| Record ID | Information in Record | What to Look For | Examples of Concerns |
|---|---|---|---|
| O10 | IPL volume and device unit address | | |
| O20 | DASD Volumes | | |
| O30 | SMF parameters | Global settings for SMF recording | Inactivating SMF |
| O40 | SMF subsystem parameters | SMF Options | |
| O41 | SMF subsystem exit activity | SMF exits | New exits |
| O42 | SMF subsystem recording inactivity | Suppressed SMF records | Suppressing audit trails (RACF 80 Dataset I/O) |
| O50 | Supervisor Calls (SVCs) | New, altered or removed SVCs | Rogue SVCs |
| O51 | Supervisor Calls (SVCs Details) | New, altered or removed SVCs | Rogue SVCs |
| O60 | I/O Appendages | New, altered or removed appendages | Appendages that have been added or deleted |
| O61 | I/O Appendages (Details) | New, altered or removed appendages | Appendages that have been added or deleted |
| O80 | MVS Subsystems | New, altered or removed subsystems | Subsystems that have been added or deleted |
| O90 | Modules with Scan Hits | Modules that have suspicious instructions | Programs that appear to be setting authorization/authority bits: FakeSpecial (flipping bit in ACEE); FakeOperations (ACEE); FakePriv (ACEE). |
| O91 | Monitored Load Modules | Changes in modules that have been specifically identified to be watched | Unexpected changes |
| O92 | Monitored Text Members | Changes in text that have been specifically identified to be watched | Unexpected changes |
| P10 | RACF dataset profiles to be monitored | Monitor dataset profiles that do not comply with standard / policy; Monitor dataset profiles of identified "sensitive" datasets | Installation-specific violations of standards for profiles |
| P11 | RACF dataset profiles to be monitored – Access lists | Access lists of the above profiles | |
| P14 | RACF APPL dataset profiles to be monitored | Monitor dataset profiles that do not comply with standard / policy; Monitor dataset profiles of identified "sensitive" datasets | Installation-specific violations of standards for profiles |
| P15 | RACF APPL dataset profiles to be monitored – Access lists | Access lists of the above profiles | |
| P20 | RACF general resource profiles to be monitored | Monitor protection of system-wide general resources, e.g. MVS operator commands; JES commands; CICS / IMS transactions… | |
| P21 | RACF general resource profiles to be monitored – Access lists | | |
| P22 | RACF general resource profiles to be monitored – Members | | |
| P30 | RACF dataset profiles for Sensitive Datasets | Dataset profiles for datasets that are critical to the integrity of the operating system | Unexpected changes |
| P31 | RACF dataset profiles for Sensitive Datasets – Access lists | UPDATE access (or higher) | |
| P40 | RACF STDATA segments for STARTED class | All STDATA segments in STARTED class | Started tasks with TRUSTED or PRIVILEGED |
| P50 | Sensitive Datasets - dsnames | See list of automatically detected system datasets | Unexpected changes |
| P51 | Sensitive Datasets - details | | |
| P60 | RACF Segment Usage | Indicates number of profiles in the RACF database | For Information Only |
| P61 | RACF Database Size | Indicates size of RACF database in bytes | For Information Only |
| R10 | System software releases and status (RACF only) | RACF, DFP, HSM, JES, MVS, RMF, SMS, TSO, VTAM | An unexpected RACF upgrade / regression |
| R15 | CONSOLES logon required | System consoles - security settings | Unexpected changes |
| R21 | SETROPTS – part a | System-wide RACF settings | Unexpected changes |
| R22 | SETROPTS – part b | System-wide RACF settings | |
| R23 | SETROPTS – part c | System-wide RACF settings | |
| R30 | RACF Database Name Table | Names of your RACF datasets | Changes to table |
| R31 | RACF Range Table | If you have multiple RACF datasets, the table specifying which profiles go on which dataset | Changes to table |
| R40 | RACF Authorized Caller Table | Programs that can run APF authorized within TSO | New programs |
| R50 | RACF Class Descriptor Table – details a | All RACF classes and their attributes | New classes; Deleted classes; Activation/inactivation of a class; modification to characteristics of a class |
| R60 | RACF Global access table (GLOBAL class) | GLOBAL class entries have no SMF auditing | Unexpected changes |
| R70 | SAF Router Table | MVS SAF table that routes SAF requests | |
| R80 | Modules with PPT attributes | APF modules, their library and access list, for programs that are present in the PPT with BYPASS or a system key, or with TSO authorizations (AuthCMD, AuthPGM, AuthTSF). | Any modules that can bypass RACF |
| RB2 | System exits | See table of exits | RACF exits; SMF exits; Exits can modify expected security behavior; can modify SMF data |
| RC0 | RACF Started Task Table (ICHRIN03) | Contents of table ICHRIN03 | Started tasks with TRUSTED or PRIVILEGED |
| U00 | Info for monitored userids | | |
| U01 | Info for monitored groups | | |
| U10 | RACF Userids with system attributes/privileges | Special attributes: SPECIAL allows you to make any change in RACF; OPERATIONS is like a "back door" to dataset access; AUDITOR allows you to look at any RACF profile and change global auditing settings | Verify any new users |
| U11 | RACF userids with UAUDIT | | |
| U12 | RACF userids with PROTECTED | | |
| U13 | RACF userids with RESTRICTED | | |
| U21 | RACF Userids with Class Authorizations | Users who have class authorizations (CLAUTH) | Verify any new users |
| U31 | RACF Groups to be monitored | Groups that have access to sensitive data and/or commands | Verify that any new members in these groups are OK |
| U40 | RACF Userids with non-conforming password interval | Users with a password interval other than 30 | Verify any user who has NOINTERVAL |
| U50 | RACF 'Critical' userids that are revoked | "Hot ids", CA7 ids, AutoOps ids, etc. | Could cause outages |
| U60 | RACF Userids that have never been used, Created > nn days ago | Userid probably not needed | Cleanup / housekeeping |
| U70 | RACF Userids that are inactive, Last Use > mm days ago | "Stale" userids, probably not needed any more | Cleanup / housekeeping |
| U81 | RACF Userids with Group attributes/privileges | All users with GROUP SPECIAL, OPERATIONS or AUDITOR | Verify any new users - allows administrative capabilities within RACF |
| U90 | Sensitive Unix UIDs | Sensitive UIDs that should or should not exist. (UID 0 is superuser in OMVS; users can also obtain it via access to BPX.SUPERUSER.) | Verify that sensitive UIDs exist |
| U91 | Users with Sensitive Unix UIDs | UID 0 is superuser in OMVS (can also be obtained via access to BPX.SUPERUSER) | Verify that users with sensitive UIDs are restricted to those authorized |
| U95 | Sensitive Unix GIDs | Some GIDs may be restricted | Verify that restricted GIDs exist and are not used by unauthorized groups |
| U96 | Groups with Sensitive Unix GIDs | Groups with sensitive GIDs may be restricted | Verify that groups with sensitive GIDs are restricted to those authorized |
| U97 | Users in Groups with Sensitive Unix GIDs | Users in groups with sensitive GIDs may be restricted | Verify that users in groups with sensitive GIDs are restricted to those authorized |