CA Top Secret

Expand all | Collapse all

resclass TSOAUTH auditing

Jump to Best Answer
  • 1.  resclass TSOAUTH auditing

    Posted 01-02-2017 04:59 AM

    I'm looking for a possibility to detect, which userid effectively   references class TSOAUTH permissions. I suppose, that z/OS checks these permissions with LOG(NONE) so they don't appear in the ATF-data. Beyond this, I suppose and fear, that the resclass is not checked, when the resource is effectively referenced ... (but probably only at logon-time)

     

    Especially I'd be interested in TSOAUTH(TESTAUTH)

     

    Thanks for any hint, idea and suggestion!     (....also for where to find docs ...)   

     

    ------------------------------------------------------------------------------------------------------------------------------------------------------

     

    intermediately and afterwards edited table as a summary, contributions to complete the table very much appreciated ... 

     

    ResourceAuditing effective references
    TSOAUTH(ACCT)
    TSOAUTH(CONSOLE)
    TSOAUTH(JCL)
    TSOAUTH(MOUNT)
    TSOAUTH(OPER)
    TSOAUTH(PARMLIB)TSS PER(xxxxxxxx) TSOAUTH(PARMLIB) ACTION(AUDIT)
    TSOAUTH(RECOVER)
    TSOAUTH(TESTAUTH)

    TSS ADD(xxxxxxxx) PROGRAM(TESTAUTH)

    TSS PER(ALL) PROGRAM(TESTAUTH)



  • 2.  Re: resclass TSOAUTH auditing
    Best Answer

    Posted 01-03-2017 02:18 AM

    Hello Josef,

     

    The TSSAUTH class is checked at logon time by TSO with LOG=NONE.

    You can set a sectrace against any ACID to logon onto TSO, you should see the TSS-F for TSOAUTH class with LOG=NONE, check L/xx80 on the TSS-F lines.

     

    Sincerely, Jacques.



  • 3.  Re: resclass TSOAUTH auditing

    Posted 01-03-2017 03:22 AM

    Hello Jacques, thank you for the details, I'll give them a try.

    Well, I'm interested in the effective  references to that resources. When the resource is checked at logon time, it does not necessarily mean, that the user makes really use of that permission. I would like to determine the effective references to those resources, especially TESTAUTH, so that the permissions can be reworked. Maybe there is a smart possibility for it.....   

    Regards, Josef   



  • 4.  Re: resclass TSOAUTH auditing

    Posted 01-03-2017 05:16 AM

    Hello Josef,

     

    There is no TSOAUTH(TESTAUTH) check with TSS.  TESTAUTH is checked with PROGRAM class when it is issued.

     

    Sincerely, Jacques.



  • 5.  Re: resclass TSOAUTH auditing

    Posted 01-03-2017 10:40 AM

    Many Thanks, Jacques,

     

    ... so it would come down to a

    TSS ADD(xxxxxxxx) PROGRAM(TESTAUTH)

    TSS PER(ALL) PROGRAM(TESTAUTH) ACTION(AUDIT)

     

    Do you or somebody in the community or at Computer Associates have, ideas to detect the "effective reference" to the other TSOAUTH resources, namely

    TSOAUTH(ACCT)
    TSOAUTH(JCL) 
    TSOAUTH(MOUNT)
    TSOAUTH(OPER) 
    TSOAUTH(PARMLIB) 
    [TSOAUTH(TESTAUTH) --> PROGRAM(TESTAUTH) see above]
    TSOAUTH(CONSOLE)   

     

    Regards, Josef



  • 6.  Re: resclass TSOAUTH auditing

    Posted 01-04-2017 04:54 AM

    sorry, TSOAUTH(RECOVER) missed



  • 7.  Re: resclass TSOAUTH auditing

    Posted 01-03-2017 10:54 AM

    Hello Josef,

     

    To clarify the TSOAUTH with TSS:

    TSOAUTH(JCL)

    TSOAUTH(ACCT)

    TSOAUTH(MOUNT)

    TSOAUTH(OPER)

    TSOAUTH(RECOVER) are checked at logon time with LOG=NONE

     

    TSOAUTH(PARMLIB) is checked when user enter this command in TSO command or other means.

    e.g. PARMLIB UPDATE(00)

     

    and as already seen TESTAUTH is checked via PROGRAM class with LOG=ASIS, then what you said should work to audit it.

     

    Sincerely, Jacques.



  • 8.  Re: resclass TSOAUTH auditing

    Posted 01-04-2017 07:14 AM

    Hello Josef,

     

    I have to add some comment about TESTAUTH. From what I was able to test and saw in sectrace the TESTAUTH command as I said is checked with PROGRAM class. But, under certain circumstances it can be checked with TSOAUTH(TESTAUTH) as described in IBM documentation. I didn't have a chance to see this check with the tests I made.

     

    Sincerely, Jacques.



  • 9.  Re: resclass TSOAUTH auditing

    Posted 01-04-2017 07:30 AM

    Hello Josef,

     

    My mistake! My TSO environment wasn't correct. Now, I can see the TSOAUTH(TESTAUTH) check coming after the PROGRAM(TESTAUTH) check, this check is not done with LOG=NONE then it should be auditable.

     

    Sincerely, Jacques.