Audit and log report for USS/OMVS


Article ID: 230717


Products

Top Secret

Issue/Introduction

Is there any sort of report or auditing tool in Top Secret to check OMVS/USS activity?

 

Environment

Release : 16.0

Component : Top Secret for z/OS

Resolution

USS/OMVS events are recorded in SMF type 231 records and can be reviewed with the TSSOERPT utility. By default, log records are written for any security event that denies the ACID access to a USS function or resource.

Turning on user logging or audit options on an HFS file can cause logging to occur even when access is allowed.

Adding TRACE to an ACID causes all of the ACID's activity (including USS events) to be recorded in SMF. Use the following command to log all activity for an ACID:

TSS ADDTO(acid) TRACE


This is a sample JCL used to run TSSOERPT:

//REPORT   EXEC PGM=TSSOERPT,PARM='TITLE(USS EVENTS)'
//*
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//RECMAN1  DD DSN=IFASMF.XE15.TSSLOG,DISP=SHR
//SYSIN    DD *
  DETAIL
/*
//

The RECMAN1 DD should point to the SMF file that was active at the time of the event to be reported.

Some useful parameters that can be added to the SYSIN DD:

  • SDATE(000000|cyyddd)
    Specifies the beginning Julian date from which report information is selected, where c is required and specifies the century. Enter 1 for years greater than (>) 2000 or 0 for years less than (<) 2000. Any input SMF records generated before the SDATE value are ignored.
  • STIME(000000|hhmm)
    Specifies the beginning of the time interval from which SMF records are selected, based on a 24-hour clock. SMF records generated before this time are ignored. The selection of records begins at the STIME specified for each date in the SDATE/EDATE range and ends on each date at the ETIME given.
    Default: Process all available records.
  • EDATE(169365|cyyddd)
    Specifies the ending Julian date from which report information is selected, where c is required and specifies the century. Enter 1 for years greater than (>) 2000 or 0 for years less than (<) 2000. When combined with the SDATE parameter, this parameter creates a window for report content. The defaults for SDATE and EDATE process all available records.
  • ETIME(2359|hhmm)
    Specifies the end of the time interval from which SMF records are selected, based on a 24-hour clock. SMF records generated after this specified time of day are ignored. The selection of records begins at the STIME specified for each date in the SDATE/EDATE range and ends on each date at the ETIME given. The defaults for STIME and ETIME process all available records.
  • UID(value)
    Specifies the USS UID for which you intend to collect security information. Acceptable numeric values range from zero to 2,147,483,647. This field is not maskable.
    Default: All UID values.
  • USER(acid)
    Specifies the ACID for which you want USS security information collected. This field is maskable and it is case sensitive.
    Default: All ACIDs.
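
The cyyddd and hhmm formats above are easy to get wrong when scoping a report to an incident window. The following helper is an added example, not part of the original article or of Top Secret: it converts calendar values into the selection keywords listed above and rejects out-of-range input. The function names are hypothetical, USER01 in the usage is a constructed ACID, and treating the year 2000 as c=1 is an assumption (the article defines c only for years below and above 2000).

```python
from datetime import date, time

UID_MAX = 2_147_483_647  # upper bound for UID(value) stated in this article


def to_cyyddd(d: date) -> str:
    """Format a calendar date as cyyddd: century flag, 2-digit year, day of year."""
    if not 1900 <= d.year <= 2099:
        raise ValueError(f"{d.year} cannot be expressed with c=0 or c=1")
    # Assumption: the year 2000 itself takes c=1, as in SMF date stamps.
    c = 1 if d.year >= 2000 else 0
    return f"{c}{d.year % 100:02d}{d.timetuple().tm_yday:03d}"


def report_filters(start, end, stime=None, etime=None, uid=None, user=None):
    """Return TSSOERPT selection keywords for the window start..end."""
    if end < start:
        raise ValueError("EDATE is earlier than SDATE")
    # The article describes selection as running from STIME to ETIME on each
    # date in the range, so an ETIME before STIME is rejected here (assumption
    # about intended use; the article does not say how the utility reacts).
    if stime is not None and etime is not None and etime < stime:
        raise ValueError("ETIME is earlier than STIME")
    params = [f"SDATE({to_cyyddd(start)})", f"EDATE({to_cyyddd(end)})"]
    if stime is not None:
        params.append(f"STIME({stime:%H%M})")
    if etime is not None:
        params.append(f"ETIME({etime:%H%M})")
    if uid is not None:
        if not 0 <= uid <= UID_MAX:
            raise ValueError("UID outside 0..2147483647")
        params.append(f"UID({uid})")  # not maskable: one exact value
    if user is not None:
        params.append(f"USER({user})")  # case sensitive: passed through unchanged
    return params


if __name__ == "__main__":
    # Constructed window: 15-16 Feb 2024, 08:00 to 17:30 each day.
    for kw in report_filters(date(2024, 2, 15), date(2024, 2, 16),
                             time(8, 0), time(17, 30), user="USER01"):
        print(kw)
```

How the keywords are laid out on the SYSIN lines is not shown in this article; follow the TSSOERPT documentation for that.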

Additional Information

More information about the TSSOERPT utility can be found in the Top Secret for z/OS 16.0 manual.