ADD-SELECTION-CONDITIONS Define selection conditions


The //ADD-SELECTION-CONDITIONS statement is used to define and name a selection condition for audit records. Wildcard syntax is allowed in the selection condition.

ADD-SELECTION-CONDITIONS

NAME = <name 1..8>

, CONDITION = *NONE / <text 1..1800 with-low>

NAME = <name 1..8>
The name of the selection condition that is defined in the CONDITION operand.

CONDITION = *NONE / <text 1..1800 with-low>
The selection conditions are defined here.

CONDITION = *NONE
Selection is unrestricted.

CONDITION = <text 1..1800 with-low>
The editing condition is composed of one or more logical expressions which are ANDed, ORed or linked by a NOT operation. In addition, the order in which the expressions are evaluated can be determined by means of parentheses “(...)”. The logical operations are applied to expressions which may be either “TRUE” or “FALSE” (see truth tables, below). Those records which fulfill the condition are selected.

The editing condition is specified as follows for <text 1..1800 with-low>:

[NOT] cond1 [{ OR/AND [NOT] cond2} ...]

The editing condition can be used for:

  1. searching within a list

  2. searching within a range

  3. comparison with a specific value

  4. verifying the existence of a specific field

  5. searching with wildcard syntax

In general, uppercase and lowercase are handled in the same way in the editing condition. A distinction is made only in the case of the values for the following field names: homedir, linknam, newpath, pathnam, shell and symbdev.

’cond’ may be:

  1. searching within a list

    field-name IN-LIST/NOT-IN-LIST (value,...)

    field-name IN-LIST (value1,...valuen)
    A record is selected if the specified field exists and its contents match any of the specified values.

    field-name NOT-IN-LIST (value1,...valuen)
    A record is selected if the specified field does not contain any of the specified values or if the specified field does not exist.

  2. searching within a range

    field-name IN-RANGE/NOT-IN-RANGE (value-range)

    field-name IN-RANGE (value:value)
    A record is selected if the specified field exists and its contents match any of the values within the specified range. Only the timestp field (format: yyyy-mm-dd/hh:mm:ss) and fields with the SDF data type integer are accepted.

    field-name NOT-IN-RANGE (value:value)
    A record is selected if the specified field does not contain any of the values within the specified range or if the specified field does not exist. Only the timestp field (format: yyyy-mm-dd/hh:mm:ss) and fields with the SDF data type integer are accepted.

  3. comparison with a specific value

    field-name EQUAL/NOT-EQUAL value

    field-name EQUAL value
    A record is selected if the specified field exists and contains the specified value.

    field-name NOT-EQUAL value
    A record is selected if the specified field contains a value other than the specified value or if the field does not exist.

  4. searching for a specific field name

    field-name PRESENT

    All records containing the specified field are to be selected.

  5. searching with wildcard syntax

    field-name MATCH/NOT-MATCH pattern

    field-name MATCH pattern
    All records which match the specified search pattern are selected. Only fields with the SDF data type c-string, with the exception of plamrc, are accepted.

    field-name NOT-MATCH pattern
    All records which do not match the specified search pattern are selected. Only fields with the SDF data type c-string, with the exception of plamrc, are accepted.
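To make the existence rules of these nine operators concrete (a NOT- form also selects records in which the field is absent, the positive forms require the field to exist), here is an added Python evaluator; it is example code, not part of the SAT product. It parses the [NOT] cond1 [{OR/AND [NOT] cond2} ...] grammar with parentheses and applies it to audit records held as dicts. The records and their values are constructed; mixed AND/OR are evaluated strictly left to right, an assumption, since the page states this only for identical operators; MATCH supports only the '*' and '/' wildcards here; x-string values are held as ("x", "0D35") tuples; and the case-sensitive field set is the one from note 3. The satsel condition from the Examples section runs unchanged.

```python
"""Evaluator for SAT selection conditions (added example, not the product's code).
Assumptions: mixed AND/OR evaluate strictly left to right (the page says this only of
identical operators, so parenthesise mixed expressions as the manual's examples do);
MATCH knows only '*' and '/'; records hold canonical values (see normalize)."""
import re

CASE_SENSITIVE = {"auditid", "homedir", "linknam", "newpath", "pathnam",
                  "princcl", "princsv", "shell", "symbdev"}     # listed in note 3
TOKEN_RE = re.compile(r"\s*(?:(?P<ts>\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})"   # timestp
                      r"|(?P<str>[cxCX]?'[^']*')|(?P<punct>[(),:])"        # 'a' c'a' x'0d'
                      r"|(?P<word>[^\s(),:']+))")                           # names, keywords

def normalize(token, field):
    """Canonical form of a value token: x-string, c-string, integer or keyword."""
    if re.fullmatch(r"[xX]'[0-9a-fA-F]*'", token):
        return ("x", token[2:-1].upper())
    if re.fullmatch(r"[cC]?'.*'", token):
        s = token[token.index("'") + 1:-1]
        return s if field in CASE_SENSITIVE else s.upper()
    return int(token) if re.fullmatch(r"-?\d+", token) else token.upper()

class Parser:
    def __init__(self, text):
        self.toks, self.i = [m.group(m.lastgroup) for m in TOKEN_RE.finditer(text)], 0
    def peek(self):
        return self.toks[self.i].upper() if self.i < len(self.toks) else None
    def take(self, expected=None):
        tok = self.toks[self.i] if self.i < len(self.toks) else None
        if tok is None or (expected and tok.upper() != expected):
            raise SyntaxError(f"expected {expected or 'a value'}, got {tok!r}")
        self.i += 1
        return tok
    def expr(self):            # term {(AND|OR) term}, evaluated left to right
        node = self.term()
        while self.peek() in ("AND", "OR"):
            node = (self.take().upper(), node, self.term())
        return node
    def term(self):            # NOT term | ( expr ) | field-name operator [args]
        if self.peek() == "NOT":
            self.take()
            return ("NOT", self.term())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            self.take(")")
            return node
        field, op = self.take().lower(), self.take().upper()
        if op == "PRESENT":
            return ("COND", field, op, None)
        if op in ("IN-LIST", "NOT-IN-LIST", "IN-RANGE", "NOT-IN-RANGE"):
            self.take("(")                       # (value,...) or (value:value)
            vals = [normalize(self.take(), field)]
            while self.peek() in (",", ":"):
                self.take()
                vals.append(normalize(self.take(), field))
            self.take(")")
            return ("COND", field, op, vals)
        if op not in ("EQUAL", "NOT-EQUAL", "MATCH", "NOT-MATCH"):
            raise SyntaxError(f"unknown operator {op!r}")
        return ("COND", field, op, normalize(self.take(), field))

def wildcard_match(pattern, value):
    """'*' = any (even empty) string, '/' = exactly one character."""
    rx = "".join(".*" if c == "*" else "." if c == "/" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def evaluate(node, record):
    if node[0] == "NOT":
        return not evaluate(node[1], record)
    if node[0] in ("AND", "OR"):
        a, b = evaluate(node[1], record), evaluate(node[2], record)
        return a and b if node[0] == "AND" else a or b
    _, field, op, arg = node
    present, v = field in record, record.get(field)
    if op == "PRESENT":
        return present
    hit = present and (v in arg if op.endswith("LIST") else
                       arg[0] <= v <= arg[1] if op.endswith("RANGE") else
                       v == arg if op.endswith("EQUAL") else wildcard_match(arg, v))
    # NOT- forms also select records lacking the field (page: NOT-IN-LIST/-RANGE/-EQUAL; assumed for NOT-MATCH)
    return not hit if op.startswith("NOT-") else hit

def select(condition, records):
    """Return, in input order, the records that fulfil the condition text."""
    p = Parser(condition)
    tree = p.expr()
    if p.i != len(p.toks):
        raise SyntaxError(f"unexpected token {p.toks[p.i]!r}")
    return [r for r in records if evaluate(tree, r)]

# Constructed sample records (not real SATLOG data) and the page's satsel condition.
RECORDS = [dict(evt="FRD", filname=f, timestp=t, **({"userid": u} if u else {}))
           for f, t, u in [("$SYSAUDIT.SYS.SATLOG.A", "2017-05-02/08:00:00", "USER1"),
                           ("$SYSAUDIT.SYS.SATLOG.B", "2017-05-03/09:30:00", "TSOS"),
                           ("PAYROLL.DATA", "2017-05-04/10:00:00", "USER2"),
                           ("$SYSAUDIT.SYS.SATLOG.C", "2017-06-01/00:10:00", "USER1"),
                           ("$SYSAUDIT.SYS.SATLOG.D", "2017-05-20/12:00:00", None)]]
SATSEL = ("evt equal 'FRD' and filname match '$sysaudit.sys.satlog.*' and timestp in-range "
          "(2017-05-01/00:00:00 : 2017-05-31/23:59:59) and userid not-in-list ('tsos','sysaudit')")
```

select(SATSEL, RECORDS) returns records A and D: B is excluded by userid, PAYROLL.DATA by the pattern, C by the timestamp range, and D is selected although it has no userid field at all, which is exactly the absent-field rule of NOT-IN-LIST. Whether that is what a condition author intended is worth checking whenever a NOT- form is used on a field that is not present in every event type.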

Definitions

field-name

defines the types of auditable information, e.g. access, acckey,... (see table on "Table of auditable information (field names)"). All other specifications are interpreted as errors and rejected. Specification of the name of a *LNG field (see "Structure of the SATLOG files") for field-name is not permitted.

value

corresponds to the data types defined in SDF: <x-string>, <name>, <c-string>, <integer>, <keyword>. ’value’ must be of the data type specified for the appropriate field name (see table on "Table of auditable information (field names)"). For instance, if ’field-name’ is DMSRC, then ’value’ must be of type x-string.

Special features with field-name = filpos / curlim2 / maxlim2:

A special data type <integer-with-unit> exists for the filpos, curlim2 and maxlim2 field names. It differs from the data type <integer> in that a unit can be entered in parentheses, i.e. <integer>(<unit>), where <unit> can be BYTES, KB (=kilobytes), MB (=megabytes) or GB (=gigabytes). BYTES is assumed if the unit is omitted.

  • If BYTES is defined either explicitly or implicitly the numerical value must be a multiple of 512. Otherwise, the statement is rejected with an error message.

  • A numerical value specified with a unit is always converted internally into multiples of 512 bytes. Only this value is relevant for the result of a selection condition, but not the form of the entry. For example, the entries 3145728(BYTES), 3072(KB) and 3(MB) are taken to be equal since they each represent the same value of 3145728 bytes.

  • The maximum value of 2^40-512 (=1 099 511 627 264) bytes may not be exceeded, regardless of the UNIT entry. This results in the following maximum values, depending on the UNIT entry:

    UNIT    Maximum numerical value     Corresponds in bytes to
    BYTES   2^31-1 = 2 147 483 647      2^31-1 = 2 147 483 647
    KB      2^30-1 = 1 073 741 823      2^40-2^10 = 1 099 511 626 752
    MB      2^20-1 = 1 048 575          2^40-2^20 = 1 099 510 579 200
    GB      2^10-1 = 1 023              2^40-2^30 = 1 098 437 885 952
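The three rules above (multiple of 512 for BYTES, internal conversion to 512-byte multiples, per-unit maxima) are easy to get wrong when a condition on filpos, curlim2 or maxlim2 is written by hand. The following added Python parser, example code and not the product's own validation, applies them and reports why an entry would be rejected; the regular expression and the error texts are assumptions, the limits are the ones in the table.

```python
"""Parser for SAT <integer-with-unit> values applying the rules above
(added example, not the product's code)."""
import re

# Maximum numerical value per unit and the unit sizes, from the table above.
UNIT_MAX = {"BYTES": 2**31 - 1, "KB": 2**30 - 1, "MB": 2**20 - 1, "GB": 2**10 - 1}
UNIT_SIZE = {"BYTES": 1, "KB": 1024, "MB": 1024**2, "GB": 1024**3}
ABSOLUTE_MAX = 2**40 - 512               # 1 099 511 627 264 bytes
VALUE_RE = re.compile(r"\s*(\d+)\s*(?:\(\s*(BYTES|KB|MB|GB)\s*\))?\s*", re.IGNORECASE)

def parse_integer_with_unit(text):
    """Return the value as a number of 512-byte blocks, the form in which the
    selection condition is evaluated; raise ValueError for rejected entries."""
    m = VALUE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not an <integer-with-unit>: {text!r}")
    number, unit = int(m.group(1)), (m.group(2) or "BYTES").upper()   # BYTES assumed
    if number > UNIT_MAX[unit]:
        raise ValueError(f"{number}({unit}) exceeds the maximum numerical value for {unit}")
    if unit == "BYTES" and number % 512:
        raise ValueError(f"{number}(BYTES) is not a multiple of 512")
    nbytes = number * UNIT_SIZE[unit]
    if nbytes > ABSOLUTE_MAX:            # already implied by UNIT_MAX; kept as the stated rule
        raise ValueError(f"{text!r} exceeds {ABSOLUTE_MAX} bytes")
    return nbytes // 512

def same_value(a, b):
    """True if two entries denote the same value, whatever form they are written in."""
    return parse_integer_with_unit(a) == parse_integer_with_unit(b)
```

With this, 3145728(BYTES), 3072(KB) and 3(MB) all parse to 6144 blocks, while 1000 (not a multiple of 512) and 1024(GB) (above the GB maximum) are rejected.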

value-range

defines a value range in the following format: <value:value>.

pattern

identifies a c-string in which parts of the character string can be replaced by wildcards, in the same way as the SDF data type <c-string with-wild (n)>.
pattern may be up to 281 characters long.
The wildcard characters that may be used are as follows:


*         Replaces an arbitrary (even empty) character string

/         Replaces exactly one freely selectable character

\         Disables wildcards (* / < > : ,) in a character string (e.g. ab\*c identifies the string “ab*c”)

<sx:sy>   Replaces a string that meets the following conditions:

  • at least as long as the shortest string (sx or sy)

  • not longer than the longest string (sx or sy)

  • between sx and sy in the alphabetic collating sequence; numbers are sorted after letters (A...Z 0...9)

  • sx may also be an empty string, which is in the first position in the alphabetic collating sequence

  • sy may also be an empty string, which stands at this position for the string with the highest possible coding (contains only the characters X'FF')

  • sx must be before sy in the alphabetic collating sequence. If sx is shorter than sy, sx is filled with X'00'

  • if sy is shorter than sx, sy is filled with X'FF'

  • wildcards are not allowed either in sx or in sy

<s1,...>  Replaces all strings matching any of the character combinations specified by s. s may also be an empty string. Any such string may also be a range specification <sx:sy>


The wildcard “-” for negating information is not used here; NOT-MATCH is provided for this purpose.
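The range rules for <sx:sy> (length limits, X'00'/X'FF' filling, letters before digits) are the part of this syntax that most often surprises people who expect ASCII ordering. The following added Python matcher, example code and not the product's implementation, covers all five wildcards including ranges inside <s1,...>. It assumes EBCDIC collation through Python's cp500 codec (the page says only that numbers sort after letters; the exact BS2000 code page is not stated) and that the caller has already applied the page's case rule to both pattern and text.

```python
"""Matcher for the SAT wildcard syntax above (added example, not the product's code).
Supports *, /, \\ (escape), <sx:sy> (range) and <s1,...> (alternatives, each of which
may itself be a range).  Assumptions: strings collate in EBCDIC via Python's cp500
codec (letters before digits, as stated above; the exact BS2000 code page is not),
and the caller has already applied the page's case rule to pattern and text."""

def parse_pattern(pattern):
    """Token list: ('lit', c), ('one',), ('star',) or ('alts', [alternatives]),
    where an alternative is ('str', s) or ('range', sx, sy)."""
    tokens, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):          # \x disables the wildcard x
            tokens.append(("lit", pattern[i + 1]))
            i += 2
        elif c in "*/":
            tokens.append(("star",) if c == "*" else ("one",))
            i += 1
        elif c == "<":                                   # <sx:sy> or <s1,s2,...>
            end = pattern.index(">", i)
            alts = [("range", *p.split(":", 1)) if ":" in p else ("str", p)
                    for p in pattern[i + 1:end].split(",")]
            tokens.append(("alts", alts))
            i = end + 1
        else:
            tokens.append(("lit", c))
            i += 1
    return tokens

def in_range(s, sx, sy):
    """The <sx:sy> rules above: len(s) between the shorter and the longer of sx/sy,
    sx filled with X'00' and sy with X'FF', and sx <= s <= sy in the collating order."""
    lo, hi = sorted((len(sx), len(sy)))
    if not lo <= len(s) <= hi:
        return False
    bx, by, bs = (t.encode("cp500") for t in (sx, sy, s))
    n = max(len(bx), len(by))
    return bx.ljust(n, b"\x00") <= bs <= by.ljust(n, b"\xff")

def _match(tokens, ti, s, si):
    """Backtracking match of tokens[ti:] against s[si:]; all of s must be consumed."""
    if ti == len(tokens):
        return si == len(s)
    tok = tokens[ti]
    if tok[0] == "lit":
        return si < len(s) and s[si] == tok[1] and _match(tokens, ti + 1, s, si + 1)
    if tok[0] == "one":
        return si < len(s) and _match(tokens, ti + 1, s, si + 1)
    if tok[0] == "star":
        return any(_match(tokens, ti + 1, s, k) for k in range(si, len(s) + 1))
    for alt in tok[1]:                                   # 'alts': first fit wins
        if alt[0] == "str":
            lengths = [len(alt[1])]
        else:
            lengths = range(min(len(alt[1]), len(alt[2])), max(len(alt[1]), len(alt[2])) + 1)
        for n in lengths:
            piece = s[si:si + n]
            if len(piece) != n:
                continue
            ok = piece == alt[1] if alt[0] == "str" else in_range(piece, alt[1], alt[2])
            if ok and _match(tokens, ti + 1, s, si + n):
                return True
    return False

def sat_match(pattern, text):
    """True if the whole of text matches the SAT wildcard pattern."""
    return _match(parse_pattern(pattern), 0, text, 0)
```

Two cases worth noting: sat_match("<X:>", "1") is true because an empty sy stands for the highest string and the digit 1 collates after X, whereas a byte-wise ASCII comparison would give the opposite answer; and sat_match("<AA:C>", "A") is false because A sorts before the X'00'-filled AA, although A is within the permitted length range.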

Notes
  1. If the syntax analysis of the statement detects an error, the editing condition is output to SYSOUT. The error is marked by a question mark.

  2. In guided dialog, this output to SYSOUT causes the SDF screen to be lost; it can be restored by means of the //RESTORE-SDF-INPUT statement.

  3. POSIX file names and Kerberos names are logged by SAT without any restriction. The following SAT fields are case-sensitive in the definition of selection conditions: AUDITID, HOMEDIR, LINKNAM, NEWPATH, PATHNAM, PRINCCL, PRINCSV, SHELL, SYMBDEV. The fields that are not case-sensitive are internally converted into uppercase letters. With the exception of SYMBDEV, however, these fields can be specified with a maximum length of 255 bytes only. Events with longer field contents may be specified by using wildcards. In the specification of a single name (without wildcard) the same special characters are allowed as for POSIX file names or Kerberos names.

Examples
//add-selection-conditions name = filesel, -
//                    condition = filname in-list ('filex','filey') -        (1)
//                            and access equal input -                      (2)
//                            and res    equal f -                          (3)
//                            and dmsrc  equal x'0d35'                      (4)

Under the condition named filesel, events are selected if

(1) the file ’FILEX’ or ’FILEY’ is affected and
(2) the open mode is INPUT and
(3) the operation result is ’failure’ and
(4) the file is not shareable (DMS return code 0D35).

//add-selection-conditions name = groupsel, -
//                    condition = (groupid equal c'g1' -                    (1)
//                             and not auditid present) -                   (2)
//                             or (groupid in-list (c'g2',c'g3') -          (3)
//                                 and user-id not-in-list ('u1','u2'))     (4)

Under the condition named groupsel, events are selected if

(1) they were generated by users with group ID G1 and the users did not
(2) use a chipcard to identify themselves to the system or
(3) they were generated by users with group ID G2 OR G3 and
(4) these users did not have the user ID U1 or U2.

//add-selection-conditions name = satsel, -
//   condition = evt equal 'FRD' -
//         and filname match '$sysaudit.sys.satlog.*' -
//         and timestp in-range (2017-05-01/00:00:00 : 2017-05-31/23:59:59) -
//         and userid not-in-list ('tsos','sysaudit')

Read accesses by nonprivileged user IDs to SATLOG files in May 2017 are selected under the condition with the name satsel.

Truth tables

The following truth tables apply to AND, OR and NOT:

cond1 AND cond2    cond2 = TRUE    cond2 = FALSE
cond1 = TRUE       TRUE            FALSE
cond1 = FALSE      FALSE           FALSE

cond1 OR cond2     cond2 = TRUE    cond2 = FALSE
cond1 = TRUE       TRUE            TRUE
cond1 = FALSE      TRUE            FALSE

cond1              TRUE            FALSE
NOT cond1          FALSE           TRUE

Identical operators are processed from left to right.