IBM Security Z Security

  • 1.  Alert 1205 and 1206

    Posted Wed October 04, 2023 11:57 AM

    Hello,

    In the 2 Alerts 1205 and 1206 (APF add/remove), we are trying to have the Console ID come out as an actual ID instead of a *ROUTE. Is there any way to have this changed? I tried to create my own alert with some different user fields to grab the userid, but it is always blank.

    Thank you in advance! 

    Joseph

    EX:

       Alert id        1205
       Date and time   08Sep2022 04:01:40.16
       Data set        EXAMPLE.XXXX.XXXX
       Volume          XXXXXX
       Console ID      *ROUTE
       System ID       MVGX


    ------------------------------
    Joseph Armas
    ------------------------------


  • 2.  RE: Alert 1205 and 1206

    Posted Thu October 05, 2023 03:29 AM

    Hello Joseph,

    The console ID of *ROUTExx is seen when the z/OS command is routed via sysplex routing using the RO command, for example: RO (PRD1,PRD2),SET PROG=P1

    Here are some options I can think of:

    1) Issue two separate MVS ROUTE commands, i.e. ROUTE PRD1, SET PROG=P1 and then ROUTE PRD2,SET PROG=P1 because then the console name in the CSV410I message would be the issuing userid and that will then be reported in the alert.

    2) Open an RFE/Idea against z/OS so that the console name written because of commands being routed via sysplex routing is not *ROUTExx but is the actual issuing userid of the original MVS ROUTE command.

    3) Create a custom alert which can indirectly report on the issuing userid by processing the RACF SMF record seen because of the access check for the OPERCMDS profile used when the MVS ROUTE command is issued, for example:

            SELECT LIKELIST=RECENT,
              EVENT=ACCESS DESCRIPTOR(SUCCESS),
              PROFILE='MVS.ROUTE.**',
              CLASS=OPERCMDS,
              LOGSTR=:'SET PROG'

    Regards, Mike



    ------------------------------
    Mike Riches
    ------------------------------



  • 3.  RE: Alert 1205 and 1206

    Posted Thu October 05, 2023 09:05 AM

    Hi Joseph,

    As an alternative, you could use predefined alerts 1217/1218. They are based on SMF record 90 subtype 37 instead of the CSV message for adding/deleting APF datasets. The userid is correctly displayed by these 2.

    cheers

    rene



    ------------------------------
    RENE van TIL
    ------------------------------



  • 4.  RE: Alert 1205 and 1206

    Posted Thu October 05, 2023 09:19 AM

    Hi Joseph,

    The CONSOLE variable used is defined in SCKRSLIB(C2PSGLOB). 
    The WTO (deftype) report type reports on the data being sent to the EMCS console.
    So this is simply the console name that is being passed by console services.
    So from that perspective--no, you cannot really change that; you would have to switch to some alternative way of alerting.

    Regards,



    ------------------------------
    Jeroen Tiggelman
    IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
    Delft
    ------------------------------