CA Top Secret

Expand all | Collapse all

TSS profile auditing

  • 1.  TSS profile auditing

    Posted 11-12-2018 02:14 PM

    Hello, question on auditing of profiles.   A dataset ABCD.  generates audit records at the read level and I can't pinpoint why.  I checked TSS LIST(AUDIT) and ABCD. not listed.  

     

    TSSUTIL list shows  'read' for R-ACCESS (requested access) and 'all' for A-ACCESS (allowed access).   None of  the userids that are accessing ABCD. are being audited either....thank you



  • 2.  Re: TSS profile auditing

    Posted 11-12-2018 02:23 PM

    Hello Bobs,

    there are more than one reasons for an audit record to be cut. For example, if access is granted by a PERMIT command having specified ACTION(AUDIT), an audit record is written, when a user accesses that resource, granted by that PERMIT command.

    Best regards,

    Josef  



  • 3.  Re: TSS profile auditing

    Posted 11-12-2018 05:01 PM

    Thank you Josef!

     

    I searched all profiles for ACTION = AUDIT and found a few occurences but none for the sample ABCD.  likewise for TSS LIST(AUDIT) and TSS WHOHAS AUDIT for the userid that is reading ABCD.

     

    Since my TSSUTIL sysout indicates DRC = +A, means audit record was created because audit is turned on?  Btw it’s a 3rd party dataset for DB2.

     

     

     

    R-ACCESS A-ACCESS SRC/DRC SEC RESOURCE (TYPE & NAME)



  • 4.  Re: TSS profile auditing

    Posted 11-13-2018 12:33 AM

    I'd agree, that "+A" in the DRC indicates, that AUDIT (or "log") was active for this access. But there are several possibilities, that audit is active for a specific access.

     

    Are you familiar with TSSSIM? This tool to simulate that request with TRACE could enlighten, which authorization is relevant for that access. If you are not familiar with TSSSIM: It's worth to adopt it, start at https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/troubleshooting/using-the-tsssim-utility and it will be helpful also in many other cases.



  • 5.  Re: TSS profile auditing

    Posted 11-15-2018 09:43 AM

    Hi Bob,

     

    How are you.  It is good to see you out here.

     

    I would also suggest two other places to look for the reason.

    1 - Does the ACID being reported have the AUDIT attribute?

         TSS LIS(acid) should show attributes

    2 - Does the FACILITY the event happens under have AUDIT set

         TSS MODI FAC(facility)  should show all the attributes

     

    Regards,

    Frank



  • 6.  Re: TSS profile auditing

    Posted 11-15-2018 04:43 PM

    thanks Jeff!

     

    I did the TSS LIST(JOHNDOE) and “attributes” shows ‘console’.  Does this mean audit for JOHNDOE userid not turned on?

     

    When I do a TSS LIST(AUDIT) it displays JOHNDOE:  USRCLASS = JOHNDOE.  Doesn’t this mean audit is turned on for JOHNDOE?

     

    TSS LIST(AUDIT) also displays the dataset I want to audit:  DATASET    = 'ABCD.EFGH'   Can I assume audit is turned on for ABCD.EFGH access?

     

    TSS MODI FAC(facility):

     

    I had to research this command as I was afraid MODI meant modify, but I guess used in this context it only displays, which is a little confusing.

     

    I tried it in our sandbox several parms to no avail:

     

    TSS MODI FAC(USRCLASS)

    TSS9186E The Facility name is invalid no such facility name.

     

    TSS MODI FAC(DSNAME)

    TSS9186E The Facility name is invalid no such facility name.

     

    I was successful with TSO and STC parameter, which shows “ATTRIBUTES=NOPROMPT,NOAUDIT” probably means by default they are not being audited?

     

     

    Bobby Sagami

    HNA Mainframe Platform security



  • 7.  Re: TSS profile auditing

    Posted 11-15-2018 05:01 PM

    USRCLASS is not a Facility it is a Resource Class. You display a Facility with TSS MODI cmd

     

    I am having a tough time following this thread, send over the exact output of your TSS LIST(AUDIT)

    along with TSS WHOHAS DSN('ABCD.EFGH' ) I assume those ' '  are showing in the output

     

    tss lis(rdt) resclass(USRCLASS)

    ACCESSORID = *RDT* NAME = RESOURCE DEFINITIONS

    RESOURCE CLASS = USRCLASS
    RESOURCE CODE = X'04F'
    ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(044),ACCESS,PRIVPGM
    ACCESS = NONE(0000),READ(4000),ALL(FFFF)
    DEFACC = NONE
    TSS0300I LIST FUNCTION SUCCESSFUL

     

    tss whohas USRCLASS(JOHNDOE)



  • 8.  Re: TSS profile auditing

    Posted 11-16-2018 04:26 PM

    Hi Robert, thanks for chiming in!  I understand thread is a little confusing…

     

    I asked how to audit a dataset and userid profile, but to reduce confusion I will concentrate on the userid, JOHNDOE.

     

    Yes, JOHNDOE is in my TSS LIST(AUDIT) output: USRCLASS   = JOHNDOE, which indicates audit is turned on for JOHNDOE?

     

    However when running TSSUTIL to list JOHNDOE activities nothing shows.  I know my jcl is good since I see other activities.

     

    JOHNDOE is a stc userid executing 24hrs/day.   I’m wondering if the stc needs to be recycled to pick up my change.

     

    Or do a refresh command:  TSS REFRESH(JOHNDOE) JOBNAME(stcname)

     

    Thank you



  • 9.  Re: TSS profile auditing

    Posted 12-03-2018 10:12 AM

    Hi Bobby,

    I just have read again through this discussion and just for clearification as you wrote in your post above:             

    ...

    TSS LIST(AUDIT) also displays the dataset I want to audit:  DATASET    = 'ABCD.EFGH'   Can I assume audit is turned on for ABCD.EFGH access?

    ...

     

    Your assumption is correct: For every access of a user, who is permitted access to dataset 'ABCD.EFGH', an +A audit record should be cut.

     

    Kind regards,

    Josef



  • 10.  Re: TSS profile auditing

    Posted 11-30-2018 01:22 AM

    Hi,

     

    As Frank also indicated , this might be a facility "AUDIT" issue, that you can see using the following command

     

    TSS MODI FAC(facility_name) 

     

    or the user(or users profile) accessing the dataset ABCD has AUDIT attribute, but you don't have necessary administrative authority to display the AUDIT records.

     

    Can you issue the command TSS WHOH AUDIT and see, if you see any outputs?

     

    Best Regards,

     

    Erdem. 



  • 11.  Re: TSS profile auditing

    Posted 11-30-2018 01:32 PM

    Frank, thanks for chiming in…

     

    I do a TSS LIST(AUDIT) and I do see the userid in question.

     

    When i do TSS WHOH AUDIT it does not show but there are other entries.

     

    Correct me if wrong, but TSS LIST(AUDIT) shows what ids are being audited?   Unsure what TSS WHOH AUDIT is

     

     

    Bobby Sagami

    HNA Mainframe Platform security



  • 12.  Re: TSS profile auditing

    Posted 12-01-2018 02:19 AM

    Hi Bob,

     

    TSS LIST(AUDIT) shows resources being audited, where TSS WHOH AUDIT shows ACIDS being audited.

     

    Regards,

    Erdem.