A basic step on a z/OS and RACF audit is review a DSMON output.
The first is to create a JCL to launch DSMON and SUBMIT on a AUDITOR / SPECIAL user.
//DSMON JOB CLASS=A,MSGLEVEL=(1,1),MSGCLASS=A
//********************************************************
//* LAUNCH DSMON *
//********************************************************
//* DATE: ACTION: NAME: *
//* 2013/10/23 CREATE JCL CAPI_X *
//********************************************************
//ICHDSM00 EXEC PGM=ICHDSM00
//SYSUT2 DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
Once are finished we need the SYSUT2 output (TSO SDSF -> ST)
SDSF STATUS DISPLAY ALL CLASSES LINE 1-40 (180)
COMMAND INPUT ===> SCROLL ===> PAGE
NP JOBNAME JobID Owner Prty Queue C Pos SAff ASys Status
? ICHDSM00 JOB00531 ADMSPUSR 1 PRINT A
Using the XDC command we can create a new dataset and store the output on it. (XDC closes the file)
SDSF JOB DATA SET DISPLAY - JOB ICHDSM00 (JOB00531) DATA SET DISPLAYED
COMMAND INPUT ===> SCROLL ===> PAGE
NP DDNAME StepName ProcStep DSID Owner C Dest Rec-Cnt Page
JESMSGLG JES2 2 ADMSPUSR A LOCAL 16
JESJCL JES2 3 ADMSPUSR A LOCAL 8
JESYSMSG JES2 4 ADMSPUSR A LOCAL 13
XDC SYSUT2 ICHDSM00 102 ADMSPUSR A LOCAL 886
SYSPRINT ICHDSM00 103 ADMSPUSR A LOCAL 19
This is a example of the NEW dataset options (NOTE: Change the Record format to FB to have newline chars)
SDSF Open Print Data Set
COMMAND INPUT ===> SCROLL ===> PAGE
Data set name ===> ADMSPUSR.OUT.DSMON
Member to use ===>
Disposition ===> NEW (OLD, NEW, SHR, MOD)
If the data set is to be created, specify the following.
Volume serial will be used to locate existing data sets if specified.
Management class ===> (Blank for default management class)
Storage class ===> (Blank for default storage class)
Volume serial ===> (Blank for authorized default volume)
Device type ===> (Generic unit or device address)
Data class ===> (Blank for default data class)
Space units ===> BLKS (BLKS, TRKS, CYLS, BY, KB, or MB)
Primary quantity ===> 500 (In above units)
Secondary quantity ===> 500 (In above units)
Directory blocks ===> (Zero for sequential data set)
Record format ===> FB
Record length ===> 240
Block size ===> 3120
To get the SETROPTS LIST output you can use this JCL to run TSO commands and get your output.
//SETROPTS JOB (CAPI),'TSO SR EXAMPLE',CLASS=A,MSGCLASS=X,
// MSGLEVEL=(1,1),NOTIFY=&SYSUID
//********************************************************
//* LIST SETROPTS OPTIONS *
//********************************************************
//* DATE: ACTION: NAME: *
//* 2013/10/23 CREATE JCL CAPI_X *
//********************************************************
//STEP01 EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SORTMSG DD SYSOUT=*
//SYSOUT DD SYSOUT=*
//OUTPUT DD SYSOUT=*
//LISTOUT DD SYSOUT=*
//SYSTSIN DD *
SETROPTS LIST
/*
Now you can repeat the last SDSF commands.
Once all are done we can download the DSMON and SETROPTS datasets and analyze it.
ftp> ASCII
200 Representation type is Ascii NonPrint
ftp> GET OUT.DSMON
200 Port request OK.
125 Sending data set ADMSPUSR.OUT.DSMON
250 Transfer completed successfully.
ftp> GET OUT.SETROPTS
200 Port request OK.
125 Sending data set ADMSPUSR.OUT.SETROPTS
250 Transfer completed successfully.