VM370 System Programmers Guide (Rel6) page 241

J ou·rna ling LOGO N, AUTO LOG, and LI N
K
Commands LOGON, AUTOLOG, and LINK Journaling attempts to detect and record
certain occurrences of the LOGON, AUTOLOG, or LINK commands. using the
recorded information, an installation may be able to identify attempts
to logon to VM/370 by users that issue invalid passwords. Also, the
installation may be able to identify users that successfully issue the
LINK command to protected minidisks not owned by that user.
Briefly, LOGON, AUTOLOG, and LINK journaling works like this. While
journaling is turned on, CP monitors all occurrences of the LOGON, AUTOLOG, and LINK commands. CP keeps count of the number of times a
user issues one of these commands with an invalid password. When this
count exceeds an installation defined threshold value, CP optionally: I • Writes a record to the accounting data set to record the incident I • Rejects subsequent LOGON, AUTOLOG, or LINK commands issued by the I user I • Sends a message to an installation-defined user identification to I alert the installation to the incident
Also, each time CP detects,that a user has successfully issued a LINK
command to a protected minidisk not owned by that user, CP optionally
records the incident by writing a record to the accounting data set. A
protected minidisk is a minidisk whose password is anything but ALL for
the type of LINK attempted.
For a description of the accounting records that CP writes for LOGON, AUTOLOG, and LINK journaling, see the section "Accounting Records."
The SYSJRL macro instruction, the SET and the QUERY command
enable an installation to control LOGON, AUTOLOG, and LINK journaling.
To make journaling available and to specify options, code the SYSJRL macro instruction in module DMKSYS. Instructions for coding this macro
instruction are in the gng To
turn journaling on or off, lise the class A SET command. To determine
whether journaling is on or off, use the class A QUERY command. Part 2. Control Program (CP) 229

Suppressing Passwords Entered on the
Command-Line CP optionally rejects LOGON or LINK commands that have the password
entered on the same line as the command. these commands prp.vents passwords from being displayed or from being printed without masking -- a password means overprinting the password so it
cannot be read. This capability is also available to virtual machines that issue LINK commands via DIAGNOSE Code X'08'. For a description of DIAGNOSE Code X'08', see the section "DIAGNOSE Instruction in a virtual To request password suppression, specify it as an option on the SYSJRL macro instruction in module during system generation of VM/370. Once requested, password suppression is always on: an operator
cannot turn it off. 230 IBM VM/370 System Programmer's Guide

Previous Page Next Page

VM370 System Programmers Guide (Rel6) Page 241 (264 of 430)

Help