Configuring SMF and other IBM z/OS subsystems


To enable BMC AMI Defender to receive the required record types from SMF, ensure that:

  • SMF is configured to invoke the following exits (EXITS parameters):
    • IEFU83
    • IEFU84
    • IEFU85
  • SMF is configured to collect and write the appropriate record types (TYPE parameters). SMF configuration is controlled by the SMFPRMxx member of SYS1.PARMLIB.
  • TN3270 is configured to write the appropriate records.

BMC AMI Defender diagnoses most mismatches between the BMC AMI Defender configuration and the SMF configuration and issues the following messages:

CZA0277W The following specified subsystems are NOT configured to write SMF Type 18 records: SYSSTC. Some events will be missing from syslog

CZA0286W SUBSYS(TSO,EXITS(IEFU85)) not specified in SYS1.PARMLIB(SMFPRMxx). Some events will be missing from syslog

CZA0287W SUBSYS(OMVS,EXITS or [NO]TYPE coded in SYS1.PARMLIB(SMFPRMxx) but OPTIONS SUBSYS(SYSOMVS) not specified in CZAPARMS. Some events will be missing from syslog

In the SMFPRMxx member, you can perform the following tasks:

  • Specify parameters for z/OS as a whole using the SYS(EXITS/NOEXITS and SYS(TYPE/NOTYPE statements.
  • Override these parameters for individual subsystems using SUBSYS(xxx,EXITS/NOEXITS and SUBSYS(xxx,TYPE/NOTYPE statements.
Warning

BMC highly recommends that you code SUBSYS(ALL). Otherwise, you might miss important events.

The following table describes the EXITS and TYPES parameters:

Event type to be forwarded                  SUBSYS statement                              Record type
------------------------------------------  --------------------------------------------  ------------------------------------------------------
Job, jobstep, started task, TSO session,    Any, but corresponding to the type of work    30
unit of work start and end
DFSMS PDS(E) changes                        Any                                           42
Security events                             Any                                           80 (RACF and TSS), 230, or other as specified in ACF2
Db2 events                                  Any                                           100, 101, and 102
CICS events                                 STC                                           110
TCP/IP and FTP events                       Any, but typically OMVS, TSO, or STC          119

If any of these requirements is not met:

  1. Appropriately edit your SMFPRMxx member in SYS1.PARMLIB.
  2. Issue the console command SET SMF=xx (or /SET SMF=xx from SDSF). The xx variable represents the last two characters of the appropriate SMFPRMxx member name.

If the SMFPRMxx member contains any SUBSYS statements, see SUBSYS option.

EXITS parameters

You must enable the following exits for all events that you want to monitor:

  • IEFU83
  • IEFU84
  • IEFU85

You can enable these exits for z/OS as a whole or for individual subsystems.

Warning

BMC highly recommends that you code SUBSYS(ALL). Otherwise, you might miss important events.

Issue the console command D SMF,O (or /D SMF,O from SDSF). Check the D SMF,O output to ensure that at least one of the following statements is true:

  • Neither SYS(EXITS nor SYS(NOEXITS is specified.
  • (Recommended) SYS(EXITS(IEFU83, IEFU84, and IEFU85 are specified, and there are no SUBSYS(xxx,EXITS or NOEXITS statements for any of the subsystems that you want to monitor.
  • SUBSYS(xxx,EXITS(IEFU83, IEFU84, and IEFU85 are specified for all of the subsystems that you want to monitor.

Note

If IEFU85 is not enabled for all subsystems, your SIEM might miss important events (such as some SMF 80 (RACF) and SMF 119 (TCP/IP) events).

TYPE parameters

You must enable the writing of the appropriate SMF record types for the events that you want to monitor. You can enable them for z/OS as a whole or for individual subsystems.

Warning

BMC highly recommends that you enable exits for z/OS as a whole. Otherwise, you might miss important events.

  1. Issue the console command D SMF,O (or /D SMF,O from SDSF).
  2. Check the D SMF,O output to ensure that both of the following statements are true:
  • One of the following statements is true:
    • SYS(TYPE and SYS(NOTYPE are both omitted.
    • (Recommended) SYS(TYPE is specified and the specification includes all the record types that you want to monitor. 
    • SYS(NOTYPE is specified and the specification does not include any of the record types that you want to monitor.
  • One of the following statements is true:
    • (Recommended) No SUBSYS(xxx,TYPE or SUBSYS(xxx,NOTYPE statement is specified for any of the subsystems that you want to monitor.
    • SUBSYS(xxx,TYPE is specified for each of the subsystem and record type combinations that you want to monitor and SUBSYS(xxx,NOTYPE is not coded specifying any of the subsystem and record type combinations that you want to monitor.
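The EXITS and TYPE checks above are easy to get wrong by hand once several SUBSYS overrides are in play. The following script is an added example (not BMC's code and not part of the original page): it parses an SMFPRMxx-style fragment, applies the SUBSYS-overrides-SYS rule stated earlier, and reports, per subsystem, which of IEFU83/IEFU84/IEFU85 and which record types from the table would be missing. It assumes comma-separated lists, colon ranges such as 100:102, no subtype lists such as TYPE(42(1,2)), and a constructed sample configuration.

```python
import re

REQUIRED_EXITS = frozenset({"IEFU83", "IEFU84", "IEFU85"})
WANTED_TYPES = frozenset({30, 42, 80, 100, 101, 102, 110, 119})  # record types from the table above

def _types(text):
    """Expand a TYPE/NOTYPE list such as '30,42,100:102' (colon = range) into a set of ints."""
    out = set()
    for lo, _, hi in (s.strip().partition(":") for s in text.split(",") if s.strip()):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_smfprm(text):
    """Return (SYS options, {subsystem: options}) keeping only EXITS/NOEXITS/TYPE/NOTYPE.
    Assumption: comma-separated lists and no subtype lists such as TYPE(42(1,2))."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)          # strip /* comments */
    sys_opts, subsys = {}, {}
    # One match per SYS(...) or SUBSYS(name,...) statement, running up to the next statement.
    for m in re.finditer(r"\b(SUBSYS|SYS)\((\w*).*?(?=\b(?:SUBSYS|SYS)\(|\Z)", text, flags=re.S):
        kind, name, chunk = m.group(1), m.group(2), m.group(0)
        opts = {"NOEXITS": True} if re.search(r"\bNOEXITS\b", chunk) else {}
        for key, inner in re.findall(r"\b(EXITS|NOTYPE|TYPE)\(([^)]*)\)", chunk):
            opts[key] = _types(inner) if "TYPE" in key else {e.strip() for e in inner.split(",")}
        target = sys_opts if kind == "SYS" else subsys.setdefault(name, {})
        target.update(opts)
    return sys_opts, subsys

def check_subsystem(cfg_text, name, wanted=WANTED_TYPES):
    """List what the collector would miss for subsystem `name`; an empty list means OK."""
    sys_opts, subsys = parse_smfprm(cfg_text)
    o = dict(sys_opts)
    for key, val in subsys.get(name, {}).items():          # SUBSYS overrides SYS, pair by pair
        for k in (("EXITS", "NOEXITS") if "EXITS" in key else ("TYPE", "NOTYPE")):
            o.pop(k, None)
        o[key] = val
    problems = []
    if "NOEXITS" in o:
        problems.append(f"{name}: NOEXITS in effect, required exits are never invoked")
    elif "EXITS" in o and REQUIRED_EXITS - o["EXITS"]:
        problems.append(f"{name}: EXITS omits {sorted(REQUIRED_EXITS - o['EXITS'])}")
    # Omitting both TYPE and NOTYPE means every record type is written.
    missing = wanted - o["TYPE"] if "TYPE" in o else wanted & o.get("NOTYPE", set())
    if missing:
        problems.append(f"{name}: record types {sorted(missing)} will not be written")
    return problems

# Constructed SMFPRMxx fragment (not taken from any real system) with three deliberate gaps.
SAMPLE = ("SYS(TYPE(30,42,80,100:102,110,119),EXITS(IEFU83,IEFU84,IEFU85),INTERVAL(SMF,SYNC))\n"
          "SUBSYS(STC,EXITS(IEFU29,IEFU83,IEFU84),TYPE(30,110))   /* no IEFU85, too few types */\n"
          "SUBSYS(TSO,NOTYPE(119))   /* loses TN3270/TCP events */\nSUBSYS(OMVS,NOEXITS)\n")
```

Running `check_subsystem(SAMPLE, "JES2")` returns an empty list because JES2 inherits the SYS settings, while STC, TSO and OMVS each report the gap their override introduces.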

TCP/IP parameter

The //PROFILE DD statement references the TCP/IP profile data set in the cataloged procedure used to start TCP/IP.

To configure the TCP/IP profile data set for type 119 records, ensure that it contains the following (or a similar) SMFCONFIG statement:

SMFCONFIG TYPE119 FTPCLIENT TCPINIT TCPTERM TN3270CLIENT

For most record types, the default value is NO.
If the TCP/IP profile data set does not contain such a statement:

  1. Insert this statement in your TCP/IP profile data set.
  2. Save the data set.
  3. Stop and restart TCP/IP.

Tip

BMC recommends scheduling this step for a weekend or an IPL.

Note

If the TCP/IP data set already contains an SMFCONFIG statement that does not specify type 119, or that specifies type 118, you can leave the statement in place. 

To receive FTP server events, such as server login failures, the FTP server profile must be configured for type 119 records.

To configure the FTP server profile for type 119 records, ensure that the following statement appears in the data set referenced by the SYSFTPD DD statement in your FTP server cataloged procedure (commonly referred to as FTP.DATA):

SMF TYPE119 

TN3270 parameter

The //PROFILE DD statement references the TN3270 profile data set in the cataloged procedure used to start TN3270. Type 119 records are essential to enable you to correlate security violations by TSO users back to the TCP/IP address from which they connected.

To write type 119 records for the start and end of TN3270 sessions, ensure that the TN3270 profile data set contains the following statements:

SMFINIT TYPE119
SMFTERM TYPE119 

If the TN3270 profile data set does not contain these statements:

  1. Insert these statements in your TN3270 profile data set.
  2. Save the data set.
  3. Stop and restart TN3270.

Tip

BMC recommends scheduling this step for a weekend or an IPL.

Note

If the TN3270 profile data set already contains SMFINIT STD and SMFTERM STD statements, you can leave the statements in place. 

Additional subsystem parameters to write SMF records

To write the appropriate SMF records, you must configure the following subsystems:

  • ACF2
  • CICS
  • Db2
  • MQ
  • RACF
  • Top Secret 

For Db2 only, you can configure BMC AMI Defender to have Db2 start the required traces (SMF record types) automatically. For more information, see the discussion of the STArt parameter in the SMF-Db2-statement topic and in the IBM Knowledge Center.

Language environment options

BMC AMI Defender and its associated programs run with z/OS Language Environment (LE). The BMC AMI Defender programs operate correctly with the IBM-supplied default LE options. 

The supplied JCL for BMC AMI Defender and CZASEND includes CEEOPTS DD statements to facilitate overriding LE options. For more information about LE, see the IBM Knowledge Center.


Authorizing the BMC AMI Defender load library

You must authorize the BMC AMI Defender load library with the authorized program facility (APF).

To temporarily APF-authorize the load library for testing

For testing purposes, use the SETPROG APF console command to authorize the library only until the next initial program load (IPL).

  1. Determine the volume on which the library resides by entering the following command in ISPF:

    TSO LISTDS '<amihlq>.CZAGENT.LOAD' 

    The amihlq variable is the high-level qualifier that you specified during installation.
    The last line of the output is the volume serial number of the disk on which the BMC AMI Defender load library resides.

  2. To clear the *** on your display, press Enter.
  3. In SDSF, enter /+ and press Enter.
  4. In the pop-up page, enter the following data set name:

    SETPROG APF,ADD,DSN=<amihlq>.CZAGENT.LOAD,VOL=<volumeSerialNumber> 

    The volumeSerialNumber variable is the volume serial number referred to earlier.

    Note

    Enter the data set name carefully because z/OS does not validate the data set name even if you receive a message confirming that z/OS has added the load library to the authorized library list.

  5. Press Enter.

To permanently APF-authorize the load library

Add the BMC AMI Defender load library to the permanent authorized library list in SYS1.PARMLIB. Contact your system administrator or BMC Support for instructions.
