Hi Jack,
I tried Jeroen's suggestion and for me it works. What I usually do when I create alerts is first just try the CARLa itself from zSecure. Just type CARLA on the command line and paste the CARLa below. With SMF input containing an ALTUSER xxxx REVOKE command, and changing the default group in the CARLa to your liking, it should work.
n type=smf
select event=altuser RACFCMD_USER:dfltgrp=crm*
sortlist userid(p) / ,
RACFCMD_USER(p) / ,
RACFCMD_USER:dfltgrp(p) / ,
recorddesc(p) / / ,
racfcmd(p)
which results, for me, in:
S M F R E C O R D L I S T I N G 26Jul21 21:42 to 26Jul21 21:42
User
RACF userid/ACF2 logonid CRMBRT1
RACF command target user CRMBRT8
User's default group CRMB
Description of the record CRMBRT1 RACF ALTUSER success: ALTUSER CRMBRT8
RACF command ALTUSER
RACF command CRMBRT8
RACF command REVOKE
Cheers,
Rene
------------------------------
RENE van TIL
------------------------------
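Putting Jeroen's and Rene's pieces together, as an added example that is not from either post (and, like Jeroen's suggestion, untested): the event-qualifier and effective-keyword restrictions from alert 1105 are combined with the default-group filter, so only ALTUSER commands whose REVOKE actually took effect against a user with a default group starting CRM are selected. The CRM* prefix is assumed; replace it with your own group specification.

```carla
/* Added example, not from the original posts: restrict to ALTUSER  */
/* commands that completed (qualifier 0) or partially completed     */
/* (qualifier 2), where REVOKE was an effective keyword, and where  */
/* the target user's default group matches the assumed prefix CRM*  */
n type=smf
select event=altuser(0,2),
       racfcmd_keywords_eff=REVOKE,
       RACFCMD_USER:dfltgrp=CRM*
/* Same output layout as Rene's test query */
sortlist userid(p) / ,
         RACFCMD_USER(p) / ,
         RACFCMD_USER:dfltgrp(p) / ,
         recorddesc(p) / / ,
         racfcmd(p)
```

Run it the same way, against SMF input that contains an ALTUSER xxxx REVOKE, before wiring it into the alert definition, so a missing hit can be attributed to the selection rather than to the alert setup.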
Original Message:
Sent: Mon July 26, 2021 10:04 AM
From: Jack Zukt
Subject: zSecure Alerts - How to get an alert when a userid from a specific group get revoked
Hi Jeroen,
I finally had the opportunity to test your suggestion. Unfortunately, it seems that using the RACFCMD_USER:DFLTGRP does not work. The alert validation process runs without errors, but the REVOKE command is not intercepted. If I remove it, I will get an alert for any REVOKE that is issued; however, with it, it does not work.
Jack
Original Message:
Sent: 6/28/2021 4:11:00 AM
From: Jeroen Tiggelman
Subject: RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked
Hi Jack,
Alert 1105 (System authority granted) contains the following selection code (in SCKRSLIB(C2PS1105)):
select likelist=recent event=(adduser(0,2),altuser(0,2)),
racfcmd_keywords_eff=(SPECIAL,OPERATIONS,AUDITOR,ROAUDIT,CLAUTH)
This does a primary selection on particular EVENTs for the ADDUSER and ALTUSER (or ALU for short) commands that it limits to certain event qualifiers (0 and 2) for each of those events. Event qualifier 0 means that the issued command completed normally, qualifier 1 means there was a violation (so the requested update did not really happen) and qualifier 2 means that there were some issues with some of the keywords of the command, so it was not fully performed as requested (but a partial update might have been done, so the event could still be relevant). BTW, these event qualifiers can be found in a table in the RACF Macros and Interfaces book, chapter on SMF records, section for record type 80.
It furthermore restricts the selection to the cases where the effective keywords (meaning that there was no problem with them) included at least one of certain values that the alert is looking for.
So for starters I think you might use a selection on EVENT=ALTUSER(0,2) RACFCMD_KEYWORDS_EFF=REVOKE to find ALU REVOKEs that were actually applied to the RACF database.
That leaves the question of how to restrict it to user IDs with a specific default group.
The target user ID of the RACF command can be found in the RACFCMD_USER field.
So I think the restriction might be RACFCMD_USER:DFLTGRP=<group specification, which could be ABC*>
FTR, I did not test this.
I hope this helps.
------------------------------
Jeroen Tiggelman
Software Development and Level 3 Support Manager IBM Security zSecure Suite
IBM
Delft
Original Message:
Sent: Fri June 25, 2021 08:49 AM
From: Jack Zukt
Subject: zSecure Alerts - How to get an alert when a userid from a specific group get revoked
Hello all,
Is there a way to generate a zSecure Alert when a userid with a specific default group (or a default group beginning with the same letters) is REVOKED by an ALU RACF command?
Thanks in advance for any help that you can give me,
------------------------------
Regards
Jack Zukt
------------------------------