Limited supportBMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support.BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Datastream for Db2 7.1.

Configuring SMF and other IBM z/OS subsystems

To enable BMC AMI Defender to receive the required record types from SMF, ensure that:

  • SMF is configured to invoke the EXITS parameters:
    • IEFU83
    • IEFU84
    • IEFU85
  • SMF is configured to collect and write the appropriate record types (TYPE parameters). SMF configuration is controlled by the  SMFPRMxx  member of SYS1.PARMLIB.
  • TN3270 is configured to write the appropriate records.

BMC AMI Defender diagnoses most mismatches between the BMC AMI Defender configuration and the SMF configuration and issues the following messages:

CZA0277W The following specified subsystems are NOT configured to write SMF Type 18 records: SYSSTC. Some events will be missing from syslog

CZA0286W SUBSYS(TSO,EXITS(IEFU85)) not specified in SYS1.PARMLIB(SMFPRMxx). Some events will be missing from syslog

CZA0287W SUBSYS(OMVS,EXITS or [NO]TYPE coded in SYS1.PARMLIB(SMFPRMxx) but OPTIONS SUBSYS(SYSOMVS) not specified in CZAPARMS. Some events will be missing from syslog[DK1] 

In the SMFPRMxx member, you can perform the following tasks:

  • Specify parameters for z/OS as a whole using the SYS(EXITS/NOEXITS and SYS(TYPE/NOTYPE statements.
  • Override these parameters for individual subsystems using SUBSYS(xxx,EXITS/NOEXITS and SUBSYS(xxx,TYPE/NOTYPE statements.
Warning

BMC highly recommends that you code SUBSYS(ALL). Otherwise, you might miss important events.

The following table describes the EXITS and TYPES parameters:

Event type to be forwarded

SUBSYS statement

Record type

  • Job
  • Jobstep
  • Started task
  • TSO session
  • Unit of work start and end

Any, but corresponding to the type of work.

30

DFSMS PDS(E) changes

Any

42

Security events

Any

80 (RACF and TSS), 230, or other as specified in ACF2

Db2 events

Any

100, 101, and 102

CICS events

STC

110

TCP/IP and FTP events

Any, but typically OMVS, TSO, or STC

119

If any of the following requirements is not met:

  1. Appropriately edit your SMFPRMxx member in SYS1.PARMLIB.
  2. Issue the console command SET SMF=xx (or /SET SMF=xx from SDSF). The xx variable represents the last two characters of the appropriate SMFPRMxx member name.

If the SMFPRMxx member contains any SUBSYS statements, see SUBSYS option.

EXITS parameters

You must enable the following exits for all events that you want to monitor:

  • IEFU83
  • IEFU84
  • IEFU85

You can enable these exits for z/OS as a whole or for individual subsystems.

Warning

BMC highly recommends that you code SUBSYS(ALL). Otherwise, you might miss important events.

Issue the console command D SMF,O (or /D SMF,O from SDSF). Check the D SMF,O output to ensure that at least one of the following statements is true:

  • SYS(EXITS and SYS(NOEXITS are both not specified.
  • (Recommended) SYS(EXITS(IEFU83, IEFU84, and IEFU85 are specified, and there are no SUBSYS(xxx,EXITS or NOEXITS statements for any of the subsystems that you want to monitor.
  • SUBSYS(xxx,EXITS(IEFU83, IEFU84, and IEFU85 are specified for all of the subsystems that you want to monitor.

Note

If IEFU85 is not enabled for all subsystems, your SIEM might miss important events (such as, some SMF 80 (RACF) and SMF 119 (TCP/IP) events).

TYPE parameters

You must enable the writing of the appropriate SMF record types for the events that you want to monitor. You can enable them for exits for z/OS as a whole or for individual subsystems.

Warning

BMC highly recommends that you enable exits for z/OS as a whole. Otherwise, you might miss important events.

  1. Issue the console command D SMF,O (or /D SMF,O from SDSF).
  2. Check the D SMF,O output to ensure that both of the following statements are true:
  • One of the following statements is true:
    • SYS(TYPE and SYS(NOTYPE are both omitted.
    • (Recommended) SYS(TYPE is specified and the specification includes all the record types that you want to monitor. 
    • SYS(NOTYPE is specified and the specification does not include any of the record types that you want to monitor.
  • One of the following statements is true:
    • (Recommended) Neither SUBSYS(xxx,TYPE nor NOTYPE statements for any of the subsystems that you want to monitor is specified.
    • SUBSYS(xxx,TYPE is specified for each of the subsystem and record type combinations that you want to monitor and SUBSYS(xxx,NOTYPE is not coded specifying any of the subsystem and record type combinations that you want to monitor.

TCP/IP parameter

The //PROFILE DD statement references the TCP/IP profile data set in the cataloged procedure used to start TCP/IP.

To configure the TCP/IP profile data set for type 119 records, ensure that it contains the following (or a similar) SMFCONFIG statement:

SMFCONFIGTYPE119 FTPCLIENT TCPINIT TCPTERM TN3270CLIENT[DK1] 

For most record types, the default value is NO.
If the TCP/IP profile data set does not contain such a statement:

  1. Insert this statement in your TCP/IP profile data set.
  2. Save the data set.
  3. Stop and restart TCP/IP.

Tip

BMC recommends scheduling this step for a weekend or an IPL.

Note

If the TCP/IP data set already contains an SMFCONFIG statement that does not specify type 119, or that specifies type 118, you can leave the statement in place. 

To receive FTP server events, such as server login failures, the FTP server profile must be configured for type 119 records.

To configure the FTP server profile for type 119 records, ensure that the following statement appears in the data set referenced by the SYSFTPD DD statement in your FTP server cataloged procedure (commonly referred to as FTP.DATA):

SMF TYPE119 

TN3270 parameter

The //PROFILE DD statement references the TN3270 profile data set in the cataloged procedure used to start TN3270. Type 119 records are essential to enable you to correlate security violations by TSO users back to the TCP/IP address from that they connected.

To write type 119 records for the start and end of TN3270 sessions, ensure that the TN3270 profile data set contains the following statements:

SMFINIT TYPE119
SMFTERM TYPE119 

If the TN3270 profile data set does not contain these statements:

  1. Insert these statements in your TN3270 profile data set.
  2. Save the data set.
  3. Stop and restart TN3270.

Tip

BMC recommends scheduling this step for a weekend or an IPL.

Note

If the TN3270 profile data set already contains SMFINIT STD and SMFTERM STD statements, you can leave the statements in place. 

Additional subsystem parameters to write SMF records

To write the appropriate SMF records, you must configure the following subsystems:

  • ACF2
  • CICS
  • Db2
  • MQ
  • RACF
  • Top Secret 

For Db2 only, you can configure BMC AMI Defender to have Db2 start the required traces (SMF record types) automatically. For more information, see the discussion of the STArt parameter in the SMF-DB2-statement topic and in the IBM Knowledge Center.

Language environment options

BMC AMI Defender and its associated programs run with z/OS Language Environment (LE). The BMC AMI Defender programs operate correctly with the IBM-supplied default LE options. 

The supplied JCL for BMC AMI Defender and CZASEND includes CEEOPTS DD statements to facilitate overriding LE options. For more information about LE, see the IBM Knowledge Center.

Authorizing the BMC AMI Defender load library

You must authorize the BMC AMI Defender load library with the authorized program facility (APF).

To temporarily APF-authorize the load library for testing

For testing purposes, use the SETPROG APF console command to authorize the library only until the next initial program load (IPL).

  1. Determine the volume on which the library resides by entering the following command in the ISPF:

    TSO LISTDS '<amihlq>.CZAGENT.LOAD' 

    The amihlq variable is the high-level qualifier that you specified during installation.
    The last line of the output is the volume serial number of the disk on which the BMC AMI Defender load library resides.

  2. To clear the *** on your display, press Enter.
  3. In the SDSF, enter /+ and press Enter.

  4. In the pop-up page, enter the following data set name:

    SETPROG APF,ADD,DSN=<amihlq>.CZAGENT.LOAD,VOL=<volumeSerialNumber> 

    The volumeSerialNumber variable is the volume serial number referred to earlier.

    Note

    Enter the data set name carefully because z/OS does not validate the data set name even if you receive a message confirming that z/OS has added the load library to the authorized library list.

  5. Press Enter.

To permanently APF-authorize the load library

Add the BMC AMI Defender load library to the permanent authorized library list in SYS1.PARMLIB. Contact your system administrator or BMC Support for instructions.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*