Selection criteria options determine the types of incidents to process. You can specify any option, but each option can be specified only once. For example, the following specification is valid:
DEPARTMENT(XYZ,ABC)
The following specification is not valid:
DEPARTMENT(XYZ) DEPARTMENT(ABC)
To be valid for processing, all selection criteria must be met within each SMF or Audit/Tracking File record.
Note: Abbreviated forms, if any, appear under the full names of the selection criteria in the boxed areas.
Every selection criteria option that has a parameter list can span multiple lines; however, the following restrictions apply:
Example: The following RESOURCE option specification splits a parameter across lines and is valid:
RESOURCE(SAMPLE.RESOURCE.NAME.THAT.IS.LONG.ENOUGH.SUCH.THAT.IT.
SPANS.MULTIPLE.LINES, ABC)
Example: The following DEPARTMENT option specification attempts to split a parameter across lines and is not valid:
DEPARTMENT(XY
Z,ABC)
Example: The following DEPARTMENT option specification splits the parameter list across lines and is valid:
DEPARTMENT(XYZ,
ABC)
The list of selection criteria is as follows:
Selects a level of access to data set, volume, CICS, UR1, UR2, and FIELD requests. Only those incidents whose access matches the requested access level are selected. A maximum of eight levels can be specified.
ACCESS(level,level,...,(resclass))
Used to select incidents with matching requested access level.
Access level names given are defined in the RDT for the resource class name given. If resource class is not given, DATASET is used as the default. Specifying a resource class name is optional.
Selects records produced by jobs or sessions running under a specific ACID. A maximum of eight ACIDs can be specified.
ACCESSOR(acid,acid*,*,...) ACID A
A specific ACID name. If you specify more than one, separate them with commas.
An ACID prefix. All ACIDs that begin with the given prefix are selected.
Selects undefined ACIDs including *MISSING*, *UNDEF*, and *BYPASS*.
ACID(*) might only be used by an SCA.
Selects records that refer to a specific resource class.
CLASS(type)
Replace type with one of the following single‑character codes:
a CA-IDMS SUBSCHEM.
b AllFusion™ CA‑IDMS® AREA
c Adabas database
d IMS DBD
e JESINPUT
f IBM Facility
g TSO account number
h TSO authority
i TSO procedure name
j TSO performance group
k VAX file
l VAX device
m VM IUCV
n VM VMCF
o TSAF
p JESPOOL
q JESJOBS
r OPERCMDS
s CICS CEMT SPI
t DEVICES (for VTAM 3.2)
u CA REPORT
v CA TAPE
w SMESSAGE (TSO/E)
x VTAMAPPL (VTAM 3.2)
y CAADMIN
z CAVAPPL
' SYSCONS
A Application
B Audited job submission
C Mode by user
D Data set
E CICS DCT
F CICS FCT
G Authentication call
H TOTAL file
I ACID type
J CICS JCT
K Terminal unlock
L Terminal lock
M UR1
N UR2
O TSS control options
P Program
Q CICS PPT
R Database field
S DL/1 PST
T Terminal
U Abstract
V Tape volume
W DASD volume
X Transaction
Y USERn
Z CICS TST
1 Change propagation
2 CA jobname
3 CA panel
4 DUFXTR
5 DUFUPD
6 User logging
7 VM MDISK
8 VM CP CMD
9 VM diagnose
0 VM network
* Reserved
# VM RDR
% Logging DB2 resources
$ VM DCSS
@ VM dial
+ Logging installation exit call
= CACMD
- CA Scheduler
? Extract
< Operation commands
> Owned transactions
. Data set
/ Dasdvold
´´ Tapevolt
! CA Station
& Recipid
: Reserved
¢ VMANAPPL
¦ UNVEDIT
\ UNVRPRT
~ UNVPGM
, CPU
| SDSF userclass
} VM Machine
{ IMBGROUP
` PROPCNTL
_ Librarian resource CALIBMEM
; Librarian resource CACCFMEM
¬ Librarian resource CACCFDSN
( SMS management class
) SMS storage class
Note: Class O records only display when specifically requested, and they can only be requested by the SCA and MSCA.
Selects records that refer to any of the specified data set prefixes. A maximum of eight data set prefixes can be specified.
DATASET(dsnprx,...) DSN D
A data set prefix. All records that refer to data set(s) matching the prefix(es) are selected. If you specify more than one prefix, separate them with commas.
Use the DATE selection criteria option to select records by using dates or date ranges. This option has the following format:
DATE(yyddd|yyddd,yyddd|-nn|-nn,-nn|TODAY)
Selects records based on a date or range of dates. Omitting DATE lists all changes made from the beginning date of the recovery file.
Note: Specifying DATE and TIME concurrently displays only records that are within both the date range and time range.
Specifies a specific date or range of dates (in Julian format) from which to select records. Specifying only one date selects records that are produced from that date through the current date. Specifying two dates creates a range that selects records that are produced between the specified dates.
To select records that are produced on a single day, specify the same value for both yyddd entries.
Specifies a value from -00 to -99, which subtracts the specified number of days from the current date (to create a start date). This specification produces a report that includes records from the start date through the current date.
Example: Specify DATE(-01) to use yesterday as a start date and produce a report that includes records from yesterday through today.
Specifies a set of values (each value between -00 and -99) to select records that are produced on the two relative dates and produced during the time between the dates.
Example: Specify DATE(-60,-40) to select all records that were produced between 60 days ago and 40 days ago.
Specifies to select records from today.
Selects one or more departments for which Security Records are selected. A maximum of eight Department ACIDs can be specified. TSSUTIL reports only on users that are in a DEPARTMENT when the audit record is created.
DEPARTMENT(dept,...)
Specifies the department name.
Use the DIVISION selection criteria option to select one or more divisions for which security records are selected. This option has the following format:
DIVISION(division,...)
Specifies the division ACID name. You can specify a maximum of eight division ACIDs.
Selects all records that are flagged with the specified error code(s).
DRC(code,... |IN|DS|VL|RS|PW)
Specifies a detailed error reason code in hexadecimal format: 00 through FF, up to a maximum of 32 total DRCs.
Selects all initiation violation codes. 01 - 1D, 46, and 64
Selects all data set violation codes. 65 ‑ 72
Selects all volume violation codes. 73 ‑ 81
Selects all resource violations. 42, 5F - 63, and 82 - 101
Selects all password and OID violations. 07 ‑ 0F
Selects one or more of the incidents to be chosen.
EVENT(ALL|ACCESS,JOBS,INIT,TERM,VIOL,AUDIT,AUDTA)
Selects all events except TSS control options. See keyword CLASS type O for details. ALL is the default.
Note: ALL is mutually exclusive with all other options.
Selects resource and facility accesses.
Selects job/session initiations and terminations.
Selects only job/session initiations.
Selects only job/session terminations.
Selects resource and facility access and password violations.
Selects audited incidents.
Displays OK+A events and prevents OK+B events from displaying.
Displays OK+B events and prevents OK+A events from displaying.
Note: VIOL and AUDIT allow extended scope checking for DCAs and VCAs. A DRC of '09', '77', '01', '1B', and '1C' will always be audited with the AUDIT/AUDTA option.
Use to exclude a job record from the report output. A maximum of eight job names can be specified.
EXCLJOB(jobname,jobname*,…)
Indicates the name of the job record to exclude from the report output.
Indicates a job name or job name prefix. All job names that start with the supplied prefix are selected.
Use to exclude an ACID record from the report output. A maximum of eight ACIDs can be specified.
EXCLACID(acid,acid*,…)
Indicates the ACID record to exclude from the report output.
Indicates an ACID or ACID prefix. All ACIDs that start with the supplied prefix are selected.
Selects records produced by jobs or sessions using one or more specific system facilities.
FACILITY(ALL|fac,...) FAC F
Includes all facilities. The default is ALL.
A system facility defined to CA Top Secret: BATCH, STC, TSO, IMS, CICS, NCCF, CA‑Roscoe®, WYLBUR, or any installation‑defined facility.
When used with the ACID keyword, selects ACIDs that have been deleted from the Security File. For example, if ACID USER10 has been deleted, the following statement would report on the events USER10 created:
REPORT EVENT (ALL) ACID(USER10) HISTORY
HISTORY
Note: This keyword can only be used by an SCA or the MSCA.
Selects records with specific job IDs. A maximum of eight job IDs can be specified.
JOBID(jobid1,jobid*,…)
Specifies a job ID.
Specifies a job ID or job ID prefix. All job IDs that start with the supplied prefix are selected.
Selects records produced by specific jobs or online sessions. A maximum of eight jobnames can be specified.
JOBNAME(jobname, job*,...) JOB J
Specifies a jobname or online userid.
Specifies a jobname or TSO userid prefix. All jobnames that start with the supplied prefix are selected.
Changes the default line count of 53 information lines for the report listing.
LINECNT(nn)
Specifies the new line count, in the range 10 to 99.
Requests the simultaneous production of a report listing when used with the EXTRACT verb.
LIST
Requests the long format (two lines per event) of a report.
LONG
Selects all events that were recorded while the user was in the specified mode.
MODE(DORMANT|WARN|IMPL|FAIL)
Use the NOECHO selection criteria option to suppress echoed input parameters and the preceding title line (unless CA Top Secret detects a parameter syntax error or compatibility error). If an error is detected, CA Top Secret prints the parameter echo title, all input parameters, and all error messages in order.
"Echoed" content in the output represents a visual copy of your specified input, which allows you to quickly review the input specifications for accuracy. However, suppressing the echoed content lets you run TSSUTIL output directly into another program (without having to skip the echoed content).
This option has the following format:
NOECHO
Suppresses generation of legend at the bottom of all reports in current job execution.
NOLEGEND
Use the NOTITLE selection criteria option to suppress all title lines and pagination in the main body of the TSSUTIL report. The option also suppresses the legend that normally follows the TSSUTIL report.
Important! This option is incompatible with ONETITLE.
This option has the following format:
NOTITLE
Use the ONETITLE selection criteria option to print one full title block at the beginning of the TSSUTIL report and suppress all later pagination and title blocks.
Important! This option is incompatible with NOTITLE.
This option has the following format:
ONETITLE
Selects records with specific program names. A maximum of eight program names can be specified.
PROGRAM(PROGRAM1,PROG*,…)
Specifies a program name.
Specifies a program name or program name prefix. All program names that start with the supplied prefix are selected.
Selects any resource class defined in the RDT.
RESCLASS(resource class name)
Any resource that has been predefined or dynamically defined to the RDT.
Use the RESOURCE selection criteria option to select records that refer to all resource prefixes or a specific resource name. You can specify up to eight resource prefixes or specific resource names. Use commas to separate multiple prefixes or names.
Note: You can use the RESOURCE and RESCLASS options together to select a specific type of resource.
This option has the following format:
RESOURCE(prefix,'name',...)
Specifies a prefix (up to eight characters) for an online or RJE terminal, command, program, application, or user-defined resource. Specifying a prefix selects all records that refer to resources matching the prefix.
Specifies a specific resource entity name (up to 255 characters) for an online or RJE terminal, command, program, application, or user-defined resource. Specifying a name selects all records that refer to resources matching the name.
Note: You must enclose the name within single quotation marks.
Specific resource names can span multiple lines. For a long resource name, ensure that the name is enclosed in single quotation marks before starting any new name or prefix.
Important! If a resource name spans multiple lines, do not exceed column 72 on a line before continuing the name on the next line. TSSUTIL ignores any content in columns 73 through 80.
Selects records produced on a specific system or CPU. Use SYSID to select records from an SMF file in which SMF records from multiple systems have been merged.
SYSID(smfid)
The four‑character SMF‑id of the required system.
Selects all events associated with a specific terminal or reader. This includes all events, not only initiations.
TERMINAL(termprx,...) TERM T
A prefix for an online terminal or RJE reader.
(Applicable with EARLOUT option) Bypasses the process of populating the Department, Division, and Zone columns of a CA Earl report with ACID names. This process avoids the I/O processing that is associated with producing these names, which helps shorten the report running time.
TERSE
Use the TIME selection criteria option to select records by using a specific time or a time period. This option has the following format:
TIME(hhmmss|hhmmss,hhmmss)
Selects records that are produced at a specific time or during a specific time period (up to but not including 24 hours). Specifying only one time selects the records that are produced from that time through the end of the 24-hour period. Specifying two times selects all records that are produced between those times. Omitting TIME lists all changes that are made in a 24-hour period (000000 to 235959).
Note: Specifying DATE and TIME concurrently displays only records that are within both the date range and time range.
To select records that are produced at a specific time, specify the same value for both hhmmss entries.
Example: Specify TIME(181500,181500) to select records that are produced at 6:15 p.m.
Important! You cannot produce a single report that spans days. For example, to select all records produced between 6:00 p.m. yesterday and 6:00 a.m. today, you must produce multiple reports by using the following specification:
TIME(180000) DATE(-01,-01)
TIME(000000,060000) DATE(TODAY)
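The per-day split described above, generalized to an incident window of any length, as an added example (not from the CA documentation). The function name report_specs is hypothetical; it emits absolute yyddd dates instead of -nn or TODAY so the result does not depend on the day the job runs, and it always writes both TIME bounds.

```python
from datetime import datetime, timedelta

def report_specs(start, end):
    """Split [start, end] into one TIME/DATE selection per calendar day."""
    if end < start:
        raise ValueError("end precedes start")
    specs, day = [], start.date()
    while day <= end.date():
        # Only the first and last day are clipped; days in between are whole.
        t0 = start.strftime("%H%M%S") if day == start.date() else "000000"
        t1 = end.strftime("%H%M%S") if day == end.date() else "235959"
        jul = day.strftime("%y%j")      # yyddd, e.g. 1999-04-26 -> 99116
        specs.append(f"TIME({t0},{t1}) DATE({jul},{jul})")
        day += timedelta(days=1)
    return specs

# Constructed window: 6:00 p.m. on one day to 6:00 a.m. on the next.
for spec in report_specs(datetime(1999, 4, 25, 18, 0, 0),
                         datetime(1999, 4, 26, 6, 0, 0)):
    print(spec)
```

Each returned string is the selection criteria for one separate report.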
Provides up to 39 characters to replace the characters “CA Top Secret” on the report title line.
TITLE(text...)
Indicates whether events with undefined (*UNDEF*) or missing (*MISSING*) ACIDs are selected.
UNDEF(INC|EXC)
Includes undefined or missing ACID events. The default is UNDEF(INC).
Excludes undefined or missing ACID events.
Selects records that refer to any of the specified prefixes.
VOLUME(volprx,...) VOL V
A volume prefix. All records that refer to any volume matching the prefix are selected. If you specify more than one prefix, separate each of them with commas.
Use the ZONE selection criteria option to select one or more zones for which security records are selected. This option has the following format:
ZONE(zone,...)
Specifies the zone ACID name. You can specify a maximum of eight zone ACIDs.
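A pre-submission check for the rules this page states (each option once, the eight-parameter limits, DATE and TIME formats, NOTITLE with ONETITLE, EVENT(ALL), column 72), as an added example that is not CA code. The function names, the alias table and the parsing approach are assumptions; resource names in quotation marks that contain commas or parentheses are not handled.

```python
import re

# Limits and short forms are the ones this page states or uses. ACCESS is left
# out of MAX_EIGHT because its list can carry an extra (resclass) entry.
MAX_EIGHT = {"ACCESSOR", "DATASET", "DEPARTMENT", "DIVISION", "ZONE", "EXCLJOB",
             "EXCLACID", "JOBID", "JOBNAME", "PROGRAM", "RESOURCE"}
ALIASES = {"ACID": "ACCESSOR", "A": "ACCESSOR", "DSN": "DATASET", "D": "DATASET",
           "FAC": "FACILITY", "F": "FACILITY", "JOB": "JOBNAME", "J": "JOBNAME",
           "RES": "RESOURCE", "TERM": "TERMINAL", "T": "TERMINAL",
           "VOL": "VOLUME", "V": "VOLUME"}
TOKEN = re.compile(r"([A-Z]+)\s*(?:\(((?:[^()]|\([^()]*\))*)\))?")
# Constructed sample input with four deliberate errors.
SAMPLE = ["DEPARTMENT(FINANCE) DEPARTMENT(PAYROLL) EVENT(ALL,VIOL)",
          "DATE(14400) TIME(181500) NOTITLE ONETITLE"]

def valid_date(p):
    """yyddd (ddd 001-366), -nn, or TODAY."""
    if p == "TODAY" or re.fullmatch(r"-\d\d", p):
        return True
    return bool(re.fullmatch(r"\d{5}", p)) and 1 <= int(p[2:]) <= 366

def valid_time(p):
    """hhmmss within 000000-235959."""
    return (bool(re.fullmatch(r"\d{6}", p)) and int(p[:2]) < 24
            and int(p[2:4]) < 60 and int(p[4:]) < 60)

def lint(lines):
    """Return findings for the selection criteria of one report."""
    findings = [f"line {i}: text past column 72 is ignored"
                for i, l in enumerate(lines, 1) if len(l.rstrip()) > 72]
    text = "\n".join(l[:72].strip() for l in lines)
    seen = {}
    for name, plist in TOKEN.findall(text):
        name = ALIASES.get(name, name)
        params = [p.strip() for p in plist.split(",")] if plist else []
        # Assumption drawn from the page's examples: only RESOURCE names may
        # continue on the next line; other parameters may not be split.
        if name != "RESOURCE" and any("\n" in p for p in params):
            findings.append(f"{name} parameter is split across lines")
        if name in seen:
            findings.append(f"{name} specified more than once")
        seen[name] = params
        if name in MAX_EIGHT and len(params) > 8:
            findings.append(f"{name} has {len(params)} parameters (maximum 8)")
        if name == "DATE" and not all(valid_date(p) for p in params):
            findings.append(f"DATE({plist}) is not yyddd, -nn or TODAY")
        if name == "TIME" and not all(valid_time(p) for p in params):
            findings.append(f"TIME({plist}) is not a valid hhmmss value")
    if "NOTITLE" in seen and "ONETITLE" in seen:
        findings.append("NOTITLE is incompatible with ONETITLE")
    if "ALL" in seen.get("EVENT", []) and len(seen["EVENT"]) > 1:
        findings.append("EVENT(ALL) is mutually exclusive with other events")
    return findings
```

Calling lint(SAMPLE) returns one finding per deliberate error; an empty list means none of these rules were broken, not that TSSUTIL will accept the input.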
Example: Produce Two Reports without Legends
This example produces two reports without legends: the first, a total violation report; the second, audit entries.
NOLEGEND REPORT EVENT(VIOL) END REPORT EVENT(AUDIT) END
Example: Select all TSO Data Set Violations from Yesterday and Today
This example selects all TSO data set violations that occurred yesterday and today:
DATE(-01) DRC(DS) FACILITY(TSO)
Example: Select All Events Logged on a Specific Date for Specific Jobs
This example selects all events logged on April 26, 1999 for jobs FINBUD01 and FINBUD02:
J(FINBUD01,FINBUD02) DATE(99116,99116) EVENT(ALL)
Example: Select all Violations in a Department
This example selects all violations by all users in the Finance Department. If submitted by a VCA or DCA, the report covers violations against all resources owned in the Finance Department as well as violations by users in the Finance Department:
DEPARTMENT(FINANCE) EVENT(VIOL)
Example: Select all Violations Against Volumes with Specific Prefixes
This example selects all violations against volumes with the prefix WORK by users B1010, B1020, B1030:
A(B1010,B1020,B1030) V(WORK) EVENT(VIOL)
Example: Select All Jobs Submitted from a Specific Terminal
This example selects all jobs submitted from terminal R15.RD1:
RES(R15.RD1) RESCLASS(TERMINAL) EVENT(INIT)
Example: Select All Updates Against a Data Set from a Specific CPU
This example selects all updates against SYS1.SPFPARMS from the CPU SYS3:
SYSID(SYS3) EVENT(ACCESS) DSNAME(SYS1.SPFPARMS) ACCESS(UPDATE)
Example: Select All Test CICS Transactions with Violations, with Two Lines Per Incident
This example selects all test CICS transactions with violations so that the report generates two lines per security incident:
RESCLASS(OTRAN) FACILITY(CICSTEST) EVENT(VIOL) LONG
Example: Select Illegal Access Attempts for a Specific Time Period
This example selects illegal CPU SYS2 access attempts for the second shift:
EVENT(VIOL) RES(CPU.SYS2) TIME(160000,235959)
Example: Select All IMS Production Signon Password Violations
This example selects all IMS production sign‑on password violations:
DRC(PW) F(IMSPROD)
Example: Select all Undefined Batch Jobs
This example selects all batch jobs that are undefined:
FACILITY(BATCH) ACID(*)
Example: Select All Operator Authentication Failures
This example selects all operator authentication failures:
EVENT(ALL) JOB(PROD*)
Example: Select Violations Against Payroll Files
This example selects CICS production and test violations against payroll files:
EVENT(VIOL) RES(PAY) FACILITY(CICSPROD,CICSTEST)
Example: Select All Unsuccessful Terminal Unlocks
This example selects all unsuccessful terminal unlocks:
RESCLASS(TERMINAL)
Example: Select Specific Audited Terminals
This example selects specific audited terminals:
EVENT(AUDIT) TERMINAL(188,189,18A)
Example: Select All Uses of Selected System Utilities
This example selects all uses of selected system utilities:
EVENT(ALL) RES(IMASPZAP,IEHPROGM,IEHINITT)
Copyright © 2014 CA Technologies.
All rights reserved.