IBM Support

PI54361: DITTO IS USING LOG=NONE TOO WIDELY ON SECURITY CHECKS, SO AUDIT LOG INFORMATION IS INCOMPLETE.

A fix is available


APAR status

  • Closed as program error.

Error description

  • DITTO is using LOG=NONE too widely on security checks, so
    audit log information is incomplete.
    

Local fix

  • No Workaround
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of DITTO/ESA for MVS on z/OS           *
    ****************************************************************
    * PROBLEM DESCRIPTION: When DITTO is running APF authorized,   *
    *                      security check audit logging is         *
    *                      suppressed too much.                    *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    When DITTO is running APF authorized, it supports more than one
    alternative method of permitting access to various resources, so
    for example full pack read access to a disk may either be
    authorized by UPDATE access to DITTO.DISK.FULLPACK, which allows
    read access to all disks, or it may be authorized by a
    combination of READ access to DITTO.DISK.FULLPACK and access to
    DASDVOL.volume for the appropriate volume.  This means that if
    security checks were issued with default logging options,
    spurious access violation warnings would be issued if one method
    of checking failed but another one succeeded.  To avoid such
    warnings, DITTO used the option LOG=NONE on security checks,
    which was probably the only available solution at the time that
    it was written.  However, this has the side-effect of
    suppressing audit log information, including records of
    successful accesses.  It should now be using the option
    LOG=NOFAIL, which suppresses logging of failures but uses the
    installation-specified audit logging options for successful
    accesses.  For data set checks when using RACF, this option can
    even be overridden if necessary, using the SETROPTS command with
    PROTECTALL(WARNING).
    

Problem conclusion

  • The DITTO security check routine has been modified so that when
    DITTO is running APF authorized it will use the option
    LOG=NOFAIL instead of LOG=NONE.
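
The following is an added example, not DITTO or RACF code: a simplified Python model of the full pack read check described in the problem summary, showing which audit records each logging option leaves behind. Assumptions: the users, the volume VOL001 and the access lists are constructed, "ASIS" stands for the default logging options, every profile is assumed to audit both successes and failures, and the DASDVOL check is assumed to need READ.

```python
# Simplified model of the audit behaviour described in the APAR; this is not
# RACF or DITTO code. Profiles, users and audit settings below are constructed.
ORDER = {"NONE": 0, "READ": 1, "UPDATE": 2}

# profile -> {user: access level}. Every profile is assumed to have
# installation auditing of both successes and failures switched on.
ACL = {
    "DITTO.DISK.FULLPACK": {"OPER1": "READ", "SYSPROG": "UPDATE"},
    "DASDVOL.VOL001": {"OPER1": "READ"},
}

def auth(user, profile, need, log, audit):
    """One security check. log is ASIS (default logging), NOFAIL or NONE."""
    held = ACL.get(profile, {}).get(user, "NONE")
    ok = ORDER[held] >= ORDER[need]
    # ASIS logs every outcome, NOFAIL logs successes only, NONE logs nothing.
    if log == "ASIS" or (log == "NOFAIL" and ok):
        audit.append((user, profile, need, "SUCCESS" if ok else "VIOLATION"))
    return ok

def fullpack_read(user, volume, log):
    """Full pack read: UPDATE to DITTO.DISK.FULLPACK, or READ to it plus
    access (assumed READ) to DASDVOL.volume.
    Returns (allowed, audit records written)."""
    audit = []
    allowed = auth(user, "DITTO.DISK.FULLPACK", "UPDATE", log, audit) or (
        auth(user, "DITTO.DISK.FULLPACK", "READ", log, audit)
        and auth(user, "DASDVOL." + volume, "READ", log, audit)
    )
    return allowed, audit

if __name__ == "__main__":
    for log in ("ASIS", "NONE", "NOFAIL"):
        allowed, audit = fullpack_read("OPER1", "VOL001", log)
        print(log, "allowed" if allowed else "denied")
        for record in audit:
            print("   ", record)
```

In this model a request that fails every alternative leaves no record under NOFAIL, so the audit trail covers successful accesses only.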
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI54361

  • Reported component name

    DITTO/ESA MVS

  • Reported component ID

    565510300

  • Reported release

    310

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-12-17

  • Closed date

    2016-01-06

  • Last modified date

    2016-02-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UI34248

Modules/Macros

  •    DIT0LVL  DIT0SAF
    

Fix information

  • Fixed component name

    DITTO/ESA MVS

  • Fixed component ID

    565510300

Applicable component levels

  • R310 PSY UI34248

       UP16/01/07 P F601

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.

Document Information

Modified date:
02 March 2022