TSSOERPT Utility › Service Field Values

Service Field Values

This section describes the possible values for the SERVICE, INCLUDE, and EXCLUDE fields of the TSSOERPT report. These values are case-sensitive.

Note: Additional information that appears on the report when the DETAIL option is specified is a function of the call.

ck_access

Determines if a user has the requested access (READ, WRITE, EXECUTE, or SEARCH) to the specified file or directory.

ck_file_owner

Checks if a current process is a superuser or the owner of the specified file. A process could be the owner of a file if the effective UID is equal to the file owner's UID.

ck_IPC_access

Determines whether the current process has the requested access to the interprocess communication (IPC) key or identifier whose IPC security packet (IISP) is passed.

ck_owner_2_files

Checks whether the calling process is a superuser or is the owner of the file/directory, or directory/directory entry pair represented by input FSP1 and FSP2. A process is the owner of the file if the processes effective UID is equal to the file's owner UID.

ck_priv

Determines if the calling process is a superuser.

ck_process_owner

Checks to see if the calling process is the owner of a process being called.

clear_setid

Clears temporary access given to a file or directory. (Resets the S_ISUID, S_ISGID, and S_ISVTX bits in the file's or directory's access permissions to zero. For information, see the IBM z/OS UNIX System Services User's Guide.

deleteUSP

Indicates that the user's access to USS terminated.

getGMAP

Indicates that a call was made to determine the GID for a groupname or the groupname for a GID.

get_uid_gid_supg

Gets the real, effective, and saved UIDs and GIDs, and the supplemental groups from the USP.

getUMAP

Indicates that a call was made to determine the UID for a username or the username for a UID.

initACEE

Provides an interface for creating and managing security contexts created through the pthread_security_np service.

initUSP

Indicates initial user access to USS.

• Home-The home directory of the user at initial access to USS.
• Program-The name of the program for the indicated user at initial access to USS.

makeFSP

Seen when a file or directory is created.

• File Type-The file type of the file for which the FSP is being created. Tells whether a file is a directory, a regular file, or one of several special types of files.
• File Permissions-The file access permissions to be assigned to the indicated file. These are displayed in the fields named Owner, Group, and Other. Values for the fields are r for READ, w for WRITE, x for EXECUTE, and s for SEARCH.

makeISP

Builds an IISP in the area provided by the caller.

make_root_fsp

Indicates that a new file system is being initialized in a new PDSE/x data set.

query_file_opts

Indicates that file security options were queried to determine the settings.

query_sys_opts

Indicates that system security options were queried to determine the settings.

R_admin

Allows applications to pass an CA Top Secret command buffer used to update the CA Top Secret secfile.

R_audit

A record cut in addition to a security service record. The record supplies additional information about the file being audited.

R_cacheserv

Indicates a call was made for cache services. A cache is stored in a data space and contains security relevant information. The cache functions are:

• START-Start a new cache.
• ADD-Add a record to the new cache.
• END-End cache creation.
• FETCH-Fetch a record from the cache.
• DELETE-Delete the cache.

R_chaudit

Indicates that a file's Audit Options have been changed.

• User Audit Options-Indicates what type of user access to this file should be audited.
• Auditor Audit Options-Indicates what type of auditor access to this file should be audited.

R_chmod

Indicates a file's permissions (mode) have changed.

• File Type-The file type of the file whose permissions are being changed. It indicates if a file is a directory, a regular file or one of several special types of files.
• File Permissions-The file access permissions assigned to the indicated file. These are displayed in the fields named Owner, Group, and Other. Values for the fields are r for READ, w for WRITE, x for EXECUTE, and s for SEARCH.

R_chown

Changes a file's owning UID and GID to a new value.

• UID To Be Set-The UID number the file's owning UID is being set to.
• GID To Be Set-The GID number the file's owning GID is being set to.

R_datalib

Implements OCSF data library support, which provides access to digital certificates connected to a keyring.

• Function-The specific R_datalib function being invoked, such as DataGetFirst or DataGetNext.
• Userid-The userid the KEYRING profile record belongs to or blanks if the KEYRING profile record is owned by the issuer of the request.
• Ring Name-The ring name of the KEYRING profile record.

R_dceauth

Enables an application server to check a user's authority to access a CA Top Secret defined resource. Used only for the USS kernel on behalf of an application server.

R_dceinfo

Retrieves or sets fields in the DCE USER profile record.

R_dcekey

Enables USS DCE to retrieve or set a DCE password (key).

R_dceruid

Enables USS DCE to determine the user ID of the client from the string forms of the client's DCE UUID pair.

• Function-The specific function being processed (“Return RACF userid” or “Return DCE UUID”).
• Userid-The CA Top Secret acid.
• Principal-The string form of the principal DCE UUID.

R_exec

Changes the effective and saved UID or GID or both.

• Set UID-Change made to UID.
• Set GID-Change made to GID.

R_fork

Indicates a call was made to get the security information for a forked process.

R_getGroups

Indicates a call was made to determine what groups the current process or user belongs to.

R_getgroupsbynam

Indicates that a call was made to determine the groups to which a specific userid belongs.

R_IPC_ctl

Performs functions based on a function code.

R_kerbinfo

Retrieves or sets SecureWay Security Server Network Authentication Service fields. The service returns principal or realm information and updates the count of invalid attempts at accessing the SecureWay Security Server Network Authentication Service. The invalid key count is also cleared upon successful access to the service.

R_ptrace

Indicates that a check was made to see if a calling process can ptrace a target process it is calling.

R_PKIServ

Allows applications to request the generation retrieval and administration of V3 X.509 digital certificates.

R_proxyserv

Allows applications to invoke the LDAP component of the Security Server for z/OS to obtain data which resides in an LDAP directory.

R_setegid

Changes the effective GID to a different GID

• GID To Be Set-The GID to be set as the effective GID
• Real GID-The actual GID of this user
• Effective GID-The GID under which this user's accesses are being validated
• Saved GID-Internally used GID

R_seteuid

Changes the effective UID to a different UID.

• UID To Be Set-The UID to be set as the effective UID
• Real UID-The actual UID of this user
• Effective UID-The UID under which this user's accesses are being validated
• Saved UID-Internally used UID

R_setfacl

Indicates a call was made to create or modify an Access Control List.

• Operation-The type of operation performed; Add, Modify, or Delete.
• ACL Type-The type of ACL affected; Access, Directory Model, or File Model.
• UID/GID-The UID or GID for this ACL entry.
• Permissions-The octal value of the file permissions specified for this user or group. If PERM-DEL the ACL entry for the specified UID/GID is deleted.

R_setfsecl

Changes the security label in the FSP

R_setgid

Changes the real, effective, and saved GIDs to a different GID.

• GID To Be Set-The GID to be set as the current GID
• Real GID-The actual GID of this user
• Effective GID-The GID under which this user's accesses are being validated
• Saved GID-Internally used GID

R_setuid

Changes the real, effective and saved UID to a different UID.

• UID To Be Set-The UID that is to be set as the current UID.
• Real UID-The actual UID of this user or process.
• Effective UID-The UID under which this user's accesses are being validated.
• Saved UID-Internally used UID

R_ticketserv

This service enables application servers to parse or extract principal names from a GSS-API context token. This enables an application server to determine the client principal who originated an application-specific request when the request includes a GSS-API context token.

R_umask

Change of permissions that a program sets in a new file or directory when it creates a new file or directory.

R_usermap

Enables z/OS application servers to determine the application user identity associated with an CA Top Secret acid, or to determine the CA Top Secret acid associated with an application user identity or digital certificate. Currently, the only supported applications are Lotus Notes for z/OS and Novell Directory Services and SecureWay Server Network Authentication Server.

R_writepriv

Sets, resets, or queries the setting of the write-down privilege in the ACEE. When MLS is active, the following fields are captured on the TSSOERPT report:

Security Credentials and File Security Packets

Many log entries show additional information about the request. The information is contained internally as Security Credentials (CRED) and File Security Packets (FSP). This information is common to many calls and can appear in the following fields on the TSSOERPT report if it is available:

FUNCTION

Specifies the function attempted for a file or directory, for example OPEN and SEARCH.

PATHNAME

Specifies the full pathname of a file or directory, including the file or directory name itself. There could be two pathnames specified if the call involved more than one file or directory.

FILENAME

Specifies the name of a file or directory. In the case of a ck_access, this field names the part of the path currently being validated for access (If the path is aa/bb/cc three separate ck_access calls are seen: the first with filename aa, the second with filename bb, and the third with filename cc ). There can also be two filenames specified if the call involved more than one file or directory.

FILE PERMISSIONS

Specifies the access permissions for the file's owning UID (owner), the file's owning GID (group), and all others attempting access (other).

OWNING UID

Specifies the UID of the owner of the file or directory. If the real UID of a user or process attempting access to this file matches the owning UID, access is granted according to the owner file permissions.

OWNING GID

Specifies the GID of the owner of the file or directory. If the real GID of a user or process attempting access to this file matches the owning GID, access is granted according to the group file permissions. If the process or user does not have the owning GID as its primary GID, but has a supplemental group that matches the owning GID, access is also determined by the group file permissions.

Note: If the GID or UID do not match the owner's GID or UID, the other file permissions are used to determine access.

VOLUME

Specifies the volume on which the file system that contains the file resides.

FILE IDENTIFIER

In some cases pathname or filename are not indicated in a call. In this occurs, access is validated using the file identifier. To determine the path and filename for this call, find the last previous call with the same file identifier. The pathname and filename for that call are the same as for the call in question.

FILE AUDIT OPTIONS

The file audit options are:

• U-Indicates the type of file access that should be logged for a user. For example, if the report shows “Read Failure, Write All, Exec/Search None,” all failed READ attempts, all WRITEs, but no EXECs or SEARCHes are logged to SMF for the user.
• Auditor-Indicates the type of file access that should be logged for an auditor. For example, if the report shows “Read Failure, Write All, Exec/Search None,” all failed READ attempts, all WRITEs, but no EXECs or SEARCHes are logged to SMF for the auditor.