IBM Security Z Security

 View Only
  • 1.  RACF Events - Warnings

    Posted Wed December 08, 2021 03:32 PM
    I have recently put a lot of dataset rules in Warning mode as the updated DISA STIG's are requiring more dataset rules to not have UACC=READ. I have run the listing under EVents > Warnings, and the output only shows that there was a Warning messages, the UserID and the dataset name. There are some other fields, but not really useful for my needs. I need to know what the attempted access was, that generated the Warning - READ, Update or ALTER. I feel certain that information is in the SMF record, I just don't know what would need to be added to the Carla statement to get it to show for each record shown.

    Larry Barnett

  • 2.  RE: RACF Events - Warnings

    Posted Wed December 08, 2021 04:31 PM
    Hi Larry,

    Yes, the output in print format for that report is pretty basic (it imbeds SCKRCARL member CKALFDES); there is a lot more detail when you generate an interactive report (which imbeds SCKRCARL member CKADFDRA, which is pretty extensive).

    I think you are looking for the INTENT field.

     000313        / / 'Event identification'(ch),                                  
     000314          / eventdesc(p,0,wordwrap,noretain),                            
     000315          / eventqual(p,0),                                              
     000316          / descriptor(p,0,explode,hor,et),                              
     000317          / reason(p,0,explode,hor,et),                                  
     000318          / racfauth(p,0,explode,hor,et),                                
     000319          / intent(p),                                                   
     000320          / access(p),                                                   
     000321          / logstr(p,0,wordwrap,et,noretain),                                                    ​


    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite