Setting up an intrusion detection policy


Intrusion detection allows you to set up policies to notify you of any network intrusions that are detected on your system.

An intrusion detection policy consists of two parts:

The IDS policy file, idspolicy.conf, is shipped with the i5/OS® operating system as /QIBM/ProdData/OS400/QOS/idspolicy.conf. The shipped file contains a sample IDS policy, which is commented out. When Option 3 of i5/OS (Extended Base Directory Support) is installed from the character-based interface, the file is copied to /QIBM/UserData/OS400/QOS/ETC; that copy, not the shipped original, is the one you edit. Ensure that you have authority to the /QIBM/UserData/OS400/QOS/ETC/ directory and to the idspolicy.conf file in it. To set up your intrusion detection policy for the first time, follow these steps:

  1. Issue WRKSYSVAL SYSVAL(QAUDCTL), type 2 (Change) next to the QAUDCTL system value, and add *AUDLVL so that the QAUDLVL and QAUDLVL2 settings take effect. Auditing also requires the security audit journal QAUDJRN in library QSYS; create it before continuing if it does not exist.

  2. Issue the following command to set IP QoS enablement to Yes: CHGTCPA IPQOSENB(*YES)

  3. Issue the WRKSYSVAL command to set the auditing system values. You will see a list of system values.
    1. Type 2 (Change) next to the QAUDLVL system value to see its auditing options.
    2. Add *ATNEVT to the list of auditing options.

      If there is no room in QAUDLVL for *ATNEVT, make sure that *AUDLVL2 is in the QAUDLVL list and put *ATNEVT in QAUDLVL2 instead, as described in the next two steps. Press F3 to exit.

    3. Type 2 (Change) next to the QAUDLVL2 system value to see its auditing options.
    4. Add *ATNEVT to the list of auditing options. Press F3 (Exit).

  4. Make sure the working copy of the IDS policy file exists in /QIBM/UserData/OS400/QOS/ETC/. If it is not there, copy idspolicy.conf from /QIBM/ProdData/OS400/QOS/ into that directory.

  5. Edit the copy of idspolicy.conf in /QIBM/UserData/OS400/QOS/ETC/. The shipped sample policy is commented out, so uncomment it and adapt it to the events you want reported; leave the original under /QIBM/ProdData untouched.

  6. Start the QoS server, which hosts the intrusion detection function, using the following command: STRTCPSVR SERVER(*QOS)

  7. Issue the Work with Active Jobs (WRKACTJOB) command to verify that the QoS server has started. You will see the QTOQSRVR job in the list of active jobs.

Now your system is ready to catch suspicious events coming in through the TCP/IP network. Detected intrusions are recorded in the QAUDJRN audit journal as IM (intrusion monitor) entries, which you can review with DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(IM).
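The whole procedure above, collected into one CL program, as an added example that is not code from this page or from IBM. The program name SETIDSENV, its &STAGE parameter and the QAUDLVL value list are assumptions: CHGSYSVAL replaces the entire list rather than appending to it, so substitute the values your system already audits before running it. The program runs in two stages so that the manual edit of idspolicy.conf falls between copying the sample and starting the server.

```cl
/* SETIDSENV: added example, not from the original page or from IBM.  */
/* Assumptions: the program name, the &STAGE parameter and the        */
/* QAUDLVL value list, which you must replace with your own settings. */
/* Usage: CALL SETIDSENV PARM('PREP'), edit idspolicy.conf, then      */
/*        CALL SETIDSENV PARM('START').                               */
             PGM        PARM(&STAGE)
             DCL        VAR(&STAGE)  TYPE(*CHAR) LEN(5)
             DCL        VAR(&OLDLVL) TYPE(*CHAR) LEN(160)
             DCL        VAR(&MSG)    TYPE(*CHAR) LEN(200)

             IF         COND(&STAGE *EQ 'PREP') THEN(DO)

/* Audit entries go to QAUDJRN; refuse to continue if it is missing.  */
             CHKOBJ     OBJ(QSYS/QAUDJRN) OBJTYPE(*JRN)
             MONMSG     MSGID(CPF9801) EXEC(DO)
             SNDPGMMSG  MSGID(CPF9898) MSGF(QCPFMSG) +
                          MSGDTA('QAUDJRN not found: create the +
                          audit journal before enabling IDS') +
                          MSGTYPE(*ESCAPE)
             ENDDO

/* Show the current QAUDLVL so the operator sees what is about to     */
/* change. CHGSYSVAL replaces the whole list; it does not append.     */
             RTVSYSVAL  SYSVAL(QAUDLVL) RTNVAR(&OLDLVL)
             CHGVAR     VAR(&MSG) +
                          VALUE('QAUDLVL before change:' *BCAT &OLDLVL)
             SNDPGMMSG  MSG(&MSG) MSGTYPE(*INFO)

/* *AUDLVL in QAUDCTL activates QAUDLVL; *AUDLVL2 in QAUDLVL extends  */
/* the list into QAUDLVL2, which is where *ATNEVT goes when QAUDLVL   */
/* is full. The values other than *AUDLVL2 are an assumed example.    */
             CHGSYSVAL  SYSVAL(QAUDCTL)  VALUE('*AUDLVL')
             CHGSYSVAL  SYSVAL(QAUDLVL) +
                          VALUE('*AUTFAIL *SECURITY *AUDLVL2')
             CHGSYSVAL  SYSVAL(QAUDLVL2) VALUE('*ATNEVT')

/* The IDS function runs inside the QoS server, so IP QoS must be on. */
             CHGTCPA    IPQOSENB(*YES)

/* Seed the working policy from the shipped sample. REPLACE(*NO)      */
/* keeps an existing, already customized policy; the MONMSG swallows  */
/* the "already exists" error in that case.                           */
             CPY        OBJ('/QIBM/ProdData/OS400/QOS/idspolicy.conf') +
                          TODIR('/QIBM/UserData/OS400/QOS/ETC') +
                          REPLACE(*NO)
             MONMSG     MSGID(CPFA000)

             SNDPGMMSG  MSG('Now edit +
                          /QIBM/UserData/OS400/QOS/ETC/idspolicy.conf, +
                          then CALL SETIDSENV PARM(''START'')') +
                          MSGTYPE(*COMP)
             ENDDO

             IF         COND(&STAGE *EQ 'START') THEN(DO)
/* Start the QoS server, confirm the QTOQSRVR job is active, and show */
/* the IM (intrusion monitor) audit entries that detections produce.  */
             STRTCPSVR  SERVER(*QOS)
             WRKACTJOB  JOB(QTOQSRVR)
             DSPJRN     JRN(QSYS/QAUDJRN) ENTTYP(IM)
             ENDDO

             ENDPGM
```

Compile it with CRTCLPGM from a source member, run the PREP stage, edit the copied policy, then run the START stage. If the QTOQSRVR job does not appear, check the job log of the QoS server job before assuming the policy is wrong; a syntax error in idspolicy.conf typically shows up there.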
