

SMF

Use SMF as an audit trail. Subversive activity can often be traced through SMF long before a perpetrator can accomplish any deceptive maneuver. Look for an increase in activity against certain sensitive files, and audit the SMF options in PARMLIB member SMFPRMxx for missing record types.
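One way to script the SMFPRMxx check described above, as an added example that is not part of the CA Top Secret documentation. The watch list of record types, the function names, and the sample member are assumptions made for illustration; the script also assumes that SYS collects types 0:255 when neither TYPE nor NOTYPE is coded and that SUBSYS inherits the SYS selection when it codes neither.

```python
import re

# Constructed SMFPRMxx member for illustration; not taken from a real system.
SAMPLE = """\
ACTIVE                          /* SMF recording on */
DSNAME(SYS1.MAN1,SYS1.MAN2)
SYS(NOTYPE(14:19,62:69),EXITS(IEFU83,IEFU84),
    INTERVAL(003000))
SUBSYS(STC,TYPE(0:255))
"""
# Assumed watch list (14/15 data set I/O, 17/18 scratch/rename, 30 jobs, 80 security).
WATCH = {14, 15, 17, 18, 30, 80}
ALL = set(range(256))  # assumed default when TYPE/NOTYPE is not coded

def expand(spec):  # '14:19,62' -> {14, ..., 19, 62}
    types = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition(":")
        types.update(range(int(lo), int(hi or lo) + 1))
    return types

def statements(text):  # yield (keyword, body) per SYS(...) / SUBSYS(...)
    for m in re.finditer(r"\b(SUBSYS|SYS)\s*\(", text):
        depth, i = 1, m.end()
        while depth and i < len(text):  # walk to the matching ')'
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), re.sub(r"\s+", "", text[m.end():i - 1])

def collected(body, inherited):
    """Record types a statement collects; subtype selectors are ignored."""
    body = re.sub(r"(\d+)\([\d:,]+\)", r"\1", body)
    m = re.search(r"\b(NO)?TYPE\(([^)]*)\)", body)
    if not m:
        return inherited
    return ALL - expand(m.group(2)) if m.group(1) else expand(m.group(2))

def audit(text, watch=WATCH):
    """Map each scope (SYS or a subsystem name) to its missing watch types."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S).upper()
    if re.search(r"\bNOACTIVE\b", text):
        return {"SMF": sorted(watch)}  # nothing is recorded at all
    stmts = list(statements(text))
    sys_bodies = [b for k, b in stmts if k == "SYS"]
    sys_types = collected(sys_bodies[-1], ALL) if sys_bodies else ALL
    gaps = {"SYS": watch - sys_types}
    for body in (b for k, b in stmts if k == "SUBSYS"):
        gaps[body.split(",")[0]] = watch - collected(body, sys_types)
    return {scope: sorted(miss) for scope, miss in gaps.items() if miss}
```

For the constructed member, `audit(SAMPLE)` reports that the system-wide `NOTYPE(14:19,62:69)` drops the data set access and scratch/rename records, while the `STC` subsystem override collects everything.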

An APF-authorized program can obliterate all evidence of activity in its address space by altering memory locations, making it appear to z/OS that SMF is not active for the user. The CA Top Secret Audit/Tracking File does not depend on whether SMF is active, and its use cannot be subverted.