Reports for TSS


From the navigation bar at the top of the window, you can select and display different types of information in BMC AMI Security Policy Manager:

Related topic

For details about the Tools menu, see Administering.

Tip

If your browser window is too narrow to see all the values in the report, click the + icon at the beginning of the row. The column headings and values are then shown below the row, as in the following example:

[Image: an expanded report row with its column headings and values listed below it]

Click the - icon at the beginning of the row to collapse it.

Data sets

Click Data sets and select one of the following reports to display information about sensitive data sets:

Non-Fully Qualified Generic: APF

This option lists all APF data sets that do not have a Fully Qualified Generic data set profile defined in TSS:

| System | Data set name | Protecting Profile |
|---|---|---|
| RSMP | SYS1.SVCLIB | SYS1.** |
| RSMP | AZF.SAZFLOAD | AZF.** |
| RSMP | CBC.SCLBDLL | CBC.** |
| RSMP | CBC.SCLBDLL2 | CBC.** |


| Column | Description |
|---|---|
| SYSTEM | System ID from which the record was written |
| DATASET NAME | Name of the data set |
| PROTECTING PROFILE | TSS profile that protects the data set |

Non-Fully Qualified Generic: Other

This option lists all other sensitive data sets that do not have a fully qualified generic data set profile defined in TSS:

| System | Data set Name | Protecting Profile | Dataset Type |
|---|---|---|---|
| RSMP | SYS1.LINKLIB.EXITS | SYS1.** | LINK |
| RSMP | USER.LINKLIB | USER.** | LINK |
| RSMP | SYS1.SIEALNKE | SYS1.** | LINK |
| RSMP | SYS1.SIEAMIGE | SYS1.** | LINK |


| Column | Description |
|---|---|
| SYSTEM | System ID from which the record was written |
| DATASET NAME | Name of the data set |
| PROTECTING PROFILE | Non-fully qualified generic TSS profile that is protecting the data set |
| DATASET TYPE | Type of sensitive data set being reported on, such as APF or Link |

Sensitive Data Sets: With *ALL* > None

| DSN | Resource | Owner | Access | Type |
|---|---|---|---|---|
| CATALOG.HOUSEKP.SHARED | CATALOG. | MASTER | READ | UCAT |
| CATALOG.GENERAL.UCAT | CATALOG. | MASTER | READ | UCAT |
| CATALOG.SMF.SHARED | CATALOG. | MASTER | READ | UCAT |
| CATALOG.ISVS.SHARED | CATALOG. | MASTER | READ | UCAT |
| CATALOG.ISVS.UCAT | CATALOG. | MASTER | READ | UCAT |

| Column | Description |
|---|---|
| DSN | Data set name |
| RESOURCE | Name of the physical or virtual component in the system |
| OWNER | Name of the owner of the resource |
| ACCESS | Access level permitted by TSS for accessing the resource |
| TYPE | Name of the type of resource set being reported on |

Sensitive Data Sets: Uncatalogued

This option lists all TSS uncatalogued sensitive data sets:

| System | Dataset Name | Protecting Profile | Cataloged? | Dataset Type |
|---|---|---|---|---|
| RSMP | ISVR.CA.SYSVIEW.V15R00.CNM4BLOD | ISVR.CA.SYSVIEW.** | N | APF |
| RSMP | ISVR.COMPWARE.CPWR.MPAA170.SPAAAUTH | ISVR.COMPWARE.** | N | APF |
| RSMP | ISVR.COMPWARE.CPWR.MKAZ170.SKAZAUTH | ISVR.COMPWARE.** | N | APF |
| RSMP | ISVR.COMPWARE.CPWR.MKFX171.SKFXAUTH | ISVR.COMPWARE.** | N | APF |


| Column | Description |
|---|---|
| SYSTEM | System ID from which the record was written |
| DATASET NAME | Name of the data set |
| PROTECTING PROFILE | TSS profile that is protecting the data set |
| CATALOGED? | Confirmation that the data set is not cataloged |
| DATASET TYPE | Type of sensitive data set being reported on, such as APF or Link |

Sensitive Data Sets: All

This option will display all sensitive data sets including any relevant information:

| System | Dataset Name | Protecting Profile | Volume | Creation Date | Referenced Date | Cataloged? | SMS? | APF? | UACC | ID(*) | Fully Qualified Generic? | Warning? | Level | Audit S/F | Dataset Type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RSMP | CATALOG.CICS.UCAT.Z210 | CATALOG.** | CPWRK3 | 18/12/2014 | 06/02/2019 | Y | | | None | Read | N | N | 0 | -/R | UCAT |
| RSMP | CATALOG.EXPRESS.SMPE.UCAT | CATALOG.** | SYS001 | 11/02/2019 | 12/02/2019 | Y | | | None | Read | N | N | 0 | -/R | UCAT |
| RSMP | CATALOG.FDRPAS.SHARED | CATALOG.** | IODF01 | 17/11/2017 | 06/02/2019 | Y | | | None | Read | N | N | 0 | -/R | UCAT |
| RSMP | CATALOG.IMS.USER | CATALOG.** | PTSG06 | 11/12/2015 | 06/02/2019 | Y | | | None | Read | N | N | 0 | -/R | UCAT |


| Column | Description |
|---|---|
| SYSTEM | System ID from which the record was written |
| DATASET NAME | Name of the data set |
| PROTECTING PROFILE | TSS profile that is protecting the data set |
| VOLUME | Volume serial number |
| CREATION DATE | Date of data set creation |
| REFERENCED DATE | Date last referenced |
| CATALOGED? | Whether the data set is cataloged |
| SMS? | Whether the data set is SMS controlled |
| APF? | APF library indicator |
| UACC | Universal ACCess for undefined user IDs |
| ID(*) | Default access for defined user IDs |
| FULLY QUALIFIED GENERIC? | FQG indicator |
| WARNING? | Whether the profile has the WARNING attribute |
| LEVEL | Data set level |
| AUDIT S/F | Audit successes and failures. The audit levels can have the values - (not set), R (READ), U (UPDATE), C (CONTROL) and A (ALTER); for example, U/R is equal to Success(Update)/Failures(Read). |
| DATASET TYPE | Type of sensitive data set being reported on, such as APF or Link |

Sensitive Commands

Click Sensitive Commands and select one of the following reports to display information about sensitive commands:

MVS.SETPROG

Lists all MVS SETPROG commands issued in the system and related information:

| System | Date | Time | Userid | Name | | From | Event | Description | Details |
|---|---|---|---|---|---|---|---|---|---|
| RSMP | 12/02/2019 | 13:37:46 | REXXBAT | | Unknown | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSMLOAD,VOL=NC3998 | System Command |
| RSMP | 12/02/2019 | 13:37:45 | REXXBAT | | Unknown | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSMLOAD,VOL=NC3997 | System Command |
| RSMP | 12/02/2019 | 13:37:44 | REXXBAT | | Unknown | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSMLOAD,VOL=NC3996 | System Command |
| RSMP | 12/02/2019 | 13:37:43 | REXXBAT | | Unknown | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSMLOAD,VOL=NC3995 | System Command |

| Column | Description |
|---|---|
| SYSTEM | System ID from which the record was written |
| DATE | Date the command was executed |
| TIME | Time the command was executed |
| USERID | User ID that issued the command |
| NAME | Name of the user, if available |
| FROM | Where the command was entered |
| EVENT | Internal event type or SMF event and event qualifier. Event refers to the SMF event/code qualifier documented in the IBM SMF manuals, or 'CONS' for a command entered at the system console. |
| DESCRIPTION | Command that was entered |
| COMMAND IMAGE | Internal event types |

SETROPTS

Lists all TSS SETROPTS commands issued in the system and related information:

| System | Date | Time | Userid | User Name | Port Of Entry | Event | Description | Command Image |
|---|---|---|---|---|---|---|---|---|
| RSMP | 14/02/2019 | 12:15:59 | AUSER | Fred Smith | A05TCP45 | 1800 | SETROPTS command | SETROPTS RACLIST(XFACILIT) REFRESH |
| RSMP | 14/02/2019 | 12:14:15 | BUSER | Dave Jones | A05TCP57 | 1800 | SETROPTS command | SETROPTS GENERIC(DATASET) REFRESH |
| RSMP | 14/02/2019 | 12:11:29 | CUSER | Bert Williams | A05TCP34 | 1800 | SETROPTS command | SETROPTS RACLIST(STARTED) REFRESH |
| RSMP | 14/02/2019 | 12:09:23 | DUSER | Tina Brown | A05TCP19 | 1800 | SETROPTS command | SETROPTS RACLIST(OPERCMDS) REFRESH |


| Column | Description |
|---|---|
| SYSTEM | System ID from which the record was written |
| DATE | Date the command was executed |
| TIME | Time the command was executed |
| USERID | User ID that issued the command |
| USER NAME | Name of the user, if available |
| PORT OF ENTRY | Where the command was entered |
| EVENT | Internal event type or SMF event and event qualifier. Event refers to the SMF event/code qualifier documented in the IBM SMF manuals, or 'CONS' for a command entered at the system console. |
| DESCRIPTION | Command that was entered |
| COMMAND IMAGE | Internal event types |

Resources

Click Resources and select one of the following reports to display information about TSS general resources:

Missing Profiles: OPERCMD

Lists all recommended OPERCMDS profiles that are missing and should be defined to TSS by the Mainframe Security team:

| Class | Profile | Purpose | Recommended |
|---|---|---|---|
| OPERCMDS | MVS.SET.PROG.** | Modify APF Libraries | Access must be limited to authorized personnel only. Preferably only accessible via Security PAM ids. Should have UACC(NONE) and AUDIT(SUC(READ) FAIL(READ)) |


| Column | Description |
|---|---|
| CLASS | TSS class |
| PROFILE | OPERCMDS profile |
| PURPOSE | Purpose of the TSS profile |
| RECOMMENDED | BMC recommendations |

Missing Profiles: STGADMIN

Lists all recommended STGADMIN profiles that are missing and should be defined to TSS by the Mainframe Security team:

| Class | Profile | Purpose | Recommended |
|---|---|---|---|
| FACILITY | STGADMIN.ADR.CONVERTV | Convert VTOC to SMS | Require READ access to use. Restrict access to this |
| FACILITY | STGADMIN.ADR.COPY.BYPASSACS | Copy data sets bypassing ACS routines | Require READ access to use. Restrict access to this |
| FACILITY | STGADMIN.ADR.COPY.INCAT | INCAT processing | Require READ access to use. Restrict access to this |
| FACILITY | STGADMIN.ADR.COPY.PROCESS.SYS | Copy SYS1 data sets | Require READ access to use. Restrict access to this |


| Column | Description |
|---|---|
| CLASS | TSS class |
| PROFILE | STGADMIN profile |
| PURPOSE | Purpose of the TSS profile |
| RECOMMENDED | BMC recommendations |

Missing Profiles: UNIXPRIV

Lists all recommended UNIXPRIV profiles that are missing and should be defined to TSS by the Mainframe Security team:

| Class | Profile | Purpose | Recommended |
|---|---|---|---|
| UNIXPRIV | SUPERUSER.IPC.RMID | Release IPC resources (ipcrm) | Require READ access to use. Limit to UNIX processes/debuggers |
| UNIXPRIV | SUPERUSER.PROCESS.KILL | Issue kill to processes | Require READ access to use. Limit to UNIX processes/debuggers |
| UNIXPRIV | SUPERUSER.PROCESS.PTRACE | Use ptrace through dbx debugger | Require READ access to use. Limit to UNIX processes/debuggers |
| UNIXPRIV | SUPERUSER.SETPRIORITY | Increase own priority | Require READ access to use. Limit to Storage Admin Group |


| Column | Description |
|---|---|
| CLASS | TSS class |
| PROFILE | UNIXPRIV profile |
| PURPOSE | Purpose of the TSS profile |
| RECOMMENDED | BMC recommendations |

Missing Profiles: FACILITY/STGADMIN due to Catch-All Profile

Lists all missing TSS profiles from classes FACILITY and STGADMIN that are being overlooked due to the UACC being greater than NONE or ID(*) being defined in the access control list (ACL) with access greater than NONE:

| Class | Profile | Purpose | Recommended |
|---|---|---|---|
| FACILITY | STGADMIN.IDC.DIAGNOSE.CATALOG | Run DIAGNOSE command against catalogs | Require READ access to use. Restrict access to this |
| FACILITY | STGADMIN.IDC.DIAGNOSE.VVDS | DIAGNOSE command against a VVDS | Require READ access to use. Restrict access to this |
| FACILITY | STGADMIN.IDC.EXAMINE.DATASET | Allows use of the IDCAMS EXAMINE command | Require READ access to use. Restrict access to this |
| FACILITY | STGADMIN.IGG.ALTER.SMS | Allows Storage Class or Management Class to be altered | Require READ access to use. Restrict access to this |


| Column | Description |
|---|---|
| CLASS | TSS class name |
| PROFILE | TSS profile |
| PURPOSE | Profile purpose |
| RECOMMENDED | BMC recommendations |

Missing Profiles: Command Verifier

| Class | CV Profile | Purpose | Recommended |
|---|---|---|---|
| XFACILIT | C4R.EXEMPT | Allows certain users to be exempt from policy enforcement | If you are installing Command Verifier for the first time, ensure that 1 or 2 users are permitted |
| XFACILIT | C4R.USER.ATTR.AUDITOR.** | Prevents system AUDITOR from being granted to users | Very few users should have this access. Set default universal access authority (UACC) to NONE. |
| XFACILIT | C4R.USER.ATTR.OPERATIONS.** | Prevents system OPERATIONS from being granted to users | Very few users should have this access. Set UACC to NONE. |
| XFACILIT | C4R.USER.ATTR.SPECIAL.** | Prevents system SPECIAL from being granted to users | Very few users should have this access. Set UACC to NONE. |

| Column | Description |
|---|---|
| CLASS | Class name to which the profile belongs |
| CV PROFILE | Command Verifier profile |
| PURPOSE | Profile owner |
| RECOMMENDED | BMC recommendations for this setting |

Missing Profiles: Certificate

Lists all the recommended general resource profiles related to digital certificates that are not defined to TSS:

| Class | Missing Profile | Recommended Setting |
|---|---|---|
| FACILITY | IRR.DIGTCERT.** | Set UACC/ID(*) to NONE. READ allows users to issue the RACDCERT commands for themselves, UPDATE for others and CONTROL for SITE and CERTAUTH certificates |
| FACILITY | IRR.DIGTCERT.CHECKCERT | Set UACC/ID(*) to NONE. READ allows users to issue the RACDCERT commands for themselves, UPDATE for others and CONTROL for SITE and CERTAUTH certificates |


| Column | Description |
|---|---|
| CLASS | TSS class |
| MISSING PROFILE | Missing TSS profile |
| RECOMMENDED SETTING | BMC recommended profile |

Certificates: All Profiles

Lists all general resource profiles related to digital certificates defined to TSS:

| Data set Name | Protecting Profile | Owner | UACC | Warning? | Audit S/F | ID(*) | Level | ACL count |
|---|---|---|---|---|---|---|---|---|
| FACILITY | IRR.DIGTCERT.* | TSGDL | None | N | /R | | 0 | |
| FACILITY | IRR.DIGTCERT.ADD | TSGCG | None | N | /R | R | 0 | 7 |
| FACILITY | IRR.DIGTCERT.ADDRING | TSGCG | None | N | /R | R | 0 | 7 |
| FACILITY | IRR.DIGTCERT.ALTER | TSGCG | None | N | /R | R | 0 | 7 |


| Column | Description |
|---|---|
| CLASS | TSS class |
| PROTECTING PROFILE | TSS profile |
| OWNER | Profile owner |
| UACC | TSS Universal ACCess setting |
| WARNING? | Is the WARNING attribute on? |
| AUDIT S/F | Audit successes and failures. The audit levels can have the values - (not set), R (READ), U (UPDATE), C (CONTROL) and A (ALTER); for example, U/R is equal to Success(Update)/Failures(Read). |
| ID(*) | Default access for the profile |
| LEVEL | Resource level |
| ACL COUNT | Number of users on the access list |

Certificates: Expiring

Lists all digital certificates defined to TSS that are about to expire:

| Class | Profile | Remaining | Expiry Date |
|---|---|---|---|
| DIGTCERT | 00.CN=RSMP?TEST.T=RSS.OU=RSM?PARTNERS?LTD.O=RSM.L=STOKE?POUND.SP=BROMSGROVE.C=GB | 106 | 01/06/2019 |
| DIGTCERT | 01.CN=RSMP?TEST.T=RSS.OU=RSM?PARTNERS?LTD.O=RSM.L=STOKE?POUND.SP=BROMSGROVE.C=GB | 106 | 01/06/2019 |
| DIGTCERT | 4AA7268B.CN=CA?Receive?Order.OU=CA?Receive?Order | 207 | 10/09/2019 |
| DIGTCERT | 00.CN=CKNCA.OU=ZSECURE.O=IBM.C=US | 349 | 30/01/2020 |


| Column | Description |
|---|---|
| CLASS | TSS class |
| PROFILE | Profile name |
| REMAINING | Number of days until the certificate expires |
| EXPIRY DATE | Certificate expiry date |

Certificates: Expired

Lists all digital certificates defined to TSS that have expired:

| Class | Profile | Days | Expired date |
|---|---|---|---|
| DIGTCERT | 01.CN=Root?CA?Test.OU=Technology.O=Test.L=Glasgow.SP=Scotland.C=GB | -99 | 07/11/2018 |
| DIGTCERT | 35DEF4CF.OU=Equifax?Secure?Certificate?Authority.O=Equifax.C=US | -176 | 22/08/2018 |
| DIGTCERT | 01A3.CN=GTE?CyberTrust?Root.O=GTE?Corporation.C=US | -4739 | 23/02/2006 |
| DIGTCERT | 03.CN=GTE?CyberTrust?Root.O=GTE?Corporation.C=US | -4792 | 01/01/2006 |


| Column | Description |
|---|---|
| CLASS | TSS class |
| PROFILE | Profile name |
| DAYS | Number of days since the certificate expired |
| EXPIRED DATE | Date the certificate expired |

Misconfigured Settings: CICS SIT

Lists the security settings defined in the CICS system initialization table (SIT) that conflict with BMC recommendations:

| Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|
| CICSTS55 | CONFDATA | Show | HIDETC | Determines whether user data appears in traces or dumps. This data could be used to penetrate the system. | Default is SHOW. This may have SOX implications |
| CICSTS55 | CONFTXT | No | Yes | Determines whether user data appears in traces or dumps. This data could be used to penetrate the system. | Default is NO; VTAM can trace user data. |
| CICSTS55 | GMTRAN | CESN | CSGM | Specifies the initial transaction that will be executed. | Default is CSGM. Specify an ATI transaction that will be run. |
| CICSTS55 | SECPRFX | No | Yes | This parameter allows for segregation of access to separate regions. CICS prefixes all resource names with the CICS user ID when talking to the ESM. | YES is generally recommended if multiple CICS systems are running. |


| Column | Description |
|---|---|
| Region | CICS region name |
| Setting | System name |
| Current | Current value |
| Recommended | BMC recommended value |
| Purpose | Description of the purpose of the setting |
| Notes | Supplementary notes regarding the BMC recommendation |

Misconfigured Settings: IMS

Lists the security settings defined for IMS that conflict with BMC recommendations:

| Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|

| Column | Description |
|---|---|
| Region | IMS region name |
| Setting | System name |
| Current | Current value |
| Recommended | BMC recommended value |
| Purpose | Description of the purpose of the setting |
| Notes | Supplementary notes regarding the recommendation |

Misconfigured Settings: DB2

Lists the security settings defined in the DB2 SIT that conflict with BMC recommendations:

| System | Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|---|

| Column | Description |
|---|---|
| System | System name where the DB2 region is running |
| Region | Db2 region name |
| Setting | System name |
| Current | Current value |
| Recommended | BMC recommended value |
| Purpose | Description of the purpose of the setting |
| Notes | Supplementary notes regarding the recommendation |

Misconfigured Settings: MQ

Lists the security settings defined in the MQ SIT that conflict with BMC recommendations:

| System | Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|---|

| Column | Description |
|---|---|
| System | System name where the MQ region is running |
| Region | MQ region name |
| Setting | System name |
| Current | Current value |
| Recommended | BMC recommended value |
| Purpose | Description of the purpose of the setting |
| Notes | Supplementary notes regarding the recommendation |

Software Security Settings: CICS SIT

Lists the security settings defined in the CICS System Initialization Table (SIT) of each active CICS region:

| System | Region | Parameter | Current Setting |
|---|---|---|---|
| RSMP | CICSTS51 | AIEXIT | DFHZATDX |
| RSMP | CICSTS51 | APPLIDG | A05CICS1 |
| RSMP | CICSTS55 | APPLIDG | A |


| Column | Description |
|---|---|
| SYSTEM | System name where the CICS region is running |
| REGION | CICS region name |
| PARAMETER | SIT initialization parameter |
| CURRENT SETTING | Current setting |

Software Security Settings: IMS

Lists the security settings defined for each active IMS region:

| System | Region | Parameter | Current setting |
|---|---|---|---|

| Column | Description |
|---|---|
| SYSTEM | System name where the IMS region is running |
| REGION | IMS region name |
| PARAMETER | Initialization parameter |
| CURRENT SETTING | Current setting |

Software Security Settings: Db2

Lists the security settings defined for each active Db2 region:

| System | Region | Parameter | Current setting |
|---|---|---|---|

| Column | Description |
|---|---|
| SYSTEM | System name where the Db2 region is running |
| REGION | Db2 region name |
| PARAMETER | Initialization parameter |
| CURRENT SETTING | Current setting |

Software Security Settings: MQ

Lists the security settings defined for each active MQ region:

| System | Region | Parameter | Current setting |
|---|---|---|---|
| RSMN | QCBAMSTR | ACTIVE | Yes |
| RSMN | QCBAMSTR | ACTIVE | No |
| RSMN | QCBAMSTR | ACTIVE | No |
| RSMN | QCBAMSTR | ACTIVE | No |


| Column | Description |
|---|---|
| SYSTEM | System name where the MQ region is running |
| REGION | MQ region name |
| PARAMETER | Parameter name |
| CURRENT SETTING | Current setting |

Profiles with Inappropriate Audit

Lists all general resource profiles that do not comply with the recommended audit settings:

| Class | Profile | Owner | UACC | Warn | Audit S/F | ID(*) | Level | # on ACL | Cert Start | Cert End |
|---|---|---|---|---|---|---|---|---|---|---|
| DIGTCERT | 023456.CN=GeoTrust?Global?CA.O=GeoTrust?Inc..C=US | TSGAT | T | N | / | | 0 | | 21/05/2002 | 21/05/2022 |
| FACILITY | AOPADMIN | IBMUSER | N | N | /R | | 0 | 1 | | |
| FACILITY | AP | #OPSMVS | N | N | /R | | 0 | 1 | | |
| FACILITY | BPX.CONSOLE | TSGSJ | N | N | /R | | 0 | 8 | | |

| Column | Description |
|---|---|
| CLASS | TSS class |
| PROFILE | TSS profile |
| OWNER | Profile owner |
| UACC | Universal ACCess for undefined user IDs |
| WARN | Is the WARNING attribute on? |
| AUDIT S/F | Audit successes and failures. The audit levels can have the values - (not set), R (READ), U (UPDATE), C (CONTROL) and A (ALTER); for example, U/R is equal to Success(Update)/Failures(Read). |
| ID(*) | Default access for defined user IDs |
| LEVEL | Level from the TSS profile definition |
| # ON ACL | Number of users on the access list (ACL) |
| CERT START | Start date if a certificate |
| CERT END | End date if a certificate |
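Added example, not part of the product or of this page: a checker for the Audit S/F notation described in the table above. It assumes RACF-style semantics in which an audit level covers that access and every higher one, so READ is the broadest setting and '-' or an empty side means not set; the required levels default to SUC(READ) FAIL(READ), the recommendation this page gives for MVS.SET.PROG.**. The sample rows are constructed.

```python
# Rank of the audit levels shown in the Audit S/F column. A lower rank
# audits more events: READ logs READ and every higher access (assumption:
# RACF-style AUDIT(SUCCESS(level) FAILURES(level)) semantics).
AUDIT_RANK = {"R": 1, "U": 2, "C": 3, "A": 4}


def _level(token, field):
    """Map one side of the S/F value to a level letter, or None when not set."""
    token = token.strip()
    if token in ("", "-"):
        return None
    if token not in AUDIT_RANK:
        raise ValueError(f"unknown audit level {token!r} in {field!r}")
    return token


def parse_audit_sf(field):
    """Split an Audit S/F value such as 'U/R', '-/R', '/R' or '/' into
    (success_level, failure_level); each side is a letter or None."""
    if field is None:
        raise ValueError("missing Audit S/F field")
    text = field.strip().upper()
    if "/" not in text:
        raise ValueError(f"Audit S/F value has no '/': {field!r}")
    succ, fail = text.split("/", 1)
    return _level(succ, field), _level(fail, field)


def _covers(actual, required):
    """True when 'actual' audits at least as broadly as 'required'."""
    if required is None:          # this side is not required at all
        return True
    if actual is None:            # required but not set on the profile
        return False
    return AUDIT_RANK[actual] <= AUDIT_RANK[required]


def meets_audit(field, required_success="R", required_failure="R"):
    """True when both sides of the profile's Audit S/F meet the recommendation."""
    succ, fail = parse_audit_sf(field)
    return _covers(succ, required_success) and _covers(fail, required_failure)


# Constructed rows in the shape of this report: (class, profile, Audit S/F).
SAMPLE_PROFILES = [
    ("FACILITY", "AOPADMIN", "/R"),
    ("FACILITY", "BPX.CONSOLE", "/R"),
    ("DIGTCERT", "00.CN=EXAMPLE.O=TEST.C=GB", "/"),
    ("OPERCMDS", "MVS.SET.PROG.**", "R/R"),
    ("OPERCMDS", "MVS.SETPROG.LNKLST.**", "U/R"),   # constructed profile name
]


def inappropriate_audit(rows, required_success="R", required_failure="R"):
    """Return the rows whose Audit S/F does not meet the recommendation."""
    return [r for r in rows
            if not meets_audit(r[2], required_success, required_failure)]


if __name__ == "__main__":
    for cls, profile, audit in inappropriate_audit(SAMPLE_PROFILES):
        print(f"{cls:<9} {profile:<32} Audit S/F={audit}")
```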

All Profiles

Lists all general resource profiles from the recommended TSS classes:

| Class | Profile | Owner | UACC | Warn | Audit S/F | ID(*) | Level | # on ACL | Cert Start | Cert End |
|---|---|---|---|---|---|---|---|---|---|---|
| DIGTCERT | 00.CN=CKNCA.OU=ZSECURE.O=IBM.C=US | TSGTS | T | N | / | | 0 | | 24/05/2018 | 30/01/2020 |
| FACILITY | AOPADMIN | IBMUSER | N | N | /R | | 0 | 1 | | |
| FACILITY | AP | #OPSMVS | N | N | /R | | 0 | 1 | | |
| FACILITY | BPX.CONSOLE | TSGSJ | N | N | /R | | 0 | 8 | | |

| Column | Description |
|---|---|
| CLASS | TSS class |
| PROFILE | TSS profile |
| OWNER | Profile owner |
| UACC | Universal ACCess for undefined user IDs |
| WARN | Is the WARNING attribute on? |
| AUDIT S/F | Audit successes and failures. The audit levels can have the values - (not set), R (READ), U (UPDATE), C (CONTROL) and A (ALTER); for example, U/R is equal to Success(Update)/Failures(Read). |
| ID(*) | Default access for defined user IDs |
| LEVEL | Level from the TSS profile definition |
| # ON ACL | Number of users on the access list (ACL) |
| CERT START | Start date if a certificate |
| CERT END | End date if a certificate |

Global Access Table

Lists all TSS definitions defined in the Global Access Table (GAT):

| Class | Profile | Entry | Access |
|---|---|---|---|
| GLOBAL | DATASET | &RACUID.** | A |
| GLOBAL | DATASET | SYS1.** | R |
| GLOBAL | DATASET | SYS1.HELP | R |
| GLOBAL | DATASET | SYS1.MARK | R |


| Column | Description |
|---|---|
| CLASS | TSS class (GLOBAL) |
| PROFILE | TSS profile type |
| ENTRY | Global table entry member |
| ACCESS | Global access: A (ALTER) or R (READ) |

System Settings

Click System Settings and select one of the following reports to display information about your TSS and z/OS environment:

PPT: Entries Specifying NOPASS

Lists all Program Properties Table (PPT) entries that have NOPASS specified in z/OS PARMLIB member SCHEDxx:

| System | Program |
|---|---|
| RSMP | EPWINIT |

| Column | Description |
|---|---|
| SYSTEM | System name |
| PROGRAM | Program that has NOPASS in the PPT |

PPT: Entries Defined as NOSWAP

Lists all Program Properties Table (PPT) entries that have NOSWAP defined in z/OS PARMLIB member SCHEDxx:

| System | Program | Key |
|---|---|---|
| RSMP | AZFSTCMN | 2 |
| RSMP | BNJLINTX | 8 |
| RSMP | BPEINI00 | 7 |
| RSMP | BPXBATA2 | 2 |


| Column | Description |
|---|---|
| SYSTEM | System name |
| PROGRAM | Program name in the PPT |
| KEY | MVS storage protect key that the program runs under, as defined in the MVS PPT |

Misconfigured Settings

Lists all TSS and z/OS settings that are potential vulnerabilities on your system:

| System | Type | Setting | Current Value | Recommended | Description | Notes |
|---|---|---|---|---|---|---|
| RSMP | PASSWORD | INTERVAL | 30 | 90 | Number of days before user must change password (1-254). | Specify as PASSWORD(INTERVAL(nn)). nn should be <=90 |
| RSMP | PASSWORD | MINCHANGE | 0 | 1 | Number of days before user can change password again (0-254). | Specify as PASSWORD(MINCHANGE(nn)). nn should be >=1 |
| RSMP | SETROPTS | APPLAUDIT | NOAPPLAUDIT | APPLAUDIT | Enables auditing of APPC transactions | Set as APPLAUDIT |
| RSMP | SETROPTS | GENERICOWNER | NOGENERICOWNER | GENERICOWNER | Restricts creation of more specific undercutting profiles | Specify GENERICOWNER |


| Column | Description |
|---|---|
| SYSTEM | System LPAR name |
| TYPE | Setting type. Type is either 'SETROPTS', 'PASSWORD', 'SMF' or 'SYSTEM' and denotes the category of the setting that has been misconfigured. |
| SETTING | Setting name |
| CURRENT VALUE | Current value of the setting from storage |
| RECOMMENDED | Recommended setting |
| DESCRIPTION | Description of the setting |
| NOTES | Notes and recommendations |

STC Entries with Unprotected User ID

Lists all started tasks defined to TSS that have unprotected user IDs:

| System | Profile | Stuser | Stgroup | Privileged | Trusted | Traced |
|---|---|---|---|---|---|---|
| LPAR1 | BPXAS.* | OMVSKERN | OMVSGRP | | | |
| LPAR1 | FTPD.* | FTPD | | | | |
| LPAR2 | TCPIP.* | TCPIP | OMVSGRP | | Yes | |
| LPAR3 | TN3270.* | TN3270 | OMVSGRP | | Yes | |


| Column | Description |
|---|---|
| SYSTEM (SPE2304) | System name |
| PROFILE | Started task profile name |
| STUSER | Started task user IDs associated with the profile |
| STGROUP | Started task group associated with the profile |
| PRIVILEGED | Whether the task is privileged |
| TRUSTED | Whether the task is trusted |
| TRACED | Whether the task is traced |

Inactive Monitored Jobs

Lists all jobs marked for monitoring in Security Policy Manager that are not currently running:

| System | Job not running |
|---|---|
| RSMP | RSSTAM |
| RSMP | CICSTS42 |


| Column | Description |
|---|---|
| SYSTEM | System name |
| JOB NOT RUNNING | Name of the monitored job that appears not to be running |

Users

Click Users and select one of the following reports to display information about TSS users:

Specific User Activity

With the Specific User Activity report, you can retrieve information about a specific user. Select the report, enter the user ID you want to query, and click Submit.

The report lists detailed user activity, as displayed in the following example:

[Image: Specific User Activity report showing the detailed activity of one user ID]

Inactive (Non-STC)

| User | Name | Type | Revoked | Created | DateUsed | TimeUsed | Last Facility | Last CPU |
|---|---|---|---|---|---|---|---|---|
| TSGAT | ADRIAN TOPP | USER | | 2018-03-05 | 2020-07-17 | 14:30 | TSO | RSMX |
| TSGCH | CHRIS HARVEY | CENTRAL | | 2019-07-04 | 2019-10-07 | 09:22 | TSO | RSMZ |

| Column | Description |
|---|---|
| USER | ACID |
| NAME | Name of the ACID |
| TYPE | Type of ACID |
| REVOKED | Date ACID was revoked |
| CREATED | Date ACID was created |
| DATEUSED | Date ACID was last used |
| TIMEUSED | Time ACID was last used |
| LAST FACILITY | Name of the last facility that the ACID used on the system |
| LAST CPU | Name of the last CPU (LPAR) accessed by the ACID |

File Transfers

| Date | Time | System | User | Action | Program | Dataset | Jobname |
|---|---|---|---|---|---|---|---|

| Column | Description |
|---|---|
| DATE | Date the file transfer was run |
| TIME | Time the file transfer was run |
| SYSTEM | System the file transfer was run from |
| USER | ACID performing the file transfer |
| ACTION | Send or receive |
| PROGRAM | Name of the program used to transfer the file |
| DATASET | Name of the data set that was transferred |
| JOBNAME | Name of the job that ran the file transfer |

ACIDs: No 'Last Used' Date

| ACID | Name | Type | Suspended | Creation Date | Time |
|---|---|---|---|---|---|
| BPXROOT | BPX ROOT | USER | | 2018-03-02 | 12:20 |
| ECWFSEC | SECURITY ADMIN | CENTRAL | | 2020-04-27 | 11:54 |
| GSVNDTCL | SYSVIEW | USER | | 2019-11-20 | 10:44 |

| Column | Description |
|---|---|
| ACID | ACID |
| NAME | Name of ACID |
| TYPE | Type of ACID |
| SUSPENDED | Date ACID was suspended |
| CREATION DATE | Date ACID was created |
| TIME | Time ACID was last used |

ACIDs: With NOxxxCHK

For the listed ACID with expanded privileges, the access and activity are logged, but the specified security checks are not performed.

| ACID | Name | Type | DSN | LCF | RES | SUB | VMD | VOL | STC? |
|---|---|---|---|---|---|---|---|---|---|
| SMFCLEAR | OMVS | USER | NODSNCHK | | | | | NOVOLCHK | *STC* |
| TSGCW | CHAD WICK | CENTRAL | NODSNCHK | NOLCFCHK | NORESCHK | | | NOVOLCHK | |
| TSGTA | TROY AIKMAN | CENTRAL | NODSNCHK | NOLCFCHK | NORESCHK | NOSUBCHK | NOVMDCHK | | |

| Column | Description |
|---|---|
| ACID | ACID |
| NAME | Name of the ACID |
| TYPE | Type of ACID |
| DSN | ACID bypasses data set name checks |
| LCF | ACID bypasses LCF restrictions and can run any command on the facility |
| SUB | ACID can submit all jobs regardless of the ACID specified on the job card in the JCL |
| VMD | ACID bypasses VM minidisk-level security checking |
| VOL | ACID bypasses volume-level security checking |
| STC? | If the ACID is a started task ACID, *STC* is displayed |

ACIDs: With Non-Expiring Passwords

| ACID | Name | Type | LastUsed | Zone | Division | Department |
|---|---|---|---|---|---|---|

| Column | Description |
|---|---|
| ACID | ACID |
| NAME | Name of ACID |
| TYPE | Type of ACID |
| LASTUSED | Date ACID was last used |
| ZONE | Name of zone the ACID belongs to (ZCA) |
| DIVISION | Name of division the ACID belongs to (VCA) |
| DEPARTMENT | Name of department the ACID belongs to (DCA) |

ACIDs: With UID(0)

This report lists users with UID(0), that is, users with root accounts, also referred to as superusers.

| Userid | Name | Default Group | UID(0) |
|---|---|---|---|

| Column | Description |
|---|---|
| USERID | ACID |
| NAME | Name of ACID |
| DEFAULT GROUP | Name of the ACID's default group |
| UID(0) | Full user identifier number of the root account |

Compliance

Click Compliance and select one of the following reports to display information about security violations detected in the z/OS environment:

Access Violations

Lists all security access violations detected in your z/OS environment:

| System | Date | Time | Userid | Name | Class | Resource | Volser | Intent | Allowed |
|---|---|---|---|---|---|---|---|---|---|
| RSMP | 19/02/2019 | 14:29:14 | RSS | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.SECURITY | | Read | None |
| RSMP | 19/02/2019 | 14:29:14 | RSS | RSS STARTED TASK | MQCMDS | QCBB.DISPLAY.SECURITY | | Read | None |
| RSMP | 19/02/2019 | 14:00:16 | RSSCHIP | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.SECURITY | | Read | None |
| RSMP | 19/02/2019 | 14:00:16 | RSSCHIP | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.ARCHIVE | | Read | None |

| Column | Description |
|---|---|
| SYSTEM | System where the violation was detected |
| DATE | Event date |
| TIME | Event time |
| USERID | User ID that caused the violation |
| NAME | Name of the user ID |
| CLASS | Class of the resource that generated the violation |
| RESOURCE | Resource that generated the violation |
| VOLSER | Volume serial number, if applicable |
| INTENT | Access intent |
| ALLOWED | Access allowed |


Allowlists

Many of the Security Policy Manager queries can exclude results by using allowlists. Allowlists are defined in the index member of the rules data set and consist of exceptions that can be used to prevent specific users or resources from being reported on as non-compliant.

For example, if only one user ID is allowed to update APF libraries, then an allowlist containing that one user ID can be defined, and the compliance query can specify a clause such as:
AND userid NOT IN (SELECT userid FROM allowlist WHERE type='APF')

The allowlist defined would be:

* TSO allowlists
Allowlist APF
TSGAPF     Userid allowed to update APF data sets.

For an example of the allowlist, see Sample-index-member.
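Added example, not part of the product or this page: a parser for the index-member allowlist layout shown above, feeding a SQLite query that applies the same NOT IN clause to exclude allowlisted user IDs from SETPROG APF events. The allowlist text, the events and the setprog table name are constructed for this illustration; allowlist, userid and type are the names the page's clause itself uses.

```python
import re
import sqlite3

# Constructed allowlist text in the index-member layout shown on this page:
# '*' lines are comments, 'Allowlist <TYPE>' opens a list, and each following
# line is '<USERID>  <free-text note>' until the next header.
ALLOWLIST_MEMBER = """\
* TSO allowlists
Allowlist APF
TSGAPF     Userid allowed to update APF data sets.
TSGSMP     Userid used by the SMP/E maintenance job.
Allowlist STC
RSS        Product started task.
"""

# Constructed events shaped like the MVS.SETPROG report rows on this page:
# (system, date, time, userid, description)
SETPROG_EVENTS = [
    ("RSMP", "12/02/2019", "13:37:46", "REXXBAT",
     "SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSMLOAD,VOL=NC3998"),
    ("RSMP", "12/02/2019", "13:37:45", "TSGAPF",
     "SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSMLOAD,VOL=NC3997"),
    ("RSMP", "12/02/2019", "13:37:44", "TSGSMP",
     "SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSMLOAD,VOL=NC3996"),
    ("RSMP", "12/02/2019", "13:37:43", "REXXBAT",
     "SETPROG LNKLST,ACTIVATE,NAME=LNKLST01"),   # not an APF change
]


def parse_allowlist(text):
    """Return (type, userid, note) tuples from an index-member allowlist block."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue                      # blank line or comment
        m = re.match(r"^Allowlist\s+(\S+)$", line, re.IGNORECASE)
        if m:
            current = m.group(1).upper()  # start of a new allowlist type
            continue
        if current is None:
            raise ValueError(f"entry before any 'Allowlist' header: {raw!r}")
        parts = line.split(None, 1)       # user ID, then optional note
        userid = parts[0].upper()
        note = parts[1] if len(parts) > 1 else ""
        entries.append((current, userid, note))
    return entries


def apf_setprog_exceptions(events, allowlist_text):
    """Return SETPROG APF events whose issuer is not on the APF allowlist.

    The WHERE clause reuses the exclusion shown on this page:
    AND userid NOT IN (SELECT userid FROM allowlist WHERE type='APF')
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE allowlist (type TEXT, userid TEXT, note TEXT)")
    con.executemany("INSERT INTO allowlist VALUES (?, ?, ?)",
                    parse_allowlist(allowlist_text))
    # 'setprog' is a constructed table name for the events, not the product's.
    con.execute("CREATE TABLE setprog (system TEXT, date TEXT, time TEXT, "
                "userid TEXT, description TEXT)")
    con.executemany("INSERT INTO setprog VALUES (?, ?, ?, ?, ?)", events)
    rows = con.execute(
        "SELECT system, date, time, userid, description FROM setprog "
        "WHERE description LIKE 'SETPROG APF,%' "
        "AND userid NOT IN (SELECT userid FROM allowlist WHERE type='APF') "
        "ORDER BY time"
    ).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    for row in apf_setprog_exceptions(SETPROG_EVENTS, ALLOWLIST_MEMBER):
        print(" | ".join(row))
```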

Compliance Reports

Select Overview to see the Compliance Overview dashboard that is described in Logging-on-and-viewing-compliance-summaries.

Select All to see all the compliance reports defined on the system, including all policies contained in the index member, their last run time, next run time, and result of the run. For more information, see "Examining all compliance reports" and "To run individual reports" in Logging-on-and-viewing-compliance-summaries.

Select one of the following report categories:

  • DISA STIG
  • MVS
  • DB2
  • RACF
  • TSS
  • USS
  • TCP/IP
  • CICS
  • REXX

The list of categories might change, depending on your system configuration.

If you add a custom category to the HLQ.RULES(INDEX) member and update the rules with the /f stc, loadrules command (or restart the product), the custom category is displayed in the Compliance menu and in the All Compliance Reports table. For an example of the index member, see Sample-index-member.

TSS

Click TSS and select the following report to display information about issues on your TSS environment:

Resources with *ALL* Access > None

| Class | Resource | Owner | Access | Type |
|---|---|---|---|---|
| CATALOG.HOUSEKP.SHARED | CATALOG. | MASTER | READ | UCAT |
| CATALOG.GENERAL.UCAT | CATALOG. | MASTER | READ | UCAT |
| CATALOG.SMF.SHARED | CATALOG. | MASTER | READ | UCAT |
| CATALOG.ISVS.SHARED | CATALOG. | MASTER | READ | UCAT |
| CATALOG.ISVS.UCAT | CATALOG. | MASTER | READ | UCAT |

| Column | Description |
|---|---|
| CLASS | Name of the class that the resource belongs to |
| RESOURCE | Name of the physical or virtual component in the system |
| OWNER | Name of the owner of the resource |
| ACCESS | Access level permitted by TSS for accessing the resource |
