
Top Secret Auditing APF libraries not working


Article ID: 214608


Products

Top Secret

Issue/Introduction

When auditing APF libraries via an AUDIT record or ACTION(AUDIT) on a PERMIT, Top Secret does not write audit entries for the APF libraries to the Top Secret Audit Tracking File, so they do not show up in any TSSUTIL report.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

Is the APF library also in the lnklst and lpalst? Libraries in the lnklst and lpalst cannot be tracked/audited.

Top Secret depends on a RACROUTE to audit and track resources which include z/OS libraries.

Anytime a library dataset is accessed, a RACROUTE is issued at file open time for the dataset to determine if the user is authorized.

Libraries in the lnklst and lpalst are ONLY opened at IPL time, which means they are opened only once until the next IPL.

Subsequent accesses to libraries in the lnklst or lpalst will not trigger a file open.

Therefore, there will not be any RACROUTE security checks when they are accessed after IPL. No RACROUTE, no auditing.
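As an added example (not Broadcom's code), the Python sketch below cross-checks APF definitions against the lnklst and lpalst to list which APF libraries fall into the gap described above. It assumes simplified one-statement-per-line PROGxx and LPALSTxx text and reflects parmlib definitions only, not dynamic changes made after IPL; the data set names, volsers and function names are constructed for illustration.

```python
import re

# Constructed sample input (not from the article): PROGxx-style statements
# and an LPALSTxx-style member. Data set names and volsers are made up.
PROG_SAMPLE = """\
APF ADD DSNAME(SYS1.LINKLIB) VOLUME(RES001)
APF ADD DSNAME(VENDOR.AUTHLIB) VOLUME(PRD001)
APF ADD DSNAME(SITE.APF.LOAD) SMS
APF ADD DSNAME(SYS1.LPALIB) VOLUME(RES001)
LNKLST DEFINE NAME(LNKLST00)
LNKLST ADD NAME(LNKLST00) DSNAME(SYS1.LINKLIB)
LNKLST ADD NAME(LNKLST00) DSNAME(vendor.authlib)
"""
LPALST_SAMPLE = """\
SYS1.LPALIB,
SITE.LPA.LOAD(PRD001)
"""

_DSN = re.compile(r"DSNAME\(\s*([^)\s]+)\s*\)", re.I)

def parse_prog(text):
    """Return (apf, lnklst) sets of upper-cased data set names."""
    apf, lnk = set(), set()
    for line in text.splitlines():
        words = line.split()
        m = _DSN.search(line)
        # Only "APF ADD ..." and "LNKLST ADD ..." carry a library name.
        if len(words) < 2 or not m or words[1].upper() != "ADD":
            continue
        target = {"APF": apf, "LNKLST": lnk}.get(words[0].upper())
        if target is not None:
            target.add(m.group(1).upper())
    return apf, lnk

def parse_lpalst(text):
    """Return data set names from a comma-separated list, dropping (volser)."""
    names = set()
    for item in re.split(r"[,\n]", text):
        dsn = item.split("(")[0].strip().upper()
        if dsn:
            names.add(dsn)
    return names

def audit_coverage(prog_text, lpalst_text):
    """Split APF libraries into (opened after IPL, opened only at IPL)."""
    apf, lnk = parse_prog(prog_text)
    silent = apf & (lnk | parse_lpalst(lpalst_text))
    return sorted(apf - silent), sorted(silent)

if __name__ == "__main__":
    audited, silent = audit_coverage(PROG_SAMPLE, LPALST_SAMPLE)
    print("Open-time RACROUTE expected:", audited)
    print("In lnklst/lpalst, no audit records:", silent)
```

Libraries in the second list will not appear in TSSUTIL reports regardless of AUDIT or ACTION(AUDIT) settings and need a different monitoring control.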

 

Additional Information

Because of this z/OS behavior and client interest in tracking APF datasets, Broadcom decided to enhance their product line to meet this need.

An enhancement was made to CEM (Compliance Event Manager) to monitor the APF libraries.