Produce two reports: the first, a total violation report; the second, audit entries:
REPORT EVENT(VIOL) END REPORT EVENT(AUDIT) END
Select all TSO data violations that occurred yesterday:
DATE(-01,-01) DRC(DS) FACILITY(TSO)
Select all events logged on April 26, 1991 for jobs FINBUD01 and FINBUD02:
J(FINBUD01,FINBUD02) DATE(91116,91116) EVENT(ALL)
Select all violations by all users in the Finance Department:
DEPT(FINANCE) EVENT(VIOL)
Select all violations against volumes with the prefix WORK by users B1010, B1020, B1030:
A(B1010,B1020,B1030) V(WORK) EVENT(VIOL)
Select all jobs submitted from terminal R15.RD1:
RES(R15.RD1) CLASS(T) EVENT(INIT)
Select all updates against SYS1.SPFPARMS from the CPU SYS3:
SYSID(SYS3) EVENT(ACCESS) DSN(SYS1.SPFPARMS) ACCESS(UPDATE)
Select all violations on test CICS unowned transactions; with LONG, the report generates two lines for every security incident:
CLASS(X) FAC(CICSTEST) EVENT(VIOL) LONG
Select illegal CPU SYS2 access attempts for the second shift:
EVENT(VIOL) RES(CPU.SYS2) TIME(160000,235959)
Select all IMS production signon password violations:
DRC(PW) F(IMSPROD)
Select all jobs that are undefined:
FAC(BATCH) ACID(*)
Select all operator authentication failures:
CLASS(G) EVENT(VIOL)
Select all production jobs:
EVENT(ALL) JOB(PROD*)
Select CICS production and test violations against payroll files:
EVENT(VIOL) RES(PAY) FAC(CICSPROD,CICSTEST)
Select all minidisks:
RESCLASS(VMMDISK)
Select specific audited terminals:
EVENT(AUDIT) TERM(GRAF001,GRAF002,GRAF003)
Select all uses of selected system utilities:
EVENT(ALL) RES(IMASPZAP,IEHPROGM,IEHINITT)
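The DATE operand in the FINBUD01/FINBUD02 example above takes a two-digit-year Julian date (yyddd): April 26, 1991 is day 116 of 1991, hence 91116. Getting that conversion right (leap years, zero padding) is the error-prone part of scripting TSSUTIL runs, so the following added example builds selection statements from calendar dates. It is not CA code; it uses only keywords that appear in the examples on this page and assumes, from those examples, that DATE accepts either a relative offset such as -01 or a yyddd value.

```python
"""Build TSSUTIL selection statements with DATE values in yyddd form.

Added example, not CA code. Keyword names are taken from the examples on this
page; the yyddd format is inferred from the April 26, 1991 -> 91116 example.
"""
import datetime as dt


def to_yyddd(year: int, month: int, day: int) -> str:
    """Two-digit year followed by the 1-based day of year, zero-padded to 3 digits.

    tm_yday already accounts for leap years, so 1992-12-31 -> "92366".
    The two-digit year is ambiguous across centuries; the page's examples use
    it, so this follows them.
    """
    day_of_year = dt.date(year, month, day).timetuple().tm_yday
    return f"{year % 100:02d}{day_of_year:03d}"


def build_statement(**criteria) -> str:
    """Render KEYWORD(value,...) pairs in the order given.

    True renders a bare keyword such as LONG; a list or tuple renders a
    comma-separated operand list; anything else renders as a single operand.
    """
    parts = []
    for keyword, value in criteria.items():
        name = keyword.upper()
        if value is True:
            parts.append(name)
        elif isinstance(value, (list, tuple)):
            parts.append(f"{name}({','.join(str(v) for v in value)})")
        else:
            parts.append(f"{name}({value})")
    return " ".join(parts)


def select_jobs_on(ymd: tuple, *jobs: str) -> str:
    """All events for the named jobs on one calendar day (the FINBUD example)."""
    yyddd = to_yyddd(*ymd)
    return build_statement(J=jobs, DATE=(yyddd, yyddd), EVENT="ALL")


def select_violations_between(start: tuple, end: tuple, facility: str,
                              long_format: bool = False) -> str:
    """Violations for one facility across a date range, optionally in LONG form."""
    criteria = {"EVENT": "VIOL", "FAC": facility,
                "DATE": (to_yyddd(*start), to_yyddd(*end))}
    if long_format:
        criteria["LONG"] = True
    return build_statement(**criteria)


def select_yesterday(facility: str, drc: str) -> str:
    """Relative form, as in the DATE(-01,-01) example above."""
    return build_statement(DATE=("-01", "-01"), DRC=drc, FACILITY=facility)


if __name__ == "__main__":
    print(select_jobs_on((1991, 4, 26), "FINBUD01", "FINBUD02"))
    print(select_violations_between((1991, 4, 22), (1991, 4, 26), "CICSTEST",
                                    long_format=True))
    print(select_yesterday("TSO", "DS"))
```

The first call reproduces the page's own statement, J(FINBUD01,FINBUD02) DATE(91116,91116) EVENT(ALL), which is the quickest check that the date arithmetic matches what TSSUTIL expects.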
The TSSUTIL REPORT function produces a fixed-format report whose content is determined by the selection criteria. One report line is generated for each security incident unless the LONG selection criterion is used, which generates two report lines per incident. A final summary shows retrieval statistics, and two legends are produced at the end of each report to explain the various areas and codes. (See Sample TSSUTIL Reports for information on the reports and codes.)
The title line of each report page indicates the sequence number of the report being produced, since several reports can be produced in one run of the utility. A subtitle, controlled by the TITLE option, can be used to identify different reports or to provide a company or department name.
The headings of the report's data areas are explained below, along with the corresponding selection criteria:
The date when the related incident was recorded. The format of the date is controlled by the DATE control option specified at initialization. The default is month/day/year; it differs if a European, military, or other date format is in use. Selection criterion is DATE.
The time of day when the incident was recorded. Selection criterion is TIME.
The VMLOGID or SMF identification of the CPU that logged the event. Selection criterion is SYSID.
The ACID that was in effect for the user. For VM users the ACID is generally the userid defined in the directory. ACIDs that begin with an asterisk “*” are special to CA Top Secret. *UNDEF* indicates an undefined user. *BYPASS* indicates that the user is bypassing security. Selection criterion is ACID.
Either the name of a batch job, the procedure name of a started task (STC), or the userid of an online user. For a VM user the jobname is usually the same as the userid. The jobname of the online region appears alongside the ACID of an online user. Selection criterion is JOBNAME.
Represents two data items: FACILITY and MODE. The facility being used is represented by a single character. The most common facility codes are:
T=TSO, B=BATCH, C=CICSPROD, R=ROSCOE, V=VM
Codes for other facilities may be obtained by entering:
TSS MODIFY(FAC(facname))
The mode of the user is represented by the second single character:
D=DORMANT, W=WARN, I=IMPL, F=FAIL
Note: When using the LONG selection criterion, a second report line generates up to an eight-character facility name taken from the Facility Matrix, and a four-character mode of the user: DORM, WARN, IMPL, or FAIL.
Represents a running count of violations for the life of the session or job. It is displayed only with violation entries.
Shows the name of the program in control at the time the security incident was recorded. Common program names are:
A program name is not always present, especially if the event was recorded through an online data base system such as CICS or IMS. Selection criterion is RESOURCE. (Select RESOURCE only if you are looking for explicitly owned program usage.)
For CP commands, this field contains the name of the virtual machine that was the target of the command.
Shows the requested access level as defined in the RDT for the current resource (usually minidisk, data set, volume, or CICS file).
If an access mask does not uniquely define an access level, the access mask is displayed preceded by an asterisk. In this case, the access mask displayed represents more than one access level.
Shows the allowed access level as defined in the RDT for the current resource. Indicates how the resource (usually data set, volume, or CICS file) was accessed by the user or job.
If an access mask does not uniquely define an access level, the access mask is displayed preceded by an asterisk. In this case, the access mask displayed represents more than one access level.
Shows the return code presented to the system (caller) and the associated detailed error reason code. Together they indicate whether the access was successful or failed. Three fixed values denote success: OK indicates the request was successful; OK+A indicates a successful audited incident; OK+B indicates a successful bypassed access. Otherwise, the return and detail codes are shown in the format:
*rr*-dd
where rr is the return code and dd is the detailed error reason code. Return codes are documented in the legend produced at the end of the report.
For example, *30*-0F indicates a terminal or reader violation during initiation; *08*-65 indicates a data set is not accessible.
Selection criteria are as follows. To select both violations and audit entries, use EVENT(VIOL,AUDIT). To select only violations with a specific detailed error reason code, use DRC.
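When a TSSUTIL report is processed by script rather than read by eye, the two fields most worth decoding are the FACILITY/MODE pair described above and this return-code field, because OK+B (a bypassed access) and *rr*-dd (a failed access) are what a reviewer is actually hunting for. The following added example decodes both fields and tallies outcomes per facility over a few constructed field values. It is not CA code: the code tables and the two *rr*-dd meanings are exactly those given on this page, every other code is deferred to the report legend, and since the page does not state whether rr and dd are decimal or hexadecimal (0F shows the detail code is at least hex), both are kept as two-character strings rather than converted to integers.

```python
"""Decode the FACILITY/MODE and return-code fields of a TSSUTIL report line.

Added example, not CA code. Code tables and reason texts are limited to what
this page documents; unknown codes are passed through for lookup in the
legend printed at the end of the report.
"""
import re
from collections import Counter

# Facility codes listed on the page; others come from TSS MODIFY(FAC(facname)).
FACILITY_CODES = {"T": "TSO", "B": "BATCH", "C": "CICSPROD", "R": "ROSCOE", "V": "VM"}
MODE_CODES = {"D": "DORMANT", "W": "WARN", "I": "IMPL", "F": "FAIL"}

# Only the (return, detail) pairs the page explains; the legend covers the rest.
KNOWN_REASONS = {
    ("30", "0F"): "terminal or reader violation during initiation",
    ("08", "65"): "data set is not accessible",
}

# *rr*-dd: two characters each; radix is not stated on the page, so keep strings.
_RC = re.compile(r"^\*([0-9A-Z]{2})\*-([0-9A-Z]{2})$")

_FIXED = {"OK": "ok", "OK+A": "ok-audited", "OK+B": "ok-bypassed"}


def decode_fac_mode(field: str) -> tuple:
    """Map a two-character field such as 'TF' to ('TSO', 'FAIL').

    Codes not in the page's tables are returned as '?x' so nothing is silently
    mislabelled.
    """
    if len(field) != 2:
        raise ValueError(f"FACILITY/MODE field must be two characters: {field!r}")
    fac, mode = field[0], field[1]
    return FACILITY_CODES.get(fac, f"?{fac}"), MODE_CODES.get(mode, f"?{mode}")


def decode_rc(field: str) -> dict:
    """Classify the return-code field.

    outcome is 'ok', 'ok-audited', 'ok-bypassed' or 'failed'. For 'failed',
    rr and dd carry the raw codes and reason is the page's text if known.
    """
    field = field.strip()
    if field in _FIXED:
        return {"outcome": _FIXED[field], "rr": None, "dd": None, "reason": None}
    match = _RC.match(field)
    if not match:
        raise ValueError(f"unrecognized return-code field: {field!r}")
    rr, dd = match.groups()
    return {"outcome": "failed", "rr": rr, "dd": dd,
            "reason": KNOWN_REASONS.get((rr, dd), "see report legend")}


def summarize(records) -> tuple:
    """Count (facility, outcome) pairs and list bypassed accesses with their mode.

    records: iterable of (fac_mode_field, rc_field) pairs.
    """
    counts = Counter()
    bypassed = []
    for fac_mode, rc in records:
        facility, mode = decode_fac_mode(fac_mode)
        result = decode_rc(rc)
        counts[(facility, result["outcome"])] += 1
        if result["outcome"] == "ok-bypassed":
            bypassed.append((facility, mode))
    return counts, bypassed


# Constructed sample field values for demonstration, not taken from a real report.
SAMPLE = [
    ("TF", "*08*-65"),
    ("BF", "OK"),
    ("TF", "*30*-0F"),
    ("CW", "OK+B"),
    ("VI", "OK+A"),
]

if __name__ == "__main__":
    counts, bypassed = summarize(SAMPLE)
    for key, n in sorted(counts.items()):
        print(key, n)
    print("bypassed accesses (facility, mode):", bypassed)
    print(decode_rc("*30*-0F"))
```

Anything that decodes to an unknown code is deliberately left visible (the '?x' form and "see report legend") rather than dropped, so a run over a real report shows exactly which codes still need to be looked up in the legend.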
For MVS violations, this shows the vendor or customer security driver requesting security validation. This is represented by a three-character mnemonic or by a hexadecimal value for the SVC in control. The legend at the end of the report shows all driver codes.
The common driver codes are:
Shows the class and name of the resource being accessed. This value varies greatly and does not always appear. For initiations, the name of the user usually appears via the NAME= keyword. The most common classes are:
Note: When using the LONG selection criterion, a second report line generates up to an eight-character resource type and up to a 44-character resource name. Initiations still show NAME= followed by the user's name.
Shows the job number.
Shows the terminal for an online user; AUTOLOG appears for autologged initiations and DISC for disconnected virtual machines. Selection criterion is TERMINAL.
Note: When using the LONG selection criterion, a second report line generates the VOLSER number in this column.
Displays the original eight-character resource class before it was translated during the security check to the resource class displayed in the prior line. This line is displayed only:
Copyright © 2014 CA Technologies.
All rights reserved.