RACF Logging Options equivalents under CA Top Secret.
Article ID: 117618
Products
Top Secret, Top Secret - LDAP
Issue/Introduction
Can you tell me the RACF logging option equivalents in TSS?
IN RACF:
INISTATS Ensures that account statistics that are authenticated to z/OS are logged.
SETROPTS INISTATS (ON)
SAUDIT Ensures that the RACF commands performed by the administrators (having the attribute SPECIAL or GROUP SPECIAL) are recorded.
SETROPTS SAUDIT (ON)
CMDVIOL Ensures that failed command attempts after the protection check are logged.
SETROPTS CMDVIOL (ON)
OPERAUDIT Ensures that successful access to files by accounts with the OPERATION attribute is logged.
SETROPTS OPERAUDIT (ON)
Can testing be done without isolating the TSS from a CPF network using the NEWPW (MC) option without forcing via NEWPW (LC) or (UC)?
Environment
Release: Component: TSSMVS
Resolution
Questions:
Can you tell me if there is the equivalent in TSS?
IN RACF:
INISTATS Ensures that account statistics that are authenticated to z/OS are logged.
SETROPTS INISTATS (ON)
Answer: The CA Top Secret control option LOG(INIT) is the equivalent of INISTATS; it tracks user authentication. Setting the AUDIT attribute also causes authentication to be tracked, even if the LOG(INIT) control option is not set. The AUDIT attribute records all security-related activity for a user.
SAUDIT Ensures that the RACF commands performed by the administrators (having the attribute SPECIAL or GROUP SPECIAL) are recorded.
SETROPTS SAUDIT (ON)
Answer: TSS always records successful admin activity. There is no way to disable this.
CMDVIOL Ensures that failed command attempts after the protection check are logged.
SETROPTS CMDVIOL (ON)
Answer: Currently, failed TSS commands are not tracked. Only successful TSS admin commands are tracked.
OPERAUDIT Ensures that successful access to files by accounts with the OPERATION attribute is logged.
SETROPTS OPERAUDIT (ON)
Answer: The AUDIT attribute is the equivalent; it can be specified on a user or on a particular resource.
Can testing be done without isolating the TSS from a CPF network using the NEWPW (MC) option without forcing via NEWPW (LC) or (UC)?
Answer: The NEWPW setting only affects the one system it is set on. It will not affect the other CPFed systems. So you can have multiple systems with different NEWPW settings that CPF to one another, but this is NOT a good security practice or standard. Most sites have a unified password standard that applies to all their systems and platforms. NEWPW is checked when a user changes their password via the signon panel, and not via the TSS REPLACE PASSWORD command. A TSS admin can always override the NEWPW password controls.