×
 
 
  •  
$helper.renderConfluenceMacro('{bmc-global-announcement:$space.key}')
BMC AMI Datastream for Db2 7.1 Getting started

SMF record enrichment

Many system management facilities (SMF) record types were designed by IBM for accounting chargeback or performance analysis purposes, not for security monitoring. In many cases, data that would be useful in a security context is not present in a particular record type. For example, SMF record type 42 (DFSMS statistics and configuration) does not contain the job ID (job number) to uniquely identify a job, and the first character does not distinguish between batch jobs, time-sharing option sessions, and started tasks. Likewise, most records (other than RACF-generated records) do not contain any indication of the port of entry by which the job entered the system.

Related topics

BMC AMI Datastream overview

OPTIONS statement

Messages CZA0200 through CZA0299 Open link

Messages CZA0300 through CZA0399 Open link

BMC AMI Datastream addresses these shortcomings by providing security-related data with each SMF record, including non-IBM SMF records. IBM Db2 SMF records (SMF record types 100, 101, and 102) are an exception—the records are complete and the Db2 environment is stable and well known. Db2 SMF records generally originate from Db2, not from the calling programs.

For more information about the fields that BMC AMI Datastream adds, see SMF common fields and the FIELDS parameter reference in Supported API event types, SMF types, and associated process tags. The names of the added fields begin with Event and the name without a space, for example, EventJobID.

The following sections of this topic describe the various types of SMF record enrichment:

Privilege escalation detection

Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. In accordance with the defense in depth security practice, BMC AMI Datastream implements a mechanism for detecting a specific privilege escalation technique.

According to one privilege escalation technique, attackers maliciously change the in-memory privilege bits of their executing process, thereby granting themselves additional z/OS privileges without an audit trail. If a z/OS user generates one or more routine BMC AMI Datastream events, such as by logging on or submitting jobs, and then uses this technique to escalate privileges, a configured BMC AMI Datastream sends a specific tagged field value (PrivStat: E -) to the SIEM on the next event (file access). For more information, see the EventPrivilege field in the SMF common fields topic.

You need to configure your SIEM to generate a high-priority alert upon receipt of the tagged field value. The BMC AMI Command Center for Security SIEM contains a preconfigured alert for this purpose.

APF-status enrichment

The authorized program facility (APF) authorization status of any referenced data set is a critical piece of data that is not present in SMF records. Storing a program in an APF-authorized library is an event that might be critical to the integrity of your system, but SMF cannot distinguish between this event and the routine storage of a program in a load library. For each SMF record type that contains a data set name, BMC AMI Datastream adds the APF status of the data set to the fields available. The fields have identical or similar names to the data set name field with _APF appended, such as SMF18NDS_APF. These are Boolean fields, typically formatted as APF:Yes, when appropriate. The BOOLValues parameter in the OPTIONS statement controls the formatting.

The fields are formatted by default for each SMF record type that represents a modification of an APF-authorized library and, optionally, for each SMF record type that represents a read reference to an APF-authorized library. For information about the fields, see the Supported record field names branch and the FIELDS parameter of each SMF statement in the General SMF record type statement section.

You can also filter the APF status fields with Boolean filters, and you can disable APF-status enrichment with the NOAPFENRich parameter on the OPTIONS statement.

Duplicate data set names and false positives

If you have non-authorized libraries with the same data set name as an authorized library, then BMC AMI Datastream might report accesses to the non-authorized libraries as authorized library accesses (false positives).

Best practice

Do not to give authorized and non-authorized libraries the same name. To be safe, BMC AMI Datastream always reports authorized access.
For example, if you had an APF-authorized library named SYS1.CRITICAL.LOADLIB on volume 111111 and also a non-authorized library with the same name on volume 222222, then BMC AMI Datastream would probably report accesses to the library on 222222 as APF-authorized accesses.

BMC AMI Datastream avoids these false positives if both of the following conditions are true:

  • The authorized library is not SMS-managed.
  • The SMF record contains a volume serial number.

Other limitations

BMC AMI Datastream builds its table of APF-authorized data sets at startup from the current APF-authorization and LNKLST lists. In IBM z/OS V2R2, if SMF record type 90 subtype 37 is active and processed by BMC AMI Datastream, it updates the APF-authorized library list following each SET PROG= and SETPROG APF command. For more information, see the IBM documentation. After BMC AMI Datastream startup, check CZAPRINT for messages CZA0286W and CZA0358W, and resolve any warnings. For help, contact BMC Support.

If LNKAUTH=LNKLST is specified, BMC AMI Datastream treats all data sets in any LNKLST set (active or inactive at the time of BMC AMI Datastream startup) as APF-authorized. z/OS has no facility to notify running programs of changes to the active LNKLST, unlike APF list changes with SMF type 90 subtype 37. If you add a library to the active LNKLST set, BMC AMI Datastream reports accesses to it as APF-authorized if you explicitly APF-authorize it with SETPROG APF, ADD, or refresh the BMC AMI Datastream APF-authorized list manually with the SET(APF) command (see MODIFY command).

z/OS always treats the following data sets as APF-authorized:

  • SYS1.CSSLIB
  • SYS1.MIGLIB 
  • Their replacements, as specified in the SYSLIB statement in the PROGxx member of the parmlib concatenation

To accesses these data sets reported by BMC AMI Datastream as APF-authorized, add them explicitly to the APF list in PROGxx.

Important

z/OS treats all programs in the Link Pack Area (LPA) as authorized, whether or not they were loaded from an APF-authorized library. BMC AMI Datastream cannot report modifications to programs only because they might subsequently be loaded into the LPA. 

You can explicitly APF-authorize the data sets of your LPALIB concatenation.

Db2 audit table enrichment

(SPE2310) Open link

BMC AMI Datastream can enrich specified Db2 subsystems with schema, table names, and database names based on DBID and OBID fields (IFCID 143 and IFCID 144) when you use the DB2AUDITEnrich parameter in the SMF DB2 statement. You must bind the specified Db2 subsystems with the CZA plans by using the CZABIND member. For more information, see SMF DB2 statement.

z/OS Unix System Services (USS)–specific enrichment

z/OS Unix System Services (USS) allows some users to be defined as superusers with the ability to perform administrative functions that can affect multiple users or the entire USS environment. You can define a superuser using the following methods:

  • Specify a USS userid (UID) of zero (0).
  • Authorize READ access to BPX.SUPERUSER facility.
  • Authorize access to UNIXPRIV class profiles, which is the IBM recommended security mechanism because you can limit superuser functionality to specific tasks.

For information about UNIXPRIV class profiles, see the IBM Documentation topic  Using UNIXPRIV class profiles Open link .

For information about USS security mechanisms, see the IBM Documentation topic Abstract for z/OS UNIX System Services Planning Open link .

BMC AMI Datastream obtains USS superuser privileges regardless of how they are defined. Obtaining this information requires multiple calls to USS and your SAF security product such as RACF, ACF2, and Top Secret. There could be a significant amount of overhead when obtaining this information for each SMF record produced by the system. 

You can enable USS enrichment by using the USSENRICH parameter. (SPE2307) Open link

To select one or more SMF records for USSENRICH processing, you must specify the SMF types by using the USSSMF parameter. For more information on the USSENRICH and USSSMF parameters, see Options statement.

ACF2-specific enrichment

For installations running the System Authorization Facility (SAF) product CA ACF2, BMC AMI Datastream provides a number of ACF2-specific enrichment fields, possibly including installation-specific user LID fields. For more information, see SMF ACF2 common fields and CONFIG statement.

SAF enrichment status

When a System Authorization Facility (SAF) data set, such as SYS1.RACF, is recorded in an SMF record, BMC AMI Datastream flags the message with an SAF indicator.  

System library enrichment status

When system PARMLIB and PROCLIB data sets, such as SYS1.PARMLIB, are recorded in an SMF record, BMC AMI Datastream flags the message with a SYSLIB indicator.

Encryption enrichment status

BMC AMI Datastream flags encryption data set names recorded in an SMF record with an ENCRYPT indicator.

Was this page helpful? Yes No Submitting... Thank you
Last modified by Sara Kamen on Apr 08, 2024
getting_started spe2307 spe2310

Comments

Log in or register to comment.

SMF record type overview
SSL and TLS
© Copyright 2013 - 2022 BMC Software, Inc.
Legal notices

Powered by Atlassian Confluence and Scroll Viewport

© Copyright 2005-2024 BMC Software, Inc. Use of this site signifies your acceptance of BMC’s Terms of Use. BMC,the BMC logo, and other BMC marks are assets of BMC Software, Inc. These trademarks are registered and may be registered in the U.S. and in other countries.