

JOURNAL Record
Use the JOURNAL record to control the monitoring of invalid password conditions.
JOURNAL warning maximum
Configuration File
JOURNAL is defined in the SECURITY CONFIG file.
Definitions
- warning
  Specifies the number of consecutive invalid password attempts recorded for a user ID or device address after which a warning message appears on the system operator’s console. The minimum is 0, the maximum is 99999999.
- maximum
  Specifies the number of consecutive invalid password attempts recorded for a user ID or device address after which a restrictive action is taken. The minimum is 0, the maximum is 99999999. This option is valid only if the Rules Facility is implemented.
After this maximum is reached, the attempting user ID or the device address from which the invalid attempts were made can no longer do any of the following:
- Use CA VM:Secure commands if the password violations were in response to the logon password validation prompt for a CA VM:Secure command.
- Define a directory link for any minidisks belonging to the user ID whose link passwords were violated.
- Use the CP AUTOLOG, DIAL, LINK, LOGON, LOGON BY, XAUTOLOG commands, LOGONBY Facility requests, or attempts at password checking using Diagnose X’A0’ subcode 4 depending on which monitored condition went over the maximum:
  - When the maximum number of invalid autolog or xautolog attempts is reached, CA VM:Secure adds the applicable rule to the rules file for the user ID being autologged or xautologged:
    REJECT userid AUTOLOG (NOTIFY
    REJECT userid XAUTOLOG (NOTIFY
    These rules prevent the requesting user ID from further AUTOLOG and XAUTOLOG attempts on the target user ID. The addition of these rules is not subject to the TERMPASS or the USERPASS user exits.
  - When the maximum number of invalid link attempts is reached, CA VM:Secure adds the following rule to the target user’s rules file:
    REJECT userid LINK vaddr (NOTIFY
    This rule prevents the requesting user ID from further link attempts on the target user ID’s virtual address. CA VM:Secure adds the previous rules whether or not the RULEUPDT user exit is implemented.
  - When the maximum number of invalid logon attempts is reached, CA VM:Secure adds the REJECT LOGON rule to the system override rules and the target user ID’s rules. The addition of this rule is subject to the implementation of both the TERMPASS and the USERPASS user exits: addition of the rule to the system override rules requires that the TERMPASS user exit be implemented; addition of the rule to the target user ID requires that the USERPASS user exit be implemented.
  - When the maximum number of invalid DIAL attempts is reached, CA VM:Secure adds the REJECT DIAL rule to the system override rules. The addition of this rule is subject to the implementation of the TERMPASS user exit.
Description
If you are using the Rules Facility with the JOURNAL record, the following invalid password conditions are monitored:
- Invalid logon passwords entered for the same user ID during LOGON processing
- Invalid logon passwords entered from the same device address during LOGON processing
- Invalid dial passwords entered from the same device address during DIAL command processing
- Invalid logon passwords entered during AUTOLOG or XAUTOLOG command processing
- Invalid link passwords entered during LINK command processing and LINK processing associated with Diagnose X’88’ sub-code X’04’ calls
- Invalid logon passwords specified during Diagnose X’A0’ sub-code 4 calls
- Invalid logon passwords specified during Diagnose X’88’ sub-code 8 calls
- Invalid logon passwords entered when issuing CA VM:Secure commands
- Invalid link password entered from the "Define a Link to Another User’s Minidisk" selection on the "User Selection Menu"
If you are not using the Rules Facility, only the last two invalid password conditions are monitored.
Separate journal counters are maintained for each monitored condition. The counters are reset to zero whenever a password is correctly entered or when CA VM:Secure is shut down; the appropriate counter is incremented by one whenever its password is incorrectly entered. If consecutive invalid attempts exceed the limit specified on this JOURNAL record, CA VM:Secure prevents further attempts until someone issues the JOURNAL command with the RESET parameter against that password, or issues the REST command.
When the limit of consecutive invalid logon attempts is reached, CA VM:Secure calls either the TERMPASS or USERPASS user exit, or both, if they are defined. Use both these user exits because they prohibit further attempts when the limit of invalid attempts is reached.
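The following Python sketch is an added illustration, not CA VM:Secure code: it range-checks a JOURNAL record and models how the warning and maximum thresholds interact with consecutive-failure counters for the AUTOLOG, XAUTOLOG and LINK conditions. The counter key, the choice to act when the count reaches the maximum, the console message text, and the sample user IDs OPER1 and MAINT with virtual address 191 are assumptions made for the example.

```python
# Added illustration: a toy model of the JOURNAL thresholds, not CA VM:Secure code.
LIMIT = 99999999  # documented upper bound for both operands

def parse_journal(record):
    """Parse 'JOURNAL warning maximum' and range-check both operands."""
    parts = record.split()
    if len(parts) != 3 or parts[0].upper() != "JOURNAL":
        raise ValueError("expected: JOURNAL warning maximum")
    warning, maximum = int(parts[1]), int(parts[2])
    for name, value in (("warning", warning), ("maximum", maximum)):
        if not 0 <= value <= LIMIT:
            raise ValueError(f"{name} must be between 0 and {LIMIT}")
    return warning, maximum

class Journal:
    """Consecutive-failure counters for the AUTOLOG, XAUTOLOG and LINK conditions."""
    def __init__(self, warning, maximum):
        if warning < 1 or maximum < 1:
            # 0 is a valid operand, but the page does not say what it does.
            raise ValueError("this model only covers thresholds of 1 or more")
        self.warning, self.maximum = warning, maximum
        self.counters = {}  # assumed key: (condition, requester, target, vaddr)
        self.rules = {}     # target user ID -> REJECT rules added to its rules file
        self.console = []   # warnings shown on the operator console

    def attempt(self, condition, requester, target, ok, vaddr=None):
        key = (condition, requester, target, vaddr)
        count = self.counters.get(key, 0)
        if count >= self.maximum:
            return "rejected"        # stays blocked until JOURNAL ... RESET
        if ok:
            self.counters[key] = 0   # a correct password resets the counter
            return "accepted"
        count = self.counters[key] = count + 1
        if count == self.warning:
            self.console.append(f"{count} invalid {condition} passwords for {target}")
        if count == self.maximum:    # assumption: act when the count reaches maximum
            what = f"LINK {vaddr}" if condition == "LINK" else condition
            self.rules.setdefault(target, []).append(f"REJECT {requester} {what} (NOTIFY")
        return "invalid"

def demo():
    """Constructed sequence: OPER1 links to MAINT 191 with a bad password."""
    j = Journal(*parse_journal("JOURNAL 2 3"))
    results = [j.attempt("LINK", "OPER1", "MAINT", ok, "191")
               for ok in (False, True, False, False, False, True)]
    return results, j.console, j.rules
```

In the constructed run, the correct password on the second attempt resets the counter, so the warning and the REJECT rule only appear after a fresh run of consecutive failures, and the final correct password is refused because the counter is already at the maximum.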
Copyright © 2014 CA.
All rights reserved.
 