Working with Status and Active Job Rules
IBM and Raz-Lee Entry Types include (see Appendix A: Raz-Lee Entry Types):
- IBM Entry Types – STRAUD > 11 (see Setting up the Audit Scheduler).
- Raz-Lee Entry Types @J, @K, @P, @S - STRAUD > 13 (see Working with Status and Active Job Rules).
- Raz-Lee Entry Types @0…@9 - STRAUD > 14 (see Working with Message Queues).
- Other Raz-Lee Entry Types (see Appendix A: Raz-Lee Entry Types).
The following can be achieved using the Entry Type screens:
- Define rules triggered by specific field contents for each entry type. Resulting actions can generate messages, run command language (CL) commands and more.
- Generate reports using the iSecurity report generator and scheduler, which uses field filters to control which of the collected QAUDJRN entries are output to e-mail, a message queue (MSGQ), Syslog, etc. The report generator can be accessed at STRAUD > 41 > 1.
To Work with Status & Active Job Rules:
- Select 13. Status & Active Job (SysCtl) in the Main menu (STRAUD> 13). The Work with Status & Active Job Rules screen appears. The table below describes the four standard entries that are included with the product.
```text
                    Work with Status & Active Job Rules
Rules for WRKACTJOB/WRKSYSSTS
                                          Subset by entry . . . . .
                                                 by description . . .
Type option, press Enter.                        by classification. .  C=Compliance,..
  1=Select   3=Copy   4=Delete   8=Msg   9=Explanation & Classification

Opt  Entry  Seq    Act  Cont.  Description
     @J     999.9  N    N      Default for: Active job information @J
     @K     999.9  N    N      Default for: Job not active @K
     @P     999.9  N    N      Default for: Pool not active @P
     @S     999.9  N    N      Default for: System status and pool information @S
                                                                          Bottom
F3=Exit  F6=Add New  F8=Print  F11=No/Default  F12=Cancel  F22=Renumber
Modify data, or press Enter to confirm.
```

Entry | Rule Description
---|---|
@J | Logs active job information, comparing every line of WRKACTJOB output against the rule that uses it.
@K | Logs inactive jobs, after checking whether the named job is active.
@P | Logs inactive pools, after checking whether the named pool is active.
@S | Logs system status and pool information (WRKSYSSTS), checking the filter conditions to verify whether the response criteria are met, and triggering that response.
- Type 1=Select next to an existing rule to modify it, or press F6 to create a new rule. The Add Selection Rule screen appears.

```text
                         Add Selection Rule
Firewall and Screen (after decision)

Entry type . . . . . . . .
Sequence . . . . . . . . .      .0
Description  . . . . . . .
Sub-type list  . . . . . .   *ALL          *ALL, List
Check if in Time group . .   N   Name
Perform action . . . . . .   Y   *ADD      Name, *NONE, *ADD
  If event rate exceeds  .      0 / 0      Events/Seconds, 1/1=Always
  Run action once per  . .      0          Seconds, 0=Always
  If true, re-check after       0          Seconds, 0=Default
  If false, re-check after      0          Seconds
Continue to rule seq . . .     .0          Y=Yes, N=No. 0=Following rule

F3=Exit   F4=Prompt   F12=Cancel
```
Parameter or Option | Description
---|---|
Entry type (Audit Type) | Audit journal entry type, IBM i (OS/400) or Raz-Lee. On this screen it is one of the Raz-Lee entry types @J, @K, @P or @S. F4 = Choose from a list of available types.
Sequence | Enter a sequence number or accept the default as presented. The sequence number determines the order in which rules are processed when there is more than one rule for a given entry type.
Description | Enter a meaningful description of the rule.
Time Group – Not | The flag in front of the Time Group name. Blank = Apply the rule only to events occurring during the time group. N = Apply the rule only to events occurring outside the times defined in the time group.
Time Group – Group Name | Name = Time Group name. F4 = Choose a Time Group name from the list. Blank = Do NOT use a Time Group for rule selection.
Perform Action | Y = Perform the action defined for this rule. N = Do NOT perform the action.
Action | Optionally trigger an action (the Action module must be installed). Name = Name of the action triggered by this rule. F4 = Select an action from the list. *ADD = Define a new action for this rule. *NONE = No action is triggered by this rule.
If event rate exceeds | Only perform the action if the event occurs at least the given number of times within the given number of seconds (Events/Seconds); for example, 10/5 = 10 times in every 5 seconds. Enter 1/1 to run the action on every event.
Run action once per | Minimum number of seconds between two performances of the action. 0 = Always (no throttling).
If true, delay interval | Number of seconds to wait before performing the action (shown on the screen as If true, re-check after / If false, re-check after). The default is 0.
Continue to rule seq | Y = After performing the action, continue processing with the rule sequence given (0 = the following rule in sequence). N = Do not continue with further rules for this entry.
- Enter parameters and data as described in the table, then press Enter. The Filter Conditions screen appears. Filter conditions limit a real-time detection rule to those collected entries whose field contents meet specific criteria.
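To make the interaction of the rule parameters concrete (time group with the N flag, the Events/Seconds rate threshold, Run action once per, Perform action, and Continue to rule seq), the following is an added Python model of a rule evaluator. It is illustration only, not Raz-Lee code: the class and field names (`TimeGroup`, `Rule`, `RuleEngine`, `process`), the action names, and the @S/@K samples fed in are all assumptions constructed for the example, not real WRKSYSSTS or WRKACTJOB output. The filter condition is represented as a Python predicate standing in for the Filter Conditions screen.

```python
"""Model of the Status & Active Job rule parameters (added example, not Raz-Lee code).
All names and sample events below are assumptions constructed for illustration."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class TimeGroup:
    """A named daily window; end < start means the window wraps past midnight."""
    name: str
    start: time
    end: time

    def contains(self, ts: datetime) -> bool:
        t = ts.time()
        if self.start <= self.end:
            return self.start <= t < self.end
        return t >= self.start or t < self.end


@dataclass
class Rule:
    entry: str                                      # @J, @K, @P or @S
    seq: float                                      # processing order within the entry type
    description: str
    condition: Callable[[Dict[str, object]], bool]  # stands in for the Filter Conditions screen
    action: str = "*NONE"
    perform_action: bool = True                     # Perform action: Y/N
    time_group: Optional[TimeGroup] = None          # Check if in Time group: group name
    outside_time_group: bool = False                # the "N" flag: apply only OUTSIDE the group
    rate_events: int = 1                            # If event rate exceeds: Events/Seconds
    rate_seconds: int = 1                           #   1/1 = always
    once_per_seconds: int = 0                       # Run action once per: 0 = always
    continue_to_next: bool = True                   # Continue to rule seq: Y = next, N = stop


@dataclass
class _State:
    hits: deque = field(default_factory=deque)      # match timestamps inside the rate window
    last_fired: Optional[datetime] = None           # last action time, for the once-per throttle


class RuleEngine:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: (r.entry, r.seq))
        self._state = {id(r): _State() for r in self.rules}

    @staticmethod
    def _time_group_ok(rule: Rule, ts: datetime) -> bool:
        if rule.time_group is None:
            return True
        inside = rule.time_group.contains(ts)
        return (not inside) if rule.outside_time_group else inside

    @staticmethod
    def _rate_ok(st: _State, rule: Rule, ts: datetime) -> bool:
        st.hits.append(ts)
        window = timedelta(seconds=rule.rate_seconds)
        while st.hits and ts - st.hits[0] >= window:  # drop matches that left the window
            st.hits.popleft()
        return len(st.hits) >= rule.rate_events

    def process(self, entry: str, fields: Dict[str, object], ts: datetime) -> List[Tuple[float, str]]:
        """Evaluate one collected entry; return the (seq, action) pairs whose action fired."""
        fired = []
        for rule in self.rules:
            if rule.entry != entry:
                continue
            if not self._time_group_ok(rule, ts) or not rule.condition(fields):
                continue
            st = self._state[id(rule)]
            if rule.perform_action and rule.action != "*NONE" and self._rate_ok(st, rule, ts):
                throttled = (rule.once_per_seconds > 0 and st.last_fired is not None
                             and ts - st.last_fired < timedelta(seconds=rule.once_per_seconds))
                if not throttled:
                    st.last_fired = ts
                    fired.append((rule.seq, rule.action))
            if not rule.continue_to_next:
                break
        return fired


def demo() -> List[Tuple[float, str]]:
    night = TimeGroup("NIGHT", time(22, 0), time(6, 0))       # assumed maintenance window
    engine = RuleEngine([
        # @S: CPU above 90% in 3 samples within 5 seconds, alert at most once a minute
        Rule("@S", 10.0, "Sustained high CPU", lambda f: f["cpu_pct"] > 90,
             action="HIGHCPU", rate_events=3, rate_seconds=5, once_per_seconds=60),
        # @K: a required job is not active, but only outside the NIGHT window
        Rule("@K", 10.0, "Critical job not active", lambda f: f["job"] == "ORDERSVR",
             action="RESTARTJOB", time_group=night, outside_time_group=True),
        # the shipped default @K entry: Act=N, so it logs only
        Rule("@K", 999.9, "Default for: Job not active @K", lambda f: True,
             perform_action=False),
    ])
    t0 = datetime(2024, 5, 14, 9, 0, 0)
    fired = []
    for i, cpu in enumerate([50, 95, 96, 97, 98, 60]):       # constructed @S samples, one per second
        fired += engine.process("@S", {"cpu_pct": cpu}, t0 + timedelta(seconds=i))
    fired += engine.process("@K", {"job": "ORDERSVR"}, t0)                              # daytime
    fired += engine.process("@K", {"job": "ORDERSVR"}, datetime(2024, 5, 14, 23, 30))   # in NIGHT
    return fired
```

Running `demo()` fires HIGHCPU once (the third consecutive sample above 90% meets 3/5, the fourth is suppressed by the 60-second once-per throttle) and RESTARTJOB once (the daytime @K entry; the 23:30 entry is inside the NIGHT time group, which the N flag excludes). The default @K entry matches both @K events but has Perform action = N, so it logs without acting.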
See Working with Current Setting and Setting up the Audit Scheduler.