Database tables and columns for RACF


BMC AMI Security Policy Manager (SPM) uses the SQLite database engine. During startup, and after significant events, the tables are built or updated. Most of the tables are created in memory for efficiency. The tables can be read with SQL queries. This topic describes the tables and fields that are available to SQL queries.

Most tables can be JOINed by connecting on a common field.

access (expands characters for the “access” field)

Field

Format

Description

Value

access

Text

Access

N, R, U, C, A, E, T

value

Text

Full word

None, Read, Update etc.

numeric

Text

Number representing access

1=None
2=Exec
3=Read
4=Control
5=Update
6=Alter
7=Trust
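
The access table exists to turn the one-letter codes found in columns such as profile.uacc, sens.idstar or sens_access.access into a word and into a rank that can be compared. The following is an added example, not part of the product or its documentation: it builds an in-memory SQLite stand-in for the access, sens and sens_access tables with constructed rows, then JOINs them on their common fields to list APF libraries that some ID can reach with more than READ. Note that the documented numeric column places Control (4) below Update (5), whereas RACF itself ranks UPDATE below CONTROL; the check below compares against Read (3) only, so that ordering does not affect it.

```python
import sqlite3

# Added example, not part of the SPM product. The tables below are an
# in-memory stand-in built from the column names documented on this page;
# every row is constructed.
SCHEMA = """
CREATE TABLE access (access TEXT, value TEXT, numeric TEXT);
CREATE TABLE sens (system TEXT, dsn TEXT, type TEXT, profile TEXT,
                   uacc TEXT, idstar TEXT, warn TEXT);
CREATE TABLE sens_access (profile TEXT, id TEXT, access TEXT);
"""

# The access lookup table exactly as documented above.
ACCESS_ROWS = [
    ("N", "None", "1"), ("E", "Exec", "2"), ("R", "Read", "3"),
    ("C", "Control", "4"), ("U", "Update", "5"), ("A", "Alter", "6"),
    ("T", "Trust", "7"),
]

# Constructed sample data: three APF libraries and one PARMLIB.
SENS_ROWS = [
    ("SYSA", "SYS1.LINKLIB", "APF", "SYS1.**", "R", "N", ""),
    ("SYSA", "PROD.APF.LOAD", "APF", "PROD.APF.*", "U", "N", ""),
    ("SYSA", "TEST.APF.LOAD", "APF", "TEST.**", "N", "A", "Y"),
    ("SYSA", "SYS1.PARMLIB", "PARM", "SYS1.**", "R", "N", ""),
]
SENS_ACCESS_ROWS = [
    ("SYS1.**", "SYSPROG", "A"),
    ("SYS1.**", "AUDITGRP", "R"),
    ("PROD.APF.*", "APPLDEV", "R"),
]

# Every way an APF library can be reached (UACC, ID(*), ACL entry), each
# expanded through the access table so the report shows the full word
# instead of the one-letter code. All columns are Text, hence the CAST.
APF_WRITE_EXPOSURE = """
WITH exposure AS (
    SELECT s.dsn, 'UACC' AS via, s.uacc AS code, s.warn
      FROM sens s WHERE s.type = 'APF'
    UNION ALL
    SELECT s.dsn, 'ID(*)', s.idstar, s.warn
      FROM sens s WHERE s.type = 'APF'
    UNION ALL
    SELECT s.dsn, 'ACL:' || a.id, a.access, s.warn
      FROM sens s
      JOIN sens_access a ON a.profile = s.profile   -- JOIN on the common field
     WHERE s.type = 'APF'
)
SELECT e.dsn, e.via, x.value, e.warn
  FROM exposure e
  JOIN access x ON x.access = e.code
 WHERE CAST(x.numeric AS INTEGER) > 3   -- anything above Read (3)
 ORDER BY e.dsn, e.via
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory stand-in database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?)", ACCESS_ROWS)
    conn.executemany("INSERT INTO sens VALUES (?, ?, ?, ?, ?, ?, ?)", SENS_ROWS)
    conn.executemany("INSERT INTO sens_access VALUES (?, ?, ?)", SENS_ACCESS_ROWS)
    return conn


def apf_write_exposure(conn: sqlite3.Connection) -> list[tuple]:
    """APF libraries that some ID can change via UACC, ID(*) or an ACL entry."""
    return conn.execute(APF_WRITE_EXPOSURE).fetchall()


if __name__ == "__main__":
    for dsn, via, word, warn in apf_write_exposure(build_db()):
        # WARN mode means RACF grants (and logs) access it would otherwise deny,
        # so a WARN profile protects nothing until the attribute is removed.
        note = "  (WARN mode: access is granted and only logged)" if warn == "Y" else ""
        print(f"{dsn:<20} {via:<14} {word}{note}")
```

The same JOIN pattern applies to profile_access, profile_members and group_access: join the table's access column to access.access and compare CAST(numeric AS INTEGER) rather than the letter.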

cdt (class descriptor table)

Field

Format

Description

Value

cdtclass

Text

Class name

 

cdtclsid

Text

Class id

 

cdtactiv

Text

Active?

Y or blank

cdtposit

Text

Posit value

 

cdtdfrc

Text

Default RC

 

cdtxref

Text

Group/Member class name

 

cdtmaxl

Text

Maximum length

 

cdtfrst

Text

1st character syntax

 

cdtremn

Text

Remaining characters syntax

 

cdtuacc

Text

Default UACC

N, R, blank

cdtmflg

Text

Misc flags

 

cdtflg0

Text

Flag 0

 

cdtflg1

Text

Flag 1

 

cdtlogo

Text

LOGOPTIONS for that class

Value is either blank, or
A-Always
N-Never
S-Success
F-Failures

cdtgencm

Text

GENCMD for that class

Value is either blank or Y to indicate that GENCMD is active for that class

cdtgenls

Text

GENLIST for that class

Value is either blank or Y to indicate that GENLIST is active for that class

cfield (custom field values)

Where more than one SPM instance is running in a sysplex that shares the same RACF database, the product synchronizes the SPM databases. For example, if an ALTUSER command is entered on one LPAR, a change message is sent via XCF to SPM instances on other LPARs that share the RACF database. The change message notifies the other SPM instances to refresh the database for that user, group, or profile.

Field

Format

Description

Value

system

Text

System from which the custom field was retrieved

 

user

Text

User ID to which a user custom field belongs (for backward compatibility)

 

name

Text

Same as user, the profile name to which the custom field belongs

 

class

Text

Class name

DATASET, GROUP, RESOURCE, USER

type

Text

Custom field type

CHAR, NUM, FLAG, HEX

key

Text

Custom field name

 

value

Text

Custom field value

 

clauth

Field

Format

Description

Value

clauuser

Text

Class Auth user ID

 

clauname

Text

Class Auth Name

 

command (commands from SMF type 80)

Field

Format

Description

Value

system

Text

System name

 

date

Text

Command date

yyyy-mm-dd

time

Text

Command time

hh:mm:ss

user

Text

Command user ID

 

name

Text

User ID Name

 

portofentry

Text

Port of entry

Console/Terminal name

event

Text

SMF event code or CONS

CONS or xxyy

desc

Text

Description

 

command

Text

Command entered

 

config

Field

Format

Description

Value

system

Text

LPAR name

 

type

Text

Entry type

SYSTEM, SETROPTS, PASSWORD, SMF, DISA, USS, CONSOLE, TSO, CNGRP

parm

Text

Parameter

DISA - CLASSIFIED

PASSWORD - ALGORITHM, HISTORY, INTERVAL, MINCHANGE, MIXEDCASE, REVOKE, RULE1, SPECIALCHARS, WARNING

SETROPTS - ACTIVE, ADDCREATOR, ADSP, APPLAUDIT, CATDSNS, CMDVIOL, DASDVOLAUDIT, DATASETAUDIT, EGN, ERASE, GENERICOWNER, GROUPAUDI, GRPLIST, INACTIVE, INITSTATS, JES(BATCHALLRACF), JES(EARLYVERIFY), JES(XBMALLRACF), MODEL, NJEUSERID, OPERAUDIT, PREFIX, PROTECTALL, RCVTINPW, RCVTSWPW, REALDSN, RETPD, SAUDIT, SESSIONINTERVAL, STATISTICS, TAPEDSN, TAPEVOLAUDIT, TERMINAL, TERMINALAUDIT, UNDEFINEDUSER, USERAUDIT, WHEN(PROGRAM)

SMF - ACTIVE, INTVAL, JWT, MAXDORM, MEMBER, MEMLIMIT, SID, STATUS, STC, STCDETAIL, STCINTVAL, STCTYPES, SWT, SYNCVAL, SYS, SYSDETAIL, SYSINTVAL, SYSTYPES, TSO, TSODETAIL, TSOINTVAL, TSOTYPES, TWT

SYSTEM - ALLOWUSERKEYCSA, AUTHTSF, ESM, IPLDATE, IPLTIME

USS - STARTUPPROC, STEPLIBLIST, SUPERUSER, TTYGROUP, USERIDALIAS

CONSOLE - MCS

TSO - UADS

CNGRP - GROUPNAME

value

Text

Parameter value

DISA - CLASSIFIED - YES | NO

SYSTEM - ESM - RACF | TSS | ACF2

SETROPTS - REALDSN - ACTIVE | INACTIVE

SETROPTS - RCVTINPW, RCVTSWPW - encryptedPasswordValue

CONSOLE - MCS - attributesOfMasterConsole

TSO - UADS - useridFromSYS1.UADS

CNGRP - GROUPNAME - member

Examples:

  • Type=DISA, parm=CLASSIFIED, value=YES | NO
    The value indicates whether this instance should be treated as a classified system. This field can be queried by a compliance query. Manually set these values in the configuration member, in the SPMParms block.
  • Type=SYSTEM, parm=ESM, value=RACF | TSS | ACF2
    The value indicates the external security manager. This field can be queried by a compliance query.
  • Type=SYSTEM, parm=IPLDATE, value=yyyy-mm-dd
    The value indicates the date of last IPL.
  • Type=SYSTEM, parm=IPLTIME, value=hh:mm:ss
    The value indicates the time of last IPL.
  • Type=SETROPTS, parm=RCVTSWPW, value=encryptedPasswordValue
    The value indicates the encrypted value of the RVARY switch password. The default is all zeroes.
  • Type=SETROPTS, parm=RCVTINPW, value=encryptedPasswordValue
    The value indicates the encrypted value of the RVARY inactivate password. The default is all zeroes.
  • Type=SETROPTS, parm=REALDSN, value=ACTIVE | INACTIVE
  • Type=CONSOLE, parm=MCS, value=attributesOfMasterConsole
    Value examples: NAME(BMC23700) STATUS(ACT-BMC2) AUTH(MASTER) DEV(3700) LOGON(OPTIONAL) USERID(N/A) ROUT(ALL)
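
As an added example (not the product's own code), the following uses an in-memory SQLite copy of the config table with constructed rows to flag systems whose RVARY switch or inactivate password is still the all-zero default described above, and then self-joins config on the common field system to narrow that to systems marked CLASSIFIED. The value lengths below are made up; the test is simply "nothing but zeroes", so the real length of the encrypted value does not matter.

```python
import sqlite3

# Added example; the config table is an in-memory stand-in using the columns
# documented on this page. All rows are constructed, and the non-default
# RVARY values are made-up hex strings.
SCHEMA = "CREATE TABLE config (system TEXT, type TEXT, parm TEXT, value TEXT)"

CONFIG_ROWS = [
    ("SYSA", "SETROPTS", "RCVTSWPW", "0000000000000000"),   # default
    ("SYSA", "SETROPTS", "RCVTINPW", "0000000000000000"),   # default
    ("SYSA", "DISA", "CLASSIFIED", "YES"),
    ("SYSB", "SETROPTS", "RCVTSWPW", "A1B2C3D4E5F60718"),
    ("SYSB", "SETROPTS", "RCVTINPW", "0000000000000000"),   # default
    ("SYSB", "DISA", "CLASSIFIED", "NO"),
    ("SYSC", "SETROPTS", "RCVTSWPW", "9F8E7D6C5B4A3928"),
    ("SYSC", "SETROPTS", "RCVTINPW", "1122334455667788"),
    ("SYSC", "DISA", "CLASSIFIED", "YES"),
]

# A non-empty value made only of '0' characters, whatever its length, is the
# shipped default. GLOB '*[^0]*' matches any value containing a non-zero
# character, so NOT GLOB keeps the all-zero ones.
DEFAULT_RVARY = """
SELECT system, parm
  FROM config
 WHERE type = 'SETROPTS'
   AND parm IN ('RCVTSWPW', 'RCVTINPW')
   AND value <> ''
   AND value NOT GLOB '*[^0]*'
 ORDER BY system, parm
"""

# Self-join on the common field "system": classified systems that still
# carry at least one default RVARY password.
CLASSIFIED_WITH_DEFAULT_RVARY = """
SELECT DISTINCT c.system
  FROM config c
  JOIN config d ON d.system = c.system
 WHERE d.type = 'DISA' AND d.parm = 'CLASSIFIED' AND d.value = 'YES'
   AND c.type = 'SETROPTS' AND c.parm IN ('RCVTSWPW', 'RCVTINPW')
   AND c.value <> '' AND c.value NOT GLOB '*[^0]*'
 ORDER BY c.system
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory stand-in and load the constructed config rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO config VALUES (?, ?, ?, ?)", CONFIG_ROWS)
    return conn


def default_rvary_passwords(conn: sqlite3.Connection) -> list[tuple]:
    """(system, parm) pairs whose RVARY password is still the default."""
    return conn.execute(DEFAULT_RVARY).fetchall()


def classified_systems_with_default_rvary(conn: sqlite3.Connection) -> list[str]:
    """Systems flagged CLASSIFIED=YES that still have a default RVARY password."""
    return [row[0] for row in conn.execute(CLASSIFIED_WITH_DEFAULT_RVARY)]


if __name__ == "__main__":
    db = build_db()
    for system, parm in default_rvary_passwords(db):
        print(f"{system}: {parm} is still the default (all zeroes)")
    print("classified systems affected:",
          ", ".join(classified_systems_with_default_rvary(db)))
```

A default RVARY password lets anyone with console or operator command access switch or deactivate RACF with a well-known value, which is why this check belongs in the compliance set alongside the CLASSIFIED flag.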

conn (group connects)

Field

Format

Description

Value

cguser

Text

Connect Group user

 

cggrpnm

Text

Connect Group name

 

cgauthda

Text

Date user connected

yyyy-mm-dd

cgauthor

Text

Connect Group owner

 

cgljtime

Text

Time of the last RACROUTE REQUEST=VERIFY (logon) with this group

hh:mm:ss

cgljdate

Text

Date of the last RACROUTE REQUEST=VERIFY (logon) with this group

yyyy-mm-dd

cguacc

Text

Connect Group default UACC

 

cgflag1

Text

X'80' = group ADSP

 

cgflag2

Text

X'80' = group SPECIAL

 

cgflag3

Text

X'80' = group OPERATIONS

 

cgflag4

Text

X'80' = group REVOKE

 

cgflag5

Text

X'80' = group GRPACC

 

cgnotuac

Text

NOTERMUACC (terminal UACC) flag

 

cggrpaud

Text

X'80' = group AUDIT

 

cgrevkdt

Text

Revoke date or null

 

cgresmdt

Text

Resume date or null

 

console

Field

Format

Description

Value

name

Text

Console name

 

stflg

Hexadecimal flag byte (for example, X'F0')

Status flag

 

status

Text

Representation of stflg as eight Y/N characters, high-order bit first: Y where the bit is 1, N where the bit is 0

For example, X'F0' is YYYYNNNN.

Status bit settings:

  • 80: active
  • 40: pending
  • 01: inactive

key

Text

User-assigned key

 

sysnm

Text

System name

 

rtflg

Hexadecimal flag byte (for example, X'F0')

Routing flag

 

routing

Text

Representation of rtflg as eight Y/N characters, high-order bit first: Y where the bit is 1, N where the bit is 0

For example, X'F0' is YYYYNNNN.

Routing bit settings:

  • 40: hc
  • 20: auto
  • 10: monitor job names
  • 08: monitor status
  • 04: monitor sessions
  • 02: MSCOPE=ALL
  • 01: n mscope data available

domflg

Hexadecimal flag byte (for example, X'F0')

DOM settings

 

dom

Text

Representation of domflg as eight Y/N characters, high-order bit first: Y where the bit is 1, N where the bit is 0

For example, X'F0' is YYYYNNNN.

DOM bit settings:

  • 80: DOM=ALL
  • 40: DOM=NORMAL
  • 20: DOM=NONE

mlvlflg

Hexadecimal flag byte (for example, X'F0')

MLVL flags

 

mlvl

Text

Representation of mlvlflg as eight Y/N characters, high-order bit first: Y where the bit is 1, N where the bit is 0

For example, X'F0' is YYYYNNNN.

MLVL bit settings:

  • 80: display WTORs
  • 40: display immediate action messages
  • 20: display critical eventual action messages
  • 10: display eventual action messages
  • 08: display informational messages
  • 04: display broadcast messages

authflg

Hexadecimal flag byte (for example, X'F0')

Console AUTH settings

 

auth

Text

Representation of authflg as eight Y/N characters, high-order bit first: Y where the bit is 1, N where the bit is 0

For example, X'F0' is YYYYNNNN.

AUTH bit settings:

  • 80: SYS authority
  • 40: IO authority
  • 20: CONS authority
  • 10: MASTER authority

terminal

Text

Eight-character terminal name

 

jobnm

Text

Eight-character job name

 

rout

Text

Route codes for this console

All, None, or specific codes as a 16-character hexadecimal value
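
Added example, not part of the original page: a decoder for the flag bytes above that produces the Y/N representation carried by the status, routing, dom, mlvl and auth columns, names the bits that are on using the bit tables above, and registers itself as a SQLite function so a query can pick out active consoles that hold MASTER authority. The console rows are constructed; the function names flag_to_yn, set_bits and flag_bit are this example's own.

```python
import sqlite3

# Bit meanings exactly as documented for the console table above.
STATUS_BITS = {0x80: "active", 0x40: "pending", 0x01: "inactive"}
DOM_BITS = {0x80: "DOM=ALL", 0x40: "DOM=NORMAL", 0x20: "DOM=NONE"}
MLVL_BITS = {0x80: "display WTORs",
             0x40: "display immediate action messages",
             0x20: "display critical eventual action messages",
             0x10: "display eventual action messages",
             0x08: "display informational messages",
             0x04: "display broadcast messages"}
AUTH_BITS = {0x80: "SYS authority", 0x40: "IO authority",
             0x20: "CONS authority", 0x10: "MASTER authority"}
MASKS = (0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01)   # high-order bit first


def parse_flag(text: str) -> int:
    """Accept the flag byte as 'F0' or as X'F0'; blank means no bits set."""
    t = (text or "").strip().upper()
    if t.startswith("X'") and t.endswith("'"):
        t = t[2:-1]
    return int(t, 16) & 0xFF if t else 0


def flag_to_yn(text: str) -> str:
    """The derived column: Y for each 1 bit, N for each 0 bit, e.g. F0 -> YYYYNNNN."""
    byte = parse_flag(text)
    return "".join("Y" if byte & m else "N" for m in MASKS)


def set_bits(text: str, names: dict[int, str]) -> list[str]:
    """Name every bit that is on; bits the table does not document are listed by mask."""
    byte = parse_flag(text)
    return [names.get(m, f"bit {m:02X}") for m in MASKS if byte & m]


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the console table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE console (name TEXT, stflg TEXT, sysnm TEXT, authflg TEXT)")
    conn.executemany("INSERT INTO console VALUES (?, ?, ?, ?)", [
        ("MASTER01", "80", "SYSA", "10"),   # active, MASTER authority
        ("OPER02",   "80", "SYSA", "40"),   # active, IO authority only
        ("OLDMST",   "01", "SYSA", "10"),   # inactive, MASTER authority
        ("SYSCON",   "80", "SYSB", "90"),   # active, SYS + MASTER
    ])
    # flag_bit(flag_text, mask) -> 1 if the bit is on, so SQL can test bits
    # without string-slicing the hex value.
    conn.create_function("flag_bit", 2, lambda f, m: int(bool(parse_flag(f) & m)))
    return conn


def active_master_consoles(conn: sqlite3.Connection) -> list[tuple]:
    """Consoles that are active (stflg X'80') and hold MASTER authority (authflg X'10')."""
    return conn.execute("""
        SELECT name, sysnm FROM console
         WHERE flag_bit(stflg, ?) AND flag_bit(authflg, ?)
         ORDER BY name
    """, (0x80, 0x10)).fetchall()


if __name__ == "__main__":
    print("F0 ->", flag_to_yn("F0"))
    for name, sysnm in active_master_consoles(build_db()):
        print(f"{name:<8} on {sysnm}")
```

The same parse_flag/set_bits pair decodes the conn table's cgflag1 to cgflag5 (X'80' in each) and the racf table's ACEE flag1 to flag3, given a matching name map.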

db2

Field

Format

Description

Value

system

Text

System name

 

jobname

Text

DB2/MQ region name

 

type

Text

Entry type

DB2 or MQ

parm

Text

DB2/MQ Parameter

 

value

Text

Parameter value

 

groups

Field

Format

Description

Value

groupname

Text

Name of the RACF group

 

owner

Text

Group owner

 

supgroup

Text

Superior group

 

numsubgroups

Text

Number of sub groups

 

numusers

Text

Number of connected users

 

crdate

Text

Group creation date

 

instdata

Text

Group installation data

 

gid

Text

OMVS group id

 

univflg

Text

Universal group?

 

uacc

Text

Group Uacc

 

notermuacc

Text

Group has Notermuacc?

 

aclcnt

Text

Number of users on the ACL

 

group_access

Field

Format

Description

Value

groupname

Text

Group Name

 

id

Text

User ID

 

access

(SPE2407)

Text

Access

  • C-CONNECT
  • A-ADD or CREATE
  • U-USE
  • J-JOIN

ims

Field

Format

Description

Value

system

Text

System name

 

jobname

Text

IMS region name

 

type

Text

Entry type

IMS

parm

Text

IMS Parameter

 

value

Text

Parameter value

 

login (password failures from SMF type 80)

Field

Format

Description

Value

system

Text

System name

 

date

Text

Event date

yyyy-mm-dd

time

Text

Event time

hh:mm:ss

user

Text

User ID that failed authentication

 

name

Text

User ID name

 

portofentry

Text

Port of entry

Terminal name

event

Text

SMF event

xxyy

desc

Text

Description

 

ppt (program properties table)

Field

Format

Description

Value

system

Text

System

 

program

Text

PPT Program name

 

key

Text

Execution Key

1-15

nocancel

Text

Nocancel attribute?

Y or blank

noswap

Text

Noswap attribute?

Y or blank

priv

Text

Privileged?

Y or blank

syst

Text

SYST

Y or blank

nodsi

Text

PPT NODSI

Y or blank

nopass

Text

PPT NOPASS

Y or blank

nreglimit

Text

NoRegLimit

Y or blank

spref

Text

PPT Spref

Y or blank

lpref

Text

PPT Lpref

Y or blank

nopref

Text

PPT Nopref

Y or blank

origin

Text

Origin

Default PARMLIB

date

Text

Unused

 

time

Text

Unused

 

profile

Field

Format

Description

Value

class

Text

Class name

For example, DATASET

profile

Text

RACF profile

For example, SYS1.**

owner

Text

Profile owner

For example, SYS1

uacc

Text

Universal Access

N, R, U, C, A, E, T

warn

Text

WARN bit on

Y or blank

audit

Text

Profile is audited

Y or blank

idstar

Text

ID(*) access

N, R, U, C, A, E, T

level

Text

Profile level

1-99

aclcnt

Text

Number of users on the ACL

 

startdate

Text

Profile Start Date (certificates)

yyyy-mm-dd

enddate

Text

Profile End Date (certificates)

yyyy-mm-dd

appldata

Text

Profile APPLDATA

 

profile_access

Field

Format

Description

Value

class

Text

Profile Class

 

profile

Text

Profile Name

 

id

Text

ACL user ID

 

access

Text

Access

N, R, U, C, A, E, T

profile_cond_access

(SPE2501)

Field

Format

Description

Value

class

Text

Profile Class

 

profile

Text

Profile Name

 

id

Text

Conditional ACL user ID

 

access

Text

Access

N, R, U, C, A, E, T

catype

Text

Conditional Access Type

APPCPORT, CONSOLE, CRITERIA, JESINPUT, PROGRAM, SERVAUTH

caname

Text

Conditional Access Name

 

access_cnt

Integer

The number of accesses

 

vol

Text

Volume of discrete data set

 

netid

Text

If catype is APPCPORT

 

cacriteria

Text

Conditional access criteria

 

profile_members

Field

Format

Description

Value

class

Text

Profile Class

 

profile

Text

Profile Name

 

member

Text

Profile member

 

access

Text

Access

N, R, U, C, A, E, T

sens (sensitive data sets)

Field

Format

Description

Value

apf

Text

Is APF authorized?

Y or blank

audit

Text

Profile audit settings

Success/Failures

cat

Text

Is data set cataloged?

Y or blank

cdate

Text

Creation Date

yyyy-mm-dd

dsn

Text

Sensitive Data set Name

 

fqg

Text

Fully Qualified Generic data set?

Y or blank

idstar

Text

ID(*) access

N, R, U, C, A, E, T

level

Text

Profile level

1-99

profile

Text

Protecting profile

 

rdate

Text

Last reference date

yyyy-mm-dd

sms

Text

Is SMS managed?

Y or blank

system

Text

LPAR Name of Reporting system

 

type

Text

Data set type

ACS, APF, CSF, DUMP, ESMC, HFS, IODF, IPL, JES2, LINK, LPA, MCAT, PAGE, PARM, RACF, SMF, SMS, TFS, TRAC, UADS, UCAT, USER, USTP, VIO, ZDT, ZFS, PSWD, REXX, VTAM

For a description of each type of data set, see the Data set type descriptions table.

(SPE2407)

uacc

Text

Data set UACC

N, R, U, C, A, E, T

volser

Text

Data set volume

 

warn

Text

WARN attribute?

Y or blank

sens_access

Field

Format

Description

Value

profile

Text

Profile Name

 

id

Text

ACL user ID

 

access

Text

Access

N, R, U, C, A, E, T

racf (commands from RACF command exit)

Field

Format

Description

Value

system

Text

System name

 

date

Text

Command date

yyyy-mm-dd

time

Text

Command time

hh:mm:ss

user

Text

Command user ID

 

portofentry

Text

Port of entry

Where command entered

rc

Text

Return code

 

ac

Text

Command type

 

type

Text

Description

01 - 16

flag1

Text

ACEE flag1

80-Special
40-ADSP
20-Operations
10-Auditor
08-Log RACF functions
04-Rsv
02-Priv STC
01-RACF defined user

flag2

Text

ACEE flag2

80-Alter auth
40-Control
20-Update
10-Read
01-None

flag3

Text

ACEE flag3

80-Acc List of Grps (0-Userid,1-Grp/Userid)
40-Racf a/s
20-Unauthenticated
10-authenticated
08-Task Level
04-INITUSP Done
02-Default UID
01-Password not required

precommand

Text

Command pre-image

Original command entered

postcommand

Text

Command post-image

Command after exit

smf14 (sensitive DSN opened for read/ftp/ind$file)

Field

Format

Description

Value

system

Text

System name

 

date

Text

Event date

yyyy-mm-dd

time

Text

Event time

hh:mm:ss

data set

Text

Data set name

 

member

Text

Member Name

 

jobname

Text

Jobname

 

jobid

Text

JES Job id

 

jobstep

Text

Job step

 

lpar

Text

LPAR

 

program

Text

Program name

 

user

Text

User

 

ddname

Text

DDNAME

 

recfm

Text

RECFM

 

lrecl

Text

LRECL

 

blksize

Text

BLKSIZE

 

volser

Text

Volser

 

flag1

Text

Flag byte 1

 

flag2

Text

Flag byte 2

 

SMF14RSD

Integer

Reader Date

 

SMV14RST

Integer

Reader Time

 

smf15 (sensitive DSN opened for write/ftp/ind$file)

Field

Format

Description

Value

system

Text

System name

 

date

Text

Event date

yyyy-mm-dd

time

Text

Event time

hh:mm:ss

data set

Text

Data set name

 

member

Text

Member Name

 

jobname

Text

Jobname

 

jobid

Text

JES Job id

 

jobstep

Text

Job step

 

lpar

Text

LPAR

 

program

Text

Program name

 

user

Text

User

 

ddname

Text

DDNAME

 

recfm

Text

RECFM

 

lrecl

Text

LRECL

 

blksize

Text

BLKSIZE

 

volser

Text

Volser

 

flag1

Text

Flag byte 1

 

flag2

Text

Flag byte 2

 

SMF15RSD

Integer

Reader Date

 

SMV15RST

Integer

Reader Time

 

smf42 (pds update)

Field

Format

Description

Value

system

Text

System name

 

date

Text

Event date

yyyy-mm-dd

time

Text

Event time

hh:mm:ss

data set

Text

Data set name

 

member

Text

Member Name

 

memberold

Text

Previous member name

 

action

Text

Member action

ADD or DEL

user

Text

User name

 

jobname

Text

Jobname

 

stepname

Text

Step name

 

procname

Text

Proc Name

 

portofentry

Text

Port of Entry

Terminal or INTRDR

volser

Text

Volume serial

 

severity

Integer

Internal SPM severity

 

stc

Field

Format

Description

Value

profile

Text

Profile name

 

stuser

Text

STC user ID

 

stgroup

Text

STC Group

 

priv

Text

Priv attribute?

Yes or blank

trusted

Text

Trusted attribute?

Yes or blank

useridprotected

Text

User ID is protected?

Yes or blank

traced

Text

Traced?

Yes or blank

summary

Field

Format

Description

Value

System

Text

System the compliance check was run on

 

Reference

Text

Reference as defined in the RULES(INDEX) data set

 

Rule

Text

The rule name from the RULES(INDEX) data set

 

ESM

Text

External security manager on the system

RACF, TSS, or ACF2

Category

Text

Defined in the RULES(INDEX) data set

 

Priority

Text

Defined in the RULES(INDEX) data set

 

Failures

Text

Number of failures discovered by the query

 

Lastrun

Text

The date and time the query was last run

dd mm HH:MM:SS

Lastrun

Text

The date and time the query will next run

dd mm HH:MM:SS

Description

Text

The description from the RULES(INDEX) data set

 

tcpip

Field

Format

Description

Value

stackname

Text

TCPIP stack name

 

keyword

Text

TCPIP keyword

 

value

Text

Keyword value

 

tcpipport

Field

Format

Description

Value

stackname

Text

TCPIP stack name

 

protocol

Text

Protocol

TCP or UDP

port

Text

Port number

 

bindaddr

Text

Bind address

Address or ANY

ipver

Text

TCPIP ipver

 

usage

Text

TCPIP usage

 

bind

Text

TCPIP bind

Y or N

saf

Text

TCPIP saf

Y or N

unrsvdeny

Text

TCPIP unrsvdeny

Y or N

unrsvsaf

Text

TCPIP unrsvsaf

Y or N

unrsvdlsn

Text

TCPIP unrsvdlsn

Y or N

unrsvdbind

Text

TCPIP unrsvdbind

Y or N

jobname

Text

Jobname using port

 

saf

Text

SAF name

 

ussfile

Field

Format

Description

Value

filename

Text

USS file name

filename

parent

Text

Parent directory

Pindex in usspath table (number associated with path)

filetype

Text

UNIX file types

dir, reg, sym

permission

Text

File permissions (user, group, other)

For example: 777

setuid

Text

Set-user-ID bit: the program runs with the effective UID of the file owner

Y or N

setgid

Text

Set-group-ID bit: the program runs with the effective GID of the file's group

Y or N

stickybit

Text

Sticky bit: in a directory with this bit set, only a file's owner (or the directory owner) can delete or rename the file

Y or N

useraudit

Text

Audit bits (Read Write Exec)

  • a=all
  • f=failures
  • s=success
  • -=none

For example: fff

auditoraudit

Text

Log auditor audit

---

uid

Text

File owner user uid

000000000000

gid

Text

File owner group gid

000000010000

To relate a file to a directory, see Using the ussfile and usspath tables.

usspath

Field

Format

Description

Value

Pindex

Text

Parent index (number associating path)

For example: 104

path

Text

File or directory path

For example: /bolryg/etc

To relate a file to a directory, see Using the ussfile and usspath tables.

Using the ussfile and usspath tables

BMC AMI Security Policy Manager runs the following USS file scans to capture attributes.

  • Full file scan, performed once every 7 days, which scans the complete tree starting from the root directory
  • Monitored file scan, performed once every day, which scans the monitored file locations and records updates

The message SPM0708I Uss file delta scan: 694 entries captured for ussfile table indicates that the scan performed is a monitored file scan.

Important

To relate a file to a directory, take the value in the parent column from the ussfile table and use it as the index to read from the usspath table. This will give you the directory that the file is in.

The following file locations are monitored:

  • '%/usr/sbin'
  • '%/usr/lpp/tcpip'
  • '%/usr/lpp/tcpip/sbin'
  • '%/etc'
  • '%/bin'
  • '%/dev'
  • '%/usr/lib/cron'
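
The join described above, as an added example that is not part of the product: an in-memory SQLite stand-in for ussfile and usspath with constructed rows, joined on ussfile.parent = usspath.Pindex to rebuild full path names, then filtered to world-writable entries that are setuid/setgid or owned by UID 0, which is the combination an attacker looks for in the monitored directories. Symbolic links are skipped because their own permission bits are not meaningful.

```python
import sqlite3

# Added example; ussfile and usspath are in-memory stand-ins built from the
# column names documented on this page. Pindex values, paths and files are
# all constructed.
SCHEMA = """
CREATE TABLE usspath (Pindex TEXT, path TEXT);
CREATE TABLE ussfile (filename TEXT, parent TEXT, filetype TEXT, permission TEXT,
                      setuid TEXT, setgid TEXT, stickybit TEXT, uid TEXT, gid TEXT);
"""

PATH_ROWS = [("0", "/"), ("1", "/bin"), ("2", "/etc"), ("3", "/usr/sbin"), ("4", "/tmp")]
FILE_ROWS = [
    # filename,    parent, type,  perm,  suid, sgid, sticky, uid,            gid
    ("su",         "1",    "reg", "755", "Y",  "N",  "N", "000000000000", "000000000000"),
    ("profile",    "2",    "reg", "644", "N",  "N",  "N", "000000000000", "000000000000"),
    ("inetd.conf", "2",    "reg", "666", "N",  "N",  "N", "000000000000", "000000000000"),
    ("helper",     "3",    "reg", "777", "Y",  "N",  "N", "000000000000", "000000000001"),
    ("scratch",    "4",    "reg", "666", "N",  "N",  "N", "000000000123", "000000000001"),
    ("localtime",  "2",    "sym", "777", "N",  "N",  "N", "000000000000", "000000000000"),
]

# parent -> Pindex rebuilds the directory; rtrim keeps '/' from becoming '//'.
# substr(permission, -1, 1) is the 'other' digit and bit 2 of it is write.
WORLD_WRITABLE_PRIVILEGED = """
SELECT rtrim(p.path, '/') || '/' || f.filename AS fullpath,
       f.permission, f.setuid, f.setgid, f.uid
  FROM ussfile f
  JOIN usspath p ON p.Pindex = f.parent
 WHERE f.filetype <> 'sym'
   AND (CAST(substr(f.permission, -1, 1) AS INTEGER) & 2) <> 0
   AND (f.setuid = 'Y' OR f.setgid = 'Y' OR f.uid = '000000000000')
 ORDER BY fullpath
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory stand-in and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO usspath VALUES (?, ?)", PATH_ROWS)
    conn.executemany("INSERT INTO ussfile VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)", FILE_ROWS)
    return conn


def world_writable_privileged(conn: sqlite3.Connection) -> list[tuple]:
    """World-writable files that are setuid/setgid or owned by UID 0, with full paths."""
    return conn.execute(WORLD_WRITABLE_PRIVILEGED).fetchall()


if __name__ == "__main__":
    for fullpath, perm, suid, sgid, uid in world_writable_privileged(build_db()):
        flags = "setuid " if suid == "Y" else ""
        flags += "setgid " if sgid == "Y" else ""
        print(f"{fullpath:<24} {perm} {flags}uid={int(uid)}")
```

A world-writable setuid program, or a world-writable root-owned file in /etc, lets any local user replace content that later runs with elevated authority; both are findings in their own right regardless of which STIG item lists the path.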

ussprocess

Field

Format

Description

Value

pid

Text

Process id

 

euid

Text

Effective UID of the process

 

asid

Text

Address space ID of the process

 

userid

Text

User ID under which the process runs

 

ruid

Text

Real UID of the process

 

jobname

Text

Job name of the address space

 

jobjbni

Text

 

 

jobjbns

Text

 

 

egid

Text

Effective GID of the process

 

rgid

Text

Real GID of the process

 

parms

Text

Process parameters

 

starttime

Text

Start time of the USS process

yyyy-mm-dd hh:mm:ss

user

Field

Format

Description

Value

userid

Text

RACF user ID

 

name

Text

User's name

 

dfltgrp

Text

User's default group

 

owner

Text

User ID owner

 

revoked

Text

Is user ID revoked?

Y or blank

pwint

Text

Password Interval

 

uid

Text

USS uid

 

auditor

Text

Does user have AUDITOR?

Y or blank

special

Text

Does user have SPECIAL?

Y or blank

operations

Text

Does user have OPERATIONS?

Y or blank

roaudit

Text

Does user have ROAUDIT?

Y or blank

ibmuser

Text

Is this the IBMUSER account?

Y or blank

not90

Text

Is user ID unused in the last 90 days?

Y or blank

ljdate

Text

Last connect date

ddMMMyyyy

numdays

Text

Number of days since last connect

 

weakpswd

Text

Does the user have a weak password?

Number 1–7

protected

Text

Is the user ID protected?

Y or blank

pwdcnt

Text

Number of old passwords

 

uaudit

Text

Does the user have UAUDIT on?

Y or blank

restricted

Text

Is this a restricted user ID?

Y or blank

revokect

Text

Number of unsuccessful password attempts

 

home

Text

USS Home directory

 

program

Text

User ID's USS program

 

instdata

Text

Installation data

 

proc

Text

User's logon procedure

 

segments

Text

Segments present

T=TSO, O=OMVS, C=CICS, S=CSDATA

creadate

Text

Date the user ID was created

ddmmmyyyy

passdate

Text

Date the password was last changed

ddmmmyyyy

operparm

Text

Operator's command authority

MASTER, ALL, SYS, IO, CONS, INFO

cicstime

Text

User's CICS timeout parameter

HH:MM

HH=hours, MM=minutes
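
Added example (not the product's code): dormant privileged user IDs. It combines the user table's system-wide SPECIAL, OPERATIONS and AUDITOR flags with group-level SPECIAL and OPERATIONS from the conn table, which is where these privileges are commonly missed, and keeps only IDs the not90 flag marks as unused for 90 days and that are not already revoked. It assumes conn.cgflag2 and cgflag3 hold the flag byte as two hexadecimal characters (so '80' means the documented X'80' bit is on); that storage format is an assumption, not something the page states. All rows are constructed.

```python
import sqlite3

# Added example; user and conn are in-memory stand-ins using the column names
# documented on this page. Every row is constructed.
SCHEMA = """
CREATE TABLE user (userid TEXT, revoked TEXT, special TEXT, operations TEXT,
                   auditor TEXT, not90 TEXT, numdays TEXT);
CREATE TABLE conn (cguser TEXT, cggrpnm TEXT, cgflag2 TEXT, cgflag3 TEXT);
"""

USER_ROWS = [
    # userid,   revoked, special, operations, auditor, not90, numdays
    ("IBMUSER", "Y", "Y", "",  "",  "Y", "900"),   # already revoked
    ("SYSADM1", "",  "Y", "",  "",  "",  "12"),    # privileged but active
    ("OLDADM",  "",  "Y", "",  "",  "Y", "210"),
    ("OPSBOT",  "",  "",  "Y", "",  "Y", "400"),
    ("DEVJOE",  "",  "",  "",  "",  "Y", "120"),   # no user-level privilege
    ("AUDIT1",  "",  "",  "",  "Y", "",  "3"),
]
# Assumption: the connect flag bytes are stored as two hex characters, so '80'
# is the X'80' bit the conn table documents for group SPECIAL / OPERATIONS.
CONN_ROWS = [
    ("DEVJOE",  "SYSPGRP", "80", "00"),   # group-SPECIAL via SYSPGRP
    ("OLDADM",  "SYS1",    "00", "00"),
    ("SYSADM1", "SYS1",    "80", "80"),
]

DORMANT_PRIVILEGED = """
WITH privileged AS (
    SELECT userid, 'SPECIAL' AS priv, 'user' AS scope FROM user WHERE special = 'Y'
    UNION ALL
    SELECT userid, 'OPERATIONS', 'user' FROM user WHERE operations = 'Y'
    UNION ALL
    SELECT userid, 'AUDITOR', 'user' FROM user WHERE auditor = 'Y'
    UNION ALL
    SELECT cguser, 'group-SPECIAL', 'connect ' || cggrpnm
      FROM conn WHERE flag_set(cgflag2, 128)
    UNION ALL
    SELECT cguser, 'group-OPERATIONS', 'connect ' || cggrpnm
      FROM conn WHERE flag_set(cgflag3, 128)
)
SELECT p.userid, p.priv, p.scope, u.numdays
  FROM privileged p
  JOIN user u ON u.userid = p.userid          -- JOIN on the common field
 WHERE u.not90 = 'Y' AND u.revoked <> 'Y'
 ORDER BY p.userid, p.priv
"""


def flag_set(text: str, mask: int) -> int:
    """1 if the hex flag byte has the given bit on; blank or missing means off."""
    t = (text or "").strip()
    return int(bool(int(t, 16) & mask)) if t else 0


def build_db() -> sqlite3.Connection:
    """Create the in-memory stand-in, load the rows and register flag_set for SQL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?, ?, ?, ?)", USER_ROWS)
    conn.executemany("INSERT INTO conn VALUES (?, ?, ?, ?)", CONN_ROWS)
    conn.create_function("flag_set", 2, flag_set)
    return conn


def dormant_privileged(conn: sqlite3.Connection) -> list[tuple]:
    """(userid, privilege, scope, days since last use) for unused privileged IDs."""
    return conn.execute(DORMANT_PRIVILEGED).fetchall()


if __name__ == "__main__":
    for userid, priv, scope, days in dormant_privileged(build_db()):
        print(f"{userid:<8} {priv:<17} {scope:<16} unused {days} days")
```

Revoked IDs are excluded only because they are already disabled; the output is the list to revoke next. Group-level SPECIAL within a group whose subtree covers the whole database is as powerful as system SPECIAL, so the two scopes are reported together.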

ussfiledevc

This table provides details about which mounted device the USS file resides on.

Field

Format

Description

Value

filename

Text

USS file path

For example, /home/user1

devcnum

Text

Device number on which the file is located

If the specified file does not exist or is invalid, the device number is set to err.

 

ussmount

Field

Format

Description

Value

fsname

Text

USS file system DSN

 

fstype

Text

File system type

HFS, ZFS, TFS

rootino

Text

Root inode

 

fsmode

Text

File system mode

READWRITE, READONLY

security

Text

SECURITY active

Y, N

setguid

Text

SETUID mount option active (setuid and setgid bits are honored on this file system)

Y, N

muid

Text

Mounting UID

 

mountpoint

Text

Path name of the mount point

 

mountsys

Text

System mounted on

For example, TSOP1, TSOP2, and so on

fsaccess

Text

Protecting fsaccess class profile

If no fsaccess profile is present, the value is none.

For example, USS.*

devcnum

Text

Device number allocated for the zFS mounted data set

 

usssysdir

Field

Format

Description

Value

dirpath

Text

Directory path

For example, /etc/

pindex

Text

Parent index (number associating path)

For example, 104

filetype

Text

UNIX file types

dir

permission

Text

File permissions (user, group, other)

For example, 777

setuid

Text

Set-user-ID bit: the program runs with the effective UID of the file owner

Y or N

setgid

Text

Set-group-ID bit: the program runs with the effective GID of the file's group

Y or N

stickybit

Text

Sticky bit: in a directory with this bit set, only a file's owner (or the directory owner) can delete or rename the file

Y or N

useraudit

Text

Audit bits (Read Write Exec)

  • a=all
  • f=failures
  • s=success
  • -=none

For example: fff

auditoraudit

Text

Log auditor audit

uid

Text

File owner user uid

000000000000

gid

Text

File owner group gid

000000010000

The usssysdir table captures information such as the user permissions and user audit bits for the following system directories, as recommended by DISA STIG V-223847.

  • "/",
  • "/u/",
  • "/lib/",
  • "/etc/",
  • "/bin/",
  • "/dev/",
  • "/usr/",
  • "/tmp/",
  • "/var/",
  • "/samples/",
  • "/usr/sbin/",
  • "/usr/lpp/tcpip/",
  • "/usr/lpp/tcpip/sbin/",
  • "/usr/lib/cron/"

usssysfile

Field

Format

Description

Value

filename

Text

USS file name

filename

For example, /etc/profile

parent

Text

Parent directory

Pindex in usssysdir table (number associated with path)

filetype

Text

UNIX file types

reg, sym

permission

Text

File permissions (user, group, other)

For example, 777

setuid

Text

Set-user-ID bit: the program runs with the effective UID of the file owner

Y or N

setgid

Text

Set-group-ID bit: the program runs with the effective GID of the file's group

Y or N

stickybit

Text

Sticky bit: in a directory with this bit set, only a file's owner (or the directory owner) can delete or rename the file

Y or N

useraudit

Text

Audit bits (Read Write Exec)  

  • a=all
  • f=failures
  • s=success
  • -=none

For example, fff

auditoraudit

Text

Log auditor audit

uid

Text

File owner user uid

000000000000

gid

Text

File owner group gid

000000010000

The usssysfile table captures information about the files residing in the system directories mentioned in the usssysdir section, and refers to only the system files mentioned in the following DISA STIGs:

  • V-223734
  • V-223775
  • V-223812
  • V-223822
  • V-223848
  • V-3232

vmgroup (list of RACF groups on z/VM)

Field

Format

Description

Value

groupname

Text

Name of the group

 

owner

Text

Group owner

 

supgroup

Text

Superior group

 

numsubgroups

Text

Number of sub groups

 

numusers

Text

Number of connected users

 

univflg

Character

Universal group?

Single character

Y or blank

create_dt

Text

Group creation date

ddd.yy

vmgroup_access (list of user ID access to groups on z/VM)

Field

Format

Description

Value

groupname

Text

Name of the group

 

id

Text

User ID 

 

access

Character

Access of the user ID, single character

  • C-CONNECT
  • A-ADD or CREATE
  • U-USE
  • J-JOIN

accesscount

Text

Access count of the user

 

uacc

Character

Universal access of the user, single character

  • N-None
  • R-Read
  • U-Update
  • A-Alter

adsp

Character

Does the user have ADSP connect privileges?

Single character

Y or blank

special

Character

Does the user have SPECIAL connect privileges?

Single character

 

operations

Character

Does the user have OPERATIONS connect privileges?

Single character

 

revoke

Character

Is the user ID REVOKED?

Single character

 

auditor

Character

Does the user have AUDITOR connect privileges?

Single character

 

roaudit

Character

Does the user have ROAUDIT connect privileges?

Single character

 

revoke_dt

Text

Revoke date or null

ddd.yy or null

resume_dt

Text

Resume date or null

ddd.yy or null

vmprofile_access (accesses of the user IDs to surrogate profiles on z/VM)

(SPE2407)

Field

Format

Description

Value

class

Text

Profile class

SURROGAT

profile

Text

Profile name

 

userid

Text

Surrogate user ID

 

uaccess

Character

Access of the surrogate user ID, single character

N, R, U, A

accesscnt

Character

Access count of the surrogate user ID, single character

 

vmsurrog (list of defined LOGONBY surrogate profiles on z/VM)

(SPE2407)

Field

Format

Description

Value

profile

Text

Profile name

 

level

Text

Level of resource

 

owner

Text

Owner of resource

 

uacc

Text

Universal access

 

warning

Character

Warning, single character

Y or N

audit

Text

Success/Failures

 

create_dt

Text

Creation date

ddd.yy

lastref_dt

Text

Last reference date

ddd.yy

lastchg_dt

Text

Last change date

ddd.yy

vmuser (list of defined z/VM user IDs)

(SPE2407)

Field

Format

Description

Value

userid

Text

z/VM userid

 

name

Text

User name

 

owner

Text

Userid owner

 

dfltgrp

Text

User's default group

 

pwint

Text

Password Interval

 

special

Character

Does the user have SPECIAL?

Single character

Y or blank

auditor

Character

Does the user have AUDITOR?

Single character

Y or blank

operations

Character

Does the user have OPERATIONS?

Single character

Y or blank

protect

Character

Does the user have PROTECTED?

Single character

Y or blank

roaudit

Character

Does the user have ROAUDIT?

Single character

Y or blank

passphrase

Character

PASSPHRASE enabled?

Single character

Y or blank

revoked

Character

Is user ID revoked?

Single character

Y or blank

groupname

Text

User's group name

 

 
