Hi Jyri,
I cannot see anything wrong in your CARLa code to report successful SERVAUTH resource access events that were allowed by the UACC setting at the time of the event.
Running some experiments with both option AM.9.4 and the CARLa that you included on one of our development systems appears to produce consistent results for me.
On what grounds do you conclude that the reports do not include all UACC exploiters in the CICS and SERVAUTH classes?
And a second question is, can you verify whether the historic UACC setting of the concerning CICS and SERVAUTH resources as stored in the ACCESS record differs from the UACC setting in the RACF input source (active primary, unload, copy) that you are using, that might explain the missing entries that you expected to be reported?
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
Delft
+31643351728
------------------------------
Original Message:
Sent: Mon December 13, 2021 05:50 AM
From: Jyri Tamminen
Subject: Access Monitor and UACC cleanup
Hi,
I'm trying to get rid of UACC permissions.
While doing analysis using either AM.9.4 or following carla, The result will not include all UACC exploiters, specially in CICS and SERVAUTH classes.
Any suggestions how to get more precise results?
newlist type=ACCESS nopage nodup retainselect class=SERVAUTH sim_via=UACC,rectype=(auth,fast) access_result=("00"x)sortlist sim_profile userid userid:dfltgrp intentsummary sim_profile
------------------------------
Jyri Tamminen
------------------------------