Using the System Integrity Violation scanner
The System Integrity Violation (SIV) scanner identifies system settings that might be vulnerable to an outside attack. When an anomaly is found, the SIV scanner generates and passes messages to the
.
The SIV scanner runs at the following times:
- Whenever there is an address space startup
- Every day at midnight
- When it is notified of SAF security system (RACF, ACF/2, TopSecret) changes
Whenever there are SAF changes, all address spaces that have registered interest in these changes are notified through the z/OS Event Notification Facility (ENF) function 79.
Enabling the SIV scanner
The SIV scanner is disabled by default.
To enable the SIV scanner:
- Open the $$$CONFG member.
- Delete the semicolon preceding SWITCH ON(SIV) to uncomment the option:
; SWITCH ON(SIV) ; System Integrity Violation Scanner
This enables the OPTIONS statement parameter, SIVSCANNER, which enables the SIV scanner. For more information, see OPTIONS-statement.
Sample messages
The messages that the SIV scanner generates and passes to
in response to identified vulnerabilities are broken into the following categories.
Sensitive Data Set Violation (SDV) messages
The following messages begin with the prefix SDV. The fileType parameter can be APF List, Linklist, Parmlib, or Proclib.
Number | Message | Description
---|---|---
SDV1000I | fileType data set DSN=dataSetName does not have a fully qualified generic profile | The data set does not have a specific SAF security profile controlling access to it.
SDV1001I | fileType data set DSN=dataSetName found with inappropriate audit settings | The data set does not have the correct SAF security profile, which requires audit reporting of failed access attempts.
SDV1002I | fileType data set DSN=dataSetName found with UACC > NONE | The data set has a SAF security profile with some level of universal access.
SDV1003I | fileType data set DSN=dataSetName found with ID(*) > NONE | The data set has a SAF security profile with some level of universal access.
SDV1004I | fileType data set DSN=dataSetName found with WARNING attribute | The data set has a SAF security profile with the WARNING attribute, which allows access to the data set in cases that would otherwise cause an error or abend.
SDV1005I | Uncatalogued fileType data set DSN=dataSetName found | The data set is not catalogued on the correct volume.
Severe Warning Violation (SWV) messages
The following messages begin with the prefix SWV:
Number | Message | Description
---|---|---
SWV2001I | CICS region jobName has SEC=NO on lparName | The CICS region has security checking disabled.
SWV2002I | DB2 region db2ID does not have AUTH=Yes on lparName | The Db2 system has security checking disabled.
SWV2003I | IMS region imsID does not have ISIS=R/A on lparName | The IMS system has security checking disabled.
SWV2004I | MQ region mqID "componentType" security is disabled | Security for an MQ component is disabled. The components checked are Subsystem, QMGR, QSG, Command, Connection, Context, Process, Namelist, Queue, Topic, and Command Resources.
SWV2005I | IKJTSOxx/AUTHTSF configuration is vulnerable to a full penetration attack | IDCAMS is allowed to run in an authorized state under a TSO session.
SWV2006I | DIAGxx/ALLOWUSERKEYCSA(YES) configuration is vulnerable to a full penetration attack | Unauthorized programs can allocate or deallocate common storage.
SWV2007I | Program=programName has "PRIVILEGED" specified in the Program Properties Table (PPT) | The job step executing this program is automatically put into an elevated Workload Manager (WLM) service class (SYSSTC).
SWV2008I | Program=programName has "BYPASS PASSWORD PROTECTION" specified in the Program Properties Table (PPT) | The program can bypass security protection (password protection and RACF).
Sensitive Data Set Violation Total (SDT) messages
The following messages begin with the prefix SDT:
Number | Message | Description
---|---|---
SDT1000I | count Sensitive data sets protected by non fully-qualified generic profiles | The total number of sensitive data sets that do not have a fully qualified security profile.
SDT1001I | count Sensitive data sets found with inappropriate audit settings | The total number of sensitive data sets with a security profile that does not require audit reporting of failed access attempts.
SDT1002I | count Sensitive data sets found with UACC > NONE | The total number of sensitive data sets whose SAF security profile grants some level of universal access through UACC.
SDT1003I | count Sensitive data sets found with ID(*) > NONE | The total number of sensitive data sets whose SAF security profile grants some level of universal access through an ID(*) access list entry.
SDT1004I | count Sensitive data sets found with WARNING attribute | The total number of sensitive data sets whose SAF security profile has the WARNING attribute.
SDT1005I | count Uncatalogued sensitive data sets found | The total number of sensitive data sets that are not catalogued on the correct volume.
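The SDV, SWV and SDT message formats above are what a SIEM or automation job sees once the scanner's output reaches the system log. The following Python script is an added example, not code from the product or its documentation: it recognizes the three message prefixes, extracts the variable parts the tables define (fileType, DSN=dataSetName, Program=programName, the SDT count) and tallies messages per category so that a single-finding SDV message, a severe SWV message and an SDT total can be routed differently. The severity assigned to each category and the sample log lines are constructed for this example and are not defined on the page.

```python
"""Parse and classify SIV scanner messages (SDV, SWV, SDT) from a log feed.

Added example, not the product's own code. Message shapes follow the message
tables on this page; the severity mapping and the sample log are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Message ID: three-letter prefix, four digits, 'I' suffix (e.g. SDV1002I).
_MSG_ID = re.compile(r"^(?P<id>(?P<prefix>SDV|SWV|SDT)\d{4}I)\s+(?P<text>.+)$")
# Extractors for the variable parts shown in the message tables.
_DSN = re.compile(r"DSN=(?P<dsn>[A-Z0-9$#@.]+)")
_FILETYPE = re.compile(r"^(?:Uncatalogued\s+)?(?P<fileType>APF List|Linklist|Parmlib|Proclib)\s+data set")
_PROGRAM = re.compile(r"Program=(?P<program>\S+)")
_SDT_COUNT = re.compile(r"^(?P<count>\d+)\s+")

# Assumption for this example (the page defines no severities): SWV messages report
# disabled security checking or full-penetration exposure, SDV messages one data set
# finding each, SDT messages per-category totals.
SEVERITY = {"SWV": "high", "SDV": "medium", "SDT": "info"}

# Constructed sample log modelled on the message formats in the tables above;
# the IEF403I line stands in for unrelated system messages in the same feed.
SAMPLE_LOG = """\
SDV1000I APF List data set DSN=SYS1.LINKLIB does not have a fully qualified generic profile
SDV1002I Linklist data set DSN=SYS1.LPALIB found with UACC > NONE
SDV1005I Uncatalogued Parmlib data set DSN=SYS1.PARMLIB found
SWV2001I CICS region CICSPRD1 has SEC=NO on LPAR01
SWV2006I DIAGxx/ALLOWUSERKEYCSA(YES) configuration is vulnerable to a full penetration attack
SWV2007I Program=MYPROG has "PRIVILEGED" specified in the Program Properties Table (PPT)
SDT1002I 2 Sensitive data sets found with UACC > NONE
IEF403I MYJOB - STARTED - TIME=00.00.01
"""


@dataclass
class SivMessage:
    msg_id: str
    category: str      # SDV, SWV or SDT
    severity: str
    text: str
    fields: dict = field(default_factory=dict)


def parse_line(line: str) -> Optional[SivMessage]:
    """Return a SivMessage for an SDV/SWV/SDT line, or None for any other message."""
    m = _MSG_ID.match(line.strip())
    if not m:
        return None
    prefix, text = m.group("prefix"), m.group("text")
    fields = {}
    for rx in (_DSN, _FILETYPE, _PROGRAM):
        hit = rx.search(text)
        if hit:
            fields.update(hit.groupdict())
    if prefix == "SDT":
        hit = _SDT_COUNT.match(text)
        if hit:
            fields["count"] = int(hit.group("count"))
    return SivMessage(m.group("id"), prefix, SEVERITY[prefix], text, fields)


def summarize(log: str) -> dict:
    """Count SIV messages per category plus the lines that were not SIV messages."""
    summary = {"SDV": 0, "SWV": 0, "SDT": 0, "other": 0}
    for line in log.splitlines():
        if not line.strip():
            continue
        msg = parse_line(line)
        if msg is None:
            summary["other"] += 1
        else:
            summary[msg.category] += 1
    return summary


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        parsed = parse_line(raw)
        if parsed:
            print(f"{parsed.severity:6} {parsed.msg_id} {parsed.fields}")
    print(summarize(SAMPLE_LOG))
```

The parser keys on the message ID rather than on the free text, so the fixed-text variants (for example SWV2005I and SWV2006I, which carry no variable fields) are still classified, and an SDT total is kept separate from the individual SDV findings it summarizes so that it is not counted as an additional data set.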