T,
Here's a neat trick for generating customised audits for whatever you like. An example for your specific case, I'll call your user AUDIT_ME.
First create an empty, world readable file, with a name that indicates what you want to audit:
$ CREATE/PROTECTION=(W:R) SYS$MANAGER:LOGIN.AUDIT
Now add an ACL which specifies a READ+FAIL security audit ACE, and an ACE to pick out who you want to trigger it:
$ SET SECURITY/ACL=((AUDIT=SECURITY,ACCESS=READ+FAIL),(IDENTIFIER=AUDIT_ME,ACCESS=NONE)) SYS$MANAGER:LOGIN.AUDIT
Now, in SYLOGIN.COM trigger the audit:
$ PIPE TYPE SYS$MANAGER:LOGIN.AUDIT >NL: 2>NL:
(we're using PIPE here to redirect any output or errors to NL:, since it's single stage PIPE everything occurs in the context of the current process, so no real expense).
Since the file is W:R, this will be a NOOP for most users. For user AUDIT_ME, they'll trigger the AUDIT ACE, and generate an event in the audit journal. You can identify it by the object name LOGIN.AUDIT.
In practice, I'd use identifier LOGIN_AUDIT and then:
UAF> GRANT/IDENTIFIER LOGIN_AUDIT AUDIT_ME
this gives you a simple way to request the audit for other users.
The same mechanism can be used for anything you like. Use the PIPE TYPE command to generate a message.
If you have a code path that only your target user(s) will execute, it's even easier. Same empty file, but:
$ SET SECURITY/ACL=(AUDIT=SECURITY,ACCESS=READ+SUCCESS)SYS$MANAGER:LOGIN.AUDIT
and:
$ TYPE SYS$MANAGER:LOGIN.AUDIT
(since you won't generate an error message, and the file is empty, you don't need to redirect output).
For this to work, you need to have ACL audits enabled. From your SHOW AUDIT posting, you already have that.
A crucible of informative mistakes
