Logging and audit trails
When the security characteristics of a computer system like the HMC are understood and trusted, facilities must be in place to monitor and audit the security of the system to ensure that it is operating correctly. For this reason, the HMC uses its security log to record important security-related events. The customer can use the View Security Logs task to view these security events and the Archive Security Logs task to offload security logs for storage. The offloaded security logs should be protected from modification so that later viewing of the archived logs (View Security Logs task) cannot be compromised.
The security log contains entries for security-related events. A short list that illustrates the types of events that are contained in the security log is as follows:
- User logon or logoff
- Failed logon attempts
- Password changes
- Creation, deletion, and alteration of users
- Creation, deletion, and alteration of user roles
- Creation, deletion, and alteration of the IBM mainframe activation profiles
- Processing of disruptive commands
- Change management activity
- Network traffic that is blocked by the firewall.
The customer is intended to use the security log to determine when events occurred that altered the security characteristics of the HMC. The security log might indicate an action that has security implications for the HMC or the system resources that it manages. The View Security Logs task allows the customer to search the open log by date, event, category, or (new in version 2.13.0) by user. This search capability limits the list of entries to just what is of particular interest.
For auditing purposes, the Audit and Log Management task generates a report that can be viewed and offloaded to a remote workstation or removable media. There are various data types (such as Configuration, Security Log, or User profiles) that can be chosen to tailor the report. A range of dates and times can also be entered to limit the report to a specific time.
Event Monitoring
The Monitor System Events task allows the creation and management of event monitors. An event monitor listens for events from managed objects. When an event is received, the monitor tests it with user-defined time and text filters. If the event passes the tests, the monitor enables an email to be sent to interested users. This function requires a Simple Mail Transfer Protocol (SMTP) server that must be accessible from the HMC.
Customers might want to use the Monitor System Events task to automate notification of certain critical security log events. In this case, system programmers and system administrators need not manually monitor the security log as frequently.
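The event monitor model described above (a daily time filter plus a text filter, and a notification to interested users when both pass), as an added example that is not the HMC's own code: the pipe-separated log line format, the monitor names, recipients and sample entries are constructed assumptions, and the notifications that would be handed to an SMTP server are collected and returned instead of being sent.

```python
import re
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class SecurityEvent:
    timestamp: datetime
    category: str   # one of the security log event types, e.g. "Failed logon attempts"
    user: str
    text: str

@dataclass
class EventMonitor:
    name: str
    text_pattern: str      # case-insensitive regex tested against "<category> <text>"
    window_start: time     # time-of-day filter: only events inside [start, end] match
    window_end: time
    recipients: list

    def matches(self, ev: SecurityEvent) -> bool:
        in_window = self.window_start <= ev.timestamp.time() <= self.window_end
        text = f"{ev.category} {ev.text}"
        return in_window and re.search(self.text_pattern, text, re.I) is not None

def parse_log(lines):
    # Constructed line format (assumption): "<ISO timestamp>|<category>|<user>|<text>"
    events = []
    for line in lines:
        ts, category, user, text = line.split("|", 3)
        events.append(SecurityEvent(datetime.fromisoformat(ts), category, user, text))
    return events

def run_monitors(monitors, events):
    """Return (monitor name, recipients, message) for every event a monitor passes."""
    notifications = []
    for mon in monitors:
        for ev in events:
            if mon.matches(ev):
                msg = f"{ev.timestamp.isoformat()} {ev.category}: {ev.user} {ev.text}"
                notifications.append((mon.name, tuple(mon.recipients), msg))
    return notifications

# Constructed sample security log entries (chronological).
SAMPLE_LOG = [
    "2024-05-01T02:14:00|Failed logon attempts|opsadmin|wrong password, console session 7",
    "2024-05-01T03:05:00|Password changes|opsadmin|password changed",
    "2024-05-01T09:30:00|User logon|opsadmin|logon succeeded",
    "2024-05-01T23:45:00|Creation, deletion, and alteration of users|secadmin|user auditor created",
]

MONITORS = [
    EventMonitor("after-hours-auth", r"failed logon|password", time(0, 0), time(6, 0),
                 ["secops@example.invalid"]),
    EventMonitor("user-admin", r"alteration of users", time(0, 0), time(23, 59, 59),
                 ["secadmin-oncall@example.invalid"]),
]

if __name__ == "__main__":
    for name, to, msg in run_monitors(MONITORS, parse_log(SAMPLE_LOG)):
        print(f"[{name}] -> {', '.join(to)}: {msg}")
```

The successful 09:30 logon falls outside the after-hours window and matches no text filter, so it produces no notification, which is the behaviour that lets administrators stop polling the log by hand.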