z/OS log streams

IBM Security Guardium S-TAP for IMS monitors the IMS Online regions and batch jobs and writes audit data to z/OS log streams.

The IBM Security Guardium S-TAP for IMS Online and DLI/DBB batch data collectors audit DLI events that occur in the IMS Online and DLI/DBB Batch regions. Audited DLI events are written to z/OS System Logger log streams, which are then read by the IBM Security Guardium S-TAP for IMS agent. The IMS agent sends the audit data to the IBM Guardium appliance by using TCP/IP connections.

To permit the IMS Online and DLI/DBB batch collectors to write to the log streams, System Authorization Facility (SAF) UPDATE access to the z/OS log stream is required for every user ID associated with the audited IMS Control region and with any DLI/DBB batch job that might cause IMS DLI calls to be audited.

You can now use an additional SAF resource to further secure the online and batch log streams. For example, you can prevent the log streams from being read by a user program or utility that is started by a user who holds UPDATE authority to the log stream. Apply APAR OA56050 (z/OS V2R3 and V2R4) to optionally add an additional authority check for a SAF profile that covers resource (WRITE_ONLY_log-stream-name) in class LOGSTRM. This new profile option limits the covered users to connecting to (IXGCONN REQUEST=CONNECT), writing to (IXGWRITE), and disconnecting from (IXGCONN REQUEST=DISCONNECT) the log stream. Other IXG calls, such as IXGBRWSE (read), are rejected with return code 8 and reason code '081C'x. For more information, refer to the documentation provided in the HOLD data for APAR OA56050.

Note: User IDs that are associated with the IBM Security Guardium S-TAP for IMS agent must have authority to read and delete data from the log stream, so they must not be covered by a permission to resource (WRITE_ONLY_log-stream-name). Log stream UPDATE authority is recommended for the IBM Security Guardium S-TAP for IMS agents.
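The following batch job is an added example, not part of this documentation or of the product, that puts the two preceding points together for a RACF installation: the collectors and the agent get UPDATE on the log streams, and only the collectors are then permitted to the WRITE_ONLY_ profiles so that their UPDATE authority no longer lets them browse the audit trail. The log stream names, user IDs and group name are placeholders, and the access level that triggers the write-only restriction (READ here) is an assumption to be confirmed against the OA56050 HOLD data.

```jcl
//STAPSAF  JOB (ACCT),'STAP LOGSTRM SAF',CLASS=A,MSGCLASS=X
//* Added example; names below are placeholders, not product defaults:
//*   IMS.STAP.ONLINE / IMS.STAP.BATCH = online and batch audit log streams
//*   IMSCTL   = user ID of the audited IMS Control region
//*   IMSBATCH = RACF group holding the DLI/DBB batch job user IDs
//*   STAPAGNT = user ID of the S-TAP for IMS agent
//*
//* Part 1 ("before"): UPDATE on the log stream profile is what the
//* collectors need to write, but UPDATE alone also allows IXGBRWSE, so
//* any collector user ID could read the audit data back.
//*
//* Part 2 ("after", requires APAR OA56050): permitting a user ID to
//* WRITE_ONLY_<log stream> restricts it to IXGCONN CONNECT/DISCONNECT
//* and IXGWRITE; IXGBRWSE then fails with RC 8, RSN '081C'x.
//* STAPAGNT is deliberately left off these profiles (UACC(NONE)) because
//* the agent must read and delete from the log streams.
//* Assumption: READ access to the WRITE_ONLY_ profile activates the
//* restriction; check the OA56050 HOLD data for the exact level.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE LOGSTRM IMS.STAP.ONLINE UACC(NONE)
  RDEFINE LOGSTRM IMS.STAP.BATCH  UACC(NONE)
  PERMIT IMS.STAP.ONLINE CLASS(LOGSTRM) ID(IMSCTL STAPAGNT) -
         ACCESS(UPDATE)
  PERMIT IMS.STAP.BATCH  CLASS(LOGSTRM) ID(IMSBATCH STAPAGNT) -
         ACCESS(UPDATE)
  RDEFINE LOGSTRM WRITE_ONLY_IMS.STAP.ONLINE UACC(NONE)
  RDEFINE LOGSTRM WRITE_ONLY_IMS.STAP.BATCH  UACC(NONE)
  PERMIT WRITE_ONLY_IMS.STAP.ONLINE CLASS(LOGSTRM) ID(IMSCTL) -
         ACCESS(READ)
  PERMIT WRITE_ONLY_IMS.STAP.BATCH  CLASS(LOGSTRM) ID(IMSBATCH) -
         ACCESS(READ)
  SETROPTS RACLIST(LOGSTRM) REFRESH
/*
```

The SETROPTS REFRESH is only needed when the LOGSTRM class is RACLISTed on your system; afterwards, RLIST LOGSTRM WRITE_ONLY_IMS.STAP.ONLINE AUTHUSER is a quick way to confirm that STAPAGNT does not appear in the access list.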