Before enabling DEFPROT on a resource class such as IBMFAC, is there a way to see if there are any undefined resources being accessed on the system?
Is there a report in Top Secret to identify undefined resources being accessed on the system, or not, since the resource wouldn't be defined to Top Secret?
1) Verify that IBMFAC is non-masked in the RDT via the TSS LIS(RDT) RESCLASS(IBMFAC) command.
2) Get the output of TSS WHOOWNS IBMFAC(*) to determine the current set of owned resources.
3) For safety, keep the output of a TSS LIST(ACIDS) DATA(ALL) TSSCFILE or TSSCFBK job.
This will provide a backup in case the WHOHAS information was incorrect.
4) Issue the following commands:
TSS ADD(dept) IBMFAC(*ALL*)
TSS PER(ALL) IBMFAC(*ALL*) ACCESS(ALL) ACTION(AUDIT)
TSS REPL(RDT) RESCLASS(IBMFAC) ATTR(DEFPROT)
These commands will permit access to currently undefined resources while auditing all events that are allowed as a result.
5) For any currently DEFINED HLQ (from the TSS WHOOWNS IBMFAC(*) in step 2), such as IBMFAC(STGADMIN), issue:
TSS PER(ALL) IBMFAC(STGADMIN) ACCESS(NONE)
This will ensure users who currently do not have access to the already defined resources do not gain access.
6) Continuously monitor the TSSUTIL reports to see what IBMFAC events are being audited.
Administer the appropriate permissions to eliminate the auditing.
7) Once you are satisfied the audit reports are correct you may then begin the process of cleaning up (revoking) the ALL record permits with ACCESS(NONE) and the ALL record permit for IBMFAC(*ALL*) with ACCESS(ALL) ACTION(AUDIT). Optionally, the IBMFAC(*ALL*) ownership can be removed.
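Step 6 is where most of the work is: each audited IBMFAC event is a resource that was reachable only because of the IBMFAC(*ALL*) ACTION(AUDIT) permit, and it needs ownership and an explicit permit before that permit can be revoked. The script below is an added example, not part of Top Secret, TSSUTIL or this article. It assumes the audit records have been exported one per line with whitespace-separated DATE TIME ACID CLASS RESOURCE ACCESS EVENT fields (a constructed layout; the real TSSUTIL report format differs, so parse_record() is the only part that would need adapting), and that OWNED_PREFIXES was transcribed from the TSS WHOOWNS IBMFAC(*) output of step 2. It groups the audited events by resource and ACID, and separately flags any audited event whose resource already falls under an owned prefix, since those should have been closed off by the step 5 ACCESS(NONE) permits rather than audited.

```python
"""Audit-triage helper for step 6 of the DEFPROT rollout above.

Constructed example; it is not part of Top Secret, TSSUTIL or the original
article. Two assumptions are built in:
  * Audit records have been exported one per line with whitespace-separated
    fields DATE TIME ACID CLASS RESOURCE ACCESS EVENT. The real TSSUTIL report
    layout differs, so only parse_record() should need changing.
  * OWNED_PREFIXES is the list of already-owned IBMFAC prefixes transcribed
    from TSS WHOOWNS IBMFAC(*) output (step 2); ownership matches on the
    leading characters of the resource name.
"""
from collections import defaultdict

# Constructed: prefixes already owned before DEFPROT was switched on.
OWNED_PREFIXES = ["STGADMIN", "IRR.DIGTCERT"]

# Constructed sample records (not real TSSUTIL output).
SAMPLE_AUDIT = """\
2024/03/01 10:15:22 USER01 IBMFAC IRR.RADMIN.LISTUSER READ AUDIT
2024/03/01 10:16:05 USER02 IBMFAC IRR.RADMIN.LISTUSER READ AUDIT
2024/03/01 10:17:40 USER01 IBMFAC CSVDYNL.UPDATE.LNKLST UPDATE AUDIT
2024/03/01 10:18:01 BATCH01 IBMFAC STGADMIN.ADR.DUMP READ AUDIT
2024/03/01 10:19:11 USER03 DATASET SYS1.PARMLIB READ VIOLATION
"""

FIELDS = ("date", "time", "acid", "rclass", "resource", "access", "event")


def parse_record(line):
    """Split one exported record into a dict; return None for blank/short lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def audited_ibmfac_events(text):
    """Keep only IBMFAC events that were allowed under the *ALL* ACTION(AUDIT) permit."""
    events = (parse_record(line) for line in text.splitlines())
    return [e for e in events
            if e and e["rclass"] == "IBMFAC" and e["event"] == "AUDIT"]


def under_owned_prefix(resource, owned=OWNED_PREFIXES):
    """Return the owned prefix covering this resource, or None if it is undefined."""
    for prefix in owned:
        if resource.startswith(prefix):
            return prefix
    return None


def review_report(text, owned=OWNED_PREFIXES):
    """Return (summary, flagged).

    summary: resource -> acid -> set of access levels that were audited.
             These are the resources that still need ownership and explicit
             permits before the *ALL* audit permit can be revoked (step 7).
    flagged: audited events whose resource falls under an already-owned
             prefix. The step 5 ACCESS(NONE) permits should have denied
             those, so each one deserves a second look.
    """
    summary = defaultdict(lambda: defaultdict(set))
    flagged = []
    for e in audited_ibmfac_events(text):
        summary[e["resource"]][e["acid"]].add(e["access"])
        if under_owned_prefix(e["resource"], owned):
            flagged.append(e)
    return {r: dict(a) for r, a in summary.items()}, flagged


if __name__ == "__main__":
    summary, flagged = review_report(SAMPLE_AUDIT)
    print("Undefined IBMFAC resources reached via the *ALL* audit permit:")
    for resource in sorted(summary):
        for acid, modes in sorted(summary[resource].items()):
            print(f"  {resource:<28} {acid:<8} {','.join(sorted(modes))}")
    for e in flagged:
        print(f"REVIEW: {e['resource']} is under owned prefix "
              f"{under_owned_prefix(e['resource'])} but was audited, not denied")
```

Run it against the exported report after each monitoring interval; once the summary comes back empty for a full cycle, the resources it listed have all been owned and permitted, and the step 7 cleanup can proceed. The prefix check uses a plain leading-characters match because that is how Top Secret prefix ownership behaves; the DATASET line in the sample is there only to show that records from other classes are ignored.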
Some of the calls for the IBMFAC resource class are issued with LOG=NONE, which means they will not be logged. The only way to be aware of those calls is through something like our CEM product, which logs all events, or a SAFTRACE. It is hard to know what the effects will be for LOG=NONE calls, but generally they will not hurt your processing; that is why they are issued with LOG=NONE. Typically they are used not to allow access to a resource but rather to allow access to a resource in a particular way, perhaps a faster path or something along those lines.