Auditing with LOGANALYZER

The following pages present the basics of running LOGANALYZER, suggestions for how to use it to make security-related audits, and examples of running LOGANALYZER to generate certain kinds of security audits of the system. A description of how to read the log reports follows the examples.

LOGANALYZER can

  • Extract records from the current log or from a previous system log file.

  • Extract records from a specified time interval covered by a system log.

  • Extract records grouped according to specified subjects, such as maintenance log records or log records recording beginnings of jobs (BOJs).

  • Direct the extracted information to the terminal or ODT, a printer, or a disk file.

LOGANALYZER Access to the Entire Log

If a privileged user on a system with Secure Access Control Module or the Secure Accountability Facility security feature package needs LOGANALYZER access to the entire log, he or she uses the LOGANALYZER option USERCODE with the period (.) appended:

USERCODE.

Used alone, this option enables the privileged user to access the entire system log. Used in conjunction with other LOGANALYZER options, it can enable the privileged user to access all the log records associated with those LOGANALYZER options. For example, the following command retrieves all the file open, close, and interval records:

USERCODE. FILE

Auditing Long LOGANALYZER Reports

If the LOGANALYZER report is long, you might choose to generate both a printer listing and a disk file version of the log report. You can then use the CANDE command FIND on the disk file to pinpoint specific log records that are then included in the printer listing for examination. This procedure involves the following steps:

  1. Run LOGANALYZER with the appropriate options, specifying that a disk file is to be created.

  2. In CANDE, enter the following command to create a LOGANALYZER report of the entire current system log:

    LOG TEXT "<file name>" ALL

  3. In CANDE,

    1. Use the GET command to get the disk file copy of the LOGANALYZER report as your CANDE work file.

    2. Use the WRITE command to get a printer copy of the LOGANALYZER report with line numbers.

    3. Use the FIND command to obtain the line numbers in the disk file of the LOGANALYZER report containing keywords.

    4. Look up the line numbers in the printer listing of the LOGANALYZER report.
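The FIND-then-look-up workflow above amounts to building a keyword index over the disk-file copy of the report so that each hit can be located in the line-numbered printer listing. The following Python script is an added example of that step and is not part of this manual or of LOGANALYZER itself: it numbers a report in CANDE-style sequence steps of 100 (the start and step values are assumptions), searches it for audit keywords, and returns the line numbers to look up. The sample report text is constructed for illustration and does not reproduce the real LOGANALYZER report layout.

```python
"""Keyword index over a disk-file LOGANALYZER report (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample standing in for the disk-file copy of a report.
# The column layout is invented and is NOT the real LOGANALYZER format.
SAMPLE_REPORT = """\
LOGANALYZER REPORT  OPTIONS: USERCODE. FILE
10:02:14 BOJ  (ADMIN)OBJECT/PAYROLL          PRIVILEGED PU
10:02:15 FILE OPEN  (PAYROLL)MASTER/DATA     SUCCESS
10:05:40 FILE OPEN  (GUEST)PAYROLL/MASTER    FAILURE  SECURITY VIOLATION
10:06:01 MU  USERDATAFILE CHANGE             RELEVANT
10:07:30 FILE CLOSE (PAYROLL)MASTER/DATA     SUCCESS
"""


def number_lines(report_text: str, start: int = 100,
                 step: int = 100) -> List[Tuple[int, str]]:
    """Attach a sequence number to every line of the report, mimicking the
    numbered printer listing that the CANDE WRITE command produces.
    start/step are assumed values (CANDE-style increments of 100)."""
    numbered = []
    seq = start
    for line in report_text.splitlines():
        numbered.append((seq, line))
        seq += step
    return numbered


def find_keywords(numbered: List[Tuple[int, str]],
                  keywords: List[str]) -> Dict[str, List[int]]:
    """For each keyword, return the sequence numbers of the lines that
    contain it as a whole word (case-insensitive), as FIND would report."""
    patterns = {kw: re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE)
                for kw in keywords}
    hits: Dict[str, List[int]] = {kw: [] for kw in keywords}
    for seq, text in numbered:
        for kw, pat in patterns.items():
            if pat.search(text):
                hits[kw].append(seq)
    return hits


def lookup(numbered: List[Tuple[int, str]], seq: int) -> str:
    """Return the report line carrying the given sequence number, i.e. the
    manual step of looking the number up in the printer listing."""
    for num, text in numbered:
        if num == seq:
            return text
    raise KeyError(f"no line numbered {seq}")


def audit_index(report_text: str, keywords: List[str]) -> Dict[str, List[int]]:
    """Number the report and index the audit keywords in one call."""
    return find_keywords(number_lines(report_text), keywords)


if __name__ == "__main__":
    numbered = number_lines(SAMPLE_REPORT)
    for kw, seqs in find_keywords(
            numbered, ["VIOLATION", "FAILURE", "USERDATAFILE"]).items():
        for seq in seqs:
            print(f"{kw:<14} line {seq}: {lookup(numbered, seq)}")
```

Running the script prints each keyword hit with its sequence number and the full report line, so the same numbers can be used to locate the records in the printed listing; extend the keyword list with whatever terms your audit policy flags (for example the privilege modifiers or system commands named under RESULT RELEVANT).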

LOGANALYZER Options Useful to Security Audits

The following LOGANALYZER options are likely to be of interest to those doing security auditing. Several other options exist and might also be useful for security auditing.

Substitute any of the following items for <loganalyzer options> in the LOGANALYZER syntax presented in the System Software Utilities Operations Reference Manual.

ACCESSCODE <accesscode>

Reports on activity related to the specified accesscode and, if one was designated, usercode. If no usercode was designated, this option reports on the specified accesscode associated with the usercode under which LOGANALYZER is running.

CHARGECODE <chargecode>

Reports on activities related to the specified chargecode.

COMS CONFIG

Reports changes to the Transaction Server configuration.

DMS

Reports on what happens when a database opens, closes, freezes, and resumes—that is, when a database unfreezes and resumes running as a regular program.

FILE

Reports on file opens and closes and interval records.

IDC

Reports on changes to the data communications network.

LIB

Reports on library linkages, delinkages, freezes, and resumes—that is, when a library unfreezes and resumes running as a regular program.

OPERATOR

Reports on executed controller commands, regardless of whether the commands originated at an ODT or from a SYSTEMUSER or SYSADMIN user.

RESULT

Reports on the results of the actions logged. These results can be any combination of successful actions, failed actions, security-relevant actions, and security violations. You can specify the results to be reported by entering RESULT followed by any combination of SUCCESS, FAILURE, RELEVANT, and VIOLATION.

Results reported for RESULT RELEVANT include each occurrence of the following events:

  • Changes to the USERDATAFILE and installation of a new USERDATAFILE

  • Use of the ??SECAD system primitive command

  • Beginning-of-job (BOJ) for privileged programs (programs marked with the MP (Mark Program) system command with the PU, TASKING, SECADMIN, SYSADMIN, or granulated privilege modifiers)

  • Log-on by privileged users or security administrators

  • Change of security file attribute, including attachment of guard file to file

  • Change of Transaction Server usercode entities

  • Use of the MARC DIRECTIVE command

  • Use of the following system commands, their corresponding SETSTATUS calls, or both:

    • CF (Configuration File)

    • DL (Disk Location) with these options: LOG, USERDATA

    • HU (Host Usercode)

    • ID (Initialize Data Comm)

    • LG (Log for Mix Number)

    • LOGGING (Logging Options)

    • MP (Mark Program) with the COMPILER, EXECUTABLE, KERBEROS, PU, SECADMIN, SERVICE, SYSADMIN, TASKING, or any granulated privilege modifiers

    • MU (Make User)

    • REMOTESPO (Activate REMOTESPO) with the OK option

    • RESTRICT (Set Restrictions)

    • SECOPT (Security Options)

    • SL (Support Library)

    • ACCOUNTING (Resource Accounting)

Results reported for RESULT VIOLATION include security violations and MCS violations. Results also include security-relevant networking log records (for details, see Logging of Security-Related Events).

SECURITY

The LOGANALYZER option SECURITY is the primary means of uncovering actions on the system that have caused security violations. A detailed description of the violations reported by this option and appropriate responses appears under Security-Violation Records and Suggested Responses.

TCPIP (Security)

Reports on security violations related to the MCP TCP/IP network provider. Reports include

  • Denied by firewall

  • Broadcast filtering

  • Dynamic port filtering

USERCODE <usercode>

If you have reason to suspect that a user is misusing his or her access privileges, an audit of that user's usercode is advisable. This audit can return reports on any chosen combination of failed activities, successful activities, security-relevant activities, and security violations by processes running under the designated usercode.

The activity reported is dependent on the system logging settings as designated by the LOGGING system command and the value of the usercode's LOGSELECT attribute in the USERDATAFILE.

USERDATA

Because the SYSTEM/USERDATAFILE is a keystone of system security, your installation might choose to audit activity on the USERDATAFILE on a daily basis. This policy is especially appropriate on systems where security-administrator status is not enabled, and privileged users have the ability to alter the USERDATAFILE.

The USERDATA option returns log records detailing any changes made to SYSTEM/USERDATAFILE. These records reveal any unwarranted changes that have been made.

Suggested Items to Audit

The following LOGANALYZER options are of particular interest when you are trying to identify attempts to violate system security. Include the RESULT option with any of the following options to request reports on only security-relevant actions, only security violations, or both:

  • SECURITY

  • USERDATA

  • USERCODE