T 5.117 Covering up tampering in z/OS

By changing log files or shutting down log functions, it is possible to cover up tampering on the z/OS system.

Most components of the z/OS system generate logging information on system activities and system events. This data is regularly offloaded and saved in the related log files (e.g. system log, SMF data records), where it can be evaluated later.

Log files can be modified or tampered with by anyone who holds an appropriate access right to the file. This right may have been granted unintentionally through careless system administration, or an attacker may have obtained it through earlier tampering.

A further way of attacking system logging is to prevent log data from being generated at all by tampering with the generating components. In z/OS, for example, which SMF data records are written is specified in a configuration member. By changing this member or by installing exits, it is possible to ensure that certain SMF data records are no longer written. The usual security monitors cannot detect suppressed violations, nor can they report that SMF records or system messages are no longer being written.
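The monitoring gap described above (the absence of records is itself never reported) can be closed by checking for silence rather than only for violations. The following Python script is an added example, not part of this catalogue entry or of any z/OS product; it assumes that the SMF data has already been dumped and reduced to a constructed text extract with one "timestamp,type" line per record, and reports every expected record type that falls silent for longer than a threshold within a review window.

```python
from datetime import datetime, timedelta

# Constructed extract (not real SMF output): one "timestamp,type" line per SMF
# record, as a summary step over a dumped SMF data set might produce it.
SAMPLE_EXTRACT = """\
2024-03-01T08:00:00,30
2024-03-01T08:00:00,80
2024-03-01T08:05:00,80
2024-03-01T08:10:00,30
2024-03-01T08:10:00,80
2024-03-01T08:20:00,30
2024-03-01T08:30:00,30
2024-03-01T08:40:00,30
2024-03-01T08:50:00,30
2024-03-01T08:55:00,80
2024-03-01T09:00:00,30
"""

def parse_extract(text):
    """Map SMF record type -> sorted timestamps of the records seen."""
    seen = {}
    for line in text.splitlines():
        if line.strip():
            ts, rtype = line.split(",")
            seen.setdefault(int(rtype), []).append(datetime.fromisoformat(ts))
    return {t: sorted(v) for t, v in seen.items()}

def find_silent_periods(seen, expected_types, start, end, max_gap):
    """Report, per expected record type, each interval inside [start, end] longer
    than max_gap with no record; a type missing entirely yields the whole window."""
    findings = {}
    for rtype in expected_types:
        times = [start] + seen.get(rtype, []) + [end]
        gaps = [(a, b) for a, b in zip(times, times[1:]) if b - a > max_gap]
        if gaps:
            findings[rtype] = gaps
    return findings

def run_check():
    """One-hour window; type 119 is deliberately absent to model a suppressed type."""
    seen = parse_extract(SAMPLE_EXTRACT)
    return find_silent_periods(
        seen, expected_types=[30, 80, 119],
        start=datetime(2024, 3, 1, 8, 0), end=datetime(2024, 3, 1, 9, 0),
        max_gap=timedelta(minutes=15))

if __name__ == "__main__":
    for rtype, gaps in run_check().items():
        for a, b in gaps:
            print(f"SMF type {rtype}: no records between {a:%H:%M} and {b:%H:%M}")
```

On the constructed extract, type 30 flows continuously and is not reported, type 80 is silent for 45 minutes, and type 119 never appears at all.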

Example: