The TSSUTIL REPORT function produces a fixed-format report whose content is determined by the selection criteria. One report line is generated for each security incident, unless the LONG selection criterion is used, in which case two report lines are generated. A final summary shows retrieval statistics, and two legends are produced at the end of each report to guide you through the various areas and codes. (See Sample TSSUTIL Reports for information on the reports and codes.)
The title line of each report page indicates the sequence number of the report being produced, as several reports can be produced with one run of the utility. A subtitle, controlled by the TITLE option, can be used to identify different reports or to provide a company or department name.
The header line for the report's data areas is explained below, along with the appropriate selection criteria:
The date when the related incident was recorded. The format of the date is controlled by the DATE control option specified at initialization. The default is month/day/year. This may vary if using European, military, or other date format. Selection criterion is DATE.
The time of day when the incident was recorded. Selection criterion is TIME.
The VMLOGID or SMF identification of the CPU that logged the event. Selection criterion is SYSID.
The ACID that was in effect for the user. For VM users the ACID is generally the userid defined in the directory. ACIDs that begin with an asterisk “*” are special to CA Top Secret. *UNDEF* indicates an undefined user. *BYPASS* indicates that the user is bypassing security. Selection criterion is ACID.
Either the name of a batch job, the procedure name of a started task (STC), or the userid of an online user. The jobname is usually the same for a VM user. The jobname for the online region appears with that of an online user ACID. Selection criterion is JOBNAME.
Represents two data items: FACILITY and MODE. The facility being used is represented by a single character. The most common facility codes are:
T=TSO B=BATCH C=CICSPROD
R=ROSCOE V=VM
Codes for other facilities may be obtained by entering:
TSS MODIFY(FAC(facname))
The mode of the user is represented by the second single character that shows:
D=DORMANT W=WARN I=IMPL F=FAIL
Note: When using the LONG selection criterion, a second report line generates up to an eight-character facility name taken from the Facility Matrix, and a four-character mode of the user:
DORM WARN IMPL FAIL
Represents a consecutive accumulation of violations for the life of the session or job. It is displayed only with violation entries.
Shows the name of the program in control at the time the security incident was recorded. Common program names are:
A program name is not always present, especially if the event was recorded through an online data base system such as CICS or IMS. Selection criterion is RESOURCE. (Select RESOURCE only if you are looking for explicitly owned program usage.)
For CP commands, this field contains the name of the virtual machine that was the target of the command.
Shows the requested access level as defined in the RDT for the current resource (usually minidisk, data set, volume, or CICS file).
If an access mask does not uniquely define an access level, the access mask is displayed preceded by an asterisk. In this case, the access mask displayed represents more than one access level.
Shows the allowed access level as defined in the RDT for the current resource. Indicates how the resource (usually data set, volume, or CICS file) was accessed by the user or job.
If an access mask does not uniquely define an access level, the access mask is displayed preceded by an asterisk. In this case, the access mask displayed represents more than one access level.
Shows the return code presented to the system (caller) and the associated detailed error reason code. This indicates whether the access succeeded or failed. OK indicates the request was successful; OK+A indicates a successful audited incident; OK+B indicates a successful bypassed access. Otherwise, the return and detail codes are shown in the format:
*rr*-dd
where rr is the return code, and dd is the detailed error reason code. Return codes are documented in the legend produced at the end of the report.
For example, *30*-0F indicates a terminal or reader violation during initiation; *08*-65 indicates a data set is not accessible.
Selection criteria are as follows. To get violations and audit entries, use EVENT(VIOL,AUDIT). To get only the specific violations as explained by the detailed error reason codes, use DRC.
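The following added example (not part of the CA documentation) decodes the two-character facility/mode value and the result value described above, and flags the entries a reviewer would look at first. It assumes the fields have already been split out of the report line, because this page does not give column positions; the function names and sample values are constructed for illustration.

```python
import re

# Codes listed on this page; other facility codes are site-specific.
FACILITY = {"T": "TSO", "B": "BATCH", "C": "CICSPROD", "R": "ROSCOE", "V": "VM"}
MODE = {"D": "DORMANT", "W": "WARN", "I": "IMPL", "F": "FAIL"}
OK_RESULTS = {"OK": "successful", "OK+A": "successful, audited",
              "OK+B": "successful, bypassed"}
# Assumption: rr and dd are each two hex digits, as in the page's examples.
RESULT_RE = re.compile(r"\*([0-9A-F]{2})\*-([0-9A-F]{2})")

def decode_fac_mode(code):
    """Split the two-character FACILITY/MODE value into readable names."""
    code = code.strip().upper()
    if len(code) != 2:
        raise ValueError(f"expected two characters, got {code!r}")
    return (FACILITY.get(code[0], f"unlisted({code[0]})"),
            MODE.get(code[1], f"unlisted({code[1]})"))

def decode_result(text):
    """Return (ok, description, return_code, detail_reason_code)."""
    text = text.strip().upper()
    if text in OK_RESULTS:
        return True, OK_RESULTS[text], None, None
    match = RESULT_RE.fullmatch(text)
    if match is None:
        raise ValueError(f"unrecognized result value {text!r}")
    return False, "not OK", match.group(1), match.group(2)

def triage(acid, fac_mode, result):
    """Summarize one incident and list the points worth a reviewer's attention."""
    facility, mode = decode_fac_mode(fac_mode)
    ok, description, rc, drc = decode_result(result)
    flags = []
    if acid.startswith("*"):
        flags.append(f"special ACID {acid}")
    if result.strip().upper() == "OK+B":
        flags.append("access succeeded through a security bypass")
    if not ok:
        flags.append(f"return code {rc}, detail reason {drc}; see report legend")
    return {"acid": acid, "facility": facility, "mode": mode,
            "ok": ok, "result": description, "flags": flags}

# Constructed sample values (ACID, facility/mode, result), not real report data.
SAMPLES = [("*UNDEF*", "TF", "*30*-0F"), ("PAYUSR1", "BW", "*08*-65"),
           ("*BYPASS*", "VI", "OK+B"), ("OPSUSR2", "CF", "OK+A")]

if __name__ == "__main__":
    for row in SAMPLES:
        print(triage(*row))
```

Facility characters that are not in the table on this page are reported as unlisted rather than guessed, since the full set is site-specific.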
For MVS violations, this shows the vendor or customer security driver requesting security validation. This is represented by a three-character mnemonic or by a hexadecimal value for the SVC in control. The legend at the end of the report shows all driver codes.
The common driver codes are:
Shows the class and name of the resource being accessed. This value varies greatly and does not always appear. For initiations, the name of the user usually appears via the NAME= keyword. The most common classes are:
Note: When using the LONG selection criterion, a second report line generates up to an eight-character resource type and up to a 44-character resource name. Initiations still show NAME= followed by the user's name.
Shows the job number.
Shows the terminal for an online user: AUTOLOG for autologged initiations and DISC for disconnected virtual machines. Selection criterion is TERMINAL.
Note: When using the LONG selection criterion, a second report line generates the VOLSER number in this column.
Displays the original eight-character resource class before it was translated during the security check to the resource class displayed in the prior line. This line is displayed only:
Copyright © 2009 CA.
All rights reserved.