Database tables and columns for RACF


BMC AMI Security Policy Manager utilizes the SQLite database engine. During startup, and after significant events, the tables are built or updated. Most of the tables are created in storage for efficiency. The tables created can be accessed by creating SQL queries. This topic describes the tables and fields that are available to SQL queries.

Most tables can be JOINed by connecting on a common field.

access (expands characters for the “access” field)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| access | Text | Access | N, R, U, C, A, E, T |
| value | Text | Full word | None, Read, Update, and so on |
| numeric | Text | Number representing access | 1=None, 2=Exec, 3=Read, 4=Control, 5=Update, 6=Alter, 7=Trust |
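
The access table exists so that the one-letter codes stored in other tables can be expanded by a JOIN. The following added example (not BMC's code; it uses the column names documented on this page and constructed sample rows) builds the access, profile and profile_access tables in an in-memory SQLite database, expands the ACL codes to words, and uses the numeric column to find profiles whose UACC or ID(*) entry grants Update or more:

```python
import sqlite3

# Access-code expansion table exactly as documented on this page.
ACCESS_ROWS = [
    ("N", "None", "1"), ("E", "Exec", "2"), ("R", "Read", "3"),
    ("C", "Control", "4"), ("U", "Update", "5"), ("A", "Alter", "6"),
    ("T", "Trust", "7"),
]

# Constructed sample rows (not data from any real system) for the
# profile and profile_access tables described later on this page.
PROFILE_ROWS = [
    # class, profile, owner, uacc, warn, idstar
    ("DATASET", "SYS1.**", "SYS1", "N", "", "N"),
    ("DATASET", "PROD.PAYROLL.**", "PAYADM", "R", "", "U"),
    ("DATASET", "TEST.**", "TESTGRP", "U", "Y", "N"),
]
PROFILE_ACCESS_ROWS = [
    # class, profile, id, access
    ("DATASET", "SYS1.**", "SYSPROG", "A"),
    ("DATASET", "SYS1.**", "OPER", "R"),
    ("DATASET", "PROD.PAYROLL.**", "PAYUSR", "U"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with the three tables populated."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE access (access TEXT, value TEXT, numeric TEXT);
        CREATE TABLE profile (class TEXT, profile TEXT, owner TEXT,
                              uacc TEXT, warn TEXT, idstar TEXT);
        CREATE TABLE profile_access (class TEXT, profile TEXT,
                                     id TEXT, access TEXT);
    """)
    con.executemany("INSERT INTO access VALUES (?, ?, ?)", ACCESS_ROWS)
    con.executemany("INSERT INTO profile VALUES (?, ?, ?, ?, ?, ?)", PROFILE_ROWS)
    con.executemany("INSERT INTO profile_access VALUES (?, ?, ?, ?)",
                    PROFILE_ACCESS_ROWS)
    return con


def expand_acl(con: sqlite3.Connection) -> list:
    """JOIN profile_access to access so each one-letter code becomes a word."""
    return con.execute("""
        SELECT pa.profile, pa.id, a.value
          FROM profile_access AS pa
          JOIN access AS a ON a.access = pa.access
         ORDER BY pa.profile, pa.id
    """).fetchall()


def open_profiles(con: sqlite3.Connection, min_access: str = "U") -> list:
    """Profiles whose UACC or ID(*) entry grants min_access or more.

    The numeric column orders the codes (1=None ... 7=Trust), so the
    threshold comparison is done on it rather than on the letters.
    """
    return con.execute("""
        SELECT p.profile, p.uacc, ua.value, p.idstar, sa.value, p.warn
          FROM profile AS p
          JOIN access AS ua  ON ua.access  = p.uacc
          JOIN access AS sa  ON sa.access  = p.idstar
          JOIN access AS lim ON lim.access = ?
         WHERE CAST(ua.numeric AS INTEGER) >= CAST(lim.numeric AS INTEGER)
            OR CAST(sa.numeric AS INTEGER) >= CAST(lim.numeric AS INTEGER)
         ORDER BY p.profile
    """, (min_access,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    for row in expand_acl(db):
        print("ACL ", row)
    for row in open_profiles(db):
        print("OPEN", row)
```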

cdt (class descriptor table)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| cdtclass | Text | Class name | |
| cdtclsid | Text | Class ID | |
| cdtactiv | Text | Active? | Y or blank |
| cdtposit | Text | POSIT value | |
| cdtdfrc | Text | Default RC | |
| cdtxref | Text | Group/member class name | |
| cdtmaxl | Text | Maximum length | |
| cdtfrst | Text | First-character syntax | |
| cdtremn | Text | Remaining-characters syntax | |
| cdtuacc | Text | Default UACC | N, R, blank |
| cdtmflg | Text | Miscellaneous flags | |
| cdtflg0 | Text | Flag 0 | |
| cdtflg1 | Text | Flag 1 | |
| cdtlogo | Text | LOGOPTIONS for the class | Blank, or A=Always, N=Never, S=Success, F=Failures |
| cdtgencm | Text | GENCMD for the class | Blank, or Y if GENCMD is active for the class |
| cdtgenls | Text | GENLIST for the class | Blank, or Y if GENLIST is active for the class |

cfield (custom field values)

Where more than one SPM instance is running in a sysplex that shares the same RACF database, the product synchronizes the SPM databases. For example, if an ALTUSER command is entered on one LPAR, a change message is sent via XCF to the SPM instances on the other LPARs that share the RACF database. The change message tells those instances to refresh their database entries for that user, group, or profile.

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System from which the custom field was retrieved | |
| user | Text | User ID to which a user custom field belongs (kept for backward compatibility) | |
| name | Text | Profile name to which the custom field belongs (same as user for user fields) | |
| class | Text | Class name | DATASET, GROUP, RESOURCE, USER |
| type | Text | Custom field type | CHAR, NUM, FLAG, HEX |
| key | Text | Custom field name | |
| value | Text | Custom field value | |


cics

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System name | |
| jobname | Text | CICS region name | |
| type | Text | Entry type | CICS or DSN |
| parm | Text | Parameter | CICS: cicsParameter; DSN: ddName (STEPLIB or DFH*) |
| value | Text | Parameter value | CICS: cicsParameterValue; DSN: dataSetName |

clauth

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| clauuser | Text | Class authority (CLAUTH) user ID | |
| clauname | Text | Class authority (CLAUTH) class name | |


command (commands from SMF type 80)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System name | |
| date | Text | Command date | yyyy-mm-dd |
| time | Text | Command time | hh:mm:ss |
| user | Text | Command user ID | |
| name | Text | User ID name | |
| portofentry | Text | Port of entry | Console or terminal name |
| event | Text | SMF event code, or CONS for console commands | CONS or xxyy |
| desc | Text | Description | |
| command | Text | Command entered | |


config

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | LPAR name | |
| type | Text | Entry type | SYSTEM, SETROPTS, PASSWORD, SMF, DISA, USS, CONSOLE, TSO, CNGRP |
| parm | Text | Parameter | Depends on type; see the parameter list below |
| value | Text | Parameter value | Depends on type and parm; see the value list below |

Parameters by type:

  • DISA: CLASSIFIED
  • PASSWORD: ALGORIGHM, HISTORY, INTERVAL, MINCHANGE, MIXEDCASE, REVOKE, RULE1, SPECIALCHARS, WARNING
  • SETROPTS: ACTIVE, ADDCREATOR, ADSP, APPLAUDIT, CATDSNS, CMDVIOL, DASDVOLAUDIT, DATASETAUDIT, EGN, ERASE, GENERICOWNER, GROUPAUDI, GRPLIST, INACTIVE, INITSTATS, JES(BATCHALLRACF), JES(EARLYVERIFY), JES(XBMALLRACF), MODEL, NJEUSERID, OPERAUDIT, PREFIX, PROTECTALL, RCVTINPW, RCVTSWPW, REALDSN, RETPD, SAUDIT, SESSIONINTERVAL, STATISTICS, TAPEDSN, TAPEVOLAUDIT, TERMINAL, TERMINALAUDIT, UNDEFINEDUSER, USERAUDIT, WHEN(PROGRAM)
  • SMF: ACTIVE, INTVAL, JWT, MAXDORM, MEMBER, MEMLIMIT, SID, STATUS, STC, STCDETAIL, STCINTVAL, STCTYPES, SWT, SYNCVAL, SYS, SYSDETAIL, SYSINTVAL, SYSTYPES, TSO, TSODETAIL, TSOINTVAL, TSOTYPES, TWT
  • SYSTEM: ALLOWUSERKEYCSA, AUTHTSF, ESM, IPLDATE, IPLTIME
  • USS: STARTUPPROC, STEPLIBLIST, SUPERUSER, TTYGROUP, USERIDALIAS
  • CONSOLE: MCS
  • TSO: UADS
  • CNGRP: GROUPNAME

Value formats by type and parm:

  • DISA, CLASSIFIED: YES | NO
  • SYSTEM, ESM: RACF | TSS | ACF2
  • SETROPTS, REALDSN: ACTIVE | INACTIVE
  • SETROPTS, RCVTINPW and RCVTSWPW: encryptedPasswordValue
  • CONSOLE, MCS: attributesOfMasterConsole
  • TSO, UADS: useridFromSYS1.UADS
  • CNGRP, GROUPNAME: member

Examples:

  • Type=DISA, parm=CLASSIFIED, value=YES | NO
    The value indicates whether this instance should be treated as a classified system. This field can be queried by a compliance query. Manually set these values in the configuration member, in the SPMParms block.
  • Type=SYSTEM, parm=ESM, value=RACF | TSS | ACF2
    The value indicates the external security manager. This field can be queried by a compliance query.
  • Type=SYSTEM, parm=IPLDATE, value=yyyy-mm-dd
    The value indicates the date of last IPL.
  • Type=SYSTEM, parm=IPLTIME, value=hh:mm:ss
    The value indicates the time of last IPL.
  • Type=SETROPTS, parm=RCVTSWPW, value=encryptedPasswordValue
    The value indicates the encrypted value of the RVARY switch password. The default is all zeroes.
  • Type=SETROPTS, parm=RCVTINPW, value=encryptedPasswordValue
    The value indicates the encrypted value of the RVARY inactivate password. The default is all zeroes.
  • Type=SETROPTS, parm=REALDSN, value=ACTIVE | INACTIVE
  • Type=CONSOLE, parm=MCS, value=attributesOfMasterConsole
    Value examples: NAME(BMC23700) STATUS(ACT-BMC2) AUTH(MASTER) DEV(3700) LOGON(OPTIONAL) USERID(N/A) ROUT(ALL)

conn (group connects)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| cguser | Text | Connect group user | |
| cggrpnm | Text | Connect group name | |
| cgauthda | Text | Date user connected | yyyy-mm-dd |
| cgauthor | Text | Connect group owner | |
| cgljtime | Text | Time of last REQUEST=VERIFY | hh:mm:ss |
| cgljdate | Text | Date of last REQUEST=VERIFY | yyyy-mm-dd |
| cguacc | Text | Connect group default UACC | |
| cgflag1 | Text | X'80' = group ADSP | |
| cgflag2 | Text | X'80' = group SPECIAL | |
| cgflag3 | Text | X'80' = group OPERATIONS | |
| cgflag4 | Text | X'80' = group REVOKE | |
| cgflag5 | Text | X'80' = group GRPACC | |
| cgnotuac | Text | Terminal UACC | |
| cggrpaud | Text | X'80' = group AUDIT | |
| cgrevkdt | Text | Revoke date or null | |
| cgresmdt | Text | Resume date or null | |


console

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| name | Text | Console name | |
| stflg | Single hexadecimal digit | Status flag | |
| status | Text | stflg shown bit by bit, high bit first, as Y (bit set) or N (bit clear); for example, X'F0' is YYYYNNNN | Status bits: 80=active, 40=pending, 01=inactive |
| key | Text | User-assigned key | |
| sysnm | Text | System name | |
| rtflg | Single hexadecimal digit | Routing flag | |
| routing | Text | rtflg shown bit by bit as Y (bit set) or N (bit clear); for example, X'F0' is YYYYNNNN | Routing bits: 40=hc, 20=auto, 10=monitor job names, 08=monitor status, 04=monitor sessions, 02=MSCOPE=ALL, 01=no MSCOPE data available |
| domflg | Single hexadecimal digit | DOM settings | |
| dom | Text | domflg shown bit by bit as Y (bit set) or N (bit clear); for example, X'F0' is YYYYNNNN | DOM bits: 80=DOM=ALL, 40=DOM=NORMAL, 20=DOM=NONE |
| mlvlflg | Single hexadecimal digit | MLVL flags | |
| mlvl | Text | mlvlflg shown bit by bit as Y (bit set) or N (bit clear); for example, X'F0' is YYYYNNNN | MLVL bits: 80=display WTORs, 40=display immediate action messages, 20=display critical eventual action messages, 10=display eventual action messages, 08=display informational messages, 04=display broadcast messages |
| authflg | Single hexadecimal digit | Console AUTH settings | |
| auth | Text | authflg shown bit by bit as Y (bit set) or N (bit clear); for example, X'F0' is YYYYNNNN | AUTH bits: 80=SYS authority, 40=IO authority, 20=CONS authority, 10=MASTER authority |
| terminal | Text | Eight-character terminal name | |
| jobnm | Text | Eight-character job name | |
| rout | Text | Route codes for this console | All, None, or specific codes as a 16-character hexadecimal value |
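
The Y/N columns above are just a rendering of the flag bytes. The following added example (not BMC's code; the bit meanings are the ones documented in this table, the console rows are constructed) decodes a flag value such as X'F0' into the YYYYNNNN form, names the documented bits that are set, and picks out the active consoles that hold MASTER authority:

```python
# Bit meanings of the console table's flag bytes, as documented on this page.
CONSOLE_BITS = {
    "status": {0x80: "active", 0x40: "pending", 0x01: "inactive"},
    "routing": {0x40: "hc", 0x20: "auto", 0x10: "monitor job names",
                0x08: "monitor status", 0x04: "monitor sessions",
                0x02: "MSCOPE=ALL", 0x01: "no MSCOPE data available"},
    "dom": {0x80: "DOM=ALL", 0x40: "DOM=NORMAL", 0x20: "DOM=NONE"},
    "mlvl": {0x80: "display WTORs", 0x40: "display immediate action messages",
             0x20: "display critical eventual action messages",
             0x10: "display eventual action messages",
             0x08: "display informational messages",
             0x04: "display broadcast messages"},
    "auth": {0x80: "SYS authority", 0x40: "IO authority",
             0x20: "CONS authority", 0x10: "MASTER authority"},
}


def parse_flag(flag: str) -> int:
    """Accept 'F0' or the assembler-style X'F0' and return the byte value."""
    text = flag.strip().upper()
    if text.startswith("X'") and text.endswith("'"):
        text = text[2:-1]
    value = int(text, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError(f"flag byte out of range: {flag!r}")
    return value


def flag_to_yn(flag: str) -> str:
    """Render the byte high bit first as Y (bit set) or N (bit clear)."""
    value = parse_flag(flag)
    return "".join("Y" if value & (0x80 >> i) else "N" for i in range(8))


def decode_flag(kind: str, flag: str) -> list:
    """Names of the documented bits that are set; other set bits are reported as hex."""
    value = parse_flag(flag)
    names = []
    for bit in (0x80, 0x40, 0x20, 0x10, 0x08, 0x04, 0x02, 0x01):
        if value & bit:
            names.append(CONSOLE_BITS[kind].get(bit, f"undocumented 0x{bit:02X}"))
    return names


# Constructed console rows (name, stflg, authflg); not from a real system.
SAMPLE_CONSOLES = [
    ("MASTER01", "80", "90"),   # active; SYS + MASTER authority
    ("OPER02", "80", "20"),     # active; CONS authority only
    ("OLDCONS", "01", "80"),    # inactive; SYS authority
]


def active_master_consoles(rows) -> list:
    """Active consoles holding MASTER authority: the set an auditor reviews first."""
    return [name for name, stflg, authflg in rows
            if "active" in decode_flag("status", stflg)
            and "MASTER authority" in decode_flag("auth", authflg)]


if __name__ == "__main__":
    for name, stflg, authflg in SAMPLE_CONSOLES:
        print(name, flag_to_yn(stflg), decode_flag("auth", authflg))
    print("MASTER:", active_master_consoles(SAMPLE_CONSOLES))
```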

db2

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System name | |
| jobname | Text | DB2/MQ region name | |
| type | Text | Entry type | DB2 or MQ |
| parm | Text | DB2/MQ parameter | |
| value | Text | Parameter value | |


digtnmap

The DIGTNMAP table stores values from the DIGTNMAP class.

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| profile | Text | Profile name | |
| owner | Text | Profile owner | |
| user | Text | User ID or criteria-filter name | |
| status | Text | Status | T=Trust |
| label | Text | Certificate label | |
| idn | Text | Issuer's distinguished name | |
| sdn | Text | Subject's distinguished name | |


groups

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| groupname | Text | Name of the RACF group | |
| owner | Text | Group owner | |
| supgroup | Text | Superior group | |
| numsubgroups | Text | Number of subgroups | |
| numusers | Text | Number of connected users | |
| crdate | Text | Group creation date | |
| instdata | Text | Group installation data | |
| gid | Text | OMVS group ID | |
| univflg | Text | Universal group? | |
| uacc | Text | Group UACC | |
| notermuacc | Text | Group has NOTERMUACC? | |
| aclcnt | Text | Number of users on the ACL | |


group_access

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| groupname | Text | Group name | |
| id | Text | User ID | |
| access (SPE2407) | Text | Access | C=CONNECT, A=ADD or CREATE, U=USE, J=JOIN |

ims

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System name | |
| jobname | Text | IMS region name | |
| type | Text | Entry type | IMS |
| parm | Text | IMS parameter | |
| value | Text | Parameter value | |


login (password failures from SMF type 80)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System name | |
| date | Text | Command date | yyyy-mm-dd |
| time | Text | Command time | hh:mm:ss |
| user | Text | Command user ID | |
| name | Text | User ID name | |
| portofentry | Text | Port of entry | Terminal name |
| event | Text | SMF event | xxyy |
| desc | Text | Description | |


modules

The modules table stores all load module details from all APF libraries as long as the SPM started task user ID has ESM access to open the APF data set and read the directory. An authorization check is performed before an attempt is made to read the directory.

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| System | Text | LPAR name where the APF library resides | |
| Dataset | Text | APF data set name | |
| Name | Text | APF module name | |
| Aliasof | Text | Root member if the directory entry is an alias | |
| Size | Text | Size of the load module | |
| Amode | Text | AMODE of the load module | 24, 31, 64, or ANY |
| Rmode | Text | RMODE of the load module | 24 or ANY |
| TTR | Text | Hex TTR address of the load module | |
| Rent | Text | RE-ENTRANT attribute | Y or N |
| Reus | Text | RE-USABLE attribute | Y or N |
| Refr | Text | REFRESHABLE attribute | Y or N |
| Ovly | Text | OVERLAY attribute | Y or N |
| Sctr | Text | SCATTER attribute | Y or N |
| AC | Text | Authorization code | 00 or 01 |

mqqmgr

The mqqmgr table stores all parameters of every active queue manager running on the system.

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | LPAR name where the MQ queue manager is active | |
| QMNAME | Text | Four-character MQ queue manager name | |
| parm | Text | Parameter | |
| value | Text | Parameter value | |


mqqueue

The mqqueue table stores all parameters related to a specific queue manager. All the parameters are those displayed by the DISPLAY QUEUE(*) ALL command.

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | LPAR name where the MQ queue manager is active | |
| QMNAME | Text | Four-character MQ queue manager name | |
| QUEUE | Text | Full name of the MQ queue | |
| parm | Text | Parameter | |
| value | Text | Parameter value | |


ppt (program properties table)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System | |
| program | Text | PPT program name | |
| key | Text | Execution key | 1-15 |
| nocancel | Text | NOCANCEL attribute? | Y or blank |
| noswap | Text | NOSWAP attribute? | Y or blank |
| priv | Text | Privileged? | Y or blank |
| syst | Text | SYST | Y or blank |
| nodsi | Text | PPT NODSI | Y or blank |
| nopass | Text | PPT NOPASS | Y or blank |
| nreglimit | Text | NoRegLimit | Y or blank |
| spref | Text | PPT Spref | Y or blank |
| lpref | Text | PPT Lpref | Y or blank |
| nopref | Text | PPT Nopref | Y or blank |
| origin | Text | Origin | Default PARMLIB |
| date | Text | Unused | |
| time | Text | Unused | |


profile

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| class | Text | Class name | For example, DATASET |
| profile | Text | RACF profile | For example, SYS1.** |
| owner | Text | Profile owner | For example, SYS1 |
| uacc | Text | Universal access | N, R, U, C, A, E, T |
| warn | Text | WARN bit on | Y or blank |
| audit | Text | Profile is audited | Y or blank |
| idstar | Text | ID(*) access | N, R, U, C, A, E, T |
| level | Text | Profile level | 1-99 |
| aclcnt | Text | Number of users on the ACL | |
| startdate | Text | Profile start date (certificates) | yyyy-mm-dd |
| enddate | Text | Profile end date (certificates) | yyyy-mm-dd |
| appldata | Text | Profile APPLDATA | |


profile_access

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| class | Text | Profile class | |
| profile | Text | Profile name | |
| id | Text | ACL user ID | |
| access | Text | Access | N, R, U, C, A, E, T |

profile_cond_access

(SPE2501)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| class | Text | Profile class | |
| profile | Text | Profile name | |
| id | Text | Conditional ACL user ID | |
| access | Text | Access | N, R, U, C, A, E, T |
| catype | Text | Conditional access type | APPCPORT, CONSOLE, CRITERIA, JESINPUT, PROGRAM, SERVAUTH |
| caname | Text | Conditional access name | |
| access_cnt | Integer | Number of accesses | |
| vol | Text | Volume of a discrete data set | |
| netid | Text | Network ID, present when catype is APPCPORT | |
| cacriteria | Text | Conditional access criteria | |


profile_members

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| class | Text | Profile class | |
| profile | Text | Profile name | |
| member | Text | Profile member | |
| access | Text | Access | N, R, U, C, A, E, T |

sens (sensitive data sets)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| apf | Text | Is APF authorized? | Y or blank |
| audit | Text | Profile audit settings | Success/Failures |
| cat | Text | Is the data set cataloged? | Y or blank |
| cdate | Text | Creation date | yyyy-mm-dd |
| dsn | Text | Sensitive data set name | |
| fqg | Text | Fully qualified generic data set? | Y or blank |
| idstar | Text | ID(*) access | N, R, U, C, A, E, T |
| level | Text | Profile level | 1-99 |
| profile | Text | Protecting profile | |
| rdate | Text | Last reference date | yyyy-mm-dd |
| sms | Text | Is SMS managed? | Y or blank |
| system | Text | LPAR name of the reporting system | |
| type | Text | Data set type (SPE2407). For a description of each type, see the Data set type descriptions table. | ACS, APF, CSF, DUMP, ESMC, HFS, IODF, IPL, JES2, LINK, LPA, MCAT, PAGE, PARM, RACF, SMF, SMS, TFS, TRAC, UADS, UCAT, USER, USTP, VIO, ZDT, ZFS, PSWD, REXX, VTAM |
| uacc | Text | Data set UACC | N, R, U, C, A, E, T |
| volser | Text | Data set volume | |
| warn | Text | WARN attribute? | Y or blank |

Data set type descriptions

| Data set type | Description |
| --- | --- |
| ACS | DFSMS Automatic Class Selection (ACS) routines source library |
| APF | Authorized program facility (APF) authorized libraries |
| CSF | Cryptographic Key Data Set (CKDS) |
| DUMP | Dump data sets |
| ESMC | Potential external security manager (ESM) database copies |
| HFS | Hierarchical file system (HFS) |
| IODF | System input/output definition file (IODF) data set |
| IPL | IPLPARM, NUCLEUS and IMAGELIB data sets |
| JES2 | JES2 related data sets |
| LINK | LINKLIST data sets |
| LPA | Link pack area (LPA) data sets |
| MCAT | Master catalog |
| PAGE | PAGE data set |
| PARM | System PARMLIB data sets |
| PSWD | OS PASSWORD data set. Do not use this data set if an ESM is present and active on the system. |
| RACF | RACF database |
| REXX | System REXX data sets |
| SMF | System management facilities (SMF) data sets |
| SMS | DFSMS ACS and COMMDS data sets |
| TFS | USS temporary file system (TFS) |
| UADS | User attribute data set |
| UCAT | User catalog |
| USER | USER data set specified in the SPM configuration |
| VIO | Virtual Input/Output (VIO) STGINDEX data set |
| VTAM | Virtual Telecommunications Access Method (VTAM) related data sets |
| ZDT | Data sets used for SPM configuration |
| ZFS | z/OS file system |

sens_access

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| profile | Text | Profile name | |
| id | Text | ACL user ID | |
| access | Text | Access | N, R, U, C, A, E, T |

racf (commands from RACF command exit)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System name | |
| date | Text | Command date | yyyy-mm-dd |
| time | Text | Command time | hh:mm:ss |
| user | Text | Command user ID | |
| portofentry | Text | Port of entry | Where the command was entered |
| rc | Text | Return code | |
| ac | Text | Command type | |
| type | Text | Description | 01 - 16 |
| flag1 | Text | ACEE flag1 | 80=Special, 40=ADSP, 20=Operations, 10=Auditor, 08=Log RACF functions, 04=Reserved, 02=Privileged STC, 01=RACF-defined user |
| flag2 | Text | ACEE flag2 | 80=Alter authority, 40=Control, 20=Update, 10=Read, 01=None |
| flag3 | Text | ACEE flag3 | 80=Access list of groups (0=user ID, 1=group/user ID), 40=RACF address space, 20=Unauthenticated, 10=Authenticated, 08=Task level, 04=INITUSP done, 02=Default UID, 01=Password not required |
| precommand | Text | Command pre-image | Original command entered |
| postcommand | Text | Command post-image | Command after the exit |

smf14 (sensitive DSN opened for read/ftp/ind$file)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System name | |
| date | Text | Event date | yyyy-mm-dd |
| time | Text | Event time | hh:mm:ss |
| data set | Text | Data set name | |
| member | Text | Member name | |
| jobname | Text | Job name | |
| jobid | Text | JES job ID | |
| jobstep | Text | Job step | |
| lpar | Text | LPAR | |
| program | Text | Program name | |
| user | Text | User | |
| ddname | Text | DDNAME | |
| recfm | Text | RECFM | |
| lrecl | Text | LRECL | |
| blksize | Text | BLKSIZE | |
| volser | Text | Volume serial | |
| flag1 | Text | Flag byte 1 | |
| flag2 | Text | Flag byte 2 | |
| SMF14RSD | Integer | Reader date | |
| SMV14RST | Integer | Reader time | |


smf15 (sensitive DSN opened for write/ftp/ind$file)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System name | |
| date | Text | Event date | yyyy-mm-dd |
| time | Text | Event time | hh:mm:ss |
| data set | Text | Data set name | |
| member | Text | Member name | |
| jobname | Text | Job name | |
| jobid | Text | JES job ID | |
| jobstep | Text | Job step | |
| lpar | Text | LPAR | |
| program | Text | Program name | |
| user | Text | User | |
| ddname | Text | DDNAME | |
| recfm | Text | RECFM | |
| lrecl | Text | LRECL | |
| blksize | Text | BLKSIZE | |
| volser | Text | Volume serial | |
| flag1 | Text | Flag byte 1 | |
| flag2 | Text | Flag byte 2 | |
| SMF15RSD | Integer | Reader date | |
| SMV15RST | Integer | Reader time | |


smf42 (pds update)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| system | Text | System name | |
| date | Text | Event date | yyyy-mm-dd |
| time | Text | Event time | hh:mm:ss |
| data set | Text | Data set name | |
| member | Text | Member name | |
| memberold | Text | Previous member name | |
| action | Text | Member action | ADD or DEL |
| user | Text | User name | |
| jobname | Text | Job name | |
| stepname | Text | Step name | |
| procname | Text | Procedure name | |
| portofentry | Text | Port of entry | Terminal or INTRDR |
| volser | Text | Volume serial | |
| severity | Integer | Internal SPM severity | |


stc

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| profile | Text | Profile name | |
| stuser | Text | STC user ID | |
| stgroup | Text | STC group | |
| priv | Text | PRIVILEGED attribute? | Yes or blank |
| trusted | Text | TRUSTED attribute? | Yes or blank |
| useridprotected | Text | User ID is protected? | Yes or blank |
| traced | Text | Traced? | Yes or blank |

summary

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| System | Text | System the compliance check was run on | |
| Reference | Text | Reference as defined in the RULES(INDEX) data set | |
| Rule | Text | Rule name from the RULES(INDEX) data set | |
| ESM | Text | External security manager on the system | RACF, TSS, or ACF2 |
| Category | Text | Defined in the RULES(INDEX) data set | |
| Priority | Text | Defined in the RULES(INDEX) data set | |
| Failures | Text | Number of failures discovered by the query | |
| Lastrun | Text | Date and time the query was last run | dd mm HH:MM:SS |
| Lastrun | Text | Date and time the query will next run | dd mm HH:MM:SS |
| Description | Text | Description from the RULES(INDEX) data set | |


tcpip

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| stackname | Text | TCPIP stack name | |
| keyword | Text | TCPIP keyword | |
| value | Text | Keyword value | |

tcpipport

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| stackname | Text | TCPIP stack name | |
| protocol | Text | Protocol | TCP or UDP |
| port | Text | Port number | |
| bindaddr | Text | Bind address | Address or ANY |
| ipver | Text | TCPIP ipver | |
| usage | Text | TCPIP usage | |
| bind | Text | TCPIP bind | Y or N |
| saf | Text | TCPIP saf | Y or N |
| unrsvdeny | Text | TCPIP unrsvdeny | Y or N |
| unrsvsaf | Text | TCPIP unrsvsaf | Y or N |
| unrsvdlsn | Text | TCPIP unrsvdlsn | Y or N |
| unrsvdbind | Text | TCPIP unrsvdbind | Y or N |
| jobname | Text | Job name using the port | |
| saf | Text | SAF name | |


ussfile

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| filename | Text | USS file name | filename |
| parent | Text | Parent directory | Pindex in the usspath table (number associated with the path) |
| filetype | Text | UNIX file type | dir, reg, sym |
| permission | Text | File permissions (user, group, other) | For example, 777 |
| setuid | Text | Gives permission to execute the file on behalf of the owner | Y or N |
| setgid | Text | Gives permission to execute the file on behalf of the owner's group | Y or N |
| stickybit | Text | Only the owner of a file or directory can delete or modify the file | Y or N |
| useraudit | Text | Audit bits (Read Write Exec) | a=all, f=failures, s=success, -=none; for example, fff |
| auditoraudit | Text | Auditor audit bits | --- |
| uid | Text | File owner user UID | 000000000000 |
| gid | Text | File owner group GID | 000000010000 |

To relate a file to a directory, see Using the ussfile and usspath tables.

usspath

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| Pindex | Text | Parent index (number associating the path) | For example, 104 |
| path | Text | File or directory path | For example, /bolryg/etc |

To relate a file to a directory, see Using the ussfile and usspath tables.

Using the ussfile and usspath tables

BMC AMI Security Policy Manager runs the following USS file scans to capture attributes.

  • Full file scan performed once in every 7 days, where it scans the complete tree starting from the root directory
  • Monitored file scan performed once every day to scan the file locations and record updates

The message SPM0708I Uss file delta scan: 694 entries captured for ussfile table indicates that the scan performed is a monitored file scan.

Important

To relate a file to a directory, take the value in the parent column from the ussfile table and use it as the index to read from the usspath table. This will give you the directory that the file is in.

The following file locations are monitored:

  • '%/usr/sbin'
  • '%/usr/lpp/tcpip'
  • '%/usr/lpp/tcpip/sbin'
  • '%/etc'
  • '%/bin'
  • '%/dev'
  • '%/usr/lib/cron'
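
The following added example (not BMC's code; the column names are the ones documented for ussfile and usspath on this page, the rows are constructed) performs the parent-to-Pindex lookup described above as a SQLite JOIN to rebuild full path names, and then reports setuid files in the scanned locations that are world-writable or carry no user audit bits:

```python
import sqlite3

# Constructed sample rows for the usspath and ussfile tables (not real data).
USSPATH_ROWS = [
    # Pindex, path
    ("104", "/etc"),
    ("105", "/usr/sbin"),
    ("106", "/tmp"),
]
USSFILE_ROWS = [
    # filename, parent, filetype, permission, setuid, setgid, stickybit,
    # useraudit, auditoraudit, uid, gid
    ("profile", "104", "reg", "644", "N", "N", "N", "fff", "---",
     "000000000000", "000000010000"),
    ("su", "105", "reg", "755", "Y", "N", "N", "fff", "---",
     "000000000000", "000000000000"),
    ("scratch.sh", "106", "reg", "777", "Y", "N", "N", "---", "---",
     "000000000042", "000000010000"),
]


def build_db() -> sqlite3.Connection:
    """In-memory SQLite database with the two tables populated."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE usspath (Pindex TEXT, path TEXT);
        CREATE TABLE ussfile (filename TEXT, parent TEXT, filetype TEXT,
                              permission TEXT, setuid TEXT, setgid TEXT,
                              stickybit TEXT, useraudit TEXT,
                              auditoraudit TEXT, uid TEXT, gid TEXT);
    """)
    con.executemany("INSERT INTO usspath VALUES (?, ?)", USSPATH_ROWS)
    con.executemany("INSERT INTO ussfile VALUES (?,?,?,?,?,?,?,?,?,?,?)",
                    USSFILE_ROWS)
    return con


# The relation the page describes: ussfile.parent holds the Pindex of the
# directory row in usspath, so the JOIN rebuilds the full path name.
FULL_PATH_SQL = """
    SELECT p.path || '/' || f.filename AS fullpath, f.permission, f.setuid,
           f.useraudit, f.uid
      FROM ussfile AS f
      JOIN usspath AS p ON p.Pindex = f.parent
"""


def full_paths(con) -> list:
    return [row[0] for row in con.execute(FULL_PATH_SQL + " ORDER BY fullpath")]


def setuid_findings(con) -> list:
    """setuid files that are world-writable or have no user audit bits set.

    The last digit of permission is the 'other' triplet (rwx = 4,2,1),
    so bit 2 of that digit is world-write.
    """
    rows = con.execute(FULL_PATH_SQL + " WHERE f.setuid = 'Y' ORDER BY fullpath")
    findings = []
    for fullpath, permission, _setuid, useraudit, _uid in rows:
        if int(permission[-1]) & 2:
            findings.append((fullpath, "setuid and world-writable"))
        if useraudit == "---":
            findings.append((fullpath, "setuid with no user audit bits"))
    return findings


if __name__ == "__main__":
    db = build_db()
    print(full_paths(db))
    for finding in setuid_findings(db):
        print(*finding)
```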

ussprocess

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| pid | Text | Process ID | |
| euid | Text | Effective UID of the process | |
| asid | Text | Address space ID | |
| userid | Text | User ID | |
| ruid | Text | Real UID of the process | |
| jobname | Text | Job name | |
| jobjbni | Text | | |
| jobjbns | Text | | |
| egid | Text | Effective GID of the process | |
| rgid | Text | Real GID of the process | |
| parms | Text | Process parameters | |
| starttime | Text | Start time of the USS process | yyyy-mm-dd hh:mm:ss |

user

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| userid | Text | RACF user ID | |
| name | Text | User's name | |
| dfltgrp | Text | User's default group | |
| owner | Text | User ID owner | |
| revoked | Text | Is the user ID revoked? | Y or blank |
| pwint | Text | Password interval | |
| uid | Text | USS UID | |
| auditor | Text | Does the user have AUDITOR? | Y or blank |
| special | Text | Does the user have SPECIAL? | Y or blank |
| operations | Text | Does the user have OPERATIONS? | Y or blank |
| roaudit | Text | Does the user have ROAUDIT? | Y or blank |
| ibmuser | Text | Is this the IBMUSER account? | Y or blank |
| not90 | Text | Has the user ID been unused for the last 90 days? | Y or blank |
| ljdate | Text | Last connect date | ddMMMyyyy |
| numdays | Text | Number of days since last connect | |
| weakpswd | Text | Does the user have a weak password? | Number 1-7 |
| protected | Text | Is the user ID protected? | Y or blank |
| pwdcnt | Text | Number of old passwords | |
| uaudit | Text | Does the user have UAUDIT on? | Y or blank |
| restricted | Text | Is this a restricted user ID? | Y or blank |
| revokect | Text | Number of unsuccessful password attempts | |
| home | Text | USS home directory | |
| program | Text | User ID's USS program | |
| instdata | Text | Installation data | |
| proc | Text | User's logon procedure | |
| segments | Text | Segments present | T=TSO, O=OMVS, C=CICS, S=CSDATA |
| creadate | Text | Date the user ID was created | ddmmmyyyy |
| passdate | Text | Date the password was last changed | ddmmmyyyy |
| operparm | Text | Operator's command authority | MASTER, ALL, SYS, IO, CONS, INFO |
| cicstime | Text | User's CICS timeout parameter | HH:MM (HH=hours, MM=minutes) |

ussmount

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| fsname | Text | USS file system DSN | |
| fstype | Text | File system type | HFS, ZFS, TFS |
| rootino | Text | Root inode | |
| fsmode | Text | File system mode | READWRITE, READONLY |
| security | Text | SECURITY active | Y, N |
| setguid | Text | SETGUID active | Y, N |
| muid | Text | Mounting UID | |
| mountpoint | Text | Path name of the mount point | |


usssysdir

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| dirpath | Text | Directory path | For example, /etc/ |
| pindex | Text | Parent index (number associating the path) | For example, 104 |
| filetype | Text | UNIX file type | dir |
| permission | Text | File permissions (user, group, other) | For example, 777 |
| setuid | Text | Gives permission to run the file on behalf of the owner | Y or N |
| setgid | Text | Gives permission to run the file on behalf of the owner's group | Y or N |
| stickybit | Text | Only the owner of a file or directory can delete or modify the file | Y or N |
| useraudit | Text | Audit bits (Read Write Exec) | a=all, f=failures, s=success, -=none; for example, fff |
| auditoraudit | Text | Auditor audit bits | |
| uid | Text | File owner user UID | 000000000000 |
| gid | Text | File owner group GID | 000000010000 |

The usssysdir table captures information such as the user permissions and user audit bits for the following system directories, as recommended by DISA STIG V-223847.

  • "/",
  • "/u/",
  • "/lib/",
  • "/etc/",
  • "/bin/",
  • "/dev/",
  • "/usr/",
  • "/tmp/",
  • "/var/",
  • "/samples/",
  • "/usr/sbin/",
  • "/usr/lpp/tcpip/",
  • "/usr/lpp/tcpip/sbin/",
  • "/usr/lib/cron/"

usssysfile

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| filename | Text | USS file name | filename; for example, /etc/profile |
| parent | Text | Parent directory | Pindex in the usssysdir table (number associated with the path) |
| filetype | Text | UNIX file type | reg, sym |
| permission | Text | File permissions (user, group, other) | For example, 777 |
| setuid | Text | Gives permission to run the file on behalf of the owner | Y or N |
| setgid | Text | Gives permission to run the file on behalf of the owner's group | Y or N |
| stickybit | Text | Only the owner of a file or directory can delete or modify the file | Y or N |
| useraudit | Text | Audit bits (Read Write Exec) | a=all, f=failures, s=success, -=none; for example, fff |
| auditoraudit | Text | Auditor audit bits | |
| uid | Text | File owner user UID | 000000000000 |
| gid | Text | File owner group GID | 000000010000 |

The usssysfile table captures information about the files residing in the system directories mentioned in the usssysdir section, and refers to only the system files mentioned in the following DISA STIGs:

  • V-223734
  • V-223775
  • V-223812
  • V-223822
  • V-223848
  • V-3232

vmgroup (list of RACF groups on z/VM)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| groupname | Text | Name of the group | |
| owner | Text | Group owner | |
| supgroup | Text | Superior group | |
| numsubgroups | Text | Number of subgroups | |
| numusers | Text | Number of connected users | |
| univflg | Character | Universal group? | Single character: Y or blank |
| create_dt | Text | Group creation date | ddd.yy |

vmgroup_access (list of user ID access to groups on z/VM)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| groupname | Text | Name of the group | |
| id | Text | User ID | |
| access | Character | Access of the user ID, single character | C=CONNECT, A=ADD or CREATE, U=USE, J=JOIN |
| accesscount | Text | Access count of the user | |
| uacc | Character | Universal access of the user, single character | N=None, R=Read, U=Update, A=Alter |
| adsp | Character | Does the user have ADSP connect privileges? | Single character: Y or blank |
| special | Character | Does the user have SPECIAL connect privileges? | Single character |
| operations | Character | Does the user have OPERATIONS connect privileges? | Single character |
| revoke | Character | Is the user ID REVOKED? | Single character |
| auditor | Character | Does the user have AUDITOR connect privileges? | Single character |
| roaudit | Character | Does the user have ROAUDIT connect privileges? | Single character |
| revoke_dt | Text | Revoke date or null | ddd.yy or null |
| resume_dt | Text | Resume date or null | ddd.yy or null |

vmprofile_access (accesses of the user IDs to surrogate profiles on z/VM)

(SPE2407)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| class | Text | Profile class | SURROGAT |
| profile | Text | Profile name | |
| userid | Text | Surrogate user ID | |
| uaccess | Character | Access of the surrogate user ID, single character | N, R, U, A |
| accesscnt | Character | Access count of the surrogate user ID, single character | |


vmsurrog (list of defined LOGONBY surrogate profiles on z/VM)

(SPE2407)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| profile | Text | Profile name | |
| level | Text | Level of the resource | |
| owner | Text | Owner of the resource | |
| uacc | Text | Universal access | |
| warning | Character | Warning, single character | Y or N |
| audit | Text | Audit settings | Success/Failures |
| create_dt | Text | Creation date | ddd.yy |
| lastref_dt | Text | Last reference date | ddd.yy |
| lastchg_dt | Text | Last change date | ddd.yy |

vmuser (list of defined z/VM user IDs)

(SPE2407)

| Field | Format | Description | Value |
| --- | --- | --- | --- |
| userid | Text | z/VM user ID | |
| name | Text | User name | |
| owner | Text | User ID owner | |
| dfltgrp | Text | User's default group | |
| pwint | Text | Password interval | |
| special | Character | Does the user have SPECIAL? | Single character: Y or blank |
| auditor | Character | Does the user have AUDITOR? | Single character: Y or blank |
| operations | Character | Does the user have OPERATIONS? | Single character: Y or blank |
| protect | Character | Does the user have PROTECTED? | Single character: Y or blank |
| roaudit | Character | Does the user have ROAUDIT? | Single character: Y or blank |
| passphrase | Character | PASSPHRASE enabled? | Single character: Y or blank |
| revoked | Character | Is the user ID revoked? | Single character: Y or blank |
| groupname | Text | User's group name | |


 
