Auditing sign-on and sign-off
A user signs on to a CICS® region through an interface such as a 3270 terminal, the CICS management client interface (CMCI), or the (stabilized) CICSPlex® SM Web User Interface (WUI). RACF® can log all sign-on and sign-off activity to SMF, including any invalid or unsuccessful sign-on attempts. You can use this information as an audit trail, to identify possible attempts to breach security, and to help with capacity planning. Recording successful sign-on and sign-off activity establishes an audit trail of access to particular systems by the terminal user population, and generally constitutes a very modest portion of the information recorded to SMF.
- Finding information about sign-on and sign-off through a 3270 terminal
- Finding information about sign-on and sign-off through CMCI
- Finding information about sign-on and sign-off through CICSPlex SM WUI
- Finding information about sign-on and sign-off through Liberty
Finding information about sign-on and sign-off through a 3270 terminal
CICS uses its CSCS Transient Data Queue (TDQ) for security messages. Messages of interest to the security administrator for the CICS region are directed to this destination. In some instances, when security-related messages are directed to terminal users, corresponding messages are written to the CSCS TDQ: for example, when DFHCE3544 and DFHCE3545 messages are sent to terminal users, the corresponding messages DFHSN1118 and DFHSN1119 are sent to CSCS. The DFHSNnnnn messages include reason codes that indicate the exact nature of the invalid sign-on attempt.
DFHSN1100 27/11/2020 16:15:34 IYK2ZDL1 CESN Signon at netname IYCWT126 by user CRPTST3 in group TSOUSER is complete.
DFHSN1200 27/11/2020 16:55:58 IYK2ZDL1 Signoff at netname IYCWT126 by user CRPTST3 is complete. 25 transactions entered with 1 errors.
DFHXS1201 27/11/2020 16:40:11 IYK2ZDL1 The password supplied in the verification request for userid CRPTST2 was invalid. This occurred in transaction CESN when userid CICSUSER was signed on at netname IYCWT126.
DFHSN1102 27/11/2020 16:40:11 IYK2ZDL1 Signon at netname IYCWT126 by user CRPTST2 has failed. Password not recognized.
16.40.11 JOB39558 ICH408I USER(CRPTST2 ) GROUP(TSOUSER ) NAME(USERA ) 624
624 LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL IYCWT126
Finding information about sign-on and sign-off through CMCI
For information about CMCI, see CICS management client interface (CMCI).
Finding information about sign-on and sign-off through CICSPlex SM WUI
CICSPlex SM WUI is stabilized.
Finding information about sign-on and sign-off through Liberty
For more information, see HTTP access logging.
Finding authentication issues in CICS statistics
You can only properly interpret the logging of unsuccessful sign-on attempts and authentications by also recording successful sign-on and authentication instances. For example, if a user makes one or two unsuccessful attempts followed immediately by a successful sign-on, the unsuccessful attempts to sign on can be interpreted as the result of a mistake. However, several unsuccessful attempts for a variety of user IDs that occur within a short space of time, and without any subsequent successful activity being recorded, might be cause for a security concern and you should investigate further.
The following is an example of the authentication counts in CICS statistics:
Successful fastpath authentications : 651
Successful fullpath authentications : 212 Failed fullpath authentications . . : 4
Successful kerberos authentications : 0 Failed kerberos authentications . . : 0
Successful JWT creations . . . . . : 0 Failed JWT creations . . . . . . . : 0
Successful JWT authentications . . : 0 Failed JWT authentications . . . . : 0
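The interpretation rule described above (several failed sign-ons across a variety of user IDs in a short time, with no successful sign-on afterwards) can be applied to CSCS messages in the DFHSN1100 and DFHSN1102 layout shown earlier. This is an added example, not IBM code; the sample lines, the netname TERMX001, the user IDs TESTU01 to TESTU03, the DD/MM/YYYY date format and the thresholds (5 minutes, 3 failures, 2 user IDs) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the DFHSN1100/DFHSN1102 layout; thresholds below are assumed.
SAMPLE = """\
DFHSN1102 27/11/2020 16:40:11 IYK2ZDL1 Signon at netname IYCWT126 by user CRPTST2 has failed. Password not recognized.
DFHSN1100 27/11/2020 16:40:30 IYK2ZDL1 CESN Signon at netname IYCWT126 by user CRPTST2 in group TSOUSER is complete.
DFHSN1102 27/11/2020 17:01:05 IYK2ZDL1 Signon at netname TERMX001 by user TESTU01 has failed. Password not recognized.
DFHSN1102 27/11/2020 17:01:20 IYK2ZDL1 Signon at netname TERMX001 by user TESTU02 has failed. Password not recognized.
DFHSN1102 27/11/2020 17:01:41 IYK2ZDL1 Signon at netname TERMX001 by user TESTU03 has failed. Password not recognized.
DFHSN1102 27/11/2020 17:02:03 IYK2ZDL1 Signon at netname TERMX001 by user TESTU01 has failed. Password not recognized.
"""

# The transaction ID (CESN) appears in the DFHSN1100 sample but not in DFHSN1102.
MSG = re.compile(r"^(DFHSN1100|DFHSN1102) (\S+ \S+) \S+ (?:\S+ )?"
                 r"Signon at netname (\S+) by user (\S+) ")

def parse(lines):
    """Return time-sorted (time, netname, user, succeeded) tuples."""
    events = []
    for line in lines:
        m = MSG.match(line)
        if m:
            msgid, stamp, netname, user = m.groups()
            when = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")  # assumes DD/MM/YYYY
            events.append((when, netname, user, msgid == "DFHSN1100"))
    return sorted(events)

def suspicious(events, window=timedelta(minutes=5), min_fails=3, min_users=2):
    """Netnames with a failure burst over several user IDs and no sign-on success after it."""
    by_net = defaultdict(list)
    for ev in events:
        by_net[ev[1]].append(ev)
    findings = []
    for net, evs in by_net.items():
        fails = [e for e in evs if not e[3]]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f[0] - first[0] <= window]
            users = sorted({f[2] for f in burst})
            end = burst[-1][0]
            recovered = any(e[3] and end <= e[0] <= end + window for e in evs)
            if len(burst) >= min_fails and len(users) >= min_users and not recovered:
                findings.append((net, first[0], len(burst), users))
                break  # one finding per netname is enough for triage
    return findings

if __name__ == "__main__":
    for net, start, count, users in suspicious(parse(SAMPLE.splitlines())):
        print(f"{net}: {count} failed sign-ons from {start} for {users}")
```

The single failure at IYCWT126 is followed by a successful sign-on and is not reported; the four failures at TERMX001 are.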