Analyzing Recent Data on Native Objects with the Rule Wizard
The Rule Wizards analyze data on recent system activity to develop and improve rules for filtering future activity.
To develop rules to filter incoming activity by the native object on which it is requesting to operate, first create a data set of recent activity, as shown in Creating a Data Set on Native Objects with the Rule Wizard.
Once you have created a data set, select 42. Work with Rule Wizard from the Native Object Security screen (STRFW > 4).
The Native AS/400 Objects Wizard (WZRNTVSEC) screen appears:
```
                     Native AS/400 Objects Wizard (WZRNTVSEC)

Type choices, press Enter.

Set name . . . . . . . . . . . .   *TEMP        Name, *USER, *SELECT, *S...
Wizard type . . . . . . . . . .    *FAST        *STD, *FAST
Object . . . . . . . . . . . . .   *ALL         Character value
Library . . . . . . . . . . . .    *ALL         Character value
Object Type . . . . . . . . . .    *ALL         *ALL, *FILE, *CMD, *PGM...
User . . . . . . . . . . . . . .   *ALL         Name, *ALL

                                                                       Bottom
F3=Exit   F4=Prompt   F5=Refresh   F12=Cancel   F13=How to use this display
F24=More keys
```
To select the existing data set and additional specifications to use with the wizard, enter values in the following fields:
Set name
The name of the data set that will contain the records. You can set this to your own value or choose one of these options:
- *TEMP: The default name for temporary data sets. The data set is removed when the session ends.
- *USER: Your user name
- *S: Equivalent to *SELECT
- *SELECT: If the wizard has been run before, a list appears of previous names that had been used for the data set.
Wizard type
The type of wizard to be created. Possible values include:
- *STD: The Rule Wizard screen that appears next has all the standard options
- *FAST: The Rule Wizard screen that appears next has a limited set of options for faster processing, as documented there.
- *NO: The data set will only be used for batch processing.
Object
The object on which the activity requests to operate. This can be the name of the specific object, a generic name ending in an asterisk ("*"), or *ALL for all objects.
Library
The library containing the object on which the activity requests to operate. This can be the name of the specific library, a generic name ending in an asterisk ("*"), or *ALL for all libraries.
Object Type
The type of object on which the activity requests to operate. Possible values include:
- *ALL: All objects
- *FILE: Files
- *LIB: Libraries
- *DTAQ: Data queues
- *PRTF: Printer files
- *PGM: Programs
- *CMD: Commands
User, <GrpPrf or '%GROUP'
The user or group requesting the activity. This can be a user name, a generic name ending in an asterisk ("*"), a group name, a group profile, or *ALL for all users.
After entering the specifications, press Enter.
The Plan Security for Native Objects screen appears:
```
                      Plan Security for Native Objects
Subset: Type . . .                     Type choices, press Enter.
        Library .          1=Display statistics  2=Allow by use
        Object . .         4=Delete  5=DSPFWLOG  6=Create Rule
        User . . .         7=WRKOBJ  8=EDTOBJAUT  9=Add similar
        Higher level only (Y-Yes)   G=Groups  U=Users  E=CHGUSRPRF  O=WRKOBJ
C>R=Current to Revised           Specify revised authority in the R column.
Y/S Alw/Skip  Y=Allow, S=Skip    N  Rejected  N=Reject
Non-existing objects marked with red.
Y/S Alw/Skip (fr higher level)   N  Rejected (fr higher level)

     Rd  Wrt Crt Dlt Rnm Otr                                 User Group/
Opt  C>R C>R C>R C>R C>R C>R Type Object     Library    *User       Entries
     Y   N   N   N   N   N   FILE MNTLOG     QNEWNAVSRV QWEBADMIN         2
     Y   N   N   N   N   N   FILE QINAVMNTRG QNEWNAVSRV QWEBADMIN        30
     Y   Y   Y   Y   Y   S   FILE QAS9AUDLOG QSRVAGT    QSRVAGT           6
                                                                       Bottom
F3=Exit   F6=Add New   F8=Print   F12=Cancel   F17=Allow by use globally
```
Each line on the lower part of the screen represents requests within the data set by a single user or group to access a single object.
After the Opt field, the first six pairs of fields show ways that objects can be accessed. (Some are not possible, and therefore not included, for some types of objects.)
- Rd: Read
- Wrt: Write
- Crt: Create
- Dlt: Delete
- Rnm: Rename
- Otr: Other
The pairs of fields for each are:
- a letter on a colored background, showing how Firewall responded to the activity according to current rules
- an underscore in which you can revise the rule
The letter codes are:
- Blank or N: Reject all incoming activity
- S: Allow activity, but do not log this
- Y: Allow activity
The color codes are:
- Green: A rule specifically referring to this user or group and object accepts this activity
- Red: A rule specifically referring to this user or group and object rejects this activity
- Blue: A rule for a generic set of users, groups, or objects that includes this one accepts this activity
- Purple: A rule for a generic set of users, groups, or objects that includes this one rejects this activity
The following fields show the object Type, the Object name, and the Library that contains it.
The User Group/*User field shows the name of the user or group who made the requests.
The Entries field shows the number of requests made during the time period in the data set.
Thus, for example, the first item on the bottom of the screen shows that the user RLTOOLS is allowed, because of a group or generic set of users to which it or the object belongs, to read the file named ADTSLAB in the DLT211 library, and had requested to do so 33 times within the time period of the data set.
To view the statistics on activity by a specific user or group on a specific object during the time period in the data set, type 1 in the Opt column for that row and press Enter. The Display Statistics for Native Object window appears.
```
             Display Statistics for Native Object
  Object: ADTSLAB      Library: DLT211     Type: FILE     User: RLTOOLS

             Total    Read   Write  Create  Delete  Rename   Other
  Entries       33      33
  Rejected
  F3=Exit

Y  Allowed (from higher level)      N  Rejected(from higher level)
     Rd  Wrt Crt Dlt Rnm Otr                                 User Group/
Opt  C>R C>R C>R C>R C>R C>R Type Object     Library    *User       Entries
     Y                       CMD  CHGCURLIB  QSYS       %GROUP1           1
     Y                       CMD  CHGCURLIB  QSYS       GS               39
     Y                       CMD  CHGCURLIB  QSYS       YOEL             15
     N   N   N   N   N   N   FILE RAZLEE3    AU         GS                4
     N   N   N   N   N   N   FILE RUNAUQRY   DLT        %GROUP1           1
     N   N   N   N   N   N   FILE TRANSFER   DLT        %GROUP1          11
     N   N   N   N   N   N   FILE TRANSFER   DLT        GS                6
 1   N   N   N   N   N   N   FILE ADTSLAB    DLT211     RLTOOLS          33
                                                                      More...
F3=Exit   F6=Add New   F8=Print   F12=Cancel   F17=Allow by use globally
```
Continuing from the previous example, we see that the user requested to access the file 33 times. All of them were for Read access and none of them was rejected.
To add a new rule, press the F6 key. The Add Native AS/400 Revised Security screen appears, as shown in Analyzing Recent Data on Native Objects with the Rule Wizard.
To add a rule for an object and a user or group similar to an existing one, enter 9 in the Opt field for that rule. The Add Similar Revised Security screen appears, as shown in Adding Firewall Rules for Native Files.
To change rules based on activity in the data set, enter 2 in the Opt field. If a rule had set a particular activity on an object by a user or group to be rejected, a specific new rule is set for that activity, object, and user to accept it. Otherwise, the option has no effect. NOTE: If the rule is changed, it disappears from the screen.
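The following is an added example, not Raz-Lee code, that models in Python how the lower part of the Plan Security screen is derived from a data set and a rule set: the Y/S/N letter and the green/red/blue/purple color for each access type, the per-access counts behind option 1 (Display statistics), and what option 2 (Allow by use) changes. The data set records, the rules and all names are constructed for the illustration. Two points are assumptions rather than documented behaviour: that a rule naming the exact user, object and library takes precedence over a generic rule that also matches, and that the Rejected count is computed against the current rules.

```python
"""Model of the Plan Security for Native Objects screen (added example, not product code).

Assumptions (not from the product documentation):
  * a specific rule (exact user, object, library) wins over a generic one (*ALL or NAME*);
  * with no matching rule the current column is blank, which the screen treats as reject;
  * the Rejected statistic is evaluated against the current rules, not the historic log.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

ACCESS_TYPES = ("Rd", "Wrt", "Crt", "Dlt", "Rnm", "Otr")


@dataclass(frozen=True)
class Rule:
    user: str       # user or group name, generic name ending in '*', or *ALL
    obj: str        # object name, generic name ending in '*', or *ALL
    lib: str        # library name, generic name ending in '*', or *ALL
    access: tuple   # ((access type, letter), ...); Y=allow, S=allow without log, N=reject

    def letter_for(self, access):
        return dict(self.access).get(access)


def name_matches(pattern, name):
    """Match a specific name, a generic NAME* pattern, or *ALL."""
    if pattern == "*ALL":
        return True
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name


def rule_applies(rule, user, obj, lib):
    return all(name_matches(p, n) for p, n in ((rule.user, user), (rule.obj, obj), (rule.lib, lib)))


def rule_is_specific(rule, user, obj, lib):
    return (rule.user, rule.obj, rule.lib) == (user, obj, lib)


# Color legend of the screen: specific allow/reject, generic allow/reject.
COLORS = {("specific", True): "green", ("specific", False): "red",
          ("generic", True): "blue", ("generic", False): "purple"}


def evaluate(rules, user, obj, lib, access):
    """Return (letter, color) for the current (C) column of one access type."""
    for kind, want_specific in (("specific", True), ("generic", False)):
        for rule in rules:
            if rule_is_specific(rule, user, obj, lib) != want_specific:
                continue
            if not rule_applies(rule, user, obj, lib):
                continue
            letter = rule.letter_for(access)
            if letter is not None:
                return letter, COLORS[(kind, letter in ("Y", "S"))]
    return " ", None   # blank: no rule covers it, so the request is rejected


def plan_rows(rules, data_set):
    """One row per (type, object, library, user), as in the lower part of the screen."""
    groups = defaultdict(Counter)
    for user, obj, lib, otype, access in data_set:
        groups[(otype, obj, lib, user)][access] += 1
    rows = []
    for (otype, obj, lib, user), counts in sorted(groups.items()):
        rows.append({"type": otype, "object": obj, "library": lib, "user": user,
                     "current": {a: evaluate(rules, user, obj, lib, a) for a in ACCESS_TYPES},
                     "entries": sum(counts.values()), "by_access": dict(counts)})
    return rows


def display_statistics(rules, data_set, user, obj, lib):
    """Option 1: total, per-access and rejected counts for one user/object pair."""
    counts = Counter(a for u, o, l, _, a in data_set if (u, o, l) == (user, obj, lib))
    rejected = sum(n for a, n in counts.items()
                   if evaluate(rules, user, obj, lib, a)[0] not in ("Y", "S"))
    return {"Total": sum(counts.values()), "Rejected": rejected,
            **{a: counts.get(a, 0) for a in ACCESS_TYPES}}


def allow_by_use(rules, data_set, user, obj, lib):
    """Option 2: add a specific rule accepting every access type this user actually
    used on the object that the current rules reject; no change if nothing was rejected."""
    used = {a for u, o, l, _, a in data_set if (u, o, l) == (user, obj, lib)}
    rejected = {a for a in used if evaluate(rules, user, obj, lib, a)[0] not in ("Y", "S")}
    if not rejected:
        return list(rules)
    new_rule = Rule(user, obj, lib, tuple((a, "Y") for a in sorted(rejected)))
    return [new_rule] + list(rules)   # first so it wins over an older specific reject


# Constructed sample data set (not real log data): one record per request.
DATA_SET = [("RLTOOLS", "ADTSLAB", "DLT211", "FILE", "Rd")] * 3 + [
    ("RLTOOLS", "ADTSLAB", "DLT211", "FILE", "Wrt"),
    ("GS", "CHGCURLIB", "QSYS", "CMD", "Otr"),
    ("GS", "CHGCURLIB", "QSYS", "CMD", "Otr"),
    ("GS", "TRANSFER", "DLT", "FILE", "Rd"),
]
# Constructed rules: one generic (RL* users may read anything in DLT211), one specific.
RULES = [Rule("RL*", "*ALL", "DLT211", (("Rd", "Y"),)),
         Rule("GS", "CHGCURLIB", "QSYS", (("Otr", "S"),))]

if __name__ == "__main__":
    for row in plan_rows(RULES, DATA_SET):
        cols = " ".join(f"{row['current'][a][0]}({row['current'][a][1] or '-'})" for a in ACCESS_TYPES)
        print(f"{cols} {row['type']:4} {row['object']:10} {row['library']:10} {row['user']:10} {row['entries']:4}")
```

Running the block prints one line per user/object pair with the letter and color of each access column; `display_statistics` reproduces the window behind option 1, and `allow_by_use` shows that only accesses that were both used and rejected produce a new specific rule, which is why option 2 has no effect on a row that is already fully allowed.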
To change rules manually, see Setting Firewall Rules Manually based on Native Objects with the Rule Wizard
To delete a line in the subfile, enter 4 in the Opt field for that line. NOTE: You are not prompted for confirmation, and the subfile entry is deleted immediately.
To display the firewall log entries relevant to this rule, enter 5 in the Opt field for that rule. The Display Firewall Log screen appears, as shown in Displaying Firewall Logs.
To view a list of the users in a group, enter G in the Opt column for that group. The List of Users in User Group window appears, listing the users in the group.
To view a list of the groups containing a user, enter U in the Opt column for that user. The List of Users in Group Profile window appears, listing the groups that contain the user.
To work with the object in a rule, enter 7 in the Opt column for the rule. The OS/400 Work with Objects screen appears.
To edit the object authority for the object in a rule, enter 8 in the Opt column for the rule. The OS/400 Edit Object Authority screen appears, as described in IBM documentation.
To print the information from the data set, press the F8 key.