TSSUTIL Utility

The TSSUTIL batch utility processes security-related activity that is recorded in SMF data sets and the CA Top Secret Audit/Tracking File. Security administrators use TSSUTIL to perform the following activities:
  • Produce reports about activity.
  • Archive activity.
In a single TSSUTIL execution, you can generate multiple different reports that are based on the same SMF or Audit/Tracking File input data.
Archive Security-Related Activity
To use TSSUTIL to report and archive the security-related activity:
  1. Configure logging options to ensure that relevant security information is available for archiving and reporting.
  2. Assemble JCL for the TSSUTIL job. JCL includes the following components:
    • DD statements (if using the SMF input)
    • Verbs (EXTRACT to archive security incidents and REPORT to report on incidents)
    • Selection criteria (to select types of incidents to process)
  3. Submit the JCL to execute TSSUTIL.
    CA Top Secret extracts data or produces reports according to your specifications.
TSSUTIL Utility Usage Considerations
The following considerations affect the TSSUTIL utility:
  • Reports are produced with events in the order they are found in the SMF or Audit/Tracking Files. No sorting is performed. For SMF data sets, the order is normally chronological. When the input is the CA Top Secret Audit/Tracking File, the records appear in the order in which they are stored, starting from the beginning of the file. If the file wrapped or if an audit file switch occurred, the report may not be in chronological order. Use the CA SORT or DFSORT utilities to create an input file sorted by date. For information, see the section TSSUTIL JCL.
  • Report and tracking depend upon the correct specification of logging options. The LOG control option lets you specify the type of events to be logged, where logging information is recorded, and where the violation notification is to be made.
  • The following logging options are required to record the related security information for later reporting with TSSUTIL:
    LOG(INIT,...) requests logging of all job/session initiations and terminations.
    LOG(SMF,...) requests SMF recording of selected events.
    LOG(ACCESS,...) requests logging of all resource access.
  • Logging options can be set globally by the LOG control option or by facility using the LOG suboption of the FACILITY control option.
  • Security violations are reported in the EVENT(AUDIT) report. To obtain audited events other than security violations, run the EVENT(AUDIT) report and audit events for resources or user activity with one of the following commands:
    TSS ADDTO(acid) AUDIT
    TSS PERMIT(acid) resclass(resource) ACTION(AUDIT)
    TSS ADDTO(AUDIT) resclass(resourcename)
    TSS MODIFY FACILITY(facilityname=AUDIT)
  • The Audit/Tracking Files should be backed up using the TSSARCHI job that is provided in CAI.CAKOJCL0. This job uses the EXTRACT keyword to retrieve all events that are recorded in the Audit/Tracking Files and places them on tape using the DCB attributes RECFM=VB and LRECL=465.
  • The EXTRACT function produces the SMFOUT file, XTROUT file, or both depending on the situation. For a description of these files, see the explanation of the EXTRACT keyword.
  • For z/OS 1.9 and above, SMF data may be sent to the LOGGER services, which control the writing of SMF data in LOGSTREAM structures. In that case, SMF data is not recorded in the usual SYS1.MANx data sets. The TSSRPTST utility can read the data when:
    • The LOGR services are active on the system with the definitions that contain the SMF data.
    • A LOGR subsystem is active on the system.
    • An IEFSSNxx member is defined and activated at IPL time with the definition:
      SUBSYS SUBNAME(LOGR) INITRTN(IXGSSINT)
    The RECxxxxx DD used to read the data has the following format:
      //RECxxxxx DD DSN=IFASMF.DATA.LOGSTRM,DISP=SHR,
      // SUBSYS=(LOGR,IFASEXIT,subsys-options1,subsys-options2)
    The subsys-options1 parameters are as follows:
      [FROM={({[yyyy/ddd][,hh:mm[:ss]] }) | OLDEST}]
      [TO={({[yyyy/ddd][,hh:mm[:ss]] }) | YOUNGEST}]
      [,DURATION=(nnnn,HOURS)]
      [,VIEW={ACTIVE|ALL|INACTIVE}]
      [,GMT|LOCAL]
    The subsys-options1 parameters that are used by the IBM IFASEXIT are the same parameters used by the IFBSEXIT.
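The following Python helper is an added example, not part of the product documentation. It renders an incident window as a subsys-options1 string in the FROM/TO/VIEW/GMT|LOCAL syntax shown above, converting calendar dates to the yyyy/ddd day-of-year form and converting GMT bounds to UTC. The function names and sample timestamps are hypothetical, and the comma separation between FROM and TO is an assumption.

```python
from datetime import datetime, timedelta, timezone

VIEWS = {"ACTIVE", "ALL", "INACTIVE"}  # VIEW values listed in the syntax above


def _bound(value, keyword, as_gmt):
    """Render one FROM/TO bound as (yyyy/ddd,hh:mm:ss), or return the keyword."""
    if value is None:
        return keyword  # OLDEST or YOUNGEST
    if as_gmt:
        if value.tzinfo is None:
            raise ValueError("GMT bounds must be timezone-aware datetimes")
        value = value.astimezone(timezone.utc)
    elif value.tzinfo is not None:
        raise ValueError("LOCAL bounds must be naive times in the system's local time")
    # %j is the zero-padded day of the year (001-366), which is the ddd field.
    return value.strftime("(%Y/%j,%H:%M:%S)")


def logr_window(start=None, end=None, *, gmt, view=None):
    """Build a subsys-options1 string (hypothetical helper, not a product API)."""
    if start is not None and end is not None:
        if (start.tzinfo is None) != (end.tzinfo is None):
            raise ValueError("start and end must both be aware or both be naive")
        if start >= end:
            raise ValueError("FROM must be earlier than TO")
    parts = ["FROM=" + _bound(start, "OLDEST", gmt),
             "TO=" + _bound(end, "YOUNGEST", gmt)]
    if view is not None:
        if view not in VIEWS:
            raise ValueError("VIEW must be ACTIVE, ALL or INACTIVE")
        parts.append("VIEW=" + view)
    parts.append("GMT" if gmt else "LOCAL")
    return ",".join(parts)


# Constructed sample: an incident window that crosses a leap day, UTC-5 wall clock.
EST = timezone(timedelta(hours=-5))
WINDOW_START = datetime(2024, 2, 29, 22, 30, tzinfo=EST)
WINDOW_END = datetime(2024, 3, 1, 1, 0, tzinfo=EST)

if __name__ == "__main__":
    print(logr_window(WINDOW_START, WINDOW_END, gmt=True))
    print(logr_window(WINDOW_START.replace(tzinfo=None),
                      WINDOW_END.replace(tzinfo=None), gmt=False, view="ALL"))
```

The returned string is substituted where subsys-options1 appears in the RECxxxxx DD statement.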
Authority and Scope
To use TSSUTIL, an ACID must possess REPORT authority. Anyone with REPORT authority can give this authority by entering the following command:
TSS ADMIN(acid) ACID(REPORT) RESOURCES(REPORT)
A user with no administrative authority may use TSSUTIL if given USE access to the entity “TSSUTILITY.TSSUTIL” in the CASECAUT resource class. An administrator can grant this access by entering the following command:
TSS PERMIT(acid) CASECAUT(TSSUTILITY.TSSUTIL) ACCESS(USE)
You can only extract those incidents that are generated for ACIDs within the scope of your authority. The scopes are as follows:
  • SCA
    Every event
  • LSCA
    Every event within the LSCA's scope
  • ZCA
    Entire zone or specific divisions, departments, or ACIDs within the zone
  • VCA
    Entire division or specific departments or ACIDs within the division
  • DCA
    Entire department or specific ACIDs within the department
  • USER
    The user's personal incidents
When using EVENT(VIOL) or EVENT(AUDIT), VCAs and DCAs can view VIOL and AUDIT events for owned resources even if the subject ACID is not within their scope. VCAs using EVENT (VIOL|AUDIT) and specifying a department get resources within that department's scope.