Domain: | SECURITY-ADMINISTRATION |
Privileges: | SECURITY-ADMINISTRATION |
The security administrator uses this command to define conditions for the occurrence of an alarm situation.
The alarm definition can be displayed by the /SHOW-SAT-ALARM-CONDITIONS
command. It can be removed again by means of /REMOVE-SAT-ALARM-CONDITIONS.
The events which are to trigger alarms are specified as follows:
by the event name and the result on occurrence of the event
by the user ID of the recorded event
by the information relating to the event
If a certain number of such events occur within a specified period of time, an alarm is triggered in the form of a message on the operator console.
ADD-SAT-ALARM-CONDITIONS
NAME = <name 1..8>
Name of the alarm.
SELECT = *PARAMETERS(...)
This defines which conditions must be fulfilled in order to trigger the action specified for the TRIGGER-ACTION operand of this command.
EVENT-NAME =
Type and result of the event(s) to be monitored.
EVENT-NAME = *ALL
All events which can be recorded by SAT are to be monitored for the alarm function.
EVENT-NAME = list-poss(50): <name 3..3>(...)
The explicit name of an event. This name must be taken from “Table of object-related events”. If you specify POSIX events, please pay special attention to Note 4.
RESULT = *ALL / *SUCCESS / *FAILURE
Specifies the result the event is to have.
USER-IDENTIFICATION =
The user IDs which are to be monitored.
USER-IDENTIFICATION = *ALL
All user IDs are to be monitored.
USER-IDENTIFICATION = list-poss(50): <name 1..8>
The specified user IDs are to be monitored. The user ID does not need to exist at the time when the alarm condition is defined.
FIELD-NAME =
This specifies which field of an event is to be monitored.
FIELD-NAME = *ALL
All fields of an event are to be monitored.
FIELD-NAME = list-poss(50): <name 3..7>(...)
Only the fields specified here are monitored. A list of the possible field names can be found in “Tables of auditable information on object-related events (1)”.
VALUE = *ALL / *MATCH(...) / *NOT-MATCH(...) / list-poss(10): <text> /
list-poss(10): <integer 0..2147483647>(...)
A list of the field names and the information output in these fields can be found in “Tables of auditable information on object-related events (1)”.
<text> depends on the field being logged.
VALUE = *MATCH(...)
Specifies a pattern for the field name. The condition is valid if the value for comparison matches this pattern. The pattern specification is only permitted for field names whose values represent a string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification in the format <c-string 1..255> in which, as with the SDF data type <c-string with-wild (n)>, parts of the string can be replaced by wildcards.
The available wildcard characters are as follows:
* | Stands for any character string, including the empty string
/ | Stands for exactly one character
\ | Escape character: the wildcard character that follows it (* / < > : ,) is taken literally as part of the character string
<sx:sy> | Range specification: stands for a character string lying in the range from sx to sy
<s1,...> | Stands for all character strings to which one of the strings s1, ... applies. An s may also be the empty string, and any s may itself be a range specification <sx:sy>
VALUE = *NOT-MATCH(...)
Specifies a pattern for the field name. The condition is valid if the value for comparison does not match this pattern. The pattern specification is only permitted for field names whose values represent a string (<c-string>, <filename>, <name>).
PATTERN = <text>
Pattern specification as in VALUE=*MATCH.
VALUE = <integer 0..2147483647>(...)
Specifies a numerical value for the field name. This value is only allowed for fields whose value is of type <integer>.
UNIT = *BYTES / *KB / *MB / *GB
Specifies the units to be used in interpreting the value specified with the VALUE operand. This entry is only allowed for field names filpos, curlim2 and maxlim2.
The following applies:
If UNIT=*BYTES is specified explicitly or applies implicitly, the value must be a multiple of 512.
The maximum of 2^40-512 (= 1 099 511 627 264) bytes must not be exceeded either when UNIT=*KB / *MB / *GB is specified. Depending on the UNIT entry, this results in the following maximum values:
UNIT= | Maximum value for VALUE | Corresponds in bytes to
*BYTES | 2^31-1 = 2 147 483 647 | 2^31-1 = 2 147 483 647
*KB | 2^30-1 = 1 073 741 823 | 2^40-2^10 = 1 099 511 626 752
*MB | 2^20-1 = 1 048 575 | 2^40-2^20 = 1 099 510 579 200
*GB | 2^10-1 = 1 023 | 2^40-2^30 = 1 098 437 885 952
Note that for UNIT=*BYTES the multiple-of-512 rule means the largest value that is actually accepted is 2^31-512 = 2 147 483 136.
TIME-LIMIT =
The period within which x (defined with REPEAT) occurrences of an event are to trigger an alarm.
TIME-LIMIT = *UNDEFINED
The entire period of SAT logging is evaluated, i.e. the alarm is triggered as soon as x occurrences of the event have been recorded, no matter how far apart they are. If, for example, incorrect password entries are monitored, TIME-LIMIT=*UNDEFINED will eventually trigger the alarm even if a user mistypes the password (perhaps due to a typing error) only once a week. Alarms of this kind are clearly less effective; long-term monitoring is therefore better done by evaluating the SATLOG files.
TIME-LIMIT = *WITHIN(...)
The period within which the specified number of events must occur in order to trigger an alarm. Values must be specified for all three operands.
DAYS = <integer 0..365>
Specification of the period in days.
HOURS = <integer 0..23>
Specification of the period in hours.
MINUTES = <integer 0..59>
Specification of the period in minutes.
REPEAT = 3 / <integer 1..255>
The number of times the event must occur within the specified period in order to trigger an alarm.
TRIGGER-ACTION = *OPERATOR-MESSAGE(...)
The action to be executed when the alarm is triggered, and the expected response to this action. In this version, the only possible action is the output of a message (SAT2200) on the operator console.
WAIT-RESPONSE = *YES / *NO
Specifies whether or not the message must be acknowledged.
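The selection and threshold logic of an alarm definition described above (EVENT-NAME with RESULT, USER-IDENTIFICATION, FIELD-NAME with a *MATCH / *NOT-MATCH pattern, and REPEAT occurrences within TIME-LIMIT or over the whole logging period for *UNDEFINED) as an added Python model. This is example code written for this page, not SAT itself or anything from the BS2000 documentation. The event name EVA, the user ID USERA and the records are constructed; the pattern matcher implements *, /, \ and <s1,...> but not the <sx:sy> range form; and clearing the counter once an alarm fires is an assumption, since the manual does not say how SAT resets its count.

```python
"""Model of how an ADD-SAT-ALARM-CONDITIONS definition selects SAT records and
fires after REPEAT hits within TIME-LIMIT.  Added example; not SAT code."""
import re
from collections import deque
from datetime import datetime, timedelta


def sdf_pattern_to_regex(pattern):
    """Translate the wildcard syntax of PATTERN into a Python regex:
    *  -> any string (including empty), / -> exactly one character,
    \\x -> the literal character x, <s1,s2,...> -> one of the alternatives.
    The <sx:sy> range form is not implemented here."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):      # escaped wildcard character
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append(".*")
        elif c == "/":
            out.append(".")
        elif c == "<":
            j = pattern.find(">", i)
            if j < 0:
                raise ValueError("unterminated '<' in pattern")
            alts = pattern[i + 1:j].split(",")         # an empty alternative is allowed
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def sdf_match(pattern, value):
    return re.fullmatch(sdf_pattern_to_regex(pattern), value, re.DOTALL) is not None


class AlarmCondition:
    """One alarm definition.  fields maps FIELD-NAME -> (mode, pattern) with mode
    "*MATCH" or "*NOT-MATCH"; time_limit=None models TIME-LIMIT=*UNDEFINED."""

    def __init__(self, name, event_names="*ALL", result="*ALL", user_ids="*ALL",
                 fields=None, time_limit=None, repeat=3):
        self.name, self.event_names, self.result = name, event_names, result
        self.user_ids, self.fields = user_ids, fields or {}
        self.time_limit, self.repeat = time_limit, repeat
        self.hits = deque()                              # timestamps of selected records

    def selects(self, rec):
        if self.event_names != "*ALL" and rec["event"] not in self.event_names:
            return False
        if self.result != "*ALL" and rec["result"] != self.result:
            return False
        if self.user_ids != "*ALL" and rec["user"] not in self.user_ids:
            return False
        for field, (mode, pattern) in self.fields.items():
            if field not in rec["fields"]:               # field absent: condition not met
                return False
            if sdf_match(pattern, rec["fields"][field]) != (mode == "*MATCH"):
                return False
        return True

    def feed(self, rec):
        """Return True if this record is the REPEAT-th selected record within TIME-LIMIT."""
        if not self.selects(rec):
            return False
        self.hits.append(rec["time"])
        if self.time_limit is not None:                  # *WITHIN: drop hits outside the window
            while rec["time"] - self.hits[0] > self.time_limit:
                self.hits.popleft()
        if len(self.hits) >= self.repeat:
            self.hits.clear()                            # assumption: count restarts after an alarm
            return True
        return False


def run(condition, records):
    """Feed records in time order; return the indices of records at which SAT2200 would be issued."""
    return [i for i, r in enumerate(records) if condition.feed(r)]


# Constructed records: accesses to files under /etc; EVA is a hypothetical event name.
T0 = datetime(2024, 1, 1, 9, 0)
WINDOW_10MIN = timedelta(minutes=10)

def make_rec(minutes, result, path, user="USERA"):
    return {"time": T0 + timedelta(minutes=minutes), "event": "EVA", "result": result,
            "user": user, "fields": {"PATHNAM": path}}

RECORDS = [make_rec(0, "*FAILURE", "/etc/passwd"), make_rec(2, "*SUCCESS", "/etc/shadow"),
           make_rec(4, "*FAILURE", "/etc/shadow"), make_rec(30, "*FAILURE", "/etc/group"),
           make_rec(31, "*FAILURE", "/etc/hosts"), make_rec(32, "*FAILURE", "/etc/passwd")]

def etc_condition(time_limit):
    return AlarmCondition("ETCFAIL", event_names=["EVA"], result="*FAILURE",
                          fields={"PATHNAM": ("*MATCH", "/etc/*")},
                          time_limit=time_limit, repeat=3)

if __name__ == "__main__":
    print(run(etc_condition(WINDOW_10MIN), RECORDS))   # [5]: three failures within 10 minutes
    print(run(etc_condition(None), RECORDS))           # [3]: *UNDEFINED counts the 09:00 and 09:04 failures too
```

The two runs at the bottom show the point the TIME-LIMIT description makes: with *WITHIN(MINUTES=10) the two failures at 09:00 and 09:04 age out and the alarm fires only on the burst at 09:30-09:32, whereas with *UNDEFINED the third failure overall, half an hour after the first, already fires it.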
Command return codes
(SC2) | SC1 | Maincode | Meaning
 | 0 | CMD0001 | Command successfully executed
 | 32 | SAT0000 | Unrecoverable error
 | 64 | SAT1000 | User not privileged for command
 | 64 | SAT1020 | Event already exists in event list
 | 64 | SAT1022 | Field already exists in field list
 | 64 | SAT1023 | Field contains duplicate values
 | 64 | SAT1026 | Specified time limit invalid
 | 64 | SAT1027 | Alarm already exists
 | 64 | SAT1029 | Event unknown
 | 64 | SAT1030 | User already exists in user list
 | 64 | SAT1035 | Value is not a multiple of 512 or too big
 | 64 | SAT1050 | Command permitted only if logging function is activated
 | 64 | SAT1071 | Alarm table is full
 | 128 | SAT1010 | Another command is currently being processed
 | 128 | SAT1080 | Exchange being prepared
Notes
There are no predefined alarm definitions. When SAT is started for the first time, there is no parameter file and it is thus not possible to read any definitions from this file.
It is, however, possible to save the current definitions in a SAT parameter file for the next session with the /SAVE-SAT-PARAMETERS command; they are then available again the next time SAT is started. There are no default values for alarm definitions: if the current values are not stored in the SAT parameter file, no alarm definitions will exist in the next session.
Up to 32 alarm definitions can be stored.
If an alarm definition contains a product event for which the activation of SAT support can be controlled with /MODIFY-SAT-SUPPORT-PARAMETERS (in the current version, this is restricted to POSIX) then, if the event occurs, this alarm can only be issued if SAT support is activated for the product in question.
When evaluating an alarm condition with a UNIT entry, only the value resulting from multiplying the VALUE and UNIT entries together is relevant, but not how this value is reached.
Examples
The following values are considered to be equivalent since they all represent the same value of 3145728 bytes:
VALUE=3145728(UNIT=*BYTES) VALUE=3072(UNIT=*KB) VALUE=3(UNIT=*MB)
An ADD-SAT-ALARM-CONDITIONS command with the entry
FIELD-NAME=*FILPOS(VALUE=(3072(UNIT=*KB),3(UNIT=*MB)))
is therefore rejected with the following message:
SAT1023 FIELD 'FILPOS' CONTAINS DUPLICATE VALUES. COMMAND REJECTED
An alarm condition with the following entry
FIELD-NAME=*FILPOS(VALUE=3072(UNIT=*KB))
is valid if the record to be logged contains
FILPOS=6144
. Reason: the entry in the record represents a multiple of 512 bytes (see “filpos in Table of auditable information (field names)”) and 6144*512 Bytes = 3145728 Bytes = 3072 KB.
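The UNIT rules given for integer field values (multiple of 512, the 2^40-512 byte ceiling, the per-UNIT maxima, and duplicate detection after normalisation) together with the FILPOS comparison in the example above, as an added Python model. This is example code written for this page, not SAT code; the return codes it reports are the SAT1035 and SAT1023 conditions listed in the return code table, and the FILPOS comparison assumes, as the example states, that the logged value is a count of 512-byte units.

```python
"""UNIT handling for integer field values (FILPOS, CURLIM2, MAXLIM2) with the
SAT1035 and SAT1023 checks.  Added example; not SAT code."""

UNIT_FACTOR = {"*BYTES": 1, "*KB": 1 << 10, "*MB": 1 << 20, "*GB": 1 << 30}
SDF_INT_MAX = (1 << 31) - 1         # <integer 0..2147483647>
TOTAL_MAX_BYTES = (1 << 40) - 512   # 2^40-512 bytes, the ceiling for every UNIT


def to_bytes(value, unit="*BYTES"):
    """Normalise VALUE(UNIT=...) to bytes.  Raises ValueError with a message
    starting 'SAT1035' for what SAT rejects with that code, or 'SDF' when the
    value is outside the SDF integer range before any UNIT is applied."""
    if not 0 <= value <= SDF_INT_MAX:
        raise ValueError("SDF VALUE outside <integer 0..2147483647>")
    total = value * UNIT_FACTOR[unit]
    if total % 512:
        raise ValueError("SAT1035 value is not a multiple of 512")
    if total > TOTAL_MAX_BYTES:
        raise ValueError("SAT1035 value too big")
    return total


def max_value_for(unit):
    """Largest VALUE accepted for a UNIT (the table in the UNIT description)."""
    return min(SDF_INT_MAX, TOTAL_MAX_BYTES // UNIT_FACTOR[unit])


def check_field_values(entries):
    """entries: list of (value, unit) as written in VALUE=(...).  Returns ("OK", byte_totals)
    or (code, message) with code "SAT1035", "SAT1023" or "SDF".  Duplicates are judged after
    normalisation, so 3072(UNIT=*KB) and 3(UNIT=*MB) count as the same value."""
    totals = []
    for value, unit in entries:
        try:
            total = to_bytes(value, unit)
        except ValueError as exc:
            return str(exc).split(" ")[0], str(exc)
        if total in totals:
            return "SAT1023", "FIELD CONTAINS DUPLICATE VALUES. COMMAND REJECTED"
        totals.append(total)
    return "OK", totals


def filpos_condition_met(condition_bytes, logged_filpos):
    """FILPOS in a SAT record is a multiple of 512 bytes, so the record value
    is compared as logged_filpos*512 against the normalised condition values."""
    return logged_filpos * 512 in condition_bytes


if __name__ == "__main__":
    print(check_field_values([(3072, "*KB"), (3, "*MB")]))   # ('SAT1023', ...)
    print(check_field_values([(3072, "*KB")]))                # ('OK', [3145728])
    print(filpos_condition_met([3145728], 6144))             # True: 6144*512 = 3145728
```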
POSIX filenames and Kerberos names are logged by SAT without any restriction. The following SAT fields are case-sensitive in the definition of SAT alarm conditions: AUDITID, HOMEDIR, LINKNAM, NEWPATH, PATHNAM, PRINCCL, PRINCSV, SHELL, SYMBDEV. With the exception of SYMBDEV, however, these fields can only be specified with a maximum length of 255 bytes; events with longer field contents can be selected by using wildcards. In the specification of a single name (without wildcards) the same special characters are allowed as for POSIX filenames or Kerberos names.
See also the general notes on SAT commands on "Functional overview".
Example
Each incorrect attempt to log on to terminal DSN30151 under the user ID SYSPRIV is to trigger an alarm (for the purposes of this example, it is assumed that the specified terminal is mostly used by the security administrator):