Reports for ACF2


(SPE2107)

From the navigation bar at the top of the window, you can select and display different types of information in BMC AMI Security Policy Manager:

Related topic

For details about the Tools menu, see Administering.

Tip

If your browser window is too narrow to show all the values in a report, click the + icon at the beginning of the row. The column headings and values are then displayed below the row.

Click the - icon to collapse the row.

Data sets

Click Data sets and select one of the following reports to display information about sensitive data sets:

Non-Fully Qualified Generic: APF

This report lists all APF data sets that do not have a Fully Qualified Generic data set profile defined in ACF2:

System | Dataset Name | Volser | Create Date | Refer Date
RSM4 | TCPIP.SEZALOAD | RSM44A | 2019-07-08 | 2021-06-30

Column | Description
SYSTEM | System ID from which the record was written
DATASET NAME | Name of the data set
VOLSER | Volume serial number
CREATE DATE | Date of data set creation
REFER DATE | Date last referenced

Non-Fully Qualified Generic: Other

This report lists all other data sets that do not have a Fully Qualified Generic data set profile defined in ACF2:

System | Dataset Name | Volser | Create Date | Refer Date | Type
RSM4 | SYS1.RSM4.PPLIB | RSM4W1 | 2020-09-10 | 2021-06-30 | LINK

Column | Description
SYSTEM | System ID from which the record was written
DATASET NAME | Name of the data set
VOLSER | Volume serial number
CREATE DATE | Date of data set creation
REFER DATE | Date last referenced
TYPE | Type of data set being reported on, such as APF, IPL, or Link

Sensitive Data Sets: Other datasets with ID(*) Access > None

This report lists all sensitive data sets with default user ID access—that is, ID(*) access—greater than none:

System | Dataset Name | Volser | Create Date | Refer Date | read | write | alloc | exec
RSM4 | CBC.SCLBDLL | RSM44A | 2019-07-08 | 2021-06-30 | A | | | A

Column | Description
SYSTEM | System ID from which the record was written
DATASET NAME | Name of the data set
VOLSER | Volume serial number
CREATE DATE | Date of data set creation
REFER DATE | Date last referenced
READ | Whether the user has read access, A(llow) or L(og)
WRITE | Whether the user has write access, A(llow) or L(og)
ALLOC | Whether the user has allocation access, A(llow) or L(og)
EXEC | Whether the user has execute access, A(llow) or L(og)

Sensitive Data Sets: Uncatalogued

This report lists all sensitive data sets that are uncataloged:

System | Dataset Name | Volume | Dataset Type | Create Date | Refer Date | Type | cat
RSM4 | SYS1.IPLPARM | | IPL | | | IPL | N
RSM4 | SYS1.CLOCK.PARMLIB | HCD002 | PARM | 2014-10-29 | 2021-06-30 | PARM | N

Column | Description
SYSTEM | System ID from which the record was written
DATASET NAME | Name of the data set
VOLUME | Volume serial number
DATASET TYPE | Type of sensitive data set being reported on, such as APF, IPL, or User
CREATE DATE | Date of data set creation
REFER DATE | Date last referenced
TYPE | Type of sensitive data set being reported on, such as APF, IPL, or User
CAT | Confirmation that the data set is not cataloged

APF Data Sets: APF datasets with ID(*) Access > None

This report lists all APF data sets with default user ID access—that is, ID(*) access—greater than none:

Dataset | UID | read | write | alloc | exec
TCPIP.SEZALOAD | * | A | | | A

Column | Description
DATASET NAME | Name of the data set
UID | User ID
READ | Whether the user has read access, A(llow) or L(og)
WRITE | Whether the user has write access, A(llow) or L(og)
ALLOC | Whether the user has allocation access, A(llow) or L(og)
EXEC | Whether the user has execute access, A(llow) or L(og)

APF Data Sets: APF libraries with inappropriate logging

This report lists all APF libraries whose logging settings do not comply with the recommended best practice, that is, APF data sets that should be WRITE(L) and ALLOC(L):

Dataset | UID | read | write | alloc | exec
TSGDM.RSSV21.LOADLIB | STC | A | A | A | A

Column | Description
DATASET NAME | Name of the data set
UID | User ID
READ | Whether the user has read access, A(llow) or L(og)
WRITE | Whether the user has write access, A(llow) or L(og)
ALLOC | Whether the user has allocation access, A(llow) or L(og)
EXEC | Whether the user has execute access, A(llow) or L(og)

APF Data Sets: APF libraries with no */NOACCESS entry

This report lists all APF libraries with no * or NOACCESS entry:

Dataset | uid | read | write | alloc | exec
ASM.SASMMOD1 | | A | L | L | A

Column | Description
DATASET NAME | Name of the data set
UID | User ID
READ | Whether the user has read access, A(llow) or L(og)
WRITE | Whether the user has write access, A(llow) or L(og)
ALLOC | Whether the user has allocation access, A(llow) or L(og)
EXEC | Whether the user has execute access, A(llow) or L(og)
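The three APF Data Sets reports above each apply a simple rule to the A(llow)/L(og)/blank access flags. The following Python is an added illustration, not product code: it encodes those three checks over constructed entries shaped like the report rows (data set, UID, read, write, alloc, exec). The UIDs SYSP and STC on the extra entries and the SYS1.LINKLIB rule set are constructed, and treating L(og) as access greater than none is an assumption made here.

```python
# Each entry mirrors one row of the APF Data Sets reports:
# (data set, UID, read, write, alloc, exec), where 'A' = allow,
# 'L' = allow and log, '' = no access (shown blank in the report).
# Constructed sample: the page's three sample rows plus extra entries.
APF_RULE_ENTRIES = [
    ("TCPIP.SEZALOAD",       "*",    "A", "",  "",  "A"),
    ("TCPIP.SEZALOAD",       "STC",  "A", "L", "L", "A"),
    ("TSGDM.RSSV21.LOADLIB", "STC",  "A", "A", "A", "A"),
    ("TSGDM.RSSV21.LOADLIB", "*",    "",  "",  "",  ""),
    ("ASM.SASMMOD1",         "SYSP", "A", "L", "L", "A"),
    ("SYS1.LINKLIB",         "*",    "",  "",  "",  ""),
    ("SYS1.LINKLIB",         "SYSP", "A", "L", "L", "A"),
]


def id_star_access_gt_none(entries):
    """'APF datasets with ID(*) Access > None': a UID(*) entry that grants
    any access type as A(llow) or L(og). Treating L as > none is an assumption."""
    return sorted({ds for ds, uid, *acc in entries
                   if uid == "*" and any(a in ("A", "L") for a in acc)})


def inappropriate_logging(entries):
    """'APF libraries with inappropriate logging': WRITE or ALLOC granted as
    A(llow) where the best practice quoted above expects L(og)."""
    return sorted({(ds, uid) for ds, uid, rd, wr, al, ex in entries
                   if wr == "A" or al == "A"})


def no_star_entry(entries):
    """'APF libraries with no */NOACCESS entry': rule sets that contain no
    UID(*) entry at all, so default access is not explicitly stated."""
    datasets = {ds for ds, *_ in entries}
    with_star = {ds for ds, uid, *_ in entries if uid == "*"}
    return sorted(datasets - with_star)


if __name__ == "__main__":
    print("ID(*) access > none:", id_star_access_gt_none(APF_RULE_ENTRIES))
    print("inappropriate logging:", inappropriate_logging(APF_RULE_ENTRIES))
    print("no */NOACCESS entry:", no_star_entry(APF_RULE_ENTRIES))
```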

Sensitive Commands

Click Sensitive Commands and select one of the following reports to display information about sensitive commands:

MVS.SETPROG

This report lists all MVS SETPROG commands issued in the system and related information:

System | Date | Time | Userid | Name | From | Event | Description | Details
RSMP | 12/02/2019 | 13:37:46 | CPWREXIT | COMPUWARE EXITS | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSMLOAD,VOL=NC3998 | System Command

Column | Description
SYSTEM | System ID from which the record was written
DATE | Date the command was executed
TIME | Time the command was executed
USERID | User ID that issued the command
NAME | Name of the user, if available
FROM | Where the command was entered
EVENT | Internal event type or SMF Event and Event Qualifier. Event refers to the SMF Event/Code Qualifier documented in the IBM SMF manuals, or CONS for a command entered at the system console.
DESCRIPTION | Command that was entered
DETAILS | Internal event type

All MVS Commands

This report lists all MVS commands issued in the system and related information:

System | Date | Time | Userid | User Name | Port Of Entry | Event | Description | Command Image
RSM4 | 2021-06-29 | 11:14:03 | MVSPPS | BERT WILLIAMS | CONSOLE | CONS | System Command | F BASPMSM,LRS

Column | Description
SYSTEM | System ID from which the record was written
DATE | Date the command was executed
TIME | Time the command was executed
USERID | User ID that issued the command
USER NAME | Name of the user, if available
PORT OF ENTRY | Where the command was entered
EVENT | Internal event type or SMF Event and Event Qualifier. Event refers to the SMF Event/Code Qualifier documented in the IBM SMF manuals, or CONS for a command entered at the system console.
DESCRIPTION | Command that was entered
COMMAND IMAGE | Internal event types

Resources

Click Resources and select one of the following reports to display information about ACF2 general resources:

Missing Profiles: OPERCMD

This report lists all recommended OPERCMD profiles that are missing and should be defined to ACF2 by the Mainframe Security team:

Class | Profile | Purpose | Recommended
OPERCMDS | MVS.SET.PROG.** | Modify APF Libraries | Access must be limited to authorized personnel only. Preferably only accessible via Security PAM ids. Should have UACC(NONE) and AUDIT(SUC(READ) FAIL(READ))

Column | Description
CLASS | ACF2 class
PROFILE | OPERCMDS profile
PURPOSE | Purpose of the ACF2 profile
RECOMMENDED | BMC recommendations

Missing Profiles: STGADMIN

This report lists all recommended STGADMIN profiles that are missing and should be defined to ACF2 by the Mainframe Security team:

Class | Profile | Purpose | Recommended
FACILITY | STGADMIN.ADR.CONVERTV | Convert VTOC to SMS | Require READ access to use. Restrict access to this
FACILITY | STGADMIN.ADR.COPY.BYPASSACS | Copy data sets bypassing ACS routines | Require READ access to use. Restrict access to this
FACILITY | STGADMIN.ADR.COPY.INCAT | INCAT processing | Require READ access to use. Restrict access to this
FACILITY | STGADMIN.ADR.COPY.PROCESS.SYS | Copy SYS1 data sets | Require READ access to use. Restrict access to this

Column | Description
CLASS | ACF2 class
PROFILE | STGADMIN profile
PURPOSE | Purpose of the ACF2 profile
RECOMMENDED | BMC recommendations

Missing Profiles: UNIXPRIV

This report lists all recommended UNIXPRIV profiles that are missing and should be defined to ACF2 by the Mainframe Security team:

Class | Profile | Purpose | Recommended
UNIXPRIV | SUPERUSER.IPC.RMID | Release IPC resources (ipcrm) | Require READ access to use. Limit to UNIX processes/debuggers
UNIXPRIV | SUPERUSER.PROCESS.KILL | Issue kill to processes | Require READ access to use. Limit to UNIX processes/debuggers
UNIXPRIV | SUPERUSER.PROCESS.PTRACE | Use ptrace through dbx debugger | Require READ access to use. Limit to UNIX processes/debuggers
UNIXPRIV | SUPERUSER.SETPRIORITY | Increase own priority | Require READ access to use. Limit to Storage Admin Group

Column | Description
CLASS | ACF2 class
PROFILE | UNIXPRIV profile
PURPOSE | Purpose of the ACF2 profile
RECOMMENDED | BMC recommendations

Missing Profiles: FACILITY/STGADMIN due to Catch-All Profile

This report lists all missing ACF2 profiles from the FACILITY and STGADMIN classes that are overlooked because the UACC is greater than NONE, or because ID(*) is defined in the access control list (ACL) with access greater than NONE:

Class | Profile | Purpose | Recommended
FACILITY | STGADMIN.IDC.DIAGNOSE.CATALOG | Run DIAGNOSE command against catalogs | Require READ access to use. Restrict access to this
FACILITY | STGADMIN.IDC.DIAGNOSE.VVDS | DIAGNOSE command against a VVDS | Require READ access to use. Restrict access to this
FACILITY | STGADMIN.IDC.EXAMINE.DATASET | Allows use of the IDCAMS EXAMINE command | Require READ access to use. Restrict access to this
FACILITY | STGADMIN.IGG.ALTER.SMS | Allows Storage Class or Management Class to be altered | Require READ access to use. Restrict access to this

Column | Description
CLASS | ACF2 class name
PROFILE | ACF2 profile
PURPOSE | Profile purpose
RECOMMENDED | BMC recommendations

Missing Profiles: Certificate

This report lists all the recommended general resource profiles related to digital certificates that are not defined to ACF2:

Class | Missing Profile | Recommended Setting
FACILITY | IRR.DIGTCERT.** | Set UACC/ID(*) to NONE. READ allows users to issue the RACDCERT commands for themselves, UPDATE for others and CONTROL for SITE and CERTAUTH certificates
FACILITY | IRR.DIGTCERT.CHECKCERT | Set UACC/ID(*) to NONE. READ allows users to issue the RACDCERT commands for themselves, UPDATE for others and CONTROL for SITE and CERTAUTH certificates

Column | Description
CLASS | ACF2 class
MISSING PROFILE | Missing ACF2 profile
RECOMMENDED SETTING | BMC recommended profile

Misconfigured Settings: CICS SIT

This report lists the security settings defined in the CICS system initialization table (SIT) that conflict with BMC recommendations:

Region | Setting | Current | Recommended | Purpose | Notes
CICSTS55 | CONFDATA | Show | HIDETC | Determines whether user data appears in traces or dumps. This data could be used to penetrate the system. | Default is SHOW. This may have SOX implications.
CICSTS55 | CONFTXT | No | Yes | Determines whether user data appears in traces or dumps. This data could be used to penetrate the system. | Default is NO. VTAM can trace user data.
CICSTS55 | GMTRAN | CESN | CSGM | Specifies the initial transaction that will be executed. | Default is CSGM. Specify an ATI transaction that will be run.
CICSTS55 | SECPRFX | No | Yes | This parameter allows for segregation of access to separate regions. CICS prefixes all resource names with the CICS user ID when talking to the ESM. | YES is generally recommended if multiple CICS systems are running.

Column | Description
Region | CICS region name
Setting | System name
Current | Current value
Recommended | BMC recommended value
Purpose | Description of the purpose of the setting
Notes | Supplementary notes regarding the BMC recommendation

Misconfigured Settings: IMS

This report lists the security settings defined in the IMS system initialization table (SIT) that conflict with BMC recommendations:

Region | Setting | Current | Recommended | Purpose | Notes

Column | Description
Region | IMS region name
Setting | System name
Current | Current value
Recommended | BMC recommended value
Purpose | Description of the purpose of the setting
Notes | Supplementary notes regarding the recommendation

Misconfigured Settings: DB2

This report lists the security settings defined in the DB2 SIT that conflict with BMC recommendations:

System | Region | Setting | Current | Recommended | Purpose | Notes

Column | Description
System | System name where the DB2 region is running
Region | Db2 region name
Setting | System name
Current | Current value
Recommended | BMC recommended value
Purpose | Description of the purpose of the setting
Notes | Supplementary notes regarding the recommendation

Misconfigured Settings: MQ

This report lists the security settings defined in the MQ SIT that conflict with BMC recommendations:

System | Region | Setting | Current | Recommended | Purpose | Notes

Column | Description
System | System name where the MQ region is running
Region | MQ region name
Setting | System name
Current | Current value
Recommended | BMC recommended value
Purpose | Description of the purpose of the setting
Notes | Supplementary notes regarding the recommendation

Software Security Settings: CICS SIT

This report lists the security settings defined in the CICS system initialization table (SIT) of each active CICS region:

System | Region | Parameter | Current setting
RSMP | CICSTS51 | AIEXIT | DFHZATDX
RSMP | CICSTS51 | APPLIDG | A05CICS1
RSMP | CICSTS55 | APPLIDG | A

Column | Description
SYSTEM | System name where the CICS region is running
REGION | CICS region name
PARAMETER | SIT initialization parameter
CURRENT SETTING | Current setting

Software Security Settings: IMS

This report lists the security settings defined in the IMS SIT of each active IMS region:

System | Region | Parameter | Current setting

Column | Description
SYSTEM | System name where the IMS region is running
REGION | IMS region name
PARAMETER | SIT initialization parameter
CURRENT SETTING | Current setting

Software Security Settings: DB2

This report lists the security settings defined in the DB2 SIT of each active DB2 region:

System | Region | Parameter | Current setting

Column | Description
SYSTEM | System name where the DB2 region is running
REGION | DB2 region name
PARAMETER | SIT initialization parameter
CURRENT SETTING | Current setting

Software Security Settings: MQ

This report lists the security settings defined in the MQ SIT of each active MQ region:

System | Region | Parameter | Current setting
RSMN | QCBAMSTR | ACTIVE | Yes
RSMN | QCBAMSTR | ACTIVE | No
RSMN | QCBAMSTR | ACTIVE | No
RSMN | QCBAMSTR | ACTIVE | No

Column | Description
SYSTEM | System name where the MQ region is running
REGION | MQ region name
PARAMETER | Parameter name
CURRENT SETTING | Current setting

System Settings

Click System Settings and select one of the following reports to display information about your ACF2 and z/OS environment:

PPT: Entries Specifying NOPASS

This report lists all Program Properties Table (PPT) entries that have NOPASS specified in z/OS PARMLIB member SCHEDxx:

System | Program
RSMP | EPWINIT

Column | Description
SYSTEM | System name
PROGRAM | Program that has NOPASS in the PPT

PPT: Entries Defined as NOSWAP

This report lists all Program Properties Table (PPT) entries that have NOSWAP defined in z/OS PARMLIB member SCHEDxx:

System | Program | Key
RSMP | AZFSTCMN | 2
RSMP | BNJLINTX | 8
RSMP | BPEINI00 | 7
RSMP | BPXBATA2 | 2

Column | Description
SYSTEM | System name
PROGRAM | Program name in the PPT
KEY | MVS storage protect key that the program runs under and has been defined in the MVS PPT

All Settings

System | Type | Setting | Current Value
RSMN | PASSWORD | HISTORY | 6
RSMN | PASSWORD | INTERVAL | 30
RSMN | PASSWORD | MINCHANGE | 0
RSMN | PASSWORD | MIXEDCASE | MIXEDCASE

Column | Description
SYSTEM | System name
TYPE | Setting type
SETTING | Setting name
CURRENT VALUE | Current value of the setting from storage

Inactive Monitored Jobs

This report lists all jobs marked for monitoring in Security Policy Manager that are not currently running:

System | Job not running
RSMP | RSSTAM
RSMP | CICSTS42

Column | Description
SYSTEM | System name
JOB NOT RUNNING | Name of the monitored job that appears not to be running

Users

Click Users and select one of the following reports to display information about ACF2 users:

Specific User Activity

With the Specific User Activity report, you can fetch information about a specific user. Select the report, enter the user ID you want to query, and click Submit.

The report lists detailed activity for the selected user.

ACF2 Privileges

This report lists ACF2 privileges:

Logonid | Uid | Name | Access Count | Last Access | ACCOUNT | NON-CNCL | SECURITY | LEADER | CONSULT
ACFSTCID | ACFSTCID | ACFSTCID STC | 88 | 05/22/21 04:23 | | NON-CNCL | | |

Column | Description
LOGONID | ACF2 user ID
UID | ACF2 UID string
NAME | User name, if available
ACCESS COUNT | Number of accesses
LAST ACCESS | Last time the privileged user used the system
ACCOUNT | User has the account privilege
NON-CNCL | User has the non-cncl privilege
SECURITY | User has the security privilege
LEADER | User has the leader privilege
CONSULT | User has the consult privilege

UID(0)

This report lists all ACF2 users that have UID(0) defined, that is, the superuser attribute in UNIX System Services (USS):

Userid | Name | Default Group | Special | Operations | Auditor
ADCDMST | ADCD MASTER | SYS1 | | |
BATCH01 | BATCH PROCESSING | SYS1 | | Y |
BPXOINIT | BPXOINIT | SYS1 | | |
AUSER | Brian Small | #RSM | | | Y

Column | Description
USERID | User ID
NAME | Associated name, if available
DEFAULT GROUP | User ID's default group
SPECIAL | Whether the user has the SPECIAL attribute set
OPERATIONS | Whether the user has the OPERATIONS attribute set
AUDITOR | Whether the user has the AUDITOR attribute set

Password interval<30

This report lists all ACF2 users who have a password interval of less than 30 days:

Userid | Name | UID | Maxdays
ACFTCID | ACFTCID STC | ACFTCID | 0

Column | Description
USERID | User ID
NAME | Associated name, if available
UID | ACF2 UID string
MAXDAYS | Number of days of the password interval

Sharing non-zero uid

This report lists all ACF2 users that share a non-zero OMVS user ID:

Userid | Name | UID

Column | Description
USERID | ACF2 log-on ID
NAME | Associated user name, if available
UID | Number of the OMVS UID that is being shared

USER attribute

Lists all ACF2 users that have the USER attribute:

Userid | Name | UID

Column | Description
USERID | ACF2 log-on ID
NAME | Associated user name, if available
UID | Uid string

File Transfers

Date | Time | System | User | Action | Program | Dataset | Jobname

Column | Description
DATE | Date the file transfer was run
TIME | Time the file transfer was run
SYSTEM | System the file transfer was run from
USER | User ID performing the file transfer
ACTION | Send or receive
PROGRAM | Name of the program used to transfer the file
DATASET | Name of the data set that was transferred
JOBNAME | Name of the job that ran the file transfer

Compliance

Click Compliance and select one of the following reports to display information about security violations detected in the z/OS environment:

Access Violations

Lists all security access violations detected in your z/OS environment:

System | Date | Time | Userid | Name | Class | Resource | Volser | Intent | Allowed
RSMP | 19/02/2019 | 14:29:14 | RSS | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.SECURITY | | Read | None
RSMP | 19/02/2019 | 14:29:14 | RSS | RSS STARTED TASK | MQCMDS | QCBB.DISPLAY.SECURITY | | Read | None
RSMP | 19/02/2019 | 14:00:16 | RSSCHIP | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.SECURITY | | Read | None
RSMP | 19/02/2019 | 14:00:16 | RSSCHIP | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.ARCHIVE | | Read | None

Column | Description
SYSTEM | System where the violation was detected
DATE | Event date
TIME | Event time
USERID | User ID who caused the violation
NAME | User ID's name
CLASS | Class of the resource that generated the violation
RESOURCE | Resource that generated the violation
VOLSER | Volume serial number if appropriate
INTENT | Access intent
ALLOWED | Access allowed


Allowlists

Many of the Security Policy Manager queries can exclude results by using allowlists. Allowlists are defined in the index member of the rules data set and consist of exceptions that can be used to prevent specific users or resources from being reported on as non-compliant.

For example, if only one user ID is allowed to update APF libraries, then an allowlist containing that one user ID can be defined, and the compliance query can specify a clause such as:
AND userid NOT IN (SELECT userid FROM allowlist WHERE type='APF')

The allowlist defined would be:

* TSO allowlists
Allowlist APF
TSGAPF     Userid allowed to update APF data sets.

For an example of the allowlist, see Sample-index-member.
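As an added example (not the product's own code), the following Python parses an index-member fragment in the layout shown above into an allowlist table and applies the quoted NOT IN clause to constructed SETPROG events shaped like the MVS.SETPROG report columns. The PPT allowlist block, the SYSPROG1 user ID, the TSGAPF and MVSPPS events and the SYS1.NEW.LINKLIB data set are constructed; the line layout of the index member (comment lines start with *, an Allowlist line opens a block, each following line starts with a user ID) is assumed from the sample above.

```python
import sqlite3

# Constructed index-member fragment in the layout shown on this page:
# '*' starts a comment line, 'Allowlist <TYPE>' opens a block, and each
# following line is a user ID followed by a free-text explanation.
INDEX_MEMBER = """\
* TSO allowlists
Allowlist APF
TSGAPF     Userid allowed to update APF data sets.
Allowlist PPT
SYSPROG1   Userid allowed to change SCHEDxx.
"""

# Constructed SETPROG events: (system, date, time, userid, event, command).
# The first row reuses the MVS.SETPROG sample from this page.
SETPROG_EVENTS = [
    ("RSMP", "2019-12-02", "13:37:46", "CPWREXIT", "CONS",
     "SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSMLOAD,VOL=NC3998"),
    ("RSMP", "2019-12-02", "14:02:11", "TSGAPF", "CONS",
     "SETPROG APF,ADD,DSN=SYS1.NEW.LINKLIB,VOL=RSM44A"),
    ("RSM4", "2021-06-29", "11:14:03", "MVSPPS", "CONS",
     "SETPROG LPA,ADD,MODNAME=IEFBR14,DSNAME=SYS1.LINKLIB"),
]


def parse_allowlists(text):
    """Return (type, userid) pairs from an index-member fragment (assumed layout)."""
    pairs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue                      # blank or comment line
        fields = line.split()
        if fields[0].upper() == "ALLOWLIST" and len(fields) > 1:
            current = fields[1].upper()   # start of a new allowlist block
        elif current is not None:
            pairs.append((current, fields[0].upper()))  # first token is the user ID
    return pairs


def non_compliant_apf_updates(events, index_member):
    """Rows for APF-list changes made by user IDs that are not on the APF allowlist."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE allowlist (type TEXT, userid TEXT)")
    con.execute("CREATE TABLE setprog (system TEXT, date TEXT, time TEXT, "
                "userid TEXT, event TEXT, command TEXT)")
    con.executemany("INSERT INTO allowlist VALUES (?, ?)",
                    parse_allowlists(index_member))
    con.executemany("INSERT INTO setprog VALUES (?, ?, ?, ?, ?, ?)", events)
    # The exclusion clause quoted on this page, applied to APF SETPROG commands only.
    rows = con.execute("""
        SELECT system, date, time, userid, command
          FROM setprog
         WHERE command LIKE 'SETPROG APF,%'
           AND userid NOT IN (SELECT userid FROM allowlist WHERE type = 'APF')
         ORDER BY date, time
    """).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    for row in non_compliant_apf_updates(SETPROG_EVENTS, INDEX_MEMBER):
        print(" | ".join(row))
```

Only the CPWREXIT change is reported: TSGAPF is excluded by the allowlist and the LPA change does not match the APF filter.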

Compliance Reports

Select Overview to see the Compliance Overview dashboard that is described in Logging-on-and-viewing-compliance-summaries.

Select All to see all the compliance reports defined on the system, including all policies contained in the index member, their last run time, next run time, and result of the run. For more information, see "Examining all compliance reports" and "To run individual reports" in Logging-on-and-viewing-compliance-summaries.

Select one of the following report categories:

  • DISA STIG
  • MVS
  • DB2
  • RACF
  • TSS
  • USS
  • TCP/IP
  • CICS
  • REXX

The list of categories might change, depending on your system configuration.

If you add a custom category to the HLQ.RULES(INDEX) member and update the rules with the /f stc, loadrules command (or restart the product), the custom category is displayed in the Compliance menu and in the All Compliance Reports table. For an example of the index member, see Sample-index-member.

ACF2

Click ACF2 and select one of the following reports to display information about issues on your ACF2 environment:

Access Rules

This report lists all ACF2 data set access rules:

Key | Prefix | Mode | User data | Last Update By | Last Update Date | Last Update Time | Roleset | Length | % Used

Column | Description
KEY | ACF2 key
PREFIX | ACF2 prefix
MODE | ACF2 mode for this rule, Abort, Log or blank
USER DATA | ACF2 user data
LAST UPDATE BY | ID of the user who last updated the access rule
LAST UPDATE DATE | Last date that the access rule was updated
LAST UPDATE TIME | Last time that the access rule was updated
ROLESET | ACF2 roleset rule
LENGTH | Rule length
% USED | Percentage of space used in the rule definition

Resource Rules

This report lists all ACF2 data set resource rules:

Key | Prefix | Mode | User data | Last Update By | Last Update Date | Last Update Time | Roleset | Length | % Used

Column | Description
KEY | ACF2 key
PREFIX | ACF2 prefix
MODE | ACF2 mode for this rule, Abort, Log or blank
USER DATA | ACF2 user data
LAST UPDATE BY | ID of the user who last updated the rule
LAST UPDATE DATE | Last date that the rule was updated
LAST UPDATE TIME | Last time that the rule was updated
ROLESET | ACF2 roleset rule
LENGTH | Rule length
% USED | Percentage of space used in the rule definition

GSO/Password/Phrase Settings

This report lists the Global System Options (GSO), password, and passphrase settings:

System | Type | Setting | Current value

Column | Description
SYSTEM | LPAR name
TYPE | GSO
SETTING | Value from the ACF2 configuration
CURRENT VALUE | Current value of the setting

Profiles with: * access > None

This report lists ACF2 profiles in which * access is greater than NONE:

Dataset | UID | read | write | alloc | exec

Column | Description
DATASET | Name of the data set
UID | ACF2 UID string
READ | Whether the user has read access, A(llow) or L(og)
WRITE | Whether the user has write access, A(llow) or L(og)
ALLOC | Whether the user has allocation access, A(llow) or L(og)
EXEC | Whether the user has execute access, A(llow) or L(og)


 
