Examples of the formation of complex condition expressions are given in "ADD-SELECTION-CONDITIONS Define selection conditions". Examples of evaluation in connection with preselection and postselection are provided in "Monitoring special security-relevant activities".
In this example, the SAT file manager would like to achieve the following:
Detect potential attempts at intrusion during the preceding session. To do this it is necessary to select the audit records of rejected LOGON attempts from the SATLOG file.
Create an analysis file containing all events that relate to file objects. This file is to be analyzed decentrally at a later time.
Prerequisites
The audit attribute for all switchable user IDs, in other words all except those with the SECURITY-ADMINISTRATION or FILE-MANAGEMENT privilege, has been set to OFF:
/modify-sat-preselection user-auditing=*all-switchable(*off)
The audit attribute of all events for which it is allowed to be changed has been set to OFF in the preselection (see “Individual control of selection”). Exception: the “check user ID” event (UCK) with the result “FAILURE” has been selected for logging:
/modify-sat-preselection event-auditing=uck(audit-switch=*on(result=*failure))
The session to be evaluated was session number 137, beginning on 2018-03-01.
The SAT file manager begins evaluation by starting SATUT:
/start-satut
The input file that is selected is the SATLOG file from session 137:
//select-input-files input-files=*std(session-number=137)
To obtain an overview of the activities in the selected session, the SAT file manager arranges for statistics to be output to SYSOUT:
//show-statistics output=*sysout
The following output is obtained (the precise meaning of the individual output fields is explained with the statement SHOW-STATISTICS):
Input-files of statement = :PCO4:$SYSAUDIT.SYS.SATLOG.2018-03-01.137.01
:PCO4:$SYSAUDIT.SYS.SATLOG.2018-03-01.137.02
:PCO4:$SYSAUDIT.SYS.SATLOG.2018-03-02.137.03
Begin of analyzed period : 2018/03/01 10:19:21.24
End of analyzed period : 2018/03/02 17:44:34.23
Elapsed time = 113113 s = 1 d 26713 s
Records/hour = 53.56
# of records = 1683
Mean length = 102.00
Mean kbytes/hour = 5.54
SUMMARY OF EVENTS
-----------------
Event-class # events # events/h
----------- -------- ----------
1 : DMS
Files 711 22.63
Security 733 23.33
Rename Files 5 0.16
2 : Catalog Management 0 0.00
3 : Job Enable (Dialog & Batch)
Success 33 1.05
Failure 6 0.19
4 : Job (Rest) 33 1.05
5 : Job Variables 0 0.00
6 : BLS 15 0.48
7 : Spool
Jobs 0 0.00
Devices 0 0.00
8 : PLAM/ILAM 20 0.64
9 : DSSM
Connection/Disconnection 2 0.06
Catalog Management 17 0.54
10 : Syntax Files 0 0.00
11 : Users/Groups/Privileges
Users 87 2.77
Privileges 0 0.00
Groups 0 0.00
12 : Object Protection
GUARDS 0 0.00
Coowner Protection 0 0.00
Default Protection 0 0.00
Access Control List 0 0.00
13 : System Access Control Management
Terminal Sets 0 0.00
Operator Roles 0 0.00
Keys 13 0.41
14 : SAT 2 0.06
15 : UTM 0 0.00
16 : SESAM 0 0.00
17 : POSIX
Files and Directories 0 0.00
Child Processes 0 0.00
Processes 0 0.00
System Resources 0 0.00
18 : Communication Methods
DCAM 0 0.00
BCAM 0 0.00
IP Security 0 0.00
19 : Memory Pools 0 0.00
20 : Events
Serialization 0 0.00
Eventing 0 0.00
21 : Fast Intertask Communication 0 0.00
22 : Storage Class Events 0 0.00
23 : Data Spaces 0 0.00
24 : Volume 0 0.00
25 : ADAM device management 0 0.00
26 : ANY event (system exit) 0 0.00

  #  EVENT  # SUCC  # FAIL  # NONE  LEN SUCC  LEN FAIL  LEN NONE  % EVENTS  % FAIL(EVENT)  RECORDS/HOUR
---  -----  ------  ------  ------  --------  --------  --------  --------  -------------  ------------
  1  FCD        59       0       0    108.61      0.00      0.00      3.51           0.00          1.88
  2  FCL       298       0       0     97.52      0.00      0.00     17.71           0.00          9.48
  3  FCS        58       0       0    106.02      0.00      0.00      3.45           0.00          1.85
  4  FDD        64       2       0    100.62     99.00      0.00      3.92           3.03          2.10
  5  FDS        64      20       0    103.94    100.50      0.00      4.99          23.81          2.67
  6  FED        33       0       0    101.09      0.00      0.00      1.96           0.00          1.05
  7  FMD        92       0       0     95.16      0.00      0.00      5.47           0.00          2.93
  8  FMS        11       0       0    121.91      0.00      0.00      0.65           0.00          0.35
  9  FRD       162       1       0    100.68     97.00      0.00      9.69           0.61          5.19
 10  FRN         5       0       0    148.60      0.00      0.00      0.30           0.00          0.16
 11  FRS       391     189       0    106.45    110.13      0.00     34.46          32.59         18.46
 12  JBE        16       2       0     81.06     71.50      0.00      1.07          11.11          0.57
 13  JDE        17       4       0     79.29     83.75      0.00      1.25          19.05          0.67
 14  JED        16       0       0     58.94      0.00      0.00      0.95           0.00          0.51
 15  JIN        17       0       0     69.00      0.00      0.00      1.01           0.00          0.54
 16  KTC        13       0       0    125.00      0.00      0.00      0.77           0.00          0.41
 17  LCL        10       0       0    128.50      0.00      0.00      0.59           0.00          0.32
 18  LEE        10       0       0    124.50      0.00      0.00      0.59           0.00          0.32
 19  SCR        14       3       0     79.71     78.33      0.00      1.01          17.65          0.54
 20  SDS         2       0       0     85.00      0.00      0.00      0.12           0.00          0.06
 21  UAD         2       0       0     81.00      0.00      0.00      0.12           0.00          0.06
 22  UCK        71      10       0     82.70     82.90      0.00      4.81          12.35          2.58
 23  UML         2       0       0     81.00      0.00      0.00      0.12           0.00          0.06
 24  URM         1       1       0     81.00     81.00      0.00      0.12          50.00          0.06
 25  XLD        10       0       0    199.00      0.00      0.00      0.59           0.00          0.32
 26  XUL         5       0       0     80.00      0.00      0.00      0.30           0.00          0.16
 27  ZBG         3       0       0    245.33      0.00      0.00      0.18           0.00          0.10
 28  ZCH         2       0       0    130.00      0.00      0.00      0.12           0.00          0.06
 29  ZND         3       0       0     83.33      0.00      0.00      0.18           0.00          0.10
---  -----  ------  ------  ------  --------  --------  --------  --------  -------------  ------------
TOTAL:         1451     232       0    101.26    106.65      0.00    100.00          13.78          53.6
The SAT file manager defines the first selection condition with the name “badlog”. This condition relates to all records that concern the “check user ID” event with the result “FAILURE”.
//add-selection-conditions name=badlog, -
//    condition=evt equal 'uck' and res equal f
The second selection condition by the name of “file” relates to records in which events are logged whose short name begins with the letter “F”. These are all events which relate to file objects.
//add-selection-conditions name=file,condition=evt match 'f*'
The following command has the effect that editing for both conditions is executed in one step. All records that satisfy the selection condition “badlog” are written to work file 0, while all records that satisfy the “file” condition are written to work file 5.
//start-selection from-file=*input-files, -
//    to-file=(*parameters(condition-name=badlog), -
//             *parameters(file=5,condition-name=file))
% SAE7001 'START-SELECTION' STATEMENT TERMINATED. '10' RECORDS SELECTED IN WORK FILE ' 0'
% SAE7001 'START-SELECTION' STATEMENT TERMINATED. '1449' RECORDS SELECTED IN WORK FILE ' 5'
There were therefore 10 unsuccessful LOGON attempts and 1449 events relating to file objects.
The records with the events relating to file objects are written to the ANALYZE.FILE-EVENTS file for the purpose of decentralized analysis.
//save-selected-records to-reduction-name=analyze.file-events,from-file=5
As the SAT file manager considers the number of unsuccessful LOGON attempts to be too high for immediate evaluation, he would like to restrict the selection still further. The first step is to obtain information about the existing selection conditions.
//show-selection-conditions
SELECTION CONDITION NAME : BADLOG
SELECTION CONDITION :
EVT EQUAL 'UCK'
AND RES EQUAL F
================================================================================
SELECTION CONDITION NAME : FILE
SELECTION CONDITION :
EVT MATCH 'F*'
================================================================================
The SAT file manager would like to evaluate only failed LOGON attempts made with the “TSOS” user ID. To do that it is necessary to define another selection condition to select records containing the value TSOS in the logged data field OBJ-UID (see “Tables of auditable information on object-related events (1)”).
//add-selection-conditions name=uidtsos,condition=obj-uid equal 'tsos'
The SAT file manager then initiates a second stage of editing. All records from work file 0 that satisfy the “uidtsos” condition are to be written to work file 1. As the records in work file 0 already satisfy the “badlog” condition, the result of this editing is the set of all records for which both conditions (“badlog” and “uidtsos”) are true.
//start-selection from-file=0, -
//    to-file=*parameters(file=1,condition-name=uidtsos)
% SAE7001 'START-SELECTION' STATEMENT TERMINATED. '3' RECORDS SELECTED IN WORK FILE ' 1'
Now the result of this selection is only three records. These are to be output to SYSLST for detailed evaluation.
//show-selected-records from-file=1
Finally the SAT file manager outputs a set of statistics for the session, with a histogram, to SYSLST. The evaluation run is then terminated.
//show-statistics from-file=*input-files,histogram=*yes
//end
% SAE5004 SAT FILE EVALUATOR TERMINATED NORMALLY
SYSLST shows the result of //SHOW-SELECTED-RECORDS on pages 1 and 2.
SATUT V05.5A 2018-03-06 15:44:22 PAGE 1
PROCESSED STATEMENT : SHOW-SELECTED-RECORDS
************************************************************************************************************************************
INPUT-FILES OF STATEMENT :
:PCO4:$SYSAUDIT.#SATUT.WORK-01.06.154351
SATUT V05.5A 2018-03-06 15:44:22 PAGE 2
PROCESSED STATEMENT : SHOW-SELECTED-RECORDS
************************************************************************************************************************************
EVT RES DATE TIME TSN USER-ID
UCK F 20180301 163627 0DHC TSOS OBJ-UID= TSOS STATION= $$$06015 PROCNAM= XYZ0231X
CHKMODE= DIALOG REJR = 03400001
UCK F 20180302 141855 0DHG TSOS AUDITID= D4C3C8C88995A97CC6E2C34BD5C5E3 OBJ-UID= TSOS
STATION= $$$06007 PROCNAM= XYZ4711X CHKMODE= NET-DIALOG-ACCESS
REJR = 02400001 PRINCCL= MCHHinz@FTS.NET
UCK F 20180302 144612 0DHI TSOS AUDITID= D4C3C8D2A495A97CC6E2C34BD5C5E3 OBJ-UID= TSOS
STATION= $$$06009 PROCNAM= XYZ0815X CHKMODE= NET-DIALOG-ACCESS
REJR = 1E400001 PRINCCL= MCHKunz@FTS.NET
The following part of the list shows the result of //SHOW-STATISTICS and is largely identical to the statistics output to SYSOUT at the start of the session. It also contains the histogram of the events.
SATUT V05.5A 2018-03-06 16:17:07 PAGE 1
PROCESSED STATEMENT : SHOW-STATISTICS
**********************************************************************************************************************************
Input-files of statement = :PCO4:$SYSAUDIT.SYS.SATLOG.2018-03-01.137.01
:PCO4:$SYSAUDIT.SYS.SATLOG.2018-03-01.137.02
:PCO4:$SYSAUDIT.SYS.SATLOG.2018-03-02.137.03
Begin of analyzed period : 2018/03/01 10:19:21.24
End of analyzed period : 2018/03/02 17:44:34.23
...
SATUT V05.5A 2018-03-06 16:17:07 PAGE 4
PROCESSED STATEMENT : SHOW-STATISTICS
***********************************************************************************************************************************
# +---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
2018/03/01 10:19 1 |ZZ
2018/03/01 10:20 37 |FFFFFFFFF|FFFFFFFFJ|JJJJJKKSS|SSSSSSSSS|SUUUU
2018/03/01 10:21 35 |FFFFFFFFF|FFFFFFFFF|FFFJJJJJJ|JJJSSSSUU|UU
2018/03/01 10:22 4 |JJKKUUU
2018/03/01 10:23 1 |UU
2018/03/01 10:24 4 |JJKKUUU
2018/03/01 10:25 2 |JJUU
2018/03/01 10:26 3 |JJUUU
2018/03/01 10:27 2 |JJUU
2018/03/01 10:28 0 |
2018/03/01 10:29 0 |
2018/03/01 10:30 0 |
2018/03/01 10:31 3 |FFFUU
2018/03/01 10:32 1 |UU
...
2018/03/02 16:48 30 |FFFFFFFFF|FFFFFFFFF|FFFFFFFFF|FFFXX
2018/03/02 17:27 2 |FFF
2018/03/02 17:28 22 |FFFFFFFFF|FFFFFFFFF|LLLLXXX
2018/03/02 17:42 5 |FFFFFJJ
2018/03/02 17:43 19 |FFFFFFFFF|FFFFFFJJJ|SSXX
2018/03/02 17:44 2 |FFZZ
# +---------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
SATUT V05.5A 2018-03-06 16:17:07 PAGE 9
PROCESSED STATEMENT : SHOW-STATISTICS
***********************************************************************************************************************************
EXPLANATION ON USED LETTERS:
----------------------------
F : FCD, FCL, FCS, FDD, FDS, FED, FMD, FMS, FRD, FRN, FRS
J : JBE, JDE, JED, JIN
K : KTC
L : LCL, LEE
S : SCR, SDS
U : UAD, UCK, UML, URM
X : XLD, XUL
Z : ZBG, ZCH, ZND
In a final evaluation stage, which can only partly be automated with SAT or by programming, the selected records must be evaluated in order to determine what further action needs to be taken, if at all.
In the example, the three selected records in SYSLST are evaluated manually on the basis of “Tables of auditable information on object-related events (1)”.
EVT RES DATE TIME TSN USER-ID
UCK F 20180301 163627 0DHC TSOS OBJ-UID= TSOS STATION= $$$06015 PROCNAM= XYZ0231X
CHKMODE= DIALOG REJR = 03400001
UCK F 20180302 141855 0DHG TSOS AUDITID= D4C3C8C88995A97CC6E2C34BD5C5E3 OBJ-UID= TSOS
STATION= $$$06007 PROCNAM= XYZ4711X CHKMODE= NET-DIALOG-ACCESS
REJR = 02400001 PRINCCL= MCHHinz@FTS.NET
UCK F 20180302 144612 0DHI TSOS AUDITID= D4C3C8D2A495A97CC6E2C34BD5C5E3 OBJ-UID= TSOS
STATION= $$$06009 PROCNAM= XYZ0815X CHKMODE= NET-DIALOG-ACCESS
REJR = 1E400001 PRINCCL= MCHKunz@FTS.NET
According to the table for the object USERID in "Tables of auditable information on object-related events (2)", “obj-uid” and “chkmode” are always logged; “station”, “procnam”, “rejr” and “princcl” may be logged.
One possible approach is to check whether rejected logon attempts that were refused because of user error cluster at a particular data terminal or in a batch job. Such a cluster could indicate an attempt to penetrate the system by trying out different passwords.
In this case the analysis shows that only three logon attempts for TSOS (obj-uid), one in dialog mode and two via network dialog access (chkmode), were rejected due to user error (rejr) throughout the entire evaluation period of more than 24 hours (see table in "Tables of auditable information on object-related events (2)"). What is more, these attempts were made from different data terminals (station and procnam) and, for the two network accesses, under different principals (princcl). As a consequence, analysis in this case produces the overall result “harmless”.
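The following Python script is an added example and is not part of the SAT manual or of SATUT itself. It does off-host what the last two stages above do: it parses the record list in the layout SATUT prints it (the three records shown above plus four constructed records from a made-up station $$$06099), applies selection conditions chained the way the "badlog" and "uidtsos" stages were (EQUAL or MATCH with "*", all conditions ANDed), and then runs the "cluster of rejected logons at one data terminal" check suggested in the text. The five-minute window and the threshold of three rejections are assumptions chosen for the example, not SAT parameters.

```python
"""Post-processing of SATUT SHOW-SELECTED-RECORDS output (added example).

Parses the list SATUT prints, chains selection conditions like START-SELECTION,
and flags stations with a burst of rejected logons."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase

# Constructed sample in the layout SATUT prints: a header line, then one record
# per EVT line whose KEY= VALUE fields may continue on further lines.
# Records 1-3 are the three shown on this page; records 4-7 are made up to show
# a burst of failures from a single (hypothetical) station $$$06099.
SAMPLE = """\
EVT RES DATE     TIME   TSN  USER-ID
UCK F   20180301 163627 0DHC TSOS OBJ-UID= TSOS STATION= $$$06015 PROCNAM= XYZ0231X
    CHKMODE= DIALOG REJR = 03400001
UCK F   20180302 141855 0DHG TSOS AUDITID= D4C3C8C88995A97CC6E2C34BD5C5E3 OBJ-UID= TSOS
    STATION= $$$06007 PROCNAM= XYZ4711X CHKMODE= NET-DIALOG-ACCESS
    REJR = 02400001 PRINCCL= MCHHinz@FTS.NET
UCK F   20180302 144612 0DHI TSOS AUDITID= D4C3C8D2A495A97CC6E2C34BD5C5E3 OBJ-UID= TSOS
    STATION= $$$06009 PROCNAM= XYZ0815X CHKMODE= NET-DIALOG-ACCESS
    REJR = 1E400001 PRINCCL= MCHKunz@FTS.NET
UCK F   20180302 220101 0DJA TSOS OBJ-UID= TSOS STATION= $$$06099 PROCNAM= XYZ9999X
    CHKMODE= DIALOG REJR = 03400001
UCK F   20180302 220130 0DJB TSOS OBJ-UID= TSOS STATION= $$$06099 PROCNAM= XYZ9999X
    CHKMODE= DIALOG REJR = 03400001
UCK F   20180302 220158 0DJC TSOS OBJ-UID= TSOS STATION= $$$06099 PROCNAM= XYZ9999X
    CHKMODE= DIALOG REJR = 03400001
UCK F   20180302 220230 0DJD TSOS OBJ-UID= TSOS STATION= $$$06099 PROCNAM= XYZ9999X
    CHKMODE= DIALOG REJR = 03400001
"""

# Fixed columns of a record line: EVT RES DATE TIME TSN USER-ID, then free fields.
HEAD = re.compile(r"^([A-Z]{3})\s+([A-Z])\s+(\d{8})\s+(\d{6})\s+(\S+)\s+(\S+)(.*)$")
# "KEY= VALUE" or "KEY = VALUE" pairs as SATUT prints them (keys may contain '-').
PAIR = re.compile(r"([A-Z][A-Z-]*)\s*=\s*(\S+)")


def parse_records(text):
    """Turn the list into dicts with the fixed columns, a TS datetime and the
    optional fields (OBJ-UID, STATION, PROCNAM, CHKMODE, REJR, PRINCCL, ...)."""
    records = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            evt, res, date, time, tsn, uid, rest = m.groups()
            rec = {"EVT": evt, "RES": res, "TSN": tsn, "USER-ID": uid,
                   "TS": datetime.strptime(date + time, "%Y%m%d%H%M%S")}
            rec.update(PAIR.findall(rest))
            records.append(rec)
        elif records and line.strip():
            records[-1].update(PAIR.findall(line))  # continuation line
    return records


def select(records, conditions):
    """One START-SELECTION stage: keep records for which every field matches.
    A pattern containing '*' or '?' behaves like MATCH, anything else like
    EQUAL; values are upper-cased first, as SATUT did with the lower-case
    conditions entered above ('uck' was stored as 'UCK')."""
    def hit(rec, field, pattern):
        return fnmatchcase(str(rec.get(field, "")).upper(), pattern.upper())
    return [r for r in records
            if all(hit(r, f, p) for f, p in conditions.items())]


def clusters_by_station(records, window=timedelta(minutes=5), threshold=3):
    """Return {STATION: n} for stations with at least `threshold` records
    inside some `window` (the password-guessing indicator the text describes).
    Window and threshold are assumed values for this example, not SAT settings."""
    by_station = defaultdict(list)
    for r in records:
        by_station[r.get("STATION", "?")].append(r["TS"])
    flagged = {}
    for station, times in by_station.items():
        times.sort()
        best = 0
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            best = max(best, j - i + 1)
        if best >= threshold:
            flagged[station] = best
    return flagged


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    # Same two stages as in the text: 'badlog' first, then 'uidtsos' on top of it.
    badlog = select(recs, {"EVT": "UCK", "RES": "F"})
    tsos = select(badlog, {"OBJ-UID": "TSOS"})
    print(f"{len(badlog)} rejected logons, {len(tsos)} of them for TSOS")
    for station, n in clusters_by_station(tsos).items():
        print(f"cluster: {n} rejections from station {station} within 5 minutes")
```

On the three records from the page alone the cluster check returns nothing, which is the "harmless" verdict reached manually above; the four constructed records from $$$06099 are what a password-guessing burst would look like, and they are the only ones flagged. The script expects the list exactly as SATUT prints it, so paste the SYSLST pages in unchanged.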