00057: TSO Command Security Violation


FILE              TSO User Command Counts File
SAS FILE NAME     DETAIL.TSOTSC01
SOURCE LOCATION   sharedprefix.MICS.SOURCE(DYTSOEXC)

SEVERITY          Critical      (SEVERITY='C')
MANAGEMENT AREA   Security      (MGMTAREA='SECURITY')

PURPOSE      Identifies unauthorized users who have executed
             the ACCOUNT command.

RATIONALE    The TSO ACCOUNT command is used to add, change,
             delete, and list entries in the installation's
             User Attribute Data Set (UADS).  The ACCOUNT
             command checks UADS to determine if a user is
             authorized to enter accounting commands.
             Unauthorized users are prevented from entering
             accounting commands.  The use of this command by
             unauthorized users may indicate users who are
             probing the system to determine the limits of
             their access.  The UADS entry for the
             unauthorized user should be verified to ensure
             that it has not been tampered with.
             Unauthorized users could use this command to
             find/change passwords, create/delete userids,
             and give unauthorized access to restricted
             facilities to their own or other userids.

DEFINITION   This exception is detected when an unauthorized
             user executes the TSO ACCOUNT command.

EXCEPTION    The SAS statements identifying the exception
STATEMENTS   situation and describing the condition are
             stored in the source member named in SOURCE
             LOCATION and are described below:

************************************************************;
*
** 00057
** TSO COMMAND SECURITY VIOLATION
*;
IF  (COMMAND='ACCOUNT' AND NOT(ID=:'user-id'))
 THEN DO;
  EXCCODE='00057'; SEVERITY='C'; MGMTAREA='SECURITY';
  EXCDESC1='TSO COMMAND SECURITY VIOLATION';
  EXCDESC2='USE COUNT=' || PUT(TSCCOUNT,3.);
  LINK HIT;
END;

THRESHOLD     Modify the list of authorized ACCOUNT users
MODIFICATION  according to the following conventions:

    user-id   Each userid used for selection is specified as
              a one- to eight-character alphanumeric value,
              enclosed in quotes as a standard SAS character
              literal.  Additional userids must be included
              in the parentheses and connected to the list
              with an OR.  To raise the exception for all
              users whose ids do not begin with SYS or ABC,
              the specification would be:

                 AND NOT(USER=:'SYS' OR USER=:'ABC')

              To raise the exception for all users except
              those whose ids begin with SYS and the user
              ABC006, the specification would be:

                 AND NOT(USER=:'SYS' OR USER='ABC006')
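
The following stand-alone DATA step is an added example, not part of the MICS source member. It runs the second specification above against constructed sample rows so that the reach of the prefix comparison (=:) and the exact comparison (=) can be checked before the authorized list is changed. The WORK dataset names, the sample userids and the OUTPUT statement (used here in place of LINK HIT) are assumptions; USER follows the specification examples above, while the exception statement itself is written with ID.

```sas
/* Constructed sample rows, not MICS data.  Userids are chosen to  */
/* sit on either side of the prefix and exact comparisons.         */
DATA WORK.TSC_SAMPLE;
  LENGTH USER $8 COMMAND $8 TSCCOUNT 8;
  INPUT USER $ COMMAND $ TSCCOUNT;
  DATALINES;
SYSADM1  ACCOUNT  4
SYS      ACCOUNT  1
ABC006   ACCOUNT  2
ABC0061  ACCOUNT  7
ABC007   ACCOUNT  3
XSYS01   ACCOUNT  5
SYSADM1  LISTCAT  9
;
RUN;

/* Apply the 00057 condition with the modified authorized list.    */
DATA WORK.HITS;
  SET WORK.TSC_SAMPLE;
  LENGTH EXCCODE $5 SEVERITY $1 MGMTAREA $8 EXCDESC1 EXCDESC2 $40;
  /* =: compares only the leading characters of USER, so 'SYS'     */
  /* authorizes every userid with that prefix.  = compares the     */
  /* whole blank-padded value, so 'ABC006' authorizes one userid.  */
  IF (COMMAND='ACCOUNT' AND NOT(USER=:'SYS' OR USER='ABC006'))
   THEN DO;
    EXCCODE='00057'; SEVERITY='C'; MGMTAREA='SECURITY';
    EXCDESC1='TSO COMMAND SECURITY VIOLATION';
    EXCDESC2='USE COUNT=' || PUT(TSCCOUNT,3.);
    OUTPUT;   /* stands in for LINK HIT outside the MICS step */
  END;
RUN;

/* List the rows that would raise the exception.                   */
PROC PRINT DATA=WORK.HITS NOOBS;
  VAR USER COMMAND EXCCODE EXCDESC2;
RUN;
```

Because a prefix entry authorizes every userid that starts with those characters, an exact comparison is the narrower choice wherever a single userid is meant.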