IBM Security Z Security

Security for Z

  • 1.  CARLA report to look for WRITE access to OMVS files

    Posted Thu April 15, 2021 02:54 AM

    Trying to run a report to look for just writes to OMVS files - used the following to produce a report:

    OPTION EMPTYLIST=HIDE REQUIRED
    define type=smf StartTime(" Start",8) min(time)
    define type=smf EndTime(" End",8) max(time)
    n type=smf n=smfsel outlim=0 nopage
    S,
    ( (unix_pathname=("/XXXX/tmp/fred"g)))
    list type
    n type=smf tt="zSecure Admin+Audit for RACF file system events",,
    ,
    st="Event log records for paths like /XXXX/tmp/fred"
    s likelist=SMFSEL
    Sortlist datetime(nd) system(nd) smfdd(nd) recno(nd) userid(nd) date,
    time system recorddesc
    summary unix_pathname(key,pas) / " ",
    * user(key,pas) jobtag(nd) jobname jobid,
    system date(9) StartTime EndTime

    This produced output which included all actions - using the EV.F panel identified the following SELECT using the "Further pathname selection" and selecting "Access used WRITE"

    S,
    (((((UNIX_ACCESS_USED="u+w"M OR,
    UNIX_ACCESS_USED="g+w"M OR UNIX_ACCESS_USED="o+w"M)),
    unix_pathname=(,"/XXXX/tmp/fred"g))))

    But this returned no data - has anyone got some sample CARLA that can be used?




  • 2.  RE: CARLA report to look for WRITE access to OMVS files

    Posted Thu April 15, 2021 03:49 PM

    Have you tried using

    select unix_access_intent='w'm,
    unix_pathname=(,"/XXXX/tmp/fred"g)

    If this does not immediately help, print the values of unix_access_intent and unix_access_used in the summary that works.




  • 3.  RE: CARLA report to look for WRITE access to OMVS files

    Posted Thu April 15, 2021 10:27 PM

    Run the following:

    OPTION EMPTYLIST=HIDE REQUIRED

    16Apr2021 09:43:50.74 XXXXXXX close UNIX file read 1821 bytes /XXX/usr/local/fred XXXXXXX -r-- -r--

    16Apr2021 09:45:44.28 XXXXXXX close UNIX file written 1821 bytes /XXX/usr/local/fred XXXXXXX --w- --w-

    S,
    unix_access_intent='w'm,
    unix_pathname=(,"/ANZ/usr/local/fr*"g)

    Access intent mask: =, + or - expected; found word "w"m,"




  • 4.  RE: CARLA report to look for WRITE access to OMVS files

    Posted Fri April 16, 2021 06:46 AM

    Hi Brett

    My CARLa code lacked the + in the permission mask; it should have read:

    S,
    unix_access_intent='+w'm,
    unix_pathname=(,"/ANZ/usr/local/fr*"g)




  • 5.  RE: CARLA report to look for WRITE access to OMVS files

    Posted Fri April 30, 2021 02:01 AM

    Have CARLA working in our DEV environment, promoted into Production, and as a test replaced +W with +R to ensure we'd get output.

    Tested Prod SMF data in Dev and got output in the report, but in Production (using the same CARLA and SMF data) we get an empty report. It seems that the same CARLA report in our Prod environment is finding the unix_access_intent field as blank, yet that same SELECT works fine in our Dev system.

    n type=smf n=smfselz outlim=0
    S unix_access_intent='+r'm
    list type
    n type=smf tt="zSecure Admin+Audit for RACF file system events",,
       empty="Test Activity",
      st="OMVS READ"
    s likelist=SMFSELZ
    Sortlist datetime userid UNIX_PATHNAME(130)

    Any ideas why the SELECT and the same SMF data would work differently?




  • 6.  RE: CARLA report to look for WRITE access to OMVS files

    Posted Fri April 30, 2021 07:27 AM

    I would have tried to see if any UNIX records are available for reporting in your user ID/data set. Reasons why this fails could be:

    • Your user ID has no access to CKR.READALL
    • The SMF data set has no SMF 92 subtype 10 + 11
    • PROD has a different PTF level or release of CKRCARLA
