The filter mechanism allows the security administrator to refine the preselection and thus offers the facility to achieve a targeted reduction in the recording quantity.
CAUTION!
If recording in accordance with security standard F2/Q3 is required, no filters may be used. The standard preselection must be used.
A maximum of 32 filter conditions can be defined with the following specifications:
- events and result
- subjects (USER-ID)
- information (fields and their contents)
For field values which can be represented in character form (e.g. <c-string>, <filename>), wildcards may be specified.
These specifications can be made in the form of positive lists (individual listings) or negative lists (*ALL, apart from individual listings). They are logically ANDed to produce a condition. A filter condition thus applies to an audit record whenever all the partial specifications apply to the audit record.
For each filter condition, the TRIGGER-ACTION operand of the /ADD-SAT-FILTER-CONDITIONS or /MODIFY-SAT-FILTER-CONDITIONS command is used to specify an action which is to be performed when the filter condition applies to the audit record.
The following can be specified for TRIGGER-ACTION:
*LOGGING(RECORDING=*YES)
The audit record must be recorded when the condition applies.
*LOGGING(RECORDING=*NO)
The event is not to be recorded if no other applicable filter condition calls for recording.
An audit record is therefore not recorded only when all the filter conditions applicable to the record contain the specification TRIGGER-ACTION=*LOGGING(RECORDING=*NO).
If no filter condition applies to an audit record, it will be recorded.
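The combination rule above (partial specifications ANDed within a condition, a record suppressed only when every applicable condition says RECORDING=*NO, no applicable condition meaning the record is kept) modelled in Python as an added example; this is not code from the manual or from SAT itself. Event names, user IDs and file names are constructed, and fnmatch-style wildcards stand in for the BS2000 wildcard syntax (an assumption).

```python
import fnmatch
from dataclasses import dataclass, field

MAX_CONDITIONS = 32  # limit stated in the manual


@dataclass(frozen=True)
class Spec:
    """One partial specification: a positive list (only these values) or a
    negative list (*ALL apart from these values). Patterns may carry wildcards;
    fnmatch's * and ? stand in for BS2000 wildcards (assumption)."""
    patterns: tuple
    negative: bool = False

    def matches(self, value: str) -> bool:
        hit = any(fnmatch.fnmatchcase(value, p) for p in self.patterns)
        return not hit if self.negative else hit


@dataclass
class FilterCondition:
    name: str
    recording: bool  # TRIGGER-ACTION=*LOGGING(RECORDING=*YES) -> True, *NO -> False
    specs: dict = field(default_factory=dict)  # record field -> Spec

    def applies(self, record: dict) -> bool:
        # partial specifications are logically ANDed; a missing field never matches
        return all(f in record and s.matches(record[f]) for f, s in self.specs.items())


def is_recorded(record: dict, conditions: list) -> bool:
    """Decide whether the audit record is written, following the combination rule."""
    if len(conditions) > MAX_CONDITIONS:
        raise ValueError("at most 32 filter conditions may be defined")
    applicable = [c for c in conditions if c.applies(record)]
    if not applicable:  # no condition applies -> the record is recorded
        return True
    # suppressed only when every applicable condition says RECORDING=*NO
    return any(c.recording for c in applicable)


# Constructed sample filters (names, events, users and file names are illustrative)
CONDITIONS = [
    FilterCondition("NO-BATCH-OPENS", recording=False,
                    specs={"event": Spec(("FILE-OPEN",)), "user": Spec(("BATCH*",))}),
    FilterCondition("KEEP-PAYROLL", recording=True,
                    specs={"filename": Spec((":A:$*.PAYROLL*",))}),
    FilterCondition("NO-OK-LOGONS", recording=False,
                    specs={"event": Spec(("LOGON",)), "result": Spec(("S",)),
                           "user": Spec(("SYSAUDIT", "TSOS"), negative=True)}),
]


def decide_samples() -> list:
    """Run four constructed audit records through CONDITIONS."""
    records = [
        {"event": "FILE-OPEN", "result": "S", "user": "BATCH01", "filename": ":A:$BATCH01.TMP"},
        {"event": "FILE-OPEN", "result": "S", "user": "BATCH01", "filename": ":A:$HR.PAYROLL.2024"},
        {"event": "LOGON", "result": "S", "user": "TSOS"},
        {"event": "LOGON", "result": "S", "user": "USER42"},
    ]
    return [is_recorded(r, CONDITIONS) for r in records]
```

The second record is kept even though NO-BATCH-OPENS applies, because KEEP-PAYROLL also applies with RECORDING=*YES; the third is kept because the negative subject list excludes TSOS, so no condition applies.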
The filter mechanism is controlled by means of the following commands:

Command | Function
ADD-SAT-FILTER-CONDITIONS | Create a filter condition
MODIFY-SAT-FILTER-CONDITIONS | Modify a filter condition
REMOVE-SAT-FILTER-CONDITIONS | Remove a filter condition
SHOW-SAT-FILTER-CONDITIONS | Display a filter condition
The filter definitions can be saved in the SAT parameter file in order that they may be reused during the next session. Definitions which are not explicitly saved lapse on termination of the system session. Saved definitions are automatically activated on commencement of the next system session.
Evaluation of filter conditions
The filter conditions are evaluated after the preselection, for the switchable user IDs and for the non-permanent security-relevant events which the preselection has not already removed. Switchable user IDs are all user IDs apart from SYSAUDIT and the user IDs with the privilege SAT-FILE-MANAGEMENT or SECURITY-ADMINISTRATION. Non-permanent security-relevant events are all events whose audit attribute is changeable (“Y” in the “Audit attribute Chg” column of the “Table of object-related events” and the tables that follow it).
Notes on the performance of the filter mechanism
The filter mechanism offers the facility, through comparison with the information relating to events (fields and their contents), to achieve a targeted reduction in the recording quantity. However, the requisite comparison operations inevitably result in degraded performance in SATCP compared with normal preselection. It is therefore necessary to consider carefully the definition and the utilization of filter conditions.
Activating a filter
A filter is activated immediately after it has been defined (/ADD-SAT-FILTER-CONDITIONS command) and remains active until the end of the system session or until it is deleted by means of the /REMOVE-SAT-FILTER-CONDITIONS command. During this time the definition can be stored, modified or displayed.