Domain: SECURITY-ADMINISTRATION
Privileges: SECURITY-ADMINISTRATION
The /MODIFY-SAT-FILTER-CONDITIONS command can be used to modify an existing filter definition (see /ADD-SAT-FILTER-CONDITIONS).
MODIFY-SAT-FILTER-CONDITIONS
NAME = <name 1..8>
Name of the filter.
SELECT = *PARAMETERS(...)
This specifies which of the existing conditions are to be modified.
EVENT-NAME = *UNCHANGED / *ALL / list-poss(50): <name 3..3>(...)
Type and result of the events which satisfy the filter condition.
EVENT-NAME = *ALL
All events which can be recorded by SAT satisfy the filter condition.
EVENT-NAME = list-poss(50): <name 3..3>(...)
Explicit name of an event. The name of the event must be taken from “Table of object related events”.
SELECT-SWITCH =
This specifies whether the event is to be added or removed.
SELECT-SWITCH = *ON(...)
The event and result are to be added to the filter definition.
RESULT = *ALL / *SUCCESS / *FAILURE
This specifies the result the event is to have.
SELECT-SWITCH = *OFF
The event is to be removed from the filter definition.
USER-IDENTIFICATION = *UNCHANGED / *ALL / list-poss(50): <name 1..8>(...)
Specifies which user IDs satisfy the filter condition.
USER-IDENTIFICATION = *ALL
All user IDs satisfy the filter condition.
USER-IDENTIFICATION = list-poss(50): <name 1..8>(...)
Only events which concern the specified user IDs satisfy the filter condition. The user IDs do not need to exist at the time when the filter condition is defined.
SELECT-SWITCH =
This specifies whether the user ID is to be added to or deleted from the filter definition.
SELECT-SWITCH = *ON
The user ID is to be added to the filter definition.
SELECT-SWITCH = *OFF
The user ID is to be deleted from the filter definition.
FIELD-NAME = *UNCHANGED / *ALL / list-poss(50): <name 3..7>(...)
Specifies which data field of an event is to be checked. The table with the possible field names can be found in the “Tables of auditable information on object-related events (1)”.
FIELD-NAME = *ALL
All data fields of an event satisfy the filter condition.
FIELD-NAME = list-poss(50): <name 3..7>(...)
A data field is specified.
SELECT-SWITCH =
This specifies whether the field is to be added to or removed from the definition; the field applies when the associated information has a value defined by means of the VALUE operand. The table of field names and the information output for them may be found in the “Tables of auditable information on object-related events (1)”. <text> depends on the logged data field.
SELECT-SWITCH = *ON(...)
Adds information requiring checking to the filter definition.
VALUE = *ALL
All information satisfies the filter condition.
VALUE = *MATCH (...)
Specifies a pattern for the information. The condition is valid when the comparison value fits into this pattern. Pattern specification is permitted only for field names whose values represent a character string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification in the format c-string 1..255 where, analogously to the SDF data type <c-string with-wild (n)>, parts of the character string can be replaced by wildcards.
The available wildcard characters are as follows:
* | Stands for any desired character string, including a blank string |
/ | Stands for precisely one character |
\ | Nullifies the effect of “wildcards” (* / < > : ,) actually forming part of the character string (e.g. ab\*c denotes the actual character string “ab*c”) |
<sx:sy> | Replaces a character string for which the following applies: it is at least as long as the shorter of the two character strings sx and sy, it is no longer than the longer of the two, and in the sort sequence it is greater than or equal to sx and less than or equal to sy |
<s1,...> | Replaces all character strings to which one of the character strings specified as s1, s2, ... applies. s may also be a blank character string. Any character string s may also be a range specification <sx:sy> |
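The wildcard rules above, as an added example that is not part of the SAT manual or of BS2000: a small Python matcher for the PATTERN syntax. It assumes that the strings inside <...> are literal strings or ranges sx:sy without further wildcards, that ranges compare in Python string order rather than in the EBCDIC sort sequence, and that fields other than the case-sensitive ones listed later on this page are compared after folding to upper case; the sample file names are constructed.

```python
# Added example (not SAT or SDF code): a matcher for the wildcard syntax of the
# PATTERN operand (*, /, \, <sx:sy>, <s1,...>). Assumptions: the strings inside
# <...> are taken literally (or as a range sx:sy) and contain no further
# wildcards; range comparison uses Python string order, not the EBCDIC
# sort sequence.
from typing import List, Tuple


def tokenize(pattern: str) -> List[Tuple]:
    """Split a pattern into ('lit', c), ('any',), ('one',) and ('alt', [...]) tokens."""
    tokens, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == '\\' and i + 1 < n:            # \x: x loses its wildcard meaning
            tokens.append(('lit', pattern[i + 1])); i += 2
        elif c == '*':                          # any string, including the empty one
            tokens.append(('any',)); i += 1
        elif c == '/':                          # exactly one character
            tokens.append(('one',)); i += 1
        elif c == '<':                          # <sx:sy> or <s1,s2,...>
            end = pattern.index('>', i)         # ValueError if the group is unterminated
            alts = []
            for s in pattern[i + 1:end].split(','):
                lo, sep, hi = s.partition(':')
                alts.append(('range', lo, hi) if sep else ('str', s))
            tokens.append(('alt', alts)); i = end + 1
        else:
            tokens.append(('lit', c)); i += 1
    return tokens


def in_range(s: str, lo: str, hi: str) -> bool:
    """<sx:sy>: length between the shorter and the longer bound, and lo <= s <= hi."""
    shorter, longer = sorted((len(lo), len(hi)))
    return shorter <= len(s) <= longer and lo <= s <= hi


def _match(tokens, text: str, ti: int = 0, pos: int = 0) -> bool:
    """Backtracking match of text[pos:] against tokens[ti:]."""
    if ti == len(tokens):
        return pos == len(text)
    tok = tokens[ti]
    if tok[0] == 'lit':
        return pos < len(text) and text[pos] == tok[1] and _match(tokens, text, ti + 1, pos + 1)
    if tok[0] == 'one':
        return pos < len(text) and _match(tokens, text, ti + 1, pos + 1)
    if tok[0] == 'any':
        return any(_match(tokens, text, ti + 1, p) for p in range(pos, len(text) + 1))
    for end in range(pos, len(text) + 1):       # 'alt': try every candidate substring
        cand = text[pos:end]
        for alt in tok[1]:
            hit = cand == alt[1] if alt[0] == 'str' else in_range(cand, alt[1], alt[2])
            if hit and _match(tokens, text, ti + 1, end):
                return True
    return False


def sat_match(pattern: str, value: str, case_sensitive: bool = False) -> bool:
    """True if value fits pattern. Most SAT fields are compared without regard to
    case (the page's examples write 'abc' and speak of "ABC"); pass
    case_sensitive=True for the fields the page lists as case-sensitive."""
    if not case_sensitive:
        pattern, value = pattern.upper(), value.upper()
    return _match(tokenize(pattern), value)
```

Note that '/' is itself a wildcard, so a literal slash in a POSIX path name (PATHNAM, HOMEDIR, NEWPATH, ...) must be written as '\/' in the pattern: '/home/*' would also accept a name such as 'Xhome/x'.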
VALUE = *NOT-MATCH(...)
Specifies a pattern for the information. The condition is valid when the comparison value does not fit into this pattern. Pattern specification is permitted only for field names whose values represent a character string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification as under VALUE=*MATCH.
VALUE = list-poss(10):<text>
The information specified explicitly for the field satisfies the filter condition.
VALUE = list-poss(10): <integer 0..2147483647>(...)
The information specified explicitly for the field in the form of a numerical value satisfies the filter condition. This entry is only allowed for field names whose value is of type <integer>.
UNIT = *BYTES / *KB / *MB / *GB
Specifies the units to be used in interpreting the value specified with the VALUE operand. This entry is only allowed for field names filpos, curlim2 and maxlim2.
The following thereby applies:
If UNIT=*BYTES is implicitly or explicitly defined, the value must be a multiple of 512.
The maximum value of 2^40-512 (= 1 099 511 627 264) bytes may not be exceeded even if UNIT=*KB / *MB / *GB is specified. This results in the following maximum values, depending on the UNIT entry:
UNIT= | Maximum value for VALUE | Corresponds in bytes to
*BYTES | 2^31-1 = 2 147 483 647 | 2^31-1 = 2 147 483 647
*KB | 2^30-1 = 1 073 741 823 | 2^40-2^10 = 1 099 511 626 752
*MB | 2^20-1 = 1 048 575 | 2^40-2^20 = 1 099 510 579 200
*GB | 2^10-1 = 1 023 | 2^40-2^30 = 1 098 437 885 952
SELECT-SWITCH = *OFF(...)
Removes the specified information from the filter definition.
VALUE = *ALL
All information is removed from the filter definition.
VALUE = *MATCH(...)
Specifies a pattern for the information. The condition is valid when the comparison value fits into this pattern. Pattern specification is permitted only for field names whose values represent a character string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification in the format c-string 1..255 where, analogously to the SDF data type <c-string with-wild (n)>, parts of the character string can be replaced by wildcards.
The available wildcard characters are the same as under SELECT-SWITCH=*ON(VALUE=*MATCH(...)).
VALUE = *NOT-MATCH(...)
Specifies a pattern for the information. The condition is valid when the comparison value does not fit into this pattern. Pattern specification is permitted only for field names whose values represent a character string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification as under VALUE=*MATCH.
VALUE = list-poss(10): <text>
The explicitly specified information for the field is removed from the filter definition.
VALUE = list-poss(10): <integer 0..2147483647>(...)
The information specified explicitly for the field in the form of a numerical value is removed from the filter definition. This entry is only allowed for field names whose value is of type <integer>.
UNIT = *BYTES / *KB / *MB / *GB
Specifies the units to be used in interpreting the value specified with the VALUE operand. This entry is only allowed for field names filpos, curlim2 and maxlim2.
The same restrictions apply as under SELECT-SWITCH=*ON: if UNIT=*BYTES is implicitly or explicitly defined, the value must be a multiple of 512, and the maximum value of 2^40-512 (= 1 099 511 627 264) bytes may not be exceeded even if UNIT=*KB / *MB / *GB is specified (see the table of maximum values given there).
TRIGGER-ACTION = *UNCHANGED / *LOGGING(...)
Specifies which action is to be performed when the condition defined with the SELECT operand is satisfied.
TRIGGER-ACTION = *LOGGING(...)
Specifies whether an event is to be recorded.
RECORDING = *YES
The event is recorded.
RECORDING = *NO
The event is not recorded, provided no other filter condition calls for recording.
Command return codes
(SC2) | SC1 | Maincode | Meaning
| 0 | CMD0001 | Command successfully executed
| 32 | SAT0000 | Unrecoverable error
| 64 | SAT1000 | User not privileged for command
| 64 | SAT1020 | Event already exists in event list
| 64 | SAT1022 | Field already exists in field list
| 64 | SAT1023 | Field contains duplicate values
| 64 | SAT1029 | Event unknown
| 64 | SAT1030 | User already exists in user list
| 64 | SAT1031 | Filter already exists
| 64 | SAT1035 | Value is not a multiple of 512 or too big
| 64 | SAT1050 | Command permitted only if logging function is activated
| 128 | SAT1010 | Another command is currently being processed
| 128 | SAT1080 | Exchange being prepared
Notes
When using patterns for values of a field no check is made as to whether any overlaps occur.
Identically specified patterns for a value of a field are replaced.
Examples
Let us assume that a filter condition is defined as follows:
/add-sat-filter-conditions name=filter1, ... -
/ field-name=filname(value=*match('*abc*')), ...
The command
/modify-sat-filter-conditions name=filter1, ... -
/ field-name=filname( -
/ select-switch=*on(value=*not-match('*abc*'))), ...
overwrites the comparison pattern. The effect is as if the condition had been defined in the following manner:
/add-sat-filter-conditions name=filter1, ... -
/ field-name=filname(value=*not-match('*abc*')), ...
Either specifying SELECT-SWITCH=*OFF(VALUE=*MATCH('*ABC*')) or specifying SELECT-SWITCH=*OFF(VALUE=*NOT-MATCH('*ABC*')) removes *MATCH('*ABC*') from the list of values.
The specification of a fixed value has no influence on a pattern specification.
For example, a /MODIFY-SAT-FILTER-CONDITIONS command with the specification VALUE='XABCY' has no effect on a filter condition which was defined using VALUE=*MATCH('*ABC*'). The value 'XABCY' is already covered by the pattern '*ABC*', so the condition VALUE='XABCY' is automatically fulfilled whenever *MATCH('*ABC*') is fulfilled.
However, the specification VALUE='XABCY' does have an effect on a filter condition defined with VALUE=*NOT-MATCH('*ABC*'). In this case the condition applies to all values which do not match the pattern '*ABC*' and, in addition, to the value 'XABCY'.
SELECT-SWITCH=*OFF removes the specified objects from a list defined with SELECT-SWITCH=*ON or a corresponding /ADD-SAT-FILTER-CONDITIONS command. If *ALL is in effect, the object is included in a negative list.
The specifications for the SELECT-SWITCH operand (in all cases) are only taken into consideration if they result in the creation of conditions. If, for example, USER-IDENTIFICATION=*ALL was defined for a filter with the /ADD-SAT-FILTER-CONDITIONS command, then specifying USER-IDENTIFICATION=HUGO(SELECT-SWITCH=*ON) in the /MODIFY-SAT-FILTER-CONDITIONS command has no effect, whereas specifying USER-IDENTIFICATION=HUGO(SELECT-SWITCH=*OFF) causes this user ID to be entered in a negative list.
If a pattern is in effect for a field value, it is not possible to remove a subset of the values covered by the pattern by means of SELECT-SWITCH=*OFF(VALUE=value). If, for example, a filter condition was defined with SELECT-SWITCH=*ON(VALUE=*MATCH('*ABC*')) or a corresponding /ADD-SAT-FILTER-CONDITIONS command, a /MODIFY-SAT-FILTER-CONDITIONS command specifying SELECT-SWITCH=*OFF(VALUE='SYSABC') has no effect. The desired effect can, however, be achieved by defining a second filter condition:
Example
Let us assume that a filter condition is defined as follows:
/add-sat-filter-conditions name=filter1, -
/ field-name=filname(value=*match('*abc*')), -
/ trigger-action=*logging(recording=*no), ...
The following command has no effect:
/modify-sat-filter-conditions name=filter1, ... -
/ field-name=filname( -
/ select-switch=*off(value=:cati:$tsos.sysabc))
The definition of a second filter condition
/add-sat-filter-conditions name=filter2, -
/ field-name=filname(value=:cati:$tsos.sysabc), ... -
/ trigger-action=*logging(recording=*yes)
has the following effect:
Both these filter conditions are applicable to audit records which concern the file :CATI:$TSOS.SYSABC. Since one of the two conditions (FILTER2) calls for recording, the records are recorded. Audit records which concern other files whose names contain “ABC” are not recorded. Only the condition FILTER1 applies to them, and this excludes recording.
When evaluating a filter condition with a UNIT entry, only the value resulting from multiplying the VALUE and UNIT entries together is relevant, but not how this value is reached.
Examples
The following values are considered to be equivalent since they all represent the same value of 3145728 bytes:
VALUE=3145728(UNIT=*BYTES)
VALUE=3072(UNIT=*KB)
VALUE=3(UNIT=*MB)
A MODIFY-SAT-FILTER-CONDITIONS command with the entry
FIELD-NAME=FILPOS(SELECT-SWITCH=*ON(VALUE=(3072(UNIT=*KB),3(UNIT=*MB))))
is therefore rejected with the following message:
SAT1023 FIELD 'FILPOS' CONTAINS DUPLICATE VALUES. COMMAND REJECTED
A filter condition that was set with the entry
VALUE=3145728(UNIT=*BYTES)
in an ADD-SAT-FILTER-CONDITIONS command can be removed from the filter table with the entry
VALUE=3(UNIT=*MB)
in a MODIFY-SAT-FILTER-CONDITIONS command.
A filter condition with the entry
FIELD-NAME=FILPOS(SELECT-SWITCH=*ON(VALUE=3072(UNIT=*KB)))
is satisfied if the record to be logged contains
FILPOS=6144
Reason: the entry in the record is a count of 512-byte units (see “filpos” in the “Table of auditable information (field names)”), and 6144*512 bytes = 3145728 bytes = 3072 KB.
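The UNIT arithmetic above, as an added example that is not SAT code: Python functions that normalise VALUE(UNIT=...) entries to bytes, reject the cases the page describes with the return codes SAT1035 and SAT1023 (the message texts follow the return-code table and the SAT1023 message quoted above), and compare a filter value against the FILPOS count in a record. The value lists used are constructed.

```python
# Added example (not SAT code): normalising VALUE(UNIT=...) entries for the
# FILPOS, CURLIM2 and MAXLIM2 fields and reproducing the two rejections the
# page describes (SAT1035, SAT1023). Sample values are constructed.
UNIT_FACTOR = {'*BYTES': 1, '*KB': 1024, '*MB': 1024 ** 2, '*GB': 1024 ** 3}
VALUE_MAX = 2 ** 31 - 1          # <integer 0..2147483647>
BYTES_MAX = 2 ** 40 - 512        # upper limit for the resulting byte value


class SatReject(ValueError):
    """Carries the SAT message code the command would return."""
    def __init__(self, code: str, text: str):
        super().__init__(f'{code} {text}')
        self.code = code


def to_bytes(value: int, unit: str = '*BYTES') -> int:
    """Byte value of VALUE=value(UNIT=unit); SAT1035 if the entry is rejected."""
    if not 0 <= value <= VALUE_MAX:
        raise SatReject('SAT1035', 'VALUE TOO BIG')
    nbytes = value * UNIT_FACTOR[unit]
    if nbytes % 512:                 # also catches *BYTES values that are not 512-aligned
        raise SatReject('SAT1035', 'VALUE IS NOT A MULTIPLE OF 512')
    if nbytes > BYTES_MAX:
        raise SatReject('SAT1035', 'VALUE TOO BIG')
    return nbytes


def add_values(current, new):
    """SELECT-SWITCH=*ON: append (value, unit) pairs; pairs that denote the same
    byte value are duplicates whatever their unit (SAT1023)."""
    seen = {to_bytes(v, u) for v, u in current}
    out = list(current)
    for v, u in new:
        b = to_bytes(v, u)
        if b in seen:
            raise SatReject('SAT1023', 'FIELD CONTAINS DUPLICATE VALUES. COMMAND REJECTED')
        seen.add(b)
        out.append((v, u))
    return out


def remove_value(current, value: int, unit: str = '*BYTES'):
    """SELECT-SWITCH=*OFF: only the byte value counts, not how it was written."""
    b = to_bytes(value, unit)
    return [(v, u) for v, u in current if to_bytes(v, u) != b]


def filpos_matches(current, record_filpos: int) -> bool:
    """FILPOS in the audit record is a count of 512-byte units."""
    return record_filpos * 512 in {to_bytes(v, u) for v, u in current}
```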
POSIX file names and Kerberos names are logged by SAT without any restriction. The following SAT fields are case-sensitive in the definition of SAT filter conditions: AUDITID, HOMEDIR, LINKNAM, NEWPATH, PATHNAM, PRINCCL, PRINCSV, SHELL, SYMBDEV. With the exception of SYMBDEV, however, these fields can be specified with a maximum length of 255 bytes only; events with longer field contents can be selected by using wildcards. When a single name is specified (without wildcards), the same special characters are permitted as in POSIX file names or Kerberos names.
See also the general notes on SAT commands on "Functional overview".
Examples
Accesses to the files :A:$TSOS.SYSABC and :B:$SYS.SYSXXX are to be recorded only when they are effected by the users PAUL and HUGO. Two commands are needed in order to define the requisite filter:
One filter condition must first be defined which serves to exclude from recording all accesses to the two files.
/add-sat-filter-conditions name=filter1,select=*parameters( -
/ event-name=*all,user-identification=*all, -
/ field-name=filname(value=(:a:$tsos.sysabc,:b:$sys.sysxxx))), -
/ trigger-action=*logging(recording=*no)
Then the filter condition has to be modified in such a way that it does not apply to the users PAUL and HUGO whose accesses will consequently be recorded.
/modify-sat-filter-conditions name=filter1, select=*parameters( -
/ user-id=(paul(select-switch=*off),hugo(select-switch=*off)))
Accesses to files are only to be recorded if the character string “SYS” or “ABC” occurs in the file name. In addition, accesses to the file :A:$TSOS.SRMLNK are to be recorded.
The following condition excludes from recording accesses to those files whose name does not contain “SYS”:
/add-sat-filter-conditions name=f1,select=*parameters( -
/ event-name=*all,user-identification= *all, -
/ field-name=filname(value=*not-match(pattern='*sys*'))), -
/ trigger-action=*logging(recording=*no)
This would mean that only accesses to files whose name contained the character string “SYS” would be recorded.
A second condition implements the recording requirement for the file :A:$TSOS.SRMLNK.
/add-sat-filter-conditions name=f2,select=*parameters( -
/ field-name=filname(value=:a:$tsos.srmlnk)), -
/ trigger-action=*logging(recording=*yes)
This condition is modified in such a way that it also applies to files whose name contains “ABC”:
/modify-sat-filter-conditions name=f2,select=*parameters( -
/ field-name=filname(select-switch=*on(value=*match('*abc*'))))
Both filter conditions are applicable to files whose name does not contain “SYS” but does contain “ABC”. Since recording is required in one of these conditions, the access is recorded.
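The two examples above, together with the notes on negative lists and on the subset caveat for patterns, as an added example that is not SAT code: a Python model of how a record is matched against several filter conditions and how RECORDING=*YES and RECORDING=*NO combine. It uses Python's fnmatch as a stand-in for the SDF wildcards (sufficient for the '*' patterns used here), does not model the RESULT of an event, and assumes that a record to which no filter condition applies is recorded, as the first example implies for PAUL and HUGO; the event name FIL and the records are constructed.

```python
# Added example (not SAT or BS2000 code): a model of how several SAT filter
# conditions combine on one audit record. The event name 'FIL', the user IDs
# and the records are constructed; RESULT (*SUCCESS/*FAILURE) is not modelled.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase   # stand-in for SDF wildcards; enough for '*'
from typing import Dict, List, Set, Tuple


@dataclass
class Selection:
    """EVENT-NAME or USER-IDENTIFICATION: *ALL minus a negative list, or an
    explicit list of entries added with SELECT-SWITCH=*ON."""
    all: bool = False
    positive: Set[str] = field(default_factory=set)
    negative: Set[str] = field(default_factory=set)

    def applies(self, value: str) -> bool:
        v = value.upper()
        return v not in self.negative if self.all else v in self.positive

    def switch(self, value: str, on: bool) -> None:
        v = value.upper()
        if self.all:
            if not on:                  # *OFF while *ALL is in effect: negative list;
                self.negative.add(v)    # *ON while *ALL is in effect: no effect
        elif on:
            self.positive.add(v)
        else:
            self.positive.discard(v)


@dataclass
class FieldCondition:
    """Value list of one FIELD-NAME entry: ('value', x), ('match', p) or
    ('not-match', p). The condition holds if any entry holds."""
    entries: List[Tuple[str, str]] = field(default_factory=list)

    @staticmethod
    def _key(e):   # *MATCH and *NOT-MATCH with the same pattern count as identical
        return ('value' if e[0] == 'value' else 'pattern', e[1])

    def switch(self, entry: Tuple[str, str], on: bool) -> None:
        entry = (entry[0], entry[1].upper())
        # an identically specified entry is replaced by *ON and removed by *OFF;
        # *OFF with a fixed value never carves a subset out of a pattern
        self.entries = [e for e in self.entries if self._key(e) != self._key(entry)]
        if on:
            self.entries.append(entry)

    def satisfied(self, actual: str) -> bool:
        a = actual.upper()
        for kind, arg in self.entries:
            if kind == 'value':
                if a == arg:
                    return True
            elif (kind == 'match') == fnmatchcase(a, arg):
                return True
        return False


@dataclass
class Filter:
    name: str
    events: Selection
    users: Selection
    fields: Dict[str, FieldCondition]
    recording: bool   # TRIGGER-ACTION=*LOGGING(RECORDING=*YES / *NO)

    def applies(self, record: Dict[str, str]) -> bool:
        return (self.events.applies(record['event'])
                and self.users.applies(record['user'])
                and all(f in record and c.satisfied(record[f])
                        for f, c in self.fields.items()))


def recorded(filters: List[Filter], record: Dict[str, str]) -> bool:
    """RECORDING=*NO excludes a record only if no other applicable condition
    calls for recording; a record no condition applies to stays recorded."""
    verdicts = [f.recording for f in filters if f.applies(record)]
    return any(verdicts) if verdicts else True


def rec(user: str, filname: str) -> Dict[str, str]:   # constructed audit record
    return {'event': 'FIL', 'user': user, 'FILNAME': filname}


def field_cond(*entries: Tuple[str, str]) -> FieldCondition:
    c = FieldCondition()
    for e in entries:
        c.switch(e, on=True)
    return c


def scenario_users() -> List[Filter]:
    """Page example: record accesses to two files only when made by PAUL or HUGO."""
    f1 = Filter('FILTER1', Selection(all=True), Selection(all=True),
                {'FILNAME': field_cond(('value', ':a:$tsos.sysabc'),
                                       ('value', ':b:$sys.sysxxx'))}, recording=False)
    for u in ('paul', 'hugo'):   # MODIFY ... user-id=(paul(select-switch=*off),hugo(...))
        f1.users.switch(u, on=False)
    return [f1]


def scenario_patterns() -> List[Filter]:
    """Page example: record names containing SYS or ABC, plus :A:$TSOS.SRMLNK."""
    f1 = Filter('F1', Selection(all=True), Selection(all=True),
                {'FILNAME': field_cond(('not-match', '*sys*'))}, recording=False)
    f2 = Filter('F2', Selection(all=True), Selection(all=True),
                {'FILNAME': field_cond(('value', ':a:$tsos.srmlnk'))}, recording=True)
    f2.fields['FILNAME'].switch(('match', '*abc*'), on=True)   # MODIFY ... select-switch=*on
    return [f1, f2]
```

Running the two scenarios shows the combination rule at work: PAUL's access to :A:$TSOS.SYSABC is recorded because FILTER1 no longer applies to him, OTTO's is not; a name containing ABC but not SYS is recorded because F2 calls for recording even though F1 excludes it. Removing a single file name from a *MATCH pattern with SELECT-SWITCH=*OFF leaves the entry list unchanged, as the note above states.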