IBM Security Z Security

  • 1.  Access Monitor filtering out records as result of LOG=NONE

    InnerCircle
    Posted Fri September 10, 2021 12:36 PM
    There are a number of software products that make calls to the ESM to predetermine a user's access (i.e. for the purposes of building a menu). Typically these calls use LOG=NONE so that no access violation messages appear in your system log / SMF. However, Access Monitor does report on these calls to RACF. Is there a way to filter out those records on my select / exclude statements?

    I know the data for Access Monitor should not be used in the place of SMF reporting, but I am being asked to look historically at our users and what type of access violations they have received. I really don't want to report on these access failures that are not typically logged anyway.

    I am aware that some of these calls are flagged as 'Retrieval of Access Allowed' and I can filter them out, but there are some made by SDSF, NDM, and others that I would like to filter out since they appear to be made via LOG=NONE.

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Access Monitor filtering out records as result of LOG=NONE

    Posted Mon September 13, 2021 03:53 AM
    Edited by Rob van Hoboken Mon September 13, 2021 03:55 AM
    Linnea
    If you know of classes that are used by applications, and they clutter your reports, you could just exclude those classes entirely (or for specific resources using masks), by adding

    exclude class=xxxx resource=(aa.bb, aa.cc, bb.**)

    If you happen to have an indicator in your current RACF database, stored in profiles that you would want to omit from reports, you could use the SIM_PROFILE capability and implicit lookup in ACCESS newlists to retrieve this indicator, and use it to exclude ACCESS events that would have been covered by the profile. 

    Note:
    One of the SIM_ fields must be referenced in the SORTLIST command.
    CSDATA fields are not supported.

    For example, if you tag these profiles with string LOG=NONE in the installation data field, you could use this as a filter using

    exclude :instdata=:"LOG=NONE"c

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: Access Monitor filtering out records as result of LOG=NONE

    InnerCircle
    Posted Tue September 14, 2021 05:25 PM
    Thanks for the suggestions. I was hoping that there was some flag/indicator in the Access Monitor data that I could use that indicated the RACROUTE was a LOG=NONE. Similar to the way you can filter out RETALL.


    ------------------------------
    Linnea Sullivan
    ------------------------------



  • 4.  RE: Access Monitor filtering out records as result of LOG=NONE

    Posted Mon September 27, 2021 08:55 AM

    Hi,

    I agree with Rob. And I'm afraid that the only real solution is through the RFE route. The LOG status is currently not recorded. It would involve a new bit in the Access record itself. To economize on the number of extra bits, we would probably combine NOFAIL, NONE, and NOSTAT into a single bit.



    ------------------------------
    Guus Bonnes
    ------------------------------