SMF record enrichment
Many system management facilities (SMF) record types were designed by IBM for accounting chargeback or performance analysis purposes, not for security monitoring. In many cases, data that would be useful in a security context is not present in a particular record type. For example, SMF record type 42 (DFSMS statistics and configuration) does not contain the job ID (job number) to uniquely identify a job, and the first character does not distinguish between batch jobs, time-sharing option sessions, and started tasks. Likewise, most records (other than RACF-generated records) do not contain any indication of the port of entry by which the job entered the system.
BMC AMI Datastream addresses these shortcomings by providing security-related data with each SMF record, including non-IBM SMF records. IBM Db2 SMF records (SMF record types 100, 101, and 102) are an exception—the records are complete and the Db2 environment is stable and well known. Db2 SMF records generally originate from Db2, not from the calling programs.
For more information about the fields that BMC AMI Datastream adds, see SMF common fields and the FIELDS parameter reference in Supported API event types, SMF types, and associated process tags. The names of the added fields begin with Event and the name without a space, for example, EventJobID.
The following sections of this topic describe the various types of SMF record enrichment:
Privilege escalation detection
Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. In accordance with the defense in depth security practice, BMC AMI Datastream implements a mechanism for detecting a specific privilege escalation technique.
According to one privilege escalation technique, attackers maliciously change the in-memory privilege bits of their executing process, thereby granting themselves additional z/OS privileges without an audit trail. If a z/OS user generates one or more routine BMC AMI Datastream events, such as by logging on or submitting jobs, and then uses this technique to escalate privileges, a configured BMC AMI Datastream sends a specific tagged field value (PrivStat: E -) to the SIEM on the next event (file access). For more information, see the EventPrivilege field in the SMF common fields topic.
You need to configure your SIEM to generate a high-priority alert upon receipt of the tagged field value. The BMC AMI Command Center for Security SIEM contains a preconfigured alert for this purpose.
APF-status enrichment
The authorized program facility (APF) authorization status of any referenced data set is a critical piece of data that is not present in SMF records. Storing a program in an APF-authorized library is an event that might be critical to the integrity of your system, but SMF cannot distinguish between this event and the routine storage of a program in a load library. For each SMF record type that contains a data set name, BMC AMI Datastream adds the APF status of the data set to the fields available. The fields have identical or similar names to the data set name field with _APF appended, such as SMF18NDS_APF. These are Boolean fields, typically formatted as APF:Yes, when appropriate. The BOOLValues parameter in the OPTIONS statement controls the formatting.
The fields are formatted by default for each SMF record type that represents a modification of an APF-authorized library and, optionally, for each SMF record type that represents a read reference to an APF-authorized library. For information about the fields, see the Supported record field names branch and the FIELDS parameter of each SMF statement in the General SMF record type statement section.
You can also filter the APF status fields with Boolean filters, and you can disable APF-status enrichment with the NOAPFENRich parameter on the OPTIONS statement.
Duplicate data set names and false positives
If you have non-authorized libraries with the same data set name as an authorized library, then BMC AMI Datastream might report accesses to the non-authorized libraries as authorized library accesses (false positives).
Best practice
BMC AMI Datastream avoids these false positives if both of the following conditions are true:
- The authorized library is not SMS-managed.
- The SMF record contains a volume serial number.
Other limitations
BMC AMI Datastream builds its table of APF-authorized data sets at startup from the current APF-authorization and LNKLST lists. In IBM z/OS V2R2, if SMF record type 90 subtype 37 is active and processed by BMC AMI Datastream, it updates the APF-authorized library list following each SET PROG= and SETPROG APF command. For more information, see the IBM documentation. After BMC AMI Datastream startup, check CZAPRINT for messages CZA0286W and CZA0358W, and resolve any warnings. For help, contact BMC Support.
If LNKAUTH=LNKLST is specified, BMC AMI Datastream treats all data sets in any LNKLST set (active or inactive at the time of BMC AMI Datastream startup) as APF-authorized. z/OS has no facility to notify running programs of changes to the active LNKLST, unlike APF list changes with SMF type 90 subtype 37. If you add a library to the active LNKLST set, BMC AMI Datastream reports accesses to it as APF-authorized if you explicitly APF-authorize it with SETPROG APF, ADD, or refresh the BMC AMI Datastream APF-authorized list manually with the SET(APF) command (see MODIFY command).
z/OS always treats the following data sets as APF-authorized:
- SYS1.CSSLIB
- SYS1.MIGLIB
- Their replacements, as specified in the SYSLIB statement in the PROGxx member of the parmlib concatenation
To accesses these data sets reported by BMC AMI Datastream as APF-authorized, add them explicitly to the APF list in PROGxx.
Important
z/OS treats all programs in the Link Pack Area (LPA) as authorized, whether or not they were loaded from an APF-authorized library. BMC AMI Datastream cannot report modifications to programs only because they might subsequently be loaded into the LPA.
You can explicitly APF-authorize the data sets of your LPALIB concatenation.
Db2 audit table enrichment
BMC AMI Datastream can enrich specified Db2 subsystems with schema, table names, and database names based on DBID and OBID fields (IFCID 143 and IFCID 144) when you use the DB2AUDITEnrich parameter in the SMF DB2 statement. You must bind the specified Db2 subsystems with the CZA plans by using the CZABIND member. For more information, see SMF DB2 statement.
z/OS Unix System Services (USS)–specific enrichment
z/OS Unix System Services (USS) allows some users to be defined as superusers with the ability to perform administrative functions that can affect multiple users or the entire USS environment. You can define a superuser using the following methods:
- Specify a USS userid (UID) of zero (0).
- Authorize READ access to BPX.SUPERUSER facility.
- Authorize access to UNIXPRIV class profiles, which is the IBM recommended security mechanism because you can limit superuser functionality to specific tasks.
For information about UNIXPRIV class profiles, see the IBM Documentation topic Using UNIXPRIV class profiles .
For information about USS security mechanisms, see the IBM Documentation topic Abstract for z/OS UNIX System Services Planning .
BMC AMI Datastream obtains USS superuser privileges regardless of how they are defined. Obtaining this information requires multiple calls to USS and your SAF security product such as RACF, ACF2, and Top Secret. There could be a significant amount of overhead when obtaining this information for each SMF record produced by the system.
You can enable USS enrichment by using the USSENRICH parameter. (SPE2307)
To select one or more SMF records for USSENRICH processing, you must specify the SMF types by using the USSSMF parameter. For more information on the USSENRICH and USSSMF parameters, see Options statement.ACF2-specific enrichment
For installations running the System Authorization Facility (SAF) product CA ACF2, BMC AMI Datastream provides a number of ACF2-specific enrichment fields, possibly including installation-specific user LID fields. For more information, see SMF ACF2 common fields and CONFIG statement.
SAF enrichment status
When a System Authorization Facility (SAF) data set, such as SYS1.RACF, is recorded in an SMF record, BMC AMI Datastream flags the message with an SAF indicator.
System library enrichment status
When system PARMLIB and PROCLIB data sets, such as SYS1.PARMLIB, are recorded in an SMF record, BMC AMI Datastream flags the message with a SYSLIB indicator.
Encryption enrichment status
BMC AMI Datastream flags encryption data set names recorded in an SMF record with an ENCRYPT indicator.
Comments
Log in or register to comment.