Top Secret


TSS profile auditing

  • 1.  TSS profile auditing

    Posted Nov 12, 2018 02:14 PM

    Hello, question on auditing of profiles.   A dataset ABCD.  generates audit records at the read level and I can't pinpoint why.  I checked TSS LIST(AUDIT) and ABCD. not listed.  

     

    TSSUTIL list shows  'read' for R-ACCESS (requested access) and 'all' for A-ACCESS (allowed access).   None of  the userids that are accessing ABCD. are being audited either....thank you



  • 2.  Re: TSS profile auditing

    Posted Nov 12, 2018 02:23 PM

    Hello Bobs,

    There is more than one reason for an audit record to be cut. For example, if access is granted by a PERMIT command having specified ACTION(AUDIT), an audit record is written when a user accesses that resource, granted by that PERMIT command.

    Best regards,

    Josef  



  • 3.  Re: TSS profile auditing

    Posted Nov 12, 2018 05:01 PM

    Thank you Josef!

     

    I searched all profiles for ACTION = AUDIT and found a few occurrences but none for the sample ABCD.  likewise for TSS LIST(AUDIT) and TSS WHOHAS AUDIT for the userid that is reading ABCD.

     

    Since my TSSUTIL sysout indicates DRC = +A, means audit record was created because audit is turned on?  Btw it’s a 3rd party dataset for DB2.

     

     

     

    R-ACCESS A-ACCESS SRC/DRC SEC RESOURCE (TYPE & NAME)



  • 4.  Re: TSS profile auditing

    Posted Nov 13, 2018 12:33 AM

    I'd agree, that "+A" in the DRC indicates, that AUDIT (or "log") was active for this access. But there are several possibilities, that audit is active for a specific access.

     

    Are you familiar with TSSSIM? Using this tool to simulate that request with TRACE could show which authorization is relevant for that access. If you are not familiar with TSSSIM: It's worth adopting, start at https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/troubleshooting/using-the-tsssim-utility and it will be helpful also in many other cases.



  • 5.  Re: TSS profile auditing

    Broadcom Employee
    Posted Nov 15, 2018 09:43 AM

    Hi Bob,

     

    How are you.  It is good to see you out here.

     

    I would also suggest two other places to look for the reason.

    1 - Does the ACID being reported have the AUDIT attribute?

         TSS LIS(acid) should show attributes

    2 - Does the FACILITY the event happens under have AUDIT set

         TSS MODI FAC(facility)  should show all the attributes

     

    Regards,

    Frank



  • 6.  Re: TSS profile auditing

    Posted Nov 15, 2018 04:43 PM

    thanks Jeff!

     

    I did the TSS LIST(JOHNDOE) and “attributes” shows ‘console’.  Does this mean audit for JOHNDOE userid not turned on?

     

    When I do a TSS LIST(AUDIT) it displays JOHNDOE:  USRCLASS = JOHNDOE.  Doesn’t this mean audit is turned on for JOHNDOE?

     

    TSS LIST(AUDIT) also displays the dataset I want to audit:  DATASET    = 'ABCD.EFGH'   Can I assume audit is turned on for ABCD.EFGH access?

     

    TSS MODI FAC(facility):

     

    I had to research this command as I was afraid MODI meant modify, but I guess used in this context it only displays, which is a little confusing.

     

    I tried it in our sandbox several parms to no avail:

     

    TSS MODI FAC(USRCLASS)

    TSS9186E The Facility name is invalid no such facility name.

     

    TSS MODI FAC(DSNAME)

    TSS9186E The Facility name is invalid no such facility name.

     

    I was successful with TSO and STC parameter, which shows “ATTRIBUTES=NOPROMPT,NOAUDIT” probably means by default they are not being audited?

     

     

    Bobby Sagami

    HNA Mainframe Platform security



  • 7.  Re: TSS profile auditing

    Broadcom Employee
    Posted Nov 15, 2018 05:01 PM

    USRCLASS is not a Facility it is a Resource Class. You display a Facility with TSS MODI cmd

     

    I am having a tough time following this thread, send over the exact output of your TSS LIST(AUDIT)

    along with TSS WHOHAS DSN('ABCD.EFGH' ) I assume those ' '  are showing in the output

     

    tss lis(rdt) resclass(USRCLASS)

    ACCESSORID = *RDT* NAME = RESOURCE DEFINITIONS

    RESOURCE CLASS = USRCLASS
    RESOURCE CODE = X'04F'
    ATTRIBUTE = NOMASK,MAXOWN(08),MAXPERMIT(044),ACCESS,PRIVPGM
    ACCESS = NONE(0000),READ(4000),ALL(FFFF)
    DEFACC = NONE
    TSS0300I LIST FUNCTION SUCCESSFUL

     

    tss whohas USRCLASS(JOHNDOE)



  • 8.  Re: TSS profile auditing

    Posted Nov 16, 2018 04:26 PM

    Hi Robert, thanks for chiming in!  I understand thread is a little confusing…

     

    I asked how to audit a dataset and userid profile, but to reduce confusion I will concentrate on the userid, JOHNDOE.

     

    Yes, JOHNDOE is in my TSS LIST(AUDIT) output: USRCLASS   = JOHNDOE, which indicates audit is turned on for JOHNDOE?

     

    However when running TSSUTIL to list JOHNDOE activities nothing shows.  I know my jcl is good since I see other activities.

     

    JOHNDOE is a stc userid executing 24hrs/day.   I’m wondering if the stc needs to be recycled to pick up my change.

     

    Or do a refresh command:  TSS REFRESH(JOHNDOE) JOBNAME(stcname)

     

    Thank you



  • 9.  Re: TSS profile auditing

    Posted Dec 03, 2018 10:12 AM

    Hi Bobby,

    I have just read through this discussion again, and just for clarification, as you wrote in your post above:

    ...

    TSS LIST(AUDIT) also displays the dataset I want to audit:  DATASET    = 'ABCD.EFGH'   Can I assume audit is turned on for ABCD.EFGH access?

    ...

     

    Your assumption is correct: For every access of a user, who is permitted access to dataset 'ABCD.EFGH', an +A audit record should be cut.

     

    Kind regards,

    Josef



  • 10.  Re: TSS profile auditing

    Posted Nov 30, 2018 01:22 AM

    Hi,

     

    As Frank also indicated, this might be a facility "AUDIT" issue, that you can see using the following command

     

    TSS MODI FAC(facility_name) 

     

    or the user(or users profile) accessing the dataset ABCD has AUDIT attribute, but you don't have necessary administrative authority to display the AUDIT records.

     

    Can you issue the command TSS WHOH AUDIT and see, if you see any outputs?

     

    Best Regards,

     

    Erdem. 



  • 11.  Re: TSS profile auditing

    Posted Nov 30, 2018 01:32 PM

    Frank, thanks for chiming in…

     

    I do a TSS LIST(AUDIT) and I do see the userid in question.

     

    When I do TSS WHOH AUDIT it does not show but there are other entries.

     

    Correct me if wrong, but TSS LIST(AUDIT) shows what ids are being audited?   Unsure what TSS WHOH AUDIT is

     

     

    Bobby Sagami

    HNA Mainframe Platform security



  • 12.  Re: TSS profile auditing

    Posted Dec 01, 2018 02:19 AM

    Hi Bob,

     

    TSS LIST(AUDIT) shows resources being audited, where TSS WHOH AUDIT shows ACIDS being audited.

     

    Regards,

    Erdem.
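
Added example (not part of any post in this thread, and not CA/Broadcom code): a small Python triage that checks saved command output for each audit source the replies name, namely the AUDIT record, the ACID attribute, the facility attribute and ACTION = AUDIT on a permit. The sample captures are constructed from the fragments quoted above, their layout is an assumption, and the function names are hypothetical.

```python
import re

# Constructed captures, modelled only on the fragments quoted in this thread;
# real TSS listings carry more lines and their layout may differ.
LIST_AUDIT = "DATASET    = 'ABCD.EFGH'\nUSRCLASS   = JOHNDOE\n"  # TSS LIST(AUDIT)
LIST_ACID = "ATTRIBUTES = CONSOLE"          # TSS LIST(acid)
MODI_FAC = "ATTRIBUTES=NOPROMPT,NOAUDIT"    # TSS MODI FAC(facility)
PERMITS = "ACCESS = READ"                   # permit listing without ACTION = AUDIT


def tokens(text, key):
    """Comma-separated values of every 'KEY = a,b' / 'KEY=a,b' line, upper-cased."""
    found = set()
    for m in re.finditer(rf"\b{key}\s*=\s*(\S+)", text, re.I):
        found.update(t.upper() for t in m.group(1).split(",") if t)
    return found


def audit_record_entries(text):
    """Parse 'CLASS = value' lines into (resource class, resource name) pairs."""
    pattern = r"^\s*([A-Z]\w*)\s*=\s*'?([^'\s]+)'?\s*$"
    return [(m.group(1), m.group(2)) for m in re.finditer(pattern, text, re.M)]


def audit_reasons(dsn, list_audit, list_acid, modi_fac, permits):
    """List every audit source named in the thread that applies to this access."""
    reasons = []
    for cls, value in audit_record_entries(list_audit):
        # Entries are resources, so USRCLASS = JOHNDOE is never treated as an ACID.
        # Exact compare only; prefix or mask matching is not modelled here.
        if cls == "DATASET" and value.upper() == dsn.upper():
            reasons.append(f"AUDIT record lists resource DATASET {value}")
    # Whole-token comparison: a substring search for AUDIT would also hit NOAUDIT.
    if "AUDIT" in tokens(list_acid, "ATTRIBUTES"):
        reasons.append("ACID has the AUDIT attribute")
    if "AUDIT" in tokens(modi_fac, "ATTRIBUTES"):
        reasons.append("facility has AUDIT set")
    if "AUDIT" in tokens(permits, "ACTION"):
        reasons.append("PERMIT specifies ACTION(AUDIT)")
    return reasons


if __name__ == "__main__":
    for reason in audit_reasons("ABCD.EFGH", LIST_AUDIT, LIST_ACID, MODI_FAC, PERMITS):
        print(reason)
```

An empty result for an access that still shows +A means the audit source lies outside these four listings, which is where the TSSSIM trace suggested earlier in the thread helps.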