
Selection procedure


With the exception of permanently security-relevant events, the security administrator determines which events are security-relevant. If a system is to be operated in accordance with the security standard F2/Q3, the system administrator does not need to make any definitions because the system default setting (see section “Table of object-related events”) conforms to this standard. Should the security administrator require different security criteria, however, he/she can define selection rules for security-relevant events with the /MODIFY-SAT-PRESELECTION command.

The determining elements for selection of a security-relevant event are

  • the user ID (USER)

  • the auditable event (EVENT) and event result (RESULT)

  • the user specifications for the special objects file and library (FILE) and the event result (RESULT)

  • the logical operation rule for the above three elements

  • the output scope which serves to specify whether *EXTENDED fields are recorded (see section “Tables of auditable information on object-related events (1)”)

The SHOW-SAT-STATUS command can be used by the security administrator and the SAT file manager to display the selection.

User ID (USER)

Security-relevant user IDs are selected by the security administrator by assigning an audit attribute for the user ID with the USER-AUDITING operand of the SAT command /MODIFY-SAT-PRESELECTION.

The following audit attributes can be assigned:

OFF

User ID is not security-relevant

ON

User ID is security-relevant

The audit attribute that is assigned is entered in the user catalog. It takes effect immediately, and remains in effect until it is next changed, even if that is in another session.

Default setting

When SAT is used for the first time, the audit attribute of all user IDs is ON; their auditable events are security-relevant until the security administrator changes the audit attribute. Similarly, the audit attribute for new user IDs that are set up is also ON; their auditable events are security-relevant until the security administrator changes the audit attribute. The command /MODIFY-SAT-PRESELECTION can be used to modify this default setting.
The audit attribute for the SYSAUDIT user ID and user IDs with the SAT-FILE-MANAGEMENT or SECURITY-ADMINISTRATION privilege is also ON, and this cannot be changed; auditable events relating to these user IDs are always security-relevant.

Event (EVENT)

The selection of events is carried out by the security administrator by assigning an audit attribute with the SAT command /MODIFY-SAT-PRESELECTION, EVENT-AUDITING operand.

The following audit attributes can be assigned for the event:

NONE

Event is not security-relevant

SUCCESS

Event is security-relevant if successfully executed
(RESULT=SUCCESS)

FAILURE

Event is security-relevant if it is not successfully executed
(RESULT=FAILURE)

ALL

Event is security-relevant

Audit attributes for events are recorded in SAT and remain valid in the current session only until they are next changed or until shutdown.
They can also be saved in the SAT parameter file for use in subsequent sessions (see section “SAT parameter file”).

In the next session the settings in the SAT parameter file apply, whether they are the old settings or modified settings.

Default setting

See section “Table of object-related events”.
The mandatory audit attribute for permanently security-relevant events is ALL; this cannot be changed.

User specifications (FILE)

The audit attribute for the special objects file and library is assigned with the aid of the DMS commands /CREATE-FILE or /MODIFY-FILE-ATTRIBUTES by

  • the owner of the file, if authorization to do so has been granted by the group administrator or the global user administrator
    (user catalog entry FILE-AUDIT=*ALLOWED)

  • the privileged user TSOS

The following audit attributes can be assigned for file objects:

NONE

Object is not security-relevant

SUCCESS

Object is security-relevant if the event is successfully executed
(RESULT=SUCCESS)

FAILURE

Object is security-relevant if the event is not successfully executed
(RESULT=FAILURE)

ALL

Object is security-relevant

The audit attribute that is assigned is entered in the file catalog. It takes effect immediately, and remains in effect until it is next changed, even if that is in another session.

Default setting

The file objects are not security-relevant (audit attribute=NONE).

Logic rules

There are two logic rules (logical operation rules) for linking the determining elements for the purpose of selection:

  • INDEPENDENT rule

  • FILES-BY-EVENTS rule

The logic rule is defined by the security administrator with the PRESELECTION-RULE operand of the /MODIFY-SAT-PRESELECTION command.

The logic rule is recorded in SAT and is initially only valid until the next time that it is changed or until shutdown.
It can also be saved in the SAT parameter file for use in subsequent sessions (see section “SAT parameter file”).

In the next session the setting in the SAT parameter file applies, whether that is the old setting or a modified one.


Default setting

INDEPENDENT rule

In the case of the INDEPENDENT rule the determining elements are ORed. An event is always logged if at least one of the three determining elements is security-relevant. Accordingly, an auditable event is security-relevant if

  • the subject (the user ID) is security-relevant,
    i.e. the audit attribute for the user ID is set (ON)

    OR

  • the event (EVENT) is security-relevant,
    i.e. the combination of the audit attribute of EVENT with the event result returns the indicator “security-relevant” (see table)

    OR

  • the file object (FILE) is security-relevant,
    i.e. the combination of the audit attribute of FILE with the event result returns the indicator “security-relevant” (see table).

In the case of objects that are not file objects, FILE is of no relevance and USER OR EVENT applies.


Audit attribute for EVENT or FILE        | NONE                  | SUCCESS               | FAILURE               | ALL
-----------------------------------------|-----------------------|-----------------------|-----------------------|----------------------
Event successfully executed              | not security-relevant | security-relevant     | not security-relevant | security-relevant
(RESULT=SUCCESS)                         |                       |                       |                       |
Event not successfully executed          | not security-relevant | not security-relevant | security-relevant     | security-relevant
(RESULT=FAILURE)                         |                       |                       |                       |

Table 1: Combination of the audit attributes of EVENT and FILE with the event result

In the case of the FILES-BY-EVENTS rule, EVENT and FILE are ANDed. Accordingly, an auditable event is security-relevant if

  • the subject (the user ID) is security-relevant,
    i.e. the audit attribute for the user ID is set (ON)

    OR

  • the event (EVENT) is security-relevant,
    i.e. the combination of the audit attribute of EVENT with the event result returns the indicator “security-relevant” (see table above)

    AND

  • the file object (FILE) is security-relevant,
    i.e. the combination of the audit attribute of FILE with the event result returns the indicator “security-relevant” (see table above).

In the case of objects that are not file objects, FILE is of no relevance and the condition USER OR EVENT applies, in the same way as for the INDEPENDENT rule.
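The following model of the selection procedure is an added example; it is not code from the SAT manual or from the product itself. It encodes Table 1 and the two logic rules described above, together with the fixed rules for the SYSAUDIT user ID, the SAT-FILE-MANAGEMENT and SECURITY-ADMINISTRATION privileges, and permanently security-relevant events. The user IDs, event names and file attributes in the demo are constructed; the assumption that an event with no explicitly assigned attribute counts as NONE is this example's simplification (the real default comes from the “Table of object-related events”).

```python
# Added example: a model of SAT preselection (USER / EVENT / FILE selection
# with the INDEPENDENT and FILES-BY-EVENTS rules). Not the product's code.
from dataclasses import dataclass, field
from typing import Optional

# Table 1: does the audit attribute of EVENT or FILE, combined with the
# event result, yield the indicator "security-relevant"?
RELEVANT = {
    ("NONE", "SUCCESS"): False,    ("NONE", "FAILURE"): False,
    ("SUCCESS", "SUCCESS"): True,  ("SUCCESS", "FAILURE"): False,
    ("FAILURE", "SUCCESS"): False, ("FAILURE", "FAILURE"): True,
    ("ALL", "SUCCESS"): True,      ("ALL", "FAILURE"): True,
}

# User IDs holding one of these privileges always have the audit attribute ON.
ALWAYS_AUDITED_PRIVILEGES = {"SAT-FILE-MANAGEMENT", "SECURITY-ADMINISTRATION"}


@dataclass
class AuditableEvent:
    user: str                        # user ID (USER)
    event: str                       # auditable event (EVENT)
    result: str                      # "SUCCESS" or "FAILURE" (RESULT)
    file_audit: Optional[str] = None  # FILE audit attribute; None if not a file object


@dataclass
class Preselection:
    """State that /MODIFY-SAT-PRESELECTION would set (modelled, not real)."""
    user_auditing: dict = field(default_factory=dict)    # user ID -> ON/OFF
    event_auditing: dict = field(default_factory=dict)   # event -> NONE/SUCCESS/FAILURE/ALL
    user_privileges: dict = field(default_factory=dict)  # user ID -> set of privileges
    permanent_events: set = field(default_factory=set)   # permanently security-relevant events
    rule: str = "INDEPENDENT"                            # PRESELECTION-RULE

    def user_always_on(self, user: str) -> bool:
        # SYSAUDIT and privileged user IDs: audit attribute ON, cannot be changed
        return user == "SYSAUDIT" or bool(
            self.user_privileges.get(user, set()) & ALWAYS_AUDITED_PRIVILEGES)

    def set_user_auditing(self, user: str, attr: str) -> None:
        if attr not in ("ON", "OFF"):
            raise ValueError(f"invalid USER-AUDITING value {attr!r}")
        if self.user_always_on(user):
            raise ValueError(f"audit attribute of {user} cannot be changed")
        self.user_auditing[user] = attr

    def set_event_auditing(self, event: str, attr: str) -> None:
        if attr not in RELEVANT_ATTRIBUTES:
            raise ValueError(f"invalid EVENT-AUDITING value {attr!r}")
        if event in self.permanent_events:
            raise ValueError(f"{event} is permanently security-relevant (ALL)")
        self.event_auditing[event] = attr

    def user_relevant(self, user: str) -> bool:
        # Default for user IDs never modified is ON (see "Default setting")
        return self.user_always_on(user) or self.user_auditing.get(user, "ON") == "ON"

    def event_attribute(self, event: str) -> str:
        if event in self.permanent_events:
            return "ALL"
        return self.event_auditing.get(event, "NONE")  # assumption: NONE if unset

    def is_security_relevant(self, ev: AuditableEvent) -> bool:
        u = self.user_relevant(ev.user)
        e = RELEVANT[(self.event_attribute(ev.event), ev.result)]
        if ev.file_audit is None:           # not a file object: USER OR EVENT
            return u or e
        f = RELEVANT[(ev.file_audit, ev.result)]
        if self.rule == "INDEPENDENT":      # USER OR EVENT OR FILE
            return u or e or f
        if self.rule == "FILES-BY-EVENTS":  # USER OR (EVENT AND FILE)
            return u or (e and f)
        raise ValueError(f"unknown PRESELECTION-RULE {self.rule!r}")


RELEVANT_ATTRIBUTES = ("NONE", "SUCCESS", "FAILURE", "ALL")


def demo() -> tuple:
    """Same failed file access under both rules (constructed names)."""
    sel = Preselection(user_privileges={"SECADM": {"SECURITY-ADMINISTRATION"}},
                       permanent_events={"PERMEVT"})
    sel.set_user_auditing("USER1", "OFF")          # user not security-relevant
    sel.set_event_auditing("FILEOPEN", "SUCCESS")  # event relevant only on success
    ev = AuditableEvent("USER1", "FILEOPEN", "FAILURE", file_audit="ALL")
    independent = sel.is_security_relevant(ev)     # FILE alone suffices -> True
    sel.rule = "FILES-BY-EVENTS"
    by_events = sel.is_security_relevant(ev)       # EVENT AND FILE fails -> False
    return independent, by_events


if __name__ == "__main__":
    print(demo())
```

The demo makes the practical difference between the rules visible: with FILE=ALL on a file whose access fails, INDEPENDENT logs the failure regardless of the EVENT attribute, whereas FILES-BY-EVENTS suppresses it because the EVENT attribute SUCCESS does not cover a FAILURE result. The `set_*` methods also refuse the changes the manual says are impossible (SYSAUDIT, privileged user IDs, permanently security-relevant events).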

Note

The make-up of the logic rules shows that even when the set of security-relevant events is reduced to a minimum (see "Individual control of selection") at least all auditable events relating to the SYSAUDIT user ID and the user IDs with the SAT-FILE-MANAGEMENT or SECURITY-ADMINISTRATION privileges (see "Selection procedure") are security-relevant and are logged.

Logging quantity

*EXTENDED fields are fields which contain extended information about an event. They are marked in the “Tables of auditable information on object-related events (1)” with an “E”. These fields are only recorded if the security administrator permits recording by specifying LOGGING-QUANTITY=*EXTENDED in the /MODIFY-SAT-PRESELECTION command.

Default setting

*EXTENDED fields are not recorded.