IND$Detect


You can use IND$Detect to define your own fields or modify existing fields for BMC AMI Datastream for z/OS.

IND$Detect is an optional component of the BMC AMI Datastream product. IND$Detect is installed as part of the product installation. It consists of two modules in the BMC AMI Datastream load library:

  • CZAIND$D (alias IND$FILE)
  • CZAWSMFT

CZAWSMFT must reside in an APF-authorized library and be link-edited with AC=1. CZAWSMFT has been specifically designed to not enable a security exposure; contact BMC Support if you need more information.

For more information about APF authorization, see the section Authorizing the BMC AMI Datastream load library in Configuring-exits-for-SMF-and-system-monitoring.

Important

IND$Detect does not apply to the BMC AMI Datastream for Db2 product.

You can set up IND$Detect to audit the use of the IBM PC 3270 File Transfer Program, commonly known as IND$FILE.

IND$Detect is a wrapper for IBM IND$FILE that transparently audits the usage of IND$FILE. IND$Detect writes an SMF record, calls the BMC AMI Datastream API (see BMC AMI Datastream API), or does both, with the following information for every IND$FILE transfer:

  • Invoking user ID, name, and group
  • Terminal name and IP address
  • Mainframe data set name
  • Upload or download
  • Time of day and duration of transfer
  • Other IND$FILE and APVUFILE parameters

You can configure BMC AMI Datastream to send the SMF and/or API1 events to the syslog console (SIEM) of your choice, or you can use an SMF reporting program of your choice (see Customizing-IND-Detect-to-report-IND-FILE-activity).

IND$FILE

IND$FILE is IBM 3270-PC File Transfer Program Release 1, IBM program number 5665-311. It is a file transfer program (not to be confused with the File Transfer Program or FTP) that runs as a TSO command and lets a mainframe terminal (3270) session user download or upload a z/OS data set (file) between the PC and the mainframe. The program is commonly referred to by its executable name, IND$FILE, universally pronounced I-N-D-dollar-file (except in the United Kingdom, where it is known as IND£FILE).

IND$FILE programs for VM/CMS and VSE CICS also exist, but the information in this document refers only to IND$FILE for TSO.

APVUFILE

APVUFILE is MVS/TSO File Transfer Program, 5799-xxx, where xxx is BWJ or BWL for Japan and PGY or PGZ for Korea, China, and Taiwan.

APVUFILE is similar to IND$FILE; the primary difference is that it supports DBCS (double-byte, wide or Asian) character translation. It accepts five additional parameters in support of DBCS translation.

For IND$Detect, the term IND$FILE is used to mean IND$FILE or APVUFILE, except where the context clearly demands otherwise.

The problem

IND$FILE is subject to your security authorizations and restrictions. Therefore, you cannot use IND$FILE to upload or download a file where RACF (or CA ACF2 or CA Top Secret, as appropriate) does not give you access. But IND$FILE incorporates absolutely no auditing (unlike, for example, FTP). IND$FILE itself provides no information that allows you to audit any details of its usage.

Example

Alice has legitimate access to the customer master file for her work. If she downloads the complete file to her PC every evening with IND$FILE, there is no convenient way for her company to track that.

SMF or API1 record that reports IND$FILE activity

IND$Detect is designed for use with the real-time messaging capabilities of BMC AMI Datastream. By default, IND$Detect outputs a user SMF type 202 record in a documented format. You can report on IND$FILE activity using any tool capable of processing SMF records, including SAS from the SAS Institute or MXG from Merrill Consultants.

The IND$Detect SMF or API1 record

**  Layout of the BMC AMI "user" SMF Record, by default type 202
*  Copyright 2015-2018,2019 BMC Software
*  For more information www.BMC.com or support@BMC.com
*
*  The record is "triplet" based, similar to many IBM SMF records such
*  as Type 30, 42, 90, 92, 119 and DB2 SMF records. A triplet consists
*  of a 32-bit offset relative to the start of the record header, a
*  16-bit length, and a 16-bit count. If you are writing a program to
*  process this record you should use the triplets rather than absolute
*  offsets.
*
* The fixed header portion
SMF202Header   DSECT ,          SMF Record Header
SMF202HDLength  DS  HL2         Record length
SMF202HDSegDesc DS  HL2         Segment descriptor
SMF202HDFlags   DS  BL1         Header flags - all of these will be set
SMF202HDSUB     EQU X'40'       Subtypes are valid
SMF202HDSP4     EQU X'10'       MVS/SP Version 4 and above
SMF202HDSP3     EQU X'08'       MVS/SP Version 3 and above
SMF202HDSP2     EQU X'04'       MVS/SP Version 2 and above
SMF202HDVS2     EQU X'02'       MVS/VS2
SMF202HDType    DS  XL1         Record type (by default 202, X'CA')
SMF202HDTime    DS  XL4         Time record was moved to SMF buffer
SMF202HDDate    DS  PL4         Date record was moved to SMF buffer
SMF202HDSID     DS  CL4         System ID
                DS  CL4         Reserved, recorded as zeros
SMF202HDSubType DS  HL2         Record subtype
SMF202HDST_IND$FILE    EQU X'0001'      IND$FILE audit
*  This is the only subtype defined at this time
SMF202HD_TRN    DS  HL2         Number of triplets - 3 at this time
                DS  XL2         Reserved, recorded as zero
*
*  Triplets
SMF202IDOff     DS  FL4         Offset to Identification section
SMF202IDLen     DS  HL2         Length of Identification section
SMF202IDNum     DS  HL2         Number of Ident sections - always one
*
SMF202PROff     DS  FL4         Offset to Product section
SMF202PRLen     DS  HL2         Length of Product section
SMF202PRNum     DS  HL2         Number of Prod sects - 1 at this time
*
SMF202FNOff     DS  FL4         Offset to Filename section
SMF202FNLen     DS  HL2         Length of Filename section
SMF202FNNum     DS  HL2         Number of File sects - 0 or 1
*
*  End of header portion
SMF202HD_Length EQU *-SMF202Header
*
*  Identification section -- common to all SMF 202 records
SMF202Ident     DSECT ,
SMF202ID_Comp   DS  CL8         Component that wrote this SMF record
*  At this time this field will always be recorded as C'CZAWSMFT'
SMF202ID_Build  DS  CL4         Build number of above in numeric EBCDIC
SMF202ID_Env    DS  C           Environment
SMF202ID_TSO    EQU  C'T'       TSO is only environment at present
                DS  X           Filler
SMF202ID_UserID DS  CL8         User ID
SMF202ID_Group  DS  CL8         Group name
SMF202ID_JobNm  DS  CL8         Job, STC or TSO session name
SMF202ID_ProcSt DS  CL8         Cataloged procedure step name
SMF202ID_StepNm DS  CL8         Jobstep name
SMF202ID_JobID  DS  CL8         JES "job number"
*  The first character of SMF202ID_JobID may be used to determine the
*  type of work: J=JOB, S=STC, T=TSO, etc.
SMF202ID_ExecSt DS  CL8         Job or session start in TOD format
*  The following six fields are binary zeros if not TSO
SMF202ID_Term   DS  CL8         Terminal name
SMF202ID_NetID  DS  CL8         Network ID
SMF202ID_IPv6   DS  XL16        IPv6 or IPv6-formatted IPv4 Address
SMF202ID_Port   DS  H           Port number
SMF202ID_CharS  DS  CL2         Character Set
SMF202ID_CodePg DS  CL2         Code Page
SMF202ID_UsrNm  DS  CL20        User name from ACEEUNAM
SMF202ID_RUTKN  DS  CL80        RACF User Token (RUTKN) from ACEETOKP
SMF202ID_CVTTZ  DS  F           Local time offset from CVTTZ
*  CVTTZ is the difference between local time and UTC (Coordinated
*  Universal Time) in binary units of 1.048576 seconds.
*
*  End of Identification section
                DS   0F         Assure alignment
SMF202ID_Length EQU  *-SMF202Ident
*
*  Product Section
SMF202Product     DSECT ,
SMF202PR_Prod     DS    CL8       Product to which this section applies
*  For subtype 1 this field will be recorded as C'CZAIND$D'
SMF202PR_Build    DS  CL4         Build number of above in numeric EBCDIC
*
*  The following fields are for a CZAIND$D product section
SMF202PI_Cmd      DS    CL8       Actual command used by TSO users
SMF202PI_RetCd    DS    F         Return code from IND$FILE
SMF202PI_Dur      DS    F         Duration in hundredths of a second
SMF202PI_Dir      DS    X         Direction of file transfer
SMF202PI_Unknown  EQU   0         Unknown or invalid
SMF202PI_Get      EQU   1         User specified GET = Download
SMF202PI_Put      EQU   2         User specified PUT = Upload
SMF202PI_RECFM    DS    C         RECFM specified by user
SMF202PI_RECFM_No EQU   0          RECFM not specified
SMF202PI_RECFM_F  EQU   C'F'       RECFM(F) specified
SMF202PI_RECFM_V  EQU   C'V'       RECFM(V) specified
SMF202PI_RECFM_U  EQU   C'U'       RECFM(U) specified
*  Above are valid RECFM values but whatever user coded is recorded
SMF202PI_Opt      DS    B         Various bit-mapped options
SMF202PI_Append   EQU  X'80'     APPEND specified
SMF202PI_ASCII    EQU  X'40'     ASCII specified
SMF202PI_CRLF     EQU  X'20'     CRLF specified
SMF202PI_New      EQU  X'10'     NEW specified
SMF202PI_NoTrunc  EQU  X'08'     NOTRUNC specified
SMF202PI_Unrec    EQU  X'01'     One or more unrecognized options
SMF202PI_Space    DS    B         SPACE specification
SMF202PI_AvBlock  EQU  1          AVBLOCK specified
SMF202PI_Cyls     EQU  2          CYLINDERS specified
SMF202PI_Tracks   EQU  3          TRACKS specified
SMF202PI_AvBlk    DS    F         AVBLOCK(value) as specified, else zero
SMF202PI_Prim     DS    F         SPACE Primary as specified, else zero
SMF202PI_Sec      DS    F         SPACE Secondary as specified, else zero
SMF202PI_BlkSi    DS    F         BLKSIZE as specified, else zero
SMF202PI_LRECL    DS    F         LRECL as specified, else zero
SMF202PI_OptAPVU  DS    B        Various bit-mapped APVUFILE options
SMF202PI_BLANK    EQU  X'80'     BLANK  specified
SMF202PI_JISCII   EQU  X'40'     JISCII specified
SMF202PI_NOSO     EQU  X'20'     NOSO specified
SMF202PI_SO       EQU  X'10'     SO specified
SMF202PI_USER     EQU  X'08'     USER specified
                  DS    XL3       Filler for alignment
*
*  End of Product Section
SMF202PI_Align    DS   0F         Assure alignment
SMF202PI_Length   EQU  *-SMF202Product
*
*  Filename Section
SMF202Filename    DSECT ,
SMF202FN_Type     DS    X         Type of filename
SMF202FN_SAM      EQU   1          Sequential legacy dataset
SMF202FN_PDS      EQU   2          PDS - Member name present
SMF202FN_USS      EQU   3          HFS or zFS (not used at present)
                  DS    X         Filler
SMF202FN_Member   DS    CL8       Member name, else zeros
SMF202FN_FNlen    DS    H         Length of filename
SMF202FN_Name     DS    CL44      Actual length 1 to 44
*  Note that if we were to support HFS files Name could be > 44
*
*  End of Filename Section
                  DS   0F         Assure alignment
SMF202FN_Length   EQU  *-SMF202Filename
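
The layout comment recommends using the triplets rather than absolute offsets. The following Python parser is an added example (not BMC code) that does so: it locates the three sections through their triplets and decodes the main audit fields. Assumptions: the input bytes include the 4-byte length and segment descriptor, character fields are EBCDIC code page 037, the field offsets inside each section are summed from the DSECT above, and `sample_record` builds a constructed record with padding between the header and the sections.

```python
import struct

EBCDIC = "cp037"  # assumption: character fields use US EBCDIC
DIRECTION = {1: "GET (download)", 2: "PUT (upload)"}  # SMF202PI_Get / SMF202PI_Put

def section(rec, trip_off):
    """Follow one triplet (offset FL4, length HL2, count HL2) to its section."""
    off, length, count = struct.unpack_from(">IHH", rec, trip_off)
    if count == 0:
        return None                       # e.g. no Filename section present
    if off + length > len(rec):
        raise ValueError("triplet points outside the record")
    return rec[off:off + length]

def text(buf, start, size):
    return buf[start:start + size].decode(EBCDIC).rstrip(" \x00")

def parse_smf202(rec):
    """Decode the audit fields of a subtype 1 (IND$FILE) record, RDW included."""
    subtype, ntrip = struct.unpack_from(">HH", rec, 22)
    if subtype != 1 or ntrip < 3:
        raise ValueError("not an IND$FILE audit record")
    ident, prod, fname = (section(rec, 28 + 8 * i) for i in range(3))
    if ident is None or prod is None:
        raise ValueError("missing Identification or Product section")
    out = {"type": rec[5], "user": text(ident, 14, 8), "terminal": text(ident, 70, 8),
           "command": text(prod, 12, 8), "direction": DIRECTION.get(prod[28], "unknown")}
    if fname is not None:
        name_len, = struct.unpack_from(">H", fname, 10)
        out["dataset"] = text(fname, 12, min(name_len, 44))
        out["member"] = text(fname, 2, 8) if fname[0] == 2 else None
    return out

def sample_record():
    """Constructed sample, not real SMF data: ALICE downloads a PDS member."""
    e = lambda s, n: s.ljust(n).encode(EBCDIC)
    ident, prod = bytearray(212), bytearray(56)
    ident[14:22], ident[70:78] = e("ALICE", 8), e("TCP00042", 8)
    prod[12:20], prod[28] = e("IND$FILE", 8), 1
    name = "PROD.CUSTOMER.MASTER"
    fname = bytes([2, 0]) + e("BACKUP", 8) + struct.pack(">H", len(name)) + e(name, 44)
    body, trips, off = b"", b"", 56       # 52-byte header + 4 pad bytes before sections
    for sec in (ident, prod, fname):
        trips += struct.pack(">IHH", off, len(sec), 1)
        body += bytes(sec)
        off += len(sec)
    hdr = struct.pack(">HHBB", off, 0, 0x5E, 202) + bytes(16) + struct.pack(">HHH", 1, 3, 0)
    return hdr + trips + bytes(4) + body
```

Because the sample places four pad bytes after the header, a parser that assumed the Identification section starts at offset 52 would misread every field; resolving the triplets avoids that.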

 
