When your system is vulnerable and possibly under attack, your first indications may come from the following sources:
Reports from users
System monitoring, for example:
Unexplained changes or behavior in applications or normal processes
Unexplained messages from OPCOM or the audit server
Unexplained changes to user accounts in the system authorization database (privilege changes, protections, priorities, quotas)
Reports from Users
User observations frequently point to system security problems. A user may contact you with the following situations:
Files are missing.
There are unexplained forms of last login messages, such as successful logins the user did not perform or unexplained login failures.
A user cannot log in, suggesting the user password might have been changed since the last successful login or some other form of tampering has occurred.
Break-in evasion appears to be in effect, and the user cannot log in.
Reports from the SHOW USERS command indicate that the user is logged in on another terminal when the user did not do so.
A disconnected job message appears during a login for a process the user never initiated.
Files exist in the user's directories that the user did not create.
Unexplained changes have been found in the protection or ownership of user files.
Listings appear that are generated under the user name without the user requesting the listing.
A sudden reduction occurs in the availability of resources, such as dialup lines.
Follow up promptly when one of these items is reported to you. You must confirm or deny that the condition exists. If you find the complaint is valid, seek a cause and solution.
Monitoring the System
Ongoing Tasks to Maintain a Secure System lists those tasks that can help you detect potential security breaches on your system. The following list details possible warning signs you may uncover while performing the recommended tasks:
A user appears on the SHOW USERS report that you know could not be currently logged in.
You observe an unexplained change in the system load or performance.
You discover media or program listings are missing or notice other indications that physical security has degraded.
Your locked file cabinet has been tampered with, and the list of authorized users has disappeared.
You find unfamiliar software in the system executable image library [SYSEXE] or in [SYSLIB].
You observe unfamiliar images running when you examine the MONITOR SYSTEM report.
You observe unauthorized user names when you enter the DCL command SHOW USER. When you examine the listing that the Authorize utility (AUTHORIZE) produces with the SHOW command, you find that those users have been given system access.
You discover proxy users that you never authorized.
The accounting report reveals unusual amounts of processing time expended recently, suggesting outside access.
You observe unexplained batch jobs on the batch queues.
You observe unexpected device allocations when you enter the SHOW DEVICE command.
You observe a high level of processing activity at unusual hours.
The protection codes or the access control lists (ACLs) change on critical files. Identifiers are added, or holders of identifiers are added to the rights list.
There is high personnel turnover or low morale.
All these conditions warrant further investigation. Some indicate that you already have a problem, and some may have simple explanations, while others may indicate serious potential problems.
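Several of the warning signs above (unfamiliar images in [SYSEXE] or [SYSLIB], unauthorized user names or proxies in the authorization database, unexpected device allocations and batch jobs) can be caught by comparing the current state with a snapshot taken while the system was known to be clean. The following DCL command procedure is an added example, not part of the manual; the procedure name, the baseline and scratch file locations, and the assumption that DIFFERENCES returns a success status only when two files are identical are mine.

```dcl
$! SECURITY_CHECK.COM -- added example, not from the OpenVMS documentation.
$! Assumed layout: baseline files in SYS$MANAGER:, current snapshots in SYS$SCRATCH:.
$! Run once with P1 = BASELINE on a known-good system; afterwards run it with
$! no parameter (or P1 = CHECK) from a privileged account to compare.
$ SET NOON
$ mode = F$EDIT(P1, "UPCASE,TRIM")
$ IF mode .EQS. "" THEN mode = "CHECK"
$ prefix = "SYS$SCRATCH:SECCUR_"
$ IF mode .EQS. "BASELINE" THEN prefix = "SYS$MANAGER:SECBASE_"
$!
$! Static inventories: any change here deserves investigation.
$! 1. Images in the system executable image library and the system library
$ DIRECTORY/COLUMNS=1/NOHEADING/NOTRAILING/OUTPUT='prefix'SYSEXE.LIS SYS$SYSTEM:*.EXE
$ DIRECTORY/COLUMNS=1/NOHEADING/NOTRAILING/OUTPUT='prefix'SYSLIB.LIS SYS$LIBRARY:*.EXE
$! 2. Authorized user names and proxies (reading the UAF requires SYSPRV)
$ DEFINE/USER_MODE SYS$OUTPUT 'prefix'UAF.LIS
$ MCR AUTHORIZE SHOW */BRIEF
$ DEFINE/USER_MODE SYS$OUTPUT 'prefix'PROXY.LIS
$ MCR AUTHORIZE SHOW/PROXY *
$!
$ IF mode .EQS. "BASELINE" THEN GOTO DONE
$!
$! Compare each static inventory with its baseline. Assumption: DIFFERENCES
$! returns a success status ($SEVERITY = 1) only when the files are identical.
$ i = 0
$ CMP_LOOP:
$   item = F$ELEMENT(i, ",", "SYSEXE,SYSLIB,UAF,PROXY")
$   IF item .EQS. "," THEN GOTO CMP_DONE
$   DIFFERENCES/OUTPUT=NL: SYS$MANAGER:SECBASE_'item'.LIS 'prefix''item'.LIS
$   IF $SEVERITY .NE. 1 THEN WRITE SYS$OUTPUT "*** ''item' differs from baseline; review with DIFFERENCES"
$   i = i + 1
$   GOTO CMP_LOOP
$ CMP_DONE:
$!
$! Dynamic state changes legitimately, so collect it for review instead of
$! diffing: look for user names that cannot be logged in, device allocations
$! nobody made, and batch jobs nobody submitted.
$ SHOW USERS/OUTPUT='prefix'USERS.LIS
$ SHOW DEVICES/ALLOCATED/OUTPUT='prefix'DEVICES.LIS
$ SHOW QUEUE/BATCH/ALL_ENTRIES/OUTPUT='prefix'QUEUES.LIS
$ WRITE SYS$OUTPUT "Current-state reports written to ''prefix'*.LIS"
$ DONE:
$ EXIT
```

Keep the baseline files under a protection that only the system manager can write, since a baseline an intruder can edit proves nothing.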