B Operating System Rule Set Capability Details

Descriptions of the various Operating System rule sets are included earlier in this guide; this appendix captures the details that are not covered there.

As discussed earlier in the user's guide, there are two types of monitoring capabilities, or rule sets, in the Configuration Change Console. The first is monitoring done at the OS level, such as Files (changes and reads), Processes (starts and stops), and OS Users (logins and logouts). The second type is referred to as Component Internal Rule Sets: monitoring capabilities for entities inside an application or other piece of software.

The operating system rule sets that this release of Configuration Change Console supports are Files, Processes (including Processes on OS/400) and OS Users. Each rule set is discussed in detail in the rest of this appendix.

Files

This monitoring capability uses operating system facilities to monitor file changes in near real time. The rule set can capture file changes and reads, together with the user that performed the action, the exact time, the process ID and the type of change.

The operation of the Files rule set depends on setup requirements that are specific to each operating system. For these requirements, see the Configuration Change Console Installation Guide instructions for the agent on your operating system.

Rules

You can create up to 50 include or exclude rules for this rule set in a single component. The following pattern types are available for creating rules.

Table B-1 Pattern Types for Rules

Write -- Monitor only write activity on the file, or on the directory, named in the Files column.

Read -- Monitor only read activity on the file, or on the directory, named in the Files column.

Access -- Monitor only access activity on the file, or on the directory, named in the Files column.


You can use the Is Relative Path option to specify that the pattern in the File column is relative to some other directory. In the Default Path field, enter the prefix path that is placed in front of each rule that has Is Relative Path selected; the Effective File/Directory Path column shows the full path that will actually be used. After you create multiple instances of this component by assigning it to multiple devices, you can override the default path for specific devices. For instance, the default path might be c:\ on some devices and d:\ on others, and a single component definition still covers both.

To filter file changes by the user that made them, add an OS Users rule set to the same component and, on that rule set, check the box indicating that its users are for filtering other types of rule sets. Then, in this file rule screen, check Filter change data by Users defined in component.

To save a copy of a file each time it changes, so that it can be recovered later or compared with other versions, check the Archive box for the rule. Archiving only works when the rule names one specific file; if the rule specifies a directory, the Archive checkbox is ignored.

The following guidelines should be followed when creating rules for this rule set:

  1. On Unix platforms, the file separator is '/'; on Windows platforms, the file separator is '\'.

  2. A pattern matching a directory includes all of its sub-directories and files under the directories.

  3. Use a wildcard (*) after the last slash for pattern matching.

    Example: Pattern c:\mydocs\*.doc matches any file under c:\mydocs ending in .doc.

  4. If two or more patterns match the same file/path, the pattern with greater length takes precedence.

    Example: Include c:\mydocs\*.doc and Exclude c:\mydocs\*oc both match the file c:\mydocs\calc.doc. Because c:\mydocs\*.doc is longer it takes precedence, so c:\mydocs\calc.doc is included.

  5. Include patterns take precedence over excludes when the pattern lengths are the same for a given pattern type.

    Example: With two rules of the same pattern type, Include * and Exclude *, all events are captured.
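The following is a worked example of the matching guidelines above. It is an added illustration, not Configuration Change Console code: the product's own matcher is not published, and the names used here (Rule, effective_path, resolve) are invented for the example. It implements the stated rules (a pattern naming a directory covers its subtree, '*' matches any characters, the longest matching pattern wins, and an Include beats an Exclude on a length tie), resolves the Default Path for relative rules, and, because the precedence rules are the same, also resolves the process-name example from the Processes section. Two points the guide does not state are assumed here and marked in the code: '*' may also match a path separator, and a subject that no rule matches is reported as None rather than as either decision.

```python
"""Added example of the Files rule-set matching guidelines (not product code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    include: bool                 # True = Include rule, False = Exclude rule
    pattern: str                  # file/directory pattern, or a bare process name
    pattern_type: str = "Write"   # Write, Read, Access (files) or Event (processes)
    relative: bool = False        # the "Is Relative Path" checkbox


def effective_path(rule, default_path, sep="\\"):
    """The Effective File/Directory Path column: a relative pattern is prefixed
    with the component's Default Path, which can be overridden per device."""
    if not rule.relative or default_path is None:
        return rule.pattern
    return default_path.rstrip(sep) + sep + rule.pattern.lstrip(sep)


def pattern_matches(pattern, subject, sep="\\"):
    """'*' matches any run of characters (assumption: separators included).
    A wildcard-free pattern that names a directory also matches everything
    beneath that directory (guideline 2)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    if re.fullmatch(regex, subject):
        return True
    return "*" not in pattern and subject.startswith(pattern.rstrip(sep) + sep)


def resolve(rules, subject, pattern_type="Write", default_path=None, sep="\\"):
    """Decide whether `subject` (a full path, or a process name) is monitored.
    Returns True (included), False (excluded) or None (no rule matched; the
    guide does not define this case, so it is left undecided here)."""
    hits = [(effective_path(r, default_path, sep), r)
            for r in rules if r.pattern_type == pattern_type]
    hits = [(p, r) for p, r in hits if pattern_matches(p, subject, sep)]
    if not hits:
        return None
    # Guidelines 4 and 5: the longest effective pattern wins; on a tie,
    # Include (True) sorts above Exclude (False).
    _, winner = max(hits, key=lambda pr: (len(pr[0]), pr[1].include))
    return winner.include


# Constructed rules for one Files component. Only the first pair comes from
# the guide's own example; the rest are made up for this illustration.
FILE_RULES = [
    Rule(True,  r"c:\mydocs\*.doc"),
    Rule(False, r"c:\mydocs\*oc"),
    Rule(True,  r"logs", relative=True),         # prefixed with the Default Path
    Rule(False, r"logs\tmp", relative=True),     # directory pattern: covers the subtree
    Rule(True,  r"*", pattern_type="Read"),      # equal-length Include/Exclude pair
    Rule(False, r"*", pattern_type="Read"),
]

# Process rules use bare names and the same precedence (see the Processes section).
PROCESS_RULES = [Rule(True, "v*", "Event"), Rule(False, "*ix", "Event")]


if __name__ == "__main__":
    for path in (r"c:\mydocs\calc.doc", r"c:\mydocs\notes.xoc",
                 r"c:\app\logs\app.log", r"c:\app\logs\tmp\x.log"):
        print(path, "->", resolve(FILE_RULES, path, default_path=r"c:\app"))
    # Same component on a device whose Default Path was overridden to d:\app
    print(r"d:\app\logs\app.log", "->",
          resolve(FILE_RULES, r"d:\app\logs\app.log", default_path=r"d:\app"))
    print("Read tie ->", resolve(FILE_RULES, r"c:\anything", pattern_type="Read"))
    for name in ("vix", "vim", "fix"):
        print(name, "->", resolve(PROCESS_RULES, name, pattern_type="Event"))
```

Running the script shows c:\mydocs\calc.doc included (longer Include wins), c:\mydocs\notes.xoc excluded (only the Exclude matches), c:\app\logs\tmp\x.log excluded by the longer directory pattern even though c:\app\logs includes it, the Read tie resolved in favour of Include, and the process vix excluded because *ix is longer than v*.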

Processes

This monitoring capability uses operating system facilities to monitor process starts and stops in near real time.

Rules

You can create up to 50 include or exclude rules for this rule set in a single component. The following pattern types are available for creating rules.

Table B-2 Pattern Types for Creating Rules

Event -- For this Include Processes rule, monitor only process start and stop activity.

Resource -- For this rule, monitor only the CPU and memory usage of the process. A single value is recorded every 5 minutes, calculated as a rolling average over multiple sample points within that 5 minute period. This performance data is visible under the Trend Visualization screens. This option only works if the devices this component is assigned to use the Change and Performance Agent Schedule template. See Agent Schedule Templates for more information.

Both -- For this rule, capture process starts and stops as well as performance data. The note for Resource also applies to this option.


To filter process events by the user that caused them, add an OS Users rule set to the same component and, on that rule set, check the box indicating that its users are for filtering other types of rule sets. Then, in this process rule screen, check Filter change data by Users defined in component.

The following guidelines should be followed when creating rules for this rule set:

  1. On Unix platforms, process names are case-sensitive.

  2. The process pattern should only contain the process name. It should not contain the file path. For example, use "bash", but not "/bin/bash" in the process name.

  3. Use a wildcard (*) to match any characters. For example: use "v*" to match any process starting with "v".

  4. If two or more patterns match the same process name, the pattern with greater length takes precedence. For example: Include v* and Exclude *ix both match the process vix. Since *ix is longer it takes precedence, so the process vix is excluded.

Processes On OS/400

This monitoring capability differs somewhat from processes on other operating systems. On OS/400, two elements are monitored under the Processes rule set: jobs and commands. Configuring the rules is similar to processes on other operating systems, with a few minor differences.

Rules

You can create up to 50 include or exclude rules for jobs and commands for this rule set in a single component. The following pattern type is available for creating rules.

Event -- For this Include Processes rule, only monitor for process start or stop activity.

The pattern name for a Job or Command rule is the name of the job or command whose activity you want to monitor.

To filter these events by the user that caused them, add an OS Users rule set to the same component and, on that rule set, check the box indicating that its users are for filtering other types of rule sets. Then, in this process rule screen, check Filter change data by Users defined in component.

The following guidelines should be followed when creating rules for this rule set:

  1. Job names and Command names are case-sensitive.

  2. Job and Command pattern should only contain the name. It should not contain the file path.

  3. Use a wildcard (*) to match any characters. For example: use "v*" to match any job or command starting with "v".

  4. If two or more patterns match the same name, the pattern with greater length takes precedence. For example: Include v* and Exclude *ix both match the name vix. Since *ix is longer it takes precedence, so a job or command named vix is excluded and not monitored.

OS Users

This monitoring capability uses operating system facilities to monitor user logins and logouts in near real time.

Rules

You can create up to 50 include or exclude rules for this rule set in a single component. The following pattern types are available for creating rules.

Table B-3 Pattern Types for Creating Rules

User -- The pattern is a user name pattern to include or exclude.

Connecttype -- The pattern is a connect type to filter events by. Values include console, telnet, ssh, ftp and, on Windows only, rdp.


You can also use the user definitions in this rule set to filter other types of events in the same component, such as file changes, process starts and stops, or Windows registry changes. To do so, create the user rules and select the checkbox User for filtering other types only, not for inclusion/exclusion of user login/logout events. Then, in the other rule sets of this component, check Filter change data by Users defined in component.

If you have integrated your Configuration Change Console server with an LDAP server, you can import groups and users from the LDAP server instead of entering them as patterns. If the group structure changes in the LDAP server, the change is pushed automatically to the agent so that monitoring is adjusted. To add LDAP users and groups, click the Add Instance link under the LDAP Users and Groups section of the Rules screen.

When adding patterns of pattern type user or osuser, you can also populate them from the users that the Configuration Change Console agent has detected over time. Click Select from Detected Users to choose previously discovered users instead of entering the patterns manually.

The following guidelines should be followed when creating rules for this rule set:

  1. User names are case-sensitive. Users root and ROOT are two different user names.

  2. The relationship between a Connecttype rule and a User rule is "and": if both are specified, only events that satisfy both are reported.

  3. You can use a wildcard '*' to match zero or more characters in the pattern. Pattern "ro*" matches user name root and ronald.

  4. If two or more patterns match the same user name, the longer pattern has higher priority. For example, both Include r* and Exclude *ot match the user name root, but Exclude *ot is longer, so the user name root is excluded.
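The following worked example covers both uses of the OS Users rule set described above: deciding which login/logout events are reported (User pattern AND Connecttype pattern, case-sensitive, '*' wildcard, longest pattern wins, Include wins a tie), and applying rules flagged User for filtering other types only to change records from other rule sets of the same component when Filter change data by Users defined in component is checked. It is an added illustration, not Configuration Change Console code; the names (UserRule, login_event_reported, filter_change_events) and the sample rules and records are constructed for the example. Two assumptions the guide does not state are marked in the code: ties are broken on the User pattern length alone, and an event that no rule matches is reported as None.

```python
"""Added example of the OS Users rule-set guidelines (not product code)."""
import fnmatch
from dataclasses import dataclass


@dataclass(frozen=True)
class UserRule:
    include: bool              # True = Include, False = Exclude
    user: str                  # User pattern; case-sensitive ("root" != "ROOT")
    connecttype: str = "*"     # Connecttype pattern; "*" means any connect type
    filter_only: bool = False  # "User for filtering other types only" checkbox


def _decide(hits):
    """Guideline 4: the longest User pattern wins; on a tie Include (True)
    outranks Exclude. Assumption: the Connecttype pattern length is ignored.
    Returns None when nothing matched (the guide does not define that case)."""
    if not hits:
        return None
    return max(hits, key=lambda r: (len(r.user), r.include)).include


def login_event_reported(rules, user, connecttype):
    """Include/Exclude decision for one login or logout event. Rules flagged
    filter_only take no part: they are not for login/logout inclusion.
    fnmatchcase is case-sensitive and treats '*' as the wildcard."""
    hits = [r for r in rules
            if not r.filter_only
            # Guideline 2: Connecttype and User patterns are ANDed
            and fnmatch.fnmatchcase(user, r.user)
            and fnmatch.fnmatchcase(connecttype, r.connecttype)]
    return _decide(hits)


def filter_change_events(rules, events):
    """'Filter change data by Users defined in component': keep only change
    records (file, process, registry) whose acting user is included by the
    filter-only rules. A change record carries no connect type."""
    filters = [r for r in rules if r.filter_only]
    return [ev for ev in events
            if _decide([r for r in filters
                        if fnmatch.fnmatchcase(ev["user"], r.user)])]


# Constructed rules for one OS Users rule set. The r*/*ot pair is the guide's
# own example; the rest are made up for this illustration.
USER_RULES = [
    UserRule(True,  "r*"),                        # root, ronald, ...
    UserRule(False, "*ot"),                       # longer than "r*": root is excluded
    UserRule(True,  "admin", connecttype="ssh"),  # admin, but only over ssh
    UserRule(True,  "svc_*", filter_only=True),   # filters other rule sets, not logins
    UserRule(True,  "root",  filter_only=True),
]

# Constructed change records as a Files rule set in the same component would
# see them, each carrying the user that performed the action.
CHANGE_EVENTS = [
    {"user": "root",       "path": "/etc/passwd",           "action": "Write"},
    {"user": "svc_backup", "path": "/var/backups/db.tgz",   "action": "Write"},
    {"user": "ronald",     "path": "/home/ronald/.bashrc",  "action": "Write"},
]


if __name__ == "__main__":
    for user, ctype in (("root", "console"), ("ronald", "ssh"), ("ROOT", "console"),
                        ("admin", "ssh"), ("admin", "rdp")):
        print(f"login {user}/{ctype} ->", login_event_reported(USER_RULES, user, ctype))
    print("change records kept:",
          [ev["user"] for ev in filter_change_events(USER_RULES, CHANGE_EVENTS)])
```

Running the script shows root's console login excluded (Exclude *ot is longer than Include r*), ronald's ssh login included, ROOT unmatched because user names are case-sensitive, admin included over ssh but unmatched over rdp because the Connecttype and User patterns are ANDed, and only the root and svc_backup change records kept because the ronald record matches no filter-only rule.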