Post on 13-May-2018
transcript
Vanguard Active Alerts™
Jim McNeill
Sr Consultant
©2016 Vanguard Integrity Professionals, Inc.
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license
to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard SecurityCenter for DB2
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
Trademarks
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
Topics
• A Brief History
• What are Vanguard Active Alerts™?
• Which Alerts are Available?
• Which Alerts are Active?
• Who will receive which Alerts?
• Masking for Alerts
• Customizing the Email Notices
• Setting up the Started Tasks
• Migration
A Brief History
• Originated as a feature of Vanguard Advisor™ in the late 1990s
• Alerts were added to Vanguard Enforcer™ in 2002
• Over time the two sets of alerts diverged
– Some alerts in Vanguard Advisor™ only
– Some alerts in Vanguard Enforcer™ only
• In VSS 2.1 the alerts were consolidated
– Packaged as a new product
– A datecode for Vanguard Advisor™ or Vanguard Enforcer™ will work
– Can be used standalone with its own datecode
A Brief History - VANOPTS members
Vanguard Advisor™   Vanguard Enforcer™   Vanguard Active Alerts™
-----------------   ------------------   -----------------------
RFxxxTXT            EAxxxTXT             AAxxxTXT
VRSOPT00            VEAOPT00             VAAOPT00
VSREAL00            VEAEAL00             VAAEAL00
VSRRTNxx            VEARTNxx             VAARTNxx
EMAILOPT            EMAILOPT             EMAILOPT   (shared by ALL products)
EMAILLST            EMAILLST             EMAILLST   (shared by ALL products)
What are Active Alerts?
• The ability to be notified immediately when a security event or combination of events occurs.
• Notification can be:
– SNMP (listeners)
– WTO
Which Alerts are Available
• Violation Notices and 16 Others
• Immediate notifications sent when certain events occur (within 30-60 seconds)
• Requires 2 Started Tasks to be running
– VAAJTASK
– VAAJRTN
• Must be run on each LPAR
• Requires an SMTP server somewhere in your NJE network (for email)
Which Alerts are Available
• Violation Notices
– An email will be sent for selected violations. Notices are sent based on 6 selection criteria. One or more emails can be sent per violation.
• User
• Group
• Jobname
• Profile mask
• Owner
• Dataset mask
Which Alerts are Available
• Active Alert 1 – RACF® command text is scanned and an email is sent if an Add User profile (ADDUSER or AU) or an Alter User profile (ALTUSER or ALU) command was issued with OPERATIONS, SPECIAL, AUDITOR, UID(0) or NOPASS.
• Active Alert 2 – RACF command text is scanned and an email is sent if a Connect (CONNECT or CO) command was issued with OPERATIONS, SPECIAL or AUDITOR, or with CREATE, CONNECT or JOIN via the AUTHORITY parameter.
Which Alerts are Available
• Active Alert 3 – RACF command text is scanned and an email is sent if an Add Data Set profile (ADDSD or AD) or an Alter Data Set profile (ALTDSD or ALD) command was issued with a UACC of ALTER, CONTROL, or UPDATE.
• Active Alert 4 – RACF command text is scanned and an email is sent if an Add Data Set profile (ADDSD or AD) or an Alter Data Set profile (ALTDSD or ALD) command was issued with a UACC of READ, ALTER, CONTROL, or UPDATE.
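As an added illustration (Python written for this page, not Vanguard's own code), here is a scanner that applies the Active Alert 1 to 4 rules above to RACF command text. The command names, abbreviations and operands are the ones the slides list; how the text is tokenised, that quoted strings such as NAME('...') are ignored, and that NOPASS is taken as the start of NOPASSWORD are assumptions. Note that Alert 4's UACC list is a superset of Alert 3's, so a single ADDSD with UACC(ALTER) raises both.

```python
import re

# Command names and the abbreviations named on the slides.
USER_CMDS = {"ADDUSER", "AU", "ALTUSER", "ALU"}
CONNECT_CMDS = {"CONNECT", "CO"}
DATASET_CMDS = {"ADDSD", "AD", "ALTDSD", "ALD"}

PRIV_ATTRS = ("OPERATIONS", "SPECIAL", "AUDITOR")
ALERT3_UACC = {"ALTER", "CONTROL", "UPDATE"}
ALERT4_UACC = ALERT3_UACC | {"READ"}
ALERT2_AUTH = {"CREATE", "CONNECT", "JOIN"}

# Characters that may appear inside a RACF name. A keyword only counts when it is
# bounded by something else, so NOSPECIAL is not mistaken for SPECIAL.
_NAMECHAR = r"[A-Z0-9@#$]"


def _has_keyword(text, keyword):
    return re.search(rf"(?<!{_NAMECHAR}){keyword}(?!{_NAMECHAR})", text) is not None


def _paren_value(text, keyword):
    """Return X from KEYWORD(X), or None when that operand is absent."""
    m = re.search(rf"(?<!{_NAMECHAR}){keyword}\(\s*([A-Z]+)\s*\)", text)
    return m.group(1) if m else None


def scan_racf_command(command):
    """Return the set of Active Alert numbers (1-4) the command text would raise."""
    # Upper-case, then blank out quoted strings so their contents cannot
    # masquerade as operands (assumption: quoted values never carry operands).
    text = re.sub(r"'[^']*'", "''", command.upper().strip())
    if not text:
        return set()
    verb = text.split()[0]
    alerts = set()

    if verb in USER_CMDS:
        if (any(_has_keyword(text, attr) for attr in PRIV_ATTRS)
                or re.search(rf"(?<!{_NAMECHAR})UID\(\s*0+\s*\)", text)
                or re.search(rf"(?<!{_NAMECHAR})NOPASS", text)):
            alerts.add(1)

    elif verb in CONNECT_CMDS:
        if (any(_has_keyword(text, attr) for attr in PRIV_ATTRS)
                or _paren_value(text, "AUTHORITY") in ALERT2_AUTH):
            alerts.add(2)

    elif verb in DATASET_CMDS:
        uacc = _paren_value(text, "UACC")
        if uacc in ALERT3_UACC:
            alerts.add(3)
        if uacc in ALERT4_UACC:
            alerts.add(4)

    return alerts


if __name__ == "__main__":
    # Constructed command strings, not captured from a live system.
    for cmd in ("ADDUSER BOB SPECIAL OMVS(UID(0))", "ALU BOB NOSPECIAL",
                "CONNECT BOB GROUP(SYS1) AUTHORITY(JOIN)", "ALD 'PAYROLL.MASTER' UACC(ALTER)"):
        print(f"{cmd:45} -> alerts {sorted(scan_racf_command(cmd))}")
```

The whole-word test is what keeps a NOSPECIAL (removal of the attribute) from firing; whether the real product also reports removals is not stated on the slides, so the scanner stays with the literal rule.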
Which Alerts are Available
• Active Alert 5 – Mimics Violation Notices, except it looks for warnings. An Active Alert 5 can be thought of as a "Warning Notice".
• Active Alert 6 – Intrusion Detection will send an email whenever a single userid experiences n logon failures due to an invalid password within t minutes or seconds, where n and t are values specified in the options file.
Which Alerts are Available
• Active Alert 7 – Password Recycling will send an email whenever a single userid has its password changed more than n times in t minutes or seconds, where n and t are values specified in the options file.
• Active Alert 8 – By default, an email is sent when any SETROPTS command is issued or any RVARY command (except LIST) is issued, OR when any command matching an enhanced masking pattern or patterns specified by the user is issued.
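Alerts 6 and 7 are the same detection shape, a count of events per userid inside a sliding time window. The Python below is an added example written for this page (not the product's code) that implements that shape once and configures it twice; the SMF record stream is replaced by constructed "date time event userid" lines, and the event names LOGONFAIL and PWCHANGE are invented labels. Alert 6 fires at n failures; Alert 7 is worded "more than n times", so with n = 2 it fires on the third change.

```python
from collections import defaultdict, deque
from datetime import datetime


class BurstAlert:
    """One alert per userid when `fire_at` events of `event_type` fall inside a
    sliding window of `window_seconds` (the n and t values of the options file)."""

    def __init__(self, alert_id, event_type, fire_at, window_seconds):
        self.alert_id = alert_id
        self.event_type = event_type
        self.fire_at = fire_at
        self.window_seconds = window_seconds
        self.recent = defaultdict(deque)  # userid -> timestamps still inside the window

    def observe(self, ts, event_type, userid):
        if event_type != self.event_type:
            return None
        q = self.recent[userid]
        q.append(ts)
        # Drop timestamps older than t seconds, measured from the newest event.
        while (ts - q[0]).total_seconds() > self.window_seconds:
            q.popleft()
        if len(q) >= self.fire_at:
            q.clear()  # assumption: one alert per burst, counting restarts afterwards
            return (self.alert_id, userid, ts)
        return None


def run_alerts(lines, alerts):
    """Feed chronological 'YYYY-MM-DD HH:MM:SS EVENT USERID' lines through every alert."""
    fired = []
    for line in lines:
        date, time, event_type, userid = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        for alert in alerts:
            hit = alert.observe(ts, event_type, userid)
            if hit is not None:
                fired.append(hit)
    return fired


# Constructed sample stream standing in for the SMF records (not real data).
SAMPLE_LINES = [
    "2016-03-01 08:00:00 LOGONFAIL ALICE",
    "2016-03-01 08:00:05 LOGONFAIL BOB",
    "2016-03-01 08:00:40 LOGONFAIL BOB",
    "2016-03-01 08:01:10 LOGONFAIL BOB",    # third failure for BOB within 65 s
    "2016-03-01 08:05:00 LOGONFAIL ALICE",  # ALICE's failures are 5 minutes apart
    "2016-03-01 08:10:00 LOGONFAIL ALICE",
    "2016-03-01 09:00:00 PWCHANGE CAROL",
    "2016-03-01 09:01:00 PWCHANGE CAROL",
    "2016-03-01 09:02:00 PWCHANGE CAROL",   # third change for CAROL within 120 s
    "2016-03-01 09:30:00 PWCHANGE DAVE",
    "2016-03-01 09:31:00 PWCHANGE DAVE",
]


def demo():
    # Alert 6: n = 3 failed logons within t = 120 s.
    alert6 = BurstAlert(6, "LOGONFAIL", fire_at=3, window_seconds=120)
    # Alert 7: "more than n times" with n = 2, so the third change within t = 300 s fires.
    alert7 = BurstAlert(7, "PWCHANGE", fire_at=3, window_seconds=300)
    return run_alerts(SAMPLE_LINES, [alert6, alert7])


if __name__ == "__main__":
    for alert_id, userid, ts in demo():
        print(f"Active Alert {alert_id}: {userid} at {ts:%H:%M:%S}")
```

ALICE's three failures spread over ten minutes never put three timestamps inside one 120-second window, which is exactly the slow-and-low pattern a fixed count with no time bound would have flagged; the window is what makes the threshold a rate.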
Which Alerts are Available
• Active Alert 9 – Lost SMF will send an email whenever an “SMF Data Lost” record is detected in the SMF data stream, signaling the loss of potentially critical SMF logging data.
• Active Alert 10 – Auto revoke will send an email whenever a userid is revoked due to too many invalid password attempts.
Which Alerts are Available
• Active Alert 11 – “Firecall id” usage will send an email if a userid is activated (logon, started task initialization, batch job, etc.). The user can specify selection criteria to specify the userids to be reported on or ignored.
• Active Alert 12 – Intrusion detection via Vanguard ez/SignOn™.
Which Alerts are Available
• Active Alert 13 – An Active Alert is sent when access to a resource is attempted, regardless of whether the access succeeded. A Resource and Access by Userid Detail Report is executed. You can specify any masking criteria available for this report in a RTNAA13(xx) member to narrow the scope of the Active Alert.
• Active Alert 14 – An Active Alert message will be sent when the REVOKE operand is present and either a RACF ALTUSER or RACF CONNECT command is issued. An administrator can specify filters to select events to be processed by specifying the RTNAA14(xx) parameter in VAAOPT00.
Which Alerts are Available
• Active Alert 15 – An Active Alert is sent when a member of a library (PDS or PDSE) is added, deleted, renamed or replaced. An administrator can specify filters to select events to be processed by specifying the RTNAA15(xx) parameter in VAAOPTxx.
• Active Alert 16 – An Active Alert is sent when a DB2® audited table is altered, created or dropped. An administrator can specify filters to select events to be processed by specifying the RTNAA16(xx) parameter in VAAOPTxx.
Which Alerts are Active
Who will receive which Alerts
• Alerts 1 – 4 and 6 – 16 have individual addresses
• Violation notices and Warn notices (Alert 5)
– You can send one or more notices per event
– Multiple criteria available
Who will receive which Alerts
Up to 6 criteria for Violation notices and Warn notices:
– 3 based on who caused the Violation (USERID, GROUP, JOBNAME)
– 3 based on what resource was Violated (OWNER, DATASET, PROFNAME)
USERID(1-8 CHARACTERS)     EMAILADDR(1-60 CHARACTERS)
GROUP(1-8 CHARACTERS)      EMAILADDR(1-60 CHARACTERS)
JOBNAME(1-8 CHARACTERS)    EMAILADDR(1-60 CHARACTERS)
OWNER(1-8 CHARACTERS)      EMAILADDR(1-60 CHARACTERS)
DATASET(1-44 CHARACTERS)   EMAILADDR(1-60 CHARACTERS)
PROFNAME(1-44 CHARACTERS)  EMAILADDR(1-60 CHARACTERS)
NOMATCH                    EMAILADDR(1-60 CHARACTERS)
Who will receive which Alerts
In the VANOPTS data set member VSREAL00 for Violation Notices and Active Alert 5
SELECTBY(USERID,DATASET,OWNER)
USERID(AB*) EMAILADDR(BOBS@GO2VANGUARD.COM)
USERID(*) EMAILADDR(JIMM@GO2VANGUARD.COM)
OWNER(VANGUARD) EMAILADDR(JIMM@GO2VANGUARD.COM)
DATASET(PAYROLL*) EMAILADDR(ARTH@GO2VANGUARD.COM)
DATASET(*) EMAILADDR(PHILE@GO2VANGUARD.COM)
DATASET(OS*) EMAILADDR(JHICKMA@VIPLINK.COM)
NOMATCH EMAILADDR(NOMATCH@VIPLINK.COM)
In VSROPT00, keyword SENDALLEMAIL(YES|NO) determines if multiple emails will be sent
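To make the routing concrete, here is an added Python example (written for this page, not Vanguard's code) that parses the VSREAL00 sample above and works out who a given violation notice would go to. The criteria names, masks and addresses are the slide's; the evaluation order (criteria in SELECTBY order, entries in member order), simple shell-style `*` wildcards rather than RACF generic-profile rules, and the reading that SENDALLEMAIL(NO) stops at the first match while SENDALLEMAIL(YES) delivers to every match are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Selection criteria named on the slides; masks use '*' as a wildcard.
CRITERIA = ("USERID", "GROUP", "JOBNAME", "OWNER", "DATASET", "PROFNAME")
_SELECTBY = re.compile(r"^SELECTBY\(([^)]*)\)$")
_NOMATCH = re.compile(r"^NOMATCH\s+EMAILADDR\(([^)]*)\)$")
_ENTRY = re.compile(r"^([A-Z]+)\(([^)]*)\)\s+EMAILADDR\(([^)]*)\)$")


def parse_vsreal(text):
    """Parse VSREAL00-style lines (a constructed parser; the real member may accept more)."""
    cfg = {"selectby": [], "entries": {c: [] for c in CRITERIA}, "nomatch": None}
    for raw in text.splitlines():
        line = raw.strip().upper()
        if not line:
            continue
        if m := _SELECTBY.match(line):
            cfg["selectby"] = [c.strip() for c in m.group(1).split(",")]
        elif m := _NOMATCH.match(line):
            cfg["nomatch"] = m.group(1)
        elif (m := _ENTRY.match(line)) and m.group(1) in CRITERIA:
            cfg["entries"][m.group(1)].append((m.group(2), m.group(3)))
        else:
            raise ValueError(f"unrecognised VSREAL00 line: {raw!r}")
    return cfg


def route_notice(cfg, event, send_all_email):
    """Return the addresses a violation notice for `event` is sent to.

    `event` maps a criterion name (USERID, DATASET, OWNER, ...) to its value.
    Assumption: SENDALLEMAIL(YES) sends to every matching entry across all
    SELECTBY criteria; SENDALLEMAIL(NO) stops at the first match. NOMATCH is
    used only when nothing matched at all.
    """
    recipients = []
    for crit in cfg["selectby"]:
        value = str(event.get(crit, "")).upper()
        for mask, email in cfg["entries"].get(crit, []):
            if fnmatchcase(value, mask) and email not in recipients:
                recipients.append(email)
                if not send_all_email:
                    return recipients
    if not recipients and cfg["nomatch"]:
        recipients.append(cfg["nomatch"])
    return recipients


# The VSREAL00 sample from the slide.
VSREAL00 = """
SELECTBY(USERID,DATASET,OWNER)
USERID(AB*) EMAILADDR(BOBS@GO2VANGUARD.COM)
USERID(*) EMAILADDR(JIMM@GO2VANGUARD.COM)
OWNER(VANGUARD) EMAILADDR(JIMM@GO2VANGUARD.COM)
DATASET(PAYROLL*) EMAILADDR(ARTH@GO2VANGUARD.COM)
DATASET(*) EMAILADDR(PHILE@GO2VANGUARD.COM)
DATASET(OS*) EMAILADDR(JHICKMA@VIPLINK.COM)
NOMATCH EMAILADDR(NOMATCH@VIPLINK.COM)
"""


if __name__ == "__main__":
    cfg = parse_vsreal(VSREAL00)
    # Constructed violation: user ABE touching a PAYROLL data set owned by VANGUARD.
    event = {"USERID": "ABE", "OWNER": "VANGUARD", "DATASET": "PAYROLL.MASTER"}
    print("SENDALLEMAIL(YES):", route_notice(cfg, event, send_all_email=True))
    print("SENDALLEMAIL(NO): ", route_notice(cfg, event, send_all_email=False))
```

One thing the walk-through makes visible: with USERID(*) and DATASET(*) both present, NOMATCH can never be reached, so it only earns its keep in a member whose masks are narrower.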
Masking for Alerts
In VAAOPT00:
RTNVIOLATIONS(01)
RTNAA5(05)
In VAARTN01: (USERID EQ DICKM* OR USERID EQ JIM*) AND (DATASET EQ SYS1*)
In VAARTN05: (DATASET EQ PAYROLL* OR DATASET EQ SYS1.*)
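The two VAARTNxx expressions above are boolean masks over event fields. As an added example (Python written for this page, not the product's own evaluator), here is a small recursive-descent parser that turns such an expression into a tree and tests events against it. The grammar is reconstructed from the slide's single example and is an assumption: EQ compares a field to a `*` mask, AND binds tighter than OR, parentheses group. Masks are matched shell-style, not by RACF generic-profile rules, so `SYS1*` and `SYS1.*` differ in whether they match the bare name SYS1.

```python
import re
from fnmatch import fnmatchcase


def tokenize(expr):
    # Parentheses are their own tokens; everything else splits on whitespace.
    return re.findall(r"\(|\)|[^\s()]+", expr.upper())


class MaskFilter:
    """Evaluate a VAARTNxx-style expression against one event.

    Grammar (reconstructed from the slide's example; an assumption):
        expr   := term ('OR' term)*
        term   := factor ('AND' factor)*
        factor := '(' expr ')' | FIELD 'EQ' MASK
    """

    def __init__(self, expr):
        self.tokens = tokenize(expr)
        self.pos = 0
        self.tree = self._expr()
        if self.pos != len(self.tokens):
            raise ValueError(f"unexpected token {self.tokens[self.pos]!r}")

    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self):
        tok = self._peek()
        if tok is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return tok

    def _expr(self):
        node = self._term()
        while self._peek() == "OR":
            self._take()
            node = ("OR", node, self._term())
        return node

    def _term(self):
        node = self._factor()
        while self._peek() == "AND":
            self._take()
            node = ("AND", node, self._factor())
        return node

    def _factor(self):
        tok = self._take()
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        field = tok
        if self._take() != "EQ":
            raise ValueError(f"expected EQ after {field}")
        return ("EQ", field, self._take())

    def matches(self, event):
        upper = {k.upper(): str(v).upper() for k, v in event.items()}
        return self._eval(self.tree, upper)

    def _eval(self, node, event):
        op, left, right = node
        if op == "EQ":
            return fnmatchcase(event.get(left, ""), right)
        if op == "AND":
            return self._eval(left, event) and self._eval(right, event)
        return self._eval(left, event) or self._eval(right, event)


# The two members from the slide.
VAARTN01 = "(USERID EQ DICKM* OR USERID EQ JIM*) AND (DATASET EQ SYS1*)"
VAARTN05 = "(DATASET EQ PAYROLL* OR DATASET EQ SYS1.*)"


if __name__ == "__main__":
    f = MaskFilter(VAARTN01)
    # Constructed events, not real SMF data.
    for ev in ({"USERID": "JIMM", "DATASET": "SYS1.PARMLIB"},
               {"USERID": "BOB", "DATASET": "SYS1.PARMLIB"}):
        print(ev, "->", f.matches(ev))
```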
Customizing the Email Notices
• You control what the notice looks like
• Variables from the SMF record are available
• Blank lines for readability
Setting up the Started Tasks
• VAAJTASK
– Collection Task
– Writes SMF records to wrap-around data space
– Selects which records to collect
• VAAJRTN
– Notification task
– Creates and sends the notices
Setting up the Started Tasks
• Customize JCL and put in PROCLIB
• Select Options in VAAOPT00
• Set up Started Class Profiles
– STCIDs need READ to VANOPTS
– STCIDs need READ to VANLOAD
• Start VAAJTASK, then VAAJRTN
Migration
• In VANSAMP:
– VAACVEA converts Vanguard Enforcer™ alerts to VAA alerts
– VAACVSR converts Vanguard Advisor™ alerts to VAA alerts
• These 2 utilities will read the old members of VANOPTS and create the new VAA members.
• At some point in the future, support for Vanguard Enforcer™ and Vanguard Advisor™ active alerts will be withdrawn. That date has not been announced yet.
Summary
• You control everything
– Which Alerts
– Format of the alert
– Who receives the alerts
• Questions?
Vanguard zSecurity University™
May 23 – May 26    Basics of RACF Administration                                    24 CPE   4 days   Online
June 1 – June 3    RACF Security for z/OS Applications – ALL MODULES                18 CPE   3 days   Online
June 1             RACF Security for z/OS Applications – MODULE 1 – RACF for DB2     6 CPE   1 day    Online
June 2 – June 3    RACF Security for z/OS Applications – MODULE 2 – RACF for CICS   12 CPE   2 days   Online
June 6 – June 9    Beyond RACF Basics                                               24 CPE   4 days   Online
June 13 – June 15  Auditing z/OS and RACF                                           18 CPE   3 days   Online
June 21 – June 24  Beyond RACF Basics                                               24 CPE   4 days   Jacksonville, FL
June 27 – June 30  Basics of RACF Administration                                    24 CPE   4 days   Online
Register to attend a course, or to get more information: http://www.go2vanguard.com/training
Don’t forget that all of the Vanguard zSecurity University™ courses are eligible for CPE Credits.
Customer Savings: Special Discounts for Software Customers and VSC 2016 Attendees
To register for a webinar or training course:
go2vanguard.com Select - Training