Operating System - OpenVMS

ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes

SOLVED
Craig A
Valued Contributor

ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes

Hi!

I would like to run a report that only shows me those users that have used AUTHORIZE to change the privileges (default or authorised) of other users.

ANAL/AUDIT/EVENT and ANAL/AUDIT/SELECT don't *appear* to be able to offer this.

I'm aware that I could generate a generic AUTHORIZE changes report and then parse it for what I need:

$SEARCH -
"Privileges","New" /MATCH=AND /WIND=(x,y)

but that approach is messy if multiple changes to an account have occurred.

I was just wondering if I was missing something blindingly obvious.

Many thanks

Craig A
3 REPLIES
Richard Brodie_1
Honored Contributor
Solution

Re: ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes

Not blindingly obvious but:

/SELECT=(FIELD=("DEFAULT PRIVILEGES", "PRIVILEGES"))
John Gillings
Honored Contributor

Re: ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes

Craig,

The selection qualifiers for ANALYZE/AUDIT and ACCOUNTING are somewhat useful, but, as you've found, it's not always easy to work out the exact combination that gets the information you want, or even work out if it exists. Often it's easier to just dump the whole time window you're interested in and SEARCH the text.

If you have a longer, or regular task, it's fairly simple to build a DCL parser that can discriminate the start and end of audit records, outputting whole records which match your search strings.

PIPE comes in handy here:

$ PIPE ANALYZE/AUDIT/OUT=SYS$OUTPUT ... | @yourparser string string...

If the records aren't too big, you can glue them together into a single string and output as CSV, or something sortable. Parsing the text can be very simple, just split the lines on the first ":", collapse the left hand side to form a symbol name, and replace the : with =" to turn each record into a symbol assignment which you can then execute (though you'll need some continuation line logic). So, for example, convert:

Event time: 28-AUG-2009 00:00:38.16

into:

Eventtime="28-AUG-2009 00:00:38.16"

This makes it easy to throw away fields you're not interested in, even if you don't know their names. Just run the event through the symbolizer then output what you're interested in:

$ WRITE SYS$OUTPUT Auditableevent,",",Eventtime,",",Username
A crucible of informative mistakes
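The record-to-symbol parsing John describes above, as an added example that is not part of the original thread, written in Python rather than DCL so it can be run anywhere. It assumes an ANALYZE/AUDIT text layout of one "Field name: value" line per field, indented continuation lines that belong to the previous field, and a blank line between records; the field names Privileges and Default privileges come from Richard's reply, while the "New: ... Original: ..." value format and the sample records themselves are constructed for illustration, not real audit output.

```python
import csv
import io
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of ANALYZE/AUDIT text output (not real audit
# data). Assumed layout: "Field: value" per line, indented continuation lines,
# blank line between records. The "New: ... Original: ..." format of the
# privilege fields is an assumption made for this example.
SAMPLE_AUDIT_TEXT = """\
Auditable event:          System UAF record modification
Event time:               28-AUG-2009 00:00:38.16
Username:                 SYSTEM
Target username:          JSMITH
Privileges:               New: TMPMBX,NETMBX,SYSPRV
                          Original: TMPMBX,NETMBX

Auditable event:          System UAF record modification
Event time:               28-AUG-2009 00:05:12.40
Username:                 SYSTEM
Target username:          JSMITH
Owner:                    Changed from "Smith" to "J. Smith"

Auditable event:          System UAF record modification
Event time:               28-AUG-2009 00:07:01.02
Username:                 OPERATOR
Target username:          ABROWN
Default privileges:       New: TMPMBX,NETMBX,OPER
                          Original: TMPMBX,NETMBX
"""

# A field line starts in column 1 and is split at the FIRST colon, so a value
# such as "28-AUG-2009 00:00:38.16" keeps its own colons intact.
FIELD_RE = re.compile(r"^(?P<name>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*)$")
PRIV_FIELDS = ("Privileges", "Defaultprivileges")
PRIV_DELTA_RE = re.compile(r"New:\s*(?P<new>\S+)\s+Original:\s*(?P<orig>\S+)")


def symbolize(field_name: str) -> str:
    """Collapse a field name to a DCL-symbol-style name: 'Event time' -> 'Eventtime'."""
    return re.sub(r"[^A-Za-z0-9]", "", field_name)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split audit text into records, each a dict of symbolized field -> value."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    last_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():            # blank line ends the current record
            if current:
                records.append(current)
                current, last_key = {}, None
            continue
        m = FIELD_RE.match(line)
        if m:                           # new "Field: value" line
            last_key = symbolize(m.group("name"))
            current[last_key] = m.group("value").strip()
        elif last_key is not None:      # indented continuation of previous field
            current[last_key] += " " + line.strip()
    if current:
        records.append(current)
    return records


def to_dcl_assignments(record: Dict[str, str]) -> List[str]:
    """Render a record as DCL-style symbol assignments, e.g. Eventtime="...".
    Embedded double quotes are doubled, as DCL string literals require."""
    return [f'{k}="{v.replace(chr(34), chr(34) * 2)}"' for k, v in record.items()]


def privilege_changes(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only records where PRIVILEGES or DEFAULT PRIVILEGES were set to a new value."""
    return [r for r in records if any(f in r and "New:" in r[f] for f in PRIV_FIELDS)]


def privilege_delta(record: Dict[str, str], field: str) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) privilege sets for one privilege field of a record."""
    m = PRIV_DELTA_RE.search(record.get(field, ""))
    if not m:
        return set(), set()
    new = set(m.group("new").split(","))
    orig = set(m.group("orig").split(","))
    return new - orig, orig - new


def to_csv(records: List[Dict[str, str]],
           fields: Tuple[str, ...] = ("Auditableevent", "Eventtime", "Username")) -> str:
    """Emit the chosen fields of each record as CSV, missing fields left empty."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(fields)
    for r in records:
        writer.writerow([r.get(f, "") for f in fields])
    return buf.getvalue()


if __name__ == "__main__":
    changes = privilege_changes(parse_records(SAMPLE_AUDIT_TEXT))
    print(to_csv(changes, ("Eventtime", "Username", "Targetusername")), end="")
    for rec in changes:
        for field in PRIV_FIELDS:
            added, removed = privilege_delta(rec, field)
            if added or removed:
                print(f"{rec['Eventtime']} {field}: +{sorted(added)} -{sorted(removed)}")
```

Splitting at the first colon and symbolizing the left-hand side is what lets the filter ignore fields it has never seen (the Owner change in the second record simply carries no privilege field and drops out), and keeping the original and new privilege lists lets the report show which privileges were actually added rather than only that the field was touched.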
Craig A
Valued Contributor

Re: ANAL/AUDIT for AUTHORIZE PRIV and DEFPRIV changes

Richard: Thanks - Perfect!

John: Very useful. Many thanks.

Craig A