Reports for RACF
For details about the Tools menu, see Administering.
Tip
If your browser window is too narrow to see all the values in the report, click the + icon 
at the beginning of the row. The column headings and values show below the row, as displayed in the following example:
Click the - icon 
to collapse the row.
Data sets
Click Data sets and select one of the following reports to display information about sensitive data sets:
- Non-Fully Qualified Generic > APF
- Non-Fully Qualified Generic > Other
- Sensitive Data Sets > UACC > None
- Sensitive Data Sets > ID(*) > None
- Sensitive Data Sets > WARN
- Sensitive Data Sets > Uncatalogued
- Sensitive Data Sets > Inappropriate Audit
- Sensitive Data Sets > Level = 99
- Sensitive Data Sets > All
Non-Fully Qualified Generic > APF
The APF Data Sets without Fully Qualified Generic profile report lists sensitive data sets that are specified as Authorized Program Facility (APF) libraries and are protected by a generic security profile (for example, SYS1.**) or have no security profile defined (*Unprotected*). Executable code within these data sets can perform sensitive system functions and has access to sensitive data.
Assign unprotected data sets a security profile to make sure that only authorized users have access. Review generic profiles to make sure they grant appropriate access to the data sets.
System | Dataset name | Protecting Profile |
|---|---|---|
TSOP | SYS1.SVCLIB | SYS1.** |
TSOP | AZF.SAZFLOAD | AZF.** |
TSOP | CBC.SCLBDLL | CBC.** |
TSOP | CBC.SCLBDLL2 | CBC.** |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATASET NAME | Name of the data set |
PROTECTING PROFILE | RACF profile that protects the data set |
Non-Fully Qualified Generic > Other
The Other Data Sets with Non-Fully Qualified Generic profiles report lists system data sets that are protected by a generic security profile (for example, SYS1.**) or have no security profile defined (*Unprotected*). These data sets might contain sensitive system parameters that could affect system integrity. They might also include executable modules that provide sensitive system services, reporting or monitoring.
Assign unprotected data sets a security profile to make sure that only authorized users have access. Review generic profiles to make sure that they grant appropriate access to the data sets.
System | Dataset Name | Protecting Profile | Dataset Type |
|---|---|---|---|
TSOP | SYS1.LINKLIB.EXITS | SYS1.** | LINK |
TSOP | USER.LINKLIB | USER.** | UCAT |
TSOP | SYS1.SIEALNKE | SYS1.** | MCAT |
TSOP | SYS1.SIEAMIGE | SYS1.** | LINK |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATASET NAME | Name of the data set |
PROTECTING PROFILE | Non-fully qualified generic RACF profile that is protecting the data set |
DATASET TYPE | Type of authorization table, such as UCAT or LINK |
Sensitive Data Sets > UACC > None
The Sensitive Data Sets with UACC > None report lists sensitive data sets with no Universal Access (UACC) protection to allow some level of access to any user. We recommend that these data sets have a UACC of NONE with access granted to specific users or groups.
System | Dataset Name | Protecting Profile | UACC | Dataset Type |
|---|---|---|---|---|
TSOP | CICSTS52.CICS.SDFHAUTH | CICSTS52.** | Read | APF |
TSOP | CICSTS52.CICS.SDFHLIC | CICSTS52.** | Read | APF |
TSOP | CICSTS52.CICS.SDFJAUTH | CICSTS52.** | Read | APF |
TSOP | CICSTS52.CPSM.SEYUAUTH | CICSTS52.** | Read | APF |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATASET NAME | Name of the data set |
PROTECTING PROFILE | Non-fully qualified generic RACF profile that is protecting the data set |
UACC | Universal ACCess of the sensitive data set |
DATASET TYPE | Type of sensitive data set being reported on, such as APF or Link |
Sensitive Data Sets > ID(*) > None
The Sensitive Data Sets with ID(*) > None report lists sensitive data sets that are not defined with an owner user ID. Use this information to assign an owning user ID to the data sets. The owning user ID ensures only an authorized person or group may modify the data set security profile.
System | Dataset Name | Protecting Profile | ID(*) | Dataset Type |
|---|---|---|---|---|
TSOP | SYS1.LINKLIB | SYS1.LINKLIB | Read | APF |
TSOP | AZF.SAZFLOAD | AZF.** | Read | APF |
TSOP | CBC.SCLBDLL | CBC.** | Read | APF |
TSOP | CBC.SCLBDLL2 | CBC.** | Read | APF |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATASET NAME | Name of the data set |
PROTECTING PROFILE | Non-fully qualified generic RACF profile that is protecting the data set |
ID(*) | Access level that applies to all RACF-defined users The access level can have the following values:
|
DATASET TYPE | Type of sensitive data set being reported on, such as APF or Link |
Sensitive Data Sets > WARN
The Sensitive Data Sets with WARN report lists sensitive data sets with the WARNing security attribute assigned but with neither a security profile nor a generic security profile.
Assign unprotected data sets a security profile to make sure that authorized users have access. Review generic profiles to make sure that they grant appropriate access to the data sets.
System | Dataset Name | Protecting Profile | Dataset Type |
|---|---|---|---|
TSOP | ISVR.RSS.LOADLIB | ISVR.RSS.** | APF |
TSOP | ISVR.RSS.SSPR.V2R1M0.RSSLOAD | ISVR.RSS.** | APF |
TSOP | ISVR.RSS.VIA.V2R1M0.RSSLOAD | ISVR.RSS.** | APF |
TSOP | ISVR.RSS.V2R1M0.RSSLOAD | ISVR.RSS.** | APF |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATASET NAME | Name of the data set |
PROTECTING PROFILE | RACF profile that is protecting the data set |
DATASET TYPE | Type of sensitive data set being reported on, such as APF or Link |
Sensitive Data Sets > Uncatalogued
The Uncatalogued Sensitive Data Sets report lists sensitive data sets that are not cataloged. Use this information to make sure that all sensitive data sets are properly cataloged, allowing for centralized monitoring and access management. We recommend that you catalog these data sets or remove from the system.
System | Dataset Name | Protecting Profile | Dataset Type |
|---|---|---|---|
TSOP | ISVR.CA.SYSVIEW.V15R00.CNM4BLOD | ISVR.CA.SYSVIEW.** | APF |
TSOP | ISVR.COMPWARE.CPWR.MPAA170.SPAAAUTH | ISVR.COMPWARE.** | APF |
TSOP | ISVR.COMPWARE.CPWR.MKAZ170.SKAZAUTH | ISVR.COMPWARE.** | APF |
TSOP | ISVR.COMPWARE.CPWR.MKFX171.SKFXAUTH | ISVR.COMPWARE.** | APF |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATASET NAME | Name of the data set |
PROTECTING PROFILE | RACF profile that is protecting the data set |
DATASET TYPE | Type of sensitive data set being reported on, such as APF or Link |
Sensitive Data Sets > Inappropriate Audit
The Sensitive Data Sets with Inappropriate Audit report lists sensitive data sets that are defined with inappropriate or insufficient audit settings. Use this information to identify areas where appropriate auditing criteria are established to ensure proper use and modification of the sensitive data sets. Adjust the audit settings to ensure comprehensive monitoring of access and activities related to sensitive data sets.
System | Dataset Name | Protecting Profile | Audit S/F | Dataset Type |
|---|---|---|---|---|
TSOP | SYS1.SVCLIB | SYS1.** | -/R | APF |
TSOP | CBC.SCLBDLL | CBC.** | -/R | APF |
TSOP | CBC.SCLBDLL2 | CBC.** | -/R | APF |
TSOP | CSF.SCSFMOD0 | CSF.** | -/R | APF |
This relates to the audit settings, e.g. Success(UPDATE) and Fail(READ), often abbreviated to S/F. This display shows the Audit Level (both Successes and Failures) in a three-character format: a success level, a forward slash, a failures level.
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATASET NAME | Name of the data set |
PROTECTING PROFILE | RACF profile that is protecting the data set |
AUDIT S/F | Audit successes and failures The audit levels can have the following values:
For example, U/R is equal to Success(Update)/Failures(Read). |
DATASET TYPE | Type of sensitive data set being reported on, such as APF or Link |
Sensitive Data Sets > Level = 99
The Sensitive Data Sets with Level = 99 report lists sensitive data sets with high sensitivity (Level = 99). Use this information to focus on securing the most critical data based on your site’s defined sensitivity levels. To improve security, verify that higher level data sets have appropriate access controls and monitoring measures in place.
System | Dataset Name | Protecting Profile | Volume | Creation Date | Referenced Date | Cataloged? | SMS? | APF? | UACC | ID(*) | Fully Qualified Generic? | Warning? | Audit S/F | Dataset Type | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
TSOP | ISVR.RSS.SUE.QA.TEST | ISVR.RSS.SUE.** | TISV08 | 2019-01-29 | 1900-01-00 | Y | Y | Y | Read | Read | N | Y | R/R | APF | ||||||||||
TSOP | TSGNJC.TEST.XMIT | TSGNJC.TEST.** | TTSO01 | 2019-01-16 | 2019-01-16 | Y | Y | Y | None |
| N | N | -/R | APF | ||||||||||
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATASET NAME | Name of the data set |
PROTECTING PROFILE | RACF profile that is protecting the data set |
VOLUME | Volume Serial number |
CREATION DATE | Date of data set creation |
REFERENCED DATE | Date last referenced |
CATALOGED? | Whether the data set is cataloged |
SMS? | Whether the data set SMS is controlled |
APF? | APF Library Indicator |
UACC | Universal ACCess for undefined user IDs |
ID(*) | Default access for defined user IDs |
FULLY QUALIFIED GENERIC? | FQG indicator |
WARNING? | Whether the profile has the WARNING attribute |
AUDIT S/F | Audit successes and failures The audit levels can have the following values:
For example, U/R is equal to Success(Update)/Failures(Read). |
DATASET TYPE | Type of sensitive data set being reported on, such as APF or Link |
Sensitive Data Sets > All
The All Sensitive Data Sets report lists all sensitive data sets and their file types. Use this information to review your sensitive data landscape so that you can implement proper access controls and security measures. To enhance security, evaluate and strengthen your security based on the report's findings.
System | Dataset Name | Protecting Profile | Volume | Creation Date | Referenced Date | Cataloged? | SMS? | APF? | UACC | ID(*) | Fully Qualified Generic? | Warning? | Level | Audit S/F | Dataset Type |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
TSOP | CATALOG.CICS.UCAT.Z210 | CATALOG.** | CPWRK3 | 2014-12-18 | 2019-02-06 | Y |
|
| None | Read | N | N | 0 | -/R | UCAT |
TSOP | CATALOG.EXPRESS.SMPE.UCAT | CATALOG.** | SYS001 | 2019-02-11 | 2019-02-12 | Y |
|
| None | Read | N | N | 0 | -/R | UCAT |
TSOP | CATALOG.FDRPAS.SHARED | CATALOG.** | IODF01 | 2017-11-17 | 2019-02-06 | Y |
|
| None | Read | N | N | 0 | -/R | UCAT |
TSOP | CATALOG.IMS.USER | CATALOG.** | PTSG06 | 2015-12-11 | 2019-02-06 | Y |
|
| None | Read | N | N | 0 | -/R | UCAT |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATASET NAME | Name of the data set |
PROTECTING PROFILE | RACF profile that is protecting the data set |
VOLUME | Volume serial number |
CREATION DATE | Date of data set creation |
REFERENCED DATE | Date last referenced |
CATALOGED? | Whether the data set is cataloged or not |
SMS? | Whether the data set SMS is controlled |
APF? | APF library indicator |
UACC | Universal ACCess for undefined user IDs |
ID(*) | Default access for defined user IDs |
FULLY QUALIFIED GENERIC? | FQG indicator |
WARNING? | Whether the profile has the WARNING attribute |
LEVEL | Data set level |
AUDIT S/F | Audit successes and failures The audit levels can have the following values:
For example, U/R is equal to Success(Update)/Failures(Read). |
DATASET TYPE | Type of sensitive data set being reported on, such as APF or Link |
Sensitive Commands
Click Sensitive Commands and select one of the following reports to display information about sensitive commands:
z/OS.SETPROG
The z/OS.SETPROG Commands report lists all z/OS.SETPROG commands issued in the system, who issued the command, and related information. Use this information to review the impact of the SETPROG commands on critical system configuration, security, stability, and performance. A decline in these factors can occur because of unauthorized changes to the APF list, incorrect LPA modifications, enabling or disabling of protection of REFR programs, incorrect tracking settings of directed load modules, and so on.
As a security administrator, you can rely on this report to monitor authorized changes and prevent unauthorized modifications.
System | Date | Time | Userid | Name | From | Event | Command | Details |
|---|---|---|---|---|---|---|---|---|
TSOP | 2019-02-12 | 13:37:46 | REXXBAT | Unknown | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSSLOAD,VOL=NC3998 | System Command |
TSOP | 2019-02-12 | 13:37:45 | REXXBAT | Unknown | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSSLOAD,VOL=NC3997 | System Command |
TSOP | 2019-02-12 | 13:37:44 | REXXBAT | Unknown | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSSLOAD,VOL=NC3996 | System Command |
TSOP | 2019-02-12 | 13:37:43 | REXXBAT | Unknown | CONSOLE | CONS | SETPROG APF,ADD,DSN=ISVR.RSS.QA.ZDT.RSSLOAD,VOL=NC3995 | System Command |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATE | Date the command was executed |
TIME | Time the command was executed |
USERID | User ID that issued the command |
NAME | Name of the user, if available |
FROM | Where the command was entered |
EVENT | Internal event type or SMF Event and Event Qualifier Event refers to the SMF Event/Code Qualifier documented in the IBM SMF manuals, or CONS for a command entered at the system console. |
COMMAND | Command that was entered |
DETAILS | Internal event type |
SETROPTS
The SETROPTS Commands report lists all SETROPTS commands issued in the system that allow you to customize system security options in RACF. Use this information to maintain a secure environment by reviewing the changes made via the SETROPTS commands.
As a security administrator, this can help you promptly address deviations if the changes do not align with the security policies in your environment.
System | Date | Time | Userid | User Name | Port Of Entry | Event | Description | Command |
|---|---|---|---|---|---|---|---|---|
TSOP | 2019-02-14 | 12:15:59 | AUSER | Fred Smith | A05TCP45 | 1800 | SETROPTS command | SETROPTS RACLIST(XFACILIT) REFRESH |
TSOP | 2019-02-14 | 12:14:15 | BUSER | Dave Jones | A05TCP57 | 1800 | SETROPTS command | SETROPTS GENERIC(DATASET) REFRESH |
TSOP | 2019-02-14 | 12:11:29 | CUSER | Bert Williams | A05TCP34 | 1800 | SETROPTS command | SETROPTS RACLIST(STARTED) REFRESH |
TSOP | 2019-02-14 | 12:09:23 | DUSER | Tina Brown | A05TCP19 | 1800 | SETROPTS command | SETROPTS RACLIST(OPERCMDS) REFRESH |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATE | Date the command was executed |
TIME | Time the command was executed |
USERID | User ID that issued the command |
USER NAME | Name of the user, if available |
PORT OF ENTRY | Where the command was entered |
EVENT | Internal event type or SMF event and event qualifier Event refers to the SMF event/code qualifier documented in the IBM SMF manuals, or CONS for a |
DESCRIPTION | Command that was entered |
COMMAND | Internal event types |
All z/OS Commands
The All z/OS Commands report lists all z/OS commands issued in the system, who issued the command, and related information. Use this information to perform a security audit and report anomalies. This helps you monitor commands, detect unauthorized or suspicious activities, assess compliance with security policies, and identify potential vulnerabilities.
As a security administrator, you can investigate any unexpected or high-impact commands, and take corrective actions as needed to assert system integrity and security.
System | Date | Time | Userid | User Name | Port Of Entry | Event | Description | Command |
|---|---|---|---|---|---|---|---|---|
TSOP | 2019-02-14 | 12:15:59 | AUSER | Fred Smith | A05TCP45 | 1800 | SETROPTS command | SETROPTS RACLIST(XFACILIT) REFRESH |
TSOP | 2019-02-14 | 12:14:15 | BUSER | Dave Jones | A05TCP57 | 1800 | SETROPTS command | SETROPTS GENERIC(DATASET) REFRESH |
TSOP | 2019-02-14 | 12:11:29 | CUSER | Bert Williams | A05TCP34 | 1800 | SETROPTS command | SETROPTS RACLIST(STARTED) REFRESH |
TSOP | 2019-02-14 | 12:09:23 | DUSER | Tina Brown | A05TCP19 | 1800 | SETROPTS command | SETROPTS RACLIST(OPERCMDS) REFRESH |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATE | Date the command was executed |
TIME | Time the command was executed |
USERID | User ID that issued the command |
USER NAME | Name of the user, if available |
PORT OF ENTRY | Where the command was entered |
EVENT | Internal event type or SMF event and event qualifier Event refers to the SMF event/code qualifier documented in the IBM SMF manuals, or CONS for a |
DESCRIPTION | Command that was entered |
COMMAND | Internal event types |
Resources
Click Resources and select one of the following reports to display information about RACF general resources:
- Missing Profiles > OPERCMD
- Missing Profiles > STGADMIN
- Missing Profiles > UNIXPRIV
- Missing Profiles > Command Verifier
- Missing Profiles > Certificate
- Certificates > All Profiles
- Certificates > Expiring
- Certificates > Expired
- Certificates > All
- Misconfigured Settings > CICS SIT
- Misconfigured Settings > IMS
- Misconfigured Settings > DB2
- Misconfigured Settings > MQ
- Software Security Settings > CICS SIT
- Software Security Settings > IMS
- Software Security Settings > DB2
- Software Security Settings > MQ
- Recommended Security Settings
- Profiles with Inappropriate Audit
- All Profiles
- Global Access Table
Missing Profiles > OPERCMD
The Missing OPERCMD Profiles report identifies profiles associated with the OPERCMD resource class that are missing or not properly defined. Use this information to identify and review inadequately configured OPERCMD profiles, define and configure the required profiles, and assign appropriate access and permissions to only users authorized for each action.
As a security administrator, you can address security concerns arising out of unauthorized access to critical system commands.
System | Class | Profile | Purpose | Recommended |
|---|---|---|---|---|
TSOP | OPERCMDS | MVS.SET.PROG.** | Modify APF Libraries | Access must be limited to authorized personnel only. Preferably only accessible via PAM ids. Should have UACC(NONE) and AUDIT(SUC(READ) FAIL(READ)) |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | OPERCMDS profile |
PURPOSE | Purpose of the RACF profile |
RECOMMENDED | BMC recommendations |
Missing Profiles > STGADMIN
The Missing STGADMIN Profiles report lists storage administration profiles in the FACILITY and XFACILIT classes related to the STGADMIN resource class that are absent or incorrectly set up. Use this information to verify that STGADMIN profiles are properly defined and that storage administration tasks are restricted to authorized personnel only. Defining and configuring these profiles reduces the need for superuser authority and minimizes security risks.
As a security administrator, you can ensure that storage management functions, such as compression, ACL overrides, and changing permissions, are protected and secure.
System | Class | Profile | Purpose | Recommended |
|---|---|---|---|---|
TSOP | FACILITY | STGADMIN.ADR.CONVERTV | Convert VTOC to SMS | Require READ access to use. Restrict access to this |
TSOP | FACILITY | STGADMIN.ADR.COPY.BYPASSACS | Copy data sets bypassing ACS routines | Require READ access to use. Restrict access to this |
TSOP | FACILITY | STGADMIN.ADR.COPY.INCAT | INCAT processing | Require READ access to use. Restrict access to this |
TSOP | FACILITY | STGADMIN.ADR.COPY.PROCESS.SYS | Copy SYS1 data sets | Require READ access to use. Restrict access to this |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | STGADMIN profile |
PURPOSE | Purpose of the RACF profile |
RECOMMENDED | BMC recommendations |
Missing Profiles > UNIXPRIV
The Missing UNIXPRIV Profiles report lists profiles with z/OS UNIX privileges related to the UNIXPRIV resource class that are missing or misconfigured. Use this information to validate that UNIXPRIV profiles are correctly set up.
This ensures proper access control for UNIX-related resources. You can create user profiles without superuser authority and grant them specific privileges using these UNIXPRIV profiles with fine granularity. This enhances security of your mainframe environment by ensuring user privileges are granted only where necessary.
As a security administrator, you can ensure controlled access to superuser-level actions, such as changing ownership or managing ACLs. You can activate and inactivate the UNIXPRIV class and define profiles with the necessary permissions to authorized UNIX administrators.
System | Class | Profile | Purpose | Recommended |
|---|---|---|---|---|
TSOP | UNIXPRIV | SUPERUSER.IPC.RMID | Release IPC resources (ipcrm) | Require READ access to use. Limit to UNIX processes/debuggers |
TSOP | UNIXPRIV | SUPERUSER.PROCESS.KILL | Issue kill to processes | Require READ access to use. Limit to UNIX processes/debuggers |
TSOP | UNIXPRIV | SUPERUSER.PROCESS.PTRACE | Use ptrace through dbx debugger | Require READ access to use. Limit to UNIX processes/debuggers |
TSOP | UNIXPRIV | SUPERUSER.SETPRIORITY | Increase own priority | Require READ access to use. Limit to Storage Admin Group |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | UNIXPRIV profile |
PURPOSE | Purpose of the RACF profile |
RECOMMENDED | BMC recommendations |
Missing Profiles > Command Verifier
The Missing Command Verifier Profiles report lists instances where profiles related to the Command Verifier (C4R) in the XFACILIT resource class are absent. Use this information to understand which profiles are missing, and ensure that the C4RPIER module is correctly configured and that zSecure Command Verifier is up-to-date.
As a security administrator, you can investigate unauthorized attempts to access system resources.
System | Class | Profile | Purpose | Recommended |
|---|---|---|---|---|
TSOP | XFACILIT | C4R.EXEMPT | Allows certain users to be exempt from policy enforcement | If you are installing Command Verifier for the first time, ensure that 1 or 2 users are permitted |
TSOP | XFACILIT | C4R.USER.ATTR.AUDITOR.** | Prevents system AUDITOR from being granted to users | Very few users should have this access Set default universal access authority (UACC) to NONE. |
TSOP | XFACILIT | C4R.USER.ATTR.OPERATIONS.** | Prevents system OPERATIONS from being granted to users | Very few users should have this access Set UACC to NONE. |
TSOP | XFACILIT | C4R.USER.ATTR.SPECIAL.** | Prevents system SPECIAL from being granted to users | Very few users should have this access Set UACC to NONE. |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | Class name to which the profile belongs |
PROFILE | Command verifier profile |
PURPOSE | Profile owner |
RECOMMENDED | BMC recommendations for this setting |
Missing Profiles > Certificate
The Missing Certificate Profiles report lists RACF certificate management-related profiles in the FACILITY class, which are not defined. It includes all the recommended general resource profiles related to digital certificates that are not defined to RACF. Use this information to ensure that only authorized personnel have access to commands used to store and maintain digital certificate information in RACF.
As a security administrator, you can ensure that digital certificate information is stored securely without any unauthorized access or change attempts.
System | Class | Profile | Recommended |
|---|---|---|---|
TSOP | FACILITY | IRR.DIGTCERT.** | Set UACC/ID(*) to NONE. READ allows users to issue the RACDCERT commands for themselves, UPDATE for others and CONTROL for SITE and CERTAUTH certificates |
TSOP | FACILITY | IRR.DIGTCERT.CHECKCERT | Set UACC/ID(*) to NONE. READ allows users to issue the RACDCERT commands for themselves, UPDATE for others and CONTROL for SITE and CERTAUTH certificates |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | Missing RACF profile |
RECOMMENDED | BMC recommended profile |
Certificates > All Profiles
The All Certificate Profiles report lists all the general resource profiles related to the maintenance of digital certificates including Profile name, Owner, Universal Access, Audit controls, and ACL Count. Use this information to verify the validity of the profile definitions and make necessary updates or deletions to maintain system security.
As a security administrator, you can identify and validate access to maintain certificates, ensuring proper configuration and security.
System | Class | Profile | Owner | UACC | Warn | Audit S/F | ID(*) | Level | ACL count |
|---|---|---|---|---|---|---|---|---|---|
TSOP | FACILITY | IRR.DIGTCERT.* | TSGDL | None | N | /R |
| 0 |
|
TSOP | FACILITY | IRR.DIGTCERT.ADD | TSGCG | None | N | /R | R | 0 | 7 |
TSOP | FACILITY | IRR.DIGTCERT.ADDRING | TSGCG | None | N | /R | R | 0 | 7 |
TSOP | FACILITY | IRR.DIGTCERT.ALTER | TSGCG | None | N | /R | R | 0 | 7 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | RACF profile |
OWNER | Profile owner |
UACC | RACF universal ACCess setting |
WARN | Whether the WARNING attribute is on |
AUDIT S/F | Audit successes and failures The audit levels can have the following values:
For example, U/R is equal to Success(Update)/Failures(Read). |
ID(*) | Default access for the profile |
LEVEL | Resource level |
ACL COUNT | Number of users on the access list |
Certificates > Expiring
The Expiring Certificates report provides a comprehensive list of certificates that are due to expire in 365 days or less. It includes details such as the certificate label, start date, end date, owner, days to expiry, and the certificate profile. Use this information to proactively renew or replace expiring certificates and avoid service disruptions.
As a security administrator, you can proactively manage expiring certificates, safeguard security, and ensure compliance within the mainframe environment.
System | Label | Owner | Start Date | End Date | Days to Expiry | Profile |
|---|---|---|---|---|---|---|
TSOP | DefaultzOSMFCert.IZUDFLT.QAP5 | AVUSTR | 2018/03/11 | 2023/05/17 | 5 | 12.CN=z/OSMF�CertAuth�for�Security�Domain.OU=IZUDFLT |
TSOP | DefaultzOSMFCert.IZUDFLT.QAP2 | AVUSTR | 2018/03/16 | 2023/05/17 | 5 | 13.CN=z/OSMF�CertAuth�for�Security�Domain.OU=IZUDFLT |
TSOP | DefaultzOSMFCert.IZUDFLT.QAP3 | AVUSTR | 2018/03/16 | 2023/05/17 | 5 | 14.CN=z/OSMF�CertAuth�for�Security�Domain.OU=IZUDFLT |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
LABEL | Digital certificate label |
OWNER | Certificate owner, CERTAUTH (CA), or SITE (site certificate) |
START DATE | Certificate start date, if available |
END DATE | Certificate expiration date |
DAYS TO EXPIRY | Number of days until the certificate expires |
PROFILE | RACF profile protecting the certificate |
Certificates > Expired
The Expired Certificates report provides a detailed list of digital certificates that have already expired and not been deleted. It includes information such as the certificate label, start and end date, owner, days since expiry, and the certificate profile. Use this information to manage expired certificates that might cause security vulnerabilities or service disruptions.
As a security administrator, you can promptly ensure that the mainframe environment remains secure and compliant.
System | Label | Owner | Start Date | End Date | Days After Expiry | Profile |
|---|---|---|---|---|---|---|
TSOP | ZBASIL_TEST.NEW | AVUSTR | 2022/05/04 | 2023/05/04 | 7 | 01.CN=ZBASIL.CA.OU=ZBASIL�CA.O=EC�TEST.L=ALTON.SP=HANTS.C=GB |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
LABEL | Digital certificate label |
OWNER | Certificate owner, CERTAUTH (CA), or SITE (site certificate) |
START DATE | Certificate start date, if available |
END DATE | Certificate expiration date |
DAYS AFTER EXPIRY | Number of days after the certificate expired |
PROFILE | RACF profile protecting the certificate |
Certificates > All
The All Certificates report provides a comprehensive list of all digital certificates managed within the mainframe environment. It includes details such as the certificate label, start and end dates, and the certificate profile. Use this information to gain a complete overview of the certificates in use.
As a security administrator, you can regularly review this information to identify and address any issues related to certificates, ensuring a secure and compliant mainframe environment.
System | Label | Owner | Start Date | End Date | Profile |
|---|---|---|---|---|---|
TSOP | ZBASIL_TEST.NEW | AVUSTR | 2022/05/04 | 2023/05/04 | 01.CN=ZBASIL.CA.OU=ZBASIL�CA.O=EC�TEST.L=ALTON.SP=HANTS.C=GB |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
LABEL | Digital certificate label |
OWNER | Certificate owner, CERTAUTH (CA), or SITE (site certificate) |
START DATE | Certificate start date, if available |
END DATE | Certificate expiration date |
PROFILE | RACF profile protecting the certificate |
Misconfigured Settings > CICS SIT
The Misconfigured CICS SIT Settings report lists security configurations in CICS sessions defined in the CICS system initialization table (SIT) that conflict with BMC recommendations. This report includes information about improperly configured security settings, such as unauthorized access and incorrect permissions. Use this information to correct these misconfigurations and to ensure that access controls are properly enforced and the system remains secure.
As a security administrator, you can identify security misconfigurations to correct them and maintain system integrity and compliance with security policies.
System | Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|---|
TSOP | CICSTS55 | CONFDATA | Show | HIDETC | Determines whether user data to appear in traces or dumps. This data could be used to penetrate the system. | Default is SHOW. This may have SOX implications |
TSOP | CICSTS55 | CONFTXT | No | Yes | Determines whether user data to appear in traces or dumps. This data could be used to penetrate the system. | Default is NO VTAM can trace user data. |
TSOP | CICSTS55 | GMTRAN | CESN | CSGM | Specifies the initial transaction that will be executed. | Default is CSGM. Specify an ATI transaction that will be run. |
TSOP | CICSTS55 | SECPRFX | No | Yes | This parameter allows for segregation of access to separate regions. CICS will prefix all resource names with the CICS userid ID when talking to the ESM | YES is generally recommended if multiple CICS systems are running. |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
REGION | CICS region name |
SETTING | System name |
CURRENT | Current value |
RECOMMENDED | BMC recommended value |
PURPOSE | Description of the purpose of the setting |
NOTES | Supplementary notes regarding the BMC recommendation |
Misconfigured Settings > IMS
The Misconfigured IMS Settings report lists IBM Information Management System (IMS) environment settings that conflict with BMC recommendations. It provides information about improperly configured security settings, such as unauthorized access, outdated or incorrect permissions, and deviations from BMC recommendations in integrating with IMS.
Use this information to correct these misconfigurations, adjust access controls, and enforce stringent security policies to ensure that IMS environments are configured securely in line with organizational and regulatory requirements.
As a security administrator, you can address configuration and access concerns to help maintain a secure and compliant mainframe system.
System | Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
REGION | IMS region name |
SETTING | System name |
CURRENT | Current value |
RECOMMENDED | BMC recommended value |
PURPOSE | Description of the purpose of the setting |
NOTES | Supplementary notes regarding the recommendation |
Misconfigured Settings > DB2
The Misconfigured Db2 Settings report lists Db2 environment settings that conflict with BMC recommendations. Potential security misconfigurations in the Db2 database environment can include issues such as incorrect user access levels, improperly assigned roles, and discrepancies between the ESM and Db2 access control settings. Use this information to gain insights into areas in which access controls might be lenient or inconsistent with security policies, and correct user permissions to ensure that the Db2 security settings align with organizational security standards.
As a security administrator, you can mitigate risks and enhance the overall security posture of the mainframe system.
System | Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
REGION | Db2 region name |
SETTING | System name |
CURRENT | Current value |
RECOMMENDED | BMC recommended value |
PURPOSE | Description of the purpose of the setting |
NOTES | Supplementary notes regarding the recommendation |
Misconfigured Settings > MQ
The Misconfigured MQ Settings report lists MQ environment settings that conflict with BMC recommendations. This can include issues such as improper user access, unsecured queue permissions, and discrepancies between the ESM and MQ security configurations.
Use this information to identify potential vulnerabilities where unauthorized users might be able to gain access to sensitive messages or queues. You can adjust user roles, refine access controls, and enforce security policies to ensure that MQ settings are tightly controlled.
As a security administrator, you can monitor and manage these misconfigurations, prevent unauthorized access, and enhance the overall security of the messaging infrastructure.
System | Region | Setting | Current | Recommended | Purpose | Notes |
|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
REGION | MQ region name |
SETTING | System name |
CURRENT | Current value |
RECOMMENDED | BMC recommended value |
PURPOSE | Description of the purpose of the setting |
NOTES | Supplementary notes regarding the recommendation |
Software Security Settings > CICS SIT
The CICS SIT Settings report lists the security settings defined in the CICS system initialization table (SIT) of each active CICS region. This report provides details about the security settings for the CICS (Customer Information Control System) environment and reflects configurations related to resource access and control mechanisms defined in the CICS SIT. Use this information to identify any security vulnerabilities, misconfigurations, or deviations from best practices in CICS settings.
As a security administrator, you can monitor compliance with organizational security policies, and fine-tune access controls, enforce security policies, and enhance the overall protection of CICS applications.
System | Region | Parameter | Current setting |
|---|---|---|---|
TSOP | CICSTS51 | AIEXIT | DFHZATDX |
TSOP | CICSTS51 | APPLIDG | A05CICS1 |
TSOP | CICSTS55 | APPLIDG | A |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
REGION | CICS region name |
PARAMETER | SIT initialization parameter |
CURRENT SETTING | Current setting |
Software Security Settings > IMS
The IMS Security Settings report provides information about the security configurations for IBM Information Management System (IMS) applications defined for each active IMS region. It details access controls and resource protections defined within these applications. Use this information to review how IMS is configured to secure sensitive data and manage user access.
As a security administrator, you can identify potential vulnerabilities and misconfigurations in security policies and ensure that only authorized users can interact with critical IMS data and services. You can thus enforce stronger security policies, prevent unauthorized access, and maintain compliance with security standards.
System | Region | Parameter | Current setting |
|---|---|---|---|
|
|
|
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
REGION | IMS region name |
PARAMETER | SIT initialization parameter |
CURRENT SETTING | Current setting |
Software Security Settings > DB2
The Db2 Security Settings report lists the security settings defined for each active Db2 region. It provides a detailed view of the security configurations for Db2, a relational database management system and outlines settings related to user access controls and resource protections for Db2 databases.
Use this information to detect potential security risks, such as overly permissive access and misconfigured permissions.
As a security administrator, you can fine-tune access controls, regulate authority and access, enforce security policies, strengthen database security, and make sure that the Db2 configurations align with your organizational security standards.
System | Region | Parameter | Current setting |
|---|---|---|---|
|
|
|
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
REGION | IMS region name |
PARAMETER | SIT initialization parameter |
CURRENT SETTING | Current setting |
Software Security Settings > MQ
The MQ Security Settings report lists the security settings defined for each active MQ region. This report provides a detailed overview of the security configurations for IBM MQ. It also highlights access control settings, encryption protocols, user permissions, and authentication methods used within the MQ environment. Use this information to identify potential security risks related to message queuing, such as unauthorized access or weak encryption, and misconfigurations or vulnerabilities that might compromise MQ system integrity.
As a security administrator, you can ensure that sensitive messages and data are protected during transmission. You can adjust security settings, implement tighter controls, and enforce compliance with organizational security policies.
System | Region | Parameter | Current setting |
|---|---|---|---|
TSOP | QCBAMSTR | ACTIVE | Yes |
TSOP | QCBAMSTR | ACTIVE | No |
TSOP | QCBAMSTR | ACTIVE | No |
TSOP | QCBAMSTR | ACTIVE | No |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
REGION | MQ region name |
PARAMETER | Parameter name |
CURRENT SETTING | Current setting |
Recommended Security Settings
The Recommended Profile and Security Settings report lists recommendations for security settings for RACF profiles from the FACILITY (STGADMIN and IRR.DIGTCERT), UNIXPRIV, and OPERCMDS classes.
Use this information to prioritize security updates, remedy identified risks, and ensure compliance with security standards.
As a security administrator, you can make adjustments to minimize vulnerabilities, optimize settings for performance, and strengthen access control, audit settings, and system integrity.
System | Class | Profile | Purpose | Recommended |
|---|---|---|---|---|
TSOP | FACILITY | STGADMIN.IDC.DIAGNOSE.CATALOG | Run DIAGNOSE command against catalogs | Require READ access to use. Restrict access to this |
TSOP | FACILITY | STGADMIN.IDC.DIAGNOSE.VVDS | DIAGNOSE command against a VVDS | Require READ access to use. Restrict access to this |
TSOP | FACILITY | STGADMIN.IDC.EXAMINE.DATASET | Allows use of the IDCAMS EXAMINE command | Require READ access to use. Restrict access to this |
TSOP | FACILITY | STGADMIN.IGG.ALTER.SMS | Allows Storage Class or Management Class to be altered | Require READ access to use. Restrict access to this |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class name |
PROFILE | RACF profile |
PURPOSE | Profile purpose |
RECOMMENDED | BMC recommendations |
Profiles with Inappropriate Audit
The Resource Profiles with Inappropriate Audit report lists all general resource profiles that do not comply with the recommended audit settings, including profiles for which auditing might be disabled or wrongly configured, potentially leaving security events untracked. Use this report to help spot gaps in monitoring audit parameters and to ensure that all critical resources are properly audited for access and activity.
As a security administrator, you can review and update audit settings and ensure proper supervision to mitigate potential security vulnerabilities and enhance detection capabilities, strengthen compliance with audit policies, and improve overall security monitoring.
System | Class | Profile | Owner | UACC | Warn | Audit S/F | ID(*) | Level | ACL Count | Cert Start | Cert End |
|---|---|---|---|---|---|---|---|---|---|---|---|
TSOP | DIGTCERT | 023456.CN=GeoTrust?Global?CA.O=GeoTrust?Inc..C=US | TSGAT | T | N | / |
| 0 |
| 2002-05-21 | 2022-05-21 |
TSOP | FACILITY | AOPADMIN | IBMUSER | N | N | /R |
| 0 | 1 |
|
|
TSOP | FACILITY | AP | #OPSMVS | N | N | /R |
| 0 | 1 |
|
|
TSOP | FACILITY | BPX.CONSOLE | TSGSJ | N | N | /R |
| 0 | 8 |
|
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | RACF profile |
OWNER | Profile owner |
UACC | Universal ACCess for undefined user IDs |
WARN | Whether the WARNING attribute is on |
AUDIT S/F | Audit successes and failures The audit levels can have the following values:
For example, U/R is equal to Success(Update)/Failures(Read). |
ID(*) | Default access for defined user IDs |
LEVEL | The level from the RACF profile definition |
ACL COUNT | Number of users on the access list (ACL) |
CERT START | Start date if a certificate |
CERT END | End date if a certificate |
All Profiles
The All Resource Profiles report lists all general resource profiles from the recommended RACF classes defined in the system. This report includes details such as resource class, resource name, access levels, and audit settings offering a snapshot of how each resource is protected. Use this information to review and audit resource profiles, detect unauthorized or outdated settings, and adjust access controls to align with security policies.
As a Security Administrator, you can identify resource access control configurations and ensure that the appropriate security measures are in place for each resource. You can proactively manage risk and ensure all resources are secured according to best practices to maintain system security and compliance with policies.
System | Class | Profile | Owner | UACC | Warn | Audit S/F | ID(*) | Level | ACL Count | Cert Start | Cert End |
|---|---|---|---|---|---|---|---|---|---|---|---|
TSOP | DIGTCERT | 00.CN=CKNCA.OU=ZSECURE.O=IBM.C=US | TSGTS | T | N | / |
| 0 |
| 2018-05-24 | 2020-01-30 |
TSOP | FACILITY | AOPADMIN | IBMUSER | N | N | /R |
| 0 | 1 |
|
|
TSOP | FACILITY | AP | #OPSMVS | N | N | /R |
| 0 | 1 |
|
|
TSOP | FACILITY | BPX.CONSOLE | TSGSJ | N | N | /R |
| 0 | 8 |
|
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | RACF profile |
OWNER | Profile owner |
UACC | Universal ACCess for undefined user IDs |
WARN | Whether the WARNING attribute is on |
AUDIT S/F | Audit successes and failures The audit levels can have the following values:
For example, U/R is equal to Success(Update)/Failures(Read). |
ID(*) | Default access for defined user IDs |
LEVEL | Level from the RACF profile definition |
ACL COUNT | Number of users on the access list (ACL) |
CERT START | Start date if a certificate |
CERT END | End date if a certificate |
Global Access Table
The Global Access Table report lists all RACF definitions defined in the Global Access Table (GAT).
This provides an overview of global access settings for resources and lists resources with global access permissions, showing which users or groups have wide-ranging access to these resources. Use this report to review access control settings and identify overly permissive access, unauthorized access patterns, or discrepancies in user permissions.
As a security administrator, you can examine the report and take preventive measures to tighten security, reassign resource access rights, and ensure compliance with access control policies, and thus maintain a secure environment for critical resources.
System | Class | Profile | Entry | Access |
|---|---|---|---|---|
TSOP | GLOBAL | DATASET | &RACUID.** | A |
TSOP | GLOBAL | DATASET | SYS1.** | R |
TSOP | GLOBAL | DATASET | SYS1.HELP | R |
TSOP | GLOBAL | DATASET | SYS1.MARK | R |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class – GLOBAL |
PROFILE | RACF profile type |
ENTRY | Global table entry member |
ACCESS | Global access level:
|
System Settings
Click System Settings and select one of the following reports to display information about your RACF and z/OS environment:
- PPT > Entries Specifying NOPASS
- PPT > Entries Defined as NOSWAP
- Misconfigured Settings
- All Settings
- STC Entries with Unprotected User ID
- Inactive Monitored Jobs
PPT > Entries Specifying NOPASS
The PPT Entries Specifying NOPASS in Parmlib report lists all Program Properties Table (PPT) entries that have NOPASS specified in z/OS PARMLIB member SCHEDxx. This report provides information about program entries that might lack security protection. Use this information to identify programs that can access the resources without security protection, and modify these entries to require password protection where necessary.
As a security administrator, you can make sure that only trusted programs have such exceptions and take corrective actions, such as removing unnecessary NOPASS entries or tightening access control policies to mitigate potential vulnerabilities.
System | Program |
|---|---|
TSOP | EPWINIT |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
PROGRAM | Program that has NOPASS in the PPT |
PPT > Entries Defined as NOSWAP
The PPT Entries Defined as NOSWAP in Parmlib report lists all Program Properties Table (PPT) entries with NOSWAP defined in z/OS PARMLIB member SCHEDxx. This report provides information to z/OS about programs that are configured to prevent z/OS from swapping them out to auxiliary storage. The NOSWAP parameter is important to ensure that critical processes or high-priority tasks remain in the main memory for faster execution. Use the information in this report to review and modify these entries to adjust the ability to swap programs based on security policies and requirements.
As a security administrator, you can make sure that essential processes are protected and prevent misuse by non-critical users or unauthorized programs to help maintain system performance and security.
System | Program | Key |
|---|---|---|
TSOP | AZFSTCMN | 2 |
TSOP | BNJLINTX | 8 |
TSOP | BPEINI00 | 7 |
TSOP | BPXBATA2 | 2 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
PROGRAM | Program name in the PPT |
KEY | MVS storage protect key that the program runs under and has been defined in the MVS PPT |
Misconfigured Settings
The Misconfigured Settings report lists all RACF and z/OS settings that might create security vulnerabilities on your system. It identifies settings and configurations that deviate from best practices or established security policies, including misconfigured user permissions, access controls, and system settings. Use this report to review and adjust settings that do not align with policies.
As a security administrator, you can take corrective actions to proactively safeguard the system from threats and ensure optimal configuration to prevent the risk of unauthorized access and data breaches.
System | Type | Setting | Current Value | Recommended | Description | Notes |
|---|---|---|---|---|---|---|
TSOP | PASSWORD | INTERVAL | 30 | 90 | Number of days before user must change password (1-254). | Specify as PASSWORD( INTERVAL(nn)). nn should be <=90 |
TSOP | PASSWORD | MINCHANGE | 0 | 1 | Number of days before user can change password again (0-254). | Specify as PASSWORD(MINCHANGE(nn)). nn should be >=1 |
TSOP | SETROPTS | APPLAUDIT | NOAPPLAUDIT | APPLAUDIT | Enables auditing of APPC transactions | Set as APPLAUDIT |
TSOP | SETROPTS | GENERICOWNER | NOGENERICOWNER | GENERICOWNER | Restricts creation of more specific undercutting profiles | Specify GENERICOWNER |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
TYPE | Setting type Type is either 'SETROPTS', 'PASSWORD', 'SMF' or 'SYSTEM' and |
SETTING | Setting name |
CURRENT VALUE | Current value of the setting from storage |
RECOMMENDED | Recommended setting |
DESCRIPTION | Description of the setting |
NOTES | Notes and recommendations |
All Settings
The All Settings report provides a comprehensive overview of all the RACF, TSS, or ACF2, and z/OS security settings currently configured within the system. This report includes details about user permissions, access controls, password policies, and other critical security parameters. Use this information to assess whether settings align with organizational policies, to identify potential security gaps, and to verify compliance with regulations.
As a security administrator, you can take corrective actions to enhance the overall security posture of your mainframe environment.
System | Type | Setting | Current Value |
|---|---|---|---|
TSOP | PASSWORD | HISTORY | 6 |
TSOP | PASSWORD | INTERVAL | 30 |
TSOP | PASSWORD | MINCHANGE | 0 |
TSOP | PASSWORD | MIXEDCASE | MIXEDCASE |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
TYPE | Setting type |
SETTING | Setting name |
CURRENT VALUE | Current value of the setting from storage |
STC Entries with Unprotected User ID
The Started Task Entries with Unprotected User ID report lists all started tasks (STCs) defined to RACF or TSS that are associated with user IDs lacking proper security protections, which could potentially be exploited. Use this information to investigate whether to increase security measures for these tasks or to reconfigure the security settings of the affected user IDs to prevent exploitation.
As a security administrator, you can secure the user IDs to mitigate potential security risks and ensure that only authorized users can access critical system tasks.
System | Profile | Stuser | Stgroup | Privileged | Trusted | Traced |
|---|---|---|---|---|---|---|
LPAR1 | BPXAS.* | OMVSKERN | OMVSGRP |
|
|
|
LPAR1 | FTPD.* | FTPD |
|
|
|
|
LPAR2 | TCPIP.* | TCPIP | OMVSGRP |
| Yes |
|
LPAR3 | TN3270.* | TN3270 | OMVSGRP |
| Yes |
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
PROFILE | Started task profile name |
STUSER | Started task user IDs associated with the profile |
STGROUP | Started task group associated with the profile |
PRIVILEGED | Whether the task is privileged |
TRUSTED | Whether the task is trusted |
TRACED | Whether the task is traced |
Inactive Monitored Jobs
The Inactive Monitored Jobs report lists all jobs that have been inactive for a specified period but are still being monitored. Use this report to identify dormant, idle, or unauthorized jobs that could pose security risks.
As a security administrator, you can take appropriate actions against anomalies in job activity and remove unnecessary jobs to enhance system security and maintain system performance.
System | Job not running |
|---|---|
TSOP | RSSTAM |
TSOP | CICSTS42 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
JOB NOT RUNNING | Name of the monitored job that appears not to be running |
Users
Click Users and select one of the following reports to display information about RACF users:
- Specific User Activity
- Weak Passwords
- Special and Audit
- Special, Operations, Auditor or ROAudit Privilege
- Operations
- No Password Interval
- UID(0)
- Not used for 90 days
- IBMUSER Not Revoked
- Revoked Special Users
- Duplicate Names
- File Transfers
Specific User Activity
Select Users > Specific User Activity to fetch information about a specific user. Enter the user ID you want to query, and click Submit.
The Detailed User Activity report is displayed as in the following example:
Weak Passwords
The Users with Weak Password report lists all RACF users that have weak passwords defined:
System | Userid | Name | Default Group | Special | Operations | Password Security Level | Generations |
|---|---|---|---|---|---|---|---|
TSOP | AUSER | Tina Smith | GRPAUSR | Y |
| 1 | 4 |
TSOP | BUSER | Fred Brown | GRPAUSR |
|
| 1 | 2 |
TSOP | CUSER | Ann Williams | GRPAUSR |
|
| 3 | 6 |
TSOP | DUSER | Dave Jones | GRPAUSR | Y |
| 2 | 2 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
USERID | User ID |
NAME | Associated name, if available |
DEFAULT GROUP | User ID default group |
SPECIAL | Whether the user has the SPECIAL attribute set |
OPERATIONS | Whether the user has the OPERATIONS attribute set |
PASSWORD SECURITY LEVEL | Type of weak password detected Contact BMC Support for details. |
GENERATIONS | Number of passwords in the password history You can also show if the account has ever been used. |
Special and Audit
The Users with Special and Audit report lists all RACF users that have system special and system audit attributes.
System | Userid | Name | Default Group | Special | Operations | Auditor |
|---|---|---|---|---|---|---|
TSOP | AUSER | Austin Smith | #RSM | Y |
| Y |
TSOP | BUSER | George Brown | #RSM | Y | Y | Y |
TSOP | CUSER | Janet Williams | #RSM | Y | Y | Y |
TSOP | DUSER | Mary White | #RSM | Y | Y | Y |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
USERID | User ID |
NAME | Associated name, if available |
DEFAULT GROUP | User ID's default group |
SPECIAL | Whether the user has the SPECIAL attribute set |
OPERATIONS | Whether the user has the OPERATIONS attribute set |
AUDITOR | Whether the user has the AUDITOR attribute set |
Special, Operations, Auditor or ROAudit Privilege
The Users with Special, Operations, Auditor or ROAudit Privilege report lists all RACF users that have any of Special, Operations, Auditor, or ROAudit attributes.
System | Userid | Name | Default Group | Special | Operations | Auditor | ROAudit |
|---|---|---|---|---|---|---|---|
TSOP | AUSER | Austin Smith | #RSM | Y |
| Y | Y |
TSOP | BUSER | George Brown | #RSM | Y |
| Y | Y |
TSOP | CUSER | Janet Williams | #RSM | Y | Y | Y | |
TSOP | DUSER | Mary White | #RSM | Y |
| Y | Y |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
USERID | User ID |
NAME | Associated name, if available |
DEFAULT GROUP | User ID's default group |
SPECIAL | Whether the user has the SPECIAL attribute set |
OPERATIONS | Whether the user has the OPERATIONS attribute set |
AUDITOR | Whether the user has the AUDITOR attribute set |
| ROAUDIT | Whether the user has the ROAUDITOR set |
Operations
The Users with Operations report lists all RACF users that have system operations attributes.
System | Userid | Name | Default Group | Special | Operations | Auditor |
|---|---|---|---|---|---|---|
TSOP | BATCH01 | BATCH PROCESSING | SYS1 |
| Y |
|
TSOP | RSS | RSS STARTED TASK | #RSM | Y | Y |
|
TSOP | AUSER | Bert Wilson | #RSM | Y | Y | Y |
TSOP | BUSER | Fredda Mayflower | #RSM | Y | Y | Y |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
USERID | User ID |
NAME | Associated name, if available |
DEFAULT GROUP | User ID's default group |
SPECIAL | Whether the user has the SPECIAL attribute set |
OPERATIONS | Whether the user has the OPERATIONS attribute set |
AUDITOR | Whether the user has the AUDITOR attribute set |
No Password Interval
The Users with No Password Interval report lists all RACF users that do not have a password interval defined:
System | Userid | Name | Default Group | Special | Operations | Auditor |
|---|---|---|---|---|---|---|
TSOP | AUSER | Ernie Brown | #RSM |
|
|
|
TSOP | BUSER | Phill Smith | #RSM | Y |
|
|
TSOP | CUSER | Joe Smith | #RSM | Y |
|
|
TSOP | DUSER | Sue Wilson | #RSM | Y | Y | Y |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
USERID | User ID |
NAME | Associated name, if available |
DEFAULT GROUP | User ID's default group |
SPECIAL | Whether the user has the SPECIAL attribute set |
OPERATIONS | Whether the user has the OPERATIONS attribute set |
AUDITOR | Whether the user has the AUDITOR attribute set |
UID(0)
The Users with UID(0) report lists all RACF users that have UID(0) defined, that is, superuser attribute in Unix System Services (USS):
System | Userid | Name | Default Group | Special | Operations | Auditor |
|---|---|---|---|---|---|---|
TSOP | ADCDMST | ADCD MASTER | SYS1 |
|
|
|
TSOP | BATCH01 | BATCH PROCESSING | SYS1 |
| Y |
|
TSOP | BPXOINIT | BPXOINIT | SYS1 |
|
|
|
TSOP | AUSER | Brian Small | #RSM |
|
| Y |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
USERID | User ID |
NAME | Associated name, if available |
DEFAULT GROUP | User ID's default group |
SPECIAL | Whether the user has the SPECIAL attribute set |
OPERATIONS | Whether the user has the OPERATIONS attribute set |
AUDITOR | Whether the user has the AUDITOR attribute set |
Not used for 90 days
The Users not used for 90 days report lists all RACF users that have not been used for the past 90 days:
System | Userid | Name | Default Group | Special | Operations | Auditor | Last connect date | NumDays |
|---|---|---|---|---|---|---|---|---|
TSOP | ADCDMST | ADCD MASTER | SYS1 |
|
|
| 17Oct2012 | 2311 |
TSOP | ADCDN | ADCDN | TEST |
|
|
| 06Nov2008 | 3752 |
TSOP | ADCDO | ADCDO | TEST |
|
|
| 06Nov2008 | 3752 |
TSOP | ADCDP | ADCDP | TEST |
|
|
| 06Nov2008 | 3752 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
USERID | User ID |
NAME | Associated name, if available |
DEFAULT GROUP | User ID's default group |
SPECIAL | Whether the user has the SPECIAL attribute set |
OPERATIONS | Whether the user has the OPERATIONS attribute set |
AUDITOR | Whether the user has the AUDITOR attribute set |
LAST CONNECT DATE | Date the user last connected |
NUMDAYS | Number of days since last use |
IBMUSER Not Revoked
The IBMUSER Not Revoked report lists IBMUSER details if it does not have the Revoked attribute:
System | Userid | Name | Default Group | Special | Operations | Auditor | Last connect date | Not used x days |
|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
USERID | User ID, IBMUSER |
NAME | Associated name, if available |
DEFAULT GROUP | IBMUSER's default group |
SPECIAL | Whether the user has the SPECIAL attribute set |
OPERATIONS | Whether the user has the OPERATIONS attribute set |
AUDITOR | Whether the user has the AUDITOR attribute set |
LAST CONNECT DATE | Date the IBMUSER last connected |
NOT USED X DAYS | Number of days since last use |
Revoked Special Users
The Revoked Special Users report lists all RACF system special users with the Revoked attribute:
System | Userid | Name | Default Group | Special | Operations | Auditor | Last connect date | Not used x days |
|---|---|---|---|---|---|---|---|---|
TSOP | AUSER | June Smith | PMIUSER | Y |
|
| 13Mar2013 | 2164 |
TSOP | BUSER | Peter Brown | PMIUSER | Y |
|
| 20Oct2010 | 3039 |
TSOP | CUSER | Charlie White | #RSM | Y |
|
| 26Jun2018 | 233 |
TSOP | DUSER | John Wilson | #RSM | Y |
|
| 26Jun2018 | 233 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
USERID | User ID |
NAME | Associated name, if available |
DEFAULT GROUP | User ID's default group |
SPECIAL | Whether the user has the SPECIAL attribute set |
OPERATIONS | Whether the user has the OPERATIONS attribute set |
AUDITOR | Whether the user has the AUDITOR attribute set |
LAST CONNECT DATE | Date the user last connected |
NOT USED X DAYS | Number of days since last use |
Duplicate Names
The Users with Duplicate Names report lists all RACF users that have the same name defined in field 'Name':
System | Userid | Duplicated name | Default Group | Owner | Password Interval | Last use | Passwords in History | Revoke Count | Installation Data |
|---|---|---|---|---|---|---|---|---|---|
TSOP | AUTALERT | AUTOOPERATOR | INGAUTO | TSGTS | 30 | 11Oct2016 | 0 | 0 | AUTOMATION AUTOTASK: USED FOR ALERT BASED NO |
TSOP | BLZ400 | DSN PROFILE ID | #RSM | #RSM | 30 | 27Mar2018 | 0 | 0 | GENERAL DATASET PROFILE ID |
TSOP | BPXROOT | RUI FEIO NO 2 | #RSM | #RSM | 30 | 29Jun2018 | 0 | 0 | 123456 |
TSOP | C2PSUSE2 | ZSECURE ALERT STC | SYSAUDIT | SYSAUDIT | 30 | 13Oct2015 | 0 | 0 |
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
USERID | User ID |
DUPLICATED NAME | Name that is duplicated |
DEFAULT GROUP | Default RACF group (DFLTGRP) |
OWNER | Owner |
PASSWORD INTERVAL | User ID's password interval |
LAST USE | Date of last use |
PASSWORDS IN HISTORY | Number of passwords in the password history for this user |
REVOKE COUNT | Number of unsuccessful password attempts |
INSTALLATION DATA | Displays any INSTDATA |
File Transfers
The User File Transfers report lists the following:
System | Date | Time | System | User | Action | Program | Dataset | Jobname |
|---|---|---|---|---|---|---|---|---|
|
|
|
|
|
|
|
|
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
DATE | Date the file transfer was run |
TIME | Time the file transfer was run |
SYSTEM | System the file transfer was run from |
USER | User ID performing the file transfer |
ACTION | PUT (Send) or GET (Receive) |
PROGRAM | Name of the program used to transfer the file |
DATASET | Name of the data set that was transferred |
JOBNAME | Name of the job that ran the file transfer |
Compliance
Click Compliance and select one of the following reports to display information about security violations detected in the z/OS environment:
Access Violations
The Access Violations report lists all security access violations detected in your z/OS environment:
System | Date | Time | Userid | Name | Class | Resource | Volser | Intent | Allowed |
|---|---|---|---|---|---|---|---|---|---|
TSOP | 2019-02-19 | 14:29:14 | RSS | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.SECURITY | Read | None | |
TSOP | 2019-02-19 | 14:29:14 | RSS | RSS STARTED TASK | MQCMDS | QCBB.DISPLAY.SECURITY | Read | None | |
TSOP | 2019-02-19 | 14:00:16 | RSSCHIP | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.SECURITY | Read | None | |
TSOP | 2019-02-19 | 14:00:16 | RSSCHIP | RSS STARTED TASK | MQCMDS | QCBA.DISPLAY.ARCHIVE | Read | None |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR where the violation is detected |
DATE | Event date |
TIME | Event time |
USERID | User ID who caused the violation |
NAME | User ID's name |
CLASS | Class of the resource that generated the violation |
RESOURCE | Resource that generated the violation |
VOLSER | Volume serial number if appropriate |
INTENT | Access 'intent' by the ESM that is being reported on* |
ALLOWED | Access 'allowed' by the ESM that is being reported on* |
*For more information about access (intent and allowed), see the individual documentation for the ESM for which you are running the report.
Allowlists
Many of the SPM queries can exclude results by using allowlists. Allowlists are defined in the index member of the rules data set and consist of exceptions that can be used to prevent specific users or resources from being reported on as non-compliant.
For example, if only one user ID is allowed to update APF libraries, then an allowlist containing that one user ID can be defined, and the compliance query can specify a clause such as:
AND userid NOT IN (SELECT userid FROM allowlist WHERE type='APF')
The allowlist defined would be:
Allowlist APF
TSGAPF Userid allowed to update APF data sets.
For an example of the allowlist, see Sample-index-member.
Compliance Reports
Select Overview to see the Compliance Overview dashboard that is described in Logging-on-and-viewing-compliance-summaries.
Select All to see all the compliance reports defined on the system, including all policies contained in the index member, their last run time, next run time, and result of the run. For more information, see "Examining all compliance reports" and "To run individual reports" in Logging-on-and-viewing-compliance-summaries.
Select one of the following report categories:
- DISA STIG
- z/OS
- DB2
- RACF (RACF users, only)
- TSS (TSS users, only)
- USS
- TCP/IP
- CICS
- REXX
- (SPE2410) (SPE2507)CIS RACF (RACF users, only)
- (SPE2501)PCI DSS RACF (RACF users, only)
The list of categories might change, depending on your system configuration.
If you add a custom category to the HLQ.RULES(INDEX) member and update the rules with the /f stc, loadrules command (or restart the product), the custom category is displayed in the Compliance menu and the All Compliance Reports table. For an example of the index member, see Sample-index-member.
RACF
Click RACF and select one of the following reports to display information about issues on your RACF environment:
- Profiles with > UACC > None
- Profiles with > ID(*) > None
- Profiles with > Warning
- Profiles with > Empty ACL
- Groups > Owner Not Supgroup
- Groups > Universal Settings
Profiles with > UACC > None
The Profiles with UACC > None report lists all RACF data set and general resource profiles with universal access (UACC) greater than NONE:
System | Class | Profile | Owner | UACC | ID(*) | Warn | S/F Audit | Level |
|---|---|---|---|---|---|---|---|---|
TSOP | APPL | FEKAPPL | TSGSJ | Read |
| N | /R | 0 |
TSOP | APPL | GPMSERVE | TSGSJ | Read |
| N | /R | 0 |
TSOP | APPL | GPM4CIM | TSGSJ | Read |
| N | /R | 0 |
TSOP | CSFSERV | CSF%%C | TSGMK | Read |
| N | /R | 0 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | RACF Profile |
OWNER | Profile owner |
UACC | Universal ACCess setting for the profile |
ID(*) | ID(*) setting for the profile. |
WARN | Whether the WARNING attribute is on |
S/F AUDIT | Audit successes and failures The audit levels can have the following values:
For example, U/R is equal to Success(Update)/Failures(Read). |
LEVEL | Profile level |
Profiles with > ID(*) > None
The Profiles with ID(*) > None report lists all RACF data set and general resource profiles with ID(*) defined in the access control list (ACL) with access greater than NONE:
System | Class | Profile | Owner | UACC | ID(*) | Warn | S/F Audit | Level |
|---|---|---|---|---|---|---|---|---|
TSOP | ACCTNUM | ACCT# | IBMUSER | None | Read | N | /R | 0 |
TSOP | CCICSCMD | ** | TSGMW | None | Read | N | /R | 0 |
TSOP | DATASET | ADCD.** | #RSM | None | Read | N | /R | 0 |
TSOP | DATASET | AFF260.** | #RSM | None | Read | N | /R | 0 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | RACF profile |
OWNER | Profile owner |
UACC | Universal ACCess setting for the profile |
ID(*) | ID(*) setting for the profile |
WARN | Whether the WARNING attribute is on |
S/F AUDIT | Audit successes and failures The audit levels can have the following values:
For example, U/R is equal to Success(Update)/Failures(Read). |
LEVEL | Profile level |
Profiles with > Warning
The Profiles with Warning report lists all RACF data set and general resource profiles in WARNING mode:
System | Class | Profile | Owner | UACC | ID(*) | S/F Audit | Level |
|---|---|---|---|---|---|---|---|
TSOP | DATASET | ISVR.RSS.** | #RSM | Read | Update | R/R | 0 |
TSOP | DATASET | ISVR.RSS.SUE.** | #RSM | Read | Read | R/R | 99 |
TSOP | DATASET | SYS1.PARMLIB | TSGMW | None | Read | /R | 90 |
TSOP | DATASET | TSGAF.CARLA.EXER.** | #RSM | Alter |
| /R | 0 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | RACF profile |
OWNER | Profile owner |
UACC | Universal ACCess setting for the profile |
ID(*) | ID(*) setting for the profile |
S/F AUDIT | Audit successes and failures The audit levels can have the following values:
For example, U/R is equal to Success(Update)/Failures(Read). |
LEVEL | The profile level. |
Profiles with > Empty ACL
The Profiles with an Empty ACL report ists all RACF data set and general resource profiles with no users or groups defined in the access control list (ACL):
System | Class | Profile | Owner | UACC | ID(*) | Warn | S/F Audit | Level |
|---|---|---|---|---|---|---|---|---|
TSOP | ACCTNUM | RSMTST | SYS1 | None |
| N | /R | 0 |
TSOP | APPL | #OPSMVS | #OPSMVS | None |
| N | /R | 0 |
TSOP | APPL | CICSTS3* | TSGMW | None |
| N | /R | 0 |
TSOP | CDT | #TESEMP | SYS1 | None |
| N | /R | 0 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
CLASS | RACF class |
PROFILE | RACF profile |
OWNER | Profile owner |
UACC | Universal ACCess setting for the profile |
ID(*) | ID(*) setting for the profile |
WARN | Whether the WARNING attribute is on |
S/F AUDIT | Audit successes and failures The audit levels can have the following values:
For example, U/R is equal to Success(Update)/Failures(Read). |
LEVEL | Profile level |
Groups > Owner Not Supgroup
The Groups where the Owner is not the Supgroup report lists all RACF groups where the superior group (SupGroup) is different from the owner:
System | Group | Owner | Supgroup | #Sub Groups | #Users | Creation Date YYYY/MM/DD | Installation Data | Universal Group | UACC | Notermuacc | ACL Count |
|---|---|---|---|---|---|---|---|---|---|---|---|
TSOP | #EPSINC | TSGMK | SYS1 |
|
| 2018/05/01 |
| N | NONE |
| 5 |
TSOP | #TIVOMAD | TSGHS | SYS1 |
|
| 2018/08/07 | TIVOLI OUTPUT MANAGER ADMIN | N | NONE |
| 3 |
TSOP | $JMLMAST | TSGNJC | #RSM |
|
| 2018/02/16 |
| N | NONE |
| 3 |
TSOP | $JMLTEMP | TSGNJC | #RSM |
|
| 2018/02/16 |
| N | NONE |
| 1 |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
GROUP | RACF group name |
OWNER | Group owner |
SUPGROUP | Group's superior group |
#SUB GROUPS | Number of subgroups connected to this group |
#USERS | Total connects to this group |
CREATION DATE YYYY/MM/DD | Group creation date |
INSTALLATION DATA | Group's INSTDATA setting |
UNIVERSAL GROUP | Whether it is a universal group |
UACC | Group's Universal ACCess setting |
NOTERMUACC | NOTERMUACCC value |
ACL COUNT | Count of connected users |
Groups > Universal Settings
The Universal Group Settings report lists all Universal groups defined to RACF:
System | Group | Owner | Supgroup | #Sub Groups | #Users | Creation Date | Installation Data | UACC | Notermuacc | ACL Count |
|---|---|---|---|---|---|---|---|---|---|---|
TSOP | #TEST | #RSM | #RSM |
|
| 2011/10/31 |
| NONE |
| 2 |
TSOP | #TEST2 | #RSM | #RSM |
|
| 2011/11/01 |
| NONE |
| 1 |
TSOP | SUBZSEC | ZSECURE | ZSECURE |
|
| 2017/10/18 |
| NONE |
|
|
TSOP | TESTUNIV | #RSM | #RSM |
|
| 2013/09/18 | UNIVSAL TEST GROUP | NONE |
|
|
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
GROUP | RACF group name |
OWNER | Group owner |
SUPGROUP | Group's superior group |
#SUB GROUPS | Number of subgroups connected to this group |
#USERS | Total connects to this group |
CREATION DATE | Group creation date |
INSTALLATION DATA | Whether it is a universal group |
UACC | Group's Universal ACCess setting |
NOTERMUACC | NOTERMUACCC value |
ACL COUNT | Count of connected users |
z/VM
SPMintegrates with BMC AMI Datastream for z/VM (Datastream for z/VM) to displays relevant reports for z/VM.
To support this, the GETRACF EXEC member gathers RACF information regarding users, surrogate profiles, and groups along with information such as user and group access for the z/VM system. The GETRACF EXEC member is part of Datastream for z/VM. For more information, see Installing the z/VM RACF facility.
BMC AMI Datastreamuses an existing database created by SPM. The current allowlist includes SYSPROG, TSOEMER, RACFSECADM, OPSYSFUNC, and AUDITOR. These are commonly used in the z/VM reports and SPM running on z/OS.
The z/VM tables are created as DISK tables in SPM.
To view z/VM reports in SPM, perform the following steps:
- Make sure that you have the BMC AMI Datastream agent running on the SPM LPAR.
- Make sure that you have the BMC AMI Datastream for z/VM agent running on the z/VM system.
- Perform a warm start of SPM to have data populated by BMC AMI Datastream.
Click z/VM and select one of the following reports to display information about issues in your z/VM environment.
All
The z/VM rules summary report lists all the reports relevant to z/VM:
System | Reference | Rule | ESM | Category | Version | Priority | Failures | Last Run | Next Run | Description |
|---|---|---|---|---|---|---|---|---|---|---|
TSOP | ZVM.1 | ZVM00001 | RACF | ZVM | Base | 1 | 0 | Sep 17, 2024 09:13:31 | Sep 18, 2024 09:13:31 | Protecting z/VM surrogate users |
TSOP | ZVM.2 | ZVM00002 | RACF | ZVM | Base | 1 | 1 | Sep 17, 2024 09:13.31 | Sep 18, 2024 09:13:31 | Protecting z/VM logonby resources |
TSOP | ZVM.3 | ZVM00003 | RACF | ZVM | Base | 1 | 0 | Sep 17, 2024 09:13.31 | Sep 18, 2024 09:13:31 | Protecting z/VM allowlists |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
REFERENCE | Reference ID |
RULE | Name of the report in the product |
ESM | Type of ESM |
CATEGORY | Category of the report |
VERSION | Version of the supported compliance rule |
PRIORITY | Priority of the risk reported |
FAILURES | Number of failures |
LAST RUN | Last time when the policy was run |
NEXT RUN | Next time when the policy is to run |
DESCRIPTION | Description of the z/VM report |
Surrogate users
The Protecting z/VM surrogate users report lists surrogate user activity within the z/VM environment. It includes authorized shared user IDs, surrogate users, their privileges, and audit records capturing their actions. Use this information to ensure proper controls and visibility to monitor and secure surrogate user privileges in RACF.
System | Policy fail |
|---|---|
TSOP | Z/vm shared userid RACMAINT should have protected attribute set means NOPASSPHRASE assigned |
TSOP | Z/vm surrogate userid SVMADMIN should be defined to RACF AND assigned to group |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
POLICY FAIL | Reason for which the policy failure is reported |
Logonby resources
The Protecting z/VM logonby resources report lists user logon activity within a z/VM environment. It includes details about successful and failed logon attempts, user IDs, and associated resources accessed during logon. Use this information to monitor user logon activity within a z/VM environment, identify potential security risks and take necessary actions to secure and safeguard the system.
System | Policy fail |
|---|---|
TSOP | Non-authorized userid/group=IBMVM1 has Read access to LOGONBY.RACMAINT |
TSOP | Non-authorized userid/group=VMGUEST has Read access to LOGONBY MAINT |
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
POLICY FAIL | Reason for which the policy failure is reported |
Allowlists
The Protecting z/VM allowlists report displays discrepancies when authorized surrogate user accounts do not have their required associated permissions. Use this information to monitor and manage access control, ensuring that only approved surrogate accounts operate within the system.
The current allowlist includes SYSPROG, TSOEMER, RACFSECADM, OPSYSFUNC, and AUDITOR.
Column | Description |
|---|---|
SYSTEM | Name of the LPAR on which the report is generated |
COMPLIANCE FAILURE | Reason for which the policy failure is reported |