RACF applications Logon/Logoff report

  • 1.  RACF applications Logon/Logoff report

    Posted Tue August 20, 2024 06:11 AM

    Hi All

    We have .NET applications that use RACF as an authentication back end.

    Is there any way to generate a logon/logoff report from CARLa for the application users from RACF?

    Thanks

    Mohammed Ibrahem



    ------------------------------
    Mohammed Ibrahem
    ------------------------------


  • 2.  RE: RACF applications Logon/Logoff report

    Posted Tue August 20, 2024 08:08 AM

    Hi Mohammed,

    if your SMF subsystem is configured to log the appropriate SMF record types for these logons and logoffs, this report is even supported in the standard zSecure User Interface. 

    When you allocate the SMF data set or log stream to your zSecure session with option Setup Input files (SE.1), you can use option "User event from SMF (EV.U)" to report successful logon and logoff activities logged to SMF:

                      zSecure Audit for RACF - Events - User Selection              
    Command ===> __________________________________________________   _ start panel
                                                                                   
    Show records that fit all of the following criteria:                           
    Userid  . . . . . . ________     (userid or EGN mask)                          
    Owned by  . . . . . ________     (group or userid, or EGN mask)                
    System  . . . . . . ____         (system name or EGN mask)                     
    Name  . . . . . . . ___________________________ (name/part of name, no filter) 
    Installation data . ___________________________ (scan of data, no filter)      
    Jobname . . . . . . ________     (job name or EGN mask)                        
    Terminal  . . . . . ________     (Terminal id or EGN mask)                     
    Advanced selection criteria                                                    
    /  User actions            _  User attributes         _  Date and time         
    _  Data set selection      _  Unix selection          _  Resource selection    
    _  DB2 selection           _  CICS selection          _  Omegamon selection    
    _  IP selection                                                                
                                                                                   
    Output/run options                                                             
    /  Include detail          _  Summarize               _  Specify scope         
    _  Output in print format     Customize title            Send as e-mail        
         Run in background        Sort differently                                 

    Select option "User actions", and if the .NET users have a certain naming convention/prefix, you can enter that filter in the "Userid" option. Press Enter:

                     zSecure Audit for RACF - Events - User Action Selection
    Command ===> ___________________________________________________________
    SMF records for all users                                               
    Show user related information                                           
                                                                            
    Logon/logoff/job start/job end/authentication                           
       Password      Passphrase      MFA         Passticket      ACEE       
       IdToken       Unknown         Failed                                 
                                                                            
    Other user activity                                                     
       Revoke/resume activity                                               
       RACF/CKGRACF commands issued                                         
         Successful                  Failed                                 
           Select command type(s)                                           
         Include SETROPTS REFRESH/LIST commands                             
         Include ALTUSER RESUME commands                                    
         Include CKGRACF commands                                           
       Affected by RACF/CKGRACF commands                                    

    In the "Logon/Logoff..." section, you can select the appropriate authentication method(s) that you want to report about. If you prefer to produce a printed report rather than a display, select option "Output in print format" on the EV.U panel prior to pressing Enter. 

    After your report/display has been generated, you can access the COMMANDS work data set on the RESULTS panel. Then, you can review the CARLa code that the UI uses to produce the display/report showing the logon/logoff activities.

    I hope this helps.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: RACF applications Logon/Logoff report

    Posted Tue August 20, 2024 08:21 AM

    Thanks for your mail. It seems I am missing some configuration on the SMF side, because I can't get a logon/logoff report for any user.

    Could you please advise which SMF record I am missing to get this data?

    thanks



    ------------------------------
    Mohammed Ibrahem
    ------------------------------



  • 4.  RE: RACF applications Logon/Logoff report

    Posted Tue August 20, 2024 08:51 AM
    Edited by Tom Zeehandelaar Tue August 20, 2024 08:51 AM

    Hi Mohammed,

    when you generate the standard zSecure SMFSUBOP report, you can review which SMF records are actively logged on your SMF subsystem(s).

    Go to STATUS AUDITING, option AU.S:

                             zSecure Audit for RACF - Audit - Status             
    Command ===> ________________________________________________________________
                                                                                 
    Enter / to select report categories                                          
    /  MVS tables             MVS oriented tables (reads first part of CKFREEZE) 
    _  MVS extended           MVS oriented tables (reads whole CKFREEZE)         
    _  RACF control           RACF oriented tables                               
    _  RACF user              User oriented RACF tables and reports              
    _  RACF resource          Resource oriented RACF tables and reports          
                                                                                 
                                                                                 
                                                                                 
    Select options for reports:                                     Audit policy 
    /   Select specific reports from selected categories            1  1. zSecure
    _   Include audit concern overview in overall prio order           2. C1     
    _   Only show reports that may contain audit concerns              3. C2     
    __  Minimum audit priority for audit concerns (1-99)               4. B1     
    _   Show differences                                                         
    _   Print format              _  Concise (short) report                      
           Background run                                                        

    Select audit category "MVS tables", option "Select specific reports from selected categories", and press Enter:

                     zSecure Audit for RACF - Audit - Status MVS tables      
    Command ===> ____________________________________________________________
                                                                             
    Enter "/" to select report(s)                                            
    _  SYSTEM         - System settings and software levels                  
    _  IPLPARM        - Effective system IPL parameters                      
    /  SMFSUBOP       - SMF subsystem-dependent settings                     
    _  SUBSYS         - Subsystem Communication Vector Tables                
    _  VSM            - Virtual storage map                                  
    _  WRITABLE       - Globally Writable Common Storage                     
    _  MPFMSG         - Message Processing Facility message intercepts       
    _  JOBCLASS       - JES2 Job Class parameters (e.g. MVS command auth/BLP)
    _  CONSOLE        - Operator Consoles                                    
    _  PPT            - Program Properties Table                             
    _  SVC            - Supervisor Call Audit Display                        
    _  PC             - Program Call Audit Display                           
    _  TAPE           - Tape protection settings                             
    _  IOAPP          - Authorized I/O Appendage table                       
    _  IP             - TCP/IP reports                                       

    That generates a display/report of how your SMF subsystem(s) is(are) configured:

                     SMF subsystem-dependent settings       5 s elapsed, 0.2 s CPU
    Command ===> _________________________________________________ Scroll===> CSR 
                                                    19 Aug 2024 23:45             
       Complex  System   SMF subsystems Audit concerns Priority                   
       NMPIPL87 ZS14                  3              0                            
       Pri Subs Sup# Wri# Par# Ex# Det Interval Recording activity summary        
    __     JES2    3 2044    1   6 No  00:00:00 Suppress 19 92(10,11) 99 126      
    __     STC     3 2044    1   7 No  00:00:00 Suppress 19 92(10,11) 99 126      
    __     SYS     3 2044    1   9 No  00:00:00 Suppress 19 92(10,11) 99 126      
    ******************************* Bottom of Data *******************************

    You can zoom into the SMF subsystems with an '/' or 's':

                     SMF subsystem-dependent settings               Line 1 of 2441
    Command ===> _________________________________________________ Scroll===> CSR 
                                                    19 Aug 2024 23:45             
       Complex  System   SMF subsystems Audit concerns Priority                   
       NMPIPL87 ZS14                  3              0                            
       Pri Subs Sup# Wri# Par# Ex# Det Interval Recording activity summary        
           JES2    3 2044    1   6 No  00:00:00 Suppress 19 92(10,11) 99 126      
                                                                                  
      Exit     Address  Record     Act Record description                         
      IEFU86               0       Yes IPL                                        
      IEFU85               1       Yes                                            
      IEFU84               2       Yes Dump Header                                
      IEFU83               3       Yes Dump Trailer                               
      IEFACTRT             4       Yes Step Termination                           
      IEFUJI               5       Yes Job Termination                            
                           6       Yes Output Writer or PSF                       
                           7       Yes Data Lost                                  
                           8       Yes I/O Configuration                          
                           9       Yes VARY Device ONLINE                         
                          10       Yes Allocation Recovery                        
                          11       Yes VARY Device OFFLINE                        
                          12       Yes                                            
                          13       Yes                                            
                          14       Yes INPUT or RDBACK Data Set Activity     
    ..... snap ....     

    The "Act" column shows "Yes" when that SMF record type is logged and "No" when that record type is not logged but suppressed instead. The description in each report line shows what type of SMF record it corresponds to.

    Since I do not know how your .NET users authenticate to RACF as you mention, it is hard for me to guess what SMF record type that should write. Most likely, you need to verify whether SMF records for TSO (30-35 range) and RACF processing (80) are currently being logged. If that does not resolve your challenge, you might want to consult the application programmers and/or your systems programmers for more information about how the .NET users use RACF authentication. 



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 5.  RE: RACF applications Logon/Logoff report

    Posted Tue August 20, 2024 09:22 AM

    Thanks.

    I have checked the SMF and we collect most of the records.

    The problem is that even from option EV.U and

    Logon/logoff/job start/job end/authentication

    I cannot see any logoff and logon for any user, even a TSO user.

    When I tried to run the query in background to see the code, I got the below:

     n type=smf n=smfsel outlim=0                                           
    S,                                                                      
     ( (USERID=xyz OR RACFCMD_USER=xyz OR R_USER=xyz),                      
     (  ((EVENT=RACINIT(SUCCESS) OR TYPE=30(1) OR (TYPE=30(5) EXISTS(COMPCODE))) AND AUTHENTICATOR_USED=PASSWORD)))
     list type                                                              
      mergelist                                                             
     n type=smf tt="zSecure Admin+Audit for RACF user events",,             
        ,                                                                   
         st="SMF records for all users with logon successes with password"  
     s likelist=SMFSEL                                                      
     Sortlist datetime(nd) system(nd) smfdd(nd) recno(nd) userid(nd) datetime(19) system userid jobname terminal recorddesc

    endmerge 

    I am sure we collect SMF 30. Is there any configuration in RACF that may allow or prevent writing the logon/logoff records to SMF?



    ------------------------------
    Mohammed Ibrahem
    ------------------------------



  • 6.  RE: RACF applications Logon/Logoff report

    Posted Tue August 20, 2024 09:38 AM

    Hi Mohammed, 

    please note that your CARLa code contains outlim=0, which means that you do not want this CARLa program to produce any output!



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 7.  RE: RACF applications Logon/Logoff report

    Posted Tue August 20, 2024 09:54 AM

    I use the below options and it gives the result "NO thing selected".

    I even ran the report as a batch without outlim=0, but got an empty report.



    ------------------------------
    Mohammed Ibrahem
    ------------------------------



  • 8.  RE: RACF applications Logon/Logoff report

    Posted Tue August 20, 2024 10:05 AM

    That means that no user named XYZ has caused any logon/logoff events. You probably mean XYZ*



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 9.  RE: RACF applications Logon/Logoff report

    Posted Tue August 20, 2024 11:07 AM

    The outlim=0 parameter only applies to the SMFSEL newlist; the actual reporting newlist does not have an output limit.



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 10.  RE: RACF applications Logon/Logoff report

    Posted Tue August 20, 2024 11:04 AM

    First of all, you could look for any SMF record being generated for the user ID that is used in the .NET authentication.  And for simplicity, try an authentication with an ID that is not very active in other applications.

    Try an authentication with an incorrect password, and also one with a correct password.

    Then use EV.U, and print all events for the user ID from SMF (remember to select the right SMF data set input in SE.1).

    A normal authentication occurs with a RACROUTE REQ=VERIFY and this has an option LOG that controls SMF logging, with a default value LOG=ASIS. See manual. ASIS means only those requests to create an ACEE that fail generate RACF log records.

    There is another authentication service that zSecure Toolkit used to use, that only checks the combination of user ID and password, and does not create an ACEE.  This method also does not generate SMF, unless the password was wrong.  I do not remember off-hand how exactly this VERF service used to work (before we changed it to provide logging).

    All in all, you have to figure out how this .NET service authenticates, and then find the vendor documentation about logging.



    ------------------------------
    Rob van Hoboken
    ------------------------------
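
An independent cross-check of the points raised in posts 4 and 10, added here as an example (it is not from any poster and is not zSecure or CARLa code): this Python script walks a binary SMF extract, counts which record types are present, and lists the type 80 event 1 (RACINIT) qualifiers recorded for one user ID. It assumes an unspanned extract transferred in binary with the record descriptor words kept, and the standard header and type 80 field offsets; the user IDs, system name and helper names are constructed for the sample.

```python
import struct
from collections import Counter

EBCDIC = "cp037"  # assumption: IDs use characters common to EBCDIC code pages

def smf_records(buf):
    """Yield each record (RDW included) from a binary SMF extract.
    Assumes unspanned records that still carry their 4-byte RDW."""
    pos = 0
    while pos + 4 <= len(buf):
        (length,) = struct.unpack_from(">H", buf, pos)
        if length < 18 or pos + length > len(buf):
            raise ValueError(f"bad record length at offset {pos}")
        yield buf[pos:pos + length]
        pos += length

def tally(buf, userid):
    """Return (record types seen, type 80 event 1 qualifiers for userid)."""
    types, racinit = Counter(), Counter()
    for rec in smf_records(buf):
        rtype = rec[5]                      # record type byte
        if rtype == 30 and len(rec) >= 24:
            (subtype,) = struct.unpack_from(">H", rec, 22)
            types[f"30({subtype})"] += 1
        else:
            types[str(rtype)] += 1
        # Type 80: event code at offset 20, qualifier at 21, user ID at 22-29
        if rtype == 80 and len(rec) >= 30 and rec[20] == 1:
            if rec[22:30].decode(EBCDIC).rstrip() == userid.upper():
                racinit[rec[21]] += 1
    return types, racinit

def _rec(rtype, body):
    """Build one constructed record: RDW, 14-byte standard header, body."""
    hdr = (bytes([0x40, rtype]) + struct.pack(">I", 9 * 360000)
           + bytes.fromhex("0124233F") + "SYS1".encode(EBCDIC))
    return struct.pack(">HH", 4 + len(hdr) + len(body), 0) + hdr + body

def _t80(user, qualifier):
    return _rec(80, bytes([0, 0, 1, qualifier]) + user.ljust(8).encode(EBCDIC))

def _t30(subtype):
    return _rec(30, "TSO ".encode(EBCDIC) + struct.pack(">H", subtype))

# Constructed sample: DOTNET1 only ever shows a failure (qualifier 1),
# TSOUSR1 shows initiation (0), termination (8) and type 30 subtypes 1 and 5.
SAMPLE = b"".join([_t80("DOTNET1", 1), _t80("TSOUSR1", 0), _t30(1),
                   _t30(5), _t80("TSOUSR1", 8)])

if __name__ == "__main__":
    for uid in ("DOTNET1", "TSOUSR1"):
        types, racinit = tally(SAMPLE, uid)
        print(uid, dict(racinit), dict(types))
```

A user ID that shows only non-zero qualifiers after both a good and a bad password attempt matches the LOG=ASIS behaviour described in post 10, where successful verifications write no type 80 record.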