djk,
Auditing /ENABLE=(ACCESS=(SYSPRV,BYPASS)) tracks every USE of the privilege, which may be too fine grained for what you want.
It may be simpler to audit all logins and filter them for the usernames you're interested in:
$ SET AUDIT/AUDIT/ENABLE=LOGIN=ALL
Login audits are a fairly useful thing to have anyway.
There's a fairly general approach to generating audits for arbitrary events which allows you to be highly specific, using files with audit ACLs which generated audits when touched in various ways. In this case, here's a possibility:
First create a file with a distinctive name to identify the event you're auditing. Leave the file empty.
$ CREATE SYS$MANANGER:SYSPRV_BYPASS_LOGIN.AUDIT
Apply security and ACE which will audit SUCCESSFUL access to that file:
$ SET SECURITY /PROTECTION=(S:R,O,G,W) -
SYS$MANANGER:SYSPRV_BYPASS_LOGIN.AUDIT -
/ACL=(AUDIT=SECURITY,ACCESS=READ+SUCCESS)
Since it's protected S:R, only users with SYSPRV and BYPASS can access the file.
Now, plant an access to the file in SYLOGIN.COM in a path that's executed by everyone. Since non-privileged users will get an error, use PIPE output redirection to block the message
$ SET NOON ! Don't exit on error
$ PIPE TYPE SYS$MANANGER:SYSPRV_BYPASS_LOGIN.AUDIT >nl: 2>nl:
Make sure ACL audits are enabled:
$ SET AUDIT/AUDIT/ENABLE=ACL
You can now search the audit journal for audit records with filename = SYS$MANANGER:SYSPRV_BYPASS_LOGIN.AUDIT these will identify the users and times they executed SYLOGIN (note that anyone can execute SYLOGIN at any time!).
As others have stated, privileged users can do anything, so this won't necessarily work if they're hostile (but if that's the case they shouldn't have privileges!).
A crucible of informative mistakes
