MODIFY-SAT-PRESELECTION Modify SAT preselection value

Domain:

SECURITY-ADMINISTRATION

Privileges:

SECURITY-ADMINISTRATION

The /MODIFY-SAT-PRESELECTION command can be used by the security administrator to specify modifications to the following:

  1. the default selection values which determine the events to be logged by SATCP; actual logging is dependent on the result of the operation, the event type and the user ID

  2. the selection rule (see “Selection of events to be logged” above)

  3. the authorization to invoke the system exit; the exit is not activated unless the exit routine has been loaded by system administration.

  4. the recording scope which serves to specify whether *EXTENDED fields are recorded. *EXTENDED fields are marked in the “Tables of auditable information on object-related events (1)” by means of an “E”.

  5. the default value for the audit setting (“user audit default”) for newly created user IDs.

Irrespective of the /MODIFY-SAT-PRESELECTION, the selection of files and library members may also be affected by modifications to the audit entry in the catalog.

MODIFY-SAT-PRESELECTION

EVENT-AUDITING = *UNCHANGED / list-poss(50): <name 3..3>(...)
    <name 3..3>(...)
        | AUDIT-SWITCH = *ON (...) / *OFF
            *ON (...)
                | RESULT = *ALL / *SUCCESS / *FAILURE

, USER-AUDITING = *UNCHANGED / *ALL-SWITCHABLE(...) / *DEFAULT(...) / list-poss(50): <name 1..8>(...)
    *ALL-SWITCHABLE(...)
        | AUDIT-SWITCH = *ON / *OFF
    *DEFAULT(...)
        | NEW-USER = *ON / *OFF
    <name 1..8>(...)
        | AUDIT-SWITCH = *ON / *OFF

, PRESELECTION-RULE = *UNCHANGED / *INDEPENDENT / *FILES-BY-EVENTS

, EXIT = *UNCHANGED / *YES / *NO

, LOGGING-QUANTITY = *UNCHANGED / *STD / *EXTENDED

EVENT-AUDITING =
This defines the events for which auditing is to be activated or deactivated.

EVENT-AUDITING = *UNCHANGED
The current selection of events to be logged is retained.

EVENT-AUDITING = list-poss(50): <name 3..3>(...)
This specifies the event for which auditing is to be activated or deactivated, using the 3-character event name, e.g. FCD, FRD, ... (see “Table of object-related events”). If you specify POSIX events, please pay special attention to Note 4.

AUDIT-SWITCH =
This defines which events are to be audited.

AUDIT-SWITCH = *ON(...)
The specified event is selected for auditing.

RESULT =
This defines the circumstances under which the event is to be logged:

RESULT = *ALL
The event is always to be logged.

RESULT = *SUCCESS
The event is to be logged if the operation has been successful.

RESULT = *FAILURE
The event is to be logged if the operation has not been successful.

AUDIT-SWITCH = *OFF
The specified event is not selected for auditing.

USER-AUDITING =
This serves to specify the user IDs for which the SAT preselection is to be modified. The new selection for the auditing of a user ID is entered in the user catalog and takes effect immediately.

USER-AUDITING = *UNCHANGED
The current selection of user IDs subject to auditing is retained.

USER-AUDITING = *ALL-SWITCHABLE(...)
Defines the events which are to be logged for all switchable user IDs. Switchable user IDs are all user IDs apart from the security administrator’s ID, the user ID SYSAUDIT and user IDs possessing the SAT file management privilege.

AUDIT-SWITCH = *ON / *OFF
This defines which events are to be logged.

AUDIT-SWITCH = *ON
All events triggered by a switchable user ID are to be logged.

AUDIT-SWITCH = *OFF
Events triggered by a switchable user ID will only be logged if they have been selected using the EVENT-AUDITING operand and/or affect a selected file object (dependent on the logic rule defined with the PRESELECTION-RULE operand).

USER-AUDITING = *DEFAULT(...)
Specifies the default value for the audit setting for newly created user IDs. Newly created user IDs are all user IDs which are created after execution of the current /MODIFY-SAT-PRESELECTION command.

NEW-USER = *ON / *OFF
Defines which events are to be logged.

NEW-USER = *ON
All events triggered by a newly created user ID are to be logged.

NEW-USER = *OFF
Events triggered by a newly created user ID will only be logged if they have been selected using the EVENT-AUDITING operand and/or affect a selected file object (dependent on the logic rule defined with the PRESELECTION-RULE operand).

USER-AUDITING = list-poss(50): <name 1..8>(...)
Defines for each user ID which events are to be logged.

AUDIT-SWITCH = *ON / *OFF
This defines which events are to be logged.

For systems with BS2000 OSD/BC > V11.0:
With this specification, logging can also be switched on for non-switchable user IDs if it was switched off due to an error.

AUDIT-SWITCH = *ON
All events triggered by the respective user IDs are to be logged.

AUDIT-SWITCH = *OFF
Events triggered by the respective user ID will only be logged if they have been selected using the EVENT-AUDITING operand and/or affect a selected file object (dependent on the logic rule defined with the PRESELECTION-RULE operand).

PRESELECTION-RULE =
This defines the logic rule governing selection.

PRESELECTION-RULE = *UNCHANGED
The current selection rule is retained.

PRESELECTION-RULE = *INDEPENDENT
This forces logging of an event if the event, the subject (user ID) or the file object (file, library, ACL) has been selected and is affected by the event. This is equivalent to ORing as follows:

subject OR event OR file object

The INDEPENDENT selection rule causes an event to be logged when the object or subject has been selected even if the event itself has not been selected. A user ID may also be logged because of certain selected events or objects (see section “Selection procedure”) even though it is not selected itself.

PRESELECTION-RULE = *FILES-BY-EVENTS
This rule always results in auditing provided the subject has been selected. If the subject has not been selected, no auditing takes place unless both event and file object have been selected and the event result matches their audit attributes. If the event is not a file object event, the INDEPENDENT rule applies (see section “Selection procedure”).

The logic rule for *FILES-BY-EVENTS is as follows:

subject OR (event AND file object)
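To make the two selection rules concrete, here is an added model of the preselection decision (example code written for this page, not part of the BS2000 manual or SATCP). It assumes the file object's catalog audit entry uses the same *ALL/*SUCCESS/*FAILURE values as the event RESULT attribute, and the sample state mirrors example 1 of this page (FRD/FDD always, FRN on failure, HUGO and BILL audited, JAMES exempt, rule *FILES-BY-EVENTS); the file names are constructed.

```python
from dataclasses import dataclass

# RESULT audit attributes exactly as spelled in the command syntax.
RESULT_ALL, RESULT_SUCCESS, RESULT_FAILURE = "*ALL", "*SUCCESS", "*FAILURE"


@dataclass
class Preselection:
    """Constructed model of the SAT preselection state (not the SATCP data structure)."""
    rule: str      # "*INDEPENDENT" or "*FILES-BY-EVENTS"
    events: dict   # selected 3-character event name -> RESULT attribute; *OFF events are absent
    users: dict    # user ID -> True for AUDIT-SWITCH=*ON, False for *OFF
    files: dict    # selected file object -> audit attribute (assumed to use the RESULT values)


def result_matches(attr, success):
    """Does an operation outcome satisfy a RESULT=*ALL/*SUCCESS/*FAILURE attribute?"""
    return (attr == RESULT_ALL
            or (attr == RESULT_SUCCESS and success)
            or (attr == RESULT_FAILURE and not success))


def is_logged(p, user, event, success, file_obj=None):
    """Decide whether one event is logged under the configured selection rule.

    file_obj=None means the event is not a file object event.
    """
    subject = p.users.get(user, False)
    event_sel = event in p.events and result_matches(p.events[event], success)
    file_sel = (file_obj is not None and file_obj in p.files
                and result_matches(p.files[file_obj], success))
    if p.rule == "*FILES-BY-EVENTS" and file_obj is not None:
        # subject OR (event AND file object); both audit attributes must match the result
        return subject or (event_sel and file_sel)
    # *INDEPENDENT, which also applies to non-file-object events under *FILES-BY-EVENTS:
    # subject OR event OR file object
    return subject or event_sel or file_sel


# Constructed state mirroring example 1 of this page; "TEST.DATA" is a constructed file name.
EXAMPLE_PRESELECTION = Preselection(
    rule="*FILES-BY-EVENTS",
    events={"FRD": RESULT_ALL, "FDD": RESULT_ALL, "FRN": RESULT_FAILURE},
    users={"HUGO": True, "BILL": True, "JAMES": False},
    files={"TEST.DATA": RESULT_ALL},
)
```

With this state, a failed rename by the exempt user JAMES is logged only when the file object is selected as well, whereas under *INDEPENDENT the selected FRN event alone would trigger logging.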

EXIT = *UNCHANGED / *YES / *NO
This defines whether system exit 110 (writing of SAT data) may be invoked.

LOGGING-QUANTITY = *UNCHANGED / *STD / *EXTENDED
Determines whether *EXTENDED fields are included in the SATLOG file.

LOGGING-QUANTITY = *STD
*EXTENDED fields are not included in the SATLOG file.

LOGGING-QUANTITY = *EXTENDED
*EXTENDED fields are included in the SATLOG file.

Note

The specification of *EXTENDED is also required if *EXTENDED fields are to be evaluated by a SAT exit routine.

Command return codes

(SC2)   SC1   Maincode   Meaning
        0     CMD0001    Command successfully executed
                         Warning: unknown event
                         Warning: event not switchable
                         Warning: user ID unknown
                         Warning: user ID not switchable
        32    SAT0000    Unrecoverable error
        64    SAT1000    User not privileged for command
        64    SAT1010    Event already exists in event list
        64    SAT1020    User already exists in user list
        64    SAT1030    Command permitted only if logging function is activated
        128   SAT1050    Another command is currently being processed
        128   SAT1080    Exchange being prepared

Notes
  1. The selection settings for SAT when first used or without individual changes having been made are as follows:

     User ID: for existing user IDs, the selection settings correspond to the entries in the user catalog. In the case of newly created user IDs, all the events are logged.

     Event: default setting of security-relevant events (see “Table of object-related events”)

     File object: in accordance with the entries in the file catalog

     Logic rule: INDEPENDENT rule

     Exit activation: system exit 110 not active

     Recording scope: *EXTENDED fields are not recorded

  2. An error message is returned if one or more of the specified user IDs do not exist in the user catalog. The command is executed for those user IDs present in the user catalog. The same rule applies to unknown event types.

  3. By default, AUDIT-SWITCH=ON is set for any new user ID created with ADD-USER. If user IDs are taken over from a previous version of BS2000/OSD-BC, the user IDs retain the previous settings.

  4. If an event belongs to a product for which the activation of SAT support can be controlled with /MODIFY-SAT-SUPPORT-PARAMETERS (in the current version, this is restricted to POSIX), then any setting for this event made with /MODIFY-SAT-PRESELECTION is always accepted. However, if the event occurs, this setting is only effective if SAT support is activated for the product in question.

  5. See also the general notes on SAT commands on "Functional overview".

Examples
  1. The security administrator wishes to:

    • have the event types READ-DATA and DELETE-DATA logged in any case

    • have RENAME FILE (DMS) logged in the event of FAILURE

    • subject the user IDs HUGO and BILL to auditing

    • exempt the user ID JAMES from auditing

    • apply the FILES-BY-EVENTS selection rule

    To this end, the security administrator first has to look up the event names for the operations ’read file’ (=FRD), ’delete file’ (=FDD) and ’rename file’ (=FRN) under FILE in “Table of object-related events”.

    Then the security administrator must issue the following command:

    /modify-sat-preselection -
    /       event-auditing=(frd(audit-switch=*on(result=*all)), -
    /                       fdd(audit-switch=*on(result=*all)), -
    /                       frn(audit-switch=*on(result=*failure))), -
    /       user-auditing=(hugo(audit-switch=*on), -
    /                      bill(audit-switch=*on), -
    /                      james(audit-switch=*off)), -
    /       preselection-rule=*files-by-events

  2. The security administrator wants to activate default system logging for all user IDs, i.e. the default setting for events’ audit attribute (see “Table of object-related events”). This setting is also to apply for user IDs which are to be created in the future. To do this, two commands are necessary. The first defines audit logging for already existing user IDs. The second command applies to newly created user IDs:

    /modify-sat-preselection -
    /       user-auditing=*all-switchable(audit-switch=*off)

    /modify-sat-preselection -
    /       user-auditing=*default(new-user=*off)