Access Monitoring

(OS/390 RACF specific)

Control Point Ref #: accmoaad
-------------
Successive violations to critical resources and invalid access
attempts are being investigated

Audit Steps
-----------
1) Ensure that RACF is enabled to log all security violations
associated with issuing RACF commands to alter RACF
security.

1.1) Review the SETROPTS listing (Ref GL PAS mgpasabc) and ensure
that CMDVIOL is specified in the ATTRIBUTES parameter.

2) Determine the types of resources that are defined to log
failed access attempts.

2.1) Review the RACF CLASS Descriptor Table section of the DSMON
listing (Ref GL PAS mgpasabc) and identify the resource
types defined in the CLASS NAME field which have an active
status.

2.2) Review the SETROPTS listing (Ref GL PAS mgpasabc) and
determine whether each of the resource types are defined in
the LOGOPTIONS "FAILURES" CLASSES = or LOGOPTIONS "ALWAYS"
CLASSES = fields.

2.3) For the resource types that are not defined in the
LOGOPTIONS "FAILURES" field, determine whether their logging
for failed access attempts is controlled by the resource
profile that is defined for the resource by the resource
type being defined in the LOGOPTIONS "DEFAULTS" CLASSES =
field.

For the failed access attempts to resources that are defined
at the profile level, review the Generic and Discrete
Profiles datasets and the Resource Profiles for other
general resources for each profile and ensure that
FAILURES(UPDATE,ALTER) is specified in the AUDITING field.

3) Determine the process in place for monitoring successive
logon violations.

4) Determine the process in place for monitoring successive
access violations to critical resources.

5) Determine if logon violations are being reviewed.

5.1) Review the reports created by your installation to monitor
logon violations over a selected sample period and determine
if there is evidence of a follow-up investigation by the
Security Administrator.

6) Determine if access to resource violations are being
reviewed.

6.1) Review the reports created by your installation to monitor
access violations over a selected sample period and
determine if there is evidence of a follow-up investigation
by the Security Administrator.

F1 - Info Screen Ref #: accmoaad
Background
----------
The CMDVIOL is a RACF installation option which enables RACF to
record SMF records associated with RACF commands that are used to
administer security. Therefore, if NOCMDVIOL is specified in the
RACF installation options (SETROPTS), then RACF will not generate
a SMF record to log users who attempt to issue a RACF command to
change a user, group, dataset, or resource profile but are
prevented due to not having the necessary access entitlements
(e.g., SPECIAL attribute).

Unauthorized access attempts should also be monitored based on
access attempts to datasets and other general resources wither
through a submitted job or through changed performed online
(i.e., via TSO). The LOGOPTIONS RACF installation option has the
FAILURES parameter which monitors all failed attempts and the
ALWAYS parameter which monitors all access attempts. The type of
resource is specified in the LOGOPTIONS parameters to allow
installations to define which resource types should be logged.
Since the LOGOPTIONS parameter logs both READ and UPDATE
attempts, the installation might choose to log only UPDATE
accesses which is of the most concern. This is done using the
LOGOPTIONS DEFAULT parameter along with associated resource
classes. The LOGOPTIONS DEFAULT parameter specifies that the
profile used to define and protect the resource will indicate the
type access the loggings will occur for.

RACF provides a report writer that allows installations to create
their job which generates reports of site specified events which
includes violations. The events that are selected to be printed
are based on predefined RACF provided parameters that are
specified within the JCL's SYSIN statement.

Audit Step Info
---------------
The exposure of resource access violations is limited since
access to the resource was not granted. However, successive
attempts to access a resource by an individual should be
investigated for two reasons.

o The individual might legitimately require access to a
particular resource but is prevented. In this case an
analysis should be performed to determine the sensitivity of
the resource to determine the level of access that should be
granted.

o The individual might be attempting to gain unauthorized
access to a resource and is attempting to circumvent the
access controls through various methods. In this case, the
owner of the logonid and the manager should be notified, and
an investigation should be performed to determine if it was
the owner of the ID that caused the violation or a hacker.

An overall process should be in place which identifies the steps
that should be taken to identify when an unauthorized user is
attempting to gain access to a logonid. Unless every violation
is being investigated, which not reasonable to expect, specific
patterns of review should be documented. For instance, only
multiple violations to the same resource by a specific userid
should be investigated which can be focused primarily on
sensitive resources.

************************************************************************
Copyright 1991 - 2000, Audit Serve, Inc. All rights reserved. All Audit
Programs are copyrighted and may not be posted electronically or
redistributed unless written permission is granted by Audit Serve, Inc.
The Audit Programs may be used for internal use within organizations.
Audit Programs may not be resold.
************************************************************************