

SAF SECTRACE SET and MODIFY Operands

You must identify the trap through the ID operand when you issue the SAF SECTRACE MODIFY command. You can, however, invoke the SAF SECTRACE SET command without the ID operand. SAF SECTRACE assigns the value TRACE(nnn), where (nnn) is the next available sequential number.

TYPE Operand—Identify the Type of Event to Process

Use the TYPE operand to identify the type of security event to be processed. TYPE lets you specify RACROUTE parameters that act as additional filters on specific SAF requests.

This operand has the following format:

TYPE=SAF|SAFP|OMVS|HFS
SAF

Specifies that the security event to be traced is from the z/OS SAF facility. Any SAF event that matches the specified environment qualifies for tracing. This value is the default value.

SAFP

Specifies that the security event to be traced is from the z/OS SAF facility. Use this option to enter additional SAF information to further filter out SAF events. When you enter TYPE=SAFP, you are prompted by SAF SECTRACE for the RACROUTE parameters. Only single values for parameters are accepted. The maximum length for the parameter keyword, operator, and value is 64 characters. To specify parameters that are unique to a specific RACROUTE request, first enter REQUEST= to specify the type of RACROUTE request. SECTRACE continues to prompt you until you enter END or CANCEL.

You must adhere to RACROUTE macro coding conventions when you specify RACROUTE parameters for SAF SECTRACE filtering. You can specify special operators to indicate the presence of a particular value (for example, ENVIR=CREATE) or the presence of a pointer address (for example, ACEE=>). You can use the following operators, depending on your type of keyboard:

Pointer operators are valid only if the parameter is specified as a pointer to a data area or a data structure (for example, an ACEE). When you specify a pointer operator, you cannot specify a value for the parameter. A pointer operator indicates the presence or absence of a pointer. For example, you cannot specify ACEE=>address, but you can specify ACEE=> or ACTINFO^=>. Using standard CA Top Secret masking characters, you can mask character data types of parameters. You can mask other types of data only if the mask is complete. A complete mask indicates that the trap will match all values. For example, USERID=- indicates that this parameter matches all values of USERID. USERID^= indicates that the USERID option is not coded on the RACROUTE request.
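The SAFP filter rules above (the four operators, the 64-character limit, no value after a pointer operator, and the USERID=- and USERID^= examples) as an added, stand-alone model; this is not the product's own code, and the mask handling (bare - matches everything, trailing * matches any suffix) and the meaning of ^=value are assumptions stated in the comments.

```python
import re

# Documented SAFP operators: value present/absent (=, ^=) and pointer
# present/absent (=>, ^=>); longest alternatives first so "^=>" is not
# read as "^=" followed by a value of ">".
_FILTER_RE = re.compile(r"^([A-Z][A-Z0-9]*)(\^=>|=>|\^=|=)(.*)$")
MAX_FILTER_LEN = 64  # keyword + operator + value, as documented

def parse_safp_filter(text: str) -> tuple:
    """Split ENVIR=CREATE, ACEE=>, ACTINFO^=> or USERID^= into
    (keyword, operator, value), enforcing the documented rules."""
    text = text.strip().upper()
    if len(text) > MAX_FILTER_LEN:
        raise ValueError("filter longer than 64 characters")
    m = _FILTER_RE.match(text)
    if not m:
        raise ValueError("not KEYWORD<operator>[value]: %r" % text)
    keyword, op, value = m.groups()
    if op.endswith(">") and value:
        # Pointer operators test presence only: ACEE=>address is not allowed.
        raise ValueError("pointer operator %s takes no value" % op)
    if op == "=" and not value:
        raise ValueError("%s= needs a value or a mask" % keyword)
    return keyword, op, value

def mask_matches(mask: str, value: str) -> bool:
    # '-' alone is the complete mask and matches any value; a trailing '*'
    # matches any suffix (ABC* matches ABCDEF). Other mask forms are not modelled.
    return mask == "-" or value == mask or (mask.endswith("*") and value.startswith(mask[:-1]))

def filter_matches(filt: tuple, params: dict) -> bool:
    """Evaluate one parsed filter against the RACROUTE parameters of an event.
    `params` maps keyword -> string value, or -> an address (int) for pointer
    parameters; a keyword that is not coded on the request is absent."""
    keyword, op, value = filt
    present = params.get(keyword) is not None
    if op == "=>":
        return present
    if op == "^=>":
        return not present
    if op == "^=":
        # Bare ^= means the option is not coded; ^=value (assumed, not shown on
        # the page) means coded with a value that does not match the mask.
        return (not present) if not value else (present and not mask_matches(value, str(params[keyword])))
    return present and mask_matches(value, str(params[keyword]))
```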

OMVS

Specifies that the security event to be traced is from the USS facility. Any SAF event that matches the specified function qualifies for tracing.

HFS

Specifies to trace internal functions of CA SAF HFS security. The trace output might be requested by CA Support.

OMVS Operands—Define Callable Services

Use the OMVS operands group to define callable services. You cannot specify more than one function on a single SECTRACE; however, multiple SECTRACEs can be set. Other parameters can be specified on the command, but they are ignored. The OMVS SECTRACE output is written to the console only. DEST does not redirect the output.

This operand has the format:

FUNC=ALL|MAKE|INIT|SET|GET|CHECK|CHANGE|MISC
ALL

(Default) Defines all callable services.

MAKE

make_fsp, make_root_fsp, make_ISP

INIT

initUSP, deleteSUP, fork_exit, init_ACEE

SET

set_file_creation_mask, setuid, set_effective_uid, setgid, set_effective_gid, R_exec_set, clear_setid, R_admin

GET

getUMAP, getGMAP, get_supplemental_groups, get_users_groups, get_effective_uid_gid_supplemental_groups, R_dceinfo, R_dcekey, R_dceruid

CHECK

check_access, check_privilege, check_process_owner, check_file_owner, check_owner_2_files, R_dceauth

CHANGE

change_owner_group, change_file_mode, change_audits_options

MISC

audit, query_file_options, query_security_options

TRACING Operands—Event Matching

Use the TRACING operands group to specify which address spaces, jobs, or users must be in control for an event to match the SAF SECTRACE specifications. By specifying USERID=- or JOBNAME=-, you can trap events regardless of the address space they occur in. However, you can create more specific traps to filter out individual users or started tasks by ASID or job name. These traps enable you to use SAF SECTRACE in a production environment with little impact. When you specify one or more operands from this group, a match occurs only when all of the operands are matched (the operands are ANDed).

These operands have the format:

[ASID=nn][JOBname=mask][USERid=mask]
ASID=nn

Specifies the address space number.

JOBname=mask

Indicates the job name or job name mask of the target address space as determined by the ACUCB (address space level ACEE). Use this operand to target batch, TSO, started task, and MOUNT address spaces, even if they are not secured by CA Top Secret.

Use an asterisk (*) as a masking character to display all possible combinations of a specific jobname. For example, specify ABC* to display all jobnames beginning with ABC.

USERid=mask

Specifies the logonid or logonid mask of the target address space as determined by the ACUCB (address space level ACEE).

Use an asterisk (*) as a masking character to display all possible combinations of a specific userid. For example, specify ABC* to display all userids beginning with ABC.

ENVIRONS Operands—Environment Filter

Use the ENVIRONS operands group as filters on the environment in which a security event occurs. If one or more fields from this group are specified, all fields must match for SAF SECTRACE to trap the event.

These operands have the format:

[RB=mask][ProGraM=mask][RETcode=nn][RSNcode=nn]
RB=mask

Specifies the request block (RB) name that the security event must occur in. When an event occurs directly under a PRB, the name of the program specified in that block is used to match what you specify in this field. If an event occurs under a supervisor call request block (SVRB), the RB name is assigned SVCnnn, where nnn is the decimal SVC number. If this RB is the only RB on the active RB chain under an SVRB, the interrupt code (SVC number) cannot be determined. Therefore, another RB name is assigned. If the program manager indicator is set, the assigned RB name is *PMSVRB*. If this indicator is not set, the RB name is *SYSTEM*. If the security event occurs under the control of a service request block (SRB), the assigned RB name is *SRB*.

ProGraM=mask

Specifies the program name of the newest PRB on the active RB chain. If no PRB exists on the active RB chain when a monitored event occurs, the name used for the RB field is also used for PROGRAM.

RETcode=nn

Specifies the return code to be matched against the return code from the security event. If a return code of 0 (the default) is specified, all return codes from security events match. If a nonzero return code is specified and the return codes match (for TRACE=AFTER requests only), the specified SAF SECTRACE action takes place.

RSNcode=nn

Indicates the reason code to be matched against the reason code from the security event. If a reason code of 0 (the default) is specified, all reason codes from security events match. If a nonzero reason code is specified and the reason codes match (for TRACE=AFTER requests only), the specified SAF SECTRACE action takes place.

STATUS Operands—Define Trap Status

Use the STATUS group operands to define:

If an event matches the criteria for more than one defined SAF SECTRACE trap, SAF SECTRACE generates trace output in the order that the SAF SECTRACE traps were entered until a trap specifying ACTION=IGNORE is encountered.

These operands have the format:

[ENABLE|DISABLE][ACTION=IGNORE|TRACE][TRACE=PRE|BEFORE|POST|AFTER|ALL]
ENABLE|DISABLE

Specifies the initial status of the SECTRACE trap.

ENABLE

(Default) Indicates that the SECTRACE trap identified by the ID operand is enabled. All events that match the SECTRACE trap are trapped.

DISABLE

Indicates that the SECTRACE trap identified by the ID operand is disabled.

ACTION=IGNORE|TRACE

Specifies the action to perform when a SECTRACE trap is matched.

IGNORE

Indicates that the SECTRACE trap is ignored and the search for other defined SECTRACE traps that might match the event is halted.

TRACE

Specifies that the trace output is sent to all specified destinations. See the DEST operand for the destinations that you can specify.

TRACE=PRE|BEFORE|POST|AFTER|ALL

Specifies when the trap is applied if all criteria are matched: before security validation or processing occurs, after it occurs, or both.

PRE|BEFORE

Specifies that the event is trapped before security validation or processing occurs.

POST|AFTER

Specifies that the event is trapped after security validation or processing occurs.

ALL

Indicates that the event is trapped before and after all security validation or processing occurs.

EVENTS Operand—Maximum Number of Events

Use the EVENTS operand to specify the maximum number of events to be traced before the trap is automatically disabled.

MATCHLIM=1000|0|nn

Specifies the maximum number of trace events to occur before SAF SECTRACE is automatically disabled.

To reduce overhead, terminate SAFTRACE after a finite number of events. For an unlimited trace, set the match limit to zero.

When a disabled SAFTRACE is modified to ENABLE, the event counter for the trap is reset to zero and the MATCHLIM remains unchanged (unless specifically modified by the command).

Maximum: 9999
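As an added illustration, not the product's code, of how the TRACING operands (ANDed masks on JOBname and USERid), the RETcode=0 default, the STATUS rule that traps fire in entry order until an ACTION=IGNORE trap matches, and the MATCHLIM auto-disable and counter reset on ENABLE combine; the events, trap IDs and the mask forms handled (- matches everything, trailing * matches any suffix) are constructed assumptions.

```python
from dataclasses import dataclass
def mask_matches(mask: str, value: str) -> bool:
    # '-' matches any value; a trailing '*' matches any suffix (ABC* matches ABCDEF).
    return mask == "-" or value == mask or (mask.endswith("*") and value.startswith(mask[:-1]))

@dataclass
class Trap:
    trap_id: str
    jobname: str = "-"       # JOBname=mask
    userid: str = "-"        # USERid=mask
    retcode: int = 0         # RETcode=nn; 0 (the default) matches any return code
    action: str = "TRACE"    # ACTION=TRACE|IGNORE
    matchlim: int = 1000     # MATCHLIM=nn; 0 means unlimited
    enabled: bool = True     # ENABLE|DISABLE
    events: int = 0          # events matched since the trap was last enabled

    def matches(self, ev: dict) -> bool:
        # Every specified operand must match: the operands are ANDed.
        return (self.enabled and mask_matches(self.jobname, ev["jobname"])
                and mask_matches(self.userid, ev["userid"])
                and self.retcode in (0, ev["retcode"]))

    def enable(self) -> None:
        # Re-enabling a disabled trap resets its counter; MATCHLIM is unchanged.
        self.enabled, self.events = True, 0

def dispatch(traps: list, ev: dict) -> list:
    """IDs of the traps that trace `ev`, in entry order, stopping at the first
    matching trap whose ACTION is IGNORE."""
    traced = []
    for trap in traps:
        if not trap.matches(ev):
            continue
        if trap.action == "IGNORE":
            break
        traced.append(trap.trap_id)
        trap.events += 1
        if trap.matchlim and trap.events >= trap.matchlim:
            trap.enabled = False  # automatic disable once MATCHLIM is reached
    return traced

def demo() -> list:
    """Constructed events (not from a real system): a PROD* shield with
    ACTION=IGNORE, a two-event trap on ABC* users, and a default catch-all."""
    traps = [Trap("TRACE001", jobname="PROD*", action="IGNORE"),
             Trap("TRACE002", userid="ABC*", retcode=8, matchlim=2),
             Trap("TRACE003")]
    events = [("PRODPAY", "ABC1", 8), ("TESTJOB", "ABC1", 8),
              ("TESTJOB", "ABC2", 8), ("TESTJOB", "ABC3", 8)]
    return [dispatch(traps, dict(zip(("jobname", "userid", "retcode"), e))) for e in events]
```

Running demo() shows the first event suppressed by the IGNORE trap, TRACE002 tracing twice and then disabling itself, and TRACE003 continuing to trace.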

ROUTE TO Operands—Output Format and Routing

Use the ROUTE TO operands group to describe how the trace output is formatted and routed to a console.

These operands have the format:

[CONSid=nn][TSoUser=id][LINELEN=nn]
[DEST=CONSOLE|JOBLOG|SMF|SYSLOG|TSOUSER|ALL|DATASET]
[DSName=dsn][MEMBER=member]
[ForMaT=DUMP|LABEL|NOPACK|PACK]
[MSGid|NOMSGid]
[WAIT|NOWAIT]
CONSid=nn

Identifies the console that receives the trace output when DEST=CONSOLE is specified. This operand avoids problems caused by flooding crucial consoles in a production environment and preserves the existing SAF SECTRACE function.

TSoUser=id

Identifies the ID of the time‑sharing (TSO) user who receives the trace output when DEST=TSOUSER is specified.

LINELEN=nn

Specifies the length of the variable output line for the display of the RACROUTE macro parameters.

DEST=CONSOLE|JOBLOG|SMF|SYSLOG|TSOUSER|ALL|DATASET

Specifies where the trace output is delivered when ACTION=TRACE is specified:

CONSOLE

Indicates that trace output is sent to the console identified by the CONSID operand. SAF SECTRACE may discard trace output when control is received with LOCKs held or in SRB mode. When control is received again, a message is issued stating how many trace events were lost.

JOBLOG

Specifies that trace output is sent to the JOBLOG (ROUTCDE=11). SAF SECTRACE may discard trace output when control is received with LOCKs held or in SRB mode. When control is received again, a message is issued stating how many trace events were lost.

SMF

Indicates that trace output is journaled to the System Management Facility (SMF). SMF is the only trace output destination where output is guaranteed. Information is retrieved and formatted with TSSRPTST.

SYSLOG

Specifies that trace output is sent to the system log file (WTL). SAF SECTRACE may discard trace output when control is received with LOCKs held or in SRB mode. When control is received again, a message is issued stating how many trace events were lost.

TSOUSER

Specifies that trace output is sent to the time‑sharing (TSO) user identified by the TSOUSER operand. See the WAIT|NOWAIT operand for additional information. SAF SECTRACE may discard trace output when control is received with LOCKs held or in SRB mode. When control is received again, a message is issued stating how many trace events were lost.

ALL

Indicates that all of the above destinations will receive trace output.

DATASET

Specifies that trace output is sent to a data set. The data set can be a sequential data set or a member of a partitioned data set (PDS). SECTRACE might discard trace output when control is received with locks held or in SRB mode. DATASET is not included in DEST=ALL; a separate SECTRACE is required to specify DATASET as a destination.

Note: DEST=DATASET also requires the DSName= operand to specify the data set that is to receive the trace output. If a member of a partitioned data set is to be used, the MEMBER= operand is required in addition to the DSName= operand.

The console identified by CONSID may also receive messages about the failure to deliver trace messages to any of the other destinations. The default for CONSID is the console that initially set the SAF SECTRACE trap.

DSName=dsn

Identifies the DASD data set that receives the trace output. The data set must be allocated and available before the SECTRACE is enabled.

This must be a fully-qualified data set name. Do not include the member name in the DSName= operand. Use the MEMBER= operand to specify the member name.

Specifying this operand automatically sets DEST=DATASET provided that the DEST= operand does not follow this operand when entering the SECTRACE command.

You can use the INITSECD member included in the sample JCL library to allocate the data set.

ForMaT=DUMP|LABEL|NOPACK|PACK

Specifies the format option of the trace output. Format options are valid only for output destinations of CONSOLE, JOBLOG, SYSLOG, and TSOUSER:

DUMP

Specifies that the external data structures identified in the RACROUTE macro definition are to be displayed following the RACROUTE macro parameters. These external data structures are shown in both hexadecimal and EBCDIC formats.

Note: DUMP is only valid when used with the PACK operand.

LABEL

Indicates that the RACROUTE parameter format extension tags are displayed. This field is for internal use and diagnostic purposes only.

Note: LABEL is only valid when used with the PACK operand.

NOPACK

Specifies that the output of the RACROUTE macro is not to be packed. Only one parameter per line is displayed.

PACK

Indicates that the output of the RACROUTE macro is to be packed with multiple parameters per line up to the line length specified by the LINELEN operand of the SAF SECTRACE command.

MEMBER=member

Identifies the member of a partitioned data set that receives the trace output.

MSGid|NOMSGid

Indicates whether the message ID of the trace output is displayed on the output. This option is valid only for CONSOLE, JOBLOG, SYSLOG, and TSOUSER destinations.

Default: MSGID.

WAIT|NOWAIT

Specifies whether the task control block (TCB) being traced waits until TPUT buffers are available when trace output destined for a TSO user cannot be displayed. When NOWAIT is specified, trace messages may be lost; when TPUT buffers become available, a message tells the TSO user of the loss of trace messages. Use WAIT with caution because waiting for the availability of TPUT buffers may halt system-level processing. To view messages and free buffers for use, the TSO user must press the Enter key.

Default: NOWAIT

END and CANCEL Operands—Complete Trap Specification

Use one of these operands to complete your SAF SECTRACE specifications:

END

Indicates that the SAF SECTRACE specifications for this trap are finished.

CANCEL

Specifies that the SAF SECTRACE specifications for this trap are ignored.