Re: TSO user activity logger
--- that's a lot of foot-long chili dogs! --- Try steaks and lobsters! And 4 of the kids were teenagers. Quivering masses of hormones surrounded by a pairs of sneakers and RAVENOUS appetites! <> -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
In a message dated 11/14/2006 6:05:50 P.M. Central Standard Time, [EMAIL PROTECTED] writes: un-involved co-worker. Cost me a very expensive dinner for him, his wife, and their six kids. Worth every blankety-blank penny of the $350 it set me back! >> that's a lot of foot-long chili dogs! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
In a message dated 11/14/2006 4:19:18 P.M. Central Standard Time, [EMAIL PROTECTED] writes: He deleted several of those datasets, since they had no DSORG or open date. Need I say more? Duh? Sounds like a good candidate for AUDITing at dataset level. That's how I finally put him in his place. With the help of a un-involved co-worker. Cost me a very expensive dinner for him, his wife, and their six kids. Worth every blankety-blank penny of the $350 it set me back! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
In a message dated 11/14/2006 4:19:18 P.M. Central Standard Time, [EMAIL PROTECTED] writes: He deleted several of those datasets, since they had no DSORG or open date. Need I say more? >> Duh? Sounds like a good candidate for AUDITing at dataset level. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
Subject to the definition of "run pampant". I presume it wasn't destructive. - At that time, we used the presence or absence of certain datasets to determine whether the production streams should continue or be interrupted for problem resolution. He deleted several of those datasets, since they had no DSORG or open date. Need I say more? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
Just turn on the AUDIT attribute for those users, I believe RACF will then record everything they do (that is everything which invokes RACF such as OPEN, CICS checking for access to transactions, etc.) Tim Hare Senior Systems Programmer Florida Department of Transportation (850) 414-4209 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
On Tue, 14 Nov 2006 13:23:26 -0600 "Chase, John" <[EMAIL PROTECTED]> wrote: :>IMO, for *anybody* (let alone an auditor) to have deliberately :>"demonstrated" a newly-discovered "hole" in that manner on a system such :>as yours should have resulted in a criminal indictment of that person. Subject to the definition of "run pampant". I presume it wasn't destructive. It makes the point to senior management. I have done the same. :>People daily go to jail for far less. I doubt it. -- Binyamin Dissen <[EMAIL PROTECTED]> http://www.dissensoftware.com Director, Dissen Software, Bar & Grill - Israel Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
> -Original Message- > From: IBM Mainframe Discussion List On Behalf Of Rick Fochtman > > --- > > >It's not the auditors. > >It's a compliance issue; the auditor does/should not determine what to track. > >Rather, they require reporting on what is required to monitor compliance. > > > >It's a true separation of duty (generic terminology): > > > >1. Standards Officer -- determines what are "best practices". > >2. Auditor -- reports on which standards are(n't) being met. > >3. Compliance Officer -- enforces standards. > > > >Too many people are 'afraid' of auditors, but in a 'proper > environment', they have no enforcement capabilities. > > > >If there is no true separation of duty, then there is a > potential for conflicts of interest! > > > > > > In an ideal world, that's how it might work. > > I spent 4 weeks on unpaid leave because an auditor knew of a > single "hole" in our security. He used a newly-discovered > hole in a CA SVC to basically "run pampant" though my system, > then told senior management that "anyone" could do it. When I > challenged him, in front of my senior management, I got > "suspended without pay". It took me 4 weeks of conversations > with CA Tech Support to build a concrete case, which was > argued before the Board of Governors, just me vs. the > auditor. The net upshot was that CA fixed the hole, I got > reinstated in my position, the pay that was withheld from me > was duly paid over and my senior management got a reprimand > for treating me so shabbily. Needless to say, I've got very > strong feelings about most DP auditors in general, and > stronger feelings about the so-called "Security Auditor". IMO, for *anybody* (let alone an auditor) to have deliberately "demonstrated" a newly-discovered "hole" in that manner on a system such as yours should have resulted in a criminal indictment of that person. People daily go to jail for far less. -jc- -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
--- It's not the auditors. It's a compliance issue; the auditor does/should not determine what to track. Rather, they require reporting on what is required to monitor compliance. It's a true separation of duty (generic terminology): 1. Standards Officer -- determines what are "best practices". 2. Auditor -- reports on which standards are(n't) being met. 3. Compliance Officer -- enforces standards. Too many people are 'afraid' of auditors, but in a 'proper environment', they have no enforcement capabilities. If there is no true separation of duty, then there is a potential for conflicts of interest! In an ideal world, that's how it might work. I spent 4 weeks on unpaid leave because an auditor knew of a single "hole" in our security. He used a newly-discovered hole in a CA SVC to basically "run pampant" though my system, then told senior management that "anyone" could do it. When I challenged him, in front of my senior management, I got "suspended without pay". It took me 4 weeks of conversations with CA Tech Support to build a concrete case, which was argued before the Board of Governors, just me vs. the auditor. The net upshot was that CA fixed the hole, I got reinstated in my position, the pay that was withheld from me was duly paid over and my senior management got a reprimand for treating me so shabbily. Needless to say, I've got very strong feelings about most DP auditors in general, and stronger feelings about the so-called "Security Auditor". When in doubt. PANIC!! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
TSO user activity logger
O.K. I need to have the access activity over the some dataset ( update, delete, etc. ) from " SPECIFIC USERS ", but I'dont want to activate the audit option for all dataset resource... I know that if I specify each additional logging activity for each profile, increases RACF and SMF processing and might affect RACF performance. So I would like get the logging activity from " SPECIFIC USERS " Atte. Alvaro. -Mensaje original- De: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] En nombre de Ted MacNEIL Enviado el: Martes, 14 de Noviembre de 2006 13:48 Para: IBM-MAIN@BAMA.UA.EDU Asunto: Re: TSO user activity logger >Someone know about the way to logger the any Tso user activity in centralized way ( like SMF ) ?. Log what? Sign ons? Dataset activity? Commands? Specifics would help! When in doubt. PANIC!! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
>IIRC, you can still get a "audit trail" of what TSO commands a user invokes, >but not under ISPF. TSOMON ($$) will track even under ISPF. >Sooner or later, even auditors have to realize that certain people must be >"trusted" to do their jobs correctly. It's not the auditors. It's a compliance issue; the auditor does/should not determine what to track. Rather, they require reporting on what is required to monitor compliance. It's a true separation of duty (generic terminology): 1. Standards Officer -- determines what are "best practices". 2. Auditor -- reports on which standards are(n't) being met. 3. Compliance Officer -- enforces standards. Too many people are 'afraid' of auditors, but in a 'proper environment', they have no enforcement capabilities. If there is no true separation of duty, then there is a potential for conflicts of interest! When in doubt. PANIC!! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
>Someone know about the way to logger the any Tso user activity in centralized >way ( like SMF ) ?. Log what? Sign ons? Dataset activity? Commands? Specifics would help! When in doubt. PANIC!! -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
--- Someone know about the way to logger the any Tso user activity in centralized way ( like SMF ) ?. The auditors are asking me this functionality for emergency users TSO. -- IIRC, you can still get a "audit trail" of what TSO commands a user invokes, but not under ISPF. The best you can hope for is tracking what datasets are accessed and/or updeted and logging of any RACF commands. Sooner or later, even auditors have to realize that certain people must be "trusted" to do their jobs correctly. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
TSO user activity logger
Hi. Someone know about the way to logger the any Tso user activity in centralized way ( like SMF ) ?. The auditors are asking me this functionality for emergency users TSO. Thanks. Alvaro. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html