LOG—Control Event and Command Logging

Valid on z/OS and z/VM
Use the LOG control option to perform the following activities:
  • Identify the types of events that Top Secret logs.
  • Specify whether events or commands are logged to the audit/tracking file and System Management Facility (SMF) file.
  • Specify whether to display violation messages.
The LOG option affects all facilities; however, a global LOG command can be overridden by a LOG operand that you enter as a suboption for a specific facility.
A LOG option issued after the startup of Top Secret resets the global LOG options and the LOG setting of every facility.
All entry methods are accepted.
This control option has the following format:
LOG(ACCESS,ACTIVITY,CMDA,CMDS,INIT,MSG,SEC9,SMF)|(NONE)|(ALL)
  • ACCESS
    Logs all resource access, except for DBD, FCT, JCT, LCF, OTRAN, PPT, PROGRAM, and PSB access.
    LOG(ACCESS) produces many records. Writing a large volume of records on the audit/tracking file can cause excessive file wrapping or problems with the CSA storage utilization. If you implement LOG(ACCESS), we recommend performing load testing and logging to SMF instead of the audit/tracking file. To avoid altering Top Secret logging to record all events, use CA Compliance Event Manager to log all security events for later reporting. For complete information, see the CA Compliance Event Manager documentation.
  • ACTIVITY
    Logs all activity for all facilities. This specification is the same as specifying LOG(ACCESS,INIT).
  • ALL
    Selects all log options for all facilities.
  • CMDA
    Writes TSS commands to the audit/tracking file.
    TSSUTIL selection criteria option:
    CLASS(O)
  • CMDS
    Writes TSS commands to the SMF file.
    TSSUTIL selection criteria option:
    CLASS(O)
  • INIT
    Logs all job/session initiations and terminations.
  • NONE
    Deactivates all SMF and audit/tracking file logging, except for violations and audited events, which continue being written to the audit/tracking file.
    If the user facility is in DORMANT mode, no logging takes place unless the permitted resource is specified with ACTION(FAIL).
  • MSG
    Displays violation messages for batch jobs, started tasks, or at the online user's terminal.
    For users in FAIL mode, violation messages always appear, regardless of the MSG setting. Password violations also appear.
  • SEC9
    Routes the following violation summary messages to the security console through route code 9:
    • TSS7100E
    • TSS7220E
    • TSS7200E
    • TSS7250E
  • SMF
    Writes events to the SMF file in addition to the audit/tracking file.
Default:
LOG(SMF, INIT, SEC9, MSG)
Type 80 Format
Top Secret uses SMF type 80 format records. A DSECT (Dummy Control Section) for these records is documented in the installation exit (TSSINSTX) source code.
LOG(ACCESS), LOG(ACTIVITY), and LOG(ALL) are primarily diagnostic tools for Broadcom Support personnel. Because each option produces many records, dumping such a large volume of records on the audit/tracking file might cause excessive wrapping of the file, which means you need a larger file. In short, limit your use of these three options.
Protection of Option
The LOG option is protected by the operator accountability feature. Top Secret prompts the person entering the command for the proper ACID/password combination before processing the LOG option. Top Secret also creates an audit trail identifying the ACID under which the LOG specification was made.
Recording Violations
If the AUDIT DD-statement is entered into the Top Secret started task procedure, then the recording of violations into the audit/tracking file always occurs. Violations are always written to available files. Violation recording cannot be prevented (in all modes except DORMANT), even if LOG(NONE) is entered. See DRC and MSG for instructions on how to tailor and/or suppress violation messages.
Use of Report Utilities
An important prerequisite to the reporting and tracking of security events is the correct specification of log options. TSSUTIL and TSSTRACK can be used to build reports, but only based on data that is stored in the SMF and audit/tracking file.
Example: Log Commands to SMF
This example logs commands to SMF:
LOG(INIT,CMDS,SEC9,MSG)
Example: Log Commands to the Audit/Tracking File
This example logs commands to the audit/tracking file:
LOG(INIT,CMDA,SEC9,MSG)
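Example: Review a LOG Setting Before Deployment
The following Python check is an added example, not part of the product or its documentation. It parses a LOG(...) specification using the operands and default described above, expands ACTIVITY and ALL, and lists what a reviewer would flag. The function names, the case-insensitive parsing, and the reading of ALL as every operand in the format line are assumptions of this example.

```python
import re

# Operand names come from the format line on this page.
OPTIONS = {"ACCESS", "ACTIVITY", "CMDA", "CMDS", "INIT", "MSG", "SEC9", "SMF"}
DEFAULT = "LOG(SMF, INIT, SEC9, MSG)"  # documented default

def parse_log(spec):
    """Return the effective set of LOG options for one LOG(...) specification."""
    m = re.fullmatch(r"\s*LOG\(([^()]*)\)\s*", spec.upper())
    if not m:
        raise ValueError(f"not a LOG(...) specification: {spec!r}")
    names = {n.strip() for n in m.group(1).split(",") if n.strip()}
    if not names:
        raise ValueError("LOG() has no operands")
    unknown = names - OPTIONS - {"NONE", "ALL"}
    if unknown:
        raise ValueError(f"unknown LOG operand(s): {sorted(unknown)}")
    if names & {"NONE", "ALL"} and len(names) > 1:
        raise ValueError("NONE and ALL stand alone in the format line")
    if names == {"NONE"}:
        return set()
    if names == {"ALL"}:      # assumption: ALL means every operand listed above
        names = set(OPTIONS)
    if "ACTIVITY" in names:   # ACTIVITY is the same as LOG(ACCESS,INIT)
        names |= {"ACCESS", "INIT"}
    return names - {"ACTIVITY"}

def review(spec):
    """Return reviewer findings for a setting, based only on this page's text."""
    eff, notes = parse_log(spec), []
    if not eff:
        return ["NONE: only violations and audited events reach the audit/tracking file"]
    if "ACCESS" in eff:
        notes.append("ACCESS active: many records; load test, watch file wrapping and CSA")
    if not eff & {"CMDA", "CMDS"}:
        notes.append("neither CMDA nor CMDS: no TSS command logging requested by this setting")
    if "SEC9" not in eff:
        notes.append("SEC9 off: violation summaries not routed via route code 9")
    if "MSG" not in eff:
        notes.append("MSG off: violation messages shown only where they always appear")
    return notes

if __name__ == "__main__":
    # Constructed sample settings: the default, both page examples, two diagnostic ones.
    for s in (DEFAULT, "LOG(INIT,CMDS,SEC9,MSG)", "LOG(INIT,CMDA,SEC9,MSG)",
              "LOG(ACTIVITY)", "LOG(ALL)"):
        print(s, sorted(parse_log(s)), review(s), sep="\n  ")
```

An empty list from review() means the setting raises none of the points this page makes; it does not validate facility-level LOG suboptions, which can override the global setting.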