Set up a new intrusion detection policy

Learn how to set up an intrusion detection policy for the first time.

An intrusion detection (IDS) policy consists of two parts:

The IDS policy file, idspolicy.conf, is shipped with the i5/OS™ system in the /QIBM/ProdData/OS400/QOS/ directory. A sample IDS policy, which is commented out, is included in this shipped file.

Ensure that you have authority to the /QIBM/UserData/OS400/QOS/ETC/ directory and the idspolicy.conf file. Follow these steps to set up your intrusion detection policy for the first time:
  1. Issue the following command to set IP QoS enablement to Yes: CHGTCPA IPQOSENB(*YES)
  2. Issue the WRKSYSVAL command to set the auditing system values. A list of system values is displayed.
    1. Type 2 to display the auditing options for the QAUDLVL system value.
    2. Add *ATNEVT to the list of auditing options.

      If there is no room in QAUDLVL to set *ATNEVT, be sure that *AUDLVL2 is set in QAUDLVL, as described in the next two steps. Press PF3 to exit.

    3. Type 2 to display the auditing options for the QAUDLVL2 system value.
    4. Add *ATNEVT to the list of auditing options. Press PF3 to exit.
  3. To configure the IDS policy file, copy the file from /QIBM/ProdData/OS400/QOS/idspolicy.conf to /QIBM/UserData/OS400/QOS/ETC/.
  4. Edit the IDS policy file.
  5. Start the QoS server using the following command: strtcpsvr *qos

    When you start the QoS server, it looks in the ETC directory for the idspolicy.conf file. If the idspolicy.conf file is not found, it is copied from the /QIBM/ProdData/OS400/QOS/ directory into the /QIBM/UserData/OS400/QOS/ETC/ directory.

  6. Issue the Work with Active Jobs (WRKACTJOB) command to verify that the QoS server has started. QTOQSRVR appears in the list of active jobs.
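
The steps above as a CL program, added here as an example and not part of the i5/OS documentation. The program name SETIDS and its PREP/START parameter are assumptions, as is the generic MONMSG on CPFA000 for the copy; it relies on RTVSYSVAL returning QAUDLVL as 16 fixed entries of 10 characters, and it deliberately refuses to rewrite a full QAUDLVL rather than guess at QAUDLVL2.

```cl
/* SETIDS: constructed example, not part of the i5/OS documentation.        */
/* CALL SETIDS PARM('PREP')  runs steps 1 to 3 (QoS on, *ATNEVT, copy).      */
/* Edit idspolicy.conf (step 4), then CALL SETIDS PARM('START') for steps   */
/* 5 and 6. Assumes RTVSYSVAL returns QAUDLVL as 16 entries of 10 chars.    */
PGM PARM(&PHASE)
   DCL VAR(&PHASE)  TYPE(*CHAR) LEN(5)
   DCL VAR(&AUDLVL) TYPE(*CHAR) LEN(160)
   DCL VAR(&ENTRY)  TYPE(*CHAR) LEN(10)
   DCL VAR(&POS)    TYPE(*DEC)  LEN(3 0) VALUE(1)
   DCL VAR(&FREE)   TYPE(*DEC)  LEN(3 0) VALUE(0)
   DCL VAR(&LVL2)   TYPE(*LGL)  VALUE('0')
   IF COND(&PHASE *EQ 'START') THEN(GOTO CMDLBL(START))

   /* Step 1: the QoS server needs IP QoS enablement set to *YES.          */
   CHGTCPA IPQOSENB(*YES)

   /* Step 2: look for *ATNEVT, a free slot and *AUDLVL2 in QAUDLVL.       */
   RTVSYSVAL SYSVAL(QAUDLVL) RTNVAR(&AUDLVL)
SCAN: CHGVAR VAR(&ENTRY) VALUE(%SST(&AUDLVL &POS 10))
   IF COND(&ENTRY *EQ '*ATNEVT') THEN(GOTO CMDLBL(COPY))
   IF COND(&ENTRY *EQ '*AUDLVL2') THEN(CHGVAR VAR(&LVL2) VALUE('1'))
   IF COND(&ENTRY *EQ ' ' *AND &FREE *EQ 0) THEN(CHGVAR VAR(&FREE) VALUE(&POS))
   CHGVAR VAR(&POS) VALUE(&POS + 10)
   IF COND(&POS *LT 160) THEN(GOTO CMDLBL(SCAN))
   IF COND(&FREE *EQ 0) THEN(DO)
      /* QAUDLVL is full, so *ATNEVT belongs in QAUDLVL2. Never overwrite  */
      /* either list blindly: hand the remaining edit back to the admin.   */
      IF COND(&LVL2) THEN(SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
         MSGTYPE(*ESCAPE) MSGDTA('QAUDLVL full: add *ATNEVT to QAUDLVL2'))
      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) MSGTYPE(*ESCAPE) +
         MSGDTA('QAUDLVL full: add *AUDLVL2 to it and *ATNEVT to QAUDLVL2')
   ENDDO
   CHGVAR VAR(%SST(&AUDLVL &FREE 10)) VALUE('*ATNEVT')
   CHGSYSVAL SYSVAL(QAUDLVL) VALUE(&AUDLVL)

   /* Step 3: copy the shipped policy only if no customised copy exists;   */
   /* REPLACE(*NO) fails with a CPFA0xx message when the target is there.  */
COPY: CPY OBJ('/QIBM/ProdData/OS400/QOS/idspolicy.conf') +
         TODIR('/QIBM/UserData/OS400/QOS/ETC') REPLACE(*NO)
   MONMSG MSGID(CPFA000)
   SNDPGMMSG MSG('Edit ETC/idspolicy.conf, then CALL SETIDS PARM(''START'')')
   RETURN

   /* Steps 5 and 6: start the QoS server and show its job, QTOQSRVR.      */
START: STRTCPSVR SERVER(*QOS)
   WRKACTJOB JOB(QTOQSRVR)
ENDPGM
```

The escape messages stop the program at the point where the manual WRKSYSVAL steps (QAUDLVL2) are still required, so nothing in the audit configuration is silently replaced.
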
Now your system is ready to catch suspicious events coming in through the TCP/IP network.
Related reference
Keywords in the IDS policy file