TSSUTIL Utility › TSSUTIL JCL

TSSUTIL JCL

TSSUTIL works against sequential SMF data or the Audit/Tracking File. We suggest that you select the Audit/Tracking File instead of SMF data. While SMF requires one or more pre‑processing “dump” steps, the Audit/Tracking File is a direct‑access file providing immediate access. The Audit/Tracking File also allows use of TSSTRACK to monitor security events online (in real‑time), which SMF data does not. JCL for using TSSUTIL in batch is outlined below.

JCL for TSSUTIL Using TSS AUDIT File Input

//REPORT         JOB
//REPORT         EXEC          PGM=TSSUTIL
//*
//*                            INPUT SMF OR AUDIT/TRACKING FILE
//*
//SMFIN          DD            DSN=name.of.atf,DISP=SHR
//SMFIN1         DD            DSN=name.of.atf2,DISP=SHR] optional
//*
//*                            REPORT OUTPUT
//*
//UTILOUT        DD            SYSOUT=*
//*
//*                            SELECTION CRITERIA
//*
//UTILIN         DD            *
  options
/*
//SYSPRINT       DD            SYSOUT=*
//SYSUDUMP       DD            SYSOUT=*
//*
//*                            OPTIONAL DD STATEMENTS
//*
//SMFOUT 	   DD 		    DSN=name.of.abstract.dataset, 
// 				    DISP=(,CATLG,DELETE),
// 				    VOL=SER=volser,SPACE=(space-values), 
// 				    DCB=(LRECL=465,BLKSIZE=file-blocksize,RECFM=VB)
//XTROUT 	   DD		    DSN=name.of.abstract.dataset, 
// 				    DISP=(,CATLG,DELETE),
// 				    VOL=SER=volser,SPACE=(space-values), 
// 				    DCB=(LRECL=27994,BLKSIZE=27998,RECFM=VB) 
//EARLOUT        DD            DSN=output‑file‑name,UNIT=unit‑name,
                               DISP=(NEW,KEEP),
//                             VOL=SER=volser,SPACE=(space‑values),
//                             DCB=BLKSIZE=file‑blocksize

JCL for Wrapped or Switched Audit File

If the audit file is switched or wrapped, use the following JCL to produce a report sorted by date:

 //MASTERU  JOB  (118300000),'MASTER UTIL',CLASS=A,MSGCLASS=X,
 //  NOTIFY=MASTER,TIME=1440
 //*
 //*  STEP 1
 //*
 //UTIL     EXEC PGM=TSSUTIL,REGION=2M
 //UTILOUT  DD  SYSOUT=*
 //SYSUDUMP DD SYSOUT=*
 //SMFIN        DD    DISP=SHR,DSN=USER.TEST.AUDIT
 //SMFIN1       DD    DISP=SHR,DSN=USER.TEST.AUDIT2
 //SMFOUT   DD DSN=USER.TEST.EXTRACT.AUDIT,
 //    SPACE=(TRK,(15,1),RLSE),DCB=(RECFM=VB,LRECL=465,BLKSIZE=11160),
 //    UNIT=SYSDA,VOL=SER=XXXXXX, DISP=(NEW,CATLG,DELETE)
 //UTILIN   DD  *
  EXTRACT EVENT(ALL) END
 //*
 //*  STEP 2
 //*
 //JS10     EXEC PGM=SORT
 //SYSOUT   DD  SYSOUT=*
 //SORTIN       DD    DISP=SHR,DSN=USER.TEST.EXTRACT.AUDIT
 //SORTOUT  DD DSN=USER.TEST.AUDIT.SORTED,
 //    SPACE=(TRK,(15,1),RLSE),DCB=(RECFM=VB,LRECL=465,BLKSIZE=11160),
 //    UNIT=SYSDA,VOL=SER=XXXXXX,DISP=(NEW,CATLG,DELETE)
 //SYSIN    DD  *
         SORT FIELDS=(92,3,PD,A,96,4,CH,A)
 //*
 //*  STEP 3
 //*
 //UTIL     EXEC PGM=TSSUTIL,REGION=2M
 //UTILOUT  DD  SYSOUT=*
 //SYSUDUMP DD SYSOUT=*
 //SMFIN        DD    DISP=SHR,DSN=USER.TEST.AUDIT.SORTED
 //UTILIN   DD  *
  REPORT EVENT(ALL) END
 //

Step 1 extracts the audit records from two audit files to create a single audit file. Step 2 sorts the single audit file by date and time. Step 3 uses the sorted file as input for the TSSUTIL report run.

JCL for TSSUTIL Using SMF Input

//REPORT        JOB
//********      dump              vsam type‑80 data first
//MAN           EXEC              PGM=IFASMFDP
//DUMPIN        DD                DSN=SYS1.MANX,DISP=SHR
//SMFOUT        DD                DSN=&&SMF.,DISP=(,PASS),
//                                SPACE=(CYL,10),UNIT=disk
//SYSPRINT      DD                SYSOUT=*
//SYSIN         DD                *
    LSNAME(IFASMF.XE15.TSSLOG)
    OUTDD(SMFOUT,TYPE(80))
/*
//MANY          EXEC PGM=IFASMFDP
//DUMPIN        DD                DSN=SYS1.MANY,DISP=SHR
//SMFOUT        DD                DSN=&&SMF.,DISP=(MOD,PASS)
//SYSPRINT      DD                SYSOUT=*
//SYSIN         DD *
    INDD(DUMPIN,OPTIONS(DUMP))
    OUTDD(SMFOUT,TYPE(80))
/*
//REPORT        EXEC              PGM=TSSUTIL,PARM='options list'
//UTILOUT       DD                SYSOUT=*
//SMFIN         DD                DSN=&&SMF.,DISP=OLD,DCB=(BFTEK=A)
[//SMFIN1       DD                DSN=&&SMF.,DISP=OLD,DCB=(BFTEK=A)]
                                  optional
[//SMFOUT       DD                DSN=extract.smf.data set,DISP=SHR]
                                  optional
[//XTROUT	  DD			DSN=extract.smf.data set,DISP=SHR] 
					optional 
//UTIILIN       DD *
   options...
/*

TSSUTIL DD Statements

SMFIN

Defines an input data set to TSSUTIL. SMFIN can represent any of the following:

• An Audit/Tracking file as illustrated by the first JCL example.
• An SMFOUT EXTRACT file.
• A backup copy of the SMF data from tape.

Notes:

• SMF extract files can be concatenated.
• TSS AUDIT files can be concatenated.
• SMF and AUDIT files should not be mixed in the same execution of TSSUTIL.
• When SMF files are used for SMFIN, DCB=BFTEK=A is required.

SMFIN1

Defines an additional DD statement for SMF or AUDIT file input to the utility. If the data in SMFIN is SMF (or AUDIT, respectively), SMFIN1 is expected to be the same type of data. When SMF files are used for SMFIN1, DCB=BFTEK=A is required.

SMFOUT

Defines an output data set used only for EXTRACT. It is an optional DD statement, and the data set characteristics must be RECFM=VB, LRECL=465.

UTILIN

Defines input containing selection criteria options. These options can also be specified in the 'options list' of the PARM field in the EXEC statement. EXEC parameters override UTILIN options; in fact, UTILIN is ignored when EXEC parameters are coded.

UTILOUT

Defines an output data set for the formatted report of security incidents based on selection criteria. If UTILOUT is being routed to a PDS, the PDS must be defined with LRECL=133. If you are running at or above genlevel 9301, the blocksize can be a multiple of 133, TSSUTIL will honor what is coded in the UTILOUT DD statement. If you are running below genlevel 9301, the BLKSIZE is hardcoded as 2660 and any other valued specified in the UTILOUT DD statement is ignored. Also, be sure to include a member name with the data set.

For sequential data sets, if you create a new data set (DISP=NEW), TSSUTIL makes LRECL=133 regardless of what you specify in the DCB information on the UTILOUT DD statement. The blocksize will default to 23408 unless you override it in the DCB information on the UTILOUT DD statement.

To route the output to an existing sequential data set, it must have LRECL=133 and the blocksize must be a multiple of 133 (if at or above genlevel 9301), otherwise, an SO13 abend will occur.

EARLOUT

Generates Easy Access Report Language CA‑Earl®) formatted record types that can be used as input to produce customized reports.

• output‑file‑name-The data set name of the file.
• unit‑name-Assigns the I/O device for the output media. Any output media compatible with the sequential access method (such as tape or disk) can be used.
• volser-The volume serial number of the volume on which the file will reside.
• space‑values-If a disk device is chosen for output, assign disk for the output file. Omit this parameter if a tape device if used.
• file‑blocksize-Choose a blocksize to make the most efficient use of the output media chosen. The value chosen must be an integral multiple of 456, the file record length.

XTROUT

Defines an output data set used only for EXTRACT. It is an optional DD statement and the data set characteristics must be as follows: RECFM=VB,LRECL=27994,BLKSIZE=27998. This DD statement may be required if the site is using OPTIONS(32) to write USS records to the audit tracking file. In that case, some output records may exceed the defined LRECL of 465 for the SMFOUT file.

Notes:

• IFASMFDP (the SMF DUMP program) is used to convert VSAMSMF files to a sequential SMF data set.
• TSSUTIL cannot execute if the TSS address space is not active.
• If you are using VBS format SMF data, and DCB=BFTEK=A is not coded, you might get a system 0C4 abend.