IBM Security Z Security

Security for Z

  • 1.  Command Logger receiving data from Offline Database

    Posted Thu March 12, 2020 01:07 PM
    We have noticed when we make changes to our Offline Database, those RACF changes are also being reported to the Command Logger and appearing in the Logstream data. When I go to CR.2 and run a report of the commands issued, I see commands from the live RACF DB and from the offline DB. If audit were to look at the commands they would believe those commands from the Offline DB were commands to the live RACF DB.

    I don't see anything in the data to attempt to exclude. Or is there a way to turn off command logging for the offline DB?

    I have taken the CARLa from CR.2 and tweaked it to try to get the command and the ticket information on a single line. Still having some instances of wrapping.

    symbolic num summaryopt=0
    symbolic num ConciseFields=1
    n type=ckxlog name=CKXLOG header=prefix prefixlen=0,
     t="Command history" required
     exclude ifdefined(CKXLOG_EXCLUDE)
     sortlist etod(nd),
         (ConciseFields=1 ?,
          datetime_runtz(nop),
          user(nop),
          command(nop,170),
          ticket_id(nop,15) ticket_desc(nop,ww,0))


    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Command Logger receiving data from Offline Database

    Posted Thu March 12, 2020 01:56 PM
    As a follow-up to the question above.
    When using zSecure to change a User ID on the Offline DB, it's prompting me for a ticket/description. It then queues the command including the CKXLOGID SET command. When you try to run them from zSecure and the offline DB you get this response:

    CKXLOGID SET ID('art 6705000') DESC('testing cmd logger with offline')
    CKR962W Command not found
    altuser RBCRI CSDATA($RLEKEY(XXXX))

    The altuser command still executes successfully.

    All works fine if I am in the live RACF DB. I assume I might be having an issue with the LNKLST?


    ------------------------------
    Linnea Sullivan
    ------------------------------



  • 3.  RE: Command Logger receiving data from Offline Database

    Posted Wed March 18, 2020 04:16 AM

    Indeed, the zSecure Admin User Interface does not know that the saved commands are going to be executed against an Offline database. It's only during the final execution of the RACF command that it is clear that the target is an Offline database. Any form of pre-execution logging might be incorrect. If you want to prevent pre-commands from being logged that way, the only solution is to stop logging pre-commands, and use the zSecure Command Verifier process of logging commands "during" execution. However, that form of logging is limited to those commands that are captured by CV: notable exceptions are RACDCERT and RACMAP.

    Because RACF-Offline avoids calling CV, there is no zSecure logging of RACF-Offline commands.



    ------------------------------
    Guus Bonnes
    ------------------------------



  • 4.  RE: Command Logger receiving data from Offline Database

    Posted Wed March 18, 2020 10:19 AM
    Would a related RFE to have a "switch" profile to enable or disable Command Logging for RACF Offline related programs be a viable solution?

    It sounds like an XFACILIT class profile CKX.CKXLOG.LOG.C4RMAIN can be defined to log only Command Verifier processed commands but as you specified this would exclude some RACF commands, so is not really an ideal path.

    ------------------------------
    Adam Klinger
    ------------------------------



  • 5.  RE: Command Logger receiving data from Offline Database

    Posted Thu March 19, 2020 04:35 AM
    Edited by Guus Bonnes Thu March 19, 2020 04:36 AM
    From a technical viewpoint it would be possible to test inside the logger task if RACF-Offline is active, and simply block updates. An RFE would be the way to get it registered and prioritized (sorry if that sounds like a put-off, but I really can't commit to anything).

    ------------------------------
    Guus Bonnes
    ------------------------------