00056: Unauthorized Use of TSO Commands


FILE              TSO User Command Counts File
SAS FILE NAME     DETAIL.TSOTSC01
SOURCE LOCATION   sharedprefix.MICS.SOURCE(DYTSOEXC)

SEVERITY          Warning       (SEVERITY='W')
MANAGEMENT AREA   Standards     (MGMTAREA='STANDARDS')

PURPOSE      Identifies unauthorized users who have executed
             restricted commands.

RATIONALE    Three commands (OPER, LOOK, and RMFMON) can
             cause this exception.  The rationale for each
             command is given below.

    o TSO OPER command is used to allow authorized users to
      enter operator commands.  The OPER command checks the
      installation's User Attribute Data Set (UADS) to
      determine if a user is authorized to enter operator
      commands.  Unauthorized users are prevented from
      entering operator commands.  The use of this command by
      unauthorized users may indicate users who are probing
      the system to determine the limits of their access.
      The UADS entry for the unauthorized user should be
      verified to ensure that it has not been tampered with.

    o TSO LOOK command, a product of Applied Data Research,
      Princeton, New Jersey, is used to display CPU
      utilization, I/O activity, paging activity, Auxiliary
      Storage Manager (ASM) information, and System Resource
      Manager (SRM) information.  In addition, jobs can be
      canceled, address spaces terminated, jobs set
      nonswappable, dispatching priorities changed, and
      memory modified.  The use of this command is limited to
      authorized users of OPER commands.  In addition, other
      restrictions can be imposed during LOOK installation.
      Unauthorized users are prevented from entering LOOK
      commands.  The use of this command by unauthorized
      users may indicate users who are probing the system to
      determine the limits of their access.  The UADS entry
      for the unauthorized user should be verified to ensure
      that it has not been tampered with.

    o TSO RMFMON command, a part of the Resource Measurement
      Facility (RMF), IBM Program Product, is used to display
      system performance information, including System
      Resource Manager (SRM) information, paging activity,
      address space state information, and resource
      consumption information.  Authorized users of this
      command are specified during RMFMON installation.
      Unauthorized users are prevented from entering RMFMON
      commands.  Because of the technical nature of the
      information provided, the use of this command by
      unauthorized users should be followed up to determine
      the reason for their attempting access.

      RMF provides a user authorization exit routine
      (ERBTSOCK) that can be used to limit use of RMFMON
      (see SC28-0922).

DEFINITION   This exception is detected when an unauthorized
             user executes a restricted command.

EXCEPTION    The SAS statements identifying the exception
STATEMENTS   situation and describing the condition are
             stored in the source member named in SOURCE
             LOCATION and are described below:

************************************************************;
*
** 00056
** UNAUTHORIZED USE OF TSO COMMANDS
*;
IF  (COMMAND='OPER' AND NOT(ID=:'user-id'))
 OR (COMMAND='LOOK' AND NOT(ID=:'user-id'))
 OR (COMMAND='RMFMON' AND NOT(ID=:'user-id'))
 THEN DO;
  EXCCODE='00056'; SEVERITY='W'; MGMTAREA='STANDARDS';
  EXCDESC1='UNAUTHORIZED USE OF TSO COMMAND';
  EXCDESC2='USE COUNT=' || PUT(TSCCOUNT,3.);
  LINK HIT;
END;

THRESHOLD     Modify the list of authorized users according
MODIFICATION  to the following conventions:

    user-id   Each userid to be used for selection is
              specified as a one- to eight-character
              alphanumeric value and must be enclosed in
              quotes as a standard SAS character literal.
              Additional userids must be included in the
              parentheses and connected to the list with an
              OR.  The =: operator compares only the leading
              characters, so 'SYS' matches every userid
              that begins with SYS; use = to match one
              complete userid.  For all users whose userids
              do not begin with SYS or ABC, the
              specification would be:

                 AND NOT(USER=:'SYS' OR USER=:'ABC')

              For all users except those whose userids begin
              with SYS and the single user ABC006, the
              specification would be:

                 AND NOT(USER=:'SYS' OR USER='ABC006')
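
The following is an added example, not part of the MICS source member: it applies the second specification above to a few constructed rows so the difference between the prefix comparison (=:) and the exact comparison (=) can be checked before the list is changed in DYTSOEXC. The data set names TSC_SAMPLE and HITS and all sample userids are assumptions; the variable is written as USER, as in the specification examples, and OUTPUT stands in for LINK HIT because the HIT routine exists only inside the MICS exception code.

```sas
/* Constructed rows standing in for DETAIL.TSOTSC01.  Only the   */
/* variables referenced by the exception statement are modeled.  */
/* ABC0061 is included because it shares a prefix with ABC006.   */
DATA TSC_SAMPLE;
  LENGTH USER $8 COMMAND $8;
  INPUT USER $ COMMAND $ TSCCOUNT;
  DATALINES;
SYSPROG1 OPER 4
ABC006 RMFMON 2
ABC0061 RMFMON 1
ABC007 LOOK 3
PAY001 OPER 1
PAY001 EDIT 9
;
RUN;

DATA HITS;
  SET TSC_SAMPLE;
  LENGTH EXCCODE $5 SEVERITY $1 MGMTAREA $10
         EXCDESC1 $40 EXCDESC2 $40;
  /* USER=:'SYS'   authorizes every userid beginning with SYS.   */
  /* USER='ABC006' authorizes that one userid only; writing      */
  /* USER=:'ABC006' would also authorize ABC0061.                */
  IF  (COMMAND='OPER'   AND NOT(USER=:'SYS' OR USER='ABC006'))
   OR (COMMAND='LOOK'   AND NOT(USER=:'SYS' OR USER='ABC006'))
   OR (COMMAND='RMFMON' AND NOT(USER=:'SYS' OR USER='ABC006'))
   THEN DO;
    EXCCODE='00056'; SEVERITY='W'; MGMTAREA='STANDARDS';
    EXCDESC1='UNAUTHORIZED USE OF TSO COMMAND';
    EXCDESC2='USE COUNT=' || PUT(TSCCOUNT,3.);
    OUTPUT;   /* stand-in for LINK HIT in this test step */
  END;
RUN;

/* List the rows that would raise exception 00056. */
PROC PRINT DATA=HITS;
  VAR USER COMMAND TSCCOUNT EXCDESC2;
RUN;
```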