Re: Changing to security level 40.

[Ed Fishel <edfishel@xxxxxxxxxx>]

Rob Berendt wrote on 01/26/2006 03:49:56 PM:

> Thanks.  Doing that I noticed
> ....+....1....+....2....
> Violation    COUNT ( * )
> type
> (AFVIOL)
>     A              5,691   Not authorized to object
>     P                  2   Profile swap error
>     K                126
>     J                310   Submit job profile error
> ********  End of data  *
>
> Based on the table below I need to resolve the 'J' entries
> B Restriction (blocked) instruction violation
> C Object validation failure
> D Unsupported interface (domain) violation
> J Job-description and user-profile authorization failure
> R Attempt to access protected area of disk (enhanced hardware storage
> protection)
> S Default sign-on attempt
>
> And the J entries seem almost exclusively related to some EDI
enhancements
> we've done.

The next version of the Security Reference book will include text to say
that the "K" violation type is for a "Special Authority violation". Support
for this was PTFed into V5R3 after the book was finished for that release.

I am not an auditor, and I do not know the length of time you have had
auditing turned on, but if this were my system I would be concerned about
the 5,691 attempts made to use an object where the users was not authorized
to the object. The 129 attempts to use a function that required the user to
have a special authority is also a concern. These audit records should be
studied to see if there is some type of pattern. Perhaps some of this is
caused by an application that should be changed to check a users authority
before attempting to access an object. Then again it might be something
more devious.

Ed Fishel,
edfishel@xxxxxxxxxx