Analyzing Recent Data on IFS Objects with the Rule Wizard
The Rule Wizards analyze data on recent system activity to develop and improve rules for filtering future activity.
To develop rules to filter incoming activity by the IFS object on which it is requesting to operate, first create a data set of recent activity, as shown in Creating a Data Set on IFS Objects with the Rule Wizard.
Once you have created a data set, select 42. Work with Rule Wizard from the IFS Security screen (STRAUD > 5).
The Plan IFS Security screen appears:
                              Plan IFS Security
                                                  Subset:
Type choices, press Enter.                        File Sys/Root
 1=Statistics 2=Allow by use 3=Display            Dir/Filename
 4=Delete 5=DSPFWLOG                              Grp/User
 7=WRKLNK 8=WRKAUT 9=Add similar                  Higher level only (Y-Yes)
 G=Groups U=Users
C>R=Current to Revised   Specify revised authority in the R column.   Y Allowed
Y=Allow                  Press Enter to apply revised authority.      N Rejected
N=Reject                                                              Y Allowed (from higher level)
     Rd  Wrt Rnm Dlt Mov File Sys/                                    N Rejected(from higher level)
Opt  C>R C>R C>R C>R C>R Root Dir  Directory/File name   Grp/User  Entries
     N   N   N   N   N   HOME      N501232/BLABLAX#.TXT  232X            4
     N   N   N   N   N   HOME      N501232/NEW FOLDER    232X            6
     N   N   N   N   N   HOME      N501232/TEST          232X            2
     N   N   N   N   N   HOME      PTF/PC050003.DAT      %GROUP1         8
     N   N   N   N   N   HOME      PTF/PC050003.TXT      %GROUP1         4
     N   N   N   N   N   HOME      PTF/PJ090014.DAT      %GROUP1         2
     N   N   N   N   N   HOME      PTF/PJ090016.DAT      %GROUP1        10
     N   N   N   N   N   HOME      PTF/PJ090016.TXT      %GROUP1         4
     N   N   N   N   N   HOME      PTF/PO050016.DAT      %GROUP1        38
                                                                     More...
F3=Exit F6=Add New F8=Print F12=Cancel F17=Allow by use globally
Each line on the lower part of the screen represents requests within the data set by a single user or group to access a single object.
After the Opt field, the first five pairs of fields show ways that objects can be accessed.
- Rd: Read
- Wrt: Write
- Rnm: Rename
- Dlt: Delete
- Mov: Move
The pairs of fields for each are:
- a letter on a colored background, showing how Firewall responded to the activity according to current rules
- an underscore in which you can revise the rule
The letter codes are:
- Blank: Reject all incoming activity
- A: Allow activity without checking
- B: Allow only activity over an SSL connection, without parsing SQL statements
- L: Log and allow activity, without checking
- M: Log and allow only activity over an SSL connection, with parsing SQL statements
- S: Allow only activity over an SSL connection
- Y: Allow activity after parsing any SQL statement in the activity
The color codes are:
- Green: A rule specifically referring to this user or group and object accepts this activity
- Red: A rule specifically referring to this user or group and object rejects this activity
- Blue: A rule for a generic set of users, groups, or objects that includes this one accepts this activity
- Purple: A rule for a generic set of users, groups, or objects that includes this one rejects this activity
The following fields show the location of the object and the user or group accessing it.
The File Sys/Root Dir field shows the file system or root directory containing the object.
The Directory/File name field shows the directory containing the object and the file name of the object itself. The field is truncated to twenty characters. To see the full file path, type 3 in the Opt field for the rule and press Enter.
The Entries field shows the number of requests made during the time period in the data set.
Thus, in the example, the first item on the bottom of the screen shows that the group %GROUP1 is not allowed to read a file whose name begins with the string JOE-QPADEV001L in the SCREEN directory of the HOME file system, because of a group or generic set of users to which it or the object belongs, and that it requested to do so 12 times within the time period of the data set. Entering 3 in the Opt field for the rule reveals that the full file name is SCREEN/JOE-QPADEV001L-191202-183959.HTML.
To view the statistics on activity by a specific user or group on a specific object during the time period in the data set, type 1 in the Opt column for that row and press Enter. The Display Statistics for IFS object window appears.
Display Statistics for IFS object
File Sys: HOME
Dir: SCREEN/JOE-QPADEV001L
User: %GROUP1
          Total  Read  Write  Rename  Delete  Move
Entries      12    12
Rejected     12    12
F3=Exit

     Rd  Wrt Rnm Dlt Mov File Sys/                                    N Rejected(from higher level)
Opt  C>R C>R C>R C>R C>R Root Dir  Directory/File name    Grp/User  Entries
1    N   N   N   N   N   HOME      SCREEN/JOE-QPADEV001L  %GROUP1        12
     N   N   N   N   N   HOME      SCREEN/JOE-QPADEV001L  %GROUP1        24
     N   N   N   N   N   HOME      SCREEN/JOE-QPADEV001L  %GROUP1        12
     N   N   N   N   N   HOME      SCREEN/JOE-QPADEV001L  %GROUP1        24
     N   N   N   N   N   HOME      SCREEN/JOE-QPADEV001L  %GROUP1        12
     N   N   N   N   N   HOME      SCREEN/JOE-QPADEV001L  %GROUP1        12
     N   N   N   N   N   HOME      SCREEN/JOE-QPADEV001L  %GROUP1        12
     N   N   N   N   N   HOME      SCREEN/JOE-QPADEV001L  %GROUP1        12
     N   N   N   N   N   HOME      SCREEN/JOE-QPADEV001L  %GROUP1        12
                                                                     More...
F3=Exit F6=Add New F8=Print F12=Cancel F17=Allow by use globally
Continuing from the previous example, we see that members of %GROUP1 requested to access the file twelve times. All twelve requests were for Read access, and all of them were rejected.
To add a new rule, press the F6 key. The Add Native AS/400 Revised Security screen appears, as shown in .
To add a rule for an object and a user or group similar to an existing one, type 9 in the Opt field for that rule and press Enter. The Add Similar Revised Security screen appears, as shown in Adding Firewall Rules for a Similar IFS Object with the Rule Wizard.
To change rules based on activity in the data set, type 5 in the Opt field for that rule and press Enter. If a rule had set a particular activity on an object by a user or group to be rejected, a specific new rule is set for that activity, object, and user to accept it. Otherwise, the option has no effect.
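The following Python sketch is an added example, not part of the product or its documentation. It models the color legend and the change based on activity described above, so that the effect on a row can be listed before it is applied. The names Decision, Row and allow_by_use are hypothetical, the sample row is constructed from the statistics example on this page, and it assumes that only operations with rejected requests in the data set are changed.

```python
from dataclasses import dataclass

OPS = ("Rd", "Wrt", "Rnm", "Dlt", "Mov")  # column order on the screen

@dataclass
class Decision:
    allowed: bool    # Y or N in the C (current) column
    specific: bool   # True: rule names this user/group and object; False: generic rule

    def color(self):
        # Legend from the page: green/red = specific rule, blue/purple = generic rule.
        if self.specific:
            return "Green" if self.allowed else "Red"
        return "Blue" if self.allowed else "Purple"

@dataclass
class Row:
    fs: str
    path: str
    who: str
    current: dict    # operation -> Decision
    rejected: dict   # operation -> rejected requests in the data set

def allow_by_use(row):
    """Return (revised decisions, list of changes); the row itself is not modified."""
    revised, changes = {}, []
    for op in OPS:
        cur = row.current[op]
        count = row.rejected.get(op, 0)
        if not cur.allowed and count > 0:
            # Rejected activity gets a specific rule that accepts it.
            revised[op] = Decision(allowed=True, specific=True)
            changes.append((row.who, f"{row.fs}:{row.path}", op,
                            cur.color(), "Green", count))
        else:
            revised[op] = cur  # otherwise the option has no effect
    return revised, changes

# Constructed sample: the %GROUP1 row, 12 Read requests rejected by a generic rule.
SAMPLE = Row("HOME", "SCREEN/JOE-QPADEV001L", "%GROUP1",
             {op: Decision(allowed=False, specific=False) for op in OPS},
             {"Rd": 12})

if __name__ == "__main__":
    _, changes = allow_by_use(SAMPLE)
    for who, obj, op, before, after, n in changes:
        print(f"{who} {obj} {op}: {before} -> {after} ({n} rejected requests)")
```

The change list shows which rejections would become specific allow rules, which is the part of the data set worth reviewing before the revised authority is applied.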
To change rules manually, see Setting Firewall Rules Manually based on IFS Objects with the Rule Wizard.
To delete a rule, type 4 in the Opt field for that rule and press Enter. NOTE: You are not prompted for confirmation, and the rule is immediately deleted.
To display the firewall log entries relevant to this rule, type 5 in the Opt field for that rule and press Enter. The Display Firewall Log screen appears, as shown in Displaying Firewall Logs.
To view a list of the users in a group, type G in the Opt column for that group and press Enter. The List of Users in User Group window appears, listing the users in the group.
To view a list of the groups containing a user, type U in the Opt column for that group and press Enter. The List of Users in Group Profile window appears, listing the users in the group.
To work with object links in a rule, type 7 in the Opt column for the rule and press Enter. The OS/400 Work with Object Links screen appears, as described in IBM documentation.
To edit the object authority for the object in a rule, type 8 in the Opt column for the rule and press Enter. The OS/400 Work with Authority screen appears, as described in IBM documentation.
To print the information from the data set, press the F8 key.