TSO user activity logger
Hi. Does anyone know of a way to log any TSO user activity in a centralized way (like SMF)? The auditors are asking me for this functionality for emergency TSO users. Thanks. Alvaro.

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: TSO user activity logger
-snip--
Does anyone know of a way to log any TSO user activity in a centralized way (like SMF)? The auditors are asking me for this functionality for emergency TSO users.
unsnip--

IIRC, you can still get an audit trail of what TSO commands a user invokes, but not under ISPF. The best you can hope for is tracking what datasets are accessed and/or updated and logging of any RACF commands. Sooner or later, even auditors have to realize that certain people must be trusted to do their jobs correctly. G
Re: TSO user activity logger
> Does anyone know of a way to log any TSO user activity in a centralized way (like SMF)?

Log what? Sign ons? Dataset activity? Commands? Specifics would help!

When in doubt. PANIC!!
Re: TSO user activity logger
> IIRC, you can still get an audit trail of what TSO commands a user invokes, but not under ISPF.

TSOMON ($$) will track even under ISPF.

> Sooner or later, even auditors have to realize that certain people must be trusted to do their jobs correctly.

It's not the auditors. It's a compliance issue; the auditor does/should not determine what to track. Rather, they require reporting on what is required to monitor compliance. It's a true separation of duty (generic terminology):

1. Standards Officer -- determines what are best practices.
2. Auditor -- reports on which standards are(n't) being met.
3. Compliance Officer -- enforces standards.

Too many people are 'afraid' of auditors, but in a 'proper environment', they have no enforcement capabilities. If there is no true separation of duty, then there is a potential for conflicts of interest!

When in doubt. PANIC!!
TSO user activity logger
O.K. I need to have the access activity for some datasets (update, delete, etc.) from SPECIFIC USERS, but I don't want to activate the audit option for all dataset resources... I know that if I specify additional logging activity for each profile, it increases RACF and SMF processing and might affect RACF performance. So I would like to get the logging activity from SPECIFIC USERS.

Regards, Alvaro.

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On behalf of Ted MacNEIL
Sent: Tuesday, 14 November 2006 13:48
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: TSO user activity logger

> Does anyone know of a way to log any TSO user activity in a centralized way (like SMF)?

Log what? Sign ons? Dataset activity? Commands? Specifics would help!

When in doubt. PANIC!!
Re: TSO user activity logger
--snip-
It's not the auditors. It's a compliance issue; the auditor does/should not determine what to track. Rather, they require reporting on what is required to monitor compliance. It's a true separation of duty (generic terminology):

1. Standards Officer -- determines what are best practices.
2. Auditor -- reports on which standards are(n't) being met.
3. Compliance Officer -- enforces standards.

Too many people are 'afraid' of auditors, but in a 'proper environment', they have no enforcement capabilities. If there is no true separation of duty, then there is a potential for conflicts of interest!
-unsnip---

In an ideal world, that's how it might work. I spent 4 weeks on unpaid leave because an auditor knew of a single hole in our security. He used a newly-discovered hole in a CA SVC to basically run rampant through my system, then told senior management that anyone could do it. When I challenged him, in front of my senior management, I got suspended without pay. It took me 4 weeks of conversations with CA Tech Support to build a concrete case, which was argued before the Board of Governors, just me vs. the auditor. The net upshot was that CA fixed the hole, I got reinstated in my position, the pay that was withheld from me was duly paid over and my senior management got a reprimand for treating me so shabbily. Needless to say, I've got very strong feelings about most DP auditors in general, and stronger feelings about the so-called Security Auditor.

When in doubt. PANIC!!
Re: TSO user activity logger
-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Rick Fochtman

> --snip-
> It's not the auditors. It's a compliance issue; the auditor does/should not determine what to track. Rather, they require reporting on what is required to monitor compliance. It's a true separation of duty (generic terminology):
>
> 1. Standards Officer -- determines what are best practices.
> 2. Auditor -- reports on which standards are(n't) being met.
> 3. Compliance Officer -- enforces standards.
>
> Too many people are 'afraid' of auditors, but in a 'proper environment', they have no enforcement capabilities. If there is no true separation of duty, then there is a potential for conflicts of interest!
> -unsnip---
>
> In an ideal world, that's how it might work. I spent 4 weeks on unpaid leave because an auditor knew of a single hole in our security. He used a newly-discovered hole in a CA SVC to basically run rampant through my system, then told senior management that anyone could do it. When I challenged him, in front of my senior management, I got suspended without pay. It took me 4 weeks of conversations with CA Tech Support to build a concrete case, which was argued before the Board of Governors, just me vs. the auditor. The net upshot was that CA fixed the hole, I got reinstated in my position, the pay that was withheld from me was duly paid over and my senior management got a reprimand for treating me so shabbily. Needless to say, I've got very strong feelings about most DP auditors in general, and stronger feelings about the so-called Security Auditor.

IMO, for *anybody* (let alone an auditor) to have deliberately demonstrated a newly-discovered hole in that manner on a system such as yours should have resulted in a criminal indictment of that person. People daily go to jail for far less.

-jc-
Re: TSO user activity logger
On Tue, 14 Nov 2006 13:23:26 -0600 Chase, John [EMAIL PROTECTED] wrote:

:IMO, for *anybody* (let alone an auditor) to have deliberately
:demonstrated a newly-discovered hole in that manner on a system such
:as yours should have resulted in a criminal indictment of that person.

Subject to the definition of run rampant. I presume it wasn't destructive. It makes the point to senior management. I have done the same.

:People daily go to jail for far less.

I doubt it.

--
Binyamin Dissen [EMAIL PROTECTED]
http://www.dissensoftware.com
Director, Dissen Software, Bar Grill - Israel

Should you use the mailblocks package and expect a response from me, you should preauthorize the dissensoftware.com domain. I very rarely bother responding to challenge/response systems, especially those from irresponsible companies.
Re: TSO user activity logger
Just turn on the AUDIT attribute for those users, I believe RACF will then record everything they do (that is everything which invokes RACF such as OPEN, CICS checking for access to transactions, etc.)

Tim Hare
Senior Systems Programmer
Florida Department of Transportation
(850) 414-4209
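The per-user approach suggested above, next to narrowly scoped profile-level auditing, as an added example that is not part of any post in this thread. It assumes RACF's user-level audit attribute, which is named UAUDIT on the ALTUSER command; the job card, the user ID EMERG01 and the profile PROD.SCHED.FLAG.* are hypothetical placeholders.

```jcl
//UAUDIT   JOB (ACCT),'RACF UAUDIT',CLASS=A,MSGCLASS=X
//* Added example. Job card, user ID EMERG01 and the profile
//* PROD.SCHED.FLAG.* are hypothetical placeholders.
//*
//* Commands in SYSTSIN, in order:
//*  1. ALTUSER ... UAUDIT   log the RACF-checked activity of one
//*                          emergency user, without changing the
//*                          audit settings of any dataset profile.
//*                          The submitter needs the AUDITOR
//*                          attribute to set UAUDIT.
//*  2. LISTUSER             review the user's attributes afterwards.
//*  3. ALTDSD ... AUDIT     alternative for a small set of critical
//*                          datasets: log successful and failed
//*                          access at UPDATE level and above (ALTER,
//*                          needed to delete, is above UPDATE) by
//*                          any user, on this one profile only.
//*  4. LISTDSD              review the profile's audit settings.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER EMERG01 UAUDIT
  LISTUSER EMERG01
  ALTDSD 'PROD.SCHED.FLAG.*' AUDIT(ALL(UPDATE))
  LISTDSD DATASET('PROD.SCHED.FLAG.*')
/*
```

The resulting events are written as SMF type 80 records, so they can be collected centrally with the rest of the RACF audit data. Remove the attribute with `ALTUSER EMERG01 NOUAUDIT` when the emergency ID is no longer in use.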
Re: TSO user activity logger
---snip-
Subject to the definition of run rampant. I presume it wasn't destructive.
-unsnip

At that time, we used the presence or absence of certain datasets to determine whether the production streams should continue or be interrupted for problem resolution. He deleted several of those datasets, since they had no DSORG or open date. Need I say more?
Re: TSO user activity logger
In a message dated 11/14/2006 4:19:18 P.M. Central Standard Time, [EMAIL PROTECTED] writes:

> He deleted several of those datasets, since they had no DSORG or open date. Need I say more?

Duh? Sounds like a good candidate for AUDITing at dataset level.
Re: TSO user activity logger
---snip-
In a message dated 11/14/2006 4:19:18 P.M. Central Standard Time, [EMAIL PROTECTED] writes:
He deleted several of those datasets, since they had no DSORG or open date. Need I say more?
Duh? Sounds like a good candidate for AUDITing at dataset level.
unsnip

That's how I finally put him in his place. With the help of an un-involved co-worker. Cost me a very expensive dinner for him, his wife, and their six kids. Worth every blankety-blank penny of the $350 it set me back! G
Re: TSO user activity logger
In a message dated 11/14/2006 6:05:50 P.M. Central Standard Time, [EMAIL PROTECTED] writes:

> un-involved co-worker. Cost me a very expensive dinner for him, his wife, and their six kids. Worth every blankety-blank penny of the $350 it set me back! G

that's a lot of foot-long chili dogs!