Top Secret

  • 1.  userid audit

    Posted Jun 14, 2018 06:07 PM

    Is there a command to list all userids that are being audited? A particular userid is gobbling up SMF80 records, and so I'm trying to see if the audit is turned on... Regards



  • 2.  Re: userid audit

    Broadcom Employee
    Posted Jun 14, 2018 06:21 PM

    Bobby,

     

    There currently isn't a built-in report, but you can create one.

     

    Run a TSSCFILE TSS LIST(ACIDS) to create a dataset of acids with just the basic information.

     

    Then you would create a reporting program that will pull out all the acids that have the 'AUDIT' attributes.

     

    Please refer to CA Top Secret documentation on docops.ca.com for details about TSSCFILE and the record layouts.

     

    Regards,

     

    Joseph Porto - CA Level 1 Support



  • 3.  Re: userid audit

    Broadcom Employee
    Posted Jun 15, 2018 09:41 AM

    Hi Bobby,

     

    You'll find the TSSCFILE content here.

     

    Since you're probably not overly familiar with DocOps (our online, browser-hosted documentation platform), you can find some explanatory information in either of the following videos.

     

     

    In summary, this platform lets you find answers through Google searches (or the Search mechanism on the docops.ca.com/topsecret space itself); lets you watch the space for updates; and lets you add comments or questions to topics that we will address. Any questions, let me know!

     

    Take care,
    Kris



  • 4.  Re: userid audit
    Best Answer

    Posted Jun 15, 2018 10:00 AM

    You can simply issue a "TSS WHOHAS AUDIT" command.

     

    However, please be aware that this will NOT report permits having "ACTION(AUDIT)" specified.

     

    John P. Baker



  • 5.  Re: userid audit

    Posted Jun 15, 2018 04:11 PM

    Great blog! Thank you for all the replies...

    I did TSS WHOHAS AUDIT and the userid in question, GPCSTF, which is generating a ton of the following SMF80 records, is not on the list. Now I'm thinking perhaps audit is turned on for the master catalog, HAM.MASTER.xxxx, and I have no idea why.

    I notice the record indicates +A, which says +A=AUDIT; not sure what this means.

    I dumped all profiles with TSS LIST(ALL) DATA(ALL) and did not find any resembling HAM.MASTER.xxxxx. Perhaps I'm not familiar with how masking works in TSS.

    RACF provides a command to enter next to the filename in 3.4 to display the corresponding RACF profile covering that particular dataset... Is there a TSS equivalent?

    Thank you for your support...bobby

     

      DATE     TIME   SYSI ACCESSOR JOBNAME  FFM VC PROGRAM  R-ACCESS A-ACCESS SRC/DRC SEC RESOURCE (TYPE & NAME)
    -------- -------- ---- -------- -------- --- -- -------- -------- -------- --------------------------------------
    06/13/18 15:17:49 PROD GPCSTF   TFXP1B3  B F    IDCAMS   READ     ALL        OK+A  CAT D ZOS1BA HAM.MASTER.xxxx

     

    SRC/DRC  = SRC=SEC'Y CODE: 00=OK  +A=AUDIT +B=BYPASS +P=PW
               * FOR RESOURCE ACCESS: 04 OR 08 = ACCESS DENIED
               * FOR JOB INITIATION:  08=PASSWORD IS INCORRECT



  • 6.  Re: userid audit

    Broadcom Employee
    Posted Jun 15, 2018 04:42 PM

    Bobby,

     

    Do a TSS WHOHAS DSN(HAM.MASTER); that will show you if permits exist for it.

     

    Please remember this is a public forum. You don't want to post too many details of your security environment, which can potentially be exploited. Try and keep names of things at your site as generic as possible.

     

    TSSUTIL entries that have '+A' indicate the entry is being logged because the user, the resource or the permit used to access the resource is being audited.

     

    Regards,

     

    Joseph Porto - CA Level 1 Support

     



  • 7.  Re: userid audit

    Posted Jun 19, 2018 01:07 PM

    Hi Joe, thanks for your advice!

     

    I tried the TSS WHOHAS DSN(xxxx.yyyy) and got the following:

     

    TSS0318E  RESOURCE NOT FOUND IN SECURITY FILE

    TSS0301I  WHOHAS   FUNCTION FAILED, RETURN CODE =  8

     

    I tried both the HLQ only and the complete dataset name that exists on DASD.

     

    Could this mean they are unknown to TSS, which defaults to no access? I don't see anything in the TSS parms either.

     

     

    Bobby Sagami

    HNA Mainframe Platform security

    Tel:  310-781-4060



  • 8.  Re: userid audit

    Broadcom Employee
    Posted Jun 19, 2018 01:18 PM

    Issue TSS WHOOWNS DSN(xxxx.yyyy) or TSS WHOHAS DSN(xxxx.)...HLQ

    If you receive RESOURCE NOT FOUND, then it is not defined to Top Secret.

    In FAIL mode, DATASETs are protected by default.

    all undefined resources in that resource class will be treated as owned. This means there will either be a return code 00 (access allowed) or 08 (access denied) even if the resource is not defined.



  • 9.  Re: userid audit

    Posted Jun 19, 2018 09:18 PM

    Hi Robert, I tried both WHOOWNS and WHOHAS and both yielded the following:

     

    TSS0318E  RESOURCE NOT FOUND IN SECURITY FILE

    TSS0301I  WHOOWNS  FUNCTION FAILED, RETURN CODE =  8

     

    Which, as you say, means “datasets protected by default”, which I presume means no access to anybody/anything?

     

    I see several datasets under this HLQ, which makes me wonder how it got permission to get allocated.

     

    Regards,

     

    Bobby Sagami

    HNA Mainframe Platform security

    Tel:  310-781-4060



  • 10.  Re: userid audit

    Posted Jun 18, 2018 04:03 PM

    I'm not familiar with TSSCFILE, but I ran a TSS LIST(ACIDS) DATA(A) and searched for AUDIT. I found RESOURCE   = AUDIT,REPORT,INFO. Does this indicate the associated userid is being audited? Unsure what REPORT and INFO indicate.

     

    If a dataset is fully audited, read access and above, will it also read RESOURCE   = AUDIT? Will it indicate at what level it is audited? Read, update, etc.

     

    Thank you, Bobby



  • 11.  Re: userid audit

    Posted Jun 18, 2018 04:13 PM

    Bobby,

     

    RESOURCE=AUDIT indicates that the associated administrative accessor ID can administer the AUDIT attribute for other accessor IDs within his or her scope of authority.

     

    ATTRIBUTES=AUDIT indicates that the associated accessor ID is to be audited, and applies to all signons, signoffs, and resource accesses by that accessor ID.

     

    ACTION=AUDIT indicates that resource accesses involving the associated permit are to be audited.

     

    John P. Baker



  • 12.  Re: userid audit

    Posted Jun 18, 2018 04:17 PM

    Bobby,

     

    ACTION=AUDIT when subordinate to a FACILITY={facility-id-8} entry indicates that the associated accessor ID is to be audited when signed on via that facility.

     

    John P. Baker
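
Added example (not part of the thread and not CA/Broadcom code): a small reporting pass over saved TSS LIST output that separates the three meanings of AUDIT described in posts 11 and 12, so that a plain text search for "AUDIT" does not mistake administrative authority for an audited ACID. The listing layout, ACIDs and dataset name below are constructed assumptions; check them against the documented record layouts before relying on it.

```python
import re

# Constructed sample shaped like TSS LIST output. The layout is an
# assumption for illustration; ACIDs and the dataset name are made up.
SAMPLE = """\
ACCESSORID = SECADM1   NAME       = SAMPLE ADMIN
RESOURCE   = AUDIT,REPORT,INFO
ACCESSORID = BATCH01   NAME       = SAMPLE BATCH ID
ATTRIBUTES = AUDIT,NOPWCHG
ACCESSORID = USER002   NAME       = SAMPLE USER
FACILITY   = TSO
   ACTION  = AUDIT
XA DATASET = EXAMPLE.MASTER.
   ACCESS  = READ
   ACTION  = AUDIT
ACCESSORID = USER003   NAME       = SAMPLE USER
ATTRIBUTES = CONSOLE
"""

# First "KEY = value" pair on a line; an "XA " prefix marks a permit.
KV = re.compile(r"^\s*(XA\s+)?([A-Z]+)\s*=\s*(\S+)")

def classify_audit(listing):
    """Map each ACID to the reasons the word AUDIT appears in its record."""
    reasons, acid, context = {}, None, None
    for line in listing.splitlines():
        m = KV.match(line)
        if not m:
            continue
        xa, key, value = m.groups()
        values = value.split(",")
        if key == "ACCESSORID":
            acid, context = value, None
            reasons.setdefault(acid, set())
        elif acid is None:
            continue                      # text before the first ACID
        elif xa:
            context = ("permit", f"{key}({value})")
        elif key == "FACILITY":
            context = ("facility", value)
        elif key == "ATTRIBUTES" and "AUDIT" in values:
            reasons[acid].add("acid-audited")          # ATTRIBUTES=AUDIT
        elif key == "RESOURCE" and "AUDIT" in values:
            reasons[acid].add("admin-authority-only")  # RESOURCE=AUDIT
        elif key == "ACTION" and "AUDIT" in values and context:
            reasons[acid].add(f"{context[0]}-audited:{context[1]}")
    return {a: sorted(r) for a, r in reasons.items()}

def generates_audit_events(classified):
    """ACIDs whose own activity is logged, ignoring admin authority."""
    return sorted(a for a, r in classified.items()
                  if any(x != "admin-authority-only" for x in r))
```
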



  • 13.  Re: userid audit

    Posted Jun 18, 2018 04:50 PM

    Hey John, I appreciate your time! Not sure I'm allowed to reply directly to your email, but I will try…

     

    You're absolutely correct... the line above indicates so:



  • 14.  Re: userid audit

    Posted Jun 19, 2018 08:48 AM

    Something else for you to look at is whether the accessor ID in question is using OMVS services.

     

    Adding the AUDIT attribute to an accessor ID has the unfortunate side effect of activating USS auditing as if TSS control option UNIXOPTS(DIRACC,DIRSCH,FSOBJ,FSSEC,IPOBJ,PROCACT,PROCESS) were in effect, but only for that accessor ID.

     

    I have previously observed excess events being written to SMF in this scenario.

     

    Please see AUDIT, UNIXOPTS, and SMF 231 

     

    John P. Baker