Hello, We have installed TSS in a shared CPU installation. It means that our AUDIT is shared and used by all the partitions. We would like to split it, having a file for each partition. The questions are, Is it possible to separate only AUDIT file? How we should proceed? Do you have any documentation related to this? Thank you very much in advance!!!

Top Secret

View Only

AUDIT shared file to AUDIT exclusive files

Cetelem Sistemas posted Feb 02, 2023 06:29 AM

Hello,

We have installed TSS in a shared CPU installation. It means that our AUDIT is shared and used by all the partitions.

We would like to split it, having a file for each partition.

The questions are, Is it possible to separate only AUDIT file? How we should proceed? Do you have any documentation related to this?

Thank you very much in advance!!!

Robert Bridges posted Feb 02, 2023 05:09 PM

I would have expected someone much more knowledgeable to chime in about this by now, and was interested in seeing what they offered. But since so far all we're hearing is crickets, herewith my guess. Don't take it as authoritative, though:

The TSS JCL specifies, among other things, the DSN for the Audit file. So I suppose you could easily enough do this:

1) Copy the current Audit file to each partition, giving it the proper DSN.
2) Copy the current JCL for the Top-Secret STC to each partition.
3) In each partition, modify the JCL so that the Audit file points to the appropriate "local" DS.

I gather you want the other TSS datasets to be shared, as before, so I guess you're sharing DASD across the partitions (or at least some HLQs. If so, maybe this is all that's required? But I'm not a systems programmer (I came into security from the developer side), so there's lots I don't know.

By the way, you say "audit file" and I have to assume you know what you're talking about. But I'll mention in passing that I occasionally confuse the audit file and the recovery file. I forget, does the DD name for the audit file include the word "recovery", or does the recovery DD go by "AUDIT"? Something like that, anyway. It's been a while since I had to look at it, but as I recall the audit file records security violations, and the recovery file records TSS commands (so that you can look back at what commands were recently issued and have a hope of ~recovering~ the system from a disastrous mistake).

Robert Bridges posted Feb 02, 2023 05:44 PM

Two things I should add:

First, I may have been unclear; I see I was assuming a lot of knowledge. Let me spell out those instructions better:

1) Copy the current Audit file to each partition, giving it a new DSN that you deem proper for an Audit file in the target partition. This will be the new Audit file in that partition, going forward.

2) Copy the current TSS JCL to a JCLLIB in each new partition. This will be the new JCL fr the local STC.

3) In each partition, modify the JCL so that the audit-file DD points to the appropriate local audit DS.

Second: Wait a minute, you want to have separate audit files but still have just one TSS database? Wouldn't that imply that if I make a change to (say) TSS permissions, it'll affect the central database but the change will appear in only one audit file? Seems to me that if you're trying to figure out what happened to TSS, by this scheme you'd have to look in three different places. That doesn't sound like a great idea to me. But it's your installation, after all.

Broadcom Employee Kevin Segreti posted Feb 03, 2023 08:31 AM

Hi Cetelem,

I work in Tech Consultanting here at Broadcom and would like to help you create a plan to break out your Audit files. Please e-mail me at Kevin.Segreti@broadcom.com, and I would be happy to schedule a meeting to walk you through the steps needed.

Thanks,

Kevin Segreti