Kisco Systems

Kisco U

Monitoring sign-on activity


For powerful user profiles, such as Security Officer, it may be advisable to track when and where these profiles initiate terminal sessions. Intercepting and logging new sessions via the user profile's Initial Program (INLPGM) settings is a quick and efficient way to monitor logins. The initial program is, in effect, IBM's implementation of a terminal session signon exit process.

  • Create a simple CL program. It will not require any parameters from the OS.
  • In your CL program, retrieve the user profile using the Retrieve Job Attributes (RTVJOBA) command.
  • Send a message using the Send Program Message (SNDPGMMSG) command to a pre-defined message queue indicating that the user profile has performed a sign-on operation. For example, use the QSYSMSG message queue since it gets used by the operating system for security-related events.

For profiles where an initial program has already been configured, create a data area and store those values before you change the initial program setting. The data area is 20 characters long and contains the initial program and library associated with the user profile. Modify the CL to check for the data area. If one exists, end your CL program by calling the program stored in the data area after logging the profile login.

Compile the CL program by setting the USRPRF parameter to *OWNER and running the compile under the profile of a security officer. This ensures that all user profiles can run the program.
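The steps above, put together as one CL program. This is an added example, not Kisco's code. The library SECTOOLS, the convention of one data area per profile named after that profile, and the layout (program name in positions 1-10, library in 11-20) are assumptions made for illustration.

```cl
/* SIGNONLOG - added example; SECTOOLS and the data area layout are   */
/* assumptions. Compile with USRPRF(*OWNER) as described above.       */
PGM
  DCL VAR(&USER)   TYPE(*CHAR) LEN(10)
  DCL VAR(&DEVICE) TYPE(*CHAR) LEN(10)
  DCL VAR(&MSGDTA) TYPE(*CHAR) LEN(80)
  DCL VAR(&PRVPGM) TYPE(*CHAR) LEN(10)
  DCL VAR(&PRVLIB) TYPE(*CHAR) LEN(10)

  /* For an interactive job the job name is the display device name.  */
  RTVJOBA JOB(&DEVICE) USER(&USER)

  CHGVAR VAR(&MSGDTA) VALUE('Sign-on: profile' *BCAT &USER +
           *BCAT 'at device' *BCAT &DEVICE)

  /* CPF9897 is the general-purpose message in QCPFMSG; its text is   */
  /* whatever is passed in MSGDTA.                                    */
  SNDPGMMSG MSGID(CPF9897) MSGF(QCPFMSG) MSGDTA(&MSGDTA) +
              TOMSGQ(QSYS/QSYSMSG) MSGTYPE(*INFO)
  /* QSYSMSG exists only if it was created; fall back to QSYSOPR so   */
  /* the event is still recorded and the sign-on is not blocked.      */
  MONMSG MSGID(CPF0000) EXEC(DO)
    SNDPGMMSG MSGID(CPF9897) MSGF(QCPFMSG) MSGDTA(&MSGDTA) +
                TOMSGQ(QSYS/QSYSOPR) MSGTYPE(*INFO)
    MONMSG MSGID(CPF0000)
  ENDDO

  /* Saved initial program, if this profile had one before the        */
  /* change. No data area (or an unreadable one) means nothing to     */
  /* chain to, so the program just ends.                              */
  RTVDTAARA DTAARA(SECTOOLS/&USER (1 10)) RTNVAR(&PRVPGM)
  MONMSG MSGID(CPF0000) EXEC(RETURN)
  RTVDTAARA DTAARA(SECTOOLS/&USER (11 10)) RTNVAR(&PRVLIB)
  MONMSG MSGID(CPF0000) EXEC(RETURN)

  /* Hand over to the profile's original initial program.             */
  CALL PGM(&PRVLIB/&PRVPGM)
ENDPGM
```

Because the program adopts its owner's authority and calls whatever the data area names, restrict change authority on the data areas and their library to security administrators.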

Other login routes (not terminal sessions)

Be advised that some user profiles can access your system through means other than just terminal logins. You will need to monitor key exit points to capture these other activities. For users establishing a TCP/IP connection (using ACS, for example) there is a system TCP Signon Server exit point. The Telnet Device Initialization exit point can't really be used for signon tracking because it is called before the signon is completed and, as a result, does not have the user profile of the person doing the signon, only their IP address.

Our SafeNet/i software firewall can help monitor these types of logins.

Here is a log of LOGIN activity captured from exit point monitoring:

You can see *SIGNON activity (this is the TCP Signon Server) which does capture the correct user profile signing on and *TELNETON activity which is the Telnet Device Initialization, all captured under the system user profile of QSYS.

Our iEventMonitor software can log and alert on 5250 logins including user name details.