blueshantung

MVSSOX | z/OS Mainframe

This program is used to monitor specified datasets for any updates and is used for internal audit review.

Download

History

1.0.0
(03/05/2007) - Created.
1.1.3
(31/01/2011) - Added additional checks and now uses custom title for the email. Fixed issue where users were not parsed.
1.1.4
(23/06/2014) - To prevent errors during reading, each dataset is checked 3 times before skipping to the next in case of errors reading.
1.1.5
(17/07/2014) - Program split into two modules.
 
(29/07/2014) - Added custom text and dataset errors to the email.
 
(30/07/2014) - Reduced processing of data. Added code to copy data missed if a dataset access error occurred to the next generation.
1.1.6
(27/04/2015) - Link date/time could not be retrieved and would fail 83000813 for some datasets - buffer version was not supported - updated VERSION=1 on IEWBUFF calls to VERSION=7.
1.1.7
(20/01/2017) - Fixed typo in LOCATE call.
2.0.0
(09/03/2022) - Converted to relative addressing and split further into modules. INIT; parameter in DD:SYSIN will initialise the data. IEWBIND errors 83000505/507/510 are now handled.

Planned Changes

  1. None

Screenshots / Output

Description & Parameters

The program collects a number of statistics for members in PDS and LMOD datasets. These are written to DD:SYSUT2 which is compared with a previous generation of the data at DD:SYSUT1. Any changes between the two listings are written to DD:HISTORY and emailed to users. The program/JCL can be set up in automation to submit every specific interval so for example, checking the datasets for any changes every 60 minutes.

Suggested uses of this program are monitoring configuration datasets such as PARMLIB, PROCLIB, database load modules and automation rules. By monitoring these datasets, it could alert you to any potential risks to your systems.

DD:SYSIN
A list of datasets to be monitored – source PDS and Load libraries should be split into different jobs. The volume for the dataset can be specified in column 45.

To create the baseline version for subsequent comparisons, you will need to specify INIT; as the first line of DD:SYSIN. After the baseline has been created, this should be removed.

DD:USERS
A member containing a list of users.
DD:SYSUT1
The current version of the dataset used to record the listing of the members and statistics
DD:SYSUT2
Specifies the (+1) version of the dataset specified in DD:SYSUT1.
DD:HISTORY
A GDG dataset to record a list of changes.
DD:EMAIL
The DD where the changes are listed for inclusion in a subsequent step to send the email.

Set Up

This is an example of how to set up the process:

1) Use your site JCL to define a GDG which is specified in DD:SYSUT1 and DD:SYSUT2 - this will be the listing of the members with detailed statistics. The number of generations to keep will depend on your audit requirements.

2) Use your site JCL to define a GDG which is specified in DD:HISTORY - this is used to record any changes each day. This GDG should be advanced to the next generation (+1) via automation (or similar process) at midnight each day. I create a new generation and write a simple header with the datestamp.

It is a good idea to log any SAF accesses to these datasets created above. This means that as well as protecting the configuration datasets, you are also protecting the audit trail for any changes.

3) If you are sending email notifications, you will need to set up the Email Header member. This contains the SMTP control statements as follows:

********************************* Top of Data **********************************
HELO hostname@test.com                                                           
MAIL FROM:<mail.server@test.com>                                              
RCPT TO:<sysprog.team@test.com>                                              
DATA                                                                            
From: mail.server@test.com                                                    
To: Mainframe_Team                                                              
Subject: MVS Configuration Dataset Monitor: Updates Made!!               
                                                                                
This process has been monitoring configuration datasets and has reported        
the following:                                                                  
                                                                                
******************************** Bottom of Data ********************************
					
4) And then the Email Footer:
********************************* Top of Data **********************************
.                                                                               
QUIT                                                                            
******************************** Bottom of Data ********************************
					
5) If you intend to replace userids with real names, you will need to set up a member for DD:USERS. The logonid uses the first 9 characters followed by the user’s name.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7----+----8
********************************* Top of Data **********************************
IBMUSER  IBM-supplied Logonid
A123456  Staff Member
ZYXWVUT  Staff Member                                                    
******************************** Bottom of Data ********************************
					
6) Lastly, create JCL using the example below. To create a baseline, specify INIT; as the first line in DD:SYSIN. On submission, it will create the baseline dataset without any notifications.

7) Remove INIT; from DD:SYSIN. You can test the program by updating a member in your dataset list and submitting the JCL. Any changes will be reported RC=1 and an email will be sent - see the Screenshots above.

JCL Example

//STEP1   EXEC PGM=MVSSOX,REGION=0M                                 
//STEPLIB   DD DISP=SHR,DSN=OWDATA.EXAMPLE.LOAD                     
//SYSPRINT  DD SYSOUT=*                                             
//USERS     DD DISP=SHR,DSN=OWDATA.EXAMPLE.ASM(USERS)               
//SYSUT1    DD DISP=SHR,DSN=OWDATA.MVSSOX.COMP(0)                   
//SYSUT2    DD DSN=OWDATA.MVSSOX.COMP(+1),                          
//             DISP=(NEW,CATLG,DELETE),SPACE=(TRK,(3,2),RLSE),      
//             DCB=(BLKSIZE=7700,LRECL=100,RECFM=FB)                
//EMAIL     DD DSN=&&FILE1,DISP=(NEW,PASS,DELETE),SPACE=(CYL,(1,1)),
//             DCB=(BLKSIZE=6160,LRECL=80,RECFM=FB)                 
//HISTORY   DD DISP=MOD,DSN=OWDATA.MVSSOX.UPDATES(0)                
//SYSIN     DD *                                                    
INIT;		<=== (only used for the baseline run)
SYS1.PARMLIB                                                        
SYS1.PROCLIB                                                        
SYS1.IBM.PARMLIB                                                    
SYS1.IBM.PROCLIB                                                    
SYS1.IPLPARM                                MVS100                  
/*                                                                  
//***************************************************************   
//* IF STEP1.RC = 1 THEN WE KNOW UPDATES HAVE BEEN FOUND SO         
//* WE CREATE AN EMAIL AND SEND IT                                  
//***************************************************************   
//CHECK IF (STEP1.RC = 1) THEN                                      
//STEP2   EXEC PGM=IEBGENER                                      
//SYSIN     DD DUMMY                                             
//SYSUT1    DD DISP=SHR,DSN=OWDATA.EXAMPLE.ASM(EMAILHDR)         
//          DD DISP=SHR,DSN=&&FILE1                              
//          DD DISP=SHR,DSN=OWDATA.EXAMPLE.ASM(EMAILFTR)         
//SYSUT2    DD SYSOUT=(B,SMTP)                                   
//SYSOUT    DD SYSOUT=*                                          
//SYSPRINT  DD SYSOUT=*                                          
//END    ENDIF                                                   
//*                                                              
//***************************************************************                                                                       
					

Abend or Error Codes

U0001
Unable to read from DD - check SYSPRINT
U0002
Unable to write to DD - check SYSPRINT
U0005
Unable to write to DD for output

If a dataset cannot be accessed, an error message is written to the DD:SYSPRINT, DD:HISTORY and DD:EMAIL. The format is:

ERROR MESSAGES: (LOCATE R15)-(LOCATE R0)-(OBTAIN R15)-(S99 R15)-(S99 ERROR)-(S99 INFO)

Environment

This program was written in z/OS HLASM Assembler and will run under z/OS 31bit. The code is re-entrant.
No additional authorisations are required.

This program was developed and tested under z/OS 1.12 up to z/OS 2.4.

Additional Macros

The program uses the STRING macro from https://gsf-soft.com/Freeware/STRING.html - I highly recommend this.

MVSSOX also uses an internal macro, VERSION, which is included in the XMIT file.

Assemble & Link

The program contains multiple source members. Each member will compile into object files in a separate dataset. Member #BUILD will link these modules together. The JCL runs under JES3 so you will probably need to tailor it for your environment.