System PROCLIB, PARMLIB, and user-defined PDS monitoring support


(SPE2404)

You can use BMC AMI Datastream for z/OS to track system PROCLIB, PARMLIB, and user-defined PDS and PDSE changes in real time.

  • PROCLIBs contain important procedures used by subsystems, servers, and started tasks.
  • PARMLIBs contain your system configuration information.
  • (SPE2410) User-defined non-system PDSs and PDSEs can contain sensitive data or be crucial for maintaining system integrity.

PROCLIBs, PARMLIBs, and user-defined non-system PDSs and PDSEs are sensitive data sets. Unintended or unauthorized changes to these critical system libraries can have devastating consequences for the stability or integrity of your system. Getting real-time alerts about changes to these members helps to ensure the security of your system. The alerts tell you not only the TSO user, job step, and program that made the change, but also the exact line-level changes that were made.

BMC AMI Datastream can perform a source comparison to check for differences in your system PROCLIB, PARMLIB, and user-defined non-system PDS and PDSE members. The comparison shows:

  • Which data set and member were changed
  • Percentage of the member that was changed
  • Job name, step name, and program that changed the member
  • User ID and name of the user that changed the member
  • The actual changes, including the lines that were deleted, inserted, and reformatted

You can print a report of the findings and pass the records on to the SIEM.

Source compare is available only on z/OS 2.5 and later.

To use this feature, you must perform the following steps:

  1. Switch on the SIV and SRCC options in the $$$CONFG member. For more information, see Customizing-for-a-proprietary-syslog-extension.
  2. (SPE2410) (Optional) Switch on the USRSRCC option in the $$$CONFG member to monitor user-defined non-system PDS and PDSE members. Use the SIVDSN statement to provide a list of PDS and PDSE libraries to monitor. For more information, see SIVDSN-statement.
  3. Add the ASMFSUPC LOAD library (SASMMOD2) to the STEPLIB concatenation.

    //STEPLIB  DD  DSN=amihlq.LOAD,DISP=SHR
    //        DD  DISP=SHR,DSN=ASM.SASMMOD2

     For more information, see Sample-CZAGENT-JCL-for-running-BMC-AMI-Datastream-as-a-started-task.

  4. Choose the API event types to receive, including the SRCCOMP_PERCENT field to see the percentage that was changed. For more information, see EVENT-SIVSRC-fields and EVENT-SRCCOMP-fields.
  5. Configure the EVENT statement to include the event types. For more information, see EVENT-statement.
  6. Configure the OPTIONS statement parameters NOSIVSRC, NOSRCCMPOutput, and NOSRCCMPSend. For more information, see OPTIONS-statement.

For examples of the various records, see Sample CZASCMP DD, SIVSRC, and SRCCMP.

 
