
Overview


ACF2 (Access Control Facility) is an access control security system for MVS, z/OS, VSE, z/VSE, VM and z/VM IBM mainframe operating systems.

Snare Central is able to collect ACF2 processed reports via FTP transfer. The processed reports must be transferred to a particular directory on the Snare Central server (/data/SnareCollect/ACF2Log). The reports are then analysed and processed by a scheduled Snare Central process, once a day.

The ACF2 processed reports are generated by the report utilities provided with ACF2. The utilities produce formatted reports of the following mainframe activity:

  • ACFRPTLL - Logonid Modification Log

  • ACFRPTRL - Dataset Rule Modification Log

  • ACFRPTEL - Infostorage Modification Log

  • ACFRPTDS - Dataset Violation/Logging

  • ACFRPTRV - Resource Violation/Logging

  • ACFRPTPW - Invalid Password/Authority Log

The Notes section below lists an example JCL job that runs one of the report utilities, extracts its output and sends the processed report to Snare Central. The sample job is set up for the Logonid Modification Log report, but can easily be adapted for any of the reports listed above. A fixed transfer library name is used because the FTP parm library member that references the library cannot be changed with each run. Some of the programs used in this job are described below the job listing.

Note: Newlines in the original report are transformed to carriage returns (\r) in the DATA section of the event.

Sample Event

An ACF2Log event as stored by Snare Central, shown field by field:

  • DATE: 2017-08-07

  • TIME: 10:46:08

  • SYSTEM: DEVT

  • TABLE: ACF2Log

  • USERNAME: ZXXX

  • RESOURCE: APP

  • LOGTYPE: ACFRPTRL

  • EVENTID: BFORREPL

  • RETURN: STORED

  • DATA: (value not shown on this page)

Check Point Anti-Malware

Check Point Anti-Malware is a component of Endpoint Security Windows clients that protects them from viruses, worms, Trojans, adware and keyloggers.

The CheckPointAntiMalwareLog module identifies and parses logs ingested from Check Point Anti-Malware.

Sample Logs

2022-06-06 10:13:01 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|High|cp_severity=High deviceDirection=0 msg=Error occurred while accessing:www.example.com rt=1654481578000 alert=alert ifname=daemon loguid={0x629d62ac,0x1e,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX sequencenum=26 version=5 product=Anti Malware reason=Failed to fetch Check Point resources. Couldn't resolve host name, check /opt/CPsuite-R81/fw1/log/rad_events/Errors/flow_140125_45982949 For more details

2022-06-06 10:10:37 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|Very-High|cp_severity=Very-High cs2Label=Update Status deviceCustomDate2Label=Subscription Expiration deviceCustomDate2= deviceDirection=1 rt=1654481436000 loguid={0x629d621d,0xd,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX originsicname=CN=aaaaa,O=aaaaa..aaaaaa sequencenum=18 version=5 contract_name=Anti Bot Basic Metadata log_id=4 product=Anti Malware special_properties=0 subscription_stat=expired subscription_stat_desc=Contract is expired.

Fields

The TABLE value identifies which module produced the event. The LOGTYPE, EVENTID and RETURN derivations below apply to ACF2Log events.

  • DATE - Event date, in the format YYYY-MM-DD

  • TIME - Event time, in the format HH:MM:SS

  • SYSTEM - The source system

  • TABLE - ACF2Log for ACF2 processed reports; CheckPointAntiMalwareLog for Check Point Anti-Malware events

  • USERNAME - The user that ran the job

  • RESOURCE - The resource associated with the event

  • LOGTYPE - One of: RPTLL, RPTRL, RPTDS, RPTEL, RPTRV, Access, RPTPW

  • EVENTID - "ACCESS" in the case of RPTDS reports; column 76 onward in RPTRV reports

  • RETURN - RPTDS: columns 38-48; RPTRV: columns 50-55

  • DATA - Carriage-return delimited report data that is not mapped into any of the other fields
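As an added example, not Snare Central's own parser, the following Python applies the column rules from the table above (1-based, inclusive columns) to one report record and joins the record's lines with \r, as the note in the Overview describes. The sample lines are constructed here so that only the documented column positions carry meaning; they are not real ACFRPTDS or ACFRPTRV output. It is assumed that the first line of a record is the detail line the columns refer to, and USERNAME and RESOURCE are passed in by the caller because the page does not give their positions.

```python
# Column rules documented for the ACF2Log fields (1-based, inclusive), per report type.
RETURN_COLS = {"RPTDS": (38, 48), "RPTRV": (50, 55)}
EVENTID_COLS = {"RPTRV": (76, None)}  # column 76 onward


def cols(line, first, last=None):
    """Return columns first..last (1-based, inclusive) of a fixed-format line, trimmed.

    A slice end of None means 'to end of line', which is how 'column 76 onward' is expressed.
    """
    return line[first - 1:last].strip()


def acf2_event(logtype, report_lines, date, time, system, username="", resource=""):
    """Build a Snare-style ACF2Log event dict from one report record (one or more lines).

    Only fields whose derivation the page documents are extracted here. The first line is
    assumed to be the detail line (an assumption of this example, not a documented layout).
    """
    detail = report_lines[0]
    if logtype == "RPTDS":
        eventid = "ACCESS"                      # fixed value for dataset violation/logging
    elif logtype in EVENTID_COLS:
        eventid = cols(detail, *EVENTID_COLS[logtype])
    else:
        eventid = ""                            # no documented derivation for other reports
    ret = cols(detail, *RETURN_COLS[logtype]) if logtype in RETURN_COLS else ""
    return {
        "DATE": date,
        "TIME": time,
        "SYSTEM": system,
        "TABLE": "ACF2Log",
        "USERNAME": username,
        "RESOURCE": resource,
        "LOGTYPE": logtype,
        "EVENTID": eventid,
        "RETURN": ret,
        # Report newlines become carriage returns in the DATA section of the event.
        "DATA": "\r".join(l.rstrip("\r\n") for l in report_lines),
    }


def _pad(parts, width=132):
    """Lay out (column, text) pairs on a blank fixed-width line (helper to build test data)."""
    line = [" "] * width
    for col, text in parts:
        line[col - 1:col - 1 + len(text)] = list(text)
    return "".join(line)


# Constructed stand-in records: only the documented columns are meaningful.
SAMPLE_RPTDS = [
    _pad([(1, "ZXXX"), (38, "LOGGING"), (60, "SYS1.PARMLIB")]),
    "   SECOND LINE OF THE SAME RECORD",
]
SAMPLE_RPTRV = [_pad([(1, "ZXXX"), (50, "VIOL"), (76, "UPDATE FACILITY")])]

if __name__ == "__main__":
    print(acf2_event("RPTDS", SAMPLE_RPTDS, "2017-08-07", "10:46:08", "DEVT", username="ZXXX"))
    print(acf2_event("RPTRV", SAMPLE_RPTRV, "2017-08-07", "10:46:08", "DEVT", username="ZXXX"))
```

The off-by-one is the usual trap here: "columns 38-48" is the Python slice [37:48], and "column 76 onward" is [75:]. Multi-line records survive as a single DATA string because the line breaks are folded into \r rather than dropped.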

Notes

The sample job below performs the following steps:

  • Deletes the previous day's FTP transfer library.

  • Runs the ACF2 report, placing its output in a GDG (7 generations kept).

  • Allocates a new FTP transfer library and copies the report into it from the GDG generation created in the previous step.

  • FTPs the transfer library to Snare Central.

    • The 'snarexfer' FTP user must be used.

    • This user's home directory defaults to "/data/SnareCollect" on the Snare Central server.

    • The ACF2 processed reports must be placed in the "ACF2Log" sub-directory ("/data/SnareCollect/ACF2Log").

    • The FTP commands live in a parm library member rather than in the job, and member level security is used to protect the FTP lid password held there. Note that plain FTP sends both the password and the report contents in clear text on the network, so the transfer path should be confined to a trusted network segment.

  • Sends an e-mail to the security monitoring team if the job fails (the JOBFAIL IF/ENDIF around the SENDMEMO step).

The IEBGENER program used in the sample job is an IBM-supplied utility that copies sequential data sets between disk and tape; here it copies the report from the GDG generation to the transfer library.

The IKJEFT01 program is the TSO/E terminal monitor program; it runs TSO commands (here, DELETE) within a batch job.

Code Block

//CSCSNR01 JOB (P,SCF81),ACT.SECURITY,CLASS=C,MSGCLASS=J
/*JOBPARM SYSAFF=PROD
//*-----------------------------------------------------------------
//*
//* JOB TO PRODUCE ACF2 LIDMOD REPORT FOR XFER TO SNARE SERVER
//*
//*---------- DELETE TEMP XFER LIB ---------------------------------
//*
//STEP1    EXEC PGM=IKJEFT01,REGION=8192K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTERM  DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
  DELETE 'CSC.SNARE01.LIDMODS.XFER'
//*
//*---------- ACF2 LID DB MODIFICATION LOG REPORT ------------------
//*
//STEP2    EXEC PGM=ACFRPTLL
//SYSPRINT DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
//            DISP=(,CATLG),
//            VOL=SER=BTCH52,
//            UNIT=SYSDA,
//            SPACE=(TRK,(60,5),RLSE),
//            DCB=(GDGMODEL,RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSUDUMP DD SYSOUT=*
//REC01    DD DSN=CTF.SMFJR,DISP=SHR
//SYSIN    DD *
  MASK(********) DETAIL NOUPDATE SYSID(****)
//*
//*---------- COPY REPORT FROM GDG TO XFER LIB ---------------------
//*
//COPY     EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),DISP=SHR
//SYSUT2   DD DSN=CSC.SNARE01.LIDMODS.XFER,
//            DISP=(NEW,CATLG,DELETE),
//            VOL=SER=BTCH52,
//            UNIT=SYSDA,
//            SPACE=(TRK,(60,5),RLSE),
//            DCB=*.SYSUT1
//*           DCB=(RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSIN    DD DUMMY
//*
//*---------- FTP XFER FILE TO SNARE SERVER ------------------------
//*
//* FTP IS A SITE CATALOGED PROCEDURE; FTPCMDS NAMES THE PARM
//* LIBRARY MEMBER HOLDING THE FTP COMMANDS (SEE NOTES ABOVE)
//STEP4    EXEC FTP,
//            SERVER='CSCSNARE',
//            FTPUSER='SNAREXFER',
//            FTPCMDS='CSCSNR01',
//            ENV='PROD',
//            SOUT='*'
//*
//*---------- NOTIFY SECURITY MONITORING TEAM IF JOB FAILS ---------
//*
//JOBFAIL  IF ((RC > 4) | (ABEND)) THEN
//SENDMEMO EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD *
HELO NCC
MAIL FROM:<PSC0SCHD@AGENCY.COM>
RCPT TO:<ITSECMON@AGENCY.COM>
DATA
TO:ITSECMON<ITSECMON@AGENCY.COM>
SUBJECT:SNARE REPORT FTP JOB FAILURE: JOB CSCSNR01

PLEASE CHECK SDSF OUTPUT FOR THIS JOB ASAP AND DETERMINE WHY.

>> THIS E-MAIL IS GENERATED BY A BATCH JOB RUNNING ON THE
>> AGENCY'S MAINFRAME ENVIRONMENT.
.
QUIT
/*
//SYSUT2   DD SYSOUT=(B,SMTP)
//SYSIN    DD DUMMY
//JOBFAIL  ENDIF
//*===================================================================

Check Point Anti-Malware Fields

Check Point Anti-Malware events (TABLE value CheckPointAntiMalwareLog) populate the following fields:

  • SEVERITY - Event severity

  • ORIGIN - Name of the first Security Gateway that reported this event

  • MESSAGE - Event message

  • SNAREDATAMAP - Data that was not mapped to any of the above fields is pushed here.

Notes

  • The ORIGIN field is derived from originsicname or origin: the CN value of originsicname is used first, and if originsicname is not present, origin is used.

  • The MESSAGE field is derived from either the msg or the subscription_stat_desc value.

  • All other fields are appended to the SNAREDATAMAP field.
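As an added example, not the CheckPointAntiMalwareLog module's own code, the following Python parses the two sample log lines above and applies the mapping rules in these Notes: ORIGIN from the CN of originsicname, falling back to origin; MESSAGE from msg, falling back to subscription_stat_desc; every other extension key into SNAREDATAMAP. It assumes the receiver prefix is "date time hostname ip", which is how the samples are laid out, and takes SEVERITY from the CEF header. The key regex requires a whitespace boundary before each key so that the "=" characters inside the originsicname value (CN=...,O=...) are not read as new fields, and an empty value such as deviceCustomDate2= is kept as an empty string.

```python
import re

# The two sample lines shown on this page (addresses masked on the page as 1XX.XXX.XXX.XXX).
SAMPLE_LOGS = [
    "2022-06-06 10:13:01 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|High|"
    "cp_severity=High deviceDirection=0 msg=Error occurred while accessing:www.example.com rt=1654481578000 "
    "alert=alert ifname=daemon loguid={0x629d62ac,0x1e,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX "
    "sequencenum=26 version=5 product=Anti Malware reason=Failed to fetch Check Point resources. Couldn't "
    "resolve host name, check /opt/CPsuite-R81/fw1/log/rad_events/Errors/flow_140125_45982949 For more details",
    "2022-06-06 10:10:37 hostname 1XX.XXX.XXX.XXX CEF:0|Check Point|Anti Malware|Check Point|Log|Log|Very-High|"
    "cp_severity=Very-High cs2Label=Update Status deviceCustomDate2Label=Subscription Expiration deviceCustomDate2= "
    "deviceDirection=1 rt=1654481436000 loguid={0x629d621d,0xd,0x8a5a11ac,0x36886ca} origin=1XX.XXX.XXX.XXX "
    "originsicname=CN=aaaaa,O=aaaaa..aaaaaa sequencenum=18 version=5 contract_name=Anti Bot Basic Metadata "
    "log_id=4 product=Anti Malware special_properties=0 subscription_stat=expired "
    "subscription_stat_desc=Contract is expired.",
]

# A key starts only at a whitespace boundary (or the start of the extension), so the '='
# inside a value such as "CN=aaaaa,O=aaaaa..aaaaaa" does not begin a new field.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
_CN_RE = re.compile(r"(?:^|,)CN=([^,]+)")
_PIPE_RE = re.compile(r"(?<!\\)\|")  # CEF escapes a literal pipe in the header as '\|'


def parse_extension(ext):
    """Split a CEF extension into {key: value}; values may contain spaces or be empty."""
    fields = {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields


def parse_checkpoint_cef(line):
    """Map one Check Point Anti-Malware CEF line onto the CheckPointAntiMalwareLog fields."""
    prefix, _, cef = line.partition("CEF:")
    if not cef:
        raise ValueError("not a CEF record")
    # Header: version|vendor|product|version|signature id|name|severity|extension
    parts = _PIPE_RE.split(cef, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    fields = parse_extension(parts[7])

    # ORIGIN: CN of originsicname first, otherwise origin (both consumed).
    sic = fields.pop("originsicname", "")
    origin = fields.pop("origin", "")
    cn = _CN_RE.search(sic)
    # MESSAGE: msg first, otherwise subscription_stat_desc (only the one used is consumed).
    message = fields.pop("msg", None)
    if message is None:
        message = fields.pop("subscription_stat_desc", "")

    # Assumed receiver prefix layout "YYYY-MM-DD HH:MM:SS hostname ip" (as in the samples).
    stamp = prefix.split() + ["", "", ""]
    return {
        "DATE": stamp[0],
        "TIME": stamp[1],
        "SYSTEM": stamp[2],
        "TABLE": "CheckPointAntiMalwareLog",
        "SEVERITY": parts[6],
        "ORIGIN": cn.group(1) if cn else origin,
        "MESSAGE": message,
        "SNAREDATAMAP": fields,  # everything not mapped above
    }


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(parse_checkpoint_cef(raw))
```

Both severity sources survive: the header field becomes SEVERITY, while cp_severity stays in SNAREDATAMAP, so a detection rule can check either. The second sample has no msg, so MESSAGE falls through to "Contract is expired." and ORIGIN comes from the CN rather than the masked IP.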

References:

https://community.checkpoint.com/t5/Management/Log-Exporter-CEF-Field-Mappings/m-p/41060

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk144192