> SMF and console messages to record logon/authentication failures.
> These could be intercepted in real time to alert someone of unusual probing
> while it is occurring

Yup! Come to either of my sessions at SHARE to learn about how to do that (albeit with one of several commercial products). Unfortunately I know of no way to intercept in real time the invalid userid at its initial usage and possible "validation" as opposed to when it is actually used for a logon with password.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Joel Ewing
Sent: Monday, January 05, 2015 8:18 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?)

On 01/05/2015 09:35 AM, Paul Gilmartin wrote:
> On Mon, 5 Jan 2015 07:21:28 -0800, Charles Mills wrote:
>
>>> For TSO, you can probe for known user ids, but you will see a lot of LOGON
>>> and IEA989I message in the SYSLOG.
>>
>> Only if you set a specific SLIP trap for this condition.
>>
> In the video cited:
>
>> On Jan 2, 2015, at 3:31 PM, Mark Regan wrote:
>>>
>>> Black Hat 2013 - Mainframes: The Past Will Come to Haunt You, by a
>>> Philip Young and it's about an hour long.
>>>
>>> http://youtu.be/uL65zWrofvk
>
> ... the speaker opined that such probing is less likely to be detected
> by Security than by Operations as a spike in CPU usage.
>
> -- gil
>

RACF uses SMF and console messages to record logon/authentication failures. These could be intercepted in real time to alert someone of unusual probing while it is occurring. We used independent review of daily summary reports generated from RACF SMF records to verify that such probing had not occurred, just the typical typos and forgotten passwords from terminals within the corporation. With our normal system workload, someone would have been more likely to notice a flood of unusual console messages than see any noticeable impact on CPU.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
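The detection Joel describes (alerting on a flood of logon failures rather than waiting for the daily SMF summary), shown as an added example that is not from the thread or from any product: it parses constructed, simplified failure records (not the real RACF message or SMF record layout) and flags a source that fails logon for many distinct userids within a short window, which is what separates enumeration from the ordinary typos and forgotten passwords Joel mentions. The 5-minute window and the threshold of 8 distinct userids are assumed values to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a simplified text form (not the real RACF
# message or SMF record layout): timestamp, userid, source terminal, reason.
TYPO_LINES = [  # one user mistyping a password, then the userid itself
    "2015-01-05 09:00:01 LOGON-FAIL userid=JSMITH src=TCP0011 reason=PASSWORD",
    "2015-01-05 09:00:17 LOGON-FAIL userid=JSMITH src=TCP0011 reason=PASSWORD",
    "2015-01-05 09:03:42 LOGON-FAIL userid=JSMTIH src=TCP0011 reason=USERID",
]
PROBE_LINES = [  # one source trying many distinct userids within seconds
    f"2015-01-05 09:10:{i:02d} LOGON-FAIL userid=USER{i:03d} src=TCP0099 reason=USERID"
    for i in range(12)
]
SAMPLE_LOG = "\n".join(TYPO_LINES + PROBE_LINES)

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LOGON-FAIL userid=(\S+) src=(\S+) reason=(\S+)$")

def parse_events(text):
    """Return (timestamp, userid, source, reason) tuples; unparsable lines are skipped."""
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3), m.group(4))
            for m in map(LINE_RE.match, text.splitlines()) if m]

def probe_alerts(events, window=timedelta(minutes=5), min_distinct=8):
    """Per source, slide a time window over its failures and alert when the
    window holds failures for at least `min_distinct` *different* userids.
    Typos and forgotten passwords repeat a few userids; enumeration does not."""
    by_src = defaultdict(list)
    for ts, uid, src, _reason in events:
        by_src[src].append((ts, uid))
    alerts = []
    for src, items in by_src.items():
        items.sort()
        recent, counts = deque(), defaultdict(int)
        for ts, uid in items:
            recent.append((ts, uid))
            counts[uid] += 1
            while ts - recent[0][0] > window:  # expire events older than the window
                _old_ts, old_uid = recent.popleft()
                counts[old_uid] -= 1
                if counts[old_uid] == 0:
                    del counts[old_uid]
            if len(counts) >= min_distinct:
                alerts.append({"src": src, "first": recent[0][0], "last": ts,
                               "distinct_userids": len(counts)})
                break  # one alert per source is enough to page an operator
    return alerts
```

Fed the same records as a daily batch instead of a live feed, `probe_alerts` produces the kind of summary finding Joel's independent review was looking for.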