MVSSOX | z/OS Mainframe
This program is used to monitor specified datasets for any updates and is used for internal audit review.
Download
History
1.0.0
(03/05/2007) - Created.
1.1.3
(31/01/2011) - Added additional checks and now uses custom title for the email. Fixed issue where users were not parsed.
1.1.4
(23/06/2014) - To prevent errors during reading, each dataset is checked 3 times before skipping to the next in case of errors reading.
1.1.5
(17/07/2014) - Program split into two modules.
(29/07/2014) - Added custom text and dataset errors to the email.
(30/07/2014) - Reduced processing of data. Added code to copy data missed if a dataset access error occurred to the next generation.
1.1.6
(27/04/2015) - Link date/time could not be retrieved and would fail 83000813 for some datasets - buffer version was not supported - updated VERSION=1 on IEWBUFF calls to VERSION=7.
1.1.7
(20/01/2017) - Fixed typo in LOCATE call.
2.0.0
(09/03/2022) - Converted to relative addressing and split further into modules. INIT; parameter in DD:SYSIN will initialise the data. IEWBIND errors 83000505/507/510 are now handled.
Planned Changes
- None
Screenshots / Output
Description & Parameters
The program collects a number of statistics for members in PDS and LMOD datasets. These are written to DD:SYSUT2 which is compared with a previous generation of the data at DD:SYSUT1. Any changes between the two listings are written to DD:HISTORY and emailed to users. The program/JCL can be set up in automation to submit every specific interval so for example, checking the datasets for any changes every 60 minutes.Suggested uses of this program are monitoring configuration datasets such as PARMLIB, PROCLIB, database load modules and automation rules. By monitoring these datasets, it could alert you to any potential risks to your systems.
DD:SYSIN
A list of datasets to be monitored – source PDS and Load libraries should be split into different jobs. The volume for the dataset can be specified in column 45.
To create the baseline version for subsequent comparisons, you will need to specify INIT; as the first line of DD:SYSIN. After the baseline has been created, this should be removed.
To create the baseline version for subsequent comparisons, you will need to specify INIT; as the first line of DD:SYSIN. After the baseline has been created, this should be removed.
DD:USERS
A member containing a list of users.
DD:SYSUT1
The current version of the dataset used to record the listing of the members and statistics
DD:SYSUT2
Specifies the (+1) version of the dataset specified in DD:SYSUT1.
DD:HISTORY
A GDG dataset to record a list of changes.
DD:EMAIL
The DD where the changes are listed for inclusion in a subsequent step to send the email.
Set Up
This is an example of how to set up the process:1) Use your site JCL to define a GDG which is specified in DD:SYSUT1 and DD:SYSUT2 - this will be the listing of the members with detailed statistics. The number of generations to keep will depend on your audit requirements.
2) Use your site JCL to define a GDG which is specified in DD:HISTORY - this is used to record any changes each day. This GDG should be advanced to the next generation (+1) via automation (or similar process) at midnight each day. I create a new generation and write a simple header with the datestamp.
It is a good idea to log any SAF accesses to these datasets created above. This means that as well as protecting the configuration datasets, you are also protecting the audit trail for any changes.
3) If you are sending email notifications, you will need to set up the Email Header member. This contains the SMTP control statements as follows:
********************************* Top of Data ********************************** HELO hostname@test.com MAIL FROM:<mail.server@test.com> RCPT TO:<sysprog.team@test.com> DATA From: mail.server@test.com To: Mainframe_Team Subject: MVS Configuration Dataset Monitor: Updates Made!! This process has been monitoring configuration datasets and has reported the following: ******************************** Bottom of Data ********************************4) And then the Email Footer:
********************************* Top of Data ********************************** . QUIT ******************************** Bottom of Data ********************************5) If you intend to replace userids with real names, you will need to set up a member for DD:USERS. The logonid uses the first 9 characters followed by the user’s name.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7----+----8 ********************************* Top of Data ********************************** IBMUSER IBM-supplied Logonid A123456 Staff Member ZYXWVUT Staff Member ******************************** Bottom of Data ********************************6) Lastly, create JCL using the example below. To create a baseline, specify INIT; as the first line in DD:SYSIN. On submission, it will create the baseline dataset without any notifications.
7) Remove INIT; from DD:SYSIN. You can test the program by updating a member in your dataset list and submitting the JCL. Any changes will be reported RC=1 and an email will be sent - see the Screenshots above.
JCL Example
//STEP1 EXEC PGM=MVSSOX,REGION=0M //STEPLIB DD DISP=SHR,DSN=OWDATA.EXAMPLE.LOAD //SYSPRINT DD SYSOUT=* //USERS DD DISP=SHR,DSN=OWDATA.EXAMPLE.ASM(USERS) //SYSUT1 DD DISP=SHR,DSN=OWDATA.MVSSOX.COMP(0) //SYSUT2 DD DSN=OWDATA.MVSSOX.COMP(+1), // DISP=(NEW,CATLG,DELETE),SPACE=(TRK,(3,2),RLSE), // DCB=(BLKSIZE=7700,LRECL=100,RECFM=FB) //EMAIL DD DSN=&&FILE1,DISP=(NEW,PASS,DELETE),SPACE=(CYL,(1,1)), // DCB=(BLKSIZE=6160,LRECL=80,RECFM=FB) //HISTORY DD DISP=MOD,DSN=OWDATA.MVSSOX.UPDATES(0) //SYSIN DD * INIT; <=== (only used for the baseline run) SYS1.PARMLIB SYS1.PROCLIB SYS1.IBM.PARMLIB SYS1.IBM.PROCLIB SYS1.IPLPARM MVS100 /* //*************************************************************** //* IF STEP1.RC = 1 THEN WE KNOW UPDATES HAVE BEEN FOUND SO //* WE CREATE AN EMAIL AND SEND IT //*************************************************************** //CHECK IF (STEP1.RC = 1) THEN //STEP2 EXEC PGM=IEBGENER //SYSIN DD DUMMY //SYSUT1 DD DISP=SHR,DSN=OWDATA.EXAMPLE.ASM(EMAILHDR) // DD DISP=SHR,DSN=&&FILE1 // DD DISP=SHR,DSN=OWDATA.EXAMPLE.ASM(EMAILFTR) //SYSUT2 DD SYSOUT=(B,SMTP) //SYSOUT DD SYSOUT=* //SYSPRINT DD SYSOUT=* //END ENDIF //* //***************************************************************
Abend or Error Codes
U0001
Unable to read from DD - check SYSPRINT
U0002
Unable to write to DD - check SYSPRINT
U0005
Unable to write to DD for output
If a dataset cannot be accessed, an error message is written to the DD:SYSPRINT, DD:HISTORY and DD:EMAIL. The format is:
ERROR MESSAGES: (LOCATE R15)-(LOCATE R0)-(OBTAIN R15)-(S99 R15)-(S99 ERROR)-(S99 INFO)
Environment
This program was written in z/OS HLASM Assembler and will run under z/OS 31bit. The code is re-entrant.No additional authorisations are required.
This program was developed and tested under z/OS 1.12 up to z/OS 2.4.
Additional Macros
The program uses the STRING macro from https://gsf-soft.com/Freeware/STRING.html - I highly recommend this.MVSSOX also uses an internal macro, VERSION, which is included in the XMIT file.