IND$defender


You can use IND$defender to audit the use of the IBM PC 3270 File Transfer Program, IND$FILE, with BMC AMI Defender for z/OS.

IND$defender is an optional component of the BMC AMI Defender for z/OS product and is installed as part of the product installation. It consists of two modules in the BMC AMI Defender for z/OS load library:

  • CZAIND$D (alias IND$FILE)
  • CZAWSMFT

CZAWSMFT must reside in an APF-authorized library and be link-edited with AC=1. For a discussion of APF authorization, see Authorizing the BMC AMI Defender load library. CZAWSMFT has been carefully designed to preclude its being a security exposure; contact BMC Support if you need more information.

Note

IND$defender does not apply to the BMC AMI Defender for Db2 product.

You can set up IND$defender to audit the use of the IBM PC 3270 File Transfer Program, commonly known as IND$FILE.

IND$defender is a wrapper for IBM IND$FILE that transparently audits its use. For each transfer, IND$defender writes an SMF record, calls the BMC AMI Defender API, or does both.

Both the SMF record and the API call (see BMC AMI Defender API) carry the following information for every IND$FILE transfer:

  • Invoking user ID, user name, and group
  • Terminal name and IP address
  • Mainframe data set name
  • Upload or download
  • Time of day and duration of transfer
  • Other IND$FILE and APVUFILE parameters

You can configure BMC AMI Defender for z/OS to send the SMF or API1 events (or both) to the syslog server or SIEM of your choice, or you can use an SMF reporting program of your choice (see Customizing-BMC-AMI-IND-defender-to-report-IND-FILE-activity).

IND$FILE

IND$FILE is the IBM 3270-PC File Transfer Program Release 1, IBM program number 5665-311. It is a file transfer program (not to be confused with the File Transfer Protocol, FTP) that runs as a TSO command and lets the user of a mainframe 3270 terminal session upload or download a z/OS data set (file) between the PC and the mainframe. The program is commonly referred to by its executable name, IND$FILE, universally pronounced I-N-D-dollar-file (except in the United Kingdom, where it is known as IND£FILE).

IND$FILE programs for VM/CMS and VSE CICS also exist, but the information in this document refers only to IND$FILE for TSO.

APVUFILE

APVUFILE is MVS/TSO File Transfer Program, 5799-xxx, where xxx is BWJ or BWL for Japan and PGY or PGZ for Korea, China, and Taiwan.

APVUFILE is similar to IND$FILE; the primary difference is that it supports DBCS (double-byte, wide or Asian) character translation. It accepts five additional parameters in support of DBCS translation.

For IND$defender, the term IND$FILE is used to mean IND$FILE or APVUFILE, except where the context clearly demands otherwise.

The problem

IND$FILE is subject to your security authorizations and restrictions: you cannot use IND$FILE to upload or download a file where RACF (or CA ACF2 or CA Top Secret, as appropriate) does not give you access. But IND$FILE incorporates no auditing at all (unlike, for example, FTP), so it provides no information with which any detail of IND$FILE usage can be audited.

Example

Alice has legitimate access to the customer master file for her work. If she downloads the complete file to her PC every evening with IND$FILE, her company has no convenient way to track that.

SMF or API1 record that reports IND$FILE activity

IND$defender is designed for use with the real-time messaging capabilities of BMC AMI Defender for z/OS, but by default it also writes a user SMF record, type 202, in the documented format shown below. You can report on IND$FILE activity with any tool capable of processing SMF records, including SAS from SAS Institute or MXG from Merrill Consultants.

The IND$defender SMF or API1 record

*     Layout of the CorreLog "user" SMF Record, by default type 202
*     Copyright 2015 CorreLog, Inc.
*     For more information www.CorreLog.com or support@CorreLog.com
*
*     The record is "triplet" based, similar to many IBM SMF records such
*     as Type 30, 42, 90, 92, 119 and DB2 SMF records. A triplet consists
*     of a 32-bit offset relative to the start of the record header, a
*     16-bit length, and a 16-bit count. If you are writing a program to
*     process this record you should use the triplets rather than absolute
*     offsets.
*
*     The fixed header portion
SMF202Header    DSECT ,         SMF Record Header
SMF202HDLength  DS    HL2       Record length
SMF202HDSegDesc DS    HL2       Segment descriptor
SMF202HDFlags   DS    BL1       Header flags - all of these will be set
SMF202HDSUB     EQU   X'40'     Subtypes are valid
SMF202HDSP4     EQU   X'10'     MVS/SP Version 4 and above
SMF202HDSP3     EQU   X'08'     MVS/SP Version 3 and above
SMF202HDSP2     EQU   X'04'     MVS/SP Version 2 and above
SMF202HDVS2     EQU   X'02'     MVS/VS2
SMF202HDType    DS    XL1       Record type (by default 202, X'CA')
SMF202HDTime    DS    XL4       Time record was moved to SMF buffer
SMF202HDDate    DS    PL4       Date record was moved to SMF buffer
SMF202HDSID     DS    CL4       System ID
                DS    CL4       Reserved, recorded as zeros
SMF202HDSubType DS    HL2       Record subtype
SMF202HDST_IND$FILE EQU X'0001' IND$FILE audit
*     This is the only subtype defined at this time
SMF202HD_TRN    DS    HL2       Number of triplets - 3 at this time
                DS    XL2       Reserved, recorded as zero
*
*     Triplets
SMF202IDOff     DS    FL4       Offset to Identification section
SMF202IDLen     DS    HL2       Length of Identification section
SMF202IDNum     DS    HL2       Number of Ident sections - always one
*
SMF202PROff     DS    FL4       Offset to Product section
SMF202PRLen     DS    HL2       Length of Product section
SMF202PRNum     DS    HL2       Number of Prod sects - 1 at this time
*
SMF202FNOff     DS    FL4       Offset to Filename section
SMF202FNLen     DS    HL2       Length of Filename section
SMF202FNNum     DS    HL2       Number of File sects - 0 or 1
*
*     End of header portion
SMF202HD_Length EQU   *-SMF202Header
*
*     Identification section -- common to all SMF 202 records
SMF202Ident     DSECT ,
SMF202ID_Comp   DS    CL8       Component that wrote this SMF record
*     At this time this field will always be recorded as C'CZAWSMFT'
SMF202ID_Build  DS    CL4       Build number of above in numeric EBCDIC
SMF202ID_Env    DS    C         Environment
SMF202ID_TSO    EQU   C'T'      TSO is only environment at present
                DS    X         Filler
SMF202ID_UserID DS    CL8       User ID
SMF202ID_Group  DS    CL8       Group name
SMF202ID_JobNm  DS    CL8       Job, STC or TSO session name
SMF202ID_ProcSt DS    CL8       Cataloged procedure step name
SMF202ID_StepNm DS    CL8       Jobstep name
SMF202ID_JobID  DS    CL8       JES "job number"
*     The first character of SMF202ID_JobID may be used to determine the
*     type of work: J=JOB, S=STC, T=TSO, etc.
SMF202ID_ExecSt DS    CL8       Job or session start in TOD format
*     The following six fields are binary zeros if not TSO
SMF202ID_Term   DS    CL8       Terminal name
SMF202ID_NetID  DS    CL8       Network ID
SMF202ID_IPv6   DS    XL16      IPv6 or IPv6-formatted IPv4 Address
SMF202ID_Port   DS    H         Port number
SMF202ID_CharS  DS    CL2       Character Set
SMF202ID_CodePg DS    CL2       Code Page
SMF202ID_UsrNm  DS    CL20      User name from ACEEUNAM
SMF202ID_RUTKN  DS    CL80      RACF User Token (RUTKN) from ACEETOKP
SMF202ID_CVTTZ  DS    F         Local time offset from CVTTZ
*     CVTTZ is the difference between local time and UTC (Coordinated
*     Universal Time) in binary units of 1.048576 seconds.
*
*     End of Identification section
                DS    0F        Assure alignment
SMF202ID_Length EQU   *-SMF202Ident
*
*     Product Section
SMF202Product   DSECT ,
SMF202PR_Prod   DS    CL8       Product to which this section applies
*     For subtype 1 this field will be recorded as C'CZAIND$D'
SMF202PR_Build  DS    CL4       Build number of above in numeric EBCDIC
*
*     The following fields are for a CZAIND$D product section
SMF202PI_Cmd    DS    CL8       Actual command used by TSO user
SMF202PI_RetCd  DS    F         Return code from IND$FILE
SMF202PI_Dur    DS    F         Duration in hundredths of a second
SMF202PI_Dir    DS    X         Direction of file transfer
SMF202PI_Unknown EQU  0         Unknown or invalid
SMF202PI_Get    EQU   1         User specified GET = Download
SMF202PI_Put    EQU   2         User specified PUT = Upload
SMF202PI_RECFM  DS    C         RECFM specified by user
SMF202PI_RECFM_No EQU 0         RECFM not specified
SMF202PI_RECFM_F EQU  C'F'      RECFM(F) specified
SMF202PI_RECFM_V EQU  C'V'      RECFM(V) specified
SMF202PI_RECFM_U EQU  C'U'      RECFM(U) specified
*     Above are valid RECFM values but whatever user coded is recorded
SMF202PI_Opt    DS    B         Various bit-mapped options
SMF202PI_Append EQU   X'80'     APPEND specified
SMF202PI_ASCII  EQU   X'40'     ASCII specified
SMF202PI_CRLF   EQU   X'20'     CRLF specified
SMF202PI_New    EQU   X'10'     NEW specified
SMF202PI_NoTrunc EQU  X'08'     NOTRUNC specified
SMF202PI_Unrec  EQU   X'01'     One or more unrecognized options
SMF202PI_Space  DS    B         SPACE specification
SMF202PI_AvBlock EQU  1         AVBLOCK specified
SMF202PI_Cyls   EQU   2         CYLINDERS specified
SMF202PI_Tracks EQU   3         TRACKS specified
SMF202PI_AvBlk  DS    F         AVBLOCK(value) as specified, else zero
SMF202PI_Prim   DS    F         SPACE primary as specified, else zero
SMF202PI_Sec    DS    F         SPACE secondary as specified, else zero
SMF202PI_BlkSi  DS    F         BLKSIZE as specified, else zero
SMF202PI_LRECL  DS    F         LRECL as specified, else zero
SMF202PI_OptAPVU DS   B         Various bit-mapped APVUFILE options
SMF202PI_BLANK  EQU   X'80'     BLANK specified
SMF202PI_JISCII EQU   X'40'     JISCII specified
SMF202PI_NOSO   EQU   X'20'     NOSO specified
SMF202PI_SO     EQU   X'10'     SO specified
SMF202PI_USER   EQU   X'08'     USER specified
                DS    XL3       Filler for alignment
*
*     End of Product Section
SMF202PI_Align  DS    0F        Assure alignment
SMF202PI_Length EQU   *-SMF202Product
*
*     Filename Section
SMF202Filename  DSECT ,
SMF202FN_Type   DS    X         Type of filename
SMF202FN_SAM    EQU   1         Sequential legacy dataset
SMF202FN_PDS    EQU   2         PDS - Member name present
SMF202FN_USS    EQU   3         HFS or zFS (not used at present)
                DS    X         Filler
SMF202FN_Member DS    CL8       Member name, else zeros
SMF202FN_FNlen  DS    H         Length of filename
SMF202FN_Name   DS    CL44      Actual length 1 to 44
*     Note that if we were to support HFS files Name could be > 44
*
*     End of Filename Section
                DS    0F        Assure alignment
SMF202FN_Length EQU   *-SMF202Filename
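The following Python is an added example, not BMC's or CorreLog's code. It parses records laid out as in the DSECTs above, locating each section through its triplet rather than by absolute offset, and then applies the check that the Alice example earlier on this page asks for: it flags a user who downloads the same data set on several different days. Everything specific in it is an assumption for illustration: the sample records are constructed in the script from the layout (not captured from a system), the host code page is taken to be 037, and the user IDs, data set names, terminal, IP address and system ID are invented.

```python
"""Parse IND$defender SMF type 202 subtype 1 records through their triplets and
flag users who repeatedly download the same data set. Added example; the sample
records are constructed here from the DSECT layout, not captured from a system."""
import ipaddress
import struct
from collections import defaultdict
from datetime import timedelta

EBCDIC = "cp037"   # assumption: host code page 037

# Layouts transcribed from the DSECTs (big-endian; fillers and DS 0F included).
HEADER = struct.Struct(">HHBBI4s4s4sHHH")                          # 28 bytes before triplets
TRIPLET = struct.Struct(">IHH")                                    # offset, length, count
IDENT = struct.Struct(">8s4scx8s8s8s8s8s8s8s8s8s16sH2s2s20s80si")  # 212 bytes
PRODUCT = struct.Struct(">8s4s8siIBcBBIIIIIB3x")                    # 56 bytes
FILENAME = struct.Struct(">Bx8sH44s")                               # 56 bytes
DIRECTION = {0: "UNKNOWN", 1: "GET", 2: "PUT"}                     # GET = download to PC
OPTION_BITS = {0x80: "APPEND", 0x40: "ASCII", 0x20: "CRLF",
               0x10: "NEW", 0x08: "NOTRUNC", 0x01: "UNRECOGNIZED"}


def ebcdic(b: bytes) -> str:
    """Decode an EBCDIC character field, dropping trailing blanks and nulls."""
    return b.decode(EBCDIC).rstrip(" \x00")


def smf_date(packed: bytes) -> str:
    """SMF date is packed decimal 0cyydddF: century flag, year, Julian day."""
    d = packed.hex()
    return f"{1900 + 100 * int(d[1]) + int(d[2:4])}.{int(d[4:7]):03d}"


def parse_smf202(rec: bytes) -> dict:
    """Return one IND$FILE audit event from a raw record (RDW included)."""
    (length, _seg, _flags, rtype, time_hs, date_p, sid, _r1,
     subtype, ntrip, _r2) = HEADER.unpack_from(rec, 0)
    if rtype != 202 or subtype != 1:
        raise ValueError(f"not an IND$defender record: type {rtype} subtype {subtype}")
    if length != len(rec) or ntrip < 3:
        raise ValueError("record length or triplet count is inconsistent")
    # Find every section through its triplet; never rely on absolute offsets.
    trips = [TRIPLET.unpack_from(rec, HEADER.size + TRIPLET.size * i) for i in range(3)]
    for off, ln, num in trips:
        if num and off + ln * num > length:
            raise ValueError("triplet points outside the record")
    (id_off, id_len, _), (pr_off, pr_len, _), (fn_off, _fn_len, fn_num) = trips
    if id_len < IDENT.size or pr_len < PRODUCT.size:
        raise ValueError("section shorter than the documented layout")
    (_comp, _bld, env, user, group, _job, _proc, _step, jobid, _exec, term, _netid,
     ip6, port, _cs, _cp, uname, _rutkn, cvttz) = IDENT.unpack_from(rec, id_off)
    (_prod, _pbld, cmd, rc, dur_hs, direction, recfm, opts, _sp, _avb, _prim,
     _sec, _blk, _lrecl, _apvu) = PRODUCT.unpack_from(rec, pr_off)
    dataset = member = None
    if fn_num:                                  # filename section count is 0 or 1
        ftype, mem, fnlen, name = FILENAME.unpack_from(rec, fn_off)
        dataset = ebcdic(name[:fnlen])
        member = ebcdic(mem) if ftype == 2 else None
    addr = ipaddress.IPv6Address(ip6)           # IPv4 arrives as ::ffff:a.b.c.d
    return {
        "system": ebcdic(sid), "date": smf_date(date_p),
        "time": str(timedelta(seconds=time_hs / 100)),   # hundredths since midnight
        "user": ebcdic(user), "group": ebcdic(group), "user_name": ebcdic(uname),
        "tso": ebcdic(env) == "T", "work_type": ebcdic(jobid)[:1],
        "terminal": ebcdic(term), "ip": str(addr.ipv4_mapped or addr), "port": port,
        "command": ebcdic(cmd), "direction": DIRECTION.get(direction, "UNKNOWN"),
        "dataset": dataset, "member": member,
        "recfm": None if recfm == b"\x00" else ebcdic(recfm),
        "options": [n for bit, n in OPTION_BITS.items() if opts & bit],
        "return_code": rc, "duration_s": dur_hs / 100,
        "utc_offset_s": round(cvttz * 1.048576),          # CVTTZ units per the DSECT
    }


def repeated_downloads(events, min_days: int = 3) -> dict:
    """Users who successfully GET the same data set on at least min_days days."""
    days = defaultdict(set)
    for ev in events:
        if ev["direction"] == "GET" and ev["dataset"] and ev["return_code"] == 0:
            days[(ev["user"], ev["dataset"])].add(ev["date"])
    return {k: sorted(v) for k, v in days.items() if len(v) >= min_days}


def _e(s: str, n: int) -> bytes:
    """EBCDIC-encode and blank-pad (X'40') to n bytes."""
    return s.encode(EBCDIC).ljust(n, b"\x40")


def build_sample(user, dataset, direction, year, jday, time_hs, member=""):
    """Constructed record per the DSECTs; all names and addresses are invented."""
    date_p = bytes.fromhex(f"0{(year - 1900) // 100}{year % 100:02d}{jday:03d}f")
    ident = IDENT.pack(_e("CZAWSMFT", 8), _e("0001", 4), _e("T", 1), _e(user, 8),
                       _e("PAYROLL", 8), _e(user, 8), _e("", 8), _e("", 8), _e("TSU01234", 8),
                       bytes(8), _e("TCP00017", 8), _e("", 8),
                       ipaddress.IPv6Address("::ffff:10.1.2.3").packed, 23, _e("", 2),
                       _e("", 2), _e(user + " EXAMPLE", 20), bytes(80), -17166)
    product = PRODUCT.pack(_e("CZAIND$D", 8), _e("0001", 4), _e("IND$FILE", 8), 0, 4250,
                           direction, b"\x00", 0x60, 0, 0, 0, 0, 0, 0, 0)
    fname = FILENAME.pack(2 if member else 1, _e(member, 8) if member else bytes(8),
                          len(dataset), _e(dataset, 44))
    id_off = HEADER.size + 3 * TRIPLET.size
    pr_off, fn_off = id_off + IDENT.size, id_off + IDENT.size + PRODUCT.size
    total = fn_off + FILENAME.size
    header = HEADER.pack(total, 0, 0x5E, 202, time_hs, date_p, _e("SYS1", 4), bytes(4), 1, 3, 0)
    trips = (TRIPLET.pack(id_off, IDENT.size, 1) + TRIPLET.pack(pr_off, PRODUCT.size, 1)
             + TRIPLET.pack(fn_off, FILENAME.size, 1))
    return header + trips + ident + product + fname


def sample_events() -> list:
    """Alice pulls the customer master nightly for three days; Bob uploads once."""
    raw = [build_sample("ALICE", "PROD.CUSTOMER.MASTER", 1, 2024, d, 6300000) for d in (45, 46, 47)]
    raw.append(build_sample("BOB", "BOB.SRC.CNTL", 2, 2024, 46, 3600000, member="JCL1"))
    return [parse_smf202(r) for r in raw]


if __name__ == "__main__":
    events = sample_events()
    for ev in events:
        print(ev["date"], ev["time"], ev["user"], ev["direction"], ev["dataset"], ev["member"], ev["ip"])
    print("repeated downloads:", repeated_downloads(events))
```

Run it as is to print the four constructed events and the one flagged (user, data set) pair; to use it on real data, feed parse_smf202 the type 202 records unloaded from your SMF data sets and transferred in binary. Because section locations come only from the triplets, the parser keeps working if a later build lengthens a section, which is the reason the layout comment above insists on them.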


 
