When your system is vulnerable and possibly under
attack, your first indications may come from the following sources:
Reports from users
System monitoring, for
Unexplained changes or
behavior in applications or normal processes
Unexplained messages from
OPCOM or the audit server
Unexplained changes to
user accounts in the system authorization database (privilege changes,
protections, priorities, quotas)
Reports from Users
User observations frequently point to system security
problems. A user may contact you with the following situations:
Files are missing.
There are unexplained
forms of last login messages, such as successful logins the user did
not perform or unexplained login failures.
A user cannot log in,
suggesting the user password might have been changed since the last
successful login or some other form of tampering has occurred.
Break-in evasion appears
to be in effect, and the user cannot log in.
Reports from the SHOW
USERS command indicate that the user is logged in on another terminal
when the user did not do so.
A disconnected job message
appears during a login for a process the user never initiated.
Files exist in the user's
directories that the user did not create.
Unexplained changes have
been found in the protection or ownership of user files.
Listings appear that are
generated under the user name without the user requesting the listing.
A sudden reduction occurs
in the availability of resources, such as dialup lines.
Follow up promptly when one of these items is
reported to you. You must confirm or deny that the condition exists.
If you find the complaint is valid, seek a cause and solution.
Monitoring the System
“Ongoing Tasks to Maintain a Secure System” lists those tasks that can help you
detect potential security breaches on your system. The following list
details possible warning signs you may uncover while performing the
A user appears on the
SHOW USERS report that you know could not be currently logged in.
You observe an unexplained
change in the system load or performance.
You discover media or
program listings are missing or notice other indications that physical
security has degraded.
Your locked file cabinet
has been tampered with, and the list of authorized users has disappeared.
You find unfamiliar software
in the system executable image library [SYSEXE] or in [SYSLIB].
You observe unfamiliar
images running when you examine the MONITOR SYSTEM report.
You observe unauthorized
user names when you enter the DCL command SHOW USER. When you examine
the listing that the Authorize utility (AUTHORIZE) produces with the
SHOW command, you find that those users have been given system access.
You discover proxy users
that you never authorized.
The accounting report
reveals unusual amounts of processing time expended recently, suggesting
You observe unexplained
batch jobs on the batch queues.
You observe unexpected
device allocations when you enter the SHOW DEVICE command.
You observe a high level
of processing activity at unusual hours.
The protection codes or
the access control lists (ACLs) change on critical files. Identifiers
are added, or holders of identifiers are added to the rights list.
There is high personnel
turnover or low morale.
All these conditions warrant further investigation.
Some indicate that you already have a problem, and some may have simple
explanations, while others may indicate serious potential problems.