IBM Security Z Security


Violation summary report

Joseph Sumi posted Tue February 04, 2025 03:59 PM

Hello - I'm trying to produce a 1-line summary violation report (with the count at the end). The following CARLA below works but I can't add RESOURCE or PROFILE on the SUMMARY line. If I add RESOURCE on the SUMMARY line, I get error - "CKR0505 12 Compound summary key at level 1 cannot contain repeat group". If I add a SORTLIST RESOURCE after SELECT, it works BUT the RESOURCE is shown on the next line.

Is there a way to accomplish what I am looking for on 1 line which includes the resource and profile? Thanks.

NEWLIST TYPE=SMF                                                      
SELECT  DESC=(VIOLATION) type=(80,81,83) (EVENT=ACCESS(FAILURE))      
SUMMARY  USER  NAME  CLASS  SYSTEM  DATE(10) INTENT  ACCESS  JOBNAME  

Output without resource/profile :

SUMI     SUMI,JOSEPH J        FACILITY SYS1 03Feb2025  READ    NONE    SUMI            7 

USER1   TEST, USER                FACILITY SYS2 03Feb2025  READ    NONE    USER1         5  

Jeroen Tiggelman (Best Answer)

Hi Joe,

If the first values in RESOURCE and PROFILE are sufficient for what you are trying to achieve, you can use the FIRSTONLY modifier on the fields to discard the secondary values.

If you do need them, you can use a SORTLIST to write the output to a file to use as input for a second pass (with NOPAGE to just get the data, and RETAIN to repeat the non-repeated fields).
The second pass would use DEFTYPE and just summarize the values that are the same.

Regards,
Jeroen

Joseph Sumi

Thank you Jeroen!!!!! It worked exactly as I was hoping for!!!!

NEWLIST TYPE=SMF                                                      
SELECT  DESC=(VIOLATION) type=(80,81,83) (EVENT=ACCESS(FAILURE))      
SUMMARY  USER  NAME  CLASS  SYSTEM  DATE(10) INTENT  ACCESS  JOBNAME  PROFILE(FIRSTONLY) RESOURCE(FIRSTONLY)

Joseph Sumi

Hello Jeroen, I ran into a snag. I added TIME(5) ..... I want the summary based on the hour:minute, not hour:minute:seconds, etc.

I thought TIME(5) would do it but the SUMMARY must be looking at the full timestamp because the violations within the same minute are not summarized. I tried different things with datetime and a define but no luck. Is there a way to add TIME and only consider the hour/minute?

thanks.

Jeroen Tiggelman

Hi Joe,

As to your follow-up question, this is exactly a difference between the two methods I described.

If you write out the original data and read it back in as DEFTYPE, the second pass uses the values as printed [and by default treats everything as ASIS, which is similar to CHAR] as opposed to the original internal values.

Regards,

Jeroen

Rob van Hoboken IBM Champion

The TIME field in CARLa is derived from the SMFxxTME, the 4 byte binary number of 1/100 seconds (csec) since midnight, at offset 6 in each SMF record.  CARLa does not have a field that contains seconds, minutes or hours, and there is no CONVERT( ) function to calculate these.

However, you could define a field across the first 2 bytes of the SMFxxTME, ignoring the last 16 bits.  This would count the 256*256/100 = 655 seconds since midnight, or close to 11 minutes.  If you add this defined field in a summary, you would get counts with an 11 minute granularity.

But you also want to see the time stamp of the beginning of the interval, or close to the beginning.  If you simply add TIME in the SUMMARY command, you will get 1 line for each time value, ignoring the 11 minute interval.  If you change TIME into a statistic of the interval by using TIME(MIN) in the summary command, or the DEFINE equivalent, only the lowest value in the interval is shown.

You could try

NEWLIST TYPE=SMF
define eleven_minutes(dec) as smf_field(6,2)

define first_time min(time)

  SELECT  DESC=(VIOLATION) type=(80,81,83) (EVENT=ACCESS(FAILURE))      
  SUMMARY  USER  NAME  CLASS  SYSTEM  DATE(10) eleven_minutes(nd) first_time(5) INTENT  ACCESS  JOBNAME  PROFILE RESOURCE(FIRSTONLY)

Note: I have not tested this code.

Joseph Sumi

Thanks both of you !

Rob, a consolidation at 11 minutes is a better solution than the 1 minute consolidation for us. I tweaked what you provided and added the COUNT field since I was not seeing that anymore. I also needed to add FIRSTONLY to profile. I did a bunch of testing with sample violations close in time and the report looks really good. Thanks!!!

NEWLIST TYPE=SMF                                                      
define ten_minutes(dec) as smf_field(6,2)                             
define first_time min(time)                                           
SELECT  DESC=(VIOLATION) type=(80,81,83) (EVENT=ACCESS(FAILURE))      
SUMMARY  USER  NAME  CLASS  SYSTEM  DATE(10) ,                        
ten_minutes(nd) first_time(5,'Time') ,                                
resource(firstonly) profile(firstonly) count                          

Joseph Sumi

Hello Rob, would there be an explanation for this? While the totals add up correctly, I see some summary lines within 5 minutes and within 6 minutes of each other for the same violation and was expecting the 10/11. I'm ok with that but wondering why.... thanks.

05:20 XDE0.WISV.PTSFRAMB   XDE0.WISV.**   38       
05:31 XDE0.WISV.PTSFRAMB   XDE0.WISV.**   34       
05:44 XDE0.WISV.PTSFRAMB   XDE0.WISV.**   26       
05:49 XDE0.WISV.PTSFRAMB   XDE0.WISV.**   44       
10:31 XDE0.WISV.PTSFRAMB   XDE0.WISV.**    6       
10:37 XDE0.WISV.PTSFRAMB   XDE0.WISV.**    2       
10:50 XDE0.WISV.PTSFRAMB   XDE0.WISV.**   14
11:11 XDE0.WISV.PTSFRAMB   XDE0.WISV.**    4 
11:27 XDE0.WISV.PTSFRAMB   XDE0.WISV.**    2 
11:37 XDE0.WISV.PTSFRAMB   XDE0.WISV.**   30   


Rob van Hoboken IBM Champion

The MIN(TIME) statistic calculates the earliest time stamp (for the given user ID, date, profile and resource) of the selected events that it found in the 11 minute interval.  If there are no failures in the interval, there is no MIN(TIME), of course.  If the (one single) failure occurred towards the end of the interval, hey, that determines the time value you will see, not the start of the interval.

So it looks like your intervals start at 05:20, 05:31, 05:42, 05:49, etc., but in the 3rd interval, there was nothing much happening with the user ID until 05:44.
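The two explanations above (the 2-byte SMFxxTME prefix giving roughly 11-minute buckets, and MIN(TIME) showing the earliest event in a bucket rather than the bucket start) can be checked outside CARLa. The following Python is an added illustration, not code from the thread or from zSecure: it builds the 4-byte centiseconds-since-midnight value for a few constructed violation events, takes the first two bytes the way the DEFINE ... AS SMF_FIELD(6,2) does, groups by that bucket, and reports the earliest time and a count per group. The user, resource and profile names and all event times are constructed.

```python
"""Added example (not from the thread): model the 11-minute SMF time bucket and
the MIN(TIME)-per-bucket behaviour of the CARLa SUMMARY discussed above."""
from collections import defaultdict

# The top 16 bits of SMFxxTME step in units of 65536 csec = 655.36 s (~11 min).
BUCKET_WIDTH_CSEC = 256 * 256


def smf_time_bytes(hh, mm, ss=0, cs=0):
    """Build the 4-byte big-endian SMFxxTME value (1/100 s since midnight)."""
    csec = ((hh * 60 + mm) * 60 + ss) * 100 + cs
    return csec.to_bytes(4, "big")


def eleven_minute_bucket(tme):
    """Equivalent of DEFINE ... AS SMF_FIELD(6,2): the first two bytes of the field."""
    return int.from_bytes(tme[:2], "big")


def _hhmm_from_csec(csec):
    secs = csec // 100
    return f"{secs // 3600:02d}:{(secs % 3600) // 60:02d}"


def bucket_start_hhmm(bucket):
    """Clock time at which a bucket begins; MIN(TIME) can only be at or after this."""
    return _hhmm_from_csec(bucket * BUCKET_WIDTH_CSEC)


def fmt_hhmm(tme):
    """Render a 4-byte SMFxxTME value as hh:mm, like TIME(5) in the report."""
    return _hhmm_from_csec(int.from_bytes(tme, "big"))


def summarize(events):
    """Mirror SUMMARY user resource profile eleven_minutes first_time(5) COUNT:
    one row per (user, resource, profile, bucket) with the earliest time and a count."""
    groups = defaultdict(list)
    for user, resource, profile, tme in events:
        groups[(user, resource, profile, eleven_minute_bucket(tme))].append(tme)
    rows = []
    for (user, resource, profile, bucket), times in sorted(groups.items()):
        rows.append({
            "user": user, "resource": resource, "profile": profile,
            "bucket": bucket,
            "bucket_start": bucket_start_hhmm(bucket),
            "first_time": fmt_hhmm(min(times)),  # fixed-width big-endian bytes compare numerically
            "count": len(times),
        })
    return rows


# Constructed access failures for one hypothetical user/resource/profile.
# 05:49:00 and 05:49:35 straddle a bucket boundary, so they land on separate lines.
SAMPLE_EVENTS = [
    ("USERA", "SYS.TEST.DATA", "SYS.TEST.*", smf_time_bytes(5, 20, 0)),
    ("USERA", "SYS.TEST.DATA", "SYS.TEST.*", smf_time_bytes(5, 24, 10)),
    ("USERA", "SYS.TEST.DATA", "SYS.TEST.*", smf_time_bytes(5, 31, 0)),
    ("USERA", "SYS.TEST.DATA", "SYS.TEST.*", smf_time_bytes(5, 44, 0)),
    ("USERA", "SYS.TEST.DATA", "SYS.TEST.*", smf_time_bytes(5, 49, 0)),
    ("USERA", "SYS.TEST.DATA", "SYS.TEST.*", smf_time_bytes(5, 49, 35)),
]

if __name__ == "__main__":
    for r in summarize(SAMPLE_EVENTS):
        print(f"bucket {r['bucket']} starts {r['bucket_start']}  "
              f"first {r['first_time']}  {r['resource']:15} {r['profile']:12} {r['count']:3}")
```

Running it shows four lines whose first_time values are 05:20, 05:31, 05:44 and 05:49 while the bucket starts are 05:16, 05:27, 05:38 and 05:49: the printed time is simply the earliest failure inside each 655.36-second window, which is why consecutive report lines can sit 5 or 6 minutes apart even though the grouping itself is about 11 minutes wide.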

Joseph Sumi

Thanks !!! This report exceeds expectations and is perfect for us. thanks!