The following table shows the objects and their auditable events, the abbreviated names of the events and an indication of their audit attributes.
The /MODIFY-SAT-PRESELECTION command enables the security administrator to modify the SAT preselection values for most events.
The individual columns have the following meanings:
OBJECT Event column
Specification of the object, accompanied by the operations which result in auditable events.
Event name column
Each event has a 3-character event name which may be used as a keyword in the commands /SHOW-SAT-STATUS and /MODIFY-SAT-PRESELECTION as well as in the statements //ADD-SELECTION-CONDITIONS and //SELECT-RECORDS.
Audit attribute Chg column
Indication of whether the audit attribute for the event can be changed.
Y (YES)
The audit attribute can be changed
N (NO)
The audit attribute cannot be changed (permanently security-relevant event)
-
Entry not relevant
Audit attribute Dft column
Shows the default setting for the audit attribute (see "Selection procedure") of the event:
A
Audit attribute ALL, i.e. the event is always logged
S
Audit attribute SUCCESS, i.e. the event is logged if it has been successfully executed (data field res equal to S in the SATLOG record)
F
Audit attribute FAILURE, i.e. the event is logged if it has not been successfully executed (data field res equal to F in the SATLOG record)
N
Audit attribute NONE, i.e. the event is not logged
-
Entry not relevant
Note
The events and fields documented in this manual correspond to the status at the time when the manual was published. However, the type and scope of the audited information may change for products which pass information to SAT for logging and which appear after publication of this manual. The related product manual will contain an updated list of events and fields, and you should therefore use only the information provided in these product manuals.
OBJECT Event | Event name | Audit attribute Chg | Audit attribute Dft |
ADAM (device management) | |||
Add device operation | ADO | Y | N |
ANY | |||
Any event (system exit) (see note) | ANY | Y | N |
APPLICATION (DCAM) | |||
Open application (YOPEN) | DON | Y | N |
Close application (YCLOSE) | DCL | Y | N |
Connect application (YOPNCON) | DCN | Y | N |
Disconnect application (YCLSCON) | DDS | Y | N |
BCAM | |||
Open TSAP | BAO | Y | N |
Close TSAP | BAC | Y | N |
Open connection | BCN | Y | N |
Close connection | BDS | Y | N |
CATALOG (PVS) | |||
Start import pubset task | CIP | Y | S |
Start export pubset task | CEP | Y | S |
Check catalog | CKR | Y | N |
Convert catalog | CVR | Y | N |
CONSLOG (see note) | |||
CONSLOG entry | - | - | |
COOWNER PROTECTION | |||
Add co-owner protection rule | CRA | Y | N |
Modify co-owner protection rule | CRM | Y | N |
Display co-owner authorization rule | CRQ | Y | N |
Remove co-owner protection rule | CRR | Y | N |
Display co-owner protection rule | CRS | Y | N |
DATA SPACES (see note) | |||
Create DATA SPACE | DSB | Y | N |
Connect to DATA SPACE | DSC | Y | N |
Release connection to DATA SPACE | DSD | Y | N |
Delete DATA SPACE | DSE | Y | N |
Modify/reset DATA SPACE | DSM | Y | N |
DEFAULT PROTECTION | |||
Define default values for protection attributes | DAA | Y | N |
Modify default values for protection attributes | DAM | Y | N |
Display default values for protection attributes | DAS | Y | N |
Add default protection rule | DRA | Y | N |
Modify default protection rule | DRM | Y | N |
Display default protection attributes for object | DRQ | Y | N |
Remove default protection rule | DRR | Y | N |
Display default protection rule | DRS | Y | N |
Add user ID for object path | DUA | Y | N |
Remove user ID for object path | DUR | Y | N |
Display user ID for object path | DUS | Y | N |
EVENTING-ITEM (see note) | |||
Activate eventing | EEE | Y | N |
Deactivate eventing | EDE | Y | N |
Activate serialization | EES | Y | N |
Deactivate serialization | EDS | Y | N |
FILE (see note) | |||
Create file | FCD | Y | N |
Read file | FRD | Y | N |
Execute file (open exec) | FED | Y | N |
Modify file | FMD | Y | N |
Close file | FCL | Y | N |
Delete file | FDD | Y | N |
Rename file with ARCHIVE | FAR | Y | N |
Rename file | FRN | Y | N |
Define protection attributes | FCS | Y | N |
Modify protection attributes | FMS | Y | N |
Delete protection attributes | FDS | Y | N |
Read protection attributes | FRS | Y | N |
Import protection attributes | FIS | Y | N |
Export protection attributes | FES | Y | N |
Convert file into decrypted file | FDC | Y | N |
Convert file into encrypted file | FEC | Y | N |
Move file extents (SPACEOPT) | FME | Y | N |
Select object for reorganization (SPACEOPT) | FSO | Y | N |
FITC (Fast Intertask Comm.) (see note) | |||
Define port access | POA | Y | N |
Define port | POB | Y | N |
Connect to port | POC | Y | N |
Disconnect from port | POD | Y | N |
Release port | POE | Y | N |
Release port access | POR | Y | N |
Implicit exchange with port | POX | Y | N |
GROUP (user group) | |||
Add | GSH | Y | A |
Modify | GRM | Y | A |
Remove | GMD | Y | A |
Show | GAD | Y | N |
GUARDS | |||
Generate a guard | GUB | Y | N |
Copy a guard | GUC | Y | N |
Delete a guard | GUD | Y | N |
Change guards catalog | GUF | Y | N |
Repair guards catalog | GUR | Y | N |
Modify attributes | GUM | Y | N |
Show attributes | GUS | Y | N |
Define access conditions | GAA | Y | N |
Modify access conditions | GAM | Y | N |
Remove access conditions | GAR | Y | N |
Show access conditions | GAS | Y | N |
Interrogate access conditions | GAQ | Y | N |
IPSEC | |||
Load IPSEC security database | ILD | Y | N |
Security policy infringement during data transfer | IPV | Y | N |
JOB (see note) | |||
Initiate batch job or subtask | JBE | Y | F |
Abort job | JCN | Y | N |
Initiate dialog or RLOGIN | JDE | Y | A |
End job | JED | Y | N |
Initialize batch job or subtask | JIN | Y | A |
Modify batch job | JMD | Y | N |
Generate POSIX task | JFK | Y | A |
JOB VARIABLES | |||
Rename with ARCHIVE | JVA | Y | N |
Create protection attributes | JVC | Y | N |
Delete protection attributes | JVD | Y | N |
Modify protection attributes | JVM | Y | F |
Read data (GETJV) | JVG | Y | F |
Write data (SETJV) | JVS | Y | F |
Query JV | JVQ | Y | N |
Rename JV | JVR | Y | N |
KEY | |||
Add KERBEROS Encryption Type | KEA | Y | A |
Delete KERBEROS Encryption Type | KED | Y | A |
Add KERBEROS Principal | KPA | Y | A |
Delete KERBEROS Principal | KPD | Y | A |
Modify KERBEROS Principal | KPM | Y | A |
KERBEROS ticket check | KTC | Y | F |
Abortive attempt at a crypto password check after exceeding | KXM | Y | F |
MEMORY-POOL (see note) | |||
Enable (ENAMP) | MEN | Y | N |
Disable (DISMP) | MDS | Y | N |
Release (RELMP) | MRL | Y | N |
Make readable for TU (with ($)CSTMP in TPR) | MRD | Y | N |
Make readable with CSTMP in TU | MAC | Y | S |
OPERATOR ROLE | |||
Add routing code | ORA | Y | N |
Create operator role | ORB | Y | N |
Assign operator role | ORC | Y | N |
Delete operator role from user record | ORD | Y | N |
Delete operator role | ORE | Y | N |
Withdraw routing code | ORR | Y | N |
PLAM | |||
Create library member | LCE | Y | N |
Modify library member | LME | Y | N |
Read library member | LRE | Y | N |
Execute library member | LEE | Y | N |
Close library member | LCL | Y | N |
Delete library member | LDE | Y | N |
Rename library member | LRN | Y | N |
Create security attributes | LCS | Y | N |
Delete security attributes | LDS | Y | N |
Modify security attributes | LMS | Y | N |
POSIX-CHILD-Process (see note) | |||
Create new process (fork) | XFK | Y | N |
Create new process on rlogin access (rfork) | XRF | Y | N |
POSIX-FILE-and-Directory (see note) | |||
Change current directory (chdir) | XCD | Y | N |
Close file (close) | XCL | Y | N |
Change file access rights (chmod) | XCM | Y | N |
Change file owner or group (chown) | XCO | Y | N |
Create new file (creat) | XCR | Y | N |
Create directory via descriptor (mkdirat) | XDA | Y | N |
Duplicate file descriptor (dup) | XDP | Y | N |
File control operation (fcntl) | XFC | Y | N |
Change current directory via descriptor (fchdir) | XFD | Y | N |
Change file access rights via descriptor (fchmod) | XFM | Y | N |
Change a file’s owner or group via descriptor (fchown) | XFO | Y | N |
Create a link to a file via descriptor (linkat) | XLA | Y | N |
Create a link to a file (link) | XLN | Y | N |
Change the owner or group of a file or link (lchown) | XLO | Y | N |
Change file access rights via descriptor (fchmodat) | XMA | Y | N |
Create directory (mkdir) | XMD | Y | N |
Map file in virtual memory (mmap) | XMM | Y | N |
Set protection attributes for file mapping in virtual memory | XMP | Y | N |
Mount file system (mount) | XMT | Y | N |
Cancel mapping of file in virtual memory (munmap) | XMU | Y | N |
Open file via descriptor (openat) | XOA | Y | N |
Open file (open) | XOP | Y | N |
Rename file via descriptor (renameat) | XRA | Y | N |
Remove directory (rmdir) | XRD | Y | N |
Rename file (rename) | XRN | Y | N |
Create symbolic link to a file via descriptor (symlinkat) | XSA | Y | N |
Create symbolic link to a file (symlink) | XSL | Y | N |
Delete file or directory via descriptor (unlinkat) | XUA | Y | N |
Set file bit mask for a process (umask) | XUM | Y | N |
Delete file (remove/unlink) | XUN | Y | N |
Unmount file system (umount) | XUT | Y | N |
Change file group or owner via descriptor (fchownat) | XWA | Y | N |
POSIX-PROCESS (see note) | |||
Set effective group number for a process (setegid) | XEG | Y | N |
Set effective user number for a process (seteuid) | XEU | Y | N |
Execute file (exec) | XEX | Y | N |
Set maximum number of group members for a process | XGR | Y | N |
Send signal to process or process group (kill) | XKL | Y | N |
Set process limits (ulimit) | XLM | Y | N |
Set real and effective group number for a process (setregid) | XRG | Y | N |
Set real and effective user number for a process (setreuid) | XRU | Y | N |
Set group number of a process (setgid) | XSG | Y | N |
Set process group number (setpgrp) | XSP | Y | N |
Set limit value for a resource (setrlimit) | XSR | Y | N |
Set user number of a process (setuid) | XSU | Y | N |
POSIX-SYSTEM-Resources (see note) | |||
Change system time (adjtime) | XAJ | Y | N |
Set user attributes (pwent) | XPW | Y | N |
Semaphore control operations (semsys) | XSE | Y | N |
Shared memory control operations (shmsys) | XSH | Y | N |
PRIVILEGE | |||
Grant | PST | N | A |
Revoke | PRT | N | A |
Create privilege set | PSC | Y | S |
Delete privilege set | PSD | Y | S |
Add privilege to privilege set | PSA | N | A |
Remove privilege from privilege set | PSR | N | A |
PROGRAM (see note) | |||
Load/execute | XLD | Y | Y |
Unload | XUL | Y | Y |
SAT (see note) | |||
Command HOLD-SAT-LOGGING | ZHO | N | A |
Command RESUME-SAT-LOGGING | ZRE | N | A |
Command MODIFY-SAT-PRESELECTION | ZPS | N | A |
Command MODIFY-SAT-SUPPORT-PARAMETERS | ZMS | N | A |
Command CHANGE-SAT-FILE | ZCH | N | A |
Command SAVE-SAT-PARAMETERS | ZSP | N | A |
Open SATLOG file (HEADER record) | ZBG | N | A |
Close SATLOG file (TRAILER record) | ZND | N | A |
SAT event preselection | ZEP | N | A |
SAT-ALARM | |||
Command ADD-SAT-ALARM-CONDITIONS | ZCA | N | A |
Command REMOVE-SAT-ALARM-CONDITIONS | ZDA | N | A |
Command MODIFY-SAT-ALARM-CONDITIONS | ZMA | N | A |
Trigger SAT alarm | ZAL | N | A |
SAT-FILTER | |||
Command ADD-SAT-FILTER-CONDITIONS | ZCF | N | A |
Command REMOVE-SAT-FILTER-CONDITIONS | ZDF | N | A |
Command MODIFY-SAT-FILTER-CONDITIONS | ZMF | N | A |
SESAM (see note) | |||
Administer DBH session | SEA | Y | N |
Change access rights and user accesses | SEP | Y | N |
DDL, SSL, utility statement | SES | Y | N |
Start/stop SESAM task (DBH or service task) | SET | Y | N |
Stop process | SEU | Y | N |
SMS (System Managed Storage) | |||
Create storage class | SCC | ||
Modify characteristics of storage class | SCM | ||
Delete storage class | SCD | ||
Bind storage class to volume set list | SCB | ||
PVSREN: delete all storage classes | SCP | ||
Unbind storage class from volume set list | SCU | ||
Command CHANGE-STORAGE-CLASS-CATALOG | SCX | ||
Create volume set list | VLC | ||
Modify volume set list | VLM | ||
Delete volume set list | VLD | Y | N |
Add volume to volume set list | VLA | Y | N |
Remove volume from volume set list | VLR | Y | N |
Command CHANGE-VOLUME-SET-LIST-CATALOG | VLX | Y | N |
PVSREN: rename volume set | VP1 | Y | N |
PVSREN: rename all volume sets | VP2 | Y | N |
PVSREN: delete all volume sets | VP3 | Y | N |
SPOOL DEVICE | |||
Define RSO device | SDA | Y | N |
Modify attributes | SDM | Y | N |
Delete entry | SDR | Y | N |
SPOOL JOBS (see note) | |||
Request printing | JPR | Y | N |
Delete job | JPC | Y | N |
Terminate printing | JPE | Y | N |
Interrupt printing | JPI | Y | N |
SUBSYSTEM (see note) | |||
Activate | SCR | Y | A |
Deactivate | SDL | Y | A |
Hold | SHD | Y | A |
Remove | SRM | Y | A |
Resume | SRS | Y | A |
Connection with nonprivileged subsystem | SCN | Y | N |
Disconnection from nonprivileged subsystem | SDS | Y | N |
Catalog management | SCT | Y | A |
Load subsystem part | SLP | Y | N |
Change subsystem file | SFC | Y | N |
SYNTAX FILE | |||
Activate | YAC | Y | N |
Modify | YMD | Y | N |
Open hierarchy (OPNCALL macro) | YON | Y | N |
Activate for subsystem | YAD | Y | N |
Check | YCK | Y | N |
TAPE encryption | |||
CREATE-ENCRYPTION-KEY statement | TKC | Y | A |
ADD-ENCRYPTION-KEY statement | TKA | Y | A |
COPY-ENCRYPTION-KEYS statement | TKP | Y | A |
REMOVE-ENCRYPTION-KEYS statement | TKR | Y | A |
SHOW-ENCRYPTION-KEYS statement | TKS | Y | N |
SET-WRITE-ENCRYPTION-KEY statement | TWK | Y | A |
DELETE-KEY-BOX statement | TBD | Y | A |
EXPORT-KEY-BOX statement | TBE | Y | A |
IMPORT-KEY-BOX statement | TBI | Y | A |
REPAIR-KEY-BOX statement | TBR | Y | N |
MODIFY-VOLUME-ENCRYPTION-ATTR statement | TVM | Y | A |
SHOW-VOLUME-ENCRYPTION-ATTR statement | TVS | Y | N |
Access to key box | TBA | Y | A |
TERMINAL SET | |||
Generate | TSB | Y | N |
Copy | TSC | Y | N |
Delete | TSD | Y | N |
Modify | TSM | Y | N |
USERID (see note) | |||
Add | UAD | Y | A |
Modify attributes | UMD | Y | N |
Remove | URM | Y | A |
Lock | ULK | Y | N |
Unlock | UUL | Y | S |
Check | UCK | Y | F |
Define protection attributes | USL | Y | A |
Modify protection attributes | UML | Y | A |
Modify password protection | UMP | Y | A |
Command REQUEST-OPERATOR-ROLE | UOP | Y | A |
Command MODIFY-POSIX-USER-ATTRIBUTES | UPA | Y | N |
Command MODIFY-POSIX-USER-DEFAULTS | UPD | Y | N |
Command MODIFY-USER-PUBSET-ATTRIBUTES | UUP | Y | A |
Command MODIFY-LOGON-DEFAULTS | UDM | Y | A |
Command SET-LOGON-DEFAULTS | UDS | Y | A |
Command UNLOCK-USER-SUSPEND | UUS | Y | A |
UTM events (see note) | TRM | Y | A |
VOLUME (MAREN) (see note) | |||
Administrator is modifying attributes | VMA | Y | N |
Remove volume | VRM | Y | N |
Add volume | VAD | Y | N |
User is modifying attributes | VMU | Y | N |
User is processing volume | VVP | Y | N |
Modify MAREN parameters | VMM | Y | N |
Show volume attributes | VSA | Y | N |
Show MAREN parameters | VSP | Y | N |
VOLUME (other products) (see note) | |||
Open volume | VON | Y | N |
Close volume | VCL | Y | N |
Initialize protected volume | VIP | Y | A |
Initialize unprotected volume | VIN | Y | N |
Initialize disk | VID | Y | A |
Install IOCF | VIO | Y | N |
Request volume (FDDRL) | VDA | Y | S |
Release volume (FDDRL) | VDR | Y | N |
Modify volume (FDDRL) | VDU | Y | S |
Table 4: Object-related events, event names and audit attributes
Notes on objects and events relating to them
Note on ANY events
The $SATANY macro may be issued by the security administrator and the SAT file manager (using system exit 110) to write to the SATLOG file any information they wish to record about an event that is to be logged (see section “Refining selection with system exit no.110”).
Note on CONSLOG
CLG are not auditable events.
For the purpose of SATUT evaluation, however, it is also possible to use standard format CONSLOG as input files. The entries in these files are converted into CLG records for evaluation, and as a result can be incorporated in the selection. The contents of the audit record are dependent on the type of CONSLOG message (see "Tables of auditable information on object-related events (1)").
Note on DATA SPACES
Operations in the privileged state (TPR) are not logged. If SCOPE=LOCAL is used, failure of the command is logged.
Note on EVENTING-ITEM
If SCOPE = LOCAL applies, no auditing takes place.
Note on FILE and FITC
If the audit attribute of a file is activated, all attempted or successful accesses to the file are logged, provided the event result matches the value of the audit attribute (see section “Subject, object and event”).
The following file attributes are security-relevant: user-access, access, audit, passwords, retention period, basic access control list. Since system administration under TSOS is authorized to read the passwords entered in the directory entry, this event (’read password’) is also rated as security-relevant.
The following two events may be logged when deleting a file:
delete data
delete protection attributes
The same events may occur in conjunction with the renaming of a file with simultaneous modification of the protection attributes.
In the event of a single programmed instruction closing all files, the event (’close file’) is recorded separately for each file.
In multiprocessor systems, auditing is performed by the computer from which the file was opened, while the shareability and the access rights are checked on the computer on which the file is cataloged.
Since ARCHIVE subtasks make use of the Subject Identification Interface (SID), all events relating to a FILE object are treated as if they were part of the main task and therefore logged [5]. In addition, the ARCHIVE-specific event ’rename file’ is logged.
The FSO event is used to log user requests, i.e. requests from the job to SPACEOPT.
The FME event is used to log the result of job processing.
An FSO event record can be associated with no, one or multiple FME result records depending on whether any, and if so how many, files have been moved during job processing.
In contrast, a record containing the FME result is always preceded by a record with the FSO result.
Notes on JOB
Jobs that are canceled while in the wait state are only logged via the CANCEL command.
Print jobs are logged in conjunction with the appropriate commands (see SPOOL JOBS).
Job classes are irrelevant for SAT logging.
In multiprocessor systems, REMOTE ENTER and REMOTE CANCEL are logged in the target computer, while OPEN is recorded in the source computer.
SAT does not log the event ’terminate job’ (JED) unless expressly requested to do so; this is because the event is already logged by CONSLOG and accounting.
Notes on MEMORY-POOL
When in privileged mode (TPR), the only logged event is ’Make readable in TU’.
For memory pools with SCOPE = LOCAL, the only logged events are ’Modify read access’ and ’Make readable in TU’.
Note on POSIX-...
Logging of events for POSIX-CHILD-Process, POSIX-FILE-and-Directory, POSIX-PROCESS and POSIX-SYSTEM-Resources takes place only if SAT support has been activated for these events:
/MODIFY-SAT-SUPPORT-PARAMETERS POSIX-EVENTS=*ENABLED
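The legend for the Chg and Dft columns and the note on POSIX events above, modelled as an added Python example (not part of the manual or of SAT itself): it decides whether a result is logged under each audit attribute and compares a site's settings with the Table 4 defaults. The dictionaries, function names and the sample site configuration are constructed assumptions; only the event names and their Chg/Dft values are taken from the table.

```python
# Added example: a model of SAT preselection semantics. The dictionaries are a
# constructed representation, not a BS2000 data format or command output.

# Results (res field of the SATLOG record) that each audit attribute logs.
LOGGED = {"A": {"S", "F"}, "S": {"S"}, "F": {"F"}, "N": set()}

# Excerpt of Table 4 as printed on this page: event name -> (Chg, Dft).
TABLE4 = {
    "JDE": ("Y", "A"),  # Initiate dialog or RLOGIN
    "UCK": ("Y", "F"),  # Check (USERID)
    "UUL": ("Y", "S"),  # Unlock (USERID)
    "FDD": ("Y", "N"),  # Delete file
    "XSU": ("Y", "N"),  # setuid (POSIX-PROCESS)
    "XCM": ("Y", "N"),  # chmod (POSIX-FILE-and-Directory)
    "PST": ("N", "A"),  # Grant (PRIVILEGE)
    "ZPS": ("N", "A"),  # Command MODIFY-SAT-PRESELECTION
}
# Events of the POSIX-... objects; these also need POSIX-EVENTS=*ENABLED.
POSIX_EVENTS = {"XSU", "XCM"}


def is_logged(attr, res, event=None, posix_enabled=True):
    """True if an event with result res ('S' or 'F') is written to SATLOG."""
    if event in POSIX_EVENTS and not posix_enabled:
        return False
    return res in LOGGED[attr]


def review_preselection(current, posix_enabled):
    """Compare a site's settings (event -> attribute) with the Table 4 defaults.

    Returns a sorted list of (event, finding) tuples.
    """
    findings = []
    for event, attr in current.items():
        if event not in TABLE4 or attr not in LOGGED:
            findings.append((event, "unknown event or attribute"))
            continue
        chg, dft = TABLE4[event]
        if chg == "N" and attr != dft:
            findings.append((event, "Chg=N: attribute cannot be changed"))
            continue
        # Results the default would have logged that the site setting drops.
        lost = LOGGED[dft] - LOGGED[attr]
        if lost:
            dropped = "".join(sorted(lost))
            findings.append((event, "weaker than default, drops res=" + dropped))
        if event in POSIX_EVENTS and LOGGED[attr] and not posix_enabled:
            findings.append((event, "selected but POSIX-EVENTS not enabled"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed site configuration for illustration.
    site = {"JDE": "S", "UCK": "N", "UUL": "A", "XSU": "A", "ZPS": "N"}
    for event, finding in review_preselection(site, posix_enabled=False):
        print(event, "-", finding)
```

Treating each attribute as the set of results it logs makes "weaker than default" a set difference, so a change from ALL to SUCCESS is reported as dropping failed attempts rather than passing as "still logged".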
Note on PROGRAM
No SAT logging is performed in the event of SLICE OVERLOADING.
Note on SAT events
SAT events are always logged, and auditing cannot be deactivated for these events even via a selection function. SATLOG files always have a header and a trailer record corresponding to the special events ’start of SATLOG file’ (ZBG) and ’end of SATLOG file’ (ZND). ZBG and ZND events are likewise always logged and cannot be excluded by means of deactivation.
A header record corresponding to the event “Create an analysis file” is created in the analysis files generated by SATUT (ZRR for replacement files, ZRA for analysis files).
Each event which is related to the definition of alarms or filters (ZCA, ZDA, ZMA, ZAL, ZCF, ZDF, ZMF) is also logged. This also includes saving the SAT parameter file (ZSP).
Note on SESAM
SESAM/SQL Server provides the SESAM administrator with options for switching the SAT logging on and off for SESAM. This means that SESAM events can only occur if SESAM/SQL Server is being used, and only then if the SAT logging is enabled for SESAM. The settings of the SAT preselection have no effect on the SESAM results in all other cases.
Therefore, to log the SESAM events, both the SAT logging in SESAM and the SESAM events in the SAT preselection must be enabled.
Further information on the SESAM options can be found in the “SESAM/SQL Server Database Operation” manual [33].
Note on SPOOL JOBS
Only the fact that /PRINT and /CANCEL commands have been issued is recorded, i.e. the command execution itself is not recorded.
Notes on SUBSYSTEM
Any subsystem activation that takes place prior to SYSTEM READY is not logged in the SATLOG file, but in the CONSLOG. Thus security is ensured by setting system parameter SECSTART=Y (see the "Commands" manual), which forces creation of the CONSLOG file.
When a subsystem is accessed, the access request is recorded but not the subsystem operations (since they are performed under a different TSN).
Only connection or disconnection requests to nonprivileged subsystems are logged, provided they have been successful.
Notes on USERID
The audit data does not indicate whether the authorization to activate AUDIT mode (event UAD or UMD) has been modified.
The rejection of interactive and batch jobs is recorded only indirectly by the ’check user ID’ event, since it does not involve any other security-relevant events.
Notes on UTM events
Since the subject of a UTM event usually is not a BS2000 user ID, such events are treated differently by SAT.
SAT only recognizes that a UTM event has occurred. The audit data contains a subcode indicating the specific UTM events.
For detailed information on SAT logging under openUTM, refer to the openUTM manual “Generating Applications” [17].
Notes on VOLUME
SAT does not record whether or not the write-enable ring of a magnetic tape was present.
SAT records any reservation of a magnetic tape via DMS (see the “Introductory Guide to DMS” [6]), FDDRL (see the “FDDRL” manual [9]) or INIT (see the “Utility Routines” manual [14]). The VSN of a tape being initialized is unknown.
SHOW-VOLUME-ATTRIBUTES statements are not considered to be security-relevant events unless they are part of a user job under TSOS or under a user ID possessing the TAPE-ADMINISTRATION privilege.
MAREN parameters are those parameters to be modified by means of the MAREN statement MODIFY-MAREN-PARAMETERS.