RACF Logging Options equivalents under CA Top Secret.

Document ID : KB000117618
Last Modified Date : 16/10/2018
Issue:
Can you tell me the RACF logging option equivalents in TSS?

IN RACF: 

INISTATS 
Ensures that account statistics that are authenticated to z/OS are logged

SETROPTS INISTATS (ON) 

SAUDIT 
Ensures that the RACF commands performed by the administrators (having the attribute SPECIAL or GROUP SPECIAL) are recorded. 

SETROPTS SAUDIT (ON) 

CMDVIOL 
Ensures that failed command attempts after the protection check are logged. 

SETROPTS CMDVIOL (ON) 

OPERAUDIT 
Ensures that successful access to files by accounts with the OPERATION attribute is logged. 

SETROPTS OPERAUDIT (ON) 

Can testing be done without isolating the TSS from a CPF network using the NEWPW (MC) option without forcing via NEWPW (LC) or (UC)?
Resolution:
Questions: 

Can you tell me if there is the equivalent in TSS?

IN RACF: 

INISTATS 
Ensures that account statistics that are authenticated to z/OS are logged
Answer:
The CA Top Secret control option LOG(INIT) is the equivalent of INISTATS; it tracks user authentication.

Setting the AUDIT attribute on a user will also cause authentication to be tracked, even if you don't have the LOG(INIT) control option set. The AUDIT attribute records all security-related activity for a user.


SETROPTS INISTATS (ON) 

SAUDIT 
Ensures that the RACF commands performed by the administrators (having the attribute SPECIAL or GROUP SPECIAL) are recorded. 
Answer: 
TSS always records successful admin activity. There is no way to disable this.

SETROPTS SAUDIT (ON) 

CMDVIOL 
Ensures that failed command attempts after the protection check are logged. 
Answer: 
Currently, failed TSS commands are not tracked. Only successful TSS admin commands are tracked.

SETROPTS CMDVIOL (ON) 

OPERAUDIT 
Ensures that successful access to files by accounts with the OPERATION attribute is logged. 
Answer: 
The AUDIT attribute is the equivalent; it can be specified on a user or on a particular resource.

SETROPTS OPERAUDIT (ON) 

Can testing be done without isolating the TSS from a CPF network using the NEWPW (MC) option without forcing via NEWPW (LC) or (UC)?

Answer: 
The NEWPW setting only affects the one system it is set on. It will not affect the other CPFed systems. So you can have multiple systems with different NEWPW settings that CPF to one another, but this is NOT a good security practice or standard. Most sites have a unified password standard that applies to all their systems and platforms. NEWPW is checked when a user changes their password via the signon panel, not when the password is changed with the TSS REPLACE PASSWORD command. A TSS admin can always override the NEWPW password controls.