HPE Community
Operating System - OpenVMS
1752755 Members
5306 Online
108789 Solutions
New Discussion юеВ

ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes

 
SOLVED
Go to solution
Craig A
Valued Contributor

тАО08-27-2009 12:02 AM

тАО08-27-2009 12:02 AM

ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes

Hi!

I would like to run a report that only shows me those users that have used AUTHORIZE to change the privileges (default or authorised) of other users.

ANAL/AUDIT/EVENT and ANAL/AUDIT/SELECT doesn't *appear* to be able to offer this.

I'm aware that I could generate a generic AUTHORIZE changes report and then parse it for what I need:

$SEARCH -
"Privileges","New" /MATCH=AND /WIND=(x,y)

but that approach is messy if multiple changes to an accout have occured.

I was just wondering if I was missing something blindingly obvious.

Many thanks

Craig A
0 Kudos
Reply
3 REPLIES 3
Richard Brodie_1
Honored Contributor

тАО08-27-2009 01:40 AM

тАО08-27-2009 01:40 AM

Solution

Re: ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes

Not blindingly obvious but:

/SELECT=(FIELD=("DEFAULT PRIVILEGES", "PRIVILEGES"))
Reply
John Gillings
Honored Contributor

тАО08-27-2009 02:36 PM

тАО08-27-2009 02:36 PM

Re: ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes

Craig,

The selection qualifiers for ANALYZE/AUDIT and ACCOUNTING are somewhat useful, but, as you've found, it's not always easy to work out the exact combination that gets the information you want, or even work out if it exists. Often it's easier to just dump the whole time window you're interested in and SEARCH the text.

If you have a longer, or regular task, it's fairly simple to build a DCL parser that can discriminate the start and end of audit records, outputting whole records which match your search strings.

PIPE comes in handy here:

$ PIPE ANALYZE/AUDIT/OUT=SYS$OUTPUT ... | @yourparser string string...

If the records aren't too big, you can glue them together into a single string and output as CSV, or something sortable. Parsing the text can be very simple, just split the lines on the first ":", collapse the left hand side to form a symbol name, and replace the : with =" to turn each record into a symbol assignment which you can then execute (though you'll need some continuation line logic). So, for example, convert:

Event time: 28-AUG-2009 00:00:38.16

into:

Eventtime="28-AUG-2009 00:00:38.16"

This makes it easy to throw away fields you're not interested in, even if you don't know their names. Just run the event through the symbolizer then output what you're interested in:

$ WRITE SYS$OUTPUT Auditableevent,",",Eventtime,",",Username
A crucible of informative mistakes
Reply
Craig A
Valued Contributor

тАО08-28-2009 04:04 AM

тАО08-28-2009 04:04 AM

Re: ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes

Richard: Thanks - Perfect!

John: Very useful. Many thanks.

Craig A
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.