When auditing APF libraries via AUDIT record or ACTION(AUDIT) on a PERMIT, Top Secret does not produce audit entries for the APF libraries in the Top Secret Audit Tracking File which causes them not to show up in any TSSUTIL report.
Release : 16.0
Component : CA Top Secret for z/OS
Is the APF library also in the lnklst and laplst? Libraries in the lnklst an lpalst cannot be tracked/audited.
Top Secret depends on a RACROUTE to audit and track resources which include z/OS libraries.
Anytime a library dataset is accessed, a RACROUTE is issued at file open time for the dataset to determine if the user is authorized.
Libraries in the lnklst and lpalst are ONLY opened at IPL time, which means they are only opened, once until the next IPL.
Subsequent accessed to libraries in the linklst or lpalst will not trigger a file open.
Therefore, there will not be any RACROUTEs security checks, whenever they are accessed after IPL. No RACROUTE, no auditing.
Because of this z/OS behavior and client interest to track APF datasets, Broadcom decided to enhance their product line to meet this need.
An enhancement was made to CEM (Compliance Event Manager) to monitor the APF libraries.