So what TSO logon should be doing if the userid is invalid or not
authorized for TSO is not to give any error indication on the logon screen
but to populate the panel fields with plausible default values that look as
if a RACF TSO segment was found and force the user to supply the
password field before giving a failure message.  Doesn't sound like a
big change to implement, but what do I know.
        J C Ewing

On 01/05/2015 07:20 PM, Lou Losee wrote:
> The problem is that when TSO populates the logon panel, it does not do
> a RACROUTE REQUEST=INIT (RACINIT) but rather does a RACROUTE
> REQUEST=EXTRACT (RACXTRT) against the user id specified to populate the
> fields on the logon panel.  This does not result in any RACF message or SMF
> record, but TSO does use the RC to inform the user if the user id specified
> is defined or not.
> 
> Lou
> 
> --
> Artificial Intelligence is no match for Natural Stupidity
>   - Unknown
> 
> On Mon, Jan 5, 2015 at 6:05 PM, Frank Swarbrick <
> 0000002782105f5c-dmarc-requ...@listserv.ua.edu> wrote:
> 
>> Something like this?
>>
>> ICH408I USER(MYPSWD99) GROUP(        )
>> NAME(???                 )
>>   LOGON/JOB INITIATION - USER AT TERMINAL DVDU     NOT RACF-DEFINED
>>
>> The above was generated using the CICS CESN signon transaction.
>>
>> From: Tony's Basement Computer <tbabo...@comcast.net>
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Sent: Monday, January 5, 2015 9:57 AM
>> Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?)
>>
>> Back years ago I worked at a Top Secret shop.  That product wrote a
>> console message when a log on attempt has occurred that specified an
>> unknown user.  Sadly, what was usually seen was a password.  It's been
>> years since I was in that business so I don't know if that display is a
>> configurable option.
>>
>> Sidebar:  I watched the video and I found it dismaying.  The presenter spoke
>> in a demeaning tone of the traditional terminology with which we are all
>> familiar, which I found insulting.  I felt he acted proud that *his*
>> technology was superior because *his* terms are more "current", thus
>> better. I felt he made some assumptions in his presentation that would lead
>> the uninitiated to believe that these exposures exist in all cases and in
>> all environments. Stipulating that a deficiently configured z/OS-RACF (or
>> TS or ACF2) shop could present these opportunities, I feel he should have
>> made this disclaimer at the outset.  Had he done so I might have taken him
>> more seriously.
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
>> Behalf Of Charles Mills
>> Sent: Monday, January 05, 2015 10:35 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?)
>>
>>> SMF and console messages to record logon/authentication failures.
>>> These could be intercepted in real time to alert someone of unusual
>>> probing while it is occurring
>>
>> Yup! Come to either of my sessions at SHARE to learn about how to do that
>> (albeit with one of several commercial products).
>>
>> Unfortunately I know of no way to intercept in real time the invalid
>> userid at its initial usage and possible "validation" as opposed to when it
>> is actually used for a logon with password.
>>
>> Charles
>>
>> -----Original Message-----
>> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
>> Behalf Of Joel Ewing
>> Sent: Monday, January 05, 2015 8:18 AM
>> To: IBM-MAIN@LISTSERV.UA.EDU
>> Subject: Re: Enumerating User IDs (was: CANCEL TSO Logon?)
>>
>> On 01/05/2015 09:35 AM, Paul Gilmartin wrote:
>>> On Mon, 5 Jan 2015 07:21:28 -0800, Charles Mills wrote:
>>>
>>>>> For TSO, you can probe for known user ids, but you will see a lot of
>>>>> LOGON and IEA989I message in the SYSLOG.
>>>>
>>>> Only if you set a specific SLIP trap for this condition.
>>>>
>>> In the video cited:
>>>
>>>> On Jan 2, 2015, at 3:31 PM, Mark Regan wrote:
>>>>>
>>>>> Black Hat 2013 - Mainframes: The Past Will Come to Haunt You, by a
>>>>> Philip Young and it's about an hour long.
>>>>>
>>>>> http://youtu.be/uL65zWrofvk
>>>
>>> ... the speaker opined that such probing is less likely to be detected
>>> by Security than by Operations as a spike in CPU usage.
>>>
>>> -- gil
>>>
>> RACF uses SMF and console messages to record logon/authentication
>> failures.  These could be intercepted in real time to alert someone of
>> unusual probing while it is occurring.  We used independent review of daily
>> summary reports generated from RACF SMF records to verify that such probing
>> had not occurred, just the typical typos and forgotten passwords from
>> terminals within the corporation.  With our normal system workload, someone
>> would have been more likely to notice a flood of unusual console messages
>> than see any noticeable impact on CPU.
>>
>...
-- 
Joel C. Ewing,    Bentonville, AR       jcew...@acm.org 
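
Added example (not part of the original thread): a sketch of the daily review of logon failures described above, parsing ICH408I messages in the layout Frank Swarbrick quoted and flagging terminals that produced many distinct NOT RACF-DEFINED user IDs. The sample log, the threshold of 5 and the masking of IDs are assumptions. As Lou Losee notes, the TSO logon panel's RACROUTE REQUEST=EXTRACT lookup produces no RACF message, so this only sees probing through paths that do generate ICH408I.

```python
import re
from collections import defaultdict

# Constructed sample of one day's console log; user IDs and terminals are made up.
# The three-line layout follows the ICH408I message quoted in the thread.
TMPL = ("ICH408I USER({u:<8}) GROUP(        )\n"
        "NAME(???                 )\n"
        "  LOGON/JOB INITIATION - USER AT TERMINAL {t:<8} NOT RACF-DEFINED\n")
SAMPLE = "".join(TMPL.format(u=u, t=t) for u, t in [
    ("ADMIN", "DVDU"), ("OPER1", "DVDU"), ("SYSPROG", "DVDU"),
    ("BACKUP", "DVDU"), ("TEST01", "DVDU"), ("ADMIN", "DVDU"),
    ("MYPSWD99", "T0A1"),            # a password typed into the user ID field
]) + ("ICH408I USER(JSMITH  ) GROUP(PAYROLL ) NAME(J SMITH             )\n"
      "  LOGON/JOB INITIATION - INVALID PASSWORD ENTERED AT TERMINAL T0A1\n")

def parse_ich408i(text):
    """Yield (user, terminal, undefined) for each ICH408I message in text."""
    for chunk in re.split(r"(?=ICH408I)", text):
        user = re.search(r"ICH408I\s+USER\(([^)]*)\)", chunk)
        term = re.search(r"AT TERMINAL\s+(\S+)", chunk)
        if user and term:
            yield (user.group(1).strip(), term.group(1),
                   "NOT RACF-DEFINED" in chunk)

def mask(value):
    """Hide all but the first character: the 'user ID' may be a mistyped password."""
    return value[:1] + "*" * (len(value) - 1)

def probing_terminals(text, threshold=5):
    """Map terminal -> masked distinct undefined IDs, for terminals at or over threshold."""
    seen = defaultdict(set)
    for user, term, undefined in parse_ich408i(text):
        if undefined:
            seen[term].add(user)
    return {t: sorted(mask(u) for u in ids)
            for t, ids in seen.items() if len(ids) >= threshold}

if __name__ == "__main__":
    for term, ids in probing_terminals(SAMPLE).items():
        print(f"terminal {term}: {len(ids)} distinct undefined user IDs {ids}")
```

Counting distinct IDs per terminal separates a user retyping one mistake from a source walking through a list of candidate IDs.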
