Reports for ACF2


From the navigation bar at the top of the window, you can select and display different types of information in BMC AMI Security Policy Manager:

Tip
SPM uses the ACCESS command to obtain the list of logon IDs (LIDs) that have access to a resource. To view the ACF2 reports in SPM, make sure that the ACF2 ACCESS command in the GSO OPTS record is enabled.

For details about the Tools menu, see Administering.

Tip

If your browser window is too narrow to show all the values in a report, click the + icon at the beginning of the row. The column headings and their values are then shown below the row.

Click the - icon to collapse the row again.

Data sets

Click Data sets and select one of the following reports to display information about sensitive data sets:

Non-Fully Qualified Generic > APF

The APF Data Sets without Fully Qualified Rule report lists sensitive data sets that are specified as Authorized Program Facility (APF) libraries and are protected by a generic security rule (for example, SYS1.) or have no rule defined. Executable code within these data sets can perform sensitive system functions and has access to sensitive data.

Assign data sets that have no rule a data set rule to make sure that only authorized users have access. Review generic rules to make sure they grant appropriate access to the data sets.

| System | Dataset Name | Volser | Create Date | Refer Date |
|---|---|---|---|---|
| TSOP | TCPIP.SEZALOAD | RSM44A | 2019-07-08 | 2021-06-30 |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| DATASET NAME | Name of the data set |
| VOLSER | Volume serial number |
| CREATE DATE | Date of data set creation |
| REFER DATE | Date last referenced |

Non-Fully Qualified Generic > Other

The Other Data Sets without Fully Qualified Rule report lists system data sets that are protected by a generic security rule (for example, SYS1.) or have no security rule defined. These data sets might contain sensitive system parameters that could affect system integrity. They might also include executable modules that provide sensitive system services, reporting or monitoring.

Assign data sets that have no rule a data set rule to make sure that only authorized users have access. Review generic rules to make sure that they grant appropriate access to the data sets.

| System | Dataset Name | Volser | Create Date | Refer Date | Type |
|---|---|---|---|---|---|
| TSOP | SYS1.RSM4.PPLIB | RSM4W1 | 2020-09-10 | 2021-06-30 | LINK |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| DATASET NAME | Name of the data set |
| VOLSER | Volume serial number |
| CREATE DATE | Date of data set creation |
| REFER DATE | Date last referenced |
| TYPE | Type of authorization table, such as UCAT or LINK |

Sensitive Data Sets > Other datasets with UID(*) Access > None

The All sensitive datasets with UID(*) ACCESS > None report lists all sensitive data sets with default user UID access—that is, UID(*) access—greater than none:

| System | Dataset Name | Volser | Create Date | Refer Date | Read | Write | Alloc | Exec |
|---|---|---|---|---|---|---|---|---|
| TSOP | CBC.SCLBDLL | RSM44A | 2019-07-08 | 2021-06-30 | A |  |  | A |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| DATASET NAME | Name of the data set |
| VOLSER | Volume serial number |
| CREATE DATE | Date of data set creation |
| REFER DATE | Date last referenced |
| READ | Whether the user has read access, A(llow) or L(og) |
| WRITE | Whether the user has write access, A(llow) or L(og) |
| ALLOC | Whether the user has allocation access, A(llow) or L(og) |
| EXEC | Whether the user has execute access, A(llow) or L(og) |

Sensitive Data Sets > Uncatalogued

The Uncatalogued Sensitive Data Sets report lists sensitive data sets that are not cataloged. Use this information to make sure that all sensitive data sets are properly cataloged, which allows centralized monitoring and access management. We recommend that you catalog these data sets or remove them from the system.

| System | Dataset Name | Volume | Dataset Type | Create Date | Refer Date | Type | Cat |
|---|---|---|---|---|---|---|---|
| TSOP | SYS1.IPLPARM |  | IPL |  |  | IPL | N |
| TSOP | SYS1.CLOCK.PARMLIB | HCD002 | PARM | 2014-10-29 | 2021-06-30 | PARM | N |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| DATASET NAME | Name of the data set |
| VOLUME | Volume serial number |
| DATASET TYPE | Type of sensitive data set being reported on, such as APF, IPL, or User |
| CREATE DATE | Date of data set creation |
| REFER DATE | Date last referenced |
| TYPE | Type of sensitive data set being reported on, such as APF, IPL, or User |
| CAT | Confirmation that the data set is not cataloged |

APF Data Sets > APF datasets with UID(*) Access > None

The APF libraries with UID(*) access > None report lists all APF data sets with default user UID access—that is, UID(*) access—greater than none:

| System | Dataset | UID | Read | Write | Alloc | Exec |
|---|---|---|---|---|---|---|
| TSOP | TCPIP.SEZALOAD | * | A |  |  | A |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| DATASET NAME | Name of the data set |
| UID | Logon ID |
| READ | Whether the user has read access, A(llow) or L(og) |
| WRITE | Whether the user has write access, A(llow) or L(og) |
| ALLOC | Whether the user has allocation access, A(llow) or L(og) |
| EXEC | Whether the user has execute access, A(llow) or L(og) |

APF Data Sets > APF libraries with inappropriate logging

The APF libraries with Inappropriate Logging - should be WRITE(L) and ALLOC(L) report lists all APF libraries whose logging settings do not comply with the recommended best practice, that is, libraries whose rule entries should specify WRITE(L) and ALLOC(L) but do not:

| System | Dataset | UID | Read | Write | Alloc | Exec |
|---|---|---|---|---|---|---|
| TSOP | TSGDM.RSSV21.LOADLIB | STC | A | A | A | A |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| DATASET NAME | Name of the data set |
| UID | Logon ID |
| READ | Whether the user has read access, A(llow) or L(og) |
| WRITE | Whether the user has write access, A(llow) or L(og) |
| ALLOC | Whether the user has allocation access, A(llow) or L(og) |
| EXEC | Whether the user has execute access, A(llow) or L(og) |

APF Data Sets > APF libraries with no Rule with UID(*) Preventing Access

The APF libraries with no Rule with UID(*) Preventing Access entry report lists all APF libraries whose rule set contains no UID(*) entry that prevents access:

| System | Dataset | UID | Read | Write | Alloc | Exec |
|---|---|---|---|---|---|---|
| TSOP | ASM.SASMMOD1 |  | A | L | L | A |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| DATASET NAME | Name of the data set |
| UID | Logon ID |
| READ | Whether the user has read access, A(llow) or L(og) |
| WRITE | Whether the user has write access, A(llow) or L(og) |
| ALLOC | Whether the user has allocation access, A(llow) or L(og) |
| EXEC | Whether the user has execute access, A(llow) or L(og) |
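The following Python example is added here and is not SPM's own code; it evaluates ACF2 data set rule entries against the three APF checks described above (UID(*) access greater than none, WRITE/ALLOC permitted without logging, and no UID(*) PREVENT entry). The rows are constructed in the shape of the report columns, and the encoding of access values as A (allow), L (log), P (prevent) or an empty string (no access granted) is an assumption about the export format, not something the page specifies.

```python
# Added example (not SPM's own code): evaluates ACF2 data set rule entries
# against the three APF checks described on this page. Rows are constructed
# in the shape of the report columns (dataset, uid, read, write, alloc, exec).
# Access values: A (allow), L (log), P (prevent) or "" (no access granted);
# this encoding is an assumption about the export, not part of the page.
from collections import defaultdict

ACCESS_FIELDS = ("read", "write", "alloc", "exec")

# Constructed sample entries modelled on the report rows shown above.
SAMPLE_ENTRIES = [
    # UID(*) may read and execute this APF library (default-user access > none)
    {"dataset": "TCPIP.SEZALOAD", "uid": "*", "read": "A", "write": "", "alloc": "", "exec": "A"},
    # STC may write and allocate without logging; a UID(*) PREVENT entry exists
    {"dataset": "TSGDM.RSSV21.LOADLIB", "uid": "STC", "read": "A", "write": "A", "alloc": "A", "exec": "A"},
    {"dataset": "TSGDM.RSSV21.LOADLIB", "uid": "*", "read": "P", "write": "P", "alloc": "P", "exec": "P"},
    # Writes are logged, but the rule set has no UID(*) PREVENT entry at all
    {"dataset": "ASM.SASMMOD1", "uid": "SYSPROG", "read": "A", "write": "L", "alloc": "L", "exec": "A"},
]


def grants_access(entry):
    """True if the entry allows or logs at least one access type (access > none)."""
    return any(entry[f] in ("A", "L") for f in ACCESS_FIELDS)


def uid_star_access(entries):
    """Data sets whose UID(*) (default user) entry grants more than no access."""
    return sorted({e["dataset"] for e in entries if e["uid"] == "*" and grants_access(e)})


def inappropriate_logging(entries):
    """(dataset, uid) pairs that may WRITE or ALLOC without logging.

    The page's best practice is WRITE(L) and ALLOC(L); an 'A' on either
    field means the library can be changed silently.
    """
    return sorted((e["dataset"], e["uid"]) for e in entries
                  if e["write"] == "A" or e["alloc"] == "A")


def missing_uid_star_prevent(entries):
    """Data sets whose rule set has no '- UID(*) PREVENT' entry, i.e. no
    UID(*) entry with every access type set to P."""
    by_dataset = defaultdict(list)
    for e in entries:
        by_dataset[e["dataset"]].append(e)
    flagged = []
    for dataset, rule_entries in by_dataset.items():
        has_prevent = any(e["uid"] == "*" and all(e[f] == "P" for f in ACCESS_FIELDS)
                          for e in rule_entries)
        if not has_prevent:
            flagged.append(dataset)
    return sorted(flagged)


def run_checks(entries=SAMPLE_ENTRIES):
    """Return the findings of all three checks, keyed by the report they mirror."""
    return {
        "uid_star_access_gt_none": uid_star_access(entries),
        "inappropriate_logging": inappropriate_logging(entries),
        "no_uid_star_prevent": missing_uid_star_prevent(entries),
    }


if __name__ == "__main__":
    for report, rows in run_checks().items():
        print(f"{report}: {rows}")
```

Note that TCPIP.SEZALOAD appears in two findings: its UID(*) entry grants access, so it both exceeds "none" and lacks a preventing entry. A library is only clean when its default-user entry prevents everything and every entry that can change it is logged.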

Sensitive Commands

Click Sensitive Commands and select one of the following reports to display information about sensitive commands:

z/OS.SETPROG

The z/OS.SETPROG Commands report lists all z/OS.SETPROG commands issued in the system, who issued the command, and related information. Use this information to review the impact of the SETPROG commands on critical system configuration, security, stability, and performance. A decline in these factors can occur because of unauthorized changes to the APF list, incorrect LPA modifications, enabling or disabling of protection of REFR programs, incorrect tracking settings of directed load modules, and so on.

As a security administrator, you can rely on this report to monitor authorized changes and prevent unauthorized modifications.

| System | Date | Time | User | Name | From | Event | Command | Details |
|---|---|---|---|---|---|---|---|---|
| TSOP | 12/02/2019 | 13:37:46 | CPWREXIT | COMPUWARE EXITS | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSSLOAD,VOL=NC3998 | System Command |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| DATE | Date the command was executed |
| TIME | Time the command was executed |
| USER | Logon ID that issued the command |
| NAME | Name of the user, if available |
| FROM | Where the command was entered |
| EVENT | Internal event type or SMF Event and Event Qualifier. Event refers to the SMF Event/Code Qualifier documented in the IBM SMF manuals, or CONS for a command entered at the system console. |
| COMMAND | Command that was entered |
| DETAILS | Internal event type |
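The following Python example is added here and is not SPM's own code. It parses the COMMAND column of the z/OS.SETPROG Commands report into the SETPROG function, its action keywords and its KEY=VALUE operands, then picks out the rows that add a library to or remove one from the APF list, which are the changes the description above singles out for review. The first sample row is the one shown in the report; the other rows, the field names, and the treatment of DSN/DSNAME and VOL/VOLUME as alternative spellings of the same operands are assumptions made for the example.

```python
# Added example (not SPM's own code): parses the COMMAND column of the
# z/OS.SETPROG Commands report and lists APF list changes for review.
# The first row is the one shown in the report; the rest are constructed.

SAMPLE_ROWS = [
    {"date": "12/02/2019", "time": "13:37:46", "user": "CPWREXIT", "from": "CONSOLE",
     "command": "SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSSLOAD,VOL=NC3998"},
    # Constructed rows
    {"date": "12/02/2019", "time": "14:02:10", "user": "SYSPROG1", "from": "TSO",
     "command": "SETPROG APF,DELETE,DSNAME=OLD.LOADLIB,VOLUME=WRK001"},
    {"date": "12/02/2019", "time": "14:05:33", "user": "SYSPROG1", "from": "TSO",
     "command": "SETPROG LPA,ADD,MODNAME=IGX00999,DSNAME=SYS1.LPALIB"},
    {"date": "12/02/2019", "time": "15:11:05", "user": "OPER01", "from": "CONSOLE",
     "command": "SETPROG APF,FORMAT=DYNAMIC"},
]


def parse_setprog(command):
    """Split a SETPROG command into its function (APF, LPA, ...), positional
    action keywords (ADD, DELETE, ...) and KEY=VALUE operands.
    Returns None if the text is not a SETPROG command at all."""
    parts = command.strip().split(None, 1)
    if len(parts) < 2 or parts[0].upper() != "SETPROG":
        return None
    tokens = [t.strip() for t in parts[1].split(",") if t.strip()]
    parsed = {"function": tokens[0].upper(), "actions": [], "operands": {}}
    for token in tokens[1:]:
        if "=" in token:
            key, value = token.split("=", 1)
            parsed["operands"][key.upper()] = value
        else:
            parsed["actions"].append(token.upper())
    return parsed


def dataset_of(parsed):
    """DSNAME and DSN are treated as the same operand (assumption for this example)."""
    operands = parsed["operands"]
    return operands.get("DSNAME") or operands.get("DSN")


def apf_list_changes(rows):
    """Rows that add a library to or remove one from the APF list, with who
    issued them and from where, in the order they were issued."""
    changes = []
    for row in rows:
        parsed = parse_setprog(row["command"])
        if parsed is None or parsed["function"] != "APF":
            continue
        action = next((a for a in parsed["actions"] if a in ("ADD", "DELETE")), None)
        if action is None:
            # e.g. SETPROG APF,FORMAT=DYNAMIC changes the list's format, not its members
            continue
        changes.append({
            "when": f'{row["date"]} {row["time"]}',
            "user": row["user"],
            "from": row["from"],
            "action": action,
            "dataset": dataset_of(parsed),
        })
    return changes


if __name__ == "__main__":
    for change in apf_list_changes(SAMPLE_ROWS):
        print(change)
```

Every APF ADD or DELETE returned by apf_list_changes should map to an approved change record; an entry issued by a logon ID or from a port of entry that is not expected to maintain the APF list is the anomaly the report exists to surface.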

All z/OS Commands

The All z/OS Commands report lists all z/OS commands issued in the system, who issued the command, and related information. Use this information to perform a security audit and report anomalies. This helps you monitor commands, detect unauthorized or suspicious activities, assess compliance with security policies, and identify potential vulnerabilities.

As a security administrator, you can investigate any unexpected or high-impact commands and take corrective action as needed to preserve system integrity and security.

| System | Date | Time | User | User Name | Port Of Entry | Event | Description | Command |
|---|---|---|---|---|---|---|---|---|
| TSOP | 2021-06-29 | 11:14:03 | MVSPPS | BERT WILLIAMS | CONSOLE | CONS | System Command | F BASPMSM,LRS |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| DATE | Date the command was executed |
| TIME | Time the command was executed |
| USER | Logon ID that issued the command |
| USER NAME | Name of the user, if available |
| PORT OF ENTRY | Where the command was entered |
| EVENT | Internal event type or SMF Event and Event Qualifier. Event refers to the SMF Event/Code Qualifier documented in the IBM SMF manuals, or CONS for a command entered at the system console. |
| DESCRIPTION | Command that was entered |
| COMMAND | Internal event types |

Resources

Click Resources and select one of the following reports to display information about ACF2 general resources:

Missing Permissions > OPERCMD

The Missing OPERCMD Permissions report identifies permissions associated with the OPERCMD resource class that are missing or not properly defined. Use this information to identify and review inadequately configured OPERCMD permissions, define and configure the required permissions, and assign appropriate access and permissions to only users authorized for each action.

As a security administrator, you can address security concerns arising out of unauthorized access to critical system commands.

| System | Class | Permission | Purpose | Recommended |
|---|---|---|---|---|
| TSOP | OPERCMDS | MVS.SET.PROG.** | Modify APF Libraries | Access must be limited to authorised personnel only. Preferably only accessible via BMC AMI Privileged Access Manager ids. Should have LOG on Rule. |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| CLASS | ACF2 class |
| PERMISSION | OPERCMDS permission |
| PURPOSE | Purpose of the ACF2 permission |
| RECOMMENDED | BMC recommendations |

Missing Permissions > STGADMIN

The Missing STGADMIN Permissions report lists storage administration permissions in the FACILITY and XFACILIT classes related to the STGADMIN resource class that are absent or incorrectly set up. Use this information to verify that STGADMIN permissions are properly defined and that storage administration tasks are restricted to authorized personnel only. Defining and configuring these permissions reduces the need for superuser authority and minimizes security risks.

As a security administrator, you can ensure that storage management functions, such as compression, ACL overrides, and changing permissions, are protected and secure.

| System | Class | Permission | Purpose | Recommended |
|---|---|---|---|---|
| TSOP | FACILITY | STGADMIN.ADR.CONVERTV | Convert VTOC to SMS | Require READ access to use. Restrict access to this |
| TSOP | FACILITY | STGADMIN.ADR.COPY.BYPASSACS | Copy data sets bypassing ACS routines | Require READ access to use. Restrict access to this |
| TSOP | FACILITY | STGADMIN.ADR.COPY.INCAT | INCAT processing | Require READ access to use. Restrict access to this |
| TSOP | FACILITY | STGADMIN.ADR.COPY.PROCESS.SYS | Copy SYS1 data sets | Require READ access to use. Restrict access to this |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| CLASS | ACF2 class |
| PERMISSION | STGADMIN permission |
| PURPOSE | Purpose of the ACF2 permission |
| RECOMMENDED | BMC recommendations |

Missing Permissions > UNIXPRIV

The Missing UNIXPRIV Permissions report lists permissions with z/OS UNIX privileges related to the UNIXPRIV resource class that are missing or misconfigured. Use this information to validate that UNIXPRIV permissions are correctly set up. 

This ensures proper access control for UNIX-related resources. You can create user permissions without superuser authority and grant them specific privileges using these UNIXPRIV permissions with fine granularity. This enhances security of your mainframe environment by ensuring user privileges are granted only where necessary.

As a security administrator, you can ensure controlled access to superuser-level actions, such as changing ownership or managing ACLs. You can activate and inactivate the UNIXPRIV class and define the necessary permissions for authorized UNIX administrators.

| System | Class | Permission | Purpose | Recommended |
|---|---|---|---|---|
| TSOP | UNIXPRIV | SUPERUSER.IPC.RMID | Release IPC resources (ipcrm) | Require READ access to use. Limit to UNIX processes/debuggers |
| TSOP | UNIXPRIV | SUPERUSER.PROCESS.KILL | Issue kill to processes | Require READ access to use. Limit to UNIX processes/debuggers |
| TSOP | UNIXPRIV | SUPERUSER.PROCESS.PTRACE | Use ptrace through dbx debugger | Require READ access to use. Limit to UNIX processes/debuggers |
| TSOP | UNIXPRIV | SUPERUSER.SETPRIORITY | Increase own priority | Require READ access to use. Limit to Storage Admin Group |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| CLASS | ACF2 class |
| PERMISSION | UNIXPRIV permission |
| PURPOSE | Purpose of the ACF2 permission |
| RECOMMENDED | BMC recommendations |

Missing Permissions > Certificate

The Missing Certificate Permissions report lists ACF2 certificate management-related permissions in the FACILITY class, which are not defined. It includes all the recommended general resource permissions related to digital certificates that are not defined to ACF2. Use this information to ensure that only authorized personnel have access to commands used to store and maintain digital certificate information in ACF2.

As a security administrator, you can ensure that digital certificate information is stored securely without any unauthorized access or change attempts.

| System | Class | Permission | Recommended Setting |
|---|---|---|---|
| TSOP | FACILITY | IRR.DIGTCERT.** | Set a rule of "- UID(*) PREVENT" in the Rule set or "ROLE(-)" for a Role set. ACF2 equivalent access levels are SERVICE(READ,UPDATE,DELETE) respectively. |
| TSOP | FACILITY | IRR.DIGTCERT.CHECKCERT | Set a rule of "- UID(*) PREVENT" in the Rule set or "ROLE(-)" for a Role set. ACF2 equivalent access levels are SERVICE(READ,UPDATE,DELETE) respectively. |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| CLASS | ACF2 class |
| PERMISSION | Missing ACF2 rule |
| RECOMMENDED SETTING | BMC recommended rule |

Certificates > Expiring

The Expiring Certificates report provides a comprehensive list of certificates that are due to expire in 365 days or less. It includes details such as the certificate label, start date, end date, owner, days to expiry, and the certificate profile. Use this information to proactively renew or replace expiring certificates and avoid service disruptions.

As a security administrator, you can proactively manage expiring certificates, safeguard security, and ensure compliance within the mainframe environment.

| System | Label | Owner | Start Date | End Date | Days to Expiry | Profile |
|---|---|---|---|---|---|---|
| TSOP | DefaultzOSMFCert.IZUDFLT.QAP5 | AVUSTR | 2018/03/11 | 2023/05/17 | 5 | 12.CN=z/OSMF CertAuth for Security Domain.OU=IZUDFLT |
| TSOP | DefaultzOSMFCert.IZUDFLT.QAP2 | AVUSTR | 2018/03/16 | 2023/05/17 | 5 | 13.CN=z/OSMF CertAuth for Security Domain.OU=IZUDFLT |
| TSOP | DefaultzOSMFCert.IZUDFLT.QAP3 | AVUSTR | 2018/03/16 | 2023/05/17 | 5 | 14.CN=z/OSMF CertAuth for Security Domain.OU=IZUDFLT |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| LABEL | Digital certificate label |
| OWNER | Certificate owner, CERTAUTH (CA), or SITE (site certificate) |
| START DATE | Certificate start date, if available |
| END DATE | Certificate expiration date |
| EXPIRY DATE | Number of days until the certificate expires |
| PROFILE | ACF2 key of the certificate |

Certificates > Expired

The Expired Certificates report provides a detailed list of digital certificates that have already expired and not been deleted. It includes information such as the certificate label, start and end date, owner, days since expiry, and the certificate profile. Use this information to manage expired certificates that might cause security vulnerabilities or service disruptions. 

As a security administrator, you can promptly ensure that the mainframe environment remains secure and compliant.

| System | Label | Owner | Start Date | End Date | Days After Expiry | Profile |
|---|---|---|---|---|---|---|
| TSOP | ZBASIL_TEST.NEW | AVUSTR | 2022/05/04 | 2023/05/04 | 7 | 01.CN=ZBASIL.CA.OU=ZBASIL CA.O=EC TEST.L=ALTON.SP=HANTS.C=GB |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| LABEL | Digital certificate label |
| OWNER | Certificate owner, CERTAUTH (CA), or SITE (site certificate) |
| START DATE | Certificate start date, if available |
| END DATE | Certificate expiration date |
| DAYS AFTER EXPIRY | Number of days after the certificate expired |
| PROFILE | ACF2 key of the certificate |

Certificates > All

The All Certificates report provides a comprehensive list of all digital certificates managed within the mainframe environment. It includes details such as the certificate label, start and end dates, and the certificate profile. Use this information to gain a complete overview of the certificates in use.

As a security administrator, you can regularly review this information to identify and address any issues related to certificates, ensuring a secure and compliant mainframe environment.

| System | Label | Owner | Start Date | End Date | Profile |
|---|---|---|---|---|---|
| TSOP | ZBASIL_TEST.NEW | AVUSTR | 2022/05/04 | 2023/05/04 | 01.CN=ZBASIL.CA.OU=ZBASIL CA.O=EC TEST.L=ALTON.SP=HANTS.C=GB |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| LABEL | Digital certificate label |
| OWNER | Certificate owner, CERTAUTH (CA), or SITE (site certificate) |
| START DATE | Certificate start date, if available |
| END DATE | Certificate expiration date |
| PROFILE | ACF2 key of the certificate |

Misconfigured Settings > CICS SIT

The Misconfigured CICS SIT Settings report lists security configurations in CICS sessions defined in the CICS system initialization table (SIT) that conflict with BMC recommendations. This report includes information about improperly configured security settings, such as unauthorized access and incorrect permissions. Use this information to correct these misconfigurations and to ensure that access controls are properly enforced and the system remains secure. 

As a security administrator, you can identify security misconfigurations, correct them, and maintain system integrity and compliance with security policies.

| System | Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|---|
| TSOP | CICSTS55 | CONFDATA | Show | HIDETC | Determines whether user data appears in traces or dumps. This data could be used to penetrate the system. | Default is SHOW. This may have SOX implications. |
| TSOP | CICSTS55 | CONFTXT | No | Yes | Determines whether user data appears in traces or dumps. This data could be used to penetrate the system. | Default is NO. VTAM can trace user data. |
| TSOP | CICSTS55 | GMTRAN | CESN | CSGM | Specifies the initial transaction that will be executed. | Default is CSGM. Specify an ATI transaction that will be run. |
| TSOP | CICSTS55 | SECPRFX | No | Yes | This parameter allows for segregation of access to separate regions. CICS will prefix all resource names with the CICS user ID when talking to the ESM. | YES is generally recommended if multiple CICS systems are running. |

| Column | Description |
|---|---|
| System | Name of the LPAR on which the report is generated |
| Region | CICS region name |
| Setting | System name |
| Current | Current value |
| Recommended | BMC recommended value |
| Purpose | Description of the purpose of the setting |
| Notes | Supplementary notes regarding the BMC recommendation |

Misconfigured Settings > IMS

The Misconfigured IMS Settings report lists IBM Information Management System (IMS) environment settings that conflict with BMC recommendations. It provides information about improperly configured security settings, such as unauthorized access, outdated or incorrect permissions, and deviations from BMC recommendations in integrating with IMS. 

Use this information to correct these misconfigurations, adjust access controls, and enforce stringent security policies to ensure that IMS environments are configured securely in line with organizational and regulatory requirements.

As a security administrator, you can address configuration and access concerns to help maintain a secure and compliant mainframe system.

| System | Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|---|

| Column | Description |
|---|---|
| System | Name of the LPAR on which the report is generated |
| Region | IMS region name |
| Setting | System name |
| Current | Current value |
| Recommended | BMC recommended value |
| Purpose | Description of the purpose of the setting |
| Notes | Supplementary notes regarding the recommendation |

Misconfigured Settings > DB2

The Misconfigured Db2 Settings report lists Db2 environment settings that conflict with BMC recommendations. Potential security misconfigurations in the Db2 database environment can include issues such as incorrect user access levels, improperly assigned roles, and discrepancies between the ESM and Db2 access control settings. Use this information to gain insights into areas in which access controls might be lenient or inconsistent with security policies, and correct user permissions to ensure that the Db2 security settings align with organizational security standards. 

As a security administrator, you can mitigate risks and enhance the overall security posture of the mainframe system.

| System | Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|---|

| Column | Description |
|---|---|
| System | Name of the LPAR on which the report is generated |
| Region | Db2 region name |
| Setting | System name |
| Current | Current value |
| Recommended | BMC recommended value |
| Purpose | Description of the purpose of the setting |
| Notes | Supplementary notes regarding the recommendation |

Misconfigured Settings > MQ

The Misconfigured MQ Settings report lists MQ environment settings that conflict with BMC recommendations. This can include issues such as improper user access, unsecured queue permissions, and discrepancies between the ESM and MQ security configurations. 

Use this information to identify potential vulnerabilities where unauthorized users might be able to gain access to sensitive messages or queues. You can adjust user roles, refine access controls, and enforce security policies to ensure that MQ settings are tightly controlled.

As a security administrator, you can monitor and manage these misconfigurations, prevent unauthorized access, and enhance the overall security of the messaging infrastructure.

| System | Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|---|

| Column | Description |
|---|---|
| System | Name of the LPAR on which the report is generated |
| Region | MQ region name |
| Setting | System name |
| Current | Current value |
| Recommended | BMC recommended value |
| Purpose | Description of the purpose of the setting |
| Notes | Supplementary notes regarding the recommendation |

Software Security Settings > CICS SIT

The CICS SIT Settings report lists the security settings defined in the CICS system initialization table (SIT) of each active CICS region. This report provides details about the security settings for the CICS (Customer Information Control System) environment and reflects configurations related to resource access and control mechanisms defined in the CICS SIT. Use this information to identify any security vulnerabilities, misconfigurations, or deviations from best practices in CICS settings.

As a security administrator, you can monitor compliance with organizational security policies, fine-tune access controls, enforce security policies, and enhance the overall protection of CICS applications.

| System | Region | Parameter | Current setting |
|---|---|---|---|
| TSOP | CICSTS51 | AIEXIT | DFHZATDX |
| TSOP | CICSTS51 | APPLIDG | A05CICS1 |
| TSOP | CICSTS55 | APPLIDG | A |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| REGION | CICS region name |
| PARAMETER | SIT initialization parameter |
| CURRENT SETTING | Current setting |

Software Security Settings > IMS

The IMS Security Settings report provides information about the security configurations for IBM Information Management System (IMS) applications defined for each active IMS region. It details access controls and resource protections defined within these applications. Use this information to review how IMS is configured to secure sensitive data and manage user access. 

As a security administrator, you can identify potential vulnerabilities and misconfigurations in security policies and ensure that only authorized users can interact with critical IMS data and services. You can thus enforce stronger security policies, prevent unauthorized access, and maintain compliance with security standards.

| System | Region | Parameter | Current setting |
|---|---|---|---|

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| REGION | IMS region name |
| PARAMETER | SIT initialization parameter |
| CURRENT SETTING | Current setting |

Software Security Settings > DB2

The Db2 Security Settings report lists the security settings defined for each active Db2 region. It provides a detailed view of the security configurations for Db2, a relational database management system and outlines settings related to user access controls and resource protections for Db2 databases. 

Use this information to detect potential security risks, such as overly permissive access and misconfigured permissions.

As a security administrator, you can fine-tune access controls, regulate authority and access, enforce security policies, strengthen database security, and make sure that the Db2 configurations align with your organizational security standards.

| System | Region | Parameter | Current setting |
|---|---|---|---|

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| REGION | IMS region name |
| PARAMETER | SIT initialization parameter |
| CURRENT SETTING | Current setting |

Software Security Settings > MQ

The MQ Security Settings report lists the security settings defined for each active MQ region. This report provides a detailed overview of the security configurations for IBM MQ. It also highlights access control settings, encryption protocols, user permissions, and authentication methods used within the MQ environment. Use this information to identify potential security risks related to message queuing, such as unauthorized access or weak encryption, and misconfigurations or vulnerabilities that might compromise MQ system integrity.

As a security administrator, you can ensure that sensitive messages and data are protected during transmission. You can adjust security settings, implement tighter controls, and enforce compliance with organizational security policies.

| System | Region | Parameter | Current setting |
|---|---|---|---|
| TSOP | QCBAMSTR | ACTIVE | Yes |
| TSOP | QCBAMSTR | ACTIVE | No |
| TSOP | QCBAMSTR | ACTIVE | No |
| TSOP | QCBAMSTR | ACTIVE | No |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| REGION | MQ region name |
| PARAMETER | Parameter name |
| CURRENT SETTING | Current setting |

System Settings

Click System Settings and select one of the following reports to display information about your ACF2 and z/OS environment:

PPT > Entries Specifying NOPASS

The PPT Entries Specifying NOPASS in Parmlib report lists all Program Properties Table (PPT) entries that have NOPASS specified in z/OS PARMLIB member SCHEDxx. This report provides information about program entries that might lack security protection. Use this information to identify programs that can access the resources without security protection, and modify these entries to require password protection where necessary. 

As a security administrator, you can make sure that only trusted programs have such exceptions and take corrective actions, such as removing unnecessary NOPASS entries or tightening access control policies to mitigate potential vulnerabilities.

| System | Program |
|---|---|
| TSOP | EPWINIT |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| PROGRAM | Program that has NOPASS in the PPT |

PPT > Entries Defined as NOSWAP

The PPT Entries Defined as NOSWAP in Parmlib report lists all Program Properties Table (PPT) entries with NOSWAP defined in z/OS PARMLIB member SCHEDxx. This report provides information about programs that are configured to prevent z/OS from swapping them out to auxiliary storage. The NOSWAP parameter is important to ensure that critical processes or high-priority tasks remain in main memory for faster execution. Use the information in this report to review and modify these entries, adjusting which programs can be swapped based on security policies and requirements.

As a security administrator, you can make sure that essential processes are protected and prevent misuse by non-critical users or unauthorized programs to help maintain system performance and security.

| System | Program | Key |
|---|---|---|
| TSOP | AZFSTCMN | 2 |
| TSOP | BNJLINTX | 8 |
| TSOP | BPEINI00 | 7 |
| TSOP | BPXBATA2 | 2 |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| PROGRAM | Program name in the PPT |
| KEY | MVS storage protect key that the program runs under and has been defined in the MVS PPT |

Inactive Monitored Jobs

The Inactive Monitored Jobs report lists all jobs that have been inactive for a specified period but are still being monitored. Use this report to identify dormant, idle, or unauthorized jobs that could pose security risks.

As a security administrator, you can take appropriate actions against anomalies in job activity and remove unnecessary jobs to enhance system security and maintain system performance.

| System | Job not running |
|---|---|
| TSOP | RSSTAM |
| TSOP | CICSTS42 |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| JOB NOT RUNNING | Name of the monitored job that appears not to be running |

Users

Click Users and select one of the following reports to display information about ACF2 users:

ACF2 Privileges

The Users with ACF2 Privileges report lists users with ACF2 privileges:

| System | Logonid | Uid String | Name | Access Count | Last Access | ACCOUNT | NON-CNCL | SECURITY | LEADER | CONSULT |
|---|---|---|---|---|---|---|---|---|---|---|
| TSOP | ACFSTCID | ACFSTCID | ACFSTCID STC | 88 | 05/22/21 04:23 |  | NON-CNCL |  |  |  |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| LOGONID | ACF2 user ID |
| UID STRING | ACF2 UID string |
| NAME | User name, if available |
| ACCESS COUNT | Number of accesses |
| LAST ACCESS | Last time the privileged user used the system |
| ACCOUNT | User has the account privilege |
| NON-CNCL | User has the non-cncl privilege |
| SECURITY | User has the security privilege |
| LEADER | User has the leader privilege |
| CONSULT | User has the consult privilege |

UID(0)

The Users with UID(0) report lists all ACF2 users that have UID(0) defined, that is, the superuser attribute in UNIX System Services (USS):

| System | LID | Name | Uid |
|---|---|---|---|
| TSOP | ADCDMST | ADCD MASTER | 0 |
| TSOP | BATCH01 | BATCH PROCESSING | 0 |
| TSOP | BPXOINIT | BPXOINIT | 0 |
| TSOP | AUSER | Test User A | 0 |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| LID | User LID |
| NAME | Associated name, if available |
| UID | ACF2 UID string |

Password interval<30

The Users with password interval<30 report lists all ACF2 users that have a password interval of less than 30 days:

| System | LID | Name | UID | Maxdays |
|---|---|---|---|---|
| TSOP | ACFTCID | ACFTCID STC | ACFTCID | 0 |

| Column | Description |
|---|---|
| SYSTEM | Name of the LPAR on which the report is generated |
| LID | User LID |
| NAME | Associated name, if available |
| UID | ACF2 UID string |
| MAXDAYS | Number of days of the password interval |

Sharing non-zero uid

The Users sharing non-zero uid report lists all ACF2 logonids that share a non-zero OMVS UID with at least one other logonid. Because z/OS UNIX file permissions and audit records identify a user by UID rather than by logonid, logonids that share a UID are indistinguishable to USS, which weakens accountability. UID 0 is covered separately by the Users with UID(0) report.

System | LID | Name | UID

Column | Description
SYSTEM | Name of the LPAR on which the report is generated
LID    | ACF2 LID (logonid)
NAME   | Associated user name, if available
UID    | Number of the OMVS UID that is being shared
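The three checks described in the UID(0), Password interval<30, and Sharing non-zero uid reports, run over logonid attributes, as an added example. This is not SPM or ACF2 code: the record layout, field names, and sample logonids below are constructed for the example, and the MAXDAYS value of 0 is included simply because the report's own sample row flags it.

```python
"""Added example (not BMC SPM code): derive the findings shown by the UID(0),
'Password interval<30' and 'Sharing non-zero uid' reports from logonid
attributes already extracted into Python. All records are constructed."""
from collections import defaultdict

# Constructed sample logonid records: (LID, name, OMVS UID, MAXDAYS).
# The OMVS UID is None for logonids that have no OMVS segment.
SAMPLE_LIDS = [
    ("ADCDMST",  "ADCD MASTER",      0,    60),
    ("BATCH01",  "BATCH PROCESSING", 0,    45),
    ("BPXOINIT", "BPXOINIT",         0,    30),
    ("AUSER",    "Test User A",      0,    90),
    ("ACFTCID",  "ACFTCID STC",      None, 0),
    ("DEVA",     "Developer A",      1001, 90),
    ("DEVB",     "Developer B",      1001, 20),
    ("OPS1",     "Operator 1",       2000, 30),
]

def uid0_users(records):
    """LIDs whose OMVS UID is 0 (the USS superuser)."""
    return [lid for lid, _, uid, _ in records if uid == 0]

def short_password_interval(records, threshold=30):
    """(LID, MAXDAYS) pairs whose password interval is below the threshold.
    A MAXDAYS of 0 is included, as in the report's sample row."""
    return [(lid, maxdays) for lid, _, _, maxdays in records if maxdays < threshold]

def shared_nonzero_uids(records):
    """Map each non-zero OMVS UID held by two or more LIDs to those LIDs.
    Logonids without an OMVS UID are skipped, and UID 0 is excluded because
    the UID(0) report already covers it."""
    holders = defaultdict(list)
    for lid, _, uid, _ in records:
        if uid is not None and uid != 0:
            holders[uid].append(lid)
    return {uid: lids for uid, lids in holders.items() if len(lids) > 1}

if __name__ == "__main__":
    print("UID(0):", uid0_users(SAMPLE_LIDS))
    print("MAXDAYS<30:", short_password_interval(SAMPLE_LIDS))
    for uid, lids in shared_nonzero_uids(SAMPLE_LIDS).items():
        print(f"UID {uid} shared by: {', '.join(lids)}")
```

The shared-UID check keys on the numeric UID, not the UID string, and deliberately ignores logonids with no OMVS segment so that a missing segment is not mistaken for a shared value.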

File Transfers

The User File Transfers report lists file transfers (PUT or GET) performed by users, with the following columns:

System | Date | Time | System | User | Action | Program | Dataset | Jobname

Column  | Description
SYSTEM  | Name of the LPAR on which the report is generated
DATE    | Date the file transfer was run
TIME    | Time the file transfer was run
SYSTEM  | System the file transfer was run from
USER    | User ID performing the file transfer
ACTION  | PUT (send) or GET (receive)
PROGRAM | Name of the program used to transfer the file
DATASET | Name of the data set that was transferred
JOBNAME | Name of the job that ran the file transfer

Compliance

Click Compliance and select one of the following reports to display information about security violations detected in the z/OS environment:

 

Allowlists

Many of the SPM queries can exclude results by using allowlists. Allowlists are defined in the index member of the rules data set and consist of exceptions that can be used to prevent specific users or resources from being reported on as non-compliant.

For example, if only one user LID is allowed to update APF libraries, then an allowlist containing that one user LID can be defined, and the compliance query can specify a clause such as:
AND userid NOT IN (SELECT userid FROM allowlist WHERE type='APF')

The allowlist defined would be:

* TSO allowlists
Allowlist APF
TSGAPF     LID allowed to update APF data sets.

For an example of the allowlist, see Sample-index-member.
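How an allowlist block in the index member can be applied through the NOT IN clause quoted above, as an added example. This is not SPM code: the index-member excerpt, the APF update events, and the two table layouts are constructed for the example, the block format is inferred from the sample shown above (a line `Allowlist <TYPE>` followed by one LID per line, with an optional comment), and SPM's own query schema is assumed only to contain the `allowlist(type, userid)` columns the clause names.

```python
"""Added example (not BMC SPM code): parse 'Allowlist <TYPE>' blocks from an
index member and apply them with the NOT IN clause shown in the text.
The index member text, event rows and table layouts are constructed."""
import sqlite3

# Constructed excerpt of an index member. Lines starting with '*' are comments;
# 'Allowlist <TYPE>' opens a block; each following line names one LID, then an
# optional free-text reason that is ignored here.
INDEX_MEMBER = """\
* TSO allowlists
Allowlist APF
TSGAPF     LID allowed to update APF data sets.
Allowlist PARMLIB
TSGSYS     Sysprog LID allowed to update PARMLIB.
TSGAPF     Also allowed to update PARMLIB.
"""

# Constructed APF-library update events: (userid, data set).
APF_UPDATES = [
    ("TSGAPF", "SYS1.LINKLIB"),
    ("DEVUSR1", "SYS1.LINKLIB"),
    ("TSGSYS", "TCPIP.SEZALOAD"),
]

def parse_allowlists(text):
    """Return (type, userid) pairs from every 'Allowlist <TYPE>' block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue  # blank or comment line
        words = line.split()
        if words[0].upper() == "ALLOWLIST" and len(words) > 1:
            current = words[1].upper()
            continue
        if current is None:
            raise ValueError(f"LID outside an Allowlist block: {line!r}")
        entries.append((current, words[0].upper()))
    return entries

def noncompliant_apf_updates(events, allowlist_entries):
    """Userids that updated APF libraries and are not on the APF allowlist.
    The WHERE clause keeps the page's NOT IN subquery verbatim; the
    '1=1' placeholder stands for the query's own conditions."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE apf_update (userid TEXT, dataset TEXT)")
    con.execute("CREATE TABLE allowlist (type TEXT, userid TEXT)")
    con.executemany("INSERT INTO apf_update VALUES (?, ?)", events)
    con.executemany("INSERT INTO allowlist VALUES (?, ?)", allowlist_entries)
    rows = con.execute(
        "SELECT userid, dataset FROM apf_update WHERE 1=1 "
        "AND userid NOT IN (SELECT userid FROM allowlist WHERE type='APF') "
        "ORDER BY userid"
    ).fetchall()
    con.close()
    return rows

if __name__ == "__main__":
    entries = parse_allowlists(INDEX_MEMBER)
    for userid, dataset in noncompliant_apf_updates(APF_UPDATES, entries):
        print(f"NON-COMPLIANT: {userid} updated {dataset}")
```

Note that TSGSYS is still reported: it is allowlisted only for the PARMLIB type, and the subquery filters on `type='APF'`, so an exception for one check does not silently cover another.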

Compliance Reports

Select Overview to see the Compliance Overview dashboard that is described in Logging-on-and-viewing-compliance-summaries.

Select All to see all the compliance reports defined on the system, including all policies contained in the index member, their last run time, next run time, and result of the run. For more information, see "Examining all compliance reports" and "To run individual reports" in Logging-on-and-viewing-compliance-summaries.

Select one of the following report categories:

  • DISA STIG
  • z/OS
  • DB2
  • RACF (RACF users only)
  • TSS (TSS users only)
  • USS
  • TCP/IP
  • CICS
  • REXX
  • CIS RACF (RACF users only; SPE2410, SPE2507)
  • PCI DSS RACF (RACF users only; SPE2501)

The list of categories might change, depending on your system configuration.

If you add a custom category to the HLQ.RULES(INDEX) member and update the rules with the /f stc, loadrules command (or restart the product), the custom category is displayed in the Compliance menu and the All Compliance Reports table. For an example of the index member, see Sample-index-member.

 

ACF2

Click ACF2 and select one of the following reports to display information about issues on your ACF2 environment:

Access Rules

The Access Rules report lists all ACF2 data set access rule sets, one row per rule set (that is, per $KEY):

System | Key | Prefix | Mode | User data | Last Update By | Last Update Date | Last Update Time | Roleset | Length | % Used

Column           | Description
SYSTEM           | Name of the LPAR on which the report is generated
KEY              | ACF2 rule key ($KEY), normally the high-level qualifier of the data sets the rule set protects
PREFIX           | ACF2 prefix ($PREFIX), if one overrides the key as the high-level qualifier
MODE             | ACF2 mode for this rule set ($MODE): ABORT, LOG, or blank
USER DATA        | ACF2 user data ($USERDATA)
LAST UPDATE BY   | ID of the user who last updated the access rule
LAST UPDATE DATE | Date the access rule was last updated
LAST UPDATE TIME | Time the access rule was last updated
ROLESET          | Whether this is an ACF2 roleset rule ($ROLESET)
LENGTH           | Rule length
% USED           | Percentage of space used in the rule definition

Resource Rules

The Resource Rules report lists all ACF2 resource rule sets (rules for resources other than data sets, such as CICS transactions or TSO commands), one row per rule set:

System | Key | Type | Prefix | Mode | User data | Last Update By | Last Update Date | Last Update Time | Roleset | Length | % Used

Column           | Description
SYSTEM           | Name of the LPAR on which the report is generated
KEY              | ACF2 rule key ($KEY)
TYPE             | ACF2 resource type code of the rule set
PREFIX           | ACF2 prefix ($PREFIX)
MODE             | ACF2 mode for this rule set ($MODE): ABORT, LOG, or blank
USER DATA        | ACF2 user data ($USERDATA)
LAST UPDATE BY   | ID of the user who last updated the resource rule
LAST UPDATE DATE | Date the resource rule was last updated
LAST UPDATE TIME | Time the resource rule was last updated
ROLESET          | Whether this is an ACF2 roleset rule ($ROLESET)
LENGTH           | Rule length
% USED           | Percentage of space used in the rule definition

GSO/Password/Phrase Settings

The GSO/Password/Phrase Settings report lists the Global System Options (GSO), password, and passphrase settings in effect, one row per setting:

System | Type | Setting | Current value

Column        | Description
SYSTEM        | Name of the LPAR on which the report is generated
TYPE          | Record type the setting belongs to (for example, GSO)
SETTING       | Name of the setting as it appears in the ACF2 configuration
CURRENT VALUE | Current value of the setting

Rules with UID (*) access > None

The Rules with UID (*) access > None report lists ACF2 data set rule entries in which the UID mask * (which matches every user) is granted access greater than NONE, that is, at least one of READ, WRITE, ALLOC, or EXEC is coded A (allow) or L (log). Review these entries: anything granted to UID(*) is available to every logonid on the system, including started tasks and batch IDs.

System | Dataset | UID | Read | Write | Alloc | Exec

Column  | Description
SYSTEM  | Name of the LPAR on which the report is generated
DATASET | Name of the data set (or data set mask) in the rule entry
UID     | ACF2 UID string (mask) of the rule entry
READ    | Whether the entry grants read access: A (allow) or L (log)
WRITE   | Whether the entry grants write access: A (allow) or L (log)
ALLOC   | Whether the entry grants allocate access: A (allow) or L (log)
EXEC    | Whether the entry grants execute access: A (allow) or L (log)
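A parser for ACF2 data set rule text that produces the rule-set fields shown by the Access Rules report above ($KEY, $PREFIX, $MODE, $USERDATA, $ROLESET) and the per-entry rows shown by the Rules with UID (*) access > None report, as an added example serving both sections. This is not SPM or ACF2 code: the rule text is constructed, only the control statements named here and the READ/WRITE/ALLOC/EXEC permissions are handled, permissions omitted from an entry are reported blank rather than resolving ACF2's own defaults, ROLE() entries and NEXTKEY are not modelled, and Length and % Used (properties of the compiled rule) are not computed.

```python
"""Added example (not BMC SPM or ACF2 code): parse constructed ACF2 data set
rule text into the Access Rules report's rule-set fields and the
'Rules with UID (*) access > None' report's entry rows."""
import re

# Constructed rule text. Rule entries: '<dsn mask> UID(mask) READ(A) ...'
# with each permission coded A (allow), L (log) or P (prevent).
SAMPLE_RULES = """\
$KEY(SYS1)
$MODE(ABORT)
$USERDATA(System libraries owned by sysprog)
 LINKLIB UID(*) READ(A) EXEC(A)
 PARMLIB UID(SYSPROG) READ(A) WRITE(A) ALLOC(A) EXEC(A)
 PARMLIB UID(*) READ(L)
 UADS UID(*) READ(P)
$KEY(TCPIP)
$PREFIX(TCPIP)
$MODE(LOG)
 SEZALOAD UID(*) READ(A) EXEC(A)
 SEZALOAD UID(NETADM) READ(A) WRITE(L) ALLOC(A) EXEC(A)
"""

PERMS = ("READ", "WRITE", "ALLOC", "EXEC")
CONTROL = re.compile(r"^\$(\w+)(?:\((.*)\))?\s*$")   # $KEY(SYS1), $ROLESET
PARAM = re.compile(r"(\w+)\(([^)]*)\)")              # UID(*) READ(A) ...

def parse_rule_sets(text):
    """Return a list of rule sets, each a dict of control fields plus an
    'entries' list of (dsn, uid_mask, {perm: value}) tuples. Permissions not
    coded on an entry are kept as '' (ACF2's default is not modelled)."""
    sets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CONTROL.match(line)
        if m:
            name, value = m.group(1).upper(), (m.group(2) or "")
            if name == "KEY":
                sets.append({"key": value.upper(), "prefix": "", "mode": "",
                             "userdata": "", "roleset": False, "entries": []})
            elif not sets:
                raise ValueError(f"control statement before $KEY: {line!r}")
            elif name == "PREFIX":
                sets[-1]["prefix"] = value.upper()
            elif name == "MODE":
                sets[-1]["mode"] = value.upper()
            elif name == "USERDATA":
                sets[-1]["userdata"] = value
            elif name == "ROLESET":
                sets[-1]["roleset"] = True
            continue
        if not sets:
            raise ValueError(f"rule entry before $KEY: {line!r}")
        dsn, _, rest = line.partition(" ")
        params = {k.upper(): v.upper() for k, v in PARAM.findall(rest)}
        perms = {p: params.get(p, "") for p in PERMS}
        sets[-1]["entries"].append((dsn.upper(), params.get("UID", ""), perms))
    return sets

def full_dsn(rule_set, dsn):
    """The high-level qualifier is $PREFIX when coded, otherwise $KEY."""
    return f"{rule_set['prefix'] or rule_set['key']}.{dsn}"

def access_rules_rows(rule_sets):
    """One row per rule set: Key, Prefix, Mode, User data, Roleset."""
    return [(rs["key"], rs["prefix"], rs["mode"], rs["userdata"],
             "Y" if rs["roleset"] else "") for rs in rule_sets]

def uid_star_findings(rule_sets):
    """Rows (Dataset, UID, Read, Write, Alloc, Exec) for entries whose UID
    mask is * and that grant more than NONE. P and omitted permissions are
    shown blank, matching the report's 'A or L' columns."""
    rows = []
    for rs in rule_sets:
        for dsn, uid, perms in rs["entries"]:
            shown = {p: v if v in ("A", "L") else "" for p, v in perms.items()}
            if uid == "*" and any(shown.values()):
                rows.append((full_dsn(rs, dsn), uid, shown["READ"],
                             shown["WRITE"], shown["ALLOC"], shown["EXEC"]))
    return rows

if __name__ == "__main__":
    rule_sets = parse_rule_sets(SAMPLE_RULES)
    for row in access_rules_rows(rule_sets):
        print("RULE SET:", row)
    for row in uid_star_findings(rule_sets):
        print("UID(*) > NONE:", row)
```

Running it lists SYS1.LINKLIB (READ and EXEC allowed), SYS1.PARMLIB (READ logged, which still grants access) and TCPIP.SEZALOAD; the UADS entry with READ(P) is not reported. The TCPIP finding also shows why $PREFIX matters: the data set name is built from the prefix, not the key, when both are coded.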


BMC AMI Security Policy Manager 2.3