File access control and security are a concern of the file monitoring metrics. So far, the following optional security features have been introduced.
- Virus Scan (introduced with ST-A/PI 01S SP03): subroutine FILMON_VIRUS_SCAN
This check is optional; it is only performed if an appropriate virus scan profile is installed on the managed system. If the virus scan is active, all files that match the selection criteria are scanned for a potential infection before they are processed further. Files with a positive check result (infection detected) are disregarded and don't contribute to the monitoring result. This check affects all key figures of the data collector. For further details, refer to note 2493402.
- Logical File Path:
Optional check that can be configured with the corresponding parameter in the monitoring setup. Affected key figures: 05 – 09 (all key figures which access the file content via the OPEN DATASET statement). If the Logical File Path is configured in the setup, the corresponding entry must also be available on the managed system (transaction FILE), and the files to be opened must be reflected in the corresponding physical file path; otherwise the files can't be opened. There is no possibility to maintain a whitelist for the files, so we recommend that you control access at operating system level. At operating system level you can protect or allow access to files and directories.
How Operating System Controls File Access
The operating system controls file access by setting permissions on files and directories. Permissions can be set to grant or deny access to specific files and directories. When a permission is granted, you can access the file or directory and perform the permitted function on it. When a permission is denied, you are prevented from accessing that file or directory. The most common permissions are Read, Write, Delete, and Execute.
- Read permission allows a user to open and read a file or directory.
- Write permission allows you to open the file or directory, make changes, and save those changes.
- Delete permission allows you to delete the file or directory.
- Execute permission allows you to run an executable file. Certain files are executable, usually ending in .exe or .com, and start an application on your computer.
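
Because the collector offers no file whitelist, the operating-system permissions on the monitored directory are the actual access boundary. The following added example (not part of the SAP data collector) audits such a directory on a POSIX host and optionally removes access for "others"; the function names `audit_monitored_dir` and `restrict_monitored_dir` are hypothetical, and the directory path is supplied by the operator.

```shell
#!/bin/sh
# Added example: audit the directory a file monitor reads from.
# Assumption: POSIX host; only the owner and group of the files
# (for example the application server's OS user) should have access.

# Prints one finding per line; returns 0 only if "others" have no access.
audit_monitored_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "ERROR: not a directory: $dir" >&2; return 2; }

    # World-writable entries: any local user can plant or alter a file
    # that is later opened and counted by the monitor.
    ww=$(find "$dir" ! -type l -perm -0002 -print)

    # Readable or executable/searchable by others (but not writable):
    # file names and content are exposed to every local user.
    wa=$(find "$dir" ! -type l \( -perm -0004 -o -perm -0001 \) \
         ! -perm -0002 -print)

    [ -n "$ww" ] && printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE /'
    [ -n "$wa" ] && printf '%s\n' "$wa" | sed 's/^/WORLD-ACCESSIBLE /'

    # Exit status reflects the result so the check can gate a job.
    [ -z "$ww$wa" ]
}

# Removes read, write and execute for "others" on the whole tree.
# Owner and group bits are left untouched.
restrict_monitored_dir() {
    chmod -R o-rwx "$1"
}

# Stand-alone use: sh audit.sh /path/to/monitored/dir
if [ "$#" -gt 0 ]; then
    audit_monitored_dir "$1"
fi
```

Run the audit before configuring a directory in the monitoring setup and again after any change to the physical file path, since new subdirectories inherit the creating user's umask rather than the intended restriction.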