Auditing Users


The principles of good security mandate Individual Accountability. It must be possible to link each action on the system to the user who actually performed the action. In other words, accurate and complete auditing is necessary.

What Can Be Audited

The amount of auditing available depends on whether or not Safeguard software or third party security products are in use on the system.

Without the Safeguard Subsystem or CMON

Without Safeguard software or CMON or a third party access control product, user activity and maintenance cannot be audited.

With CMON

If $CMON is running, it can be configured to audit LOGONs, LOGOFFs, PROCESS starts, user adds, user deletes, and process priority changes.

With the Safeguard Subsystem

Safeguard software can be configured to audit the following user-related activities:

Logons and Logoffs

Changes to Safeguard User Records

Process Creates and Opens

Attempts to access objects such as files, processes and devices

BP-USER-ADMIN-05 To provide accountability of user activities, Safeguard software should be configured to perform the auditing mandated by the Corporate Security Policy and Standards.

With Third Party Products

3P-ACCESS-AUDIT-01 Third party access control products can provide audits of user activities, capturing not just file opens but the commands issued within utilities.

3P-PROCESS-AUDIT-01 Third party process control products can audit commands such as ALTPRI, SUSPEND or STOP requests, with or without Safeguard software.

Auditing Users With the Safeguard Subsystem

The amount and type of auditing are determined by the Safeguard Global audit parameters, the User Record audit parameters, or both.

Audit-Related Global Parameters

The Global parameters that affect user management auditing are:

AUDIT-AUTHENTICATE-PASS / FAIL

AUDIT-SUBJECT-MANAGE-PASS / FAIL

AUDIT-AUTHENTICATE-PASS / FAIL

The AUDIT-AUTHENTICATE-PASS and AUDIT-AUTHENTICATE-FAIL global parameters determine whether or not Safeguard software will write audits when someone attempts to log on. Valid entries are: ALL, NONE, LOCAL and REMOTE.

How the AUDIT-AUTHENTICATE-PASS and AUDIT-AUTHENTICATE-FAIL parameters are configured depends on the Corporate Security Policy and Parameters.

BP-SAFEGARD-GLOBAL-34 The AUDIT-AUTHENTICATE-PASS global parameter should be ALL.

BP-SAFEGARD-GLOBAL-35 The AUDIT-AUTHENTICATE-FAIL global parameter should be ALL.

AUDIT-SUBJECT-MANAGE-PASS / FAIL

The AUDIT-SUBJECT-MANAGE-PASS and AUDIT-SUBJECT-MANAGE-FAIL global parameters determine whether or not Safeguard software will write User Record changes to the Safeguard Audit Trail. Valid entries are: ALL, NONE, LOCAL and REMOTE.

BP-SAFEGARD-GLOBAL-36 The AUDIT-SUBJECT-MANAGE-PASS global parameter should be ALL.

BP-SAFEGARD-GLOBAL-37 The AUDIT-SUBJECT-MANAGE-FAIL global parameter should be ALL.

Audit-Related User Record Parameters

The parameters in the User Record that determine which actions related to the record will be audited are:

AUDIT-USER-ACTION-PASS / FAIL

AUDIT-AUTHENTICATE-PASS / FAIL

AUDIT-MANAGE-PASS / FAIL

AUDIT-AUTHENTICATE{ -PASS -FAIL }

The AUDIT-AUTHENTICATE-PASS and AUDIT-AUTHENTICATE-FAIL parameters determine whether or not successful or unsuccessful logon attempts will be audited. The value can be ALL, NONE, LOCAL, or REMOTE.

This global attribute supplements the audit parameter for the individual User Record. If the parameter in the individual object's Protection Record is LOCAL and the Global Attribute is REMOTE, then both LOCAL and REMOTE management attempts will be audited.

The default value for both PASS and FAIL is NONE.

BP-USER-CONFIG-04 AUDIT-AUTHENTICATE-PASS = ALL

BP-USER-CONFIG-05 AUDIT-AUTHENTICATE-FAIL = ALL

The conditions specified for this attribute also apply to the system-wide auditing of automatic logoffs.

AUDIT-MANAGE{ -PASS -FAIL }

The AUDIT-MANAGE-PASS and AUDIT-MANAGE-FAIL User Record parameters determine whether or not Safeguard software will write audits when someone attempts to change this particular User Record. The value can be: ALL, NONE, LOCAL and REMOTE.

BP-USER-CONFIG-06 If the Global AUDIT-SUBJECT-MANAGE-PASS attribute is not ALL, then each user record should be configured AUDIT-MANAGE-PASS ALL.

BP-USER-CONFIG-07 If the Global AUDIT-SUBJECT-MANAGE-FAIL attribute is not ALL, then each user record should be configured AUDIT-MANAGE-FAIL ALL.

AUDIT-USER-ACTION{ -PASS -FAIL }

The AUDIT-USER-ACTION-PASS and AUDIT-USER-ACTION-FAIL User Record parameters determine whether or not Safeguard software will write audits when the user accesses objects such as files, processes or devices, regardless of whether or not a Safeguard Protection Record for the target object exists. The value can be: ALL, NONE, LOCAL and REMOTE.

BP-USER-CONFIG-08 If the AUDIT-USER-ACTION-PASS attribute is not NONE, then each user record should be configured AUDIT-USER-ACTION-PASS NONE.

BP-USER-CONFIG-09 If the AUDIT-USER-ACTION-FAIL attribute is not ALL, then each user record should be configured AUDIT-USER-ACTION-FAIL ALL.
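
The best-practice items above, together with the rule that the global attribute supplements the User Record value, as an added example that is not part of the original text: a Python check run over constructed settings. The user name OPS.ALICE, the dictionary layout and the function names are hypothetical, and reading "supplements" as a union of LOCAL and REMOTE scopes is an assumption generalized from the LOCAL plus REMOTE case described above.

```python
# Added example: audits constructed Safeguard settings against this page's BP items.
SCOPE = {"NONE": frozenset(), "LOCAL": frozenset({"local"}),
         "REMOTE": frozenset({"remote"}), "ALL": frozenset({"local", "remote"})}
NAME = {v: k for k, v in SCOPE.items()}

def effective(global_value, record_value):
    """Assumption: the global value supplements the record value as a union."""
    return NAME[SCOPE[global_value] | SCOPE[record_value]]

# (rule id, global parameter, required value)
GLOBAL_RULES = [
    ("BP-SAFEGARD-GLOBAL-34", "AUDIT-AUTHENTICATE-PASS", "ALL"),
    ("BP-SAFEGARD-GLOBAL-35", "AUDIT-AUTHENTICATE-FAIL", "ALL"),
    ("BP-SAFEGARD-GLOBAL-36", "AUDIT-SUBJECT-MANAGE-PASS", "ALL"),
    ("BP-SAFEGARD-GLOBAL-37", "AUDIT-SUBJECT-MANAGE-FAIL", "ALL"),
]
# (rule id, User Record parameter, required value, global that waives the rule when ALL)
USER_RULES = [
    ("BP-USER-CONFIG-04", "AUDIT-AUTHENTICATE-PASS", "ALL", None),
    ("BP-USER-CONFIG-05", "AUDIT-AUTHENTICATE-FAIL", "ALL", None),
    ("BP-USER-CONFIG-06", "AUDIT-MANAGE-PASS", "ALL", "AUDIT-SUBJECT-MANAGE-PASS"),
    ("BP-USER-CONFIG-07", "AUDIT-MANAGE-FAIL", "ALL", "AUDIT-SUBJECT-MANAGE-FAIL"),
    ("BP-USER-CONFIG-08", "AUDIT-USER-ACTION-PASS", "NONE", None),
    ("BP-USER-CONFIG-09", "AUDIT-USER-ACTION-FAIL", "ALL", None),
]

def check(globals_, users):
    """Return sorted (rule id, subject, parameter, found value) findings."""
    findings = [(rid, "GLOBAL", p, globals_[p])
                for rid, p, want in GLOBAL_RULES if globals_[p] != want]
    for user, rec in users.items():
        for rid, p, want, waiver in USER_RULES:
            if waiver and globals_[waiver] == "ALL":
                continue  # rule only applies when the global is not ALL
            if rec[p] != want:
                findings.append((rid, user, p, rec[p]))
    return sorted(findings)

# Constructed sample settings, not taken from a real system.
SAMPLE_GLOBALS = {"AUDIT-AUTHENTICATE-PASS": "ALL", "AUDIT-AUTHENTICATE-FAIL": "ALL",
                  "AUDIT-SUBJECT-MANAGE-PASS": "REMOTE", "AUDIT-SUBJECT-MANAGE-FAIL": "ALL"}
SAMPLE_USERS = {"OPS.ALICE": {
    "AUDIT-AUTHENTICATE-PASS": "ALL", "AUDIT-AUTHENTICATE-FAIL": "ALL",
    "AUDIT-MANAGE-PASS": "LOCAL", "AUDIT-MANAGE-FAIL": "NONE",
    "AUDIT-USER-ACTION-PASS": "ALL", "AUDIT-USER-ACTION-FAIL": "ALL"}}

if __name__ == "__main__":
    for finding in check(SAMPLE_GLOBALS, SAMPLE_USERS):
        print(*finding)
```

In the sample, AUDIT-MANAGE-FAIL NONE is not reported because the global AUDIT-SUBJECT-MANAGE-FAIL is already ALL, while AUDIT-MANAGE-PASS LOCAL is reported because the global is only REMOTE.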

Note

It is also important to realize that a single user action will generate multiple underlying events, each of which generates a Safeguard audit record. For example, if a user issues a SAFECOM INFO USER command it causes the following three underlying events:

The attempt to run SAFECOM

The attempt to open the user's terminal

The attempt to open the $ZSMP process

Simply logging on to the system will generate Safeguard audits not only as Safeguard software reads the USERID file and authenticates the user, but as the user reads the TACLLOCL and TACLCSTM files and opens any files or macros run from within these files.

RISK Setting AUDIT-USER-ACTION-PASS to ALL can increase the amount of auditing enough to cause an impact on system performance, especially if the SUPER.SUPER user record is configured to audit all activity.




HP NonStop Server Security 2004
ISBN: 159059035X
EAN: N/A
Year: 2004
Pages: 157
