The SAT exit routine is only called for events that are to be logged (see the “SECOS” manual [12]). It is called immediately before the event is written to the SAT log file. The exit routine must be loaded by systems support and activated by a security administrator (/MODIFY-SAT-PRESELECTION EXIT=YES).
The SAT exit routine can then trigger one of the following:
initiate selective responses (for example blocking a user ID after a certain number of failed LOGON attempts)
write a separate audit record (ANY event, $SATANY macro)
on return to SAT via the return code, allow or suppress writing of the analyzed audit record.
The following information is passed to the routine:
R1 = A(EX110 parameter area)
R12 = A(TPR program manager)
R13 = A(save area)
R14 = A(indirect return)
R15 = A(exit routine)
The return code for the calling system component is sent via the SATZPMDL parameter area in the SATZSR1 field.
SATZSR1 = X'00' The event is to be written to the SAT logging file.
SATZSR1 = X'04' The event is not to be written to the SAT logging file.
The parameter list transferred to the exit routine contains a copy of the audit record. This ensures that the original information cannot be modified.
The parameter list contains the following:
standard header
length of the record (2 bytes)
reserved (2 bytes)
audit record (fixed and variable parts)
The audit record is described in the “SECOS” manual [12]. It consists of two parts, one fixed and one variable. The variable part contains a list of information fields. There are two types of information field:
The standard information field:
  length specification
  identifier (see the “SECOS” manual [12])
  associated data field
The *LNG field:
  field with the value 255 (indicator for the *LNG field)
  negative indicator
  length specification
  2 reserved bytes
  associated data field
The description of the parameter area specifies only the layout for one information field (standard information field or *LNG field) of the variable part.
DSECT
EX110 MF=D
MFTST MF=D,PREFIX=S,MACID=ATZ,ALIGN=F, C
DMACID=ATZ,SUPPORT=(D,C),DNAME=ATZPMDL
SATZPMDL DSECT ,
*,##### PREFIX=S, MACID=ATZ #####
* set for subcode_1
SATZLOG EQU 0 record-log requested
SATZRJ EQU 4 reject record
*
SATZIMDL EQU 5900 max. length of logging record
*
SATZILFP EQU 28 length of fixed part in
* logging record
*
* parameter list description
SATZHDR FHDR MF=(C,SATZ),EQUATES=NO standard header
SATZHDR DS 0A
SATZFHE DS 0XL8 0 GENERAL PARAMETER AREA HEADER
*
SATZIFID DS 0A 0 INTERFACE IDENTIFIER
SATZFCTU DS AL2 0 FUNCTION UNIT NUMBER
* BIT 15 HEADER FLAG BIT,
* MUST BE RESET UNTIL FURTHER NOTICE
* BIT 14-12 UNUSED, MUST BE RESET
* BIT 11-0 REAL FUNCTION UNIT NUMBER
SATZFCT DS AL1 2 FUNCTION NUMBER
SATZFCTV DS AL1 3 FUNCTION INTERFACE VERSION NUMBER
*
SATZRET DS 0A 4 GENERAL RETURN CODE
SATZSRET DS 0AL2 4 SUB RETURN CODE
SATZSR2 DS AL1 4 SUB RETURN CODE 2
SATZSR1 DS AL1 5 SUB RETURN CODE 1
SATZMRET DS 0AL2 6 MAIN RETURN CODE
SATZMR2 DS AL1 6 MAIN RETURN CODE 2
SATZMR1 DS AL1 7 MAIN RETURN CODE 1
SATZFHL EQU 8 8 GENERAL OPERAND LIST HEADER LENGTH
*
* main return codes
SATZOK EQU 0 no error
*
SATZLEN DS H length of logging record
SATZRS1 DS XL2 alignment
*
SATZREC DS 0XL5928 logging record
*
SATZFIX DS 0XL28 fixed part of logging record
SATZUID DS CL8 user id
SATZTSN DS CL4 TSN
SATZEVT DS CL3 event
SATZRES DS CL1 event result
*
SATZTSP DS 0XL8 time stamp
SATZDAT DS CL4 YYYYMMDD
SATZTIM DS CL4 HHMMSS00
*
SATZSAT DS X SAT version
SATZETT DS X reserved for extent
SATZSCF DS X caller
SATZSCV DS X caller version
*
SATZVAR DS 0XL5900 variable part of logging
* record
SATZDAR DS CL5900 variable part
ORG SATZVAR
*
SATZFLD DS 0XL258 layout of a standard field
SATZVLN DS X length of the field
SATZVID DS CL2 id of the field
SATZVDT DS CL255 data
*
ORG SATZVAR
*
SATZEFLD DS 0XL4007 layout of a *LNG field
SATZVLND DS X 255 to indicate *LNG-field
SATZNIDE DS CL2 negative id of the field
SATZFLEN DS CL2 length of *LNG-field
SATZABRL DS CL2 on exit 110 always zero
SATZLVAL DS CL4000 data
*
ORG SATZVAR+5900
*
SATZ# EQU *-SATZHDR
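
The following Python decoder is an added example, not code from the manual: it reads a copy of the parameter area using the offsets of the DSECT above, walks the standard and *LNG fields of the variable part, and rejects any length that would run past the record. The names parse_area, build_sample and text are hypothetical. Assumptions: character data is EBCDIC (cp037 stands in for the system code page), SATZLEN counts the fixed plus the variable part, SATZVLN and SATZFLEN are binary and count only the data bytes, and SATZDAT/SATZTIM hold two decimal digits per byte.

```python
import struct

HDR_LEN, FIXED_LEN = 8, 28    # SATZFHL, SATZILFP from the DSECT
REC_OFF = HDR_LEN + 4         # SATZLEN (H) and SATZRS1 (XL2) precede SATZREC
LNG = 255                     # SATZVLND value that marks a *LNG field

def text(raw):
    return raw.decode("cp037").rstrip()   # assumption: EBCDIC character data

def parse_area(area):
    """Decode a parameter area copy; raise ValueError when a length overruns."""
    if len(area) < REC_OFF + FIXED_LEN:
        raise ValueError("area shorter than header plus fixed part")
    (rec_len,) = struct.unpack_from(">H", area, HDR_LEN)  # SATZLEN (assumed fixed + variable)
    if not FIXED_LEN <= rec_len <= len(area) - REC_OFF:
        raise ValueError("SATZLEN inconsistent with area size")
    rec = area[REC_OFF:REC_OFF + rec_len]
    uid, tsn, evt, res, dat, tim, sat, _ett, scf, scv = struct.unpack_from(
        ">8s4s3s1s4s4s4B", rec)                           # SATZFIX, 28 bytes
    out = {"uid": text(uid), "tsn": text(tsn), "event": text(evt),
           "result": text(res), "date": dat.hex(), "time": tim.hex(),
           "sat_version": sat, "caller": scf, "caller_version": scv, "fields": []}
    var, pos = rec[FIXED_LEN:], 0
    while pos < len(var):
        lng = var[pos] == LNG
        hdr = 7 if lng else 3   # SATZVLND..SATZABRL, or SATZVLN + SATZVID
        if pos + hdr > len(var):
            raise ValueError("truncated field header at offset %d" % pos)
        # assumption: both length values are binary and count the data bytes only
        dlen = struct.unpack_from(">H", var, pos + 3)[0] if lng else var[pos]
        if (lng and dlen > 4000) or pos + hdr + dlen > len(var):
            raise ValueError("field at offset %d overruns the record" % pos)
        out["fields"].append({"lng": lng, "id": var[pos + 1:pos + 3].hex(),
                              "data": var[pos + hdr:pos + hdr + dlen]})
        pos += hdr + dlen
    return out

def build_sample():
    """Constructed test input: one standard field followed by one *LNG field."""
    e = lambda s: s.encode("cp037")
    fixed = (e("USER0001") + e("0ABC") + e("EVT") + e("F")
             + bytes.fromhex("20240131") + bytes.fromhex("23595900")
             + bytes([1, 0, 2, 3]))
    std = bytes([4]) + e("ID") + e("DATA")
    lng = bytes([LNG]) + e("LF") + struct.pack(">H", 300) + b"\0\0" + b"\x5c" * 300
    rec = fixed + std + lng
    return bytes(HDR_LEN) + struct.pack(">HH", len(rec), 0) + rec
```

Field identifiers are returned as raw hex because their meaning is defined in the “SECOS” manual [12], not on this page.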