Using the System Integrity Violation scanner


The System Integrity Violation (SIV) scanner identifies system settings that might be vulnerable to an outside attack. When an anomaly is found, the SIV scanner generates and passes messages to the BMC AMI Command Center for Security.

The SIV scanner also helps identify supervisor call (SVC) intercepts. The scanner detects when SVCs change, verifies that the expected SVC type matches the actual SVC type, and verifies that the SVC resides in the storage location it is expected to be in. For example, SVC types 1, 2, and 6 should reside in the z/OS nucleus; SVC types 3 and 4 should reside in the link pack area (LPA).

By using the SIV scanner to monitor SVCs, you can watch for unexpected SVC intercepts. While SVC intercepts are a part of normal operations for many products, unexpected SVC intercepts can be difficult to detect manually with 255 SVCs to watch.
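The three SVC checks described above (change detection against a baseline, expected-versus-actual SVC type, and expected storage residence by type) can be modelled as a small table comparison. The following Python is an added illustration of that logic, not BMC's scanner code: the SVC table entries, the baseline snapshot and the nucleus/LPA address ranges are all constructed placeholder values, and the type-to-region mapping is exactly the one the page states (types 1, 2 and 6 in the nucleus; 3 and 4 in the LPA). SVC type 5 has no residence rule on the page, so it is not checked for location.

```python
"""Toy model of the SVC consistency checks an integrity scanner performs.

Constructed example, not BMC code. Addresses and region boundaries are
placeholders; on a real system they come from the running z/OS image.
"""
from dataclasses import dataclass

# Expected residence of each SVC type, as stated on the page:
# types 1, 2 and 6 in the z/OS nucleus; types 3 and 4 in the LPA.
EXPECTED_REGION = {1: "NUCLEUS", 2: "NUCLEUS", 6: "NUCLEUS", 3: "LPA", 4: "LPA"}

# Constructed storage ranges (start inclusive, end exclusive). Placeholders only.
REGIONS = {
    "NUCLEUS": (0x00F00000, 0x01000000),
    "LPA": (0x0A000000, 0x0C000000),
}


@dataclass(frozen=True)
class SvcEntry:
    number: int     # SVC number
    svc_type: int   # SVC type 1-6
    address: int    # entry-point address recorded in the SVC table


def region_of(address):
    """Name the storage region an address falls in, or OTHER if none matches."""
    for name, (lo, hi) in REGIONS.items():
        if lo <= address < hi:
            return name
    return "OTHER"


def check_svc(baseline, current):
    """Return finding strings for one SVC, comparing the baseline snapshot
    (expected type and address) with the current SVC table entry."""
    findings = []
    if current.svc_type != baseline.svc_type:
        findings.append(
            f"SVC {current.number}: type changed {baseline.svc_type} -> {current.svc_type}")
    if current.address != baseline.address:
        findings.append(
            f"SVC {current.number}: address changed "
            f"{baseline.address:#010x} -> {current.address:#010x}")
    expected = EXPECTED_REGION.get(current.svc_type)
    actual = region_of(current.address)
    if expected is not None and actual != expected:
        findings.append(
            f"SVC {current.number}: type {current.svc_type} expected in {expected}, "
            f"found in {actual}")
    return findings


def scan(baseline_table, current_table):
    """Run the checks over a whole SVC table, keyed by SVC number."""
    findings = []
    for num in sorted(current_table):
        base = baseline_table.get(num)
        if base is None:
            findings.append(f"SVC {num}: not present in baseline")
            continue
        findings.extend(check_svc(base, current_table[num]))
    return findings


# Constructed baseline and current snapshots of three SVC table entries.
BASELINE = {
    0: SvcEntry(0, 1, 0x00F01000),
    11: SvcEntry(11, 3, 0x0A010000),
    99: SvcEntry(99, 4, 0x0A020000),
}
CURRENT = {
    0: SvcEntry(0, 1, 0x00F01000),     # unchanged
    11: SvcEntry(11, 3, 0x0B500000),   # entry point moved: the shape of an intercept
    99: SvcEntry(99, 2, 0x0A020000),   # type changed, and a type 2 SVC belongs in the nucleus
}

if __name__ == "__main__":
    for line in scan(BASELINE, CURRENT):
        print(line)
```

Running the block reports the moved entry point for SVC 11 and two findings for SVC 99 (the type change and the resulting residence mismatch); an unchanged table produces no findings. A production scanner would also have to treat deliberate, product-registered intercepts as expected, which is why the page stresses that the goal is to surface unexpected intercepts rather than every change.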

The SIV scanner runs at the following times:

  • Whenever there is an address space startup
  • Every day at midnight
  • When it is notified of SAF security system (RACF, ACF/2, CA Top Secret) changes
    Whenever there are SAF changes, all address spaces that have registered interest in these changes are notified through the z/OS Event Notification Facility (ENF) function 79.

Enabling the SIV scanner

The SIV scanner is disabled by default.

To enable the SIV scanner

  1. Open the $$$CONFG member.
  2. Delete the semicolon preceding SWITCH ON(SIV) to uncomment the option.

    ; SWITCH ON(SIV) ; System Integrity Violation Scanner

Uncommenting this line sets the OPTIONS statement parameter SIVSCANNER, which enables the SIV scanner. For more information, see OPTIONS-statement.

Running the SIV scanner manually

To run the SIV scanner manually, issue the following MODIFY command to the BMC AMI Datastream for z/OS address space.

F czagentName,$ZINTEG,SCAN

For more information, see "MODIFY command for System Integrity Violation (SIV) scanner" in the MODIFY-command topic.
