IBM Security Z Security

  • 1.  ZSECURE Alert for zsecure visual client operations

    Posted Fri January 14, 2022 07:36 AM
    Hi,
    I want to create a zSecure alert when a user is resumed or revoked, has a password reset, or is connected to a group. These actions are done from the zSecure Visual client.
    I wrote this CARLa code:

    s (APPL=CNGRACF OR LOGSTR=:CNGRACF OR APPL=CKGRACF OR LOGSTR=:CKGRACF)

    This brings me all the commands issued, and in the sortlist I put recorddesc so I can see the issued command.
    I want one alert for each command, for example an alert for resume only, so how can I select only the resume command?
    Also, in the alert notification mail, how can I include the user who was resumed and his name?


    Thanks

    ------------------------------
    Mohammed Ibrahem
    ------------------------------


  • 2.  RE: ZSECURE Alert for zsecure visual client operations

    IBM Champion
    Posted Mon January 17, 2022 04:47 AM
    Edited by Rob van Hoboken Mon January 17, 2022 04:47 AM
    The CKGRACF command is logged in field LOGSTR, so you have to adjust your CARLa SELECT command to find the actions you want to notify on.  For example, a RESUME action would be captured by

    S EVENT=GENERAL AND LOGSTR=:"CKGRACF USER" AND LOGSTR=:" RESUME" AND NOT(LOGSTR=:" PWSET")

    A password reset might be

    S EVENT=GENERAL AND LOGSTR=:"CKGRACF USER" AND LOGSTR=:" PWSET"

    You would find the user ID by doing

    define target_user(8,"Userid") as parse(logstr,"CKGRACF USER "," ")

    although you could verify on your system if CLASS and PROFILE happen to contain anything useful.  You could test alert functionality in a CARLa program like so:

    newlist type=smf
      define target_user(8,"Userid") as parse(logstr,"CKGRACF USER "," ")
      S EVENT=GENERAL AND LOGSTR=:"CKGRACF USER" AND LOGSTR=:" RESUME" AND NOT(LOGSTR=:" PWSET")
      sortlist date(7) time(4) desc userid class profile(8) target_user logstr

    The select variant "APPL=CKGRACF" finds XFACILIT resource access checks issued from CKGRACF, to verify authority of the issuer, for actions where the command is not in LOGSTR.  Since you're interested in commands only, you can focus on the LOGSTR=:CKGRACF variants.

    NB. I typed this from memory and have not tested for syntax or other mistakes.  Caveat emptor.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: ZSECURE Alert for zsecure visual client operations

    Posted Mon January 17, 2022 09:05 AM
    Thanks for your reply, it was so helpful.

    ------------------------------
    Mohammed Ibrahem
    ------------------------------



  • 4.  RE: ZSECURE Alert for zsecure visual client operations

    IBM Champion
    Posted Mon January 17, 2022 09:22 AM
    Edited by Rob van Hoboken Tue January 18, 2022 05:21 AM
    If you are on a recent PTF level of zSecure, check Chapter 4 of the Alert User Guide for the C2PCTEST procedure.  This is used to test alert configurations from an SMF input data set, so you can see the effect of changes to alert skeletons and parameters, in a batch job using historic SMF events.

    ------------------------------
    Rob van Hoboken
    ------------------------------