Domain: SECURITY-ADMINISTRATION
Privileges: SECURITY-ADMINISTRATION
The security administrator uses this command to define conditions relating to preselection for SAT logging.
The filter definition can be displayed by the /SHOW-SAT-FILTER-CONDITIONS command. It can be removed again by means of /REMOVE-SAT-FILTER-CONDITIONS.
If preselection is possible for an event, this condition is also applied in order to decide whether or not the event is to be audited.
The events forming the basis for this decision are defined as follows:
- by the event name and the result on occurrence of the event
- by the user ID of the recorded event
- by the information relating to the event
Notes
Audit records to which no filter condition applies are recorded.
If a single filter condition applies to an audit record, then the action specified in this condition is the action required to be taken.
If two or more filter conditions apply simultaneously to an audit record, then the following two cases must be differentiated:
- If at least one of the applicable filter conditions contains the specification *LOGGING(RECORDING=*YES) in the TRIGGER-ACTION operand, the audit record is recorded.
- Only if all the applicable filter conditions contain the specification *LOGGING(RECORDING=*NO) in the TRIGGER-ACTION operand is the audit record not recorded.
ADD-SAT-FILTER-CONDITIONS
NAME = <name 1..8>
Name of the filter.
SELECT = *PARAMETERS(...)
This specifies which events satisfy the filter condition.
EVENT-NAME =
Type and result of the events which satisfy the filter condition.
EVENT-NAME = *ALL
All events which can be recorded by SAT satisfy the filter condition.
EVENT-NAME = list-poss(50): <name 3..3>(...)
The explicit name of an event. This name must be taken from “Table of object-related events”.
RESULT = *ALL / *SUCCESS / *FAILURE
Specifies the result the event is to have.
USER-IDENTIFICATION =
Specifies which user IDs satisfy the filter condition.
USER-IDENTIFICATION = *ALL
All user IDs satisfy the filter condition.
USER-IDENTIFICATION = list-poss(50): <name 1..8>
Only events which concern the specified user IDs satisfy the filter condition. The user IDs do not need to exist at the time when the filter condition is defined.
FIELD-NAME =
This specifies which field of an event is to be monitored.
FIELD-NAME = *ALL
All data fields of an event are checked.
FIELD-NAME = list-poss(50): <name 3..7>(...)
Only the data fields specified here are checked. A list of the possible field names can be found in “Tables of auditable information on object-related events (1)”.
VALUE = *ALL / *MATCH(...) / *NOT-MATCH(...) / list-poss(10): <text> / list-poss(10): <integer 0..2147483647>(...)
A list of the field names and the information output in these fields can be found in “Tables of auditable information on object-related events (1)”. <text> depends on the field being logged.
VALUE = *MATCH(...)
Specifies a pattern for the field name. The condition is valid when the comparison value fits into this pattern. Pattern specification is permitted only for field names whose values represent a character string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification in the format <c-string 1..255> where, analogously to the SDF data type <c-string with-wild (n)>, parts of the character string can be replaced by wildcards.
The available wildcard characters are as follows:
*        | Stands for any desired character string, including a blank string
/        | Stands for precisely one character
\        | Nullifies the effect of wildcards (* / < > : ,) that actually form part of the character string (e.g. ab\*c denotes the actual character string “ab*c”)
<sx:sy>  | Replaces a character string where the following applies:
<s1,...> | Replaces all character strings to which one of the character combinations specified by s applies. s may also be a blank character string. Any character string s may also be a range specification <sx:sy>
VALUE = *NOT-MATCH(...)
Specifies a pattern for the field name. The condition is valid when the comparison value does not fit into this pattern. Pattern specification is permitted only for field names whose values represent a character string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification as under VALUE=*MATCH.
VALUE = <integer 0..2147483647>(...)
Specifies a numerical value for the field name. This value is only allowed for fields whose value is of type <integer>.
UNIT = *BYTES / *KB / *MB / *GB
Specifies the units to be used in interpreting the value specified with the VALUE operand. This entry is only allowed for field names filpos, curlim2 and maxlim2.
The following applies:
- If UNIT=*BYTES is implicitly or explicitly defined, the value must be a multiple of 512.
- The maximum value of 2^40-512 (= 1 099 511 627 264) bytes may not be exceeded either if UNIT=*KB / *MB / *GB is specified. This results in the following maximum values, depending on the UNIT entry:

UNIT=   | Maximum value for VALUE | Corresponds in bytes to
*BYTES  | 2^31-1 = 2 147 483 647  | 2^31-1 = 2 147 483 647
*KB     | 2^30-1 = 1 073 741 823  | 2^40-2^10 = 1 099 511 626 752
*MB     | 2^20-1 = 1 048 575      | 2^40-2^20 = 1 099 510 579 200
*GB     | 2^10-1 = 1 023          | 2^40-2^30 = 1 098 437 885 952
TRIGGER-ACTION = *LOGGING(...)
Specifies which action is to be performed when the condition defined with the SELECT operand is satisfied.
RECORDING =
Specifies whether an event is to be recorded.
RECORDING = *YES
The event is recorded.
RECORDING = *NO
The event is not recorded, provided no other filter condition calls for recording.
Command return codes
(SC2) | SC1 | Maincode | Meaning
      | 0   | CMD0001  | Command successfully executed
      | 32  | SAT0000  | Unrecoverable error
      | 64  | SAT1000  | User not privileged for command
      | 64  | SAT1020  | Event already exists in event list
      | 64  | SAT1022  | Field already exists in field list
      | 64  | SAT1023  | Field contains duplicate values
      | 64  | SAT1029  | Event unknown
      | 64  | SAT1030  | User already exists in user list
      | 64  | SAT1031  | Filter already exists
      | 64  | SAT1035  | Value is not a multiple of 512 or too big
      | 64  | SAT1050  | Command permitted only if logging function is activated
      | 64  | SAT1073  | Filter table is full
      | 128 | SAT1010  | Another command is currently being processed
      | 128 | SAT1080  | Exchange being prepared
Notes
There are no predefined filter definitions. When SAT is started for the first time, there is no parameter file and it is thus not possible to read any definitions from this file.
It is, however, possible to save a SAT parameter file for the next session with the aid of the /SAVE-SAT-PARAMETERS command. The next time SAT is started, definitions with the default values are then available. There are no default values for filter definitions; if the current values are not stored in the SAT parameter file, no filter definitions will exist for the next session.
Up to 32 alarm definitions can be stored.
Using a negative list of field names together with the trigger action RECORDING=*YES does not generally reduce the scope of recording, since an audit record generally contains fields which then require recording.
When evaluating a filter condition with a UNIT entry, only the value resulting from multiplying the VALUE and UNIT entries together is relevant, but not how this value is reached.
Examples
The following values are considered to be equivalent since they all represent the same value of 3145728 bytes:
VALUE=3145728(UNIT=*BYTES) VALUE=3072(UNIT=*KB) VALUE=3(UNIT=*MB)
An ADD-SAT-FILTER-CONDITIONS command with the entry
FIELD-NAME=*FILPOS(VALUE=(3072(UNIT=*KB),3(UNIT=*MB)))
is therefore rejected with the following message:
SAT1023 FIELD 'FILPOS' CONTAINS DUPLICATE VALUES. COMMAND REJECTED
A filter condition with the following entry
FIELD-NAME=*FILPOS(VALUE=3072(UNIT=*KB))
is valid if the record to be logged contains FILPOS=6144. Reason: the entry in the record represents a multiple of 512 bytes (see “filpos” in Table of auditable information (field names)), and 6144*512 bytes = 3145728 bytes = 3072 KB.
POSIX file names and Kerberos names are logged by SAT without any restriction. The following SAT fields are case-sensitive in the definition of SAT filter conditions: AUDITID, HOMEDIR, LINKNAM, NEWPATH, PATHNAM, PRINCCL, PRINCSV, SHELL, SYMBDEV. With the exception of SYMBDEV, however, these fields can only be specified with a maximum length of 255 bytes. Events with longer field contents may be selected by using wildcards. When a single name is specified (without wildcards), the same special characters are allowed as for POSIX file names or Kerberos names.
See also the general notes on SAT commands in "Functional overview".
Example
The following accesses are to be recorded if they refer to files which are cataloged in the catalog “CAT1” and whose names contain the character strings “SYS” and “ABC”: “Read protection attributes” (FRS), if successful, and “Export catalog” (CEP).
/add-sat-filter-conditions name=filter1,select=*parameters( -
/ event-name=(frs,cep)),trigger-action=*logging(recording=*no)
/add-sat-filter-conditions name=filter2,select=*parameters( -
/ event-name=(frs(result=*success),cep),user-identification=*all,-
/ field-name=(filname(value=*match(pattern='*sys*abc')), -
/ catid(value='cat1')))
Accesses to files having names beginning with “$TSOS.SYSLNK.” are not to be recorded.
/add-sat-filter-conditions name=f1,select=*parameters( -
/ event-name=*all,user-identification=*all,-
/ field-name=filname(value=*match(pattern='*$tsos.syslnk.*'))), -
/ trigger-action=*logging(recording=*no)
The “Delete file” event (FDD) should, however, be recorded for all files:
/add-sat-filter-conditions name=f2,select=*parameters( -
/ event-name=fdd,user-identification=*all,field-name=*all), -
/ trigger-action=*logging(recording=*yes)
As regards the deletion of a file whose name begins with $TSOS.SYSLNK., both conditions are applicable. Since one of these conditions calls for recording, the corresponding audit record is recorded.
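To make the rules on this page concrete (the Notes on how several applicable filter conditions combine, the wildcard syntax under VALUE=*MATCH, the VALUE/UNIT normalization to bytes with its SAT1035 and SAT1023 checks, and the FILPOS and $TSOS.SYSLNK. examples), here is an added Python model of filter-condition evaluation. It is not SAT's own code and not part of this manual. Its assumptions: an audit record is a dictionary carrying the event, result, user and the logged fields; a condition on a field the record does not carry does not apply; the fields FILPOS, CURLIM2 and MAXLIM2 are logged as multiples of 512 bytes, as the FILPOS example states; and every field other than the nine listed as case-sensitive above is compared case-insensitively.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added model of SAT filter-condition evaluation; not SAT's own code.
UNIT_FACTOR = {"*BYTES": 1, "*KB": 1024, "*MB": 1024 ** 2, "*GB": 1024 ** 3}
MAX_BYTES = 2 ** 40 - 512                       # manual: 1 099 511 627 264 bytes
UNIT_FIELDS = {"FILPOS", "CURLIM2", "MAXLIM2"}  # assumption: logged as 512-byte units
CASE_SENSITIVE = {"AUDITID", "HOMEDIR", "LINKNAM", "NEWPATH", "PATHNAM",  # per the manual;
                  "PRINCCL", "PRINCSV", "SHELL", "SYMBDEV"}             # others assumed case-insensitive

def value_in_bytes(value: int, unit: str = "*BYTES") -> int:
    """Normalize VALUE(UNIT=...) to bytes and apply the documented limits (SAT1035)."""
    total = value * UNIT_FACTOR[unit]
    if total % 512 != 0 or total > MAX_BYTES:
        raise ValueError("SAT1035 VALUE IS NOT A MULTIPLE OF 512 OR TOO BIG")
    return total

def byte_values(field: str, entries) -> list:
    """Build the VALUE list of an integer field; equal byte counts are rejected (SAT1023)."""
    result = []
    for value, unit in entries:
        total = value_in_bytes(value, unit)
        if total in result:
            raise ValueError(f"SAT1023 FIELD '{field}' CONTAINS DUPLICATE VALUES")
        result.append(total)
    return result

def _char_range(spec: str) -> str:              # <sx:sy>: one character from sx to sy
    lo, hi = spec.split(":", 1)
    return "[" + re.escape(lo) + "-" + re.escape(hi) + "]"

def pattern_to_regex(pattern: str) -> str:
    """Translate the SAT wildcards *, /, \\, <sx:sy> and <s1,...> into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):  # \ makes the next wildcard character literal
            out.append(re.escape(pattern[i + 1]))
            i += 1
        elif c == "*":                           # any string, including the empty one
            out.append(".*")
        elif c == "/":                           # exactly one character
            out.append(".")
        elif c == "<":                           # <sx:sy> or <s1,s2,...>; an s may be a range
            end = pattern.index(">", i)
            alts = [_char_range(s) if ":" in s else re.escape(s)
                    for s in pattern[i + 1:end].split(",")]
            out.append("(?:" + "|".join(alts) + ")")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

@dataclass
class Filter:
    name: str
    recording: bool = True            # TRIGGER-ACTION=*LOGGING(RECORDING=*YES / *NO)
    events: Optional[dict] = None     # {"FRS": "*SUCCESS", "CEP": "*ALL"}; None = *ALL
    users: Optional[set] = None       # None = *ALL
    fields: Optional[dict] = None     # {"CATID": ("*VALUES", ["cat1"]), ...}; None = *ALL

def field_matches(field: str, spec, actual) -> bool:
    """Check one FIELD-NAME(VALUE=...) entry against the value logged in the record."""
    kind, arg = spec
    if isinstance(actual, int):                  # integer fields compare on the byte count
        return actual * (512 if field in UNIT_FIELDS else 1) in arg
    flags = 0 if field in CASE_SENSITIVE else re.IGNORECASE
    if kind in ("*MATCH", "*NOT-MATCH"):
        hit = re.fullmatch(pattern_to_regex(arg), actual, flags) is not None
        return hit if kind == "*MATCH" else not hit
    fold = (lambda s: s) if field in CASE_SENSITIVE else str.upper
    return fold(actual) in {fold(v) for v in arg}

def applies(f: Filter, rec: dict) -> bool:
    """Is the SELECT part of the filter condition satisfied by this audit record?"""
    if f.events is not None:
        wanted = f.events.get(rec["event"])
        if wanted is None or wanted not in ("*ALL", rec["result"]):
            return False
    if f.users is not None and rec["user"] not in f.users:
        return False
    for field, spec in (f.fields or {}).items():
        # Assumption: a condition on a field the record does not carry does not apply.
        if field not in rec or not field_matches(field, spec, rec[field]):
            return False
    return True

def is_recorded(rec: dict, filters) -> bool:
    """Manual's rule: no applicable condition -> recorded; otherwise any RECORDING=*YES wins."""
    applicable = [f for f in filters if applies(f, rec)]
    return not applicable or any(f.recording for f in applicable)

# The manual's f1/f2 pair, plus constructed audit records (not real SAT output).
F1 = Filter("F1", recording=False, fields={"FILNAME": ("*MATCH", "*$tsos.syslnk.*")})
F2 = Filter("F2", recording=True, events={"FDD": "*ALL"})
DELETE_SYSLNK = {"event": "FDD", "result": "*SUCCESS", "user": "TSOS", "FILNAME": "$TSOS.SYSLNK.TEST"}
READ_SYSLNK = {"event": "FRS", "result": "*SUCCESS", "user": "TSOS", "FILNAME": "$TSOS.SYSLNK.TEST"}
READ_OTHER = {"event": "FRS", "result": "*FAILURE", "user": "USER01", "FILNAME": "$USER01.DATA"}
```

Calling is_recorded(rec, [F1, F2]) on the three constructed records gives the outcomes the manual describes: the FDD on $TSOS.SYSLNK.TEST is recorded because F2 calls for recording even though F1 applies too, the FRS on the same file is not recorded because only F1 applies, and the FRS on $USER01.DATA is recorded because no condition applies at all. byte_values("FILPOS", [(3072, "*KB"), (3, "*MB")]) raises the SAT1023 duplicate error, and a filter built from byte_values("FILPOS", [(3072, "*KB")]) applies to a record logging FILPOS=6144.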
Further examples may be found under /MODIFY-SAT-FILTER-CONDITIONS.