JCL for using TSSAUDIT in batch is outlined below. Sample listings for TSSAUDIT appear at the end of this chapter.
//STEP1    EXEC PGM=TSSAUDIT[,PARM='control statement(s)']
//AUDITOUT DD   SYSOUT=*
//RECOVERY DD   DSN=name.of.recovery.file,DISP=SHR
//ddname   DD   DSN=name.of.apf.file,DISP=SHR
//AUDITIN  DD   *
TSSAUDIT control statement(s)
/*
The use of each of the above DD statements is described next.
AUDITIN
Defines an input data set containing TSSAUDIT control statements. This data set is normally included in the input stream, but can also be a sequential data set or member of a PDS. The following DCB attributes are set by TSSAUDIT and cannot be changed: DSORG=PS and LRECL=80. Block size may be any multiple of 80.
AUDITOUT
Defines an output data set containing messages issued by TSSAUDIT. This data set can be assigned to a printer, tape volume, or DASD volume. The following DCB attributes are set by TSSAUDIT and cannot be changed: DSORG=PS, RECFM=FBA, LRECL=133, and BLKSIZE=1330.
ddname
Defines an input data set to be processed as specified in one or more APF control statements. No DCB attributes should be specified. This DD statement is required only when the APF control statement is specified with the DDNAME operand. Multiple data sets may be concatenated.
RECOVERY
Defines an input data set containing the CA Top Secret recovery file. DCB attributes should not be specified. This DD statement is required only when the CHANGES control statement is specified.
Control statements can be entered in the PARM field of the EXEC statement and/or as input in the AUDITIN DD statement.
If the AUDITIN data set is not used, its DD statement must be specified as follows:
//AUDITIN DD DUMMY
Control statements in the AUDITIN data set must begin in column 1.
APF
Lists information about one or more load modules residing in authorized libraries.
CHANGES
Lists changes made to the CA Top Secret Security File. Only changes made by an administrator within the scope of the ACID running the utility are reported.
MVS
Lists information about site‑written SVCs, the Program Properties Table (PPT), and the Terminal Monitor Program's authorized program lists.
PRIVILEGES
Lists Security File information about one or more ACIDs. Only privileges for ACIDs within the scope of the ACID running the utility are reported.
The APF control statement generates a two-part report that displays:
The data sets in these lists can be located on the specified volumes. Data sets whose volumes do not exist or that cannot be located on the volume will be omitted from consideration.
The APF control statement may take any of the following formats:
TSSAUDIT searches modules on SYS1.LPALIB (by default) as well as any libraries in the current dynamic-APF list.
TSSAUDIT searches modules in the library specified by the filename specified in the DDNAME operand. The DDNAME for this specification is expected to reference a PDS of RECFM=U, containing load modules.
TSSAUDIT searches modules from libraries specified in the local SYS1.PARMLIB members (IEAAPFnn and LNKLSTnn).
TSSAUDIT searches modules from libraries specified in a specific PARMLIB (not necessarily the one in use where the utility is being executed). The DDNAME for this specification is expected to reference a fixed length 80-character record partitioned data set.
The following is the APF control statement syntax:
APF <DDNAME=xx> <{PARMLIB         }> <DUMPALL|STRING(charstrg)|ZAPPED>
                <{MEMBER(*|module)}>
Use the following operands with this syntax:
DDNAME=xx
If PARMLIB is specified, DDNAME refers to a copy of SYS1.PARMLIB to be searched for static LPALSTxx members and LNKLSTxx members. The data sets provided in these static lists will then be searched for load modules and reported for their audit characteristics. This file is expected to be an 80-character length partitioned data set.
If PARMLIB is not specified, DDNAME refers to a load library (a partitioned data set of RECFM=U) to be searched and reported on specifically.
PARMLIB
Specifies that the list of data sets to be searched for load modules is to be taken from the current SYS1.PARMLIB (when no DDNAME is specified) or from a copy of another system's SYS1.PARMLIB (when DDNAME is specified and references the parmlib to be searched). PARMLIB is mutually exclusive with MEMBER.
MEMBER(*|module)
Specifies that all modules are to be searched (*) or that a specific module is to be searched. MEMBER is mutually exclusive with PARMLIB.
DUMPALL
All CSECTs in each module are to be listed in the report.
STRING(charstrg)
Only modules containing the specified character string ("charstrg") are to be reported in the second part of the report. The character string must consist of alphanumeric characters and must not be enclosed in apostrophes or quotes.
ZAPPED
Only modules whose IDR count is greater than zero will be listed.
Use the CHANGES control statement to list changes made to the CA Top Secret security file.
Note: You can list only changes that are within your scope. For example, a VCA can list changes for his or her division and all departments within his or her division.
This control statement has the following format:
CHANGES [CA(acid)]
        [DATE(yyddd|yyddd,yyddd|-nn|-nn,-nn|TODAY)]
        [TIME(hhmmss|hhmmss,hhmmss)]
        [STRING(string)]
CA(acid)
Lists only security file changes that were made by the control ACID that you specify. Omitting this entry lists all changes.
DATE
Selects records based on a date or range of dates. Omitting DATE lists all changes made from the beginning date of the recovery file.
Note: Specifying DATE and TIME concurrently displays only records that are within both the date range and time range.
yyddd|yyddd,yyddd
Specifies a specific date or range of dates (in Julian format) from which to select records. Specifying only one date selects records that are produced from that date through the current date. Specifying two dates creates a range that selects records that are produced between the specified dates.
To select records that are produced on a single day, specify the same value for both yyddd entries.
-nn
Specifies a value from -00 to -99, which subtracts the specified number of days from the current date (to create a start date). This specification produces a report that includes records from the start date through the current date.
Example: Specify DATE(-01) to use yesterday as a start date and produce a report that includes records from yesterday through today.
-nn,-nn
Specifies a set of values (each value between -00 and -99) to select records that are produced on the two relative dates and during the time between the dates.
Example: Specify DATE(-60,-40) to select all records that were produced between 60 days ago and 40 days ago.
TODAY
Selects records from today.
TIME
Selects records that are produced at a specific time or during a specific time period (up to but not including 24 hours). Specifying only one time selects the records that are produced from that time through the end of the 24-hour period. Specifying two times selects all records that are produced between those times. Omitting TIME lists all changes that are made in a 24-hour period (000000 to 235959).
Note: Specifying DATE and TIME concurrently displays only records that are within both the date range and time range.
To select records that are produced at a specific time, specify the same value for both hhmmss entries.
Example: Specify TIME(181500,181500) to select records that are produced at 6:15 p.m.
Important! You cannot produce a single report that spans days. For example, to select all records produced between 6:00 p.m. yesterday and 6:00 a.m. today, you must produce multiple reports by using the following specification:
TIME(180000) DATE(-01,-01)
TIME(000000,060000) DATE(TODAY)
STRING(string)
Lists only the changes that contain the specified string entries.
Because TSSAUDIT reads the entire CA Top Secret recovery file into memory when the CHANGES control statement is specified, you might need to increase the REGION size. Insufficient storage is indicated by a U2719 abend.
Example: Report Changes Based on a Specific Time
This example generates a report on all security file changes that were made at 8:00 a.m. and later (within a 24-hour period) for all days on and after the date that the recovery file started:
CHANGES TIME(080000)
Example: Report Changes Based on a Time Period
This example generates a report on all security file changes that were made from 8:00 a.m. to 4:00 p.m. for all days on and after the date that the recovery file started:
CHANGES TIME(080000,160000)
Example: Report Changes Based on a Date in the Past
This example produces a report on all security file changes that occurred yesterday:
CHANGES DATE(-01,-01)
Example: Report Changes Based on a Specific Date
This example produces a report on all security file changes that occurred on May 4, 2012:
CHANGES DATE(12124,12124)
Example: Report Changes Based on a Date Range
This example produces a report on all security file changes that occurred between 14 days ago and 7 days ago.
Note: You can also specify two specific dates in Julian format.
CHANGES DATE(-14,-07)
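Because a single report cannot span days, an audit window that crosses midnight has to be split into one CHANGES statement per calendar day. The following added example (not part of the CA documentation) generates those statements with absolute Julian yyddd dates; the function names `julian` and `changes_statements` and the ACID `SECADM1` are hypothetical, and it assumes several CHANGES statements may be supplied together in AUDITIN.

```python
from datetime import date, datetime, time, timedelta
from typing import List, Optional

DAY_START, DAY_END = time(0, 0, 0), time(23, 59, 59)

def julian(d: date) -> str:
    """Format a date as yyddd, the Julian form used by DATE(...)."""
    return f"{d.year % 100:02d}{d.timetuple().tm_yday:03d}"

def changes_statements(start: datetime, end: datetime,
                       ca: Optional[str] = None) -> List[str]:
    """Build one CHANGES statement per calendar day covering start..end.

    TSSAUDIT cannot report across midnight in one statement, so each day
    gets DATE(d,d) plus the TIME range that applies to that day.
    """
    if end < start:
        raise ValueError("end precedes start")
    statements = []
    day = start.date()
    while day <= end.date():
        lo = start.time().replace(microsecond=0) if day == start.date() else DAY_START
        hi = end.time().replace(microsecond=0) if day == end.date() else DAY_END
        parts = ["CHANGES"]
        if ca:
            parts.append(f"CA({ca})")
        parts.append(f"DATE({julian(day)},{julian(day)})")
        if hi == DAY_END and lo != DAY_START:
            parts.append(f"TIME({lo:%H%M%S})")   # one value: through end of day
        elif (lo, hi) != (DAY_START, DAY_END):
            parts.append(f"TIME({lo:%H%M%S},{hi:%H%M%S})")
        # Otherwise the whole day is wanted and TIME is omitted.
        stmt = " ".join(parts)
        if len(stmt) > 80:                        # AUDITIN records are LRECL=80
            raise ValueError(f"statement exceeds 80 columns: {stmt}")
        statements.append(stmt)                   # no leading blanks: column 1
        day += timedelta(days=1)
    return statements

if __name__ == "__main__":
    # Constructed window: 6:00 p.m. on 10 March 2014 to 6:00 a.m. on 12 March 2014
    for line in changes_statements(datetime(2014, 3, 10, 18, 0),
                                   datetime(2014, 3, 12, 6, 0), ca="SECADM1"):
        print(line)
```

Each emitted line can be placed in the AUDITIN stream as is, since the statements carry no leading blanks and are checked against the 80-byte record length.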
Lists information about site‑written Supervisor Calls (SVCs), the Program Properties Table (PPT), and the Terminal Monitor Program's (TMP) authorized program lists.
MVS
There are no operands for this control statement.
The MVS option is only valid when issued by an SCA or an MSCA.
Lists Security File information about one or more ACIDs.
PRIVILEGES [SHORT]
Information is listed only for those ACIDs that have administrative authority or any of the following attributes or privileges:
| Abbreviation | Attribute |
|---|---|
| ASUS/SUSP | Administrative SUSPEND/SUSPEND ACID |
| AUD | AUDIT attribute |
| CONS | CONSOLE attribute |
| DUFU | DUFUPD attribute |
| DUFX | DUFXTR attribute |
| GAP | GAP attribute on profile |
| LDS | LDS attribute |
| MRO | MRO attribute |
| MPW | MULTIPW attribute |
| NADS | NOADSP attribute |
| NATS | NOATS attribute |
| NDSN | NODSNCHK privilege |
| NLCF | NOLCFCHK privilege |
| NPWC | NOPWCHG attribute |
| NRES | NORESCHK privilege |
| NSUB | NOSUBCHK privilege |
| NSUS | NOSUSPEND privilege |
| NVMD | NOVMDCHK privilege |
| NVOL | NOVOLCHK privilege |
| OID | OIDCARD attribute |
| PSUS | Password SUSPEND |
| REST | RSTDACC attribute |
| TMPW | TSOMPW attribute |
| TRA | TRACE attribute |
| VSUS | Violation SUSPEND |
| XSUS | Installation Exit SUSPEND |
In the listing produced by the PRIVILEGES control statement, underlining of attributes indicates that the attributes are in a profile to which the specified ACID is attached. If the PRIVILEGES control statement is specified, you must be the MSCA or have the following administrative authority:
TSS ADMIN (Auditor's acid)
ACID(REPORT,AUDIT)
RESOURCES(REPORT,AUDIT)
Copyright © 2014 CA Technologies. All rights reserved.