The following information is displayed on the report.
The date when the related incident was recorded. The format of the date is controlled by the DATE control option specified at CA Top Secret initialization. The default is month/day/year. This can vary if using European, military, or other date format. Selection criterion is DATE.
Time of day when the incident was recorded. The report is, for the most part, time‑sequenced; however, this is controlled by the SMF logging function of MVS. TSSUTIL does not sort the incidents, so some events might be out of sequence. You might also notice that blocks of events will have the same time stamp-especially true for online violations. CA‑Roscoe, CICS, IMS and other online facilities record incidents indirectly to SMF. The CA Top Secret address space does the actual logging every 15 to 300 seconds (based on the time value set by the TIMER control option). Selection criterion is TIME.
The SMF identification of the CPU that logged the event. Selection criterion is SYSID.
The ACID that was in effect for the user. ACIDs that begin with an asterisk '*' are special to CA Top Secret:
The name of a batch job, the procedure name of a started task (STC), or the userid of an online user. The jobname is usually the same for a TSO user. The jobname for the online region will appear with that of an online user ACID. Selection criterion is JOBNAME.
Represents two data items: FACILITY ID and MODE. The facility being used is represented by one or two characters. The most common facility codes are:
FACILITY codes for other facilities can be obtained by entering:
F TSS,FACILITY(fac) at the console.
The mode of the user is represented by the last single character that shows:
For example, TW shows a TSO user in WARN mode. Selection criteria are FACILITY and MODE.
Represents a consecutive accumulation of violations for the duration of the session or job. It is displayed only with violation entries.
Shows the name of the program in control at the time the security incident was recorded. Common program names are:
A program name will not always be present, especially if the event was recorded through an online data base system such as CICS or IMS. Selection criterion is RESOURCE. (Select RESOURCE only if you are looking for explicitly owned program usage.)
Displays the access level requested for a resource request. The label is determined from the RDT access level definition. If the ACID access level is not an exact match with the bit value for an RDT access-level, the binary access level is placed into the report preceded by an asterisk.
Note: A requested access of FETCH appears as READ in MVS.
Displays the access level from the ACID "best fit" permission. The label for the access level is determined from the RDT access level definition. If the ACID access level is not an exact match with the bit value for an RDT access-level, the binary access levelis placed into the report preceded by an asterisk.
Shows the return code presented to the system (caller) and the associated detailed error reason code. This indicates whether the access was successful or was failed. If it was successful, one of the following codes will display.
Otherwise, the return and detail codes are shown in the format *rr*‑dd, where rr is the return code and dd is the detailed error reason code. For example, *30*‑0F indicates a terminal or reader violation during initiation; *08*‑65 indicates a data set is not accessible. The selection criteria is EVENT(VIOL,AUDIT) to get all violations and audit entries and DRC to get only the specific violations as explained by the detailed error reason codes.
Return codes and the Detailed Error Reason Codes are documented in this manual as well as in the CA Top Secret Messages and Codes.
Shows the MVS, vendor or customer security driver requesting security validation. This is represented by a three‑character mnemonic or by a hexadecimal value for the SVC in control. The following codes will appear:
Shows a one character code and up to a 248 character resource name. For initiations, the name of the user will appear via the NAME= keyword. For job submissions, the name of the job and associated ACID will appear. For data set access, the volume serial number and data set name will usually both appear. The class code is one of the following:
a = CA_IDMS SUBSCHEMA U = Abstract
b = CA‑IDMS AREA V = Tape volume
c = Adabas database W = DASD volume
d = IMS DBD X = Transaction
e = JESINPUT Y = USERn
f = IBM Facility Z = CICS TST
g = TSO account number 1 = Change propagation
h = TSO authority 2 = CA jobname
i = TSO procedure name 3 = CA panel
j = TSO performance group 4 = DUFXTR
k = VAX file 5 = DUFUPD
l = VAX device 6 = User logging
m = VM IUCV 7 = VM MDISK
n = VM VMCF 8 = VM CP CMD
o = TSAF 9 = VM diagnose
p = JESPOOL 0 = VM network
q = JESJOBS * = Reserved
r = OPERCMDS # = VM RDR
s = CICS CEMT SPI % = Logging DB2 resources
t = DEVICES (for VTAM 3.2) $ = VM DCSS
u = CA REPORT @ = VM dial
v = CA TAPE + = Logging installation exit call
w = SMESSAGE (TSO/E) = = CACMD
x = VTAMAPPL (VTAM 3.2) ‑ = Ca Scheduler
y = CAADMIN ? = Extract
z = CAVAPPL < = Operator commands
' = SYSCONS > = Owned transactions
A = Application . = Data set
B = Audited job submission / = Dasdvold
C = Mode by user “ = Tapevolt
D = Data set ! = CA Station
E = CICS DCT & = Recipid
F = CICS FCT : = Reserved
G = Authentication call ¢ = VMANAPPL
H = TOTAL File ¦ = UNVEDIT
I = ACID xe03type 7 = UNVRPRT
J = CICS JCT ~ = UNVPGM
K = Terminal unlock , = CPU
L = Terminal lock | = SDSF userclass
M = UR1 } = VM Machine
N = UR2 { = IMBGROUP
O = TSS control options ` = PROPCNTL
P = Program _ = Librarian resource CALIBMEM
Q = CICS PPT ; = Librarian resource CACCFMEM
R = Database field ¬ = Librarian resource CACCFDSN
S = DL/1 PST ( = SMS management class
T = Terminal ) = SMS storage class
The selection criteria are:
Shows the JES2 job number. The job number might be preceded by one of the following codes:
Shows the terminal for an online user or the reader through which a batch job was submitted (JES2 only). Jobs submitted through the internal reader are listed as INTRDR. For users accessing the system via TCP/IP, the IP address is reported in this field as an eight‑byte hexadecimal value. For example, access from IP address 111.222.33.123 would be reported as 6FDE217B, where:
The selection criteria is TERMINAL.
Shows the beginning and end of the time range included in the Audit Tracking File(s). This helps the security administrator determine what information is included in the report. If the Audit Tracking File(s) is empty, the STARTING and ENDING fields will contain XX/XX/XX and 99:99:99.
|
Copyright © 2014 CA Technologies.
All rights reserved.
|
|