Ant’s HomePage
Security Matters
The following is a snapshot of a page from Software Europe’s website c. August 2000, for historical interest only.
See Software Europe, IBM (formerly Consul), EKC, and MASE Technologies for details of their current products.

OS/390 Auditing & Event Monitoring Solutions




OS/390 auditing & event monitoring solutions on this page:

| Consul/Audit for RACF | AuditStar for OS/390 RACF |
| Consul/Audit for ACF2 | E-SRF |

| WWW Links |


Consul/Audit for RACF

Later called Consul/zAudit RACF, Consul InSight zAudit RACF, and now Tivoli zSecure Audit for RACF.

Consul/Audit for RACF provides extensive and clearly structured analysis options for mainframes running RACF.

The Complete Picture

Auditing IT systems is no simple task - you have to combine information from the operating system, the security system, and applications.

Consul/Audit for RACF provides a powerful system integrity analysis to look for potential problems in the environment and offers event reporting and analysis for automatic review of system and user activity.

And because Consul/Audit for RACF looks at both the SMF records and RACF information, the exceptions are separated from the insignificant data, and information can be presented to the person responsible for the event, not just to the system security officer.

Live Analysis

Keeping up with security violations and preventing damage to your data is a matter of flagging problems on time.

Consul/Audit for RACF references live SMF and RACF data sets to watch over your entire mainframe system. This enables your helpdesk and auditing personnel to view information from the active system immediately after an event has taken place, without having to wait to unload the SMF.

With pertinent audit information at their fingertips, your auditors will find it easier than ever to verify whether your disk and tape databases, program libraries and current tasks are safe.

Clear and Comprehensive Reports

Consul/Audit for RACF can generate combined reports on multiple RACF databases, giving auditors and security officers a complete and coherent picture of the security level within their IT environment.

These reports can also check the status of key indicators for security in each of the systems. Reports can even be tailored to show specific activities, such as user access on each of the corresponding components.

The integrated reporting function makes it easy for system security officers to find profiles, view their contents, track down exceptions and create installation-specific reports.

Broad Support

Consul/Audit for RACF also supports a wide variety of information on system events, including more than forty types of MVS, RACF and DB2 records in SMF.

By correlating the RACF information on the job that caused an SMF event to be recorded in the first place - even if the SMF record itself does not contain any RACF fields - Consul/Audit for RACF makes it easy to view the audit trail of any user or resource.

It is even possible to run an SMF log tape against any of the RACF databases to reveal possible access to data sets that are not defined to RACF.

Detecting Integrity Breaches

Consul/Audit for RACF includes a powerful system integrity analysis feature that reveals breaches in system integrity and other irregularities.

Reports generated from the system integrity analysis identify exposures and potential threats based on intelligent analysis built into the system. These reports even rank the severity of the exposure to help you determine the type of corrective action that is needed.

Consul/Audit for RACF allows you to select the audit policy used to determine the audit concerns and priorities. In addition to the Consul default policy, you can choose the C1, C2 and B1 levels of the ITSEC Orange Book standards.

Consul/Audit for RACF analyses the active OS/390 system's control blocks and shows the actual status of security settings along with any irregularities that it encounters along the way.

Consul/Audit for RACF also automatically monitors your system libraries and identifies updates using digital signature technology. The same technology can be used to find identical members in the same or a different library, and members with the same names but different contents.

Consul/Audit for RACF even spots users whose passwords are very easily compromised.

Flexibility

The Consul Auditing and Reporting Language (CARLa) used in Consul/Audit for RACF enables auditors to customise displays and reports and implement a verification of the installation-specific security policy.

Because you sometimes need to look at unloaded or historical copies of your data instead of live data feeds, Consul/Audit for RACF gives you the flexibility to specify which data will be audited.

For more information, see CONSUL's Web page [now IBM's].



Consul/RACF+Audit

Later called Consul/zSecure RACF and Consul zSecure RACF; now part of Tivoli zSecure Suite.

Consul/Audit for RACF can be seamlessly combined with Consul/RACF to provide a powerful suite of tools for administering, monitoring and evaluating mainframe security. Key advantages of the combined product include:


AuditStar for OS/390 RACF

Now called MASE for IBM RACF/zOS or simply MASE/zOS.

Monitoring changes to your systems

AuditStar is a knowledge-based security assurance tool for auditors and administrators. It automatically detects differences between your company-approved standards and what is actually found on your RACF & OS/390 systems. Utilizing a Windows-based interface, you can now quickly focus attention where it is needed.

Overview

AuditStar uses the powerful Consul/Audit technology to gather the necessary information from your operating system and RACF database. AuditStar is the foundation for a security monitoring process that can keep pace with modern information technology. AuditStar reports on the discrepancies that you need to know about. A discrepancy is triggered when there is a difference between the installation-specific standard and the actual security parameter. With AuditStar, it will take just minutes a day to perform a complete security analysis. AuditStar is vigilant, complete and accurate. It is your total assurance solution for data security.

What AuditStar does

AuditStar automates the process of developing and managing security standards. A system extract is used to populate an initial load of the AuditStar standards. These can be edited within AuditStar and supplemented by manually entered standards. Once the standards are certified, AuditStar gathers daily extracts of all required security information from each monitored system. As these daily extracts are loaded into the AuditStar database, a deviation analysis is automatically performed. The resulting summary and detailed discrepancy reports list all items that do not meet standards and all discrepancies that have been resolved. Finally, AuditStar manages the process of resolving discrepancies. The security administrator uses AuditStar to acknowledge or close discrepancies.

Who should use AuditStar

AuditStar is the intelligent IBM OS/390 security system integrity monitoring tool that is easy to use. To accomplish the thorough monitoring without AuditStar, the user has to be a mainframe security expert, but with AuditStar the intelligence is built in. Anyone who is currently responsible for reviewing security settings will benefit from AuditStar. This includes security administrators, systems analysts, managers and auditors.

Multiple OS/390 & RACF systems

AuditStar extracts and reports information from multiple OS/390 images and multiple RACF databases with ease. AuditStar allows you to easily add additional systems to your reporting environment as needed.

How AuditStar Works

AuditStar incorporates very high speed, optimized mainframe OS/390 RACF data-extraction routines. Information regarding access protection and system environment for each OS/390 image is captured on the mainframe. Periodically, usually daily, the information is sent from the mainframe(s) to the AuditStar server. The AuditStar server stores the information and evaluates it based on a set of installation-specific standards. AuditStar detects any discrepancies and presents them to the AuditStar administrator for review. AuditStar also generates online and printed reports of discrepancies, standards and trends. AuditStar can also be used to compare standards or actual data between multiple systems. The AuditStar client will run on any Windows 32-bit platform, and the server can be on any platform that supports an Oracle database (R8i).

For more information, see MASE Technologies' Web page [PDF].


Consul/Audit for ACF2

Later called Consul/zAudit ACF2, Consul InSight zAudit ACF2, and now Tivoli zSecure Audit for ACF2.

Reporting and Auditing the Security of OS/390 Mainframes with CA-ACF2

The security of an OS/390 system with ACF2 relies on having secure programs and parameters installed, as well as properly defined rules, definitions and global options in ACF2. Unless the OS/390 operating system is completely secure, any knowledgeable programmer can bypass the access control system. With Consul/Audit for ACF2, you can check the security of the OS/390 operating system and identify flaws in its security.

Consul/Audit for ACF2 has the functions you need to review and secure an OS/390 system with CA-ACF2:

By combining all reporting and auditing functions for MVS, SMF and ACF2 in one application, the installation can improve the daily monitoring routines to cover all these three security-relevant areas in one set of reports. It also allows the creation of automated reaction routines against incorrect use of the system, thus increasing the overall security level.

With Consul/Audit for ACF2 you can define user-oriented reporting so your users may better understand the relevance of security measures. Finally, by replacing several products that were previously used to obtain similar results, the organization may become more efficient and cost-effective.

Live and historical analysis

Consul/Audit for ACF2 uses the Consul/Collect data collection program to gather information about the OS/390 operating system. Consul/Collect finds all relevant control blocks and data sets automatically without requiring input from systems staff. This OS/390 system information is stored in a snapshot or "IOCONFIG" file.

Consul/Audit for ACF2 has the capability to create "UNLOAD" files containing information about all logonids and access rules defined to ACF2. The use of IOCONFIG and UNLOAD files enables cross-referencing, comparing and historical analysis of all security relevant data from one or from multiple systems. Questions that can be answered are "Did this logonid have access ten days ago?", "Is this access rule the same on all our systems?" and "Was this data set APF authorized last week?".

ACF2 analysis

Consul/Audit for ACF2 uses the backup ACF2 database or an UNLOAD file to analyze the logonids and access rules defined to ACF2. The select facilities allow you to search on any field in the records; the selected records are shown in an ISPF scrollable display with detail information available on request.

You can answer questions like "Which rules allow write access to data set XXX?" and "Which logonids with a specific combination of unscoped authorities have logged on yesterday?". You can view these reports interactively under ISPF, or run them automatically in batch.

You may also combine the logonids and/or access rules from ACF2 databases from multiple systems in a single report to produce consolidated information from multiple systems. Examples are the access a user has on each of the systems or the different UID strings associated with logonids on each system.

The Global System Options report shows the GSO information and identifies risky definitions.

Customized control over the sorting and pagination of your report output is achieved with the Consul/Audit for ACF2 bundle feature. Reports can be produced centrally for automatic distribution to decentralized group administrators. A bundle is based on any field in an ACF2 logonid definition or access rule. Multiple reports are combined in a single bundle for automatic distribution.

SMF analysis

Consul/Audit for ACF2 analyzes SMF from the live SMF data sets or from unloaded SMF data on tape or disk.

Using the live data sets, you can view information from the active system immediately after an event has taken place. You no longer have to unload your SMF just for the purpose of running a report, and you can analyze SMF data interactively.

Consul/Audit for ACF2 supports over 40 types of OS/390-specific event records, including ACF2 and DB2 audit records.

Consul/Audit for ACF2 remembers the ACF2 logonid for each TSO session, batch job or Started Task it finds in SMF. Subsequent SMF records from the same task are "tagged" with this information. You can create a complete audit trail of a specific logonid from SMF, including events from SMF records that do not contain ACF2 information and events from batch jobs with arbitrary names.

OS/390 system security

Consul/Audit for ACF2 analyzes OS/390 system and subsystem control blocks, and finds inconsistencies and integrity problems.

Consul/Audit for ACF2 provides displays to view definitions, tables, exits, and other vital OS/390 information, and explains where it found problems.

Problems are ranked by Audit priority, a number indicating the relative impact of a problem. An Audit priority of 40 or higher should be dealt with immediately.

Consul/Audit for ACF2 supports, amongst others, the following OS/390 components: APF, CA-1, DMS-OS, HSM, IO Appendages, JES2, JES3, Program Calls, PPT, SMF, Subsystems, SVCs, TSO, and Virtual Storage Management.

Consul/Audit for ACF2 also checks load modules and supervisor calls, looking for suspicious instructions. In addition, it can scan selected libraries for specific strings or the use of specific supervisor calls.

Library change detection

Consul/Audit for ACF2 identifies changes in the individual members of partitioned data sets, using digital signatures for each member of the libraries under scrutiny. Consul/Collect saves the member information in a snapshot (IOCONFIG) file.

Users or application owners can keep track of changes to their own libraries containing program sources, parameters, load modules, or any other members, which are to be Checked (or Frozen). When properly authorized, Consul/Collect will identify and Check the system sensitive libraries containing authorized load modules, parameters, catalogued procedures, etc.

Changes are detected by comparing two or more IOCONFIG files. A change in the attributes or contents of a member is reflected by a change of its digital signature. Consul/Audit for ACF2 indicates whether a member was added, deleted, or changed, and for each instance when the member was first or last detected. This provides an interval during which the change must have occurred.

For load modules, Consul/Audit for ACF2 also identifies PTFs and ZAPs applied to modules, and reports the difference in PTFs applied between two or more versions.

From a single IOCONFIG file, Consul/Audit for ACF2 can identify identical members in the same or different libraries, identically named members with different contents, and load module members touched by PTFs or ZAPs. The starter set provided with Consul/Audit for ACF2 contains sample daily reports to automatically identify changes, and ISPF dialogs to check out your system.
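The comparison logic described in this section, as an added example (not Consul's code): each snapshot is modelled as a dictionary mapping (library, member) to a digest, with SHA-256 standing in for the product's unspecified digital signature. The snapshot layout, dates and member contents are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def signature(content: bytes) -> str:
    # Assumption: SHA-256 stands in for the product's unspecified member signature.
    return hashlib.sha256(content).hexdigest()

def snapshot(libraries):
    """Flatten {library: {member: bytes}} into {(library, member): signature}."""
    return {(lib, mem): signature(data)
            for lib, members in libraries.items()
            for mem, data in members.items()}

def diff_snapshots(old, new):
    """Classify each member as added, deleted or changed between two snapshots."""
    report = {"added": [], "deleted": [], "changed": []}
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            report["added"].append(key)
        elif key not in new:
            report["deleted"].append(key)
        elif old[key] != new[key]:
            report["changed"].append(key)
    return report

def change_intervals(dated_snapshots, key):
    """Return (last date with old state, first date with new state) per change to key."""
    ordered = sorted(dated_snapshots, key=lambda pair: pair[0])
    return [(d0, d1) for (d0, s0), (d1, s1) in zip(ordered, ordered[1:])
            if s0.get(key) != s1.get(key)]

def single_snapshot_findings(snap):
    """From one snapshot: groups of identical members, and names with differing contents."""
    by_sig, by_name = defaultdict(list), defaultdict(set)
    for (lib, mem), sig in snap.items():
        by_sig[sig].append((lib, mem))
        by_name[mem].add(sig)
    identical = sorted(sorted(keys) for keys in by_sig.values() if len(keys) > 1)
    conflicting = sorted(mem for mem, sigs in by_name.items() if len(sigs) > 1)
    return identical, conflicting

# Constructed sample data: two snapshots with made-up member contents.
DAY1 = snapshot({
    "SYS1.LINKLIB": {"IEFBR14": b"v1", "MYEXIT": b"exit-a"},
    "USER.LOADLIB": {"MYEXIT": b"exit-b", "COPYBR14": b"v1"},
})
DAY2 = snapshot({
    "SYS1.LINKLIB": {"IEFBR14": b"v1", "MYEXIT": b"exit-a-zapped"},
    "USER.LOADLIB": {"COPYBR14": b"v1", "NEWTOOL": b"tool"},
})

if __name__ == "__main__":
    print(diff_snapshots(DAY1, DAY2))
    print(single_snapshot_findings(DAY1))
```

The narrower the gap between snapshots, the tighter the interval `change_intervals` can place around a modification, which is why the page describes daily collection.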

Change Tracking

The Change Track application in Consul/Audit for ACF2 monitors the value of key indicators against a verified base (Security Baseline). Changes in the indicators can be used to update the verified base, or can be tagged for follow-up. The user can add installation/application-specific indicators to the set, such as access rules for application data sets, the required inactivity of emergency logonids, or access rules accessible to specific UID (sub-)strings.

CARLa

The CONSUL Auditing and Reporting Language (CARLa) used in Consul/Audit for ACF2 gives the ability to modify the displays and reports, and build installation-specific System, ACF2 and SMF verification reports. With the DEFINE command you can add your own variables to Consul/Audit for ACF2 and use these in select and output functions, similar to the installation-specified Field Definition Entries.

Reports can be run under ISPF or in batch, on the backup ACF2 databases and live SMF data sets or on unloaded data, without changing the CARLa programs.

Supported environments

For more information, see CONSUL's Web page [now IBM's].


E-SRF (EKC Security Reporting Facility)

E-SRF is a comprehensive security reporting facility designed specifically for information security and audit professionals. The power and sophistication behind E-SRF is found in the two facets of the product: access analysis & event reporting. Together these tools give the security officer or auditor the necessary information in an efficient and easy-to-read manner. Pre-defined reports take the guesswork out of reporting.

For more information, see EKC's Web page.


WWW Links

How Much is Your Mainframe Software "Leaking"? A paper by Hans Schoone, one of the three founding partners of CONSUL Risk Management B.V., summarising the results of 350 penetration tests. He concludes,
"The current state of technical security in the world's computer systems is appallingly bad."



Copyleft & Creative Commons (cc) 2000–2008 Ant: This XHTML encoding is dual-licensed under both the GNU Free Documentation License (GFDL) and a Creative Commons Attribution-Noncommercial-Share Alike 3.0 License.
URL: http://homepage.mac.com/antallan/os390aud.html
History: Last updated Friday 8 August 2008
