Limited supportBMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support.BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Datastream for Db2 7.1.

SMF record enrichment

Many system management facilities (SMF) record types were designed by IBM for accounting chargeback or performance analysis purposes, not for security monitoring. In many cases, data that would be useful in a security context is not present in a particular record type. For example, SMF record type 42 (DFSMS statistics and configuration) does not contain the job ID (job number) to uniquely identify a job, and the first character does not distinguish between batch jobs, time-sharing option sessions, and started tasks. Likewise, most records (other than RACF-generated records) do not contain any indication of the port of entry by which the job entered the system.

BMC AMI Defender addresses these shortcomings by providing security-related data with each SMF record, including non-IBM SMF records. IBM Db2 SMF records (SMF record types 100, 101, and 102) are an exception—the records are complete and the Db2 environment is stable and well known. Db2 SMF records generally originate from Db2, not from the calling programs.

For more information about the fields that BMC AMI Defender adds, see SMF-common-fields and the FIELDS parameter reference in Supported-API-event-types-SMF-types-and-associated-process-tags. The names of the added fields begin with Event and the name without a space, for example, EventJobID.

The following sections of this topic describe the various types of SMF record enrichment:

Privilege escalation detection

Privilege escalation is the act of exploiting a bug, design flaw, or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. In accordance with the defense in depth security practice, BMC AMI Defender implements a mechanism for detecting a specific privilege escalation technique.

According to one privilege escalation technique, attackers maliciously change the in-memory privilege bits of their executing process, thereby granting themselves additional z/OS privileges without an audit trail. If a z/OS user generates one or more routine BMC AMI Defender events, such as by logging on or submitting jobs, and then uses this technique to escalate privileges, a configured BMC AMI Defender sends a specific tagged field value (PrivStat: E -) to the SIEM on the next event (file access). For more information, see the EventPrivilege field in the SMF-common-fields topic.

You need to configure your SIEM to generate a high-priority alert upon receipt of the tagged field value. The BMC AMI Command Center for Security SIEM contains a preconfigured alert for this purpose.

APF-status enrichment

The authorized program facility (APF) authorization status of any referenced data set is a critical piece of data that is not present in SMF records. Storing a program in an APF-authorized library is an event that might be critical to the integrity of your system, but SMF cannot distinguish between this event and the routine storage of a program in a load library. For each SMF record type that contains a data set name, BMC AMI Defender adds the APF status of the data set to the fields available. The fields have identical or similar names to the data set name field with _APF appended, such as SMF18NDS_APF. These are Boolean fields, typically formatted as APF:Yes, when appropriate. The BOOLValues parameter in the OPTIONS-statement controls the formatting.

The fields are formatted by default for each SMF record type that represents a modification of an APF-authorized library and, optionally, for each SMF record type that represents a read reference to an APF-authorized library. For information about the fields, see the FIELDS-parameter branch and the FIELDS parameter of each SMF statement in the General-SMF-record-type-statement section.

You can also filter the APF status fields with Boolean filters, and you can disable APF-status enrichment with the NOAPFENRich parameter on the OPTIONS statement.

Duplicate data set names and false positives

If you have non-authorized libraries with the same data set name as an authorized library, then BMC AMI Defender might report accesses to the non-authorized libraries as authorized library accesses (false positives).

Best practice
Do not to give authorized and non-authorized libraries the same name. To be safe, BMC AMI Defender always reports authorized access.

For example, if you had an APF-authorized library named SYS1.CRITICAL.LOADLIB on volume 111111 and also a non-authorized library with the same name on volume 222222, then BMC AMI Defender would probably report accesses to the library on 222222 as APF-authorized accesses.

BMC AMI Defender avoids these false positives if both of the following conditions are true:

  • The authorized library is not SMS-managed.
  • The SMF record contains a volume serial number.

Other limitations

BMC AMI Defender builds its table of APF-authorized data sets at startup from the current APF-authorization and LNKLST lists. In IBM z/OS V2R2, if SMF record type 90 subtype 37 is active and processed by BMC AMI Defender, it updates the APF-authorized library list following each SET PROG= and SETPROG APF command. For more information, see the IBM documentation. After BMC AMI Defender startup, check CZAPRINT for messages CZA0286W and CZA0358W, and resolve any warnings. For help, contact BMC Support.

If LNKAUTH=LNKLST is specified, BMC AMI Defender treats all data sets in any LNKLST set (active or inactive at the time of BMC AMI Defender startup) as APF-authorized. z/OS has no facility to notify running programs of changes to the active LNKLST, unlike APF list changes with SMF type 90 subtype 37. If you add a library to the active LNKLST set, BMC AMI Defender reports accesses to it as APF-authorized if you explicitly APF-authorize it with SETPROG APF, ADD, or refresh the BMC AMI Defender APF-authorized list manually with the SET(APF) command (see MODIFY-command).

z/OS always treats the following data sets as APF-authorized:

  • SYS1.CSSLIB
  • SYS1.MIGLIB 
  • Their replacements, as specified in the SYSLIB statement in the PROGxx member of the parmlib concatenation

To accesses these data sets reported by BMC AMI Defender as APF-authorized, add them explicitly to the APF list in PROGxx.

Important

z/OS treats all programs in the Link Pack Area (LPA) as authorized, whether or not they were loaded from an APF-authorized library. BMC AMI Defender cannot report modifications to programs only because they might subsequently be loaded into the LPA. 

You can explicitly APF-authorize the data sets of your LPALIB concatenation.

z/OS Unix System Services (USS)-specific enrichment

(SPE2107)

z/OS Unix System Services (USS) allows some users to be defined as superusers with the ability to perform administrative functions that can affect multiple users or the entire USS environment. You can define a superuser using the following methods:

  • Specify a USS userid (UID) of zero (0).
  • Authorize READ access to BPX.SUPERUSER facility.
  • Authorize access to UNIXPRIV class profiles, which is the IBM recommended security mechanism because you can limit superuser functionality to specific tasks.

For information about UNIXPRIV class profiles, see the IBM Documentation topic Using UNIXPRIV class profiles.

For information about USS security mechanisms, see the IBM Documentation topic Abstract for z/OS UNIX System Services Planning.

BMC AMI Defender obtains USS superuser privileges regardless of how they are defined. Obtaining this information requires multiple calls to USS and your SAF security product such as RACF, ACF2, and TopSecret. There could be a significant amount of overhead when obtaining this information for each SMF record produced by the system. 

You can enable USS enrichment using the USSENRICH parameter in the Options statement.

ACF2-specific enrichment

For installations running the System Authorization Facility (SAF) product CA ACF2, BMC AMI Defender provides a number of ACF2-specific enrichment fields, possibly including installation-specific user LID fields. For more information, see SMF-ACF2-common-fields and CONFIG-statement.

SAF enrichment status

When a System Authorization Facility (SAF) data set, such as SYS1.RACF, is recorded in an SMF record, BMC AMI Defender flags the message with an SAF indicator.  

System library enrichment status

When system PARMLIB and PROCLIB data sets, such as SYS1.PARMLIB, are recorded in an SMF record, BMC AMI Defender flags the message with a SYSLIB indicator.

Encryption enrichment status

BMC AMI Defender flags encryption data set names recorded in an SMF record with an ENCRYPT indicator.


Related topics

OPTIONS-statement

Messages CZA0200 through CZA0299

Messages CZA0300 through CZA0399

Overview

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*