Setup of zSecure Admin Command Logger
zSecure Admin provides an option to log all RACF® commands that are issued through the zSecure interface in a central repository. This section provides an overview of the functions and describes the required installation and activation steps.
About this task
The command log records are kept in a z/OS® log stream. Using zSecure functions, it is possible to select and report about the recorded RACF commands. The z/OS log stream must be defined in the LOGR policy data set. The actual recording of the commands in the log stream is done through a started task (CKXLOG) that runs on each system (LPAR) where RACF commands are run. The record of the command can be annotated with a ticket identification and a ticket description. The zSecure Admin ISPF interface and zSecure Command Verifier send the commands to the zSecure Admin Command Logger.
- Step 1: Define a log stream (or log stream model) for use by the Command Logger
- Step 2: Update C2R$PARM to specify a value for CKXCUST.
- Step 3: Update the CKXCUST member CKXPARM for installation parameters.
- Step 4: Define the STC user ID and STARTED profile for the CKXLOG started task.
- Step 5: Copy the STC procedure to your STC proclib.
- Step 6: Authorize the STC user ID to allocate and write the log stream.
- Step 7: Start the CKXLOG started task.
- Step 8: Define the Command Log policies for components and users.
- Step 9: Configure the zSecure Admin ISPF user interface for command logging.
- Step 10: Configure zSecure Command Verifier to ensure logging of commands that are issued in a batch job or from outside the zSecure Admin ISPF interface.
- Step 11: Optionally, enable calling CKXLOGID from APF environment.
The first administrator uses the zSecure Admin ISPF interface to enter changes. The ISPF interface uses the CKR.CKXLOG.** profile and resources that start with CKR as shown in the associated rectangular box. The presence and access of these profiles and resources determine if the zSecure Admin ISPF interface passes command records to the CKXLOG started task. Step 9 describes these resources.
The second administrator enters a command directly without using the zSecure Admin ISPF interface. These commands might be intercepted by zSecure Command Verifier. In that case, logging is controlled through resources that start with C4R, of which a sample is shown in the associated rectangular box. Step 10 describes these resources.
Note that commands that are executed through the zSecure Admin ISPF interace might also pass through zSecure Command Verifier, and might thus be passed to the CKXLOG started task twice: once by zSecure Admin, and once by zSecure Command Verifier. It is the CKXLOG started task that determines whether or not the passed CKXLOG records are actually recorded in the CKXLOG log stream.
Depending on your environment, you might need profiles for one or more of these types of resources, using generic profiles where possible.