Limited support: BMC provides limited support for this version of the product. As a result, BMC no longer accepts comments in this space. If you encounter problems with the product version or the space, contact BMC Support. BMC recommends upgrading to the latest version of the product. To see documentation for that version, see BMC AMI Datastream for Db2 7.1.

Customizing IND$Detect to report IND$FILE activity


IND$Detect (formerly IND$defender) is shipped and properly configured for most installations. The default configuration options are described in IND-Detect-configuration-parameters. If these options are correct for your installation, you can skip this topic.

  • Do not rename IBM IND$FILE or APVUFILE.
  • IBM IND$FILE, APVUFILE, or both are installed in a cataloged data set named SYS1.CMDLIB.
  • IND$Detect should log IND$FILE usage using SMF record type 202 (not the BMC AMI Datastream API).

Configure IND$Detect by adding the IND$Detect configuration parameters to a small assembler module found in amihlq.CZAGENT.ASM, then assemble it and bind it with the distributed IND$Detect. To complete this task, you must be comfortable with simple assembler programming and understand the basics of using the z/OS binder (refer to IBM documentation for details).

Editing the IND$CONF module

The following is the IND$CONF module as shipped in amihlq.CZAGENT.ASM.

IND$CONF TITLE 'Configuration options for BMC AMI IND$Detect'
* See manual "BMC AMI Datastream for z/OS SIEM Agent for IND$Detect"
IND$CONF AMODE ANY31
IND$CONF RMODE ANY
IND$CONF CSECT
         DC    C'IND$CONF: Config for BMC AMI IND$Detect' Eyecatcher
*
*     *** Do not alter the next four statements ***
         ENTRY IND$DOPT
IND$DOPT DC    A(IND$PARM)
         DC    A(0)                Required end-of-list delimiter
IND$PARM EQU   *
*    Place any configuration parameters here
         DC    X'0'                End of parameters - Required
*
         END

To add parameters to the module, open it in an editor and insert one or more parameters where indicated, formatted as character constants, as in the following example:

IND$PARM EQU   *
*    Place any configuration parameters here
         DC    C'LIBRARY(SYS2.PROD.CMDLIB)'
         DC    X'0'                End of parameters - Required

Separate multiple parameters with one or more blanks, as in the following example:

IND$PARM EQU   *
*    Place any configuration parameters here
         DC    C'INSTANCE(1)'
         DC    C' '                Separator blank
         DC    C'SEND(API SMF)'
         DC    X'0'                End of parameters - Required

Do not delete or change the position of the X'0' that terminates the parameters.
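As an added check that is not part of BMC's distribution, the following Python script lints the IND$PARM section of an edited IND$CONF member before you assemble it: it concatenates the C'...' constants into the parameter string the module would deliver and reports a missing blank between parameters, a missing X'0' terminator, or statements placed after the terminator. The sample member it reads is constructed for illustration.

```python
import re
# Constructed sample of an edited IND$CONF parameter section (not BMC's shipped member).
SAMPLE = """\
IND$PARM EQU   *
*    Place any configuration parameters here
         DC    C'INSTANCE(1)'
         DC    C' '                Separator blank
         DC    C'SEND(API SMF)'
         DC    X'0'                End of parameters - Required
         END
"""
# optional label in column 1, the DC opcode, then one C'...' or X'...' constant
DC_RE = re.compile(r"^(\S*)\s+DC\s+([CX])'([^']*)'")

def parse_params(source):
    """Return (parameter_string, errors) for the IND$PARM .. X'0' region of a member."""
    errors, pieces, in_params, terminated = [], [], False, False
    for lineno, line in enumerate(source.splitlines(), 1):
        if not line.strip() or line.startswith("*"):
            continue                      # blank line or assembler comment
        if re.match(r"^IND\$PARM\s+EQU\s+\*", line):
            in_params = True              # parameters start after this EQU
            continue
        if not in_params:
            continue
        if line.split()[0] == "END":
            break
        if terminated:                    # nothing may follow the X'0' delimiter
            errors.append(f"line {lineno}: statement after the X'0' terminator")
            continue
        m = DC_RE.match(line)
        if not m:
            errors.append(f"line {lineno}: not a C'...' or X'...' DC: {line.strip()}")
            continue
        label, kind, text = m.groups()
        if label:
            errors.append(f"line {lineno}: unexpected label {label} on a parameter DC")
        if kind == "C":
            pieces.append(text)           # parameter text, including separator blanks
        elif text and text.strip("0") == "":
            terminated = True             # X'0' (or X'00') ends the list
        else:
            errors.append(f"line {lineno}: X'{text}' is not the X'0' terminator")
    if not terminated:
        errors.append("missing X'0' end-of-parameters terminator")
    params = "".join(pieces)
    # Parameters must be blank-separated: ')' directly followed by a letter means two were joined.
    if re.search(r"\)[A-Z]", params):
        errors.append(f"parameters not separated by a blank: {params}")
    return params, errors
```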

Assembling, binding, and testing IND$CONF

After editing IND$CONF, run the following job, found in amihlq.CZAGENT.CNTL as member IND$CONF. 

Warning

Do not alter the LKED PARM= options.


// appropriate JOB statement
//*
//* Re-configure IND$Detect
//*
//* Assemble the config module
//ASM EXEC PGM=ASMA90,COND=(12,LE),REGION=2M,
// PARM=''
//SYSLIB DD DISP=SHR,DSN=hlq.CZAGENT.ASM
//SYSPUNCH DD DUMMY
//SYSIN DD DISP=SHR,DSN=hlq.CZAGENT.ASM(IND$CONF)
//SYSLIN DD DISP=(NEW,PASS)
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(2,2))
//*
//* Re-bind IND$Detect
//REBIND EXEC PGM=IEWBLINK,REGION=2M,COND=(4,LE,ASM),
// PARM='AMODE=31,MAP,NORENT,NOREUS'
//OLDMOD DD DISP=SHR,DSN=hlq.CZAGENT.LOAD
//SYSLIN DD DSN=*.ASM.SYSLIN,DISP=(OLD,DELETE)
// DD *
INCLUDE OLDMOD(CZAIND$D)
REPLACE IND$CONF,IND$CONF
ALIAS IND$FILE(CEESTART)
ALIAS APVUFILE(CEESTART)
ENTRY CEESTART
NAME CZAIND$D(R)
/*
//SYSLMOD DD DSN=hlq.CZAGENT.LOAD,DISP=(OLD,KEEP)
//SYSUT1 DD UNIT=SYSALLDA,SPACE=(32000,(30,30))
//SYSPRINT DD SYSOUT=*

Configuring with BMC AMI Datastream

See also Customizing-for-IND-Detect.

You will need the following statements:

  • For IND$FILE events written to SMF, SELECT SMF(CORRELOG) and SMF CORRELOG …
  • For IND$FILE events sent to API1, SELECT EVENT(IND$FILE) and EVENT IND$FILE …
