S 2.291 Security reporting and security audits under z/OS

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Auditor, IT Security Officer

A process must therefore be set up to monitor all security-relevant operations. The security reports to be produced regularly must be specified in this process and the procedure for handling deviations from the specifications must also be defined. These security reports should be used to provide the auditors with information.

Furthermore, security audits must be conducted regularly to increase the operational reliability of a z/OS system. Such audits are used to check if the required security settings are properly set and if the required procedures are being followed. Audit specifications can be found in S 2.288 Drawing up a security policy for z/OS systems.

Security reporting

SMF (System Management Facility) records as a source of the reports

The SMF records of type 80 are important for monitoring the information security of z/OS systems. They record all accesses to resources that are protected by RACF profiles. RACF definitions in these profiles can be used to specify if unauthorised accesses only will be logged or if authorised accesses will also be logged. All unauthorised accesses must be logged. In the case of system-critical files in a production system, authorised accesses should also be logged using the SMF when the files are changed during these. When logging using SMF records, it should always be ensured that the activation of the SMF functions does not generate too much logged data. There should only be a minor impact on the capacity and the performance of the system due to logging.

It must be ensured that the SMF records of type 80 are also actually written. This is defined in the SMFPRM00 member in the Parmlib. Protecting the Parmlib is described in more detail in safeguard S 4.209 Secure basic configuration of z/OS systems.

Use of tools

• Use of the RACFICE tool
  Consideration should be given to using IBM's ICE tool (RACFICE) based on IBM's DFSORT and to use the predefined reports, customise existing reports, or create new reports in so doing.
  With the SMF records, it is possible to generate reports on failed attempts to access resources, authorised accesses using special authorisations (OPERATIONS), and failed access attempts due to the use of the wrong password, for example.
  Reports can also be generated from the RACF database, for example of the file profiles filtered by UACC (Universal Access) or the blocked user IDs and profiles that have changed within the last 90 days.
• Use of the RACF program DSMON
  Consideration should be given to using the RACF program DSMON as the basis for additional reports. This is always recommended for monitoring changes to vital z/OS definitions in cases where a real-time monitor will not be used.
• Use of independent vendor tools
  The evaluation of the information logged in the SMF records requires special knowledge of the system, for example of the function of the SMF program. For this reason, consideration should be given to using separate tools to evaluate these records. Corresponding programs can be obtained from various ISVs (Independent Software Vendors).
• Use of a real-time monitor
  If there are special security requirements, it should be examined if a batch reporting system is sufficiently up-to-date or if it makes more sense to use a real-time monitor to detect certain security violations. When a real-time monitor is used, the SMF records are intercepted directly via SMF exits (IEF083, IEF084, and IEF085) and forwarded to a monitor program that then analyses and presents the information (see also safeguard S 4.209 Secure basic configuration of z/OS systems).
  Important information relevant to real-time-monitoring includes the following, for example:
  • changes to APF files
  • use of IDs with the
  • SPECIAL or OPERATIONS attribute
  • accesses authorised based on the OPERATIONS attribute
  • multiple attempts to gain access using the wrong password
  • use of the emergency user

z/OS security audits

Independence of the auditors

The audits must be performed by independent auditors, which means someone performing an audit is not permitted to audit himself/herself or his/her own work.

The auditors will need knowledge of the z/OS system and RACF in order to perform their tasks. This knowledge is to be obtained and updated through regular training.

Authorisation of the auditors

The auditors must be granted access to the system using the RACF attribute AUDITOR. This attribute also needs to be enabled for the files in the HFS in the corresponding file security packet (FSP).

Control over SMF records

The audit is based on the SMF records of record type 80. In this, the information in the RACF database specifies which events will be logged in the SMF records. For this reason, it must be ensured that these SMF records are actually written and available for assessment.

Examination of RACF profiles

The auditors should check the following for new RACF profiles and changes to existing RACF profiles:

• whether the corresponding operation was authorised,
• whether the scope of authorisation granted for the functions and attributes (SPECIAL, OPERATIONS) is justified (this also applies to GROUP-SPECIAL and GROUP-OPERATIONS).

Object of the security audits

A full security audit is very complex and a large number of security-relevant functions must be monitored for this purpose. The following functions should be monitored at a minimum:

• critical system settings:
  • program properties table (PPT)
  • control of the authorised Programming Facility (APF) files
  • control of the files from the link list
  • use of SVCs (SuperVisor Calls)
  • ICHRIN03 table (Started Task Table)
• critical RACF functions:
  • RACF Authorised Caller
  • use of RACF exits
  • RACF Started Procedures (especially the Privileged and Trusted attributes)
  • RACF Global Access Table
• critical operations:
  • operations performed using IDs with SPECIAL, OPERATIONS (also applies to GROUP-SPECIAL and GROUP-OPERATIONS), or emergency user, IBMUSER
  • changes to sensitive RACF parameters using the SETROPTS command
  • all RACDEF-SVC (SVC 133) calls and all changes to RACF profiles made using this RACF command
• information indicating potential security violations:
  • concentrations of failed login or access attempts
  • changes to audit attributes
  • claimed and/or confirmed user identities
  • types of access attempted (success or failure)

Use of audit tools

The RACF DSMON and the RACFICE package should be used at a minimum to check the definitions to be monitored. It should be checked if an additional program package needs to be purchased to help the auditors perform the audits.

It is important to note that an audit should only serve to determine the facts and not who is at fault (see also S 2.199 Maintaining information security).

Review questions:

• Has a process for monitoring all security-relevant operations in z/OS been established defining which security reports must be drawn up regularly?
• Is the z/OS system subjected to regular security audits?
• Do z/OS security audits ensure that the performing personnel do not audit themselves and their work?
• Have the auditors been trained for auditing z/OS systems and is their knowledge up to date?
• Are the z/OS auditors allowed to access the system with the RACF attribute AUDITOR?