The following examples all make these assumptions:
- The utility is run from CANDE.
- LOGANALYZER is on the user disk pack.
- Output from LOGANALYZER is directed to the user terminal.
If LOGANALYZER is run from the MARC Utilities screen, a series of screens is presented. These screens permit you to select the required options.
Example of a LOGANALYZER Heading
When you run LOGANALYZER, the first information returned consists of the following items:
- The release level of LOGANALYZER, SDASUPPORT, and JOBFORMATTER
- The date and time LOGANALYZER was run
- The MCP identification and level and the system serial number
- The LOGANALYZER option designating what types of records were to be returned in the report
- The name, disk location, and length in records of the log file that was analyzed, and the time period encompassed by that log
The following example illustrates the reported information:
LOGANALYZER : SSR 59.1 (59.180.0020), SDASUPPORT : SSR 59.1
(59.180.0015/IG),JOBFORMATTER : SSR 59.1
(59.180.0073).
MCP *SYSTEM/EPSILONIOA/MCP/DIAGNOSTICS/59180 : SSR 59.1 (59.180.0495)
ANALYZED BY ADM AT CS4180 (HOSTNAME = IRVMCP02, SYSTEM SERIAL = 3242)
ON 02/28/2017 07:01:03
REQUEST: 0815 MIX 7667 USERCODE .
SUMLOG #001209 CREATED BY CS4180 (SYSTEM SERIAL = 3242) ON 02/28/2017
02:31:42
TITLE = *SYSTEM/SUMLOG ON PACK (CURRENT SUMLOG).
FILE CONTAINS 57260 RECORDS FROM 02/28/2017 02:31:43 TO 02/28/2017
07:00:39
SECURITYLOG #001209 CREATED BY CS4180 (SYSTEM SERIAL = 3242) ON
02/28/2017 02:31:42
TITLE = *SYSTEM/SECURITYLOG ON PACK (CURRENT SECURITYLOG).
FILE CONTAINS 125 RECORDS FROM 02/28/2017 02:31:42 TO 02/28/2017
06:59:40
HWERRORSUPPORT : SSR 59.1 (59.180.0008)
Example of a SECURITY Report
The following example assumes the following specifications:
- The user wants to extract data from the current log for the time period between 7:30 a.m. and the present.
- The log records on security violations are to be included in the report.
- The log report is to appear on the user terminal.
To request the report, the user enters
RUN $SYSTEM/LOGANALYZER ("0730 SECURITY")
The following example illustrates the information returned:
08:19:36 3487 SECURITY VIOLATION - INCORRECT USERCODE
VIOLATION CODE: 9
ERROR ITEM: USR.
ORIGINATING UNIT NUMBER: 0
08:19:36 3487 MCS SECURITY VIOLATION:
INVALID USERCODE/PASSWORD AT LOG ON
ORIGINATING LSN: 353 ORIGINATING MCS: 2
STATION NAME: TD2910DB/CANDE/2
USERCODE: USR
ERROR ITEM: USR.
08:29:40 8342 SECURITY VIOLATION - UNAUTHORIZED USER ATTEMPTED TO
ACCESS USERDATAFILE.
VIOLATION CODE: 15
USERCODE: JOHNSON.
ERROR ITEM: JOHNSON.
ORIGIN: STATION TB109A/CANDE/1
ORIGINATING MCS: SYSTEM/CANDE
08:30:24 8361 SECURITY VIOLATION - INVALID TASK ATTRIBUTE: USERCODE
VIOLATION CODE: 32
USERCODE: USR.
ERROR ITEM: USR.
ORIGIN: STATION TB103/CANDE/2
ORIGINATING MCS: SYSTEM/CANDE
09:02:38 8703 SECURITY VIOLATION - ATTEMPTED TO COPY A PRIVATE FILE
VIOLATION CODE: 14
USERCODE: SMITH.
ERROR ITEM: (ADMIN)PERSONNEL/FILES.
ORIGIN: STATION TB105/CANDE/1
ORIGINATING MCS: SYSTEM/CANDE
Example of a SECURITY VIOLATION Network Error Log
01/28/2013 15:22:28.5659 5260 TCPIP SECURITY HEADER CONTROL LEVEL = 1 SOURCE HOST = USTRMCP0089 SOURCE TIME STAMP = 01/28/2013, 15:22:28.56,IMMEDIATE LCF HOST = USTRMCP0089 MESSAGE IS A LOG REPORT @ CONTROL LEVEL 1 TCPIP SECURITY REPORT : REQUEST DENIED = LOCAL PORT 23, FOREIGN PORT 64363, LOCAL IP 192.62.175.189, FOREIGN IP 192.63.212.60, USER CODE , FILE NAME *SYSTEM/TELNETSUPPORT, ACCESS DENIED BY NO MATCHING RULE FOUND
Example of USERCODE Auditing
The following example assumes the following specifications:
- The user wants to extract data from the current log.
- The report is to include log records on security violations that occurred for processes running under the usercode SMITH.
- The log report is to appear on the user terminal.
When usercode activity is to be audited, your first step is to make certain that appropriate events relating to this usercode are being recorded in the system log.
Two factors control the events logged for a usercode:
- The system-wide logging specification designated by the LOGGING system command
- The usercode-specific logging designated by the value of the LOGSELECT attribute for the usercode in the USERDATAFILE
The events designated by the value of LOGSELECT are logged in addition to those events designated with the LOGGING system command, which are logged for all users and activities.
If security-relevant information is being logged for all users, you only need to run LOGANALYZER with the USERCODE option.
If security-relevant information is not being logged for all users, you must run MAKEUSER and designate the appropriate value for the LOGSELECT entry for the usercode. For example, to enable logging of security-related actions and security violations for usercode SMITH, use the MAKEUSER statement
USER = SMITH LOGSELECT = 12;
The value of LOGSELECT can indicate that any combination of the following events is to be logged for the usercode: all successful actions, all failed actions, all security violations, and all security-related actions. For a description of the LOGSELECT attribute and how the various usercode logging options are designated, see Standard Usercode Attributes.
Once the system is logging appropriate events for the usercode, you only need to run LOGANALYZER with suitable options:
RUN $SYSTEM/LOGANALYZER ("USERCODE SMITH SECURITY")
This request generates a report of all the security violations attributed to processes running under the usercode SMITH.
An example of the information returned follows:
12:10:33 3710 SECURITY VIOLATION - ILLEGAL USE OF
SECURITY FILE ATTRIBUTES
VIOLATION CODE: 13
USERCODE: SMITH.
ACCESSCODE: GUESS.
ERROR ITEM: (USR)SENSITIVE/DATA.
ORIGIN: STATION TB105/CANDE/1
ORIGINATING MCS: SYSTEM/CANDE
12:11:08 3363 SECURITY VIOLATION - ATTEMPTED TO
REMOVE FILE OF ANOTHER USER
VIOLATION CODE: 11
USERCODE: SMITH.
ACCESSCODE: GUESS.
ERROR ITEM: (USR)PERSONNEL/FILES.
ORIGIN: STATION TB105/CANDE/1
ORIGINATING MCS: SYSTEM/CANDE
12:08:34 6276 SECURITY VIOLATION - ATTEMPTED TO
COPY A PRIVATE FILE
VIOLATION CODE: 14
USERCODE: SMITH.
ACCESSCODE: GUESS.
ERROR ITEM: (USR)PAYROLL.
ORIGIN: STATION TB105/CANDE/1
ORIGINATING MCS: SYSTEM/CANDE
STATION ATTRIBUTE LSN: 150
12:12:00 6278 SECURITY VIOLATION - UNAUTHORIZED
USER ATTEMPTED TO ACCESS USERDATAFILE
VIOLATION CODE: 15
USERCODE: SMITH.
ACCESSCODE: GUESS.
ERROR ITEM: USR.
ORIGIN: STATION TB105/CANDE/1
ORIGINATING MCS: SYSTEM/CANDE
STATION ATTRIBUTE LSN: 150
Example of a Report of Security Violations and Relevant Events
Use the following command to extract all security violations and security-relevant events from the current log. To retrieve security violations, the user must have security administrator privileges.
LOG UC. RESULT RELEVANT VIOLATION
The following example illustrates the information returned:
Wednesday, December 11, 2013
05:28:06 3029 SECURITY VIOLATION - INCORRECT PASSWORD
VIOLATION CODE: 10
ERROR ITEM: ADM.
05:28:06 3029 MCS SECURITY VIOLATION:
INVALID USERCODE/PASSWORD AT LOG ON
ORIGINATING LSN: 174 ORIGINATING MCS: 1
STATION NAME: CCFPORT1/CANDE/1
USERCODE: ADM
ERROR ITEM: ADM
05:28:13 3029 USERDATA FUNCTION 3
USER = ADM LASTLOGONTIME = 05:28:13 2/11/2013
LASTLOGONSTATION = CCFPORT1/CANDE/1
05:28:13 LOGON 32456 USERCODE: ADM.
USERCODE PRIVILEGE: PU SECADMIN
MCS: 1 LSN: 174
STATION NAME: CCFPORT1/CANDE/1.
SIGN ON BY HELLO
05:28:30 BOJ 3285 *SYSTEM/IGSDASUPPORT ON PACK.
CODE COMPILED: 12/09/2013 16:39:23
BY DCALGOL 57.114
RELEASE ID: MCP 16.0 [57.114.000] (57.114.0002)
PROGRAM PRIVILEGES: PU
QUEUE: 0, ORIGINATING LSN: 174 MCS: 1
STACK NUMBER: 027E, PRIORITY: 50, SOURCENAME:
CCFPORT1/CANDE/1.
USERCODE: ADM. REALUSERCODE: ADM.
INITIATING MCS: SYSTEM/CANDE. 
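The SECURITY report, the USERCODE auditing report, and the RELEVANT VIOLATION report above all share one layout: a line beginning with a time of day opens a record, and the lines that follow carry KEY: VALUE fields (several may share a line) or wrapped description text. The following Python is an added example, not part of the LOGANALYZER documentation or of any Unisys tool, that parses text in that layout and runs two checks a practitioner would want over it: security violations counted per usercode and violation code, and a successful LOGON preceded within a short window by a failed logon for the same usercode from the same station, which is the ADM sequence in the last report. The embedded sample report is constructed from the records shown on this page; the field names come from those records, while the function names and the 60-second window are assumptions. The TCPIP network error log record, which uses a different layout with a full date, is not handled.

```python
"""Parse LOGANALYZER security reports and run two checks over the records.
Added example, not from the LOGANALYZER documentation: the record layout is
inferred from the samples on this page, the sample report is constructed."""
import re
from collections import Counter

HEADER = re.compile(r"^(\d{2}):(\d{2}):(\d{2}) (.*)$")   # a time of day opens a record
# KEY: VALUE pairs; several may share a line ("ORIGINATING LSN: 174 ORIGINATING MCS: 1")
KV = re.compile(r"\b([A-Z][A-Z ]*[A-Z]):\s*(.*?)(?=\s+[A-Z][A-Z ]*[A-Z]:|$)")
VIOLATION_KINDS = ("MCS SECURITY VIOLATION", "SECURITY VIOLATION", "USERDATA FUNCTION")

# Constructed sample modelled on the report excerpts on this page (not a real log).
SAMPLE_REPORT = """\
08:19:36 3487 SECURITY VIOLATION - INCORRECT USERCODE
VIOLATION CODE: 9
ERROR ITEM: USR.
09:02:38 8703 SECURITY VIOLATION - ATTEMPTED TO
COPY A PRIVATE FILE
VIOLATION CODE: 14
USERCODE: SMITH.
ERROR ITEM: (ADMIN)PERSONNEL/FILES.
05:28:06 3029 SECURITY VIOLATION - INCORRECT PASSWORD
VIOLATION CODE: 10
ERROR ITEM: ADM.
05:28:06 3029 MCS SECURITY VIOLATION:
INVALID USERCODE/PASSWORD AT LOG ON
ORIGINATING LSN: 174 ORIGINATING MCS: 1
STATION NAME: CCFPORT1/CANDE/1
USERCODE: ADM
ERROR ITEM: ADM
05:28:13 LOGON 32456 USERCODE: ADM.
USERCODE PRIVILEGE: PU SECADMIN
MCS: 1 LSN: 174
STATION NAME: CCFPORT1/CANDE/1.
"""

def _clean(value):                       # LOGANALYZER ends many values with a period
    return value.strip().rstrip(".")

def _absorb(rec, line):                  # KEY: VALUE pairs become fields, the rest is text
    pairs = KV.findall(line)
    if pairs:
        rec["fields"].update({k: _clean(v) for k, v in pairs})
    elif line:
        rec["text"] = (rec["text"] + " " + line).strip()

def _split_header(rest):                 # -> (kind, mix number, remaining text)
    tokens = rest.split(" ", 2)
    if not tokens[0].isdigit():          # "LOGON 32456 USERCODE: ADM."
        mix = int(tokens[1]) if len(tokens) > 1 and tokens[1].isdigit() else None
        return tokens[0], mix, tokens[2] if len(tokens) > 2 else ""
    text = rest[len(tokens[0]):].lstrip()  # "3487 SECURITY VIOLATION - INCORRECT ..."
    kind = next((k for k in VIOLATION_KINDS if text.startswith(k)), "OTHER")
    if kind != "OTHER":
        text = text[len(kind):].lstrip(" :-")
    return kind, int(tokens[0]), text

def parse_report(report):
    """One record per timestamped header line; the lines that follow extend it."""
    records = []
    for line in map(str.strip, report.splitlines()):
        m = HEADER.match(line)
        if m:
            h, mnt, s, rest = m.groups()
            kind, mix, text = _split_header(rest)
            records.append({"time": line[:8], "secs": 3600 * int(h) + 60 * int(mnt) + int(s),
                            "mix": mix, "kind": kind, "text": "", "fields": {}})
            _absorb(records[-1], text)
        elif records and line:           # lines before the first header are ignored
            _absorb(records[-1], line)
    return records

def usercode_of(rec):                    # failed logons carry the usercode only in ERROR ITEM
    return rec["fields"].get("USERCODE") or rec["fields"].get("ERROR ITEM")

def violations_by_usercode(records):
    """Count SECURITY VIOLATION records per (usercode, violation code)."""
    return Counter((usercode_of(r), r["fields"].get("VIOLATION CODE"))
                   for r in records if r["kind"] == "SECURITY VIOLATION")

def logons_after_failures(records, window=60):
    """LOGONs preceded within `window` seconds by an MCS logon failure for the same
    usercode from the same station; the privilege field says how much that matters."""
    hits = []
    for rec in records:
        if rec["kind"] != "LOGON":
            continue
        uc, station = usercode_of(rec), rec["fields"].get("STATION NAME")
        fails = [f for f in records if f["kind"] == "MCS SECURITY VIOLATION"
                 and usercode_of(f) == uc and f["fields"].get("STATION NAME") == station
                 and 0 <= rec["secs"] - f["secs"] <= window]
        if fails:
            hits.append({"usercode": uc, "station": station, "time": rec["time"],
                         "failures": len(fails),
                         "privilege": rec["fields"].get("USERCODE PRIVILEGE", "")})
    return hits

if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    print(dict(violations_by_usercode(recs)))
    print(logons_after_failures(recs))
```

Because the report carries only a time of day per record, a date banner such as "Wednesday, December 11, 2013" is skipped and the window check does not cross midnight; run it over one day's report at a time. On the sample, the ADM LOGON seven seconds after an INVALID USERCODE/PASSWORD failure from the same station is reported with its PU SECADMIN privilege, while the USR failure, which never led to a LOGON, only shows up in the per-usercode count.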
