I've been spending some time with my favourite software, IBM Tivoli zSecure. I'm actually on the beta test programme for release 1.12 but that release is embargoed so I'll stick to the new features in the current GA release. Version 1.11 comes with additional Detective controls in zSecure Audit, and today I'll look at PDS member auditing.
To quote from the zSecure Newsletter #2, 2010: "For many years, customers have been asking for the ability to be able to log and report when a member within a dataset has been initialised, deleted, added, changed, replaced or renamed. Well the good news is that from z/OS V1.11 this is now finally possible. SMF record type 42 now records this information and providing your system programmer has not disabled this record type in your SMFPRMxx member, member level changes will be recorded. Even more good news, using zSecure Audit or Alert V1.11, you can report and alert on this record type."
I'm going to try this out, with a PROCLIB library called USER.PROCLIB. Because it is in the proclib concatenation in the JES2 started task, is considered sensitive. If someone was to update a member in here, they could change, augment or adversely affect running processes. They could do this accidentally, where the effect most likely would be to prevent a started task from starting correctly thus impacting availability of service, or deliberately. Deliberate attacks on a JES2 proclib might include addition of a job step to copy data, escalate user privileges or start a second privileged process. As many started tasks run either PRIVILEGED, TRUSTED or with a highly-privileged user account, this is quite a fruitful attack vector if not closed down.
So let's have a look at auditing for PROCLIB changes action. I'm going to edit "USER.PROCLIB" and change a started task, then see what zSecure knows about this. Here I am editing USER.PROCLIB member ITIAGNT (incidentally this is the ITIM agent for RACF which I installed recently):-
Now I'm going to change something. If I was an attacker I could add some JCL "payload" here, but I'm just going to add a comment instead for this demonstration.
I've saved this now, so in theory a new SMF record type 42 has been cut for my actions, because we're running z/OS 1.11 here. So what does zSecure think? Let's go into zSecure and select the Events, Data Set options EV.D
In the resulting panel, we can fill in USER.PROCLIB and see the events that have been logged against that dataset.
Now I hit Enter and see the results of this query, and we can see that with my UserID "PIREAN1" I replaced the member ITIAGNT today.
This is the new functionality, only available with z/OS 1.11 and zSecure 1.11 or later, and assuming your sysprogs have not suppressed the new SMF record type 42.
Don't forget, preventive controls always trump detective ones so make sure you operate Least Privilege access control (and zSecure Admin will help, while zSecure Command Verifier will prevent drift) but you may want to Audit the small group of privileged users who have sensitive library access, and this is a new tool in the box. Have fun with it!