TSSUTIL Utility › TSSUTIL Report Description › Report Using EVENT(ALL) DATE(-01) LONG

Report Using EVENT(ALL) DATE(-01) LONG

The following information is displayed on the report:

DATE

The date when the related incident was recorded. The format of the date is controlled by the DATE control option specified at CA Top Secret initialization. The default is month/day/year. This can vary if using European, military, or other date format. Selection criterion is DATE.

TIME

Time of day when the incident was recorded. The report is, for the most, part time‑sequenced; however, this is controlled by the SMF logging function of MVS. TSSUTIL does not sort the incidents, so some events might be out of sequence. You might also notice that blocks of events will have the same time stamp-especially true for online violations. CA‑ROSCOE, CICS, IMS and other online facilities record incidents indirectly to SMF. The CA Top Secret address space does the actual logging every 15 to 300 seconds (based on the time value set by the TIMER control option). Selection criterion is TIME.

SYSID

The SMF identification of the CPU that logged the event. Selection criterion is SYSID.

ACESSOR

The ACID that was in effect for the user. ACIDs that begin with an asterisk '*' are special to CA Top Secret.

• *BYPASS*—Indicates that the user is bypassing security.
• *UNDEF*—Indicates an undefined user.
• *MISSING*—Indicates that the ACID was not supplied on a job card.

Selection criterion is ACID.

JOBNAME

The name of a batch job, the procedure name of a started task (STC), or the userid of an online user. The jobname is usually the same for a TSO user. The jobname for the online region will appear with that of an online user ACID. Selection criterion is JOBNAME.

FACILITY

Shows the facility being used. The most common facilities are:

• BATCH
• CICSPROD
• CICSTEST
• IMSPROD
• ROSCOE
• STC
• TSO
• VM

MODE

Shows the mode of the user. Valid modes are:

• DORM
• FAIL
• IMPL
• WARN

VC

Represents a consecutive accumulation of violations for duration of the session or job. It is displayed only with violation entries.

PROGRAM

Shows the name of the program in control at the time the security incident was recorded. Common program names are:

• IEFIIC—Batch initiator
• IKJEFLC—TSO logon
• IMASPZAP—Superzap
• ISPTASK—SPF

A program name will not always be present, especially if the event was recorded through an online data base system such as CICS or IMS. Selection criterion is RESOURCE. (Select RESOURCE only if you are looking for explicitly owned program usage.)

R‑ACCESS

Shows the requested access level as defined in the RDT for the current resource (usually data set, volume, or CICS file).

If an access mask does not uniquely define an access level, the access mask is displayed preceded by an asterisk. In this case; the access mask displayed represents more than one access level.

Note: A requested access of FETCH will appear as READ in MVS.

If the requested access is ALTER, then the TSS PERMIT command requires an access level of ALL.

A‑ACCESS

Shows the allowed access level as defined in the RDT for the current resource. Indicates how the resource (usually data set, volume, or CICS file) was accessed by the user of job.

If an access mask does not uniquely define an access level, the access mask is displayed preceded by an asterisk. In this case; the access mask displayed represents more than one access level.

SRC/DRC

Shows the return code presented to the system (caller) and the associated detailed error reason code. This indicates whether the access was successful or failed. If it was successful, one of the following codes will display.

• OK—Indicates that the request was successful.
• OK+A—Indicates a successfully audited incident.
• OK+B—Indicates a successfully bypassed access.
• OK+P—Indicates a successfully issued password.

Otherwise, the return and detail codes are shown in the format *rr*‑dd, where rr is the return code and dd is the detailed error reason code. For example, *30*‑0F indicates a terminal or reader violation during initiation; *08*‑65 indicates a data set is not accessible.

The selection criteria is EVENT(VIOL,AUDIT) to get all violations and audit entries, and DRC to get only the specific violations as explained by the detailed error reason codes.

Return codes and the Detailed Error Reason Codes are documented in this manual, as well as in the CA Top Secret Messages and Codes.

SEC

Shows the MVS, vendor or customer security driver requesting security validation. This is represented by a three‑character mnemonic or by a hexadecimal value for the SVC in control. The following codes will appear:

• ADA—Database
• BLP—BLP
• CAT—Catalog management
• CRE—Create data set
• DES—Data encryption
• EOV—End of volume
• FAP—Fetch access protection
• FEV—FEOV
• HSM—HSM
• INC—RACINITC
• INI—Job/STC/session initiation
• INY—RACINITY
• LCF—Command/program
• LKD—”AC=1”
• LST—IMS/CICS initiation
• OPJ—Open‑J
• OPN—Open
• PGM—Attach, link or load request
• REN—Rename‑DSNAME
• SCR—Delete‑DSNAME
• SUB—Submit
• TMS—Tape management
• TRM—Termination
• USS—UNIX System Services
• VSM—VSAM‑Catalog management
• XX—SVC number in hex

JOBID

Shows the JES2 job number. The job number can be preceded by one of the following codes:

• J—Job
• S—Started task
• T—TSO

TERMINAL

Shows the terminal for an online user or the reader through which a batch job was submitted (JES2 only). Jobs submitted from the internal reader are listed as INTRDR. Selection criterion is TERMINAL.

RESOURCE

Shows the eight‑character resource type and up to a 248‑character resource name. The resource varies greatly and does not always appear.

For initiations, the name of the user will appear.

For job submissions, the name of the job and associated ACID will appear.

For data set access, the volume serial number and data set name will both appear. The selection criteria are:

• DATASET—For data sets
• VOLUME—For volumes
• RESOURCE—For other resources
• RESCLASS—For specific class
• OPERCMDS—For operator commands

ORIGINAL RESOURCE CLASS

Displays the original eight-character resource class before it was translated during the security check to the resource class displayed in the prior line. This line is displayed only:

• On a type=LONG audit report
• If a resource class translation has been performed

  ORIGINAL RESOURCE CLASS:  xxxxxxxx
  

DATE AND TIME RANGES OF AUDIT FILES(S)

Shows the beginning and end of the time range included in the Audit Tracking File(s). This helps the security administrator determine what information is included in the report. If the Audit Tracking File(s) is empty, the STARTING and ENDING fields will contain XX/XX/XX and 99:99:99.