Alternatives for controlling File Manager CICS® auditing

FM/CICS auditing is an optional facility. There is no requirement to implement it, and FM/CICS works normally if auditing is not implemented. You should consider:

  • Whether user access to data sets and other resources using File Manager CICS® requires auditing.
  • The information that File Manager audit log records can provide.
  • The information that File Manager audit log records cannot provide, and possible alternatives to obtaining that information.
  • If you do decide to use File Manager auditing, how you will handle any issues associated with large audit log data sets, or additional SMF records.
  • How you will use the information provided by File Manager audit log records.

If your site requires a record of a user's read access to data sets, an external security product such as RACF® can be configured to log access by some or all users, and this may be a better alternative than File Manager auditing.

CICS® also provides logging facilities that may be a better alternative. File Manager auditing of read access to data sets does not write an audit log record for every record processed; instead, it writes the name of the data set and the number of records processed to the audit log.

File Manager auditing of changes to data sets typically writes two log records for each change: a before image and an after image of the record that was changed. If you intend to log updates to data sets that are subject to heavy update activity, you need to consider both the performance impact of writing many audit log records and the size of any audit log data sets that are produced.

You have two choices for controlling FM/CICS auditing:

FMN3POPT controlled auditing
With FMN3POPT controlled auditing you can specify auditing to the user's audit log data set, to the user's audit log data set with automatic (mandatory) printing of the audit log at the completion of the session, or to SMF.
SAF-rule controlled auditing
This relies on SAF FACILITY and XFACILIT resource rules that you define with an external security product, such as RACF® (or an equivalent product).
These points summarize the facilities available with SAF-rule controlled auditing:
  • Auditing can be (optionally) specified for all FM/CICS functions.
  • Different auditing requirements can be specified for different TSO user IDs.
  • Different auditing requirements can be specified for access to different resources.
  • You can provide FM/CICS users with a "Create audit trail" option for the FM/CICS edit functions. This option is also SAF-rule controlled. The presence of the "Create audit trail" option does not guarantee that the user can switch off auditing, because that depends on the level of access the user has to the appropriate SAF resource names. When a user has access to the "Create audit trail" option, they can always turn on auditing, even if the relevant SAF resource rules do not require it.
  • You can specify auditing to the user's audit log data set, to the user's audit log data set with automatic (mandatory) printing of the audit log at the completion of the session, or to SMF. Dual logging (to the user's audit log data set and to SMF) can also be specified.
Some other points to consider are:
  • Auditing to the user's audit log data set can result in large numbers of audit log data sets, which may have disk space implications. You may need to implement automatic purging or archiving of audit log data sets.
  • Auditing to SMF (only) requires additional set-up, but provides a more reliable and secure environment for capturing audit information than logging to the user's audit log data set, because users cannot modify or delete their own SMF records.
  • If you implement SAF-rule controlled auditing you need to decide how File Manager auditing will be enabled. This is described in more detail in Implementing SAF-rule controlled auditing. There are two alternatives. One requires an enabling SAF rule and the presence of a member in SYS1.PARMLIB. The other requires an enabling SAF rule but has no requirement for a member in SYS1.PARMLIB.

    The use of a member in SYS1.PARMLIB provides additional facilities compared with the alternative that does not require the use of SYS1.PARMLIB. The additional facilities are documented in File Manager options specified in PARMLIB members.

When you have determined the appropriate type of auditing for your installation, follow the instructions in Customizing the File Manager audit facility for CICS component.