Customizing BMC AMI IND$defender to report IND$FILE activity
The IND$defender program is shipped properly configured for most installations. The default IND$defender configuration options are described in IND-defender-configuration-parameters. If these defaults are correct for your installation, you can skip this topic. The shipped defaults are appropriate when all of the following apply:
- You do not rename IBM IND$FILE or APVUFILE.
- IBM IND$FILE, APVUFILE, or both are installed in a cataloged data set named SYS1.CMDLIB.
- You want IND$defender to log IND$FILE usage with SMF record type 202 (and not send it to the BMC AMI Defender API).
You can configure IND$defender by adding IND$defender configuration parameters to a small assembler module found in amihlq.CZAGENT.ASM, assembling it, and binding it with the distributed IND$defender. You must be comfortable with very simple assembly language programming and the basic usage of the z/OS Binder to complete this task.
Editing the IND$CONF module
The following is the IND$CONF module that is found in amihlq.CZAGENT.ASM.
* See manual "BMC AMI Defender for z/OS SIEM Agent for IND$defender"
IND$CONF AMODE ANY31
IND$CONF RMODE ANY
IND$CONF CSECT
         DC    C'IND$CONF: Config for BMC AMI IND$defender' Eyecatcher
*
* *** Do not alter the next four statements ***
         ENTRY IND$DOPT
IND$DOPT DC    A(IND$PARM)
         DC    A(0)                 Required end-of-list delimiter
IND$PARM EQU   *
* Place any configuration parameters here
         DC    X'0'                 End of parameters - Required
*
         END
To add parameters to the module, open it in an editor and insert one or more parameters where indicated, coded as character constants, as in the following example:
* Place any configuration parameters here
         DC    C'LIBRARY(SYS2.PROD.CMDLIB)'
         DC    X'0'                 End of parameters - Required
Separate multiple parameters with one or more blanks, as in the following example:
* Place any configuration parameters here
         DC    C'INSTANCE(1)'
         DC    C' '                 Separator blank
         DC    C'SEND(API SMF)'
         DC    X'0'                 End of parameters - Required
Do not delete or change the position of the X'0' that terminates the parameters.
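The following is an added example, not part of the BMC documentation or the product: a small Python check, constructed here, that parses an edited IND$CONF source member, verifies that the four protected statements and the terminating DC X'0' are intact, and returns the parameter list IND$defender will see at IND$PARM, splitting on blanks only outside parentheses so that SEND(API SMF) stays one parameter. The SAMPLE module text is constructed from the listing above; the checker, its names and its error messages are assumptions, not a tool BMC ships.

```python
import re

# Label, opcode and operand of the four "do not alter" statements in IND$CONF.
PROTECTED = [("", "ENTRY", "IND$DOPT"), ("IND$DOPT", "DC", "A(IND$PARM)"),
             ("", "DC", "A(0)"), ("IND$PARM", "EQU", "*")]
# label, opcode, operand: the operand ends at the first blank outside quotes,
# so C' ' and the eyecatcher text stay whole and the comment field is dropped.
STMT = re.compile(r"^(\S*)\s+(\S+)(?:\s+((?:'(?:[^']|'')*'|[^\s'])*))?")

def parse_statements(source):
    lines = (l for l in source.splitlines() if l.strip() and l[0] != "*")
    return [(m[1], m[2].upper(), m[3] or "") for m in map(STMT.match, lines) if m]

def split_parameters(text):
    params, cur, depth = [], "", 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == " " and depth == 0:            # blank outside parentheses separates
            params, cur = params + ([cur] if cur else []), ""
        else:
            cur += ch
    return params + ([cur] if cur else [])

def effective_parameters(source):   # validate an edited IND$CONF, return its parameters
    stmts = parse_statements(source)
    start = next((i for i, s in enumerate(stmts) if s == PROTECTED[0]), len(stmts))
    if stmts[start:start + 4] != PROTECTED:
        raise ValueError("ENTRY IND$DOPT missing or a protected statement was altered")
    body = stmts[start + 4:]                    # parameter area up to END
    if len(body) < 2 or body[-1][1] != "END" or body[-2][1:] != ("DC", "X'0'"):
        raise ValueError("DC X'0' terminator must be the last constant before END")
    text = ""
    for _, opcode, operand in body[:-2]:
        if opcode != "DC" or not re.fullmatch(r"C'(?:[^']|'')*'", operand):
            raise ValueError(f"only DC C'...' constants allowed here: {opcode} {operand}")
        text += operand[2:-1].replace("''", "'")    # HLASM doubles an apostrophe in C''
    return split_parameters(text)

# Constructed sample: the shipped module with the two-parameter edit shown above.
SAMPLE = """\
IND$CONF CSECT
         DC    C'IND$CONF: Config for BMC AMI IND$defender' Eyecatcher
         ENTRY IND$DOPT
IND$DOPT DC    A(IND$PARM)
         DC    A(0)                 Required end-of-list delimiter
IND$PARM EQU   *
         DC    C'INSTANCE(1)'
         DC    C' '                 Separator blank
         DC    C'SEND(API SMF)'
         DC    X'0'                 End of parameters - Required
         END
"""
```

Running effective_parameters(SAMPLE) returns ['INSTANCE(1)', 'SEND(API SMF)']; commenting out the X'0' line or changing A(0) raises ValueError before any assemble job is submitted.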
Assembling, binding, and testing IND$CONF
After editing IND$CONF, run the following job, found in amihlq.CZAGENT.CNTL as member IND$CONF.
//*
//* Re-configure IND$defender
//*
//* Assemble the config module
//ASM EXEC PGM=ASMA90,COND=(12,LE),REGION=2M,
// PARM=''
//SYSLIB DD DISP=SHR,DSN=<amihlq>.CZAGENT.ASM
//SYSPUNCH DD DUMMY
//SYSIN DD DISP=SHR,DSN=<amihlq>.CZAGENT.ASM(IND$CONF)
//SYSLIN DD DISP=(NEW,PASS)
//SYSPRINT DD SYSOUT=*
//SYSUT1 DD UNIT=SYSDA,SPACE=(CYL,(2,2))
//*
//* Re-bind IND$defender
//REBIND EXEC PGM=IEWBLINK,REGION=2M,COND=(4,LE,ASM),
// PARM='AMODE=31,MAP,NORENT,NOREUS'
//OLDMOD DD DISP=SHR,DSN=<amihlq>.CZAGENT.LOAD
//SYSLIN DD DSN=*.ASM.SYSLIN,DISP=(OLD,DELETE)
// DD *
INCLUDE OLDMOD(CZAIND$D)
REPLACE IND$CONF,IND$CONF
ALIAS IND$FILE(CEESTART)
ALIAS APVUFILE(CEESTART)
ENTRY CEESTART
NAME CZAIND$D(R)
/*
//SYSLMOD DD DSN=<amihlq>.CZAGENT.LOAD,DISP=(OLD,KEEP)
//SYSUT1 DD UNIT=SYSALLDA,SPACE=(32000,(30,30))
//SYSPRINT DD SYSOUT=*
Configuring with BMC AMI Defender
See also Customizing-for-BMC-AMI-IND-defender.
You will need the following statements:
- For IND$FILE events written to SMF, SELECT SMF(CORRELOG) and SMF CORRELOG …
- For IND$FILE events sent to API1, SELECT EVENT(IND$FILE) and EVENT IND$FILE …