Professional Documents
Culture Documents
Db2 Audit Program
Db2 Audit Program
AUDIT: DB2
SECURITY ADMINISTRATION
there any control over the granting of authority to ensure that all
ADMINISTRATIVE FUNCTIONS
follows. Ensure that these facilities are restricted to those persons who
1. DBADM Determine who has DBADM for the particular database under review
from review of the SYSDBAUTH table in the DB2 catalog. Ensure that these
are not held with the GRANT option unless absolutely necessary.
2. DBCTRL Determine who has DBCTRL authority for the database under review
from the SYSDBAUTH table of the catalog. Ensure that these are not held
3. DBMAINT Determine who has DBMAINT authority for the database under
review from the SYSDBAUTH table of the catalog. Ensure that these are not
held with the GRANT option unless absolutely necessary. MONITORING
SECURITY
3. Are sensitive DB2 functions logged for review. These are the sensitive
functions used by those with SYSADM, DBADM, DBCRTL, DBMAINT AND SYSOPR.
regular basisand listed (or further analysed) for review by the DBA or
security administrator.
DATABASE SECURITY
1. For each database, determine the names of all relevant tables and
views. This can be found from the SYSTABLES table of the catalog.
For each table and view in the relevant database, review the SYSTABAUTH
alter the table, delete rows, create indexes, insert rows, select rows
update rows,
Ensure that this authority is conducive to good security and that all
columns are contained in each table or view. This can be found from the
SYSCOLUMNS table of the catalog.
Determine which data items are significant and ensure that adequate access
controls exist to limit access to data. Review the SYSCOLAUTH table of the
catalog to determine who has UPDATE authority over the data item in
question.
3. For each view of the data in the relevant database, determine what
columns are in the view. This can be found from the SYSVTREE table in the
maintain confidentiality.
EXIT ROUTINES
1. For each database table under review determine whether use is made of
the Edit and Validation exits. The procedure names associated with each
Determine what processing is carried out by each exit and evaluate what
effect it will have on the control and security over the particular table.
Ensure that each exit load module is contained within a library which is
protected using RACF or some other mechanism and that updating of exit
procedures.
2. For each field within each table, determine if there are attached field
procedures. This can be determined from the FIELDPROC indicator in the
SYSCOLUMNS table in the catalog. The name of the particular procedure can
evaluate what effect it will have on the control and security over the
protected using RACF or some other mechanism and that updating of field
mechanism.
restricted to those persons who have a need to use them for the
maintenance of the databases. Determine who has the authority to use the
implications:
1. COPY AND MERGECOPY Determine who has the authority to run these
database the utility can also be run by anyone who has been granted the
IMAGCOPY privilege for the database containing the table space named. This
in the catalog. Ensure that this authority is limited. Ensure that back-up
image copies are taken regularly and that MERGECOPY is used only when
2. LOAD Determine who has the authority to use this utility to load data
*************************************************************************************
DB2 AUDIT PROGRAM 2 of 2
DB2
_________ the DB2 software and operating environment and that adequate
standards and procedures are in place for applications which use DB2.
development.
1. Review all standards as they pertain to the use of DB2 within the
framework within which the software can be controlled and applications can
b. The control over the data which is to be applied. This should include
requirements for editing and validating the data which is entered into the
database, the requirements for control totalling and the requirement for
audit trail. These standards should cover the use of the standard SQL
followed when designing applications which use DB2. These standards should
specify the responsibility for database design and should also cover such
areas as standard naming conventions. This has a beneficial effect when
systems are being maintained. Other items which can be included are
software. This should lay down responsibility for starting and stopping
DB2 and individual databases and should cover the emergency procedures to
image copies for recovery purposes. The frequency of copying and the use
minimise recovery time, while minimising the time to take the copies.
there any control over the granting of authority to ensure that all
ADMINISTRATIVE FUNCTIONS
against the SYSUSERAUTH table in the DB2 catalog and by determining who
can use the relevant authorisation ids specified in DSNZPARM. Ensure that
these are not held with the GRANT option unless absolutely necessary.
2. SYSOPR - Determine who has SYSOPR authority from the SYSUSERAUTH table
of the catalog. Ensure that these are not held with the GRANT option
MONITORING SECURITY
2. Are SMF records showing the number of failed access attempts produced
4. Are sensitive DB2 functions logged for review. These are the sensitive
functions used by those with SYSADM, DBADM, DBCRTL, DBMAINT AND SYSOPR.
The DB2 software is parameter driven. The auditor should examine the
current values of these parameters and evaluate the effect on control and
security.
*******************************************************************************
SUBMITTED BY:
Dr Frederick Cohen
Audit Plan:
Protection Management
the equipment?
agreements available?
this checklist?
Protection Policy
Are there things it should not have, and what are they? Why
is the policy set as it is, who sets it, how does it change,
report errors?
during off-hours?
in writing?
traffic reports?
* There are a lot of good standards and procedures questions here, but
they are not tracked to policy requirements, they don't track to the
Documentation
leased lines?
fully documented?
about where the documentation is kept and who has access, how
Protection Audit
Technical Safeguards
Is there a UPS?
Incident Response
tested?
response time?
How do we detect them? Who does it? What tools do they need? etc.
Testing
equipment?
tested?
Personnel Issues
checklist.
Legal Considerations
telecom equipment?
Protection Awareness
awareness.
Organizational Suitability
* This is not addressed in the audit at all.
Supplied by
***********************************************************************************
SUBMITTED BY:
-------------------------------------------------------------------------------
Denis Kelly, | Phone: 7027137 / 6765831
Senior Computer Auditor | Fax: 6778463 / 6615376
Electricity Supply Board | Int Phone: 353-1-7027137.
Lr Fitzwilliam St, | Internet: Denis.Kelly@N1.ESB.IE
Dublin 2. Ireland. | < Standard Disclaimers Apply>
--------------------------------------------------------------------------------
This audit program was designed to look at both the financial and technical
controls employed. The control objectives and standards of both ISACA and the
Institute of Internal Auditors (IIA) were incorporated into the design of tests.
In addition relevant local and corporate regulations were considered. This
audit program is a prototype of how a telecommunications function can be
audited. Each auditor needs to consider the specific needs of their own
organisation and the jurisdiction where the organisation operates. These
differences may have a very significant impact on the emphasis and coverage of
the audit program. However this program should give a good general framework
for such an audit.
TELECOMMUNICATIONS AUDIT
AUDIT SCOPE
DETAILED OBJECTIVES
- Briefings.
- Library/ Standards Files.
- Reviews and Technical Audits.
- Safety Manuals.
- Training Records.
- Security Documentation.
- Operating and Maintenance.
- Circulation and Update of same.
- Safety.
- Broadcasting Act.
- Conditions of Service from TE.
- Communications Regulations and Licensing Conditions.
- Equipment Supplier Conditions.
- Procedures for work at Third Party sites including
insurance.
- Briefings.
- Library/ Standards Files.
- Legal advice.
- Reviews and Technical Audits.
4.4 Review the controls in place that ensure assets are acquired in
compliance with established policies and procedures including
VFM.
5.1 Review the controls which ensure Telecomms management and staff
are aware of Customer requirements.
5.2 Review the controls which ensure the Services Delivered are
those requested by users and are provided in a timely and cost
effective manner.
5.4 Assess the controls in place to assure that value for money is
maximised in the provision of services to customer.
- Authority
- Procedures (Stores)
- Handover to customers
1. Commissioning Procedures.
DISCLAIMER:
*************************************************************************************
TELEPHONE INFORMATION AUDIT PROGRAM
* Physical Security
Do the cables entering and leaving the PBX or equipment room pass through
fire-
stop material?
Are power circuits clearly marked?
* Facilities Management
policy and procedure guides. Are they up to date and easily understood?
Are Customer Service Records listing the equipment reviewed and retained? By
whom? Are they reconciled with the Property Accounting Fixed Asset Register.
Are PBX traffic, performance, circuit outage, and problem reports reviewed
by
telecom management?
Is there an agreement with the LEC, the IXC, and the equipment vendors for
the
report
errors?
* PBX Control
Are circuit numbers clearly marked on channel banks, CSU/DSUs, and modems?
lines to
ports on the PBX?
Is there a regular dump of Incoming Peg Count, Attendant Response, All Trunks
Busy, Service Queue, and Trunk Group Overflow reports? Reported to telecom
management?
What are the procedures for making PBX SW or HW changes. Are they fully
documented?
* Disaster Recovery
Does it
or
tested?
off-site?
carry a
Does the telecom manager have a list of home phone numbers for the LEC, IXC,
* Cost Management
What are the purchase/lease/rental agreements for telecom equipment?
What maintenance agreements are signed? Are they the most cost effective
maintenance bills reviewed, broken down, and verified? By who? How and who
Are all orders for services in writing? Are confirmations in writing? Are
service
Has a "bounty hunter" telecom payment consultant been used in the past?
Results?
* Training
What training is provided telecom staff for the PBX? Are operating manuals
available to them?
Is there a company written policy on phone use? Are there education programs
for users?
* Billing
with
phone bills?
Do
they sign approval and return them?
How are phone charges allocated to each cost center? Are they accurate?
Are all toll calls billed verified against the PBX traffic reports?
Are all leased trunks, lines, and circuits billed verified against the PBX
inventory
reports?
*************************************************************************************
MVS PARMLIB
DSNZPARM ENTRIES
Review the DSNTIJUZ job which contains the macros used to build DSNZPARM.
Ensure that this job is held in a protected library and that changes to
*************************************************************************************
CICS COMPUTER AUDIT PROGRAM
A. CICS SET-UP
ensure that the appropriate control tables, data sets and terminals are used
1. Obtain a PDS listing of the CICS load libraries. Obtain a copy of the start
up procedures.
2. Determine the following from a review of the CICS Analyser report and the
PDS listing:
b. the procedures for determining and authorising the SIT used during
initialisation,
available,
d. the procedures for determining and authorising the version of the control
modules,
f. the procedures for determining, authorising and reviewing any override
contains the current production versions of the control tables and management
a. determine that the current production version of the SIT was used.
c. Where overriding parameters have been used, ensure that they have been
correct control tables were initialised and only valid libraries were
included.
procedures.
a. review the current production version of the SIT to determine that the
b. review the sample of actual start-up job streams to ensure that any
7. Review the PDS listing of CICS load libraries for members with names other
8. Review the naming convention for tables. Select samples from the production
B. GENERATING CICS
To determine that jobs which are assigned Security privileges and are designed
for initiating CICS subsystems (either started tasks) or standard batch jobs)
CMD="S,CICS").
(STC if a started task) are associated with the LOGONID, attributes which
involve program pathing RESTRICT, SUBAUTH, PROGRAM and also validate APF
authority.
3. Determine if the default LOGONID for started tasks (STCDFLT LID =) exists
5. Review and evaluate the attributes given to the CICS default LOGON ID
authorised purposes.
are available. By enquiry, determine if any have been renamed. At least the
following transactions and programs should be identified:
CECI
FDOD
CEDF
CEMT, CSMT
ADYN (=DALL)
OLTEP
CORE (=DBUG)
XAMS
OLIB
ADSP
DFH99
DFHBUG
2.a. Have the following attributes been included in the PCT for each
transaction:
ii. Transaction work area (TWA) length used to determine the size acquired for
this transaction.
NOTE - If RACF is used, determine the extent to which RACF controls these
transactions.
transactions.
a. CEMT, CEST, CSMT, CSST, CEDA, CECI, by reviewing the PCT entry (DFHPCT TYPE
b. Using these values, review the SNT to determine the operators who have
4. For all other sensitive transactions (including CEBR) review the PCT to
operand).
is used by examining the PCT entry (for DFHPCT TYPE = ENTRY, RSLC = YES should
resource rules.
7. For each temporary storage queue that can be browsed by CEBR, review the
TST entry for DFHTST TYPE = SECURITY, to ensure that security checking is
required.
1.b. Have the following attributes been specified for each data set in the
FCT.
Note: DL/I data bases are the only resources that are automatically
defined as protected. All others are optionally protected.
entries)
3. For files that are journalled, review procedures for swapping journal files
to tape.
4. For files that are not journalled or logged, determine how files are backed
up for restart and recovery purposes. Determine how program FDP, PEP,NEP and
6. Review the start up job streams to determine the START option used, to
8. Review SMF record, CICS statistics to determine the number of times for
CICS start-up shut down daily. Determine reasons for excessive start-up.
9. What SMF record will be recorded when CICS goes down. Perform applicable
tests as required.
1.By enquiry and review of available evidence, ensure that there are
2. Review the standards and assess their adequacy in the areas of:
a. coding requirements
*************************************************************************************
General Description
The VM operating system was developed during the mid-1960s in order to create a
virtual system that would appear to each user as a dedicated machine.
Requirements vary among organizations of different sizes. Because of this,
there are different variations of VM to better meet these needs. Virtual
Machine/System Product (VM/SP) is really VM in its simplistic form. Running
VM/SP requires system programmer expertise for both installation and
maintenance, but provides flexibility to meet the needs of the organization.
CP is a set of programs which manages the real machine resources and creates
the virtual machine environment. The major functions of the CP can be
summarized as follows:
o user scheduling and dispatching;
o real storage management;
o virtual memory management;
o spool management;
o CP command processing;
o error recovery and recording.
CMS is an interactive operating system within VM, that operates under the
control of CP to manage the virtual machine environment. The basic components
of CMS are:
o editor;
o EXEC processor;
o Debug environment;
o OS simulation;
o commands, e.g., COMPARE, SORT, COPYFILE, etc.
System generation is the process that compiles the selected operating features
into an executable version of the operating system. System generation options
are specified in one of three CP source modules: DMKSYS, DMKSNT and DMKRIO.
DMKSYS, also known as the CP System Control File, consist of macro statements
that describe the following:
o CP system residence device;
o system storage device;
o CP-owned direct access devices;
o system operator's user identification;
o system timer value;
o system pointer variables;
o automatic performance monitoring parameters;
o accounting parameters;
o system identification;
o system spool parameters;
o security journalizing parameters;
o system dump space parameters;
o system T-DISK security parameters;
o missing I/O interruption timer intervals.
The System Name Table (DMKSNT) consists of entries that identify the name and
location of saved systems or discontinuous saved segments.
After the three system generation modules are ready, the CP nucleus is
generated through a program called VMFLOAD. The CP nucleus can basically be
defined as the core of the VM system. It is the brains of the system, or the
code that gives the environment its basic VM attributes. After the system
generation is completed, and VM has gone through the Initial Program Load
(IPL), CP exists. The new CP resident nucleus is now loaded in real memory and
VM is available for further use.
Audit Program
2. Check the value of the SYSCLR operand of the SYSRES macro in DMKSYS;
SYSCLR=YES should be specified to prevent unauthorized access to sensitive data
placed on T-disks. SYSCLR=YES is default. If SYSCLR=NO is specified, the
installation should have a published disclaimer for T-DISK security.
4. Inspect the DMKRIO to verify that device specifications reflect the actual
hardware configuration and that excessive number of additional devices have not
been defined.
5. Verify the specifications of shared and saved systems in DMKSNT and check
for overlapping assignments on DASD.
6. Inspect the load list used by VMFLOAD and compare it with the IBM-supplied
list to ensure that no critical system modules have been deleted; verify that
deleted modules do not implement facilities that have been implied in DMKRIO or
DMKSYS and review any frequently used pagable modules that are or should be
resident.
VM/SP Modifications
The systems programmer should maintain a log of all these changes, whether they
are IBM-supplied or local, including the date of the application, modules
affected, PTF (program temporary fix) number, and reason for the change. All
changes should be reviewed by the technical support manager so that users and
operations staff are aware of modifications that might affect them.
Audit Program
1. Review the latest PUT process output to verify that IBM-supplied maintenance
has been properly installed.
3. Spot-check the CP nucleus map to verify that both IBM- and user-supplied
modifications have been included in the system nucleus.
4. Determine whether the systems supervisor or systems staff, other that the
original systems programmer, reviews all system and utility testing before
cataloging into production.
Audit Program
2. Confirm that critical user IDs have password protection on their minidisks.
Verify that users have adequate level of privilege class.
4. Check the journal data for improper access attempts; note and check write
accesses to nonowner disks.
6. Inspect the file PROFILE EXEC on the 191 disk of user AUTOLOG1; review the
sequence of actions performed with AUTOLOG1 activated.
Sources/References
VM/BATCH
Audit Program
Key files for the VMBATCH configuration file that should be reviewed here are:
- ACCESS - identifies the VMBATCH database minidisks. Make sure that these
are restricted to the appropriate users only.
- DIRECT - contains the virtual address of the read-only link between VMBATCH
and the CP object directory minidisk. Verify that access has been provided
only on an as needed basis.
- USEREXIT - these optional records are used to specify the filenames of user
routines to receive control at various points in VMBATCH's operation.
Determine whether any exits are being used, and if so, which ones. Obtain the
source code for these exits and review them. Briefly describe their function
and evaluate their effect on VMBATCH controls.
2. Identify the users and groups that have been provided with access to the
production worker machines. This can be determined by reviewing the VMBATCH
user and group limits.
a. Using the VMBATCH configuration file, determine whether any of the AUTHORIZ
USER users are defined in (VMBATCH configuration file's) GROUP records.
User and groups can be only belong to one group; in the event that multiple
entries of this type have been made, VMBATCH insiders only the first entry to
be valid.
Evaluate the limits on the groups for the AUTHORIZ USER User-IDs first (i.e.
the User-IDs defined to the GROUP records). This is because group level limits
override user level limits ( and system level limits and user level limits).
Compare these limits with the characteristics defined to the production worker
machines in the WORKER records of the VMBATCH configuration file). Determine
who can run their jobs under the production WORKER User-IDs.
Reference Manual
VM/Secure
Audit Program
2. Obtain and review the VMSECURE configuration file listing. Examine the
parameters established for the key configuration file records.
The key configuration file records (for installations that are not using the
rules facility) and their associated audit concerns are:
- ENCRYPT - this optional record tells VMSECURE that the directory database is
encrypted. This record is important because only where read access to the
directory database is not adequately restricted and the minidisk and/or logon
passwords in the directory are critical components to the access control
methodology at this location.
- USEREXIT - these optional records are used to specify the filenames of user
routines to receive control at various points in VMSECURE's operation.
Determine where any exits are being used, and if so, which ones. Obtain the
source code for these exits and review them. Briefly describe their function
and evaluate their effect on VMSECURE data security controls.
- VOLUME - identifies real and DASD volumes managed by VMSECURE. Make sure
that all intended volumes are included here.
3. Obtain and review the VMSECURE MANAGERS file listing (the file resides on
the VMSECURE 191 minidisk). Examine the MANAGER record(s) 'mgrid' parameter.
The User-ID(s) defined in this record have directory manager authority
(provided that MANGE subcommand capability has also been granted in the
VMSECURE configuration file). Determine whether the MANAGER capability has
been appropriately designated.
VMSECURE
Reference manuals