Using the System Integrity Violation scanner
(SPE2101) The System Integrity Violation (SIV) scanner identifies system settings that might be vulnerable to an outside attack. When an anomaly is found, the SIV scanner generates and passes messages to the BMC AMI Command Center for Security.
(SPE2107) The SIV scanner also scans Supervisor Calls (SVCs) to identify SVC intercepts. The SIV scanner detects when SVCs change, verifies that the expected SVC type matches the actual SVC type, and verifies that each SVC resides in the storage location expected for its type. For example, SVC types 1, 2, and 6 should reside in the z/OS nucleus, while SVC types 3 and 4 should reside in the Link Pack Area (LPA).
The advantage of using the SIV scanner to monitor SVCs is that, while SVC intercepts are a normal part of operations for many products, an unexpected SVC intercept is difficult to detect manually when there are 255 SVCs to watch.
The SIV scanner runs at the following times:
- Whenever there is an address space startup
- Every day at midnight
- When it is notified of SAF security system (RACF, ACF/2, TopSecret) changes
Whenever there are SAF changes, all address spaces that have registered interest in these changes are notified through the z/OS Event Notification Facility (ENF) function 79.
Enabling the SIV scanner
The SIV scanner is disabled by default.
To enable the SIV scanner
- Open the $$$CONFG member.
- Delete the semicolon preceding SWITCH ON(SIV) to uncomment the option. As shipped, the line reads:
  ; SWITCH ON(SIV) ; System Integrity Violation Scanner
Uncommenting this line sets the SIVSCANNER parameter of the OPTIONS statement, which enables the SIV scanner. For more information, see OPTIONS-statement.
Running the SIV scanner manually
To run the SIV scanner manually, issue the following MODIFY command to the BMC AMI Defender for z/OS address space.
F czagentName,$ZINTEG,SCAN
For more information, see MODIFY command for System Integrity Violation (SIV) scanner in the MODIFY-command topic.
Sample messages
The messages that the SIV scanner generates and passes to BMC AMI Command Center for Security in response to identified vulnerabilities are grouped into several categories.
Sensitive Data Set Violation (SDV) messages
The following messages begin with the prefix SDV. The fileType parameter can be APF List, Linklist, Parmlib, or Proclib.
Number | Message | Description |
---|---|---|
SDV1000I | fileType data set DSN=dataSetName does not have a fully qualified generic profile | The data set does not have a specific SAF security profile controlling access to it. |
SDV1001I | fileType data set DSN=dataSetName found with inappropriate audit settings | The SAF security profile for the data set does not require audit reporting of failed access attempts. |
SDV1002I | fileType data set DSN=dataSetName found with UACC > NONE | The data set has a SAF security profile with some level of universal access. |
SDV1003I | fileType data set DSN=dataSetName found with ID(*) > NONE | The data set has a SAF security profile with some level of universal access. |
SDV1004I | fileType data set DSN=dataSetName found with WARNING attribute | The data set has a SAF security profile in WARNING mode, which allows access that would otherwise fail with an error or abend. |
SDV1005I | Uncatalogued fileType data set DSN=dataSetName found | The data set is not catalogued on the correct volume. |
Sensitive Data Set Violation Total (SDT) messages
The following messages begin with the prefix SDT:
Number | Message | Description |
---|---|---|
SDT1000I | count Sensitive data sets protected by non fully-qualified generic profiles | The total number of sensitive data sets that do not have a fully qualified security profile. |
SDT1001I | count Sensitive data sets found with inappropriate audit settings | The total number of sensitive data sets with a security profile that does not require audit reporting of failed access attempts. |
SDT1002I | count Sensitive data sets found with UACC > NONE | The total number of sensitive data sets found with UACC > NONE. |
SDT1003I | count Sensitive data sets found with ID(*) > NONE | The total number of sensitive data sets found with ID(*) > NONE. |
SDT1004I | count Sensitive data sets found with WARNING attribute | The total number of sensitive data sets found with the WARNING attribute. |
SDT1005I | count Uncatalogued sensitive data sets found | The total number of sensitive data sets that are not catalogued on the correct volume. |
SVC Warning Condition (SWC) messages
The following messages begin with the prefix SWC:
Number | Message | Description |
---|---|---|
SWC1000I | SVC SVCNumber SVCDescription. Type SVCType SVC expected to be in memoryLocation. Found at SVCAddress | Based on the SVC type, the SVC number was expected to be in either the Nucleus or the LPA, but it is not there. The memory address at which the SVC was found is displayed. |
SWC1001I | SVC SVCNumber SVCDescription modified. Old Address=oldSVCAddress New Address=newSVCAddress | The SVC address was modified. The old and new SVC addresses are displayed. |
SWC1002I | Suspicious data data located in ASID ASIDNumber field ASCBMCC | A non-zero value was found. The ASCBMCC field should be 0 for the specified ASID. |
SWC1003I | SVC SVCNumber SVCDescription Type SVCType SVC expected. Found type SVCType SVC at SVCAddress | An IBM-supplied SVC (0–199) was expected to be of SVCType, but a different type was found. |
Severe Warning Violation (SWV) messages
The following messages begin with the prefix SWV:
Number | Message | Description |
---|---|---|
SWV2001I | CICS region jobName has SEC=NO on lparName | The CICS region has security checking disabled. |
SWV2002I | DB2 region db2ID does not have AUTH=Yes on lparName | The Db2 system has security checking disabled. |
SWV2003I | IMS region imsID does not have ISIS=R/A on lparName | The IMS system has security checking disabled. |
SWV2004I | MQ region mqID "componentType" security is disabled | Security for an MQ component is disabled. The components checked are Subsystem, QMGR, QSG, Command, Connection, Context Process, Namelist, Queue, Topic, and Command Resources. |
SWV2005I | IKJTSOxx/AUTHTSF configuration is vulnerable to a full penetration attack | IDCAMS is allowed to run in an authorized state under a TSO session. |
SWV2006I | DIAGxx/ALLOWUSERKEYCSA(YES) configuration is vulnerable to a full penetration attack | Unauthorized programs can allocate or deallocate common storage. |
SWV2007I | Program=programName has "PRIVILEGED" specified in the Program Properties Table (PPT) | The job step executing this program is automatically put into an elevated Workload Manager (WLM) service class (SYSSTC). |
SWV2008I | Program=programName has "BYPASS PASSWORD PROTECTION" specified in the Program Properties Table (PPT) | The program can bypass security protection (password protection and RACF). |
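The following Python parser is an added example, not code from the BMC documentation or product: it recognizes the message layouts in the four tables above, so that SIV findings forwarded to a log collector can be split into fields and counted per family, and it applies the SVC residence rule stated at the top of the page (types 1, 2 and 6 in the nucleus; types 3 and 4 in the LPA). The sample log lines, data set names, SVC numbers and addresses are constructed, and the regex group names are this example's own.

```python
import re

# SVC residence rule from this page: types 1, 2, 6 belong in the nucleus; 3, 4 in the LPA.
EXPECTED_SVC_LOCATION = {1: "Nucleus", 2: "Nucleus", 6: "Nucleus", 3: "LPA", 4: "LPA"}

# One pattern per message layout documented above; group names are chosen for this example.
PATTERNS = [
    re.compile(r"^(?P<id>SDV\d{4}I) (?:Uncatalogued )?(?P<fileType>APF List|Linklist|Parmlib|Proclib)"
               r" data set DSN=(?P<dsn>\S+)"),
    re.compile(r"^(?P<id>SDT\d{4}I) (?P<count>\d+) "),
    re.compile(r"^(?P<id>SWC1000I) SVC (?P<svc>\d+) (?P<desc>.+?)\. Type (?P<svcType>\d) SVC expected"
               r" to be in (?P<expected>Nucleus|LPA)\. Found at (?P<addr>[0-9A-Fa-f]+)"),
    re.compile(r"^(?P<id>SWC1001I) SVC (?P<svc>\d+) (?P<desc>.+?) modified\."
               r" Old Address=(?P<old>[0-9A-Fa-f]+) New Address=(?P<new>[0-9A-Fa-f]+)"),
    re.compile(r"^(?P<id>SWV\d{4}I) .*?(?: on (?P<lpar>\S+))?$"),
]

# Constructed sample lines in the documented layouts (names, numbers and addresses are made up).
SAMPLE_LOG = """\
SDV1002I APF List data set DSN=SYS1.LINKLIB found with UACC > NONE
SDV1005I Uncatalogued Parmlib data set DSN=SYS2.PARMLIB found
SDT1002I 3 Sensitive data sets found with UACC > NONE
SWC1000I SVC 110 SAMPLE SVC. Type 3 SVC expected to be in LPA. Found at 00FE1234
SWC1001I SVC 200 SAMPLE USER SVC modified. Old Address=00A1B2C0 New Address=1A2B3C40
SWV2001I CICS region CICSPRD1 has SEC=NO on LPARA
IEF403I SOMEJOB - STARTED"""

def parse_siv_message(line):
    """Return the message ID, family (SDV/SDT/SWC/SWV) and named fields, or None for a non-SIV line."""
    for pat in PATTERNS:
        m = pat.match(line.strip())
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            fields["family"] = fields["id"][:3]
            return fields
    return None

def svc_residence_ok(svc_type, location):
    """Apply the page's rule: does an SVC of this type belong in the area where it was found?"""
    return EXPECTED_SVC_LOCATION.get(svc_type) == location

def triage(lines):
    """Count parsed messages per family; SWC and SWV findings are the ones to act on first."""
    counts = {}
    for line in lines:
        if msg := parse_siv_message(line):
            counts[msg["family"]] = counts.get(msg["family"], 0) + 1
    return counts
```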