC has these fields:

ZOTYPE indicates the type of object this record describes. The defined values for ZOTYPE are:
  ZSFG-VAL-OTYPE-DEVICE indicates a device authorization record.

ZLASTMODTIME is a 64-bit GMT timestamp specifying when the protection record was last modified.

ZCLEARONPURGE indicates, if nonzero, that the disk space used by this file is to be overwritten with zeros when the file is purged.

ZPROGID indicates, if nonzero, that the disk file is a program object code file with the PROGID attribute.

ZLICENSE indicates, if nonzero, that the disk file is a program object code file with the LICENSE attribute.

  ZSFG-VAL-AUDIT-LOCAL Audit local access attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit access attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote access attempts.

ZAUDIT-MANAGE-PASS indicates that successful attempts to manage the protection record are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local management attempts.

ZFREEZE indicates, if nonzero, that the protection record is frozen.

ZOWNERTYPEID indicates how the following ZOWNERUSERNUMBER and ZOWNERUSERNAME fields are to be interpreted. The defined values for ZOWNERTYPEID are:
  ZSFG-VAL-TYPEID-LOCALSPECIFIC is a local user ID that matches: USERID.GROUPNUMBER, USERID.USERNUMBER
  ZSFG-VAL-TYPEID-REMOTESPECIFIC is a local or remote user ID that matches: \*.USERID.GROUPNUMBER, USERID.

  ZSFG-VAL-TYPEID-LOCALANYONE is any user ID that matches: *,*
  ZSFG-VAL-TYPEID-LOCALGROUP is any local user ID that matches: USERID.GROUPNUMBER, *
  ZSFG-VAL-TYPEID-LOCALSPECIFIC is a local user ID that matches: USERID.GROUPNUMBER, USERID.USERNUMBER
  ZSFG-VAL-TYPEID-REMOTEANYONE is any local or remote user ID that matches: \*.*,*
  ZSFG-VAL-TYPEID-REMOTEGROUP is any remote or local user ID that matches: \*.USERID.
Protection Record Extension

ZSUBJECTUSERNAME is the user name of the subject.

ZAUTHORITY-OWNER indicates, if nonzero, that the subject is granted or denied OWNER authority.

ZAUTHORITY-CREATE indicates, if nonzero, that the subject is granted or denied CREATE authority.

ZAUTHORITY-PURGE indicates, if nonzero, that the subject is granted or denied PURGE authority.

ZAUTHORITY-EXECUTE indicates, if nonzero, that the subject is granted or denied EXECUTE authority.
Pattern Protection Record

Field Definitions

ZSFG-DDL-PROT-SUBRECEXT has these fields:

ZNONEXISTENT indicates, if nonzero, that a disk file did not exist when the protection record was added.

ZTRUST specifies the TRUST setting for the objects protected by this record.

ZWARNINGMODE indicates, if nonzero, that warning mode is enabled for the object protected by this protection record.

  02 ZCREATORUSERNUM    TYPE ZSFG-DDL-AUD-USERNUMBER.
  02 ZCREATORUSERNAME   TYPE ZSPI-DDL-BYTE OCCURS 32 TIMES.
  02 ZCREATORISALIAS    TYPE ZSPI-DDL-BOOLEAN.
  02 ZCREATORNODE       TYPE ZSPI-DDL-INT2.
  02 ZCREATORNODENAME   TYPE ZSPI-DDL-BYTE OCCURS 8 TIMES.
  02 ZCREATORTIME       TYPE ZSPI-DDL-TIMESTAMP.
  02 ZLASTMODTYPEID     TYPE ZSPI-DDL-ENUM.
  02 ZLASTMODUSERNUM    TYPE ZSFG-DDL-AUD-USERNUMBER.
  02 ZLASTMODUSERNAME   TYPE ZSPI-DDL-BYTE OCCURS 32 TIMES.

  ZSFG-VAL-OTYPE-PROCESS indicates a process authorization record.
  ZSFG-VAL-OTYPE-SUBDEVICE indicates a subdevice authorization record.
  ZSFG-VAL-OTYPE-SUBPROCESS indicates a subprocess authorization record.
  ZSFG-VAL-OTYPE-SUBVOLUME indicates a subvolume authorization record.
  ZSFG-VAL-OTYPE-VOLUME indicates a disk volume authorization record.

ZLASTMODTIME is a 64-bit GMT timestamp specifying when the protection record was last modified.

  ZSFG-VAL-AUDIT-NONE Do not audit access attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote access attempts.

ZAUDIT-ACCESS-FAIL indicates that unsuccessful attempts to access the protected object are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote access attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local access attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit access attempts from any source.

  ZSFG-VAL-AUDIT-ALL Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local management attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit management attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote management attempts.

ZFREEZE indicates, if nonzero, that the protection record is frozen.

ZOWNERTYPEID indicates how the following ZOWNERUSERNUMBER and ZOWNERUSERNAME fields are to be interpreted.

ZCREATORUSERNUM contains the user number of the user that created this pattern protection record.

ZCREATORUSERNAME contains the user name of the user that created this pattern protection record.

ZCREATORISALIAS indicates, when true, that ZCREATORUSERNAME is an ALIAS name.

ZCREATORTIME contains the time when the pattern protection record was created.

ZLASTMODUSERNUM contains the user ID of the user that last modified this pattern protection record.

ZLASTMODNODENAME contains the last authenticated node name of the user that last modified the pattern protection record.

ZACLENTRY is a repeated structure, each instance of which specifies an ACL entry. The component fields are:

ZGRANT indicates, if nonzero, that this entry grants authorities to its subject; otherwise, this entry denies authorities to its subject.

  ZSFG-VAL-TYPEID-NODEANYONE is any remote user ID authenticated on a specific node that matches: \node.*,*
  ZSFG-VAL-TYPEID-NODEGROUP is any remote user ID authenticated on node that matches: \node.USERID.GROUPNUMBER, *
  ZSFG-VAL-TYPEID-NODESPECIFIC is a remote user ID authenticated on node that matches: \node.USERID.GROUPNUMBER, \node.USERID.USERNUMBER

ZSUBJECTUSERNUMBER is the user ID of the subject.

ZSUBJECTUSERNAME is the user name of the subject.
Pattern Search Access Record

DDL Definition

DEF ZSFG-DDL-PATTERN-SUBREC.
  02 ZPATNUMSEARCH       TYPE ZSPI-DDL-UINT.
  02 ZPATAUTHZMETHOD     TYPE ZSPI-DDL-ENUM.
  02 ZPATREDUCTIONLEVEL  TYPE ZSPI-DDL-ENUM.
  02 ZPATAUTHZRESULT     TYPE ZSPI-DDL-ENUM.
  02 ZPATTSSTART         TYPE ZSPI-DDL-TIMESTAMP.
  02 ZPATTSEND           TYPE ZSPI-DDL-TIMESTAMP.
  02 ZPATAUTHZSPEC       TIMES.
END.
ZPATAUTHZRESULT indicates the result of the pattern search. Possible values are GRANTED, NORECORD, and DENIED.

ZPATTSSTART indicates when the pattern search began.

ZPATTSEND indicates when the pattern search ended.

Safeguard Configuration Record

The Safeguard subsystem maintains a record of its own configuration attributes.

  02 ZCHECK-DISKFILE
  02 ZDIRECTION-DISKFILE
  02 ZCOMBINATION-DISKFILE
  02 ZACL-REQUIRED-DISKFILE
  02 ZAUDIT-DISKFILE-ACCESS-PASS
  02 ZAUDIT-DISKFILE-ACCESS-FAIL
  02 ZAUDIT-DISKFILE-MANAGE-PASS
  02 ZAUDIT-DISKFILE-MANAGE-FAIL
  02 ZCLEARONPURGE-DISKFILE
  02 ZAUDIT-SUBJECT-AUTH-PASS
  02 ZAUDIT-SUBJECT-AUTH-FAIL
  02 ZAUDIT-SUBJECT-MANAGE-PASS
  02 ZAUDIT-SUBJECT-MANAGE-FAIL
  02 ZAUDIT-OBJECT-ACCESS-PASS
  02 ZAUDIT-OBJECT-ACCESS-FAIL
  02 ZAUDIT-OBJECT-MANAGE-PASS
  02 ZAUD

  02 ZPASSWORD-LOWERCASE-REQUIRED
  02 ZPASSWORD-NUMERIC-REQUIRED
  02 ZPASSWORD-SPECIALCHAR-REQUIRED
  02 ZPASSWORD-SPACES-ALLOWED
  02 ZPASSWORD-MIN-QUALITY-REQUIRED
  02 ZAUDIT-FILE-PRIV-LGN
  02 ZAUDIT-EXC-FIELD
  02 ZAUDIT-EXC-VALUE1  32 TIMES.
  02 ZAUDIT-EXC-VALUE2  32 TIMES.
  02 ZAUDIT-EXC-VALUE3  32 TIMES.
  02 ZAUDIT-EXC-VALUE4  32 TIMES.
  02 ZAUDIT-EXC-VALUE5  32 TIMES.

Field Definitions

ZSFG-DDL-CONFIG-SUBREC contains these fields:

ZAUTH-MAX-ATTEMPTS is the maximum number of consecutive failed authentication attempts for a user before some action is taken.

ZAUTH-FAIL-TO-VAL is the amount of time to delay a process after ZAUTH-MAX-ATTEMPTS is exceeded, as an integral number of ZAUTH-FAIL-TO-UNITS.

ZAUTH-FAIL-TO-UNITS indicates what the smallest increment of ZAUTH-FAIL-TO-VALUE represents.

ZPASSWORD-ENCRYPT indicates, if nonzero, that all user passwords are stored in encrypted form.

ZCHECK-DEVICE indicates, if nonzero, that the Safeguard software looks for protection records for devices.

ZCHECK-SUBDEVICE indicates, if nonzero, that the Safeguard software looks for protection records for subdevices.

ZDIRECTION-DEVICE is the order in which the Safeguard software looks for protection records for devices and subdevices.

ZAUDIT-DEVICE-ACCESS-PASS indicates that successful attempts to access a protected device are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote access attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local access attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit access attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote access attempts.

  ZSFG-VAL-AUDIT-NONE Do not audit management attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote management attempts.

ZAUDIT-DEVICE-MANAGE-FAIL indicates that unsuccessful attempts to manage a device protection record are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local management attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit management attempts from any source.

ZCOMBINATION-PROCESS is the manner in which the Safeguard software checks protection records for processes. These values are defined:
  ZSFG-COMBINATION-1ST-RULE indicates first rule.
  ZSFG-COMBINATION-ALL indicates all.

ZACL-REQUIRED-PROCESS indicates, if nonzero, that access is denied to all processes not protected by an ACL.

  ZSFG-VAL-AUDIT-REMOTE Audit remote access attempts.

ZAUDIT-PROCESS-MANAGE-PASS indicates that successful attempts to manage a process protection record are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local management attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit management attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote management attempts.

ZCHECK-DISKFILE indicates, if nonzero, that the Safeguard software searches for protection records for disk files.

ZDIRECTION-DISKFILE is the order in which the Safeguard software searches for protection records for disk files and volumes. These values are defined:
  ZSFG-VAL-DIR-DISK-FILE-1ST indicates that the Safeguard software looks at protection records for disk files before those for volumes.

  ZSFG-VAL-AUDIT-NONE Do not audit access attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote access attempts.

ZAUDIT-DISKFILE-ACCESS-FAIL indicates that unsuccessful attempts to access a protected disk file are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote access attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local access attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit access attempts from any source.

  ZSFG-VAL-AUDIT-ALL Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local management attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit management attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote management attempts.

ZCLEARONPURGE-DISKFILE indicates, if nonzero, that disk files are cleared when purged.

  ZSFG-VAL-AUDIT-NONE No attempts are audited.
  ZSFG-VAL-AUDIT-REMOTE No attempts are audited. Authentication attempts can be audited only on the system where they occur.

ZAUDIT-SUBJECT-MANAGE-PASS indicates that successful attempts to manage a user authentication record are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local management attempts.

  ZSFG-VAL-AUDIT-ALL Audit local and remote attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote attempts.

ZAUDIT-OBJECT-ACCESS-FAIL indicates that unsuccessful attempts to access a protected object are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local attempts.

  ZSFG-VAL-AUDIT-REMOTE Audit remote management attempts.

ZAUDIT-OBJECT-MANAGE-FAIL indicates that unsuccessful attempts to manage an object protection record are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local management attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit management attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote management attempts.

  ZSFG-VAL-RECOVERY-DENYGRANTS Deny Safeguard authorizations until the condition is removed.
  ZSFG-VAL-RECOVERY-RECYCLE Recycle audit files in the current audit pool.
  ZSFG-VAL-RECOVERY-SUSPAUDIT Suspend auditing until the condition is removed.

ZPASSWORD-EXPIRY-GRACE is the number of days after password expiration during which users can still change their password.

ZCMONERROR indicates whether a failure to communicate with $CMON results in the authentication being denied. These values are defined:
  ZSFG-VAL-CMON-ERROR-ACCEPT A failure does not cause the authentication to be denied.
  ZSFG-VAL-CMON-ERROR-DENY A failure causes the authentication to be denied.

ZBLINDLOGON indicates, if nonzero, that passwords are not displayed and cannot be entered on the same line as the user name during logon.

  ZSFG-VAL-ALLOW-DF-PERST-NORMAL ADD commands for disk-file persistent protection records for nonexistent disk files result in an error.
  ZSFG-VAL-ALLOW-DF-PERST-ALWAYS ADD commands for disk-file persistent protection records for nonexistent disk files are accepted as if the file did exist.

ZWARNOBJECTLEVEL indicates, if nonzero, that warning mode is enabled for individual object protection records.

  • After the disk-file protection record search returns NORECORD, when Direction-Diskfile is set to Filename-First.
  • Before the disk-file protection record search, when Direction-Diskfile is set to Volume-First and the Volume and Subvolume protection record search returns NORECORD.

Note. This field is supported only on systems running J06.08 and later J-series RVUs and H06.18 and later H-series RVUs.

ZPASSWORD-UPPERCASE-REQUIRED indicates whether a user password must contain at least one uppercase character. The initial value is OFF.

Note. This attribute is supported only on systems running G06.31 and later G-series RVUs and H06.09 and later H-series RVUs.

ZPASSWORD-LOWERCASE-REQUIRED indicates whether a user password must contain at least one lowercase character. The initial value is OFF.

Note.

PASSWORD-MIN-QUALITY-REQUIRED specifies the minimum quality criteria that must be met when a password is set or changed. The initial value is 0.

Note. When any of the following password quality attributes is enabled, PASSWORD-MIN-QUALITY-REQUIRED is automatically set from 0 to 1:
  • PASSWORD-UPPERCASE-REQUIRED
  • PASSWORD-LOWERCASE-REQUIRED
  • PASSWORD-NUMERIC-REQUIRED
  • PASSWORD-SPECIALCHAR-REQUIRED
  • PASSWORD-ALPHA-REQUIRED

Note.

ZPASSWORD-MIN-NUMERIC-REQ indicates that the user password must contain the specified minimum number of numeric characters. The initial value is 0, and the valid range is 0 through 8.

Note. This attribute is supported only on systems running J06.11 and later J-series RVUs and H06.22 and later H-series RVUs.

ZPASSWORD-MIN-SPECIALCHAR-REQ indicates that the user password must contain the specified minimum number of special characters.

  • zSFG-val-audexc-ownerusernum
  • zSFG-val-audexc-ownerisremote
  • zSFG-val-audexc-subjusername
  • zSFG-val-audexc-subjusernum
  • zSFG-val-audexc-subjsystname
  • zSFG-val-audexc-subjcreatname
  • zSFG-val-audexc-subjcreatnum
  • zSFG-val-audexc-subjsystnum
  • zSFG-val-audexc-subjprocname
  • zSFG-val-audexc-subjautlocname
  • zSFG-val-audexc-subjtermname
  • zSFG-val-audexc-subjautlocnum
  • zSFG-val-audexc-creatrusername
  • zSFG-val-audexc-creatr

ZAUDIT-EXC-VALUE4 specifies the value for the respective field name in ZAUDIT-EXC-FIELD.

ZAUDIT-EXC-VALUE5 specifies the value for the respective field name in ZAUDIT-EXC-FIELD.

Note. The ZAUDIT-EXC-FIELD, ZAUDIT-EXC-VALUE1, ZAUDIT-EXC-VALUE2, ZAUDIT-EXC-VALUE3, ZAUDIT-EXC-VALUE4 and ZAUDIT-EXC-VALUE5 attributes are supported only on systems running J06.03 and later J-series RVUs, H06.14 and later H-series RVUs, and G06.32 and later G-series RVUs.
ZPROMPT-BEFORE-STOP ON indicates that the user is prompted with a confirmation message when the STOP command is issued. The default is OFF.

Note. The ZPROMPT-BEFORE-STOP attribute is supported only on systems running J06.16 and later J-series RVUs, and H06.27 and later H-series RVUs.

Terminal Definition Record

The Safeguard software maintains a terminal definition record for each terminal that has been secured with the ADD TERMINAL command.
User Authentication Record

ZCI-SWAP is the swap volume or file used with this command interpreter.

ZCI-NAME is the process name assigned to the command interpreter when it runs at this terminal.

ZCI-CPU is the processor number in which this command interpreter runs.

ZCI-PRI is the priority at which this command interpreter runs.

ZCI-PARAM-TEXT is the startup parameter text passed to the command interpreter when it is started at this terminal.

  02 ZLASTMODTIME
  02 ZLASTLOGONTIME
  02 ZPASSWORDEXPIRES
  02 ZUSEREXPIRES
  02 ZPASSWORDMAYCHANGE
  02 ZPASSWORDLASTCHANGE
  02 ZSTATICLOGONFAILCOUNT
  02 ZPASSWORD-EXPIRY-GRACE
  02 ZOWNERTYPEID
  02 ZOWNERUSERNUMBER
  02 ZOWNERUSERNAME
  02 ZCI-PROG
  02 ZCI-LIB
  02 ZCI-SWAP
  02 ZCI-NAME
  02 ZCI-CPU
  02 ZCI-PRI
  02 ZCI-PARAM-TEXT  TIMES.

ZDEFAULTSECURITY is a 16-bit field specifying the default Guardian security vector that applies to disk files created by this user and not protected by the Safeguard software. Bits <4:15> of this field are defined by the SETMODE 1 (file security) system procedure call. For more information, see the Guardian Procedure Calls Reference Manual. Bit <2>, when set, indicates that the user profile record includes Safeguard default protection attributes.
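As an added example, not code from the manual or from HP, the following decoder turns a ZDEFAULTSECURITY word into the bit fields just described and flags operations the default vector leaves open to any user. Bit numbering follows the manual's <first:last> notation with bit <0> as the most significant bit; the RWEP field order inside bits <4:15> and the letter codes for each 3-bit value are assumptions taken from the Guardian SETMODE 1 convention, which the page references but does not list.

```python
from dataclasses import dataclass
from typing import List

RWEP_FIELDS = ("read", "write", "execute", "purge")

# Assumed SETMODE 1 security codes, 3 bits each (value 3 is not defined).
SECURITY_LETTER = {0: "A", 1: "G", 2: "O", 4: "N", 5: "C", 6: "U", 7: "-"}

# Codes that allow any local user ("A") or any network user ("N").
_ANYONE = {0, 4}


def bit_field(word: int, first: int, last: int) -> int:
    """Extract bits <first:last> (inclusive) of a 16-bit word, bit <0> = MSB."""
    if not (0 <= first <= last <= 15):
        raise ValueError(f"bad bit range <{first}:{last}>")
    width = last - first + 1
    return (word >> (15 - last)) & ((1 << width) - 1)


@dataclass(frozen=True)
class DefaultSecurity:
    has_safeguard_defaults: bool   # bit <2>
    read: int                      # bits <4:6>
    write: int                     # bits <7:9>
    execute: int                   # bits <10:12>
    purge: int                     # bits <13:15>

    def codes(self):
        return (self.read, self.write, self.execute, self.purge)

    @property
    def rwep(self) -> str:
        """Four-letter Guardian security string; '?' marks an undefined code."""
        return "".join(SECURITY_LETTER.get(v, "?") for v in self.codes())

    def open_to_anyone(self) -> List[str]:
        """Operations that the default vector allows any user to perform,
        the first thing to check when reviewing a user's default protection."""
        return [name for name, v in zip(RWEP_FIELDS, self.codes()) if v in _ANYONE]


def decode_default_security(word: int) -> DefaultSecurity:
    if not 0 <= word <= 0xFFFF:
        raise ValueError("ZDEFAULTSECURITY is a 16-bit field")
    return DefaultSecurity(
        has_safeguard_defaults=bit_field(word, 2, 2) == 1,
        read=bit_field(word, 4, 6),
        write=bit_field(word, 7, 9),
        execute=bit_field(word, 10, 12),
        purge=bit_field(word, 13, 15),
    )


def encode_rwep(letters: str, safeguard_defaults: bool = False) -> int:
    """Inverse of decode_default_security; used to build constructed samples."""
    if len(letters) != 4:
        raise ValueError("expected four RWEP letters")
    code = {v: k for k, v in SECURITY_LETTER.items()}
    word = 0
    for i, ch in enumerate(letters.upper()):
        word |= code[ch] << (15 - (6 + 3 * i))   # field i occupies <4+3i:6+3i>
    if safeguard_defaults:
        word |= 1 << (15 - 2)                     # bit <2>
    return word


# Constructed sample values, not taken from a real audit record.
SAMPLE_NUNU = encode_rwep("NUNU")                        # 0x09A6
SAMPLE_AAAA_WITH_DEFAULTS = encode_rwep("AAAA", True)    # 0x2000

if __name__ == "__main__":
    for word in (SAMPLE_NUNU, SAMPLE_AAAA_WITH_DEFAULTS):
        sec = decode_default_security(word)
        print(f"0x{word:04X} {sec.rwep} defaults={sec.has_safeguard_defaults}"
              f" open_to_anyone={sec.open_to_anyone()}")
```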
  ZSFG-VAL-AUDIT-REMOTE No authentication attempts are audited. Authentication attempts can be audited only on the system where they occur.

ZAUDIT-MANAGE-PASS indicates that successful attempts to manage the user authentication record are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote management attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local management attempts.

  ZSFG-VAL-AUDIT-ALL Audit local and remote attempts by the user.
  ZSFG-VAL-AUDIT-LOCAL Audit local attempts performed by the user.
  ZSFG-VAL-AUDIT-NONE Do not audit attempts performed by the user.
  ZSFG-VAL-AUDIT-REMOTE Audit remote attempts performed by the user.

ZAUDIT-USER-ACTION-FAIL indicates all failed attempts by the user to access protected objects or manage Safeguard protection records.

ZLASTLOGONTIME is a 64-bit GMT timestamp specifying when the last successful authentication of this user occurred.

ZPASSWORDEXPIRES is a 64-bit GMT timestamp specifying when the user's password expires.

ZUSEREXPIRES is a 64-bit GMT timestamp specifying when the user ID expires. An expired user ID cannot be successfully authenticated.

ZPASSWORDMAYCHANGE is a 64-bit GMT timestamp specifying when the password for this user can next be changed.

ZOWNERUSERNAME is the user name of the owner of the profile record.

ZCI-PROG is the name of the object file for the command interpreter started after this user is authenticated at a Safeguard terminal.

ZCI-LIB is the file name of the library used with this command interpreter.

ZCI-SWAP is the swap volume or file used with this command interpreter.

ZCI-NAME is the process name assigned to this command interpreter.

  ZSFG-VAL-AUDIT-REMOTE Audit remote access attempts.

ZAUDIT-ACCESS-FAIL indicates that unsuccessful attempts to access the disk file are audited depending on these values:
  ZSFG-VAL-AUDIT-ALL Audit local and remote access attempts.
  ZSFG-VAL-AUDIT-LOCAL Audit local access attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit access attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote access attempts.

  ZSFG-VAL-AUDIT-LOCAL Audit local management attempts.
  ZSFG-VAL-AUDIT-NONE Do not audit management attempts from any source.
  ZSFG-VAL-AUDIT-REMOTE Audit remote management attempts.

ZFREEZE indicates, if nonzero, that disk files protected for the user through DEFAULTPROTECTION are initially frozen.

ZOWNERTYPEID indicates how the following ZOWNERUSERNUMBER and ZOWNERUSERNAME fields are to be interpreted.

ZGRANT indicates, if nonzero, that this entry grants authorities to its subject; otherwise, this entry denies authorities to its subject.

ZSUBJECTTYPEID indicates how the following ZSUBJECTUSERNUMBER and ZSUBJECTUSERNAME fields are interpreted to define the set of user IDs controlled by this ACL entry.
User Record Extensions Audit File Record Formats ZSFG-VAL-TYPEID-NODEGROUP is any remote user ID authenticated on node that matches: \node.USERID.GROUPNUMBER, * ZSFG-VAL-TYPEID-NODESPECIFIC is a remote user ID authenticated on node that matches: \node.USERIDGROUPNUMBER, \node.USERID.USERNUMBER ZSUBJECTUSERNUMBER is the user ID of the subject. ZSUBJECTUSERNAME is the user name of the subject. ZAUTHORITY-OWNER indicates, if nonzero, that the subject is granted or denied OWNER authority.
User Record Extensions Audit File Record Formats ZSFG-DDL-USER-SUBRECEXT-1 extension record contains attributes effective as of the G06.27 product version of the Safeguard subsystem. DDL Definition of ZSFG-DDL-USER-SUBRECEXT DEF 02 02 02 02 02 02 02 02 02 02 ZSFG-DDL-USER-SUBRECEXT. ZPRIMARY-GROUP TYPE ZSPI-DDL-INT2. ZGROUP-COUNT TYPE ZSPI-DDL-INT ZGROUP-LIST TYPE ZSPI-DDL-INT2 OCCURS 32 TIMES ZINITIAL-PROGTYPE TYPE ZSPI-DDL-INT. ZINITIAL-PROGLEN TYPE ZSPI-DDL-INT.
ZINITIAL-DIRLEN is the length of the pathname for the user's initial working directory within the OSS file system.

ZINITIAL-DIRECTORY is the pathname for the user's initial working directory within the OSS file system.

ZNUMOWNENTS denotes the number of entries in the owner list defined in the user authentication record.
Note. This field is supported only on systems running G06.27 and later G-series RVUs and H06.07 and later H-series RVUs.
*.*
ZSFG-VAL-TYPEID-REMOTEANYONE is any local or remote user ID that matches \*.*.*
ZSFG-VAL-TYPEID-NODESPECIFIC is any local or remote user ID that matches \NODENUMBER.USERID.GROUPNUMBER, USERID.USERNUMBER
ZSFG-VAL-TYPEID-NODEGROUP is any local or remote user ID that matches \NODENUMBER.USERID.GROUPNUMBER,*
ZSFG-VAL-TYPEID-NODEANYONE is any local or remote user ID that matches \NODENUMBER.*.*

ZOWNENT-USERNUMBER denotes the user ID of the owner.
ZDESCRIPTIONTEXT is a field of descriptive text associated with the user authentication record.

ZLENDESCBIN is the length in bytes of the binary description associated with the user authentication record.

ZFAILEDLOGONCOUNTRESETTIME is the last time the attribute STATIC FAILED LOGON COUNT was RESET.
Note. This field is supported only on systems running J06.03 and later J-series RVUs, H06.10 and later H-series RVUs, and G06.32 and later G-series RVUs.
Note.
ZDESCRIPTIONTEXT is a field of descriptive text associated with the user authentication record. This field can hold text description data of variable length.
Note. ZSFG-DDL-USER-SUBRECEXT-1n is supported only on systems running J06.03 and later J-series RVUs, H06.14 and later H-series RVUs, and G06.32 and later G-series RVUs.
Field Definitions

ZSFG-DDL-FSERROR-SUBREC has this field:

ZERROR is the error number returned by File System for a failed diskfile operation.
Note. This information is supported only on systems running H06.19 and later H-series RVUs.

Object Program File Name Error Record

The Object Program File Name error record is generated when a Guardian process start event is audited.
OSS Audit File Record Format

The Audit record format for OSS audits is the same as Guardian audits. The secondary text area is utilized for reporting additional attributes. OSS audit support applies only to systems running G06.12 and later RVUs.

ZTEXT-AREA-TYPE indicates the type of text contained in the ZTEXT-AREA field. This field can have these additional values:

ZSFG-VAL-TEXT-OSSACCESS The text area contains a ZSFG-DDL-OSSACCESS-SUBREC variant.
ZSFG-VAL-TEXT-OSSSEEPATTR The text area contains a ZSFG-DDL-OSSSEEPATTR-SUBREC variant.
Note. This information is supported only on systems running H06.26 and later H-series RVUs and J06.15 and later J-series RVUs.

ZSFG-VAL-TEXT-FILEPRIVATTR The text area contains a ZSFG-DDL-FILPRVATTR-SUBREC variant.

ZSFG-VAL-TEXT-OBJECT For an OSS rename operation, the text area contains a ZSFG-DDL-OSSRENAME-SUBREC variant.
DDL Definition

DEF ZSFG-DDL-OSSUTIME-SUBREC.
  02 ZATIME  TYPE ZSPI-DDL-INT2.
  02 ZMTIME  TYPE ZSPI-DDL-INT2.
  02 ZCTIME  TYPE ZSPI-DDL-INT2.
END.

Field Definitions

ZATIME is the date and time of last access.

ZMTIME is the date and time of last modification.

ZCTIME is the time of the last file status change.

OSS Access Mode Record

Any attempt to determine the accessibility of a file is audited.
DDL Definition

DEF ZSFG-DDL-OSSAUDIT-SUBREC.
  02 ZAUDIT-ENABLE-ATTR              TYPE ZSPI-DDL-UINT.
  02 ZAUDIT-RESTRICTED-FILESET-ATTR  TYPE ZSPI-DDL-ENUM.
  02 ZAUDIT-SEEP-PROTECTED-FILESET   TYPE ZSPI-DDL-BOOLEAN.
END.

Field Definitions

ZAUDIT-ENABLE-ATTR indicates whether the OSS fileset represented by the Objectname is audited. A nonzero value indicates that the fileset is audited.
DDL Definition

DEF ZSFG-DDL-OSSAUDIT-SUBREC.
  02 ZPROG      TYPE ZSPI-DDL-BYTE OCCURS 44 TIMES.
  02 ZUSER-ID   TYPE ZSPI-DDL-INT2.
  02 ZGROUP-ID  TYPE ZSPI-DDL-INT2.
END.

Field Definitions

ZPROG is the name of the physical file representing the OSS object. The program file name is in the format: $VOL.ZYQnnnnn.
Field Definitions

ZVARIANT-TYPE indicates which fields are present in the record. Possible values are:
• Only ZFILE-MODE
• ZFILE-MODE, ZUSER-ID, ZGROUP-ID
• ZFILE-MODE, ZUSER-ID, ZGROUP-ID, ZRDEV
• ZFILE-MODE, ZUSER-ID, ZGROUP-ID, ZRDEV, ZPATHNAME-LEN, ZPATHNAME
• ZFILE-MODE, ZUSER-ID, ZGROUP-ID, ZRDEV, ZSIZE, ZTIMES

ZFILE-MODE is the file mode.

ZUSER-ID is the OSS user ID of the file owner.

ZGROUP-ID is the OSS group ID.
secondary records generated depends on the type of operation. The record is represented in the ZTEXT-AREA of secondary audit record with this template overlay:
Note. The OSS ACL entry structure is supported only on systems running G06.29 and later G-series RVUs and H06.08 and later H-series RVUs.

DDL Definition

DEF ZSFG-DDL-OSSACLATTR-SUBREC.
  02 ZVARIANT-TYPE  TYPE ZSPI-DDL-UINT.
  02 ZFILE-MODE     TYPE ZSPI-DDL-INT2.
  02 ZUSER-ID       TYPE ZSPI-DDL-INT2.
4 - Includes only ZNUMACLENTRIES and ZACLENTRY (used with additional secondary records to list ACL entries that were not in the original secondary record).
Note. This information is supported only on systems running J06.01 and later J-series RVUs, H06.08 and later H-series RVUs, and G06.29 and later G-series RVUs.

ZCREATORUSERNUM contains the user number of the user that created the OSS ACL.
ZSFG-VAL-ACETYPEID-USER indicates that the ACETYPEID is owning user.
ZSFG-VAL-ACETYPEID-GROUP indicates that the ACETYPEID is owning group.
ZSFG-VAL-ACETYPEID-CLASS indicates that the ACETYPEID is class.
ZSFG-VAL-ACETYPEID-OTHER indicates that the ACETYPEID is other.
ZSFG-VAL-ACETYPEID-OPT-USER indicates that the ACETYPEID is optional user.
ZSFG-VAL-ACETYPEID-OPT-GROUP indicates that the ACETYPEID is optional group.
process group ID (pgid), all processes with process group ID pgid that the caller has permission to kill receive the signal. In this case, the target information is not present in the audit record.

The kill record is represented in the ZTEXT-AREA of secondary audit record with this template overlay:

DDL Definition

DEF ZSFG-DDL-OSSKILL-SUBREC.
ZRAUTHTYPE-REQUESTOR is the OSS real authentication type of the requestor.

ZRAUTHTYPE-TARGET is the OSS real authentication type of the target.

ZSAUTHTYPE-TARGET is the OSS saved-set authentication type of the target.

OSS Link Record

A link record is generated whenever the link count of a file is changed due to operations such as link() and unlink(). However, if the link count becomes zero, a File Attributes record is generated with variant type 5.
DDL Definition

DEF ZSFG-DDL-OSSOPEN-SUBREC.
  02 ZOPEN-FLAGS  TYPE ZSPI-DDL-INT2.
END.

Field Definitions

ZOPEN-FLAGS specifies the flags used to open the file. These flags indicate the type of access, special open processing, the type of update, and the initial state of the open file.

OSS Process Group ID Record

A Process Group ID record is generated whenever there is a change in the process group ID of a process.
DDL Definition

DEF ZSFG-DDL-OSSPROCID-SUBREC.
  02 ZVARIANT-TYPE        TYPE ZSPI-DDL-UINT.
  02 ZREAL-ID             TYPE ZSPI-DDL-INT2.
  02 ZEFFECTIVE-ID        TYPE ZSPI-DDL-INT2.
  02 ZSAVED-SET-ID        TYPE ZSPI-DDL-INT2.
  02 ZREAL-AUTHTYPE       TYPE ZSPI-DDL-INT.
  02 ZEFFECTIVE-AUTHTYPE  TYPE ZSPI-DDL-INT.
  02 ZSAVED-SET-AUTHTYPE  TYPE ZSPI-DDL-INT.
  02 ZGROUP-COUNT         TYPE ZSPI-DDL-INT.
  02 ZGROUP-LIST          TYPE ZSPI-DDL-INT OCCURS 32 TIMES.
  02 ZOPER-PRIV-SETID     TYPE ZSPI-DDL-BOOLEAN.
END.
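Decoding the ZSFG-DDL-OSSPROCID-SUBREC overlay from a secondary record's ZTEXT-AREA, as an added Python example that is not code from this manual or from Safeguard. It assumes the standard SPI DDL sizes on a big-endian NonStop system (ZSPI-DDL-UINT, ZSPI-DDL-INT and ZSPI-DDL-BOOLEAN are 16-bit, ZSPI-DDL-INT2 is 32-bit, ZSPI-VAL-TRUE is -1) and builds its own constructed sample text area rather than reading a real audit file.

```python
import struct
from dataclasses import dataclass

# Assumed SPI DDL sizes (big-endian): ZSPI-DDL-UINT, ZSPI-DDL-INT and
# ZSPI-DDL-BOOLEAN are 16-bit, ZSPI-DDL-INT2 is 32-bit. Field order follows
# the DDL definition: ZVARIANT-TYPE, ZREAL-ID, ZEFFECTIVE-ID, ZSAVED-SET-ID,
# the three *-AUTHTYPE fields, ZGROUP-COUNT, ZGROUP-LIST (32), ZOPER-PRIV-SETID.
OSSPROCID_FMT = ">H3i4h32hh"
OSSPROCID_LEN = struct.calcsize(OSSPROCID_FMT)  # 88 bytes
MAX_GROUPS = 32


@dataclass
class OssProcIdSubrec:
    variant_type: int
    real_id: int
    effective_id: int
    saved_set_id: int
    real_authtype: int
    effective_authtype: int
    saved_set_authtype: int
    group_list: list        # only the first ZGROUP-COUNT entries are meaningful
    oper_priv_setid: bool   # nonzero ZSPI-DDL-BOOLEAN is treated as true


def parse_ossprocid_subrec(text_area: bytes) -> OssProcIdSubrec:
    """Overlay ZSFG-DDL-OSSPROCID-SUBREC on the ZTEXT-AREA of a secondary record."""
    if len(text_area) < OSSPROCID_LEN:
        raise ValueError(f"ZTEXT-AREA too short: {len(text_area)} < {OSSPROCID_LEN}")
    f = struct.unpack(OSSPROCID_FMT, text_area[:OSSPROCID_LEN])
    variant, rid, eid, sid, rauth, eauth, sauth, gcount = f[:8]
    if not 0 <= gcount <= MAX_GROUPS:
        raise ValueError(f"ZGROUP-COUNT out of range: {gcount}")
    groups = list(f[8:8 + gcount])          # unused trailing slots are ignored
    priv = f[8 + MAX_GROUPS] != 0
    return OssProcIdSubrec(variant, rid, eid, sid, rauth, eauth, sauth, groups, priv)


def identity_changed(rec: OssProcIdSubrec) -> bool:
    """True when real, effective and saved-set IDs do not all agree after the set-ID call."""
    return not (rec.real_id == rec.effective_id == rec.saved_set_id)


def sample_text_area() -> bytes:
    """Constructed sample, not a captured record: effective ID differs from the
    real ID, two supplementary groups, ZOPER-PRIV-SETID set to ZSPI-VAL-TRUE (-1)."""
    group_slots = [100, 200] + [0] * (MAX_GROUPS - 2)
    return struct.pack(OSSPROCID_FMT, 1, 1001, 1500, 1001, 1, 1, 1, 2, *group_slots, -1)


if __name__ == "__main__":
    rec = parse_ossprocid_subrec(sample_text_area())
    print(rec, "identity changed:", identity_changed(rec))
```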
ZOPER-PRIV-SETID indicates whether the change to the process' subject identity attribute is a result of a PRIV-SETID operation.
Note. This field is supported only on systems running J06.10 and later J-series RVUs and H06.22 and later H-series RVUs.

OSS Rename Record

The Rename record is generated whenever an OSS file residing in an OSS audited fileset is renamed.
Field Definitions

ZFILE-OPER specifies the type of operation that changes the file privileges of an OSS or a Guardian file. The defined values are:

ZSFG-VAL-FILE-OPER-SETFPRIV specifies that a setfilepriv operation was performed on the file.
ZSFG-VAL-FILE-OPER-GUARDIAN-OPEN specifies that the file was opened to perform a WRITE operation by a Guardian process.
DDL Definition

DEF ZSFG-DDL-OSSSEEPATTR-SUBREC.
  02 ZENABLED       TYPE ZSPI-DDL-BOOLEAN.
  02 ZRESPTIMEOUT   TYPE ZSPI-DDL-UINT.
  02 ZPRI           TYPE ZSPI-DDL-INT.
  02 ZCPU           TYPE ZSPI-DDL-INT.
  02 ZPROGFILENAME  TYPE ZSPI-DDL-BYTE OCCURS 47 TIMES.
  02 ZSWAPVOL       TYPE ZSPI-DDL-BYTE OCCURS 47 TIMES.
  02 ZPROCESSNAME   TYPE ZSPI-DDL-BYTE OCCURS 47 TIMES.
  02 ZPARAMTEXT     TYPE ZSPI-DDL-BYTE OCCURS 255 TIMES.
END.

Field Definitions

ZENABLED specifies whether SEEP is enabled.