(OS/390 RACF specific)
Control Point Ref #: accmoaad
-------------
Successive violations to critical resources and invalid access attempts are being investigated

Audit Steps
-----------
1) Ensure that RACF is enabled to log all security violations associated with issuing RACF commands to alter RACF security.
   1.1) Review the SETROPTS listing (Ref GL PAS mgpasabc) and ensure that CMDVIOL (not NOCMDVIOL) is specified in the ATTRIBUTES parameter.
2) Determine the types of resources that are defined to log failed access attempts.
   2.1) Review the RACF Class Descriptor Table section of the DSMON listing (Ref GL PAS mgpasabc) and identify the resource types listed in the CLASS NAME field that have an active status.
   2.2) Review the SETROPTS listing (Ref GL PAS mgpasabc) and determine whether each active resource type is listed in the LOGOPTIONS "FAILURES" CLASSES = or LOGOPTIONS "ALWAYS" CLASSES = field. Failed access attempts to these classes are logged regardless of the AUDIT setting of the individual profiles.
   2.3) For the resource types that are not listed in the LOGOPTIONS "FAILURES" or "ALWAYS" field, determine whether logging of failed access attempts is controlled at the profile level, i.e. the resource type is listed in the LOGOPTIONS "DEFAULT" CLASSES = field. (A resource type listed in the LOGOPTIONS "NEVER" CLASSES = field is not logged at all, whatever its profiles specify, and should be reported as a finding.) For the resource types whose logging is controlled at the profile level, review the generic and discrete dataset profiles and the resource profiles of the other general resource classes, and ensure that the AUDITING field logs failures at UPDATE or lower, e.g. FAILURES(READ) or FAILURES(UPDATE). RACF logs failed attempts at the specified access level and higher, so FAILURES(UPDATE) covers failed UPDATE, CONTROL and ALTER attempts, whereas FAILURES(ALTER) would miss failed UPDATE attempts.
3) Determine the process in place for monitoring successive logon violations.
4) Determine the process in place for monitoring successive access violations to critical resources.
5) Determine if logon violations are being reviewed.
   5.1) Review the reports created by your installation to monitor logon violations over a selected sample period and determine if there is evidence of a follow-up investigation by the Security Administrator.
6) Determine if access violations to resources are being reviewed.
   6.1) Review the reports created by your installation to monitor access violations over a selected sample period and determine if there is evidence of a follow-up investigation by the Security Administrator.

F1 - Info Screen Ref #: accmoaad

Background
----------
CMDVIOL is a RACF installation option (set with SETROPTS) that causes RACF to write SMF records for RACF commands that are used to administer security. If NOCMDVIOL is specified instead, RACF will not write an SMF record when a user attempts to issue a RACF command to change a user, group, dataset, or resource profile but is prevented because the user lacks the necessary authority (e.g., the SPECIAL attribute), so such attempts go unrecorded.

Unauthorized access attempts should also be monitored for datasets and other general resources, whether they are made through a submitted batch job or through changes performed online (i.e., via TSO). The LOGOPTIONS installation option has a FAILURES parameter, which logs all failed access attempts, and an ALWAYS parameter, which logs all access attempts, successful or not. The resource class is named on the LOGOPTIONS parameters, which lets the installation choose which resource types are logged. Since LOGOPTIONS(FAILURES) logs failed READ attempts as well as failed UPDATE attempts, an installation might choose to log only failed UPDATE (and higher) accesses, which are of the most concern. This is done with the LOGOPTIONS DEFAULT parameter for the affected resource classes: DEFAULT specifies that the AUDIT setting of the profile that protects each resource determines which access attempts are logged.

RACF provides a report writer that lets installations create a job which produces reports of site-specified events, including violations. The events selected for printing are chosen with RACF-provided control statements specified in the job's SYSIN DD statement.
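Audit steps 1 and 2 above, and the Background that explains them, amount to a mechanical check of the SETROPTS listing: is CMDVIOL on, and for each active class, are failed accesses logged by LOGOPTIONS, left to the profile's AUDIT setting, or suppressed? The following Python script is an added example written for this page, not part of the Audit Serve program. It parses a SETROPTS LIST report that has been downloaded as text and performs those checks, plus the profile-level test from step 2.3. The sample listing is constructed and its layout only approximates the real report (key, equals sign, values, with indented continuation lines), so the parser should be checked against a listing from your own system before relying on it; the status wording is the example's own.

```python
import re

# Constructed sample of a SETROPTS LIST report. The layout approximates the
# real listing (KEY = values, continuation lines indented); it is not output
# from a live system.
SAMPLE_SETROPTS = """\
ATTRIBUTES = INITSTATS WHEN(PROGRAM) SAUDIT CMDVIOL OPERAUDIT
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP FACILITY SURROGAT TSOAUTH
                 OPERCMDS
LOGOPTIONS "ALWAYS" CLASSES = NONE
LOGOPTIONS "NEVER" CLASSES = TSOAUTH
LOGOPTIONS "SUCCESSES" CLASSES = NONE
LOGOPTIONS "FAILURES" CLASSES = FACILITY SURROGAT
LOGOPTIONS "DEFAULT" CLASSES = DATASET USER GROUP
                               OPERCMDS
"""

KEY_RE = re.compile(r'^(\S[^=]*?)\s*=\s*(.*)$')


def parse_setropts(text):
    """Return {key: [tokens]} for every 'KEY = value' line of the listing,
    folding indented continuation lines into the preceding key.
    The placeholder value NONE becomes an empty list."""
    fields, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = KEY_RE.match(raw)
        if m and not raw[0].isspace():
            current = m.group(1).strip()
            fields[current] = []
            tokens = m.group(2).split()
        elif current is not None:
            tokens = raw.split()          # continuation of the previous key
        else:
            continue
        fields[current].extend(t for t in tokens if t != 'NONE')
    return fields


def cmdviol_enabled(fields):
    """Audit step 1.1: CMDVIOL must appear as its own token in ATTRIBUTES;
    NOCMDVIOL is a different token and is deliberately not matched."""
    return 'CMDVIOL' in fields.get('ATTRIBUTES', [])


# Meaning of each LOGOPTIONS list for *failed* access attempts.
LOGOPT_MEANING = {
    'ALWAYS':    'failures logged by LOGOPTIONS',
    'FAILURES':  'failures logged by LOGOPTIONS',
    'NEVER':     'NOT LOGGED (LOGOPTIONS NEVER overrides profile AUDIT)',
    'SUCCESSES': 'failures depend on profile AUDIT',
    'DEFAULT':   'failures depend on profile AUDIT',
}


def failure_logging_by_class(fields):
    """Audit step 2: map every active class to how its failures are logged."""
    result = {}
    for cls in fields.get('ACTIVE CLASSES', []):
        status = 'not in any LOGOPTIONS list (treat as DEFAULT)'
        for opt, meaning in LOGOPT_MEANING.items():
            if cls in fields.get('LOGOPTIONS "%s" CLASSES' % opt, []):
                status = meaning
                break
        result[cls] = status
    return result


ACCESS_ORDER = ['READ', 'UPDATE', 'CONTROL', 'ALTER']


def profile_logs_failures_at(auditing, level):
    """Audit step 2.3: given a profile's AUDITING value as shown by LISTDSD or
    RLIST (e.g. 'FAILURES(READ)', 'ALL(UPDATE)', 'SUCCESS(UPDATE),FAILURES(READ)',
    'NONE'), report whether failed attempts at `level` are logged.
    FAILURES(x) and ALL(x) log failures at access level x and higher."""
    m = re.search(r'(?:FAILURES|ALL)\((READ|UPDATE|CONTROL|ALTER)\)',
                  auditing.upper())
    if not m:
        return False
    return ACCESS_ORDER.index(level) >= ACCESS_ORDER.index(m.group(1))


if __name__ == '__main__':
    fields = parse_setropts(SAMPLE_SETROPTS)
    print('CMDVIOL enabled:', cmdviol_enabled(fields))
    for cls, status in sorted(failure_logging_by_class(fields).items()):
        print('%-10s %s' % (cls, status))
    # Profiles in DEFAULT classes still need their AUDITING field reviewed:
    for audit in ('FAILURES(READ)', 'FAILURES(ALTER)', 'NONE'):
        print('%-16s logs failed UPDATE: %s'
              % (audit, profile_logs_failures_at(audit, 'UPDATE')))
```

Classes reported as "depend on profile AUDIT" are the ones for which step 2.3 applies: feed the AUDITING field of each dataset or general resource profile into profile_logs_failures_at with the access level you care about (UPDATE for the control point above) to find profiles whose failed attempts would go unrecorded.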
Audit Step Info
---------------
The exposure from a resource access violation is limited, since access to the resource was not granted. However, successive attempts by one individual to access a resource should be investigated for two reasons.
o The individual might legitimately require access to a particular resource but is prevented from using it. In this case an analysis should be performed to determine the sensitivity of the resource and the level of access that should be granted.
o The individual might be attempting to gain unauthorized access to a resource and to circumvent the access controls through various methods. In this case, the owner of the logonid and the owner's manager should be notified, and an investigation should be performed to determine whether the violation was caused by the owner of the ID or by an intruder using it.

An overall process should be in place that identifies the steps to be taken to detect when an unauthorized user is attempting to gain access to a logonid. Since investigating every violation is not reasonable to expect, the specific patterns that trigger a review should be documented; for instance, only multiple violations against the same resource by a specific userid need be investigated, with the focus primarily on sensitive resources.

************************************************************************
Copyright 1991 - 2000, Audit Serve, Inc. All rights reserved. All Audit Programs are copyrighted and may not be posted electronically or redistributed unless written permission is granted by Audit Serve, Inc. The Audit Programs may be used for internal use within organizations. Audit Programs may not be resold.
************************************************************************