Monitoring special security-relevant activities

Before the security administrator can monitor certain security-relevant activities, he or she must first define which events may occur in the course of these activities. This section contains examples of a number of such problem situations. Specifying a preselection reduces the amount of data that accrues during the current session.

Examples of the generation of complex condition expressions are given under "ADD-SELECTION-CONDITIONS Define selection conditions". A detailed example of evaluation with SATUT is provided under "Example of evaluation".

Detecting potential intrusion attempts

In order to detect potential intrusion attempts at logon time, all failed access attempts are to be evaluated. To achieve this, the security administrator selects the “check user ID” event (UCK) with the result FAILURE for logging.

Selection for preselection:

/modify-sat-preselection -
/ event-auditing=uck(audit-switch=*on(result=*failure))

In order to log failed access attempts, the same setting is made for evaluation (postselection):

//add-selection-conditions name=conlog1, -
// condition=evt equal ’uck’ and res equal f
//start-selection from-file=*input-files, -
// to-file=*par(condition-name=conlog1)

Detecting file manipulation

File manipulation can be considered to be the successful execution of the following events: “create file” (FCD), “modify file” (FMD), “delete file” (FDD), “rename file” (FRN), “delete protection attributes” (FDS), “convert to decrypted file” (FDC) and “convert to encrypted file” (FEC). They should therefore be selected for logging with RESULT=SUCCESS.

Selection for preselection:

/modify-sat-preselection -
/       event-auditing=(fcd(audit-switch=*on(result=*success)), -
/                       ..., -
/                       fec(audit-switch=*on(result=*success)))

Setting for evaluation (postselection):

//add-selection-conditions name=confile, -
//    condition=evt in-list (’fcd’,’fmd’,’fdd’,’frn’,’fds’,’fdc’,’fec’) -
//              and -
//              res equal s and filname equal ’<destroyed file name>’
//start-selection from-file=*input-files, -
//                to-file=*par(condition-name=confile)
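As an added illustration (not code from SAT or SATUT), the following Python reproduces the postselection logic of the two conditions above, conlog1 (failed logon checks) and confile (successful manipulation of one file), over a constructed set of simplified records. The record layout, the use of the field names evt/res/filname as dictionary keys and case-insensitive matching are assumptions of this example.

```python
import re

# Constructed sample records in a simplified form: event code, result, file name.
# Real SAT audit records carry many more fields; this layout is an assumption.
SAMPLE_RECORDS = [
    {"evt": "UCK", "res": "F", "filname": ""},
    {"evt": "UCK", "res": "S", "filname": ""},
    {"evt": "FDD", "res": "S", "filname": "PAYROLL.DATA"},
    {"evt": "FDD", "res": "F", "filname": "PAYROLL.DATA"},
    {"evt": "FRN", "res": "S", "filname": "OTHER.FILE"},
]

# A token is a quoted literal, a parenthesis or comma, or a bare word (e.g. in-list).
_TOKEN = re.compile(r"'([^']*)'|([(),])|([^\s(),']+)")

def tokenize(expr):
    """Split a condition expression into upper-cased tokens (case-insensitive matching)."""
    return [(m.group(1) if m.group(1) is not None else m.group(2) or m.group(3)).upper()
            for m in _TOKEN.finditer(expr)]

def parse_condition(expr):
    """Parse 'FIELD equal VALUE' / 'FIELD in-list (V1,V2,...)' terms joined by 'and'
    into a predicate over a record dictionary."""
    toks, pos, terms = tokenize(expr), 0, []
    while pos < len(toks):
        field, op = toks[pos], toks[pos + 1]
        if op == "EQUAL":
            values, pos = [toks[pos + 2]], pos + 3
        elif op == "IN-LIST":
            if toks[pos + 2] != "(":
                raise ValueError("in-list expects a parenthesised value list")
            end = toks.index(")", pos + 3)          # ValueError if unbalanced
            values, pos = [t for t in toks[pos + 3:end] if t != ","], end + 1
        else:
            raise ValueError(f"unsupported operator {op!r}")
        terms.append((field.lower(), values))
        if pos < len(toks):
            if toks[pos] != "AND":
                raise ValueError(f"expected 'and', got {toks[pos]!r}")
            pos += 1
    return lambda rec: all(rec.get(f, "").upper() in vals for f, vals in terms)

def postselect(records, expr):
    """Return the records that satisfy the selection condition (the postselection step)."""
    matches = parse_condition(expr)
    return [r for r in records if matches(r)]

if __name__ == "__main__":
    print(postselect(SAMPLE_RECORDS, "evt equal 'uck' and res equal f"))
    print(postselect(SAMPLE_RECORDS, "evt in-list ('fcd','fmd','fdd','frn','fds','fdc','fec') "
                                     "and res equal s and filname equal 'PAYROLL.DATA'"))
```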

Logging of UTM events

The logging of UTM events (TRM) can be controlled both in SAT and in openUTM.

Selection for preselection:

/modify-sat-preselection event-auditing= -
/          trm(audit-switch=<*on/*off>(result=<*all/*success/*failure>), -
/          user-auditing=(<utm-userid1>,<utm-userid2>,...)

Setting for evaluation (postselection):

//add-selection-conditions name=conutm, -
//                         condition=evt equal ’trm’ and <conditions>...
//start-selection from-file=*input-files, -
//                to-file=*par(condition-name=conutm)

Control and setting of SAT logging for a UTM application is handled by UTM generation and UTM administration. UTM SAT administration is performed by UTM users with the appropriate authorization. If SAT logging is to start as soon as UTM starts, however, this can only be achieved via UTM generation. Generated logging values can be changed with the aid of KDCMSAT.

Detailed information about SAT logging is to be found in the openUTM manual “Generating Applications” [17].