The SAT alarm function adds an effective checking function to the existing range of SAT functions, allowing immediate detection of violations of security rules or improper behavior during system operation.
With the SAT alarm function the security administrator detects improper behavior immediately, rather than only during subsequent evaluation of the SATLOG files, because a message reporting the violation is output on the system console. This is particularly useful for security violations committed by users; the classic example is a user trying out different passwords (password guessing).
The alarm function does not replace SAT logging and the evaluation of the SATLOG files: every violation detected by the alarm function is also entered in the SATLOG file. Furthermore, a large number of alarms resulting from many different events reduces the effectiveness of the alarm, since the administrator can no longer distinguish the important console messages from the noise. For this reason, the events which are to trigger an alarm should be selected with care.
Whether a SAT alarm is triggered in the form of a message on the console depends on:
- the event and its result
- the user ID
- information related to the event
- the period within which a certain number of events occurred
The SAT alarm function is controlled with the following commands:
Command | Function
ADD-SAT-ALARM-CONDITIONS | create new alarm definitions
MODIFY-SAT-ALARM-CONDITIONS | modify existing alarm definitions
REMOVE-SAT-ALARM-CONDITIONS | delete existing alarm definitions
SHOW-SAT-ALARM-CONDITIONS | show existing alarm definitions
The alarm definitions can be saved in the SAT parameter file for use in the next session. Definitions which are not explicitly saved are lost when the current session is terminated. Definitions which have been saved are automatically activated again at the beginning of the next session.
Activating an alarm definition
The alarm function is active only when SAT is in recording mode. If SAT is stopped (/HOLD-SAT-LOGGING), no alarm messages will be issued. It is also not possible to enter new alarm definitions or to modify existing definitions while SAT is stopped.
If SAT is in recording mode, an alarm definition becomes active immediately after it has been defined (/ADD-SAT-ALARM-CONDITIONS) and remains active until the end of the session or until it is deleted with /REMOVE-SAT-ALARM-CONDITIONS. In the period between creation and deletion, a definition can be stored, modified or displayed.
If the security administrator has deactivated the connection to SAT logging for a product by means of /MODIFY-SAT-SUPPORT-PARAMETERS then the alarm function for the events relating to this product is inactive (in the current version of SECOS this applies to events relating to the objects “POSIX-FILE-and-Directory”, “POSIX-CHILD-Process”, “POSIX-PROCESS”, “POSIX-SYSTEM-Resources”).
How the alarm function operates
The alarm function is called for every loggable event, independently of the preselection. All the defined alarm conditions are then checked to determine whether they apply to the current audit record. An alarm condition applies to an audit record only if all the subconditions it contains are true (they are combined with AND). A subcondition which names a field is true only if this field is present in the audit record. If a negative list is specified, the subcondition is true only if none of the fields it lists is present in the audit record. If all the subconditions in an alarm definition apply to an audit record, a warning is issued at the console.