Auditing a Multilevel Secure System

An MLS system must create, maintain, and protect the audit records for all accesses to protected objects. Determine which security events to audit.
Security Events
The following events must always be audited in an MLS system:
  • Use of identification and authentication mechanisms
  • Introduction of objects into a user's address space
  • Deletion of objects from a user's address space
  • System access
  • Use of privileges
CA Top Secret creates records in the Audit/Tracking File or SMF data sets when:
  • A user attempts to sign on or access the JES system and CA Top Secret rejects or allows the access for any reason
  • A user with the AUDIT attribute set in his acid record accesses the system
  • A user with the TRACE attribute set in his acid record accesses a data set or resource
  • A user attempts to access a data set or resource and it is denied or allowed by CA Top Secret
  • A user accesses a data set or resource and CA Top Secret is instructed to log the access due to a system option or permit entry
  • An account manager adds, modifies, or deletes an acid record
  • An operator issues a MODIFY TSS command, and each time he stops or starts CA Top Secret
  • Security labels are added, updated or removed
  • A subject attempts to access an object
  • An administrator creates, updates, or deletes MLS-related records
  • A job, STC, or TSO session tries to enter the system
  • A security label violation occurs during processing of a RACROUTE REQUEST=DIRAUTH call
  • A “trusted” user enters the system or is allowed access to a resource during MAC label dominance checking
  • A user accesses a resource, both the user and the resource have a seclabel, and seclabel auditing is set 'on' on either seclabel
Audit Access to Resources
Any resource, specific resources, or all those matching a generic prefix, can be audited. All access attempts are recorded in the Audit/Tracking File and/or the SMF datasets.
To audit accesses, enter:
TSS ADD(AUDIT) resource(resource-name)
Audit by Seclabel
You can audit individual seclabels (except for SYSHIGH, SYSLOW, SYSNONE, and SYSMULTI). To specify the auditing, use the keyword MLAUDIT and specify an access type. To audit a seclabel with no specific access type, enter ALL.
TSS ADD(MLS) SECLABEL(LABEL1) MLAUDIT(READ,UPDATE) SECLEVEL(10)
The following access types are allowed:
READ, CREATE, WRITE, CONTROL, UPDATE, SCRATCH, FETCH, ALTER, and ALL.
Any other access type entered defaults to READ.
To activate the auditing feature on the seclabels, set the control option MLSECAUD to YES.
TSS MODIFY(MLSECAUD(YES))
Auditing every security label in the system severely degrades performance and is therefore not recommended.
To see the SMF records cut from the seclabel auditing, run TSSUTIL and specify the long report or run TSSTRACK. The seclabels involved in the event are displayed and the record is marked with +A (audited event). The audited seclabel(s) are marked with an “*”.
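The rules in this section (the excluded system seclabels, the default to READ for any other access type, and the MLSECAUD activation step) can be checked before a command script is submitted. The following is an added example, not CA Top Secret code: a Python lint over a text file of TSS commands. The name lint_mlaudit, the one-command-per-line layout without continuation, and the constructed sample commands (LABEL2, DELETE) are assumptions.

```python
import re

# From the page: valid MLAUDIT access types, and the seclabels that
# are excluded from individual seclabel auditing.
VALID_ACCESS = {"READ", "CREATE", "WRITE", "CONTROL", "UPDATE",
                "SCRATCH", "FETCH", "ALTER", "ALL"}
SYSTEM_LABELS = {"SYSHIGH", "SYSLOW", "SYSNONE", "SYSMULTI"}
KEYWORD = re.compile(r"([A-Z]+)\(([^()]*)\)")  # KEYWORD(value) pairs
ACTIVATE = re.compile(r"MODIFY\(\s*MLSECAUD\(\s*YES\s*\)\s*\)")

# Constructed sample script (assumption: one command per line).
SAMPLE = """\
TSS ADD(MLS) SECLABEL(LABEL1) MLAUDIT(READ,UPDATE) SECLEVEL(10)
TSS ADD(MLS) SECLABEL(LABEL2) MLAUDIT(DELETE) SECLEVEL(20)
TSS ADD(MLS) SECLABEL(SYSHIGH) MLAUDIT(ALL)
"""


def lint_mlaudit(script):
    """Return a list of findings for a script of TSS commands."""
    findings = []
    audited = activated = False
    for lineno, raw in enumerate(script.splitlines(), 1):
        line = raw.strip().upper()
        if not line.startswith("TSS "):
            continue
        if ACTIVATE.search(line):
            activated = True
            continue
        kw = dict(KEYWORD.findall(line))
        if "MLAUDIT" not in kw:
            continue
        audited = True
        label = kw.get("SECLABEL", "").strip()
        if label in SYSTEM_LABELS:
            findings.append(f"line {lineno}: {label} is excluded from seclabel auditing")
        for acc in kw["MLAUDIT"].split(","):
            if acc.strip() not in VALID_ACCESS:
                findings.append(
                    f"line {lineno}: access type {acc.strip()!r} defaults to READ")
    if audited and not activated:
        findings.append("MLAUDIT is set but MLSECAUD(YES) is never issued")
    return findings


if __name__ == "__main__":
    for finding in lint_mlaudit(SAMPLE):
        print(finding)
```

The second sample line is the case worth catching in review: the command names an access type outside the allowed list, so auditing falls back to READ rather than the access the administrator intended to record.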
Report Generation
The CA Top Secret reports and utilities audit the activity on your system. They let you format the Audit/Tracking File or SMF records used to obtain user responses and reactions to controls enforced by CA Top Secret.
The available reports are:
  • TSSUTIL
    Batch report of any security related events that have been logged to the Audit/Tracking File and/or SMF. Multiple and varied reports can be produced and events can be archived to tape/DASD.
  • TSSTRACK
    This utility can be used to monitor security related events from an online terminal in a real-time manner. It also can go back to a specified date and time to focus on selected events.
  • TSSAUDIT
    This batch utility monitors changes made to the Security File and sensitive z/OS facilities and data areas.
  • TSSCHART
    This utility lets you generate the ACIDs and owned resource relationships within the CA Top Secret database in the form of an organization chart.
  • TSSSIM
    This utility enables the simulation of access attempts to resources to test and verify resource permissions. It can aid an auditor in deciding whether or not users should have access to particular resources.
  • TSSCFILE
    This utility produces a fixed-format output file whose records closely parallel the output of a TSS LIST command. The output can then be used to generate custom reports.
  • TSSOERPT
    The z/OS UNIX System Services (UNIX) report identifies user activity in a USS environment. CA Top Secret logs security events under USS to SMF using the standard CA Top Secret SMF record. Log records are written for any security event that denies the user access to a USS facility. This report includes the UID, GID, and security label of the user involved in the attempted access as well as the security label of the resource in the attempted access.
  • CA Earl®
    CA Earl allows you to run the CA Top Secret reports. This gives you the capability of generating customized reports to accommodate local installation requirements.
Reports for Auditing
In all cases, the records in a given CA Top Secret report can be affected by:
  • The report generator JCL, which has parameter fields that enable you to specify various options and selection criteria
  • The actual Audit/Tracking File and/or SMF data sets used for input
  • The authorities of the user who ran the report
When you review the reports:
  • Include all proper inputs
  • Make sure that the selection parameters do not inappropriately exclude important records, such as records from a certain time period or for certain data set names or acids
  • Remember that various system options and the use of exits can affect the data that is or is not included in the report
Part of the CA Top Secret audit should be directed to review the normal processing of the CA Top Secret reports. Verify that the reports are produced regularly and that they include all appropriate records. The timely and proper use of the CA Top Secret reports is an important aspect of internal controls and should be carefully reviewed. The CA Top Secret report generators can also be executed at z/OS MVS/TSO sites by means of the CA Top Secret ISPF panels.
Report Execution
In general, you can execute the CA Top Secret reports with:
  • JCL supplied with CA Top Secret. The CA Top Secret distribution tape provides a prototype JCL procedure that you can use to generate CA Top Secret reports. The SAMPJCL file contains the JCL.
  • ISPF panels. With these panels, you can create a report generator online and have the results displayed on your terminal screen.
  • CA Top Secret utilities through the TSO CALL command
Vulnerabilities of Misused Audit Privileges
The potential for misuse or abuse by an auditor includes:
  • The auditor may lose audit log consistency due to failure to audit required events.
  • The auditor's actions may cause loss of privilege to audit files or loss of privacy due to misuse of audit file privileges (shared access with unauthorized users).
  • The auditor may deny service to administrative and other users. For example, the auditor may turn on the audit of a user action while processes of that user are already in execution. This may cause a large number of inconsistent or unusable events to be written, filling up the audit logs. Auditor inaction in emptying audit logs may cause the system to stop.