Creating and Modifying Rules
To create or modify real-time detection rules:
- Select 11. Audit (QAUDJRN, QIPFILTER...) in the Main menu (STRAUD). The Work with Real-Time Audit Rules screen appears.
```text
                     Work with Real-Time Audit Rules
          Rules & Actions for QAUDJRN, QIPFILTER, QZMF...
Real-Time audit rules trigger alerts, responsive actions and event logging.
Subset by entry . .              by description . .
Type option, press Enter.        by classification.   C=Compliance,..
1=Select 3=Copy 4=Delete 5=Info 8=Msg 9=Explanation & Classification
Opt Entry Seq   Log Act Cont. Description
    AD          N             Default for: Auditing changes AD
    AF          Y             Default for: Authority failure AF
    AP          Y             Default for: Obtaining adopted authority AP
    AU          Y             Default for: Attribute change AU
    AX          Y             Default for: Row and Column Access Control (RCAC)
    C@    1.0   Y   N   Y     action for change user profile
                Y             User profile changed (After & Previous images)
    CA          Y             Default for: Authority changes CA
    CD          Y             Default for: Command string audit CD
    CF          Y             Default for: Mail configuration info (QZMF) CF
    CO          Y             Default for: Create object CO
                                                                     More...
F3=Exit F6=Add New F8=Print F11=No/Default F12=Cancel F14=Input sampling
F22=Renumber
```
| Parameter or Option | Description |
|---|---|
| Opt | 1 = Select rule to modify; 3 = Copy rule; 4 = Delete rule; 5 = Info; 8 = Message (define a message that will be sent when the action occurs); 9 = Explanation & Classification (type an explanation that will be displayed on any report that includes this rule) |
| Entry | IBM i (OS/400) audit journal entry type |
| Sequence | Rules for a given audit type are applied in sequential order according to the sequence number |
| Log | Y = Log this event in the history log |
| Act | Y = This rule triggers an action |
| Cont | Y = Continue with the rest of the rule after running the action |
| F6 | Create a new rule |
| F11 | No / Default |
| F22 | Recalculate rule sequence numbers |
- Select a rule from the list (option 1) or press F6 to create a new rule. The Add Selection Rule or Modify Selection Rule screen appears.
```text
                        Modify Selection Rule
          Rules & Actions for QAUDJRN, QIPFILTER, QZMF...
Entry type . . . . . . . C@       User profile changed (After & Previous images)
Sequence . . . . . . . . 1.0
Description . . . . . .  action for change user profile
Sub-type list . . . . .  *ALL     *ALL, List
                         N        Name
Check if in Time group . N
Log . . . . . . . . . .  Y        Y=Yes, N=No
Perform action . . . . . N        VICT175734   Name, *NONE, *ADD
If event rate exceeds .  1 / 1    Events/Seconds, 1/1=Always
Run action once per . .  0        Seconds, 0=Always
Continue to rule seq . . Y   .0   Y=Yes, N=No. 0=Following rule
F3=Exit   F4=Prompt   F8=Print   F12=Cancel
```
| Parameter or Option | Description |
|---|---|
| Entry Type | IBM i (OS/400) audit journal entry type; F4 = Choose from a list of available types |
| Sequence | Enter a sequence number or accept the default as presented. The sequence number determines the order of rule processing when there is more than one rule for a given audit type. |
| Description | Enter a meaningful description of the rule. |
| Sub-Type list | You can restrict this rule to one or more sub-types only: Sub-Type = One-character sub-type code; F4 = Choose a sub-type from the list; List = Enter several sub-type codes separated by a space; *ALL = All sub-types within this entry type |
| Check if in Time Group | You can optionally limit this rule to a specific Time Group: Blank = Apply the rule only to events occurring during the time group; N = Apply the rule only to events occurring outside the times defined in the time group |
| Log | Y = Record this event in the history log; N = Do NOT record this event in the history log |
| Perform Action | Y = Perform this action according to the rule; N = Do NOT perform this action |
| Action | Optionally trigger an action (the Action module must be installed): Name = Name of the action to trigger by this rule; F4 = Select an action from the list; *ADD = Define a new action for this rule; *NONE = No actions are triggered by this rule |
| If event rate exceeds | Only perform the action if the event occurs more than a given number of times in a given time period, for example 5 times in every 10 seconds. To run the action always, enter 1/1. |
| Run action once per | The minimum number of seconds between successive runs of the action (0 = Always). |
| Continue to rule seq | Y = After performing the actions, continue with the rule sequence (0 = the following rule). |
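The interplay of Sequence, Log, Perform action, the event-rate threshold, "Run action once per" and "Continue to rule seq" is easier to see in code. The following is an added, constructed model of those semantics, not the product's own logic; the class and function names, the reading of "exceeds N / S" as "at least N events in S seconds" (so that 1/1 is always true) and the reading of Cont=N as "stop after this rule's action ran" are assumptions.

```python
from collections import deque

# Constructed model of the rule fields described above (Sequence, Log,
# Perform action, "If event rate exceeds N / S", "Run action once per T",
# "Continue to rule seq"). Illustration only, not the product's own logic.

class Rule:
    def __init__(self, entry, seq, log, act, cont, rate=(1, 1), once_per=0):
        self.entry, self.seq = entry, seq                 # entry type, sequence number
        self.log, self.act, self.cont = log, act, cont    # screen's Y/N flags as booleans
        self.rate_events, self.rate_seconds = rate        # "If event rate exceeds N / S"
        self.once_per = once_per                          # "Run action once per T", 0 = always
        self.window = deque()                             # event times inside the rate window
        self.last_fired = None

    def action_due(self, ts):
        """True if the action runs for an event at time ts (seconds).
        Assumption: 'exceeds N / S' means at least N events within S seconds,
        so the screen's 1/1 default fires on every event."""
        self.window.append(ts)
        while self.window and self.window[0] <= ts - self.rate_seconds:
            self.window.popleft()                         # forget events outside the window
        if len(self.window) < self.rate_events:
            return False
        if self.once_per and self.last_fired is not None and ts - self.last_fired < self.once_per:
            return False                                  # throttled by "Run action once per"
        self.last_fired = ts
        return True

def process_event(rules, entry, ts):
    """Apply the rules for one entry type in sequence order.
    Returns (logged, [seq numbers whose action ran]). Assumption: Cont=N stops
    evaluation of later rules once this rule's action has run."""
    logged, actions = False, []
    for rule in sorted((r for r in rules if r.entry == entry), key=lambda r: r.seq):
        logged = logged or rule.log
        if rule.act and rule.action_due(ts):
            actions.append(rule.seq)
            if not rule.cont:
                break
    return logged, actions

if __name__ == "__main__":
    # Constructed sample: a 3-events-in-10-seconds burst detector, then a throttled rule.
    rules = [Rule("C@", 1.0, True, True, True, rate=(3, 10)),
             Rule("C@", 2.0, False, True, False, once_per=5)]
    for ts in (0, 1, 2, 5):
        print(ts, process_event(rules, "C@", ts))
```

Running it shows the burst rule staying silent until the third event, while the throttled rule fires at most once every 5 seconds regardless of how many events arrive.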
- Enter parameters and data as described in the table, then press Enter. The Filter Conditions screen appears.
Filter criteria allow you to limit the application of real-time detection rules to certain specific conditions.
Filter conditions are optional. If you do not define any filter conditions, the rule will incorporate all events for the specified audit type or types.
```text
                          Filter Conditions
Entry . . . . . . . . . ZC    Object accessed (change)
Sequence . . . . . . .  1.0   React to unpermitted changes in prod files
Subset by text . .
Type conditions, press Enter.   Specify OR to start each new group.
Test: EQ, NE, LE, GE, LT, GT, N/LIST, N/LIKE, N/ITEM, N/START, N/PGM
And   For N/LIKE: % is "any string"; Case is ignored
Or    Field                  Test   Value (If Test=ITEM use F4)           UC
      Program library               Library name
      Date & Time                   yyyy-mm-dd-hh.mm
      Name of job
      User of job            LIST   QSECOFR JOHN
      Number of job
      Name of program
      Program library
      Current user profile
      System name
      IP address family
                                                                     More...
Pink fields are from the generic header. Green fields apply to this type only.
F3=Exit   F4=Prompt   F6=Insert   F8=UC/LC   F12=Cancel
```
| Parameter or Option | Description |
|---|---|
| And/Or | A or Blank = And; O = Or |
| Field | Data field in the journal record: pink fields are part of the generic header common to all journal types; green fields represent data specific to this journal type |
| Test | Comparison test type; see the table on the following page for details. |
| Value | Comparison value text; this field is case sensitive (except with LIKE, where case is ignored and % matches any string). |
| F4 | Displays explanatory information/options applicable to the data field on the line where the cursor is located |
| F6 | Select another comparison test from a pop-up window and insert it at the current cursor position |
| F8 | Toggle between upper case (UC) and lower case (LC) for typed values; an indicator appears on the screen. |
- If desired, add filter conditions, then press Enter. The previous screen is displayed.
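To make the And/Or grouping and the test operators concrete, here is an added, constructed evaluator for filter conditions as described on this screen; it is not the product's code. The function names, the sample rule rows and the record values (PRODLIB, MARY, UPDCUST) are assumptions, and the ITEM and PGM tests are left out because they depend on product-side lookups.

```python
import re

# Constructed model of the Filter Conditions screen described above: lines are
# ANDed within a group, "O" in And/Or starts a new OR group, an "N/" prefix
# negates a test, LIKE treats % as "any string" and ignores case, and LIST
# matches any of several space-separated values. ITEM and PGM are product
# lookups and are left out. Illustration only, not the product's own code.

def run_test(test, field_value, value):
    """Evaluate one Test column entry against a record field."""
    negate = test.upper().startswith("N/")
    op = test.upper()[2:] if negate else test.upper()
    fv, v = str(field_value), str(value)
    if op == "EQ":
        result = fv == v                        # Value is case sensitive here
    elif op == "NE":
        result = fv != v
    elif op in ("LT", "LE", "GT", "GE"):        # fixed-format fields such as yyyy-mm-dd-hh.mm sort as text
        cmp = (fv > v) - (fv < v)
        result = {"LT": cmp < 0, "LE": cmp <= 0, "GT": cmp > 0, "GE": cmp >= 0}[op]
    elif op == "LIKE":                          # % = any string; case ignored
        pattern = ".*".join(re.escape(part) for part in v.split("%"))
        result = re.fullmatch(pattern, fv, re.IGNORECASE) is not None
    elif op == "LIST":                          # any one of the space-separated values
        result = fv in v.split()
    elif op == "START":
        result = fv.startswith(v)
    else:
        raise ValueError(f"unsupported test {test!r}")
    return not result if negate else result

def matches(conditions, record):
    """conditions: (and_or, field, test, value) rows as typed on the screen;
    record: dict of journal field name -> value. No conditions = every event."""
    groups = [[]]
    for and_or, field, test, value in conditions:
        if and_or.upper() == "O" and groups[-1]:   # "O" starts a new OR group
            groups.append([])
        groups[-1].append((field, test, value))
    return any(all(run_test(t, record.get(f, ""), v) for f, t, v in g) for g in groups)

# Constructed sample for "React to unpermitted changes in prod files": a change
# in PRODLIB by anyone other than QSECOFR or JOHN, OR any program named CHG...
CONDITIONS = [("", "User of job", "N/LIST", "QSECOFR JOHN"),
              ("A", "Program library", "EQ", "PRODLIB"),
              ("O", "Name of program", "LIKE", "CHG%")]

if __name__ == "__main__":
    print(matches(CONDITIONS, {"User of job": "MARY", "Program library": "PRODLIB"}))
```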
