On the "add Java statistics to the SMF record" point, note NOTHING gets to inject stuff into SMF 30.
The one arguable exception to this is the Usage Data Section, but this is for licensing. Right now Java doesn't use the IFAUSAGE macro. Perhaps it could be taught to. If so maybe A VERY FEW statistics could be collected that way.

Cheers, Martin

> On 31 May 2016, at 02:17, Andrew Rowley <and...@blackhillsoftware.com> wrote:
>
> I just discovered that JZOS can now write Java statistics to SMF - nice!
>
> But... it looks like it requires users to have access to BPX.SMF to
> write the record - not so nice. If I understand correctly, access means
> you can write any type of record with any sort of garbage to SMF - not
> what you need for an audit trail.
>
> I think Co:Z SFTP also creates SMF records that require everyone to have
> access to BPX.SMF. BPX.SMF is supposed to be for server address space
> userids, but it seems like it is being used as a shortcut to bypass
> designing a proper way of cutting SMF records. I don't think that this
> is a good thing. It is even worse that it is IBM shipping features
> (JZOS) that encourage you to disable the security. (They don't tell you
> to do it, but if it doesn't work if you don't...)
>
> Maybe what is required is an official interface for untrusted tasks to
> write data to SMF?
>
> Something along the lines of:
>
> * A single SMF record type for all untrusted data
>
> * The interface adds a header that identifies the user & job that wrote
> the record, plus some sort of key to identify the user record type
>
> * RACF control over who can write records with specific keys - even
> better if you can control which programs can write the records
>
> * User data supplied is appended after the system generated header
>
> On the Java side, it would be nice if Java statistics were added to the
> type 30 records. I assume the JVM already has various functions that
> require authorization, so it shouldn't be too much of a stretch to keep
> the statistics somewhere that they could be included in the type 30.
> Much better than writing them from userland in JZOS.
>
> Andrew Rowley
> Black Hill Software
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Unless stated otherwise above: IBM United Kingdom Limited - Registered in England and Wales with number 741598. Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU