Customizing for IND$Detect

This topic describes how to customize BMC AMI Datastream for z/OS for IND$Detect (formerly IND$defender).

SYS1.PARMLIB member IKJTSOxx

You must add CZAWSMFT as an AUTHTSF program to the relevant IKJTSOxx member in your SYS1.PARMLIB concatenation. AUTHTSF is discussed in the IBM documentation. You (or an authorized system programmer) must then issue the TSO command.

PARMLIB UPDATE(xx)

where xx is your IKJTSOxx suffix.

Replacing IND$FILE for TSO users with IND$Detect

You must configure your system such that TSO file transfer users invoke IND$Detect (module CZAIND$D, aliases IND$FILE and APVUFILE) rather than invoking IBM IND$FILE. You might do this in one of the three ways. The choice depends on your system configuration and your preferences. Also, see Important security note.

BMC AMI Datastream load library as TSO session STEPLIB

This method is recommended only if all of your existing TSO session STEPLIB data sets are APF-authorized. It does not work if any data sets in the TSO session STEPLIB concatenation are not APF-authorized.

You can add the BMC AMI Datastream load library, or another APF-authorized load library where CZAIND$D and CZAWSMFT is moved or copied, to the TSO startup procedure STEPLIB concatenation. The BMC AMI Datastream load library must precede any library containing IBM IND$FILE (normally SYS1.CMDLIB). We recommend that you place the BMC AMI Datastream load library first in the concatenation, such as:

Adding BMC AMI Datastream load Library to the LINKLIST

This method is recommended only if some of the data sets in your TSO session startup procedure are not APF-authorized.

Add the BMC AMI Datastream load library, amihlq.CZAGENT.LOAD to your installation linklist by placing a statement, similar to the following example, in the PROGxx member of your SYS1.PARMLIB concatenation:

Specify a VOLUME parameter if the BMC AMI Datastream load library is not cataloged in the master catalog.

Specify the BMC AMI Datastream load library ahead of any data set containing IBM IND$FILE, normally SYS1.CMDLIB.

Refresh the link-list with one of the following commands:

• SET PROG=xx
• SETPROG LNKLST,…

Copying

This method is recommended only if some of the data sets in your TSO session startup procedure are not APF-authorized and for some reason do not add the BMC AMI Datastream load library to your link-list. Use IEBCOPY or ISPF function 3.3 to copy CZAWSMFT, and CZAIND$D and its aliases IND$FILE and APVUFILE to a link-listed load library. You should copy them to a library that is ahead of any library containing IBM IND$FILE, generally SYS1.CMDLIB.

Important security note

A sophisticated user can bypass IND$Detect by loading IBM IND$FILE or APVUFILE from a TSOLIB data set. For complete protection, move IBM IND$FILE to a load library other than SYS1.CMDLIB where there is no direct user access permitted. You should provide Program Access to Data sets (PADS) access to that load library for CZAIND$D. The appropriate RACF, ACF2 or TSS configuration is beyond the scope of this.

SMF configuration

If you configure IND$Detect or allow the configuration to default to logging IND$FILE events using SMF, you must also configure the relevant SMF record type, by default type 202. In the SYS1.PARMLIB concatenation member SMFPRMxx, specify SYS(TYPE(… 202 …)).

If you do not enable type 202, BMC AMI Datastream displays message CZA0278W:

No specified subsystem configured to write SMF Type nn records in SYSx.PARMLIB(SMFPRMxx). Events will be missing from Syslog.

For more information about configuring the SMF record type, see the section TYPE parameters in Configuring-SMF-and-other-IBM-z-OS-subsystems.