Setting up an intrusion detection policy
Intrusion detection allows you to set up policies to notify you of any network intrusions that are detected on your system.
An intrusion detection policy consists of two parts:
- An IDS condition that identifies the conditions (such as the port, protocol, or IP address) that apply to the intrusion detection policy.
- An IDS action that identifies the actions to take when a condition is met. Multiple conditions can point to the same action.
The IDS policy file, idspolicy.conf, is included with the i5/OS® operating system and shipped as /QIBM/ProdData/OS400/QOS/idspolicy.conf. A sample IDS policy, which is commented out, is included in this shipped file. When i5/OS is installed (Option 3 of i5/OS in the character-based interface), the file is copied to /QIBM/UserData/OS400/QOS/ETC. Ensure that you have authority to the /QIBM/UserData/OS400/QOS/ETC/ directory and to the idspolicy.conf file in it. To set up your intrusion detection policy for the first time, follow these steps:
- Issue the WRKSYSVAL command to set the auditing system values. You will see a list of system values.
- Type 2 to display the QAUDCTL system value. Enter *AUDLVL to activate QAUDLVL.
- Issue the following command to set IP QoS enablement to Yes: CHGTCPA IPQOSENB(*YES)
- To configure the IDS policy file, edit the copy of idspolicy.conf in /QIBM/UserData/OS400/QOS/ETC/. If the file is not there, copy it from /QIBM/ProdData/OS400/QOS/.
- Edit the IDS policy file.
- Start the QoS server using the following command: strtcpsvr *qos
- Issue the Work with Active Jobs (WRKACTJOB) command to verify that the QoS server has started. You will see QTOQSRVR in the list of started servers.
Now your system is ready to catch suspicious events coming in through the TCP/IP network.
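The same setup steps as a single CL program, added here as an example and not code from IBM's documentation. It assumes the shipped and working-copy paths named above, uses CPY so an existing customised policy is never overwritten, and stops before starting the QoS server if an earlier step fails.

```cl
/* SETUPIDS: constructed example, not from the IBM documentation.     */
/* Applies the setup steps in order; any failure branches to FAIL     */
/* so the QoS server is not started against a half-configured system. */
PGM
   /* Activate auditing. CHGSYSVAL replaces the whole QAUDCTL list,  */
   /* so add any values (for example *OBJAUD) that are already in use. */
   CHGSYSVAL  SYSVAL(QAUDCTL) VALUE('*AUDLVL')
   MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(FAIL))

   /* Set IP QoS enablement to Yes; the IDS policy is applied by QoS. */
   CHGTCPA    IPQOSENB(*YES)
   MONMSG     MSGID(CPF0000 TCP0000) EXEC(GOTO CMDLBL(FAIL))

   /* Create the working copy of idspolicy.conf from the shipped file */
   /* only if none exists yet; REPLACE(*NO) keeps an existing copy.   */
   CPY        OBJ('/QIBM/ProdData/OS400/QOS/idspolicy.conf') +
              TODIR('/QIBM/UserData/OS400/QOS/ETC') REPLACE(*NO)
   MONMSG     MSGID(CPFA000)   /* already present: keep the edited copy */
   /* Edit /QIBM/UserData/OS400/QOS/ETC/idspolicy.conf (EDTF is one    */
   /* interactive option) before running the remaining steps.          */

   /* Start the QoS server, which reads the IDS policy file.          */
   STRTCPSVR  SERVER(*QOS)
   MONMSG     MSGID(CPF0000 TCP0000) EXEC(GOTO CMDLBL(FAIL))

   /* Spool the active-job list so that QTOQSRVR can be confirmed from */
   /* the job's output rather than on an interactive display.          */
   WRKACTJOB  OUTPUT(*PRINT) JOB(QTOQSRVR)
   SNDPGMMSG  MSG('IDS setup completed; confirm QTOQSRVR in the +
                   WRKACTJOB spooled file')
   RETURN

FAIL:
   SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
              MSGDTA('IDS setup stopped: a step failed, see the job log') +
              MSGTYPE(*ESCAPE)
ENDPGM
```

Run it from a profile that already holds the authorities listed above; the escape message on failure makes the program usable from a job scheduler entry as well as interactively.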
- Editing the intrusion detection policy file: Follow these steps to edit your intrusion detection policy file.
- Backing up the intrusion detection policy file: You should back up your intrusion detection policies to eliminate the need to re-create your policies in the event of a system outage or power loss.