S 2.292 Monitoring of z/OS systems

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

In order to be able to detect and eliminate error situations and security problems quickly, it is necessary to monitor the live operation of the z/OS systems. For this, different data sources of the operating system are available. These may be analysed either manually by the operating staff or automatically by programs.

The following recommendations must be taken into consideration for monitoring z/OS systems:

MCS console

The MCS console (Multiple Console Support) displays important system messages (errors, security violations, etc.) to which the operator can react promptly. In order to filter the important messages out of the wealth of messages, using the MPF function (Message Processing Facility) is absolutely necessary. In doing so, it is advisable to direct the important messages to a specific console, while the communication with the operating system should be performed on other consoles. Using colours to highlight critical messages should be considered.

SMF evaluation

Virtually all activities of the operating system are logged using SMF records (System Management Facility). These records must be used for analysis purposes after security violations (see also safeguard S 2.291 Security reporting and security audits under z/OS). In order to also be able to analyse events which occurred in the past, there must be a corresponding archiving procedure for the SMF data. Since the SMF data may also be used for billing and for performance analyses of the z/OS system, it must furthermore be considered whether a corresponding reporting system should be established.

SYSLOG evaluation

All essential events are furthermore recorded by the operating system in the so-called SYSLOG (system log), available for manual analyses via SDSF (System Display and Search Facility) for JES2 or via Flasher for JES3. It must be considered whether evaluation programs should be developed and used that browse the SYSLOG for critical messages and produce the corresponding reports.

Automation

It must be considered whether automation programs should be used that can recognise predefined SYSLOG messages and trigger the corresponding reactions in the system. For this, there is a host of products on the market; MPF including exit programming may also be used.
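As an added example for the SYSLOG evaluation and automation points above (not part of this safeguard and not the code of any product), a small Python evaluation program that browses SYSLOG lines for message IDs on a watch list, attaches the predefined reaction to each hit and produces a summary report. The simplified line layout, the sample lines, the watch list and its message IDs are all assumptions; an administrator would tailor the watch list to the installation in the same way as an MPF list.

```python
import re
from collections import Counter
# Watch list (an assumption, to be tailored per installation like an MPF list):
# message ID -> (severity, predefined reaction)
WATCH_LIST = {
    "ICH408I": ("CRITICAL", "notify security officer, review RACF access violation"),
    "IEF403I": ("INFO", "none"),
}

# Simplified SYSLOG-like layout used by the constructed sample below (not a real capture):
# <system> <hh:mm:ss> <jobid> <message-id> <message text>
LINE_RE = re.compile(r"^(\S+)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+([A-Z]{3}\d{3}[A-Z])\s+(.*)$")
USER_RE = re.compile(r"USER\((\w+)\)")

SAMPLE_SYSLOG = """\
SYSA 10:15:22 JOB12345 IEF403I PAYROLL - STARTED - TIME=10.15.22
SYSA 10:15:23 JOB12345 ICH408I USER(JDOE) GROUP(DEPT1) PROD.PAYROLL.MASTER CL(DATASET) INSUFFICIENT ACCESS AUTHORITY
SYSA 10:16:01 JOB12347 ICH408I USER(TEMP01) GROUP(GUEST) SYS1.PARMLIB CL(DATASET) INSUFFICIENT ACCESS AUTHORITY
SYSA 10:16:02 JOB12347 ICH408I USER(TEMP01) GROUP(GUEST) SYS1.PROCLIB CL(DATASET) INSUFFICIENT ACCESS AUTHORITY
SYSA 10:16:40 JOB12345 IEF404I PAYROLL - ENDED - TIME=10.16.40
garbled line that does not parse
"""

def scan_syslog(text, watch_list=WATCH_LIST):
    """Return (findings, unparsed_count); a finding is one watched message."""
    findings, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # malformed lines are counted, never silently dropped
            continue
        system, time, jobid, msgid, body = m.groups()
        if msgid not in watch_list:
            continue               # e.g. IEF404I is not on the watch list
        severity, reaction = watch_list[msgid]
        user = USER_RE.search(body)
        findings.append({"system": system, "time": time, "job": jobid, "msgid": msgid,
                         "severity": severity, "reaction": reaction,
                         "user": user.group(1) if user else None, "text": body})
    return findings, unparsed

def report(findings):
    """Report: count per message ID, and per user for CRITICAL messages only."""
    by_msgid = Counter(f["msgid"] for f in findings)
    by_user = Counter(f["user"] for f in findings if f["severity"] == "CRITICAL" and f["user"])
    return {"by_msgid": dict(by_msgid), "critical_by_user": dict(by_user)}

if __name__ == "__main__":
    found, skipped = scan_syslog(SAMPLE_SYSLOG)
    print(report(found), "| unparsed lines:", skipped)
```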

Application logs

Many applications write their own logged data, for example the USS subsystem (Unix System Services). These logs must also be analysed for security violations, and important messages must be made available to the operators.

Central control

In larger installations with different locations, there should be a central location (focal point) to which all information important for operation is reported. The use of programs that can present the events clearly, possibly graphically, should be considered.

Review questions: