Uploaded by duongthu, posted 13-May-2018


Page 1: Vanguard Active Alerts™ - Vanguard Integrity Professionals · ©2016 Vanguard Integrity Professionals, Inc. A Brief History •Originated as a feature of Vanguard Advisor™ in

Vanguard Active Alerts™

Jim McNeill

Sr Consultant

Page 2

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada: Vanguard Administrator, Vanguard Advisor, Vanguard Analyzer, Vanguard SecurityCenter, Vanguard SecurityCenter for DB2, Vanguard Offline, Vanguard Cleanup, Vanguard PasswordReset, Vanguard Authenticator, Vanguard inCompliance, Vanguard IAM, Vanguard GRC, Vanguard QuickGen, Vanguard Active Alerts, Vanguard Configuration Manager, Vanguard Configuration Manager Enterprise Edition, Vanguard Policy Manager, Vanguard Enforcer, Vanguard ez/Token, Vanguard Tokenless Authenticator, Vanguard ez/PIV Card Authenticator, Vanguard ez/Integrator, Vanguard ez/SignOn, Vanguard ez/Password Synchronization, Vanguard Security Solutions, Vanguard Security & Compliance, Vanguard zSecurity University.

Page 3

Trademarks

The following are trademarks or registered trademarks of the International Business Machines Corporation: CICS, CICSPlex, DB2, eServer, IBM, IBM z, IBM z Systems, IBM z13, S/390, System z, System z9, System z10, System/390, VTAM, WebSphere, z Systems, z9, z10, z13, z/Architecture, z/OS, z/VM, zEnterprise, IMS, MQSeries, MVS, NetView, OS/390, Parallel Sysplex, RACF, RMF.

Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product, and service names may be trademarks or service marks of others.

Page 4

Topics

• A Brief History
• What are Vanguard Active Alerts™?
• Which Alerts are Available?
• Which Alerts are Active?
• Who will receive which Alerts?
• Masking for Alerts
• Customizing the Email Notices
• Setting up the Started Tasks
• Migration

Page 5

A Brief History

• Originated as a feature of Vanguard Advisor™ in the late 1990s
• Alerts were added to Vanguard Enforcer™ in 2002
• Over time the two sets of alerts diverged
  – Some alerts in Vanguard Advisor™ only
  – Some alerts in Vanguard Enforcer™ only
• In VSS 2.1 the alerts were consolidated
  – Packaged as a new product
  – The datecode for Vanguard Advisor™ or Vanguard Enforcer™ will work
  – Can be used standalone with its own datecode

Page 6

A Brief History - VANOPTS members

Vanguard Advisor™   Vanguard Enforcer™   Vanguard Active Alerts™
-----------------   ------------------   -----------------------
RFxxxTXT            EAxxxTXT             AAxxxTXT
VRSOPT00            VEAOPT00             VAAOPT00
VSREAL00            VEAEAL00             VAAEAL00
VSRRTNxx            VEARTNxx             VAARTNxx
EMAILOPT            EMAILOPT             EMAILOPT
EMAILLST            EMAILLST             EMAILLST

EMAILOPT and EMAILLST are shared by ALL products.

Page 7

What are Active Alerts?

• The ability to be notified immediately when a security event or a combination of events occurs.
• Notification can be:
  – SNMP (listeners)
  – EMAIL
  – WTO

Page 8

Which Alerts are Available

• Violation Notices and 16 others
• Immediate notifications sent when certain events occur (within 30-60 seconds)
• Requires 2 Started Tasks to be running
  – VAAJTASK
  – VAAJRTN
• Must be run on each LPAR
• Requires an SMTP server somewhere in your NJE network (for email)

Page 9

Which Alerts are Available

• Violation Notices
  – An email will be sent for selected violations. Notices are sent based on 6 selection criteria; one or more emails can be sent per violation.
    • User
    • Group
    • Jobname
    • Profile mask
    • Owner
    • Dataset mask

Page 10

Which Alerts are Available

• Active Alert 1 – RACF® command text is scanned and an email is sent if an Add User profile (ADDUSER or AU) or an Alter User profile (ALTUSER or ALU) command was issued with OPERATIONS, SPECIAL, AUDITOR, UID(0) or NOPASS.

• Active Alert 2 – RACF command text is scanned and an email is sent if a Connect (CONNECT or CO) command was issued with OPERATIONS, SPECIAL or AUDITOR, or with CREATE, CONNECT or JOIN via the AUTHORITY parameter.

Page 11

Which Alerts are Available

• Active Alert 3 – RACF command text is scanned and an email is sent if an Add Data Set profile (ADDSD or AD) or an Alter Data Set profile (ALTDSD or ALD) command was issued with a UACC of ALTER, CONTROL, or UPDATE.

• Active Alert 4 – RACF command text is scanned and an email is sent if an Add Data Set profile (ADDSD or AD) or an Alter Data Set profile (ALTDSD or ALD) command was issued with a UACC of READ, ALTER, CONTROL, or UPDATE.

Page 12

Which Alerts are Available

• Active Alert 5 – Mimics Violation Notices, except it looks for warnings. An Active Alert 5 can be thought of as a "Warning Notice".

• Active Alert 6 – Intrusion Detection will send an email whenever a single userid experiences n logon failures due to an invalid password within t minutes or seconds, where n and t are values specified in the options file.

Page 13

Which Alerts are Available

• Active Alert 7 – Password Recycling will send an email whenever a single userid has its password changed more than n times in t minutes or seconds, where n and t are values specified in the options file.

• Active Alert 8 – By default, sent whenever any SETROPTS command is issued or any RVARY command (except LIST) is issued.
  – Alternatively, sent for any command matching an enhanced masking pattern or patterns specified by the user.
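The n-within-t counting behind Alert 6 (logon failures) and Alert 7 (password changes), written out as an added example; this is not code from the deck or the product, the event sample is constructed, and the per-userid sliding window with a reset after each notice is this example's assumption about how the threshold is applied.

```python
from collections import defaultdict, deque

# Constructed sample events: (userid, seconds since midnight). They stand in
# for the SMF records VAAJTASK would collect; they are not product records.
LOGON_FAILURES = [
    ("JIMM", 0), ("DICKM", 10), ("JIMM", 20), ("JIMM", 35), ("JIMM", 50),
    ("DICKM", 400), ("JIMM", 700), ("JIMM", 710), ("DICKM", 800),
]

def threshold_alerts(events, n, t):
    """Return (userid, timestamp) pairs at which a userid accumulates n events
    within t seconds. This mirrors the n/t options the deck describes for
    Alert 6 and Alert 7; the per-userid sliding window and the reset after
    each alert are this example's assumptions, not the product's logic."""
    windows = defaultdict(deque)   # userid -> timestamps inside the window
    alerts = []
    for userid, ts in sorted(events, key=lambda e: e[1]):
        window = windows[userid]
        window.append(ts)
        # Age out events more than t seconds older than the current one.
        while ts - window[0] > t:
            window.popleft()
        if len(window) >= n:
            alerts.append((userid, ts))
            window.clear()   # one burst produces one notice
    return alerts

def alert6(events, n, t):
    """Alert 6: n logon failures for one userid within t seconds."""
    return threshold_alerts(events, n, t)

def alert7(events, n, t):
    """Alert 7: a userid's password changed MORE THAN n times in t seconds."""
    return threshold_alerts(events, n + 1, t)

if __name__ == "__main__":
    for userid, ts in alert6(LOGON_FAILURES, 3, 60):
        print(f"ALERT 6: {userid} had 3 logon failures within 60s (at {ts}s)")
```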

Page 14

Which Alerts are Available

• Active Alert 9 – Lost SMF will send an email whenever an “SMF Data Lost” record is detected in the SMF data stream, signaling the loss of potentially critical SMF logging data.

• Active Alert 10 – Auto revoke will send an email whenever a userid is revoked due to too many invalid password attempts.

Page 15

Which Alerts are Available

• Active Alert 11 – “Firecall id” usage will send an email if a userid is activated (logon, started task initialization, batch job, etc.). The user can specify selection criteria to specify the userids to be reported on or ignored.

• Active Alert 12 – Intrusion detection via Vanguard ez/SignOn™.

Page 16

Which Alerts are Available

• Active Alert 13 – An Active Alert is sent when access to a resource is attempted, regardless of the success. A Resource and Access by Userid Detail Report is executed. You can specify any masking criteria available for this report in a RTNAA13(xx) member to narrow the scope of the Active Alert.

• Active Alert 14 – An Active Alert message will be sent when the REVOKE operand is present and either a RACF ALTUSER or RACF CONNECT command is issued. An administrator can specify filters to select events to be processed by specifying the RTNAA14(xx) parameter in VAAOPT00.

Page 17

Which Alerts are Available

• Active Alert 15 – An Active Alert is sent when a member of a library (PDS or PDSE) is added, deleted, renamed or replaced. An administrator can specify filters to select events to be processed by specifying the RTNAA15(xx) parameter in VAAOPTxx.

• Active Alert 16 – An Active Alert is sent when a DB2® audited table is altered, created or dropped. An administrator can specify filters to select events to be processed by specifying the RTNAA16(xx) parameter in VAAOPTxx.

Page 18

Which Alerts are Active

Page 19

Who will receive which Alerts

• Alerts 1 – 4 and 6 – 16 have individual addresses
• Violation notices and Warn notices (Alert 5) – you can send one or more notices per event
  – Multiple criteria available

Page 20

Who will receive which Alerts

Page 21

Who will receive which Alerts

Up to 6 criteria for Violation notices and Warn notices:
  3 based on who caused the Violation
  3 based on what resource was Violated

USERID(1-8 CHARACTERS)      EMAILADDR(1-60 CHARACTERS)
GROUP(1-8 CHARACTERS)       EMAILADDR(1-60 CHARACTERS)
JOBNAME(1-8 CHARACTERS)     EMAILADDR(1-60 CHARACTERS)
OWNER(1-8 CHARACTERS)       EMAILADDR(1-60 CHARACTERS)
DATASET(1-44 CHARACTERS)    EMAILADDR(1-60 CHARACTERS)
PROFNAME(1-44 CHARACTERS)   EMAILADDR(1-60 CHARACTERS)
NOMATCH                     EMAILADDR(1-60 CHARACTERS)

Page 22

Who will receive which Alerts

In the VANOPTS data set member VSREAL00 for Violation Notices and Active Alert 5:

SELECTBY(USERID,DATASET,OWNER)
USERID(AB*)        EMAILADDR([email protected])
USERID(*)          EMAILADDR([email protected])
OWNER(VANGUARD)    EMAILADDR([email protected])
DATASET(PAYROLL*)  EMAILADDR([email protected])
DATASET(*)         EMAILADDR([email protected])
DATASET(OS*)       EMAILADDR([email protected])
NOMATCH            EMAILADDR([email protected])

In VSROPT00, the keyword SENDALLEMAIL(YES|NO) determines if multiple emails will be sent.
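How a violation event would be routed by a member like the one above, as an added example that is not code from the deck or the product. The member text and addresses are constructed (the slide's addresses were obfuscated in the transcript), and the semantics of SELECTBY, the * wildcard, SENDALLEMAIL and NOMATCH are this example's assumptions rather than the product manual's definitions.

```python
import fnmatch
import re

# Constructed VSREAL00-style member laid out like the slide. The addresses are
# placeholders: the slide's real addresses were obfuscated in the transcript.
VSREAL00 = """
SELECTBY(USERID,DATASET,OWNER)
USERID(AB*)        EMAILADDR(ab-team@example.invalid)
USERID(*)          EMAILADDR(all-users@example.invalid)
OWNER(VANGUARD)    EMAILADDR(vanguard-owner@example.invalid)
DATASET(PAYROLL*)  EMAILADDR(payroll@example.invalid)
DATASET(*)         EMAILADDR(all-datasets@example.invalid)
DATASET(OS*)       EMAILADDR(os-admins@example.invalid)
NOMATCH            EMAILADDR(fallback@example.invalid)
"""

ENTRY = re.compile(r"^(\w+)(?:\(([^)]*)\))?\s+EMAILADDR\(([^)]+)\)$")

def parse_vsreal(text):
    """Return (selectby, rules, nomatch) from a member in the slide's layout."""
    selectby, rules, nomatch = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("SELECTBY(") and line.endswith(")"):
            selectby = line[len("SELECTBY("):-1].split(",")
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line}")
        key, mask, addr = m.groups()
        if key == "NOMATCH":
            nomatch = addr
        else:
            rules.append((key, mask, addr))
    return selectby, rules, nomatch

def route(event, selectby, rules, nomatch, sendallemail):
    """Addresses for one violation event (dict keyed USERID, DATASET, OWNER,
    GROUP, JOBNAME, PROFNAME). Assumed semantics, not taken from the manual:
    only criteria named in SELECTBY are consulted, * is a wildcard,
    SENDALLEMAIL(YES) returns every matching entry, SENDALLEMAIL(NO) stops at
    the first, and NOMATCH is used only when nothing matched."""
    hits = []
    for key, mask, addr in rules:
        if key in selectby and fnmatch.fnmatchcase(event.get(key, ""), mask):
            hits.append(addr)
            if not sendallemail:
                break
    if not hits and nomatch:
        hits.append(nomatch)
    return hits

def route_member(event, text, sendallemail=True):
    """Convenience: parse the member and route one event through it."""
    return route(event, *parse_vsreal(text), sendallemail)
```

Note that with a catch-all entry such as USERID(*) in SELECTBY, the NOMATCH address is only ever used for events that carry no userid.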

Page 23

Masking for Alerts

In VAAOPT00:
  RTNVIOLATIONS(01)
  RTNAA5(05)

In VAARTN01:
  (USERID EQ DICKM* OR USERID EQ JIM*) AND (DATASET EQ SYS1*)

In VAARTN05:
  (DATASET EQ PAYROLL* OR DATASET EQ SYS1.*)

Page 24

Masking for Alerts

Page 25

Customizing the Email Notices

• You control what the notice looks like
• Variables from the SMF record are available
• Blank lines for readability

Page 26

Customizing the Email Notices

Page 27

Customizing the Email Notices

Page 28

Customizing the Email Notices

Page 29

Customizing the Email Notices

Page 30

Setting up the Started Tasks

• VAAJTASK
  – Collection task
  – Writes SMF records to a wrap-around data space
  – Selects which records to collect
• VAAJRTN
  – Notification task
  – Creates and sends the notices

Page 31

Setting up the Started Tasks

• Customize the JCL and put it in PROCLIB
• Select options in VAAOPT00
• Set up Started Class profiles
  – STCIDs need READ to VANOPTS
  – STCIDs need READ to VANLOAD
• Start VAAJTASK, then VAAJRTN

Page 32

Migration

• In VANSAMP:
  – VAACVEA converts Vanguard Enforcer™ alerts to VAA alerts
  – VAACVSR converts Vanguard Advisor™ alerts to VAA alerts
• These 2 utilities read the old members of VANOPTS and create the new VAA members.
• At some point in the future, support for Vanguard Enforcer™ and Vanguard Advisor™ active alerts will be withdrawn. That date has not been announced yet.

Page 33

Summary

• You control everything
  – Which alerts
  – Format of the alert
  – Who receives the alerts
• Questions?

Page 34

Vanguard zSecurity University™

Dates               Course                                                          Credit   Length   Location
May 23 – May 26     Basics of RACF Administration                                   24 CPE   4 days   Online
June 1 – June 3     RACF Security for z/OS Applications – ALL MODULES               18 CPE   3 days   Online
June 1              RACF Security for z/OS Applications – MODULE 1 – RACF for DB2   6 CPE    1 day    Online
June 2 – June 3     RACF Security for z/OS Applications – MODULE 2 – RACF for CICS  12 CPE   2 days   Online
June 6 – June 9     Beyond RACF Basics                                              24 CPE   4 days   Online
June 13 – June 15   Auditing z/OS and RACF                                          18 CPE   3 days   Online
June 21 – June 24   Beyond RACF Basics                                              24 CPE   4 days   Jacksonville, FL
June 27 – June 30   Basics of RACF Administration                                   24 CPE   4 days   Online

Register to attend a course, or to get more information: http://www.go2vanguard.com/training

Don’t forget that all of the Vanguard zSecurity University™ courses are eligible for CPE Credits.

Customer Savings: Special Discounts for Software Customers and VSC 2016 Attendees

Page 35

To register for a webinar or training course:

go2vanguard.com Select - Training

Vanguard zSecurity University™


