Ongoing Tasks to Maintain a Secure System

Use the MONITOR IO report to develop a familiarity with the normal amounts of I/O on your system at various times. Watch for abnormal changes.

Keep informed of the images installed on your system. Use the Install utility (INSTALL) to look for unexpected additions. When monitoring the known file list, compare the current list with a valid hardcopy listing.

Use the AUTHORIZE command SHOW on a regular basis to check for unauthorized user names.

Use the AUTHORIZE command SHOW/PROXY regularly to quickly recognize all proxy access that you have authorized. Watch for unexpected additions. Remove any remote users who no longer require access. Institute regular communications with system managers at remote nodes.

Apply the Accounting utility (ACCOUNTING) on a regular basis to give you a basis of normal amounts of processing time. Watch for unexplained changes.

Regularly check the accounting report produced by ACCOUNTING for known user names, unknown user names, and appropriate hours of system use.

Develop sufficient familiarity with your system's workload so that you notice normal (as well as abnormal) processing activity occurring at unusual hours.

Monitor device allocations routinely with the DCL command SHOW DEVICE so that you immediately notice any that are unexpected.

Become familiar with the recurring types of batch jobs that run on the batch queues and what times they are most likely to run.

Monitor the protection and ownership of critical files with the DIRECTORY/SECURITY command. Watch for unexplained changes in each.

Maintain familiarity with the rights list. Keep current listings so that you can recognize identifiers that have been added or new holders of the current identifiers.

Remove identifiers that are not in use. Keep the rights list current.

Regularly review the templates that you use to set up UAF records. Make any necessary changes.

Use the security-auditing features described in Chapter 9 “Security Auditing”.

Apply the Audit Analysis utility (ANALYZE/AUDIT) regularly to detect abnormal auditing activity.

When you allow new users to change their initial passwords, assign passwords that users will want to change or use the password generator. Check back to see if you can log in with the password you originally assigned. Where necessary, follow up with the user to determine why the change did not occur as requested.

Try searching unprotected user files for passwords embedded in network access control strings. The password will precede the 3-character terminator("::). Also search for the noun password, and see if any passwords are revealed nearby.

Check that your users are logging out properly. Make physical checks at the end of normal business hours.

Check that your users have appropriate default protections in place.

Keep informed about your inventory of magnetic tapes, disks, and program listings. Routinely check that inventory for possible indications that physical security has degraded.

Keep your office and all important listings locked up.