Default settings
The selection settings for SAT when first used or without individual changes having been made are as follows:
User ID:                for existing user IDs, the selection settings correspond to the entries in the user catalog. In the case of newly created user IDs, all events are logged.
Event:                  default setting of security-relevant events (see section “Table of object-related events”)
File object:            in accordance with the entries in the file catalog
Logic operation rule:   INDEPENDENT rule
Filter activation:      no filter active
Exit activation:        system exit no. 110 not active
Logging quantity:       *EXTENDED fields are not logged
Selection for the current session
Security-relevant user IDs and events, the logic operation rule and the logging quantity can be selected by the security administrator with the /MODIFY-SAT-PRESELECTION command, provided that SAT is active.
If SAT is suspended by the security administrator by means of the /HOLD-SAT-LOGGING command and is restarted in the same session with the /RESUME-SAT-LOGGING command, the same selection settings apply as before the suspension.
While SAT is suspended, it is not possible to modify the selection of security-relevant events; the /MODIFY-SAT-PRESELECTION command is not executed.
Selection for subsequent sessions
The security administrator is also able to specify the relevance to security of user IDs and events and the logical operation rule for subsequent sessions.
Settings for user IDs (USER) and file objects (FILE) apply automatically in later sessions because they are stored in the user catalog or file catalog, as appropriate. The settings for events, the default setting for new user IDs, the logic rule and the logging quantity, by contrast, must be stored explicitly in the SAT parameter file with the /SAVE-SAT-PARAMETERS command if they are to take effect the next time the system is started up.
Note on the selection of user IDs
Every new user ID is given the audit attribute ON, i.e. all events for these user IDs are automatically logged. If the security administrator does not consider this necessary, he or she can modify this default setting so that all new user IDs receive the audit attribute OFF:
Example
The audit attribute for all new and switchable user IDs is set to OFF (switchable user IDs are all IDs with the exception of SYSAUDIT and IDs with the SECURITY-ADMINISTRATION or SAT-FILE-MANAGEMENT privilege). For the user IDs <user1>, <user2>, <user3>, ... the audit attribute is set to ON. This means that all events that are initiated by the user IDs <user1>, <user2>, <user3>, ... are security-relevant and will be logged.
The user ID TSOS and all user IDs which have been assigned a privilege other than STD-PROCESSING should always be logged. The security administrator’s user IDs, the SYSAUDIT user ID and user IDs with the SAT-FILE-MANAGEMENT privilege are always logged; logging cannot be switched off for these user IDs. If the privilege SECURITY-ADMINISTRATION (only via the startup parameter service) or SAT-FILE-MANAGEMENT (/SET-PRIVILEGE command) is assigned to a user ID whose audit attribute is OFF, the audit attribute is automatically set to ON.
Note on the selection of events
Specific selection settings that are to take effect on startup can either be stored in the SAT parameter file or must be declared again by the security administrator after every system initialization using the /MODIFY-SAT-PRESELECTION command (for example in an automatically executed batch job).
Example
The events “load/execute program” (XLD) and “unload program” (XUL) are to be selected for logging, irrespective of their result. The “add user ID” event (UAD) is to be logged if it is executed successfully, while the “check user ID” event (UCK) is to be logged if it is not executed successfully. Deviating from the default system setting, the security administrator does not consider UTM events (TRM) to be security-relevant and therefore does not want to log them.
These settings are also to apply in subsequent sessions.
The following command is needed to set the selection:
To ensure that this setting automatically takes effect on startup, the command can be executed in a batch job that runs with every system startup. It is preferable, however, to save the setting in the SAT parameter file once the MODIFY-SAT-PRESELECTION command has been executed. To save the setting:
/save-sat-parameters event-preselection=*current
Minimizing the number of logged events
The volume of logged events can be minimized with the aid of the following command:
/modify-sat-preselection event-auditing=( -
/ cep(audit-switch=*off),cip(audit-switch=*off),gad(audit-switch=*off), -
/ gmd(audit-switch=*off),grm(audit-switch=*off),jbe(audit-switch=*off), -
/ jde(audit-switch=*off),jfk(audit-switch=*off),jin(audit-switch=*off), -
/ jvg(audit-switch=*off),jvm(audit-switch=*off),jvs(audit-switch=*off), -
/ kea(audit-switch=*off),ked(audit-switch=*off),kpa(audit-switch=*off), -
/ kpd(audit-switch=*off),kpm(audit-switch=*off),ktc(audit-switch=*off), -
/ kxm(audit-switch=*off),mac(audit-switch=*off),psc(audit-switch=*off), -
/ psd(audit-switch=*off),scr(audit-switch=*off),sct(audit-switch=*off), -
/ sdl(audit-switch=*off),shd(audit-switch=*off),srm(audit-switch=*off), -
/ srs(audit-switch=*off),tba(audit-switch=*off),tbd(audit-switch=*off), -
/ tbe(audit-switch=*off),tbi(audit-switch=*off),tka(audit-switch=*off), -
/ tkc(audit-switch=*off),tkp(audit-switch=*off),tkr(audit-switch=*off), -
/ trm(audit-switch=*off),tvm(audit-switch=*off),twk(audit-switch=*off), -
/ uad(audit-switch=*off),uck(audit-switch=*off),udm(audit-switch=*off), -
/ uds(audit-switch=*off),uml(audit-switch=*off),ump(audit-switch=*off), -
/ uop(audit-switch=*off),urm(audit-switch=*off),usl(audit-switch=*off), -
/ uul(audit-switch=*off),uup(audit-switch=*off),uus(audit-switch=*off), -
/ vda(audit-switch=*off),vdu(audit-switch=*off),vid(audit-switch=*off), -
/ vip(audit-switch=*off))
This has the effect of disabling logging for all events for which an audit attribute has already been defined as a default setting by BS2000 but which are allowed to be changed (see section “Table of object-related events”).
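As an added illustration that is not part of the manual, the following Python helper parses a MODIFY-SAT-PRESELECTION command written in the continuation-line form shown above and reports which event codes it switches off, so a reviewer can check that events they rely on are not dropped by a blanket minimizing command (note that the command above also switches off UAD and UCK, which the earlier example selected for logging). The sample command and the list of events to keep logged are constructed for this example.

```python
import re

# Constructed sample in the manual's continuation-line form: a line ending in "-"
# is continued on the next line, which starts with "/".
SAMPLE_COMMAND = """\
/modify-sat-preselection event-auditing=( -
/ cep(audit-switch=*off),cip(audit-switch=*off),gad(audit-switch=*off), -
/ uad(audit-switch=*off),uck(audit-switch=*off),trm(audit-switch=*off), -
/ vip(audit-switch=*off))
"""

# Hypothetical review policy: event codes the reviewer wants to keep logged.
KEEP_LOGGED = {"UAD", "UCK", "XLD", "XUL"}


def join_continuations(text):
    """Join continuation lines into one logical command string."""
    parts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):          # every physical line starts with "/"
            line = line[1:].strip()
        parts.append(line.rstrip("-").strip())  # drop the continuation marker
    return " ".join(parts)


def parse_event_auditing(text):
    """Return {EVENT_CODE: AUDIT_SWITCH} from the EVENT-AUDITING operand."""
    flat = join_continuations(text)
    m = re.search(r"event-auditing\s*=\s*\((.*)\)", flat, re.IGNORECASE)
    if not m:
        raise ValueError("no EVENT-AUDITING operand found")
    pairs = re.findall(r"([a-z]{3})\(audit-switch=(\*\w+)\)", m.group(1), re.IGNORECASE)
    return {code.upper(): switch.upper() for code, switch in pairs}


def disabled_but_required(text, keep=KEEP_LOGGED):
    """Event codes from the keep-list that the command switches off."""
    events = parse_event_auditing(text)
    return sorted(code for code in keep if events.get(code) == "*OFF")


if __name__ == "__main__":
    print(parse_event_auditing(SAMPLE_COMMAND))
    print("disabled but required:", disabled_but_required(SAMPLE_COMMAND))
```

The same functions accept the full minimizing command from the manual as input; only the sample here is shortened.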