IBM Security Z Security

  • 1.  Command Auditing and CKGRACF Commands

    Posted Fri April 03, 2020 12:16 PM
    We are seeing instances where, when CKGRACF commands are used, the Command Audit Trail is not being updated.

    In zSecure, if I list a User ID, put a P beside the ID to perform a password change, fill in the appropriate fields and press Enter, I can choose Option 1 for the command to be executed as a RACF command or Option 2 for it to be executed as a CKGRACF command. If I choose CKGRACF, the command executes successfully, but the Command Audit Trail is not updated. If I choose RACF, the Command Audit Trail is updated.

    If I list a User ID and put a CO beside the ID to connect the ID to a group, I am given the same options to process the function as a RACF command or a CKGRACF command. In this case both the RACF and the CKGRACF command do update the audit trail.

    Did we miss setting up an option that audits all CKGRACF commands in the audit trail?

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Command Auditing and CKGRACF Commands

    Posted Mon April 06, 2020 03:40 AM
    Hello Linnea,
    I believe this technote may explain what you are seeing:
    https://www.ibm.com/support/pages/node/267027

    In summary, the Command Audit Trail information is only updated by Command Verifier when processing native RACF commands.

    ------------------------------
    Regards,
    Mike Riches
    ------------------------------



  • 3.  RE: Command Auditing and CKGRACF Commands

    IBM Champion
    Posted Mon April 06, 2020 04:12 AM
    Hi Linnea,
    As Mike points out, the Command Audit Trail (CAT) is maintained by Command Verifier under control of C4R.class.=CMDAUD profiles.  An ALTUSER or CONNECT command (even one that is pre-processed by CKGRACF) would get verified by Command Verifier and (possibly) logged in the CAT.  A CKGRACF USER xx PASSWORD command is not processed by Command Verifier, and consequently not logged in the CAT.

    More consistent logging is possible with Command Execution Log (CKXLOG), where the command execution module (CKX), CKGRACF, CKRCARLA and Command Verifier all write log records to the CKXLOG started task and from there to a log stream, under control of C4R.command.=CKXLOG and CKX.CKXLOG policy profiles.

    ------------------------------
    Rob van Hoboken
    ------------------------------