Indications of Trouble
» Table of Contents |  | | » Glossary | | | » Index | | |
| | |
| ||
| ||
When your system is vulnerable and possibly under attack, your first indications may come from the following sources:
Reports from users
System monitoring, for example:
Unexplained changes or behavior in applications or normal processes
Unexplained messages from OPCOM or the audit server
Unexplained changes to user accounts in the system authorization database (privilege changes, protections, priorities, quotas)
User observations frequently point to system security problems. A user may contact you with the following situations:
Files are missing.
There are unexplained forms of last login messages, such as successful logins the user did not perform or unexplained login failures.
A user cannot log in, suggesting the user password might have been changed since the last successful login or some other form of tampering has occurred.
Break-in evasion appears to be in effect, and the user cannot log in.
Reports from the SHOW USERS command indicate that the user is logged in on another terminal when the user did not do so.
A disconnected job message appears during a login for a process the user never initiated.
Files exist in the user's directories that the user did not create.
Unexplained changes have been found in the protection or ownership of user files.
Listings appear that are generated under the user name without the user requesting the listing.
A sudden reduction occurs in the availability of resources, such as dialup lines.
Follow up promptly when one of these items is reported to you. You must confirm or deny that the condition exists. If you find the complaint is valid, seek a cause and solution.
“Ongoing Tasks to Maintain a Secure System” lists those tasks that can help you detect potential security breaches on your system. The following list details possible warning signs you may uncover while performing the recommended tasks:
A user appears on the SHOW USERS report that you know could not be currently logged in.
You observe an unexplained change in the system load or performance.
You discover media or program listings are missing or notice other indications that physical security has degraded.
Your locked file cabinet has been tampered with, and the list of authorized users has disappeared.
You find unfamiliar software in the system executable image library [SYSEXE] or in [SYSLIB].
You observe unfamiliar images running when you examine the MONITOR SYSTEM report.
You observe unauthorized user names when you enter the DCL command SHOW USER. When you examine the listing that the Authorize utility (AUTHORIZE) produces with the SHOW command, you find that those users have been given system access.
You discover proxy users that you never authorized.
The accounting report reveals unusual amounts of processing time expended recently, suggesting outside access.
You observe unexplained batch jobs on the batch queues.
You observe unexpected device allocations when you enter the SHOW DEVICE command.
You observe a high level of processing activity at unusual hours.
The protection codes or the access control lists (ACLs) change on critical files. Identifiers are added, or holders of identifiers are added to the rights list.
There is high personnel turnover or low morale.
All these conditions warrant further investigation. Some indicate that you already have a problem, and some may have simple explanations, while others may indicate serious potential problems.