Reports for TSS

For details about the Tools menu, see Administering.

Data sets

Click Data sets and select one of the following reports to display information about sensitive data sets:

• Non-Fully Qualified Generic > APF
• Non-Fully Qualified Generic > Other
• Sensitive Data Sets > With *ALL* > None
• Sensitive Data Sets > Uncatalogued
• Sensitive Data Sets > All

Non-Fully Qualified Generic > APF

The APF Data Sets without Fully Qualified Generic profile report lists sensitive data sets that are specified as Authorized Program Facility (APF) libraries and are protected by a generic security profile (for example, SYS1.**) or have no security profile defined (*Unprotected*). Executable code within these data sets can perform sensitive system functions and has access to sensitive data.

Assign unprotected data sets a security profile to make sure that only authorized users have access. Review generic profiles to make sure they grant appropriate access to the data sets.

Non-Fully Qualified Generic > Other

The Other Data Sets with Non-Fully Qualified Generic profiles report lists system data sets that are protected by a generic security profile (for example, SYS1.**) or have no security profile defined (*Unprotected*). These data sets might contain sensitive system parameters that could affect system integrity. They might also include executable modules that provide sensitive system services, reporting or monitoring.

Assign unprotected data sets a security profile to make sure that only authorized users have access. Review generic profiles to make sure that they grant appropriate access to the data sets.

Sensitive Data Sets > With *ALL* > None

The All sensitive resources with *ALL* ACCESS > None report lists all TSS sensitive resources with *ALL* access greater than none:

Sensitive Data Sets > Uncatalogued

The Uncatalogued Sensitive Data Sets report lists sensitive data sets that are not cataloged. Use this information to make sure that all sensitive data sets are properly cataloged, allowing for centralized monitoring and access management. We recommend that you catalog these data sets or remove from the system.

Sensitive Data Sets > All

The All Sensitive Data Sets report lists all sensitive data sets and their file types. Use this information to review your sensitive data landscape so that you can implement proper access controls and security measures. To enhance security, evaluate and strengthen your security based on the report's findings.

Sensitive Commands

Click Sensitive Commands and select one of the following reports to display information about sensitive commands:

• z/OS.SETPROG
• All z/OS Commands

z/OS.SETPROG

The z/OS.SETPROG Commands report lists all z/OS.SETPROG commands issued in the system, who issued the command, and related information. Use this information to review the impact of the SETPROG commands on critical system configuration, security, stability, and performance. A decline in these factors can occur because of unauthorized changes to the APF list, incorrect LPA modifications, enabling or disabling of protection of REFR programs, incorrect tracking settings of directed load modules, and so on.

As a security administrator, you can rely on this report to monitor authorized changes and prevent unauthorized modifications.

All z/OS Commands

The All z/OS Commands report lists all z/OS commands issued in the system, who issued the command, and related information. Use this information to perform a security audit and report anomalies. This helps you monitor commands, detect unauthorized or suspicious activities, assess compliance with security policies, and identify potential vulnerabilities.

As a security administrator, you can investigate any unexpected or high-impact commands, and take corrective actions as needed to assert system integrity and security.

Resources

Click Resources and select one of the following reports to display information about TSS general resources:

• Missing Profiles > OPERCMD
• Missing Profiles > STGADMIN
• Missing Profiles > UNIXPRIV
• Missing Profiles > Command Verifier
• Missing Profiles > Certificate
• Certificates > All Profiles
• Certificates > Expiring
• Certificates > Expired
• Certificates > All
• Misconfigured Settings > CICS SIT
• Misconfigured Settings > IMS
• Misconfigured Settings > DB2
• Misconfigured Settings > MQ
• Software Security Settings > CICS SIT
• Software Security Settings > IMS
• Software Security Settings > Db2
• Software Security Settings > MQ
• Profiles with Inappropriate Audit
• All Profiles

Missing Profiles > OPERCMD

The Missing OPERCMD Profiles report identifies profiles associated with the OPERCMD resource class that are missing or not properly defined. Use this information to identify and review inadequately configured OPERCMD profiles, define and configure the required profiles, and assign appropriate access and permissions to only users authorized for each action.

As a security administrator, you can address security concerns arising out of unauthorized access to critical system commands.

Missing Profiles > STGADMIN

The Missing STGADMIN Profiles report lists storage administration profiles in the FACILITY and XFACILIT classes related to the STGADMIN resource class that are absent or incorrectly set up. Use this information to verify that STGADMIN profiles are properly defined and that storage administration tasks are restricted to authorized personnel only. Defining and configuring these profiles reduces the need for superuser authority and minimizes security risks.

As a security administrator, you can ensure that storage management functions, such as compression, ACL overrides, and changing permissions, are protected and secure.

Missing Profiles > UNIXPRIV

The Missing UNIXPRIV Profiles report lists profiles with z/OS UNIX privileges related to the UNIXPRIV resource class that are missing or misconfigured. Use this information to validate that UNIXPRIV profiles are correctly set up. 

This ensures proper access control for UNIX-related resources. You can create user profiles without superuser authority and grant them specific privileges using these UNIXPRIV profiles with fine granularity. This enhances security of your mainframe environment by ensuring user privileges are granted only where necessary.

As a security administrator, you can ensure controlled access to superuser-level actions, such as changing ownership or managing ACLs. You can activate and inactivate the UNIXPRIV class and define profiles with the necessary permissions to authorized UNIX administrators.

Missing Profiles > Command Verifier

The Missing Command Verifier Profiles report lists instances where profiles related to the Command Verifier (C4R) in the XFACILIT resource class are absent. Use this information to understand which profiles are missing, and ensure that the C4RPIER module is correctly configured and that zSecure Command Verifier is up-to-date.

As a security administrator, you can investigate unauthorized attempts to access system resources.

The Missing Command Verifier Profiles report lists instances where profiles related to the Command Verifier (C4R) in the XFACILIT resource class are absent. Use this information to understand which profiles are missing, and ensure that the C4RPIER module is correctly configured and that zSecure Command Verifier is up-to-date.

As a security administrator, you can investigate unauthorized attempts to access system resources.

Missing Profiles > Certificate

The Missing Certificate Profiles report lists RACF certificate management-related profiles in the FACILITY class, which are not defined. It includes all the recommended general resource profiles related to digital certificates that are not defined to RACF. Use this information to ensure that only authorized personnel have access to commands used to store and maintain digital certificate information in RACF.

As a security administrator, you can ensure that digital certificate information is stored securely without any unauthorized access or change attempts.

Certificates > All Profiles

The All Certificate Profiles report lists all the general resource profiles related to the maintenance of digital certificates including Profile name, Owner, Universal Access, Audit controls, and ACL Count. Use this information to verify the validity of the profile definitions and make necessary updates or deletions to maintain system security.

As a security administrator, you can identify and validate access to maintain certificates, ensuring proper configuration and security.

Certificates > Expiring

The Expiring Certificates report provides a comprehensive list of certificates that are due to expire in 365 days or less. It includes details such as the certificate label, start date, end date, owner, days to expiry, and the certificate profile. Use this information to proactively renew or replace expiring certificates and avoid service disruptions.

As a security administrator, you can proactively manage expiring certificates, safeguard security, and ensure compliance within the mainframe environment.
 

Certificates > Expired

The Expired Certificates report provides a detailed list of digital certificates that have already expired and not been deleted. It includes information such as the certificate label, start and end date, owner, days since expiry, and the certificate profile. Use this information to manage expired certificates that might cause security vulnerabilities or service disruptions. 

As a security administrator, you can promptly ensure that the mainframe environment remains secure and compliant.
 

Certificates > All

The All Certificates report provides a comprehensive list of all digital certificates managed within the mainframe environment. It includes details such as the certificate label, start and end dates, and the certificate profile. Use this information to gain a complete overview of the certificates in use.

As a security administrator, you can regularly review this information to identify and address any issues related to certificates, ensuring a secure and compliant mainframe environment.

Misconfigured Settings > CICS SIT

The Misconfigured CICS SIT Settings report lists security configurations in CICS sessions defined in the CICS system initialization table (SIT) that conflict with BMC recommendations. This report includes information about improperly configured security settings, such as unauthorized access and incorrect permissions. Use this information to correct these misconfigurations and to ensure that access controls are properly enforced and the system remains secure. 

As a security administrator, you can identify security misconfigurations to correct them and maintain system integrity and compliance with security policies.
 

Misconfigured Settings > IMS

The Misconfigured IMS Settings report lists IBM Information Management System (IMS) environment settings that conflict with BMC recommendations. It provides information about improperly configured security settings, such as unauthorized access, outdated or incorrect permissions, and deviations from BMC recommendations in integrating with IMS. 

Use this information to correct these misconfigurations, adjust access controls, and enforce stringent security policies to ensure that IMS environments are configured securely in line with organizational and regulatory requirements.

As a security administrator, you can address configuration and access concerns to help maintain a secure and compliant mainframe system.
 

Misconfigured Settings > DB2

The Misconfigured Db2 Settings report lists Db2 environment settings that conflict with BMC recommendations. Potential security misconfigurations in the Db2 database environment can include issues such as incorrect user access levels, improperly assigned roles, and discrepancies between the ESM and Db2 access control settings. Use this information to gain insights into areas in which access controls might be lenient or inconsistent with security policies, and correct user permissions to ensure that the Db2 security settings align with organizational security standards. 

As a security administrator, you can mitigate risks and enhance the overall security posture of the mainframe system.
 

Misconfigured Settings > MQ

The Misconfigured MQ Settings report lists MQ environment settings that conflict with BMC recommendations. This can include issues such as improper user access, unsecured queue permissions, and discrepancies between the ESM and MQ security configurations. 

Use this information to identify potential vulnerabilities where unauthorized users might be able to gain access to sensitive messages or queues. You can adjust user roles, refine access controls, and enforce security policies to ensure that MQ settings are tightly controlled.

As a security administrator, you can monitor and manage these misconfigurations, prevent unauthorized access, and enhance the overall security of the messaging infrastructure.
 

Software Security Settings > CICS SIT

The CICS SIT Settings report lists the security settings defined in the CICS system initialization table (SIT) of each active CICS region. This report provides details about the security settings for the CICS (Customer Information Control System) environment and reflects configurations related to resource access and control mechanisms defined in the CICS SIT. Use this information to identify any security vulnerabilities, misconfigurations, or deviations from best practices in CICS settings.

As a security administrator, you can monitor compliance with organizational security policies, and fine-tune access controls, enforce security policies, and enhance the overall protection of CICS applications.
 

Software Security Settings > IMS

The IMS Security Settings report provides information about the security configurations for IBM Information Management System (IMS) applications defined for each active IMS region. It details access controls and resource protections defined within these applications. Use this information to review how IMS is configured to secure sensitive data and manage user access. 

As a security administrator, you can identify potential vulnerabilities and misconfigurations in security policies and ensure that only authorized users can interact with critical IMS data and services. You can thus enforce stronger security policies, prevent unauthorized access, and maintain compliance with security standards.
 

Software Security Settings > Db2

The Db2 Security Settings report lists the security settings defined for each active Db2 region. It provides a detailed view of the security configurations for Db2, a relational database management system and outlines settings related to user access controls and resource protections for Db2 databases. 

Use this information to detect potential security risks, such as overly permissive access and misconfigured permissions.

As a security administrator, you can fine-tune access controls, regulate authority and access, enforce security policies, strengthen database security, and make sure that the Db2 configurations align with your organizational security standards.
 

Software Security Settings > MQ

The MQ Security Settings report lists the security settings defined for each active MQ region. This report provides a detailed overview of the security configurations for IBM MQ. It also highlights access control settings, encryption protocols, user permissions, and authentication methods used within the MQ environment. Use this information to identify potential security risks related to message queuing, such as unauthorized access or weak encryption, and misconfigurations or vulnerabilities that might compromise MQ system integrity.

As a security administrator, you can ensure that sensitive messages and data are protected during transmission. You can adjust security settings, implement tighter controls, and enforce compliance with organizational security policies. 
 

Profiles with Inappropriate Audit

The Resource Profiles with Inappropriate Audit report lists all general resource profiles that do not comply with the recommended audit settings, including profiles for which auditing might be disabled or wrongly configured, potentially leaving security events untracked. Use this report to help spot gaps in monitoring audit parameters and to ensure that all critical resources are properly audited for access and activity. 

As a security administrator, you can review and update audit settings and ensure proper supervision to mitigate potential security vulnerabilities and enhance detection capabilities, strengthen compliance with audit policies, and improve overall security monitoring.
 

All Profiles

The All Resource Profiles report lists all general resource profiles from the recommended RACF classes defined in the system. This report includes details such as resource class, resource name, access levels, and audit settings offering a snapshot of how each resource is protected. Use this information to review and audit resource profiles, detect unauthorized or outdated settings, and adjust access controls to align with security policies.

As a Security Administrator, you can identify resource access control configurations and ensure that the appropriate security measures are in place for each resource. You can proactively manage risk and ensure all resources are secured according to best practices to maintain system security and compliance with policies.

System Settings

Click System Settings and select one of the following reports to display information about your TSS and z/OS environment:

• PPT > Entries Specifying NOPASS
• PPT > Entries Defined as NOSWAP
• All Settings
• STC Entries with Unprotected User ID
• Inactive Monitored Jobs
• Misconfigured Settings
• TSSPARM Settings

PPT > Entries Specifying NOPASS

The PPT Entries Specifying NOPASS in Parmlib report lists all Program Properties Table (PPT) entries that have NOPASS specified in z/OS PARMLIB member SCHEDxx. This report provides information about program entries that might lack security protection. Use this information to identify programs that can access the resources without security protection, and modify these entries to require password protection where necessary. 

As a security administrator, you can make sure that only trusted programs have such exceptions and take corrective actions, such as removing unnecessary NOPASS entries or tightening access control policies to mitigate potential vulnerabilities.
 

PPT > Entries Defined as NOSWAP

The PPT Entries Defined as NOSWAP in Parmlib report lists all Program Properties Table (PPT) entries with NOSWAP defined in z/OS PARMLIB member SCHEDxx. This report provides information to z/OS about programs that are configured to prevent z/OS from swapping them out to auxiliary storage. The NOSWAP parameter is important to ensure that critical processes or high-priority tasks remain in the main memory for faster execution. Use the information in this report to review and modify these entries to adjust the ability to swap programs based on security policies and requirements.

As a security administrator, you can make sure that essential processes are protected and prevent misuse by non-critical users or unauthorized programs to help maintain system performance and security.
 

All Settings

The All Settings report provides a comprehensive overview of all the RACF, TSS, or ACF2, and z/OS security settings currently configured within the system. This report includes details about user permissions, access controls, password policies, and other critical security parameters. Use this information to assess whether settings align with organizational policies, to identify potential security gaps, and to verify compliance with regulations. 

As a security administrator, you can take corrective actions to enhance the overall security posture of your mainframe environment.

STC Entries with Unprotected User ID

The Started Task Entries with Unprotected User ID report lists all started tasks (STCs) defined to RACF or TSS that are associated with user IDs lacking proper security protections, which could potentially be exploited. Use this information to investigate whether to increase security measures for these tasks or to reconfigure the security settings of the affected user IDs to prevent exploitation. 

As a security administrator, you can secure the user IDs to mitigate potential security risks and ensure that only authorized users can access critical system tasks.
 

Inactive Monitored Jobs

The Inactive Monitored Jobs report lists all jobs that have been inactive for a specified period but are still being monitored. Use this report to identify dormant, idle, or unauthorized jobs that could pose security risks.

As a security administrator, you can take appropriate actions against anomalies in job activity and remove unnecessary jobs to enhance system security and maintain system performance.

Misconfigured Settings

The Misconfigured Settings report lists

TSSPARM Settings

The TSSPARM Settings report lists

Users

Click Users and select one of the following reports to display information about TSS users:

• Specific User Activity
• Inactive (Non-STC)
• File Transfers
• ACIDs > No 'Last Used' Date
• ACIDs > With NOxxxCHK
• ACIDs > With Non-Expiring Passwords
• ACIDs > With UID(0)

Specific User Activity

Select Users > Specific User Activity to fetch information about a specific user. Enter the user ID you want to query, and click Submit.

The Detailed User Activity report is displayed as in the following example:

Inactive (Non-STC)

The All Inactive Non-STC Users report lists user accounts that are inactive and not associated with started tasks.

File Transfers

The User File Transfers report lists the following:

ACIDs > No 'Last Used' Date

The ACIDs with no 'Last Used' Date report lists the following:

ACIDs > With NOxxxCHK

In the ACIDs with NOxxxCHK report, for the listed ACID with expanded privileges, the access and activity are logged, but the specified security checks are not performed.

ACIDs > With Non-Expiring Passwords

The ACIDs with Non-Expiring Passwords report lists the following:

ACIDs > With UID(0)

The ACIDs with UID(0) report lists users with UID(0)—that is, users with root accounts (also referred to as superusers).

Compliance

Click Compliance and select one of the following reports to display information about security violations detected in the z/OS environment:

Access Violations

The Access Violations report lists all security access violations detected in your z/OS environment:

*For more information about access (intent and allowed), see the individual documentation for the ESM for which you are running the report.

Allowlists

Many of the SPM queries can exclude results by using allowlists. Allowlists are defined in the index member of the rules data set and consist of exceptions that can be used to prevent specific users or resources from being reported on as non-compliant.

For example, if only one user ID is allowed to update APF libraries, then an allowlist containing that one user ID can be defined, and the compliance query can specify a clause such as:
AND userid NOT IN (SELECT userid FROM allowlist WHERE type='APF')

The allowlist defined would be:

For an example of the allowlist, see Sample-index-member.

Compliance Reports

Select Overview to see the Compliance Overview dashboard that is described in Logging-on-and-viewing-compliance-summaries.

Select All to see all the compliance reports defined on the system, including all policies contained in the index member, their last run time, next run time, and result of the run. For more information, see "Examining all compliance reports" and "To run individual reports" in Logging-on-and-viewing-compliance-summaries.

Select one of the following report categories:

• DISA STIG
• z/OS
• DB2
• RACF (RACF users, only)
• TSS (TSS users, only)
• USS
• TCP/IP
• CICS
• REXX
• (SPE2410) (SPE2507)CIS RACF (RACF users, only)
• (SPE2501)PCI DSS RACF (RACF users, only)

The list of categories might change, depending on your system configuration.

If you add a custom category to the HLQ.RULES(INDEX) member and update the rules with the /f stc, loadrules command (or restart the product), the custom category is displayed in the Compliance menu and the All Compliance Reports table. For an example of the index member, see Sample-index-member.

TSS

Click TSS and select the Resources with *ALL* Access > None report to display information about issues on your TSS environment: