TSSPARM equivalent to RACF SETROPTS

Document ID : KB000113535
Last Modified Date : 11/09/2018
Question:
We have received some recommendations about security product settings, but they are for RACF SETROPTS.

Can you give me the equivalent for TSSPARM?

SETROPTS INISTATS(ON)
SETROPTS SAUDIT(ON)
SETROPTS CMDVIOL(ON)
SETROPTS OPERAUDIT(ON)
SETROPTS AUDIT(‘classe’)
SETROPTS BATCHALLRACF(ON)
SETROPTS PROTECTALL(FAILURES) 
Environment:
z/OS
Answer:
SETROPTS INISTATS(ON) ==> LOG(INIT) at the FACILITY level and/or as the global control option LOG(); see the link below:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/specifying-control-options-to-modify-your-security-environment/logcontrol-event-logging

SETROPTS SAUDIT(ON) ==> there is no TSS equivalent as such, but see the global control option LOG(CMDA,CMDS); also refer to the above link.

SETROPTS CMDVIOL(ON) ==> see the global control option LOG(CMDA,CMDS) and the above link.

SETROPTS OPERAUDIT(ON) ==> there is no TSS equivalent as such, but see the AUDIT attribute at the link below:

https://docops.ca.com/ca-top-secret-for-z-os/16-0/en/using/issuing-commands-to-communicate-administrative-requirements/keywords/audit-keywordaudit-acid-activity

SETROPTS AUDIT(‘classe’) ==> there is no TSS equivalent as such, but see the AUDIT record, which audits resource classes and resources; see the above link.

SETROPTS BATCHALLRACF(ON) for JES ==> see the TSS global control option JES(VERIFY/NOVERIFY); TSS always checks the submitting ACID.

SETROPTS PROTECTALL(FAILURES) ==> With TSS, DATASETs are protected by default in FAIL mode.