
*MISSING ACID SYSTEM ACCESS violations for successful USS logons executing tsocmd over SSH


Article ID: 190369


Products

Top Secret

Top Secret - LDAP WEB ADMINISTRATOR FOR TOP SECRET

Issue/Introduction

SYSTEM ACCESS violations with *MISSING ACID are being seen for logons with PGM=IKJEFT01 and FACILITY=OPENMVS. They are triggered when someone issues TSO commands with 'tsocmd' via SSH.

The JOBNAME field is also always set to the ACID used in the ssh command with a digit appended.

This violation is recorded for a successful logon where the TSO command is executed in the shell and the output can be seen.

There is a policy set to capture all SYSTEM ACCESS violations, but there is also an exclude policy before it that excludes specific LOG= values.

These violations do NOT get reported in the TSSUTIL report that reads the Audit Tracking File.

Why do we see these incorrect violations?

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

A review of the Top Secret DIAGTRAP found the following:

If the ACID is running in *bypass*, it will show up as *missing*. This is normal processing when no ACID is passed on RACINIT.

LOG was set to NONE on the RACROUTE call, which disables ATF logging, so the data is not in the TSSUTIL report.