If the Secure Identification Facility is available on your system, a count of security violations can be maintained for each usercode or accesscode, and the usercode or accesscode can be automatically suspended when the number of security violations reaches a specified limit.
The following attributes control this feature:
- For usercodes: SAVEVIOLCOUNT and VIOLATIONLIMIT
- For accesscodes: ACSAVEVIOLCOUNT, ACDEFVIOLLIMIT, and ACVIOLLIMIT of ACVIOLINFO
You can enable security violation counting for usercodes, accesscodes, or both. The SAVEVIOLCOUNT and ACSAVEVIOLCOUNT attributes determine which counter is incremented. If both are enabled, each security violation will affect only one counter. If accesscode violations are being counted and the process was using an accesscode, the accesscode counter is incremented; otherwise the usercode counter is incremented. You can count logon violations separately from other security violations. Refer to Counting Logon Violations for additional information.
SAVEVIOLCOUNT Attribute
The usercode attribute SAVEVIOLCOUNT causes security violations for the usercode to be tallied. If SAVEVIOLCOUNT is set to TRUE:
- A count of security violations caused by that usercode is maintained in the VIOLATIONCOUNT attribute.
- The count accumulates for a day; the date is saved in the VIOLATIONDATE attribute.
- If VIOLATIONDATE is the current date, VIOLATIONCOUNT is incremented.
- If VIOLATIONDATE is not the current date, VIOLATIONCOUNT is set to 1 and VIOLATIONDATE is set to the current date.
- VIOLATIONCOUNT and VIOLATIONDATE are system-maintained usercode attributes. For additional information about system-maintained usercode attributes, refer to System-Maintained Usercode Attributes.
If both the SAVELOGONVIOL and SAVEVIOLCOUNT attributes are set, logon violations are only tallied in the LOGONVIOLCOUNT attribute; other violations are tallied in the VIOLATIONCOUNT attribute.
VIOLATIONLIMIT Attribute
The usercode attribute VIOLATIONLIMIT is used to determine whether the usercode is to be automatically suspended after a specified number of security violations have occurred in a day. If the VIOLATIONCOUNT value is greater than the VIOLATIONLIMIT attribute value, then the usercode is suspended. If VIOLATIONLIMIT is set to 255, then the 256th violation will mark the usercode as suspended; VIOLATIONCOUNT will remain at 255.
When the usercode is suspended:
- The SUSPENDED usercode attribute is assigned the value TRUE.
- The SUSPENDEDCODE usercode attribute is assigned the value 2.
ACSAVEVIOLCOUNT Attribute
The usercode attribute ACSAVEVIOLCOUNT causes security violations for the accesscodes for the usercode to be tallied. If ACSAVEVIOLCOUNT is set to TRUE:
- A count of security violations caused by each accesscode for the usercode is maintained in the ACVIOLCOUNT attribute (a member of the ACVIOLINFO group).
- The count accumulates for a day; the date is saved in the ACVIOLDATE attribute.
- If ACVIOLDATE is the current date, ACVIOLCOUNT is incremented.
- If ACVIOLDATE is not the current date, ACVIOLCOUNT is set to 1 and ACVIOLDATE is set to the current date.
ACVIOLCOUNT and ACVIOLDATE are system-maintained usercode attributes. For additional information about system-maintained usercode attributes, refer to System-Maintained Usercode Attributes.
ACDEFVIOLLIMIT Attribute
The usercode attribute ACDEFVIOLLIMIT is used to determine the default value of the ACVIOLLIMIT group attribute when an accesscode security violation causes a new group entry to be made in the ACVIOLINFO group.
ACVIOLLIMIT Attribute
The ACVIOLLIMIT attribute is an item in the ACVIOLINFO group. It is used to determine whether an accesscode is to be automatically suspended after a specified number of security violations have occurred in a day. If the ACVIOLCOUNT value is greater than the ACVIOLLIMIT attribute value, then the accesscode is suspended. When a new entry is made to the ACVIOLINFO group, the value of ACVIOLLIMIT is set from the ACDEFVIOLLIMIT attribute.
When the accesscode is suspended:
- The ACSUSPENDED attribute is assigned the value TRUE.
- The ACSUSPENDEDCODE attribute is assigned the value 2.
Reactivating a Suspended Usercode
When a usercode is reactivated from the suspended state, the VIOLATIONCOUNT is not automatically reset. When activating a usercode, the security administrator should:
- Reset the VIOLATIONCOUNT attribute to 0 (zero), so that the usercode is not suspended again after the next violation.
- Reset the SUSPENDED attribute to FALSE.
- Reset the SUSPENDEDCODE attribute to 0 (zero).
When an accesscode is reactivated from the suspended state, the ACVIOLCOUNT is not automatically reset. When activating the accesscode, the security administrator should:
- Reset the ACVIOLCOUNT attribute to 0 (zero), so that the accesscode is not suspended again after the next violation.
- Reset the ACSUSPENDED attribute to FALSE.
- Reset the ACSUSPENDEDCODE attribute to 0 (zero).
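The counting, suspension and reactivation rules above can be checked against a small model. This is an added Python illustration, not Unisys code; the class and method names are hypothetical, and saturating the counter at 255 is an assumption drawn from the VIOLATIONLIMIT = 255 case described above.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

COUNTER_MAX = 255  # assumption: the stored count never exceeds 255

@dataclass
class Counter:
    """One tally: VIOLATIONCOUNT/VIOLATIONDATE, or one ACVIOLINFO entry."""
    limit: int                      # VIOLATIONLIMIT or ACVIOLLIMIT
    count: int = 0                  # VIOLATIONCOUNT or ACVIOLCOUNT
    day: Optional[date] = None      # VIOLATIONDATE or ACVIOLDATE
    suspended: bool = False         # SUSPENDED or ACSUSPENDED
    suspended_code: int = 0         # SUSPENDEDCODE or ACSUSPENDEDCODE

    def violate(self, today: date) -> None:
        # Same date: increment. Different date: the tally restarts at 1.
        new = self.count + 1 if self.day == today else 1
        self.day = today
        if new > self.limit:        # suspension needs count strictly above limit
            self.suspended, self.suspended_code = True, 2
        self.count = min(new, COUNTER_MAX)

    def reactivate(self, reset_count: bool) -> None:
        # The system does not clear the count; the administrator must.
        self.suspended, self.suspended_code = False, 0
        if reset_count:
            self.count = 0

@dataclass
class Usercode:
    save_viol_count: bool           # SAVEVIOLCOUNT
    ac_save_viol_count: bool        # ACSAVEVIOLCOUNT
    ac_def_viol_limit: int          # ACDEFVIOLLIMIT
    own: Counter                    # the usercode's own tally
    ac_viol_info: dict = field(default_factory=dict)  # accesscode -> Counter

    def record(self, today: date, accesscode: Optional[str] = None):
        """Charge one violation to exactly one counter; return which one."""
        if self.ac_save_viol_count and accesscode:
            # A new ACVIOLINFO entry takes its limit from ACDEFVIOLLIMIT.
            entry = self.ac_viol_info.setdefault(
                accesscode, Counter(limit=self.ac_def_viol_limit))
            entry.violate(today)
            return "accesscode"
        if self.save_viol_count:
            self.own.violate(today)
            return "usercode"
        return None                 # counting is not enabled for this case
```

In this model, calling `reactivate(reset_count=False)` and then recording one more violation on the same date suspends the counter again, which is the situation the manual reset of the count avoids.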
Violations Recorded in a Log Record
Any security violation detected by the MCP results in the violation count being incremented. These violations are recorded in a log record with major type 6 (LOGMAJMISC) and minor type 4 (SECURITY).
Some security violations detected by an MCS (or TASKING program) result in the violation count being incremented. These violations are recorded in a log record with major type 4 (LOGMAJMCS) and minor type 6 (MCSSECURITY).
However, not all MCS security violations affect the violation count. The following violations do not result in the violation count being incremented because the violation count has already been incremented by the system. The “Violation Already Logged” column shows the violation code for the security violation that caused the violation count to be incremented.
| MCS Error Code | Description | Violation Already Logged |
|---|---|---|
| 3 | Invalid usercode/password at log-on | 10 |
| 5 | Invalid accesscode/password at log-on | 21 |
| 8 | Invalid accesscode/password changing accesscode | 21 |
| 9 | Invalid old password changing usercode password | 19 |
| 10 | Invalid old password changing accesscode password | 21 |
MCS security violations are counted against the usercode or accesscode recorded in the log record. This item is analyzed as USERCODE or ACCESSCODE in a LOG SECURITY report. If both items are empty, no violation count is incremented.

