Original Message:
Sent: Wed July 05, 2023 03:51 PM
From: Jeroen Tiggelman
Subject: z/Alert: New alert during ALTUSER NOMFA
Hi Konstantinos,
The sections are headed by )CM name.
The "CM" actually stands for "comment", which allows a text to follow that has no influence on the generated CARLa.
By contrast, "IM" is "imbed".
So ")IM C2PSGNEW" means: at this point, imbed the contents of SCKRSLIB(C2PSGNEW). This generates the NEWLIST statement.
So the section you are actually in is ")CM Alert condition", where you essentially write the SELECT statement that determines when you want to send an alert.
As Rob explained ")SEL condition" specifies a condition under which the next section should be expanded. (SEL means "select", but on the level of generating the query, not on the level of the condition being used in the query.)
The )SELs usually go together with the )CMs, where the comment tells you what pass or function follows, and the )SEL specifies the actual condition that is tested to see whether that code must be expanded now.
)CM Pass one query
)SEL &C2PEPASS = Y
)ENDSEL
The Environment pass for this alert: not needed.
)CM Alert condition
)SEL &C2PEPASS = N
)IM C2PSGNEW
select,
event=ALTUSER racfcmd_keywords=(PASSWORD,PHRASE,OIDCARD),
descriptor<>(violation) likelist=recent ,
racfcmd_user:protected racfcmd_user:ljtime<>'FFFFFFFF'x
The alert condition: select SMF records for ALTUSER that contain one of the listed keywords, that are not a violation (so succeeded) from the current interval (usu. the last minute), where the target user has the PROTECTED attribute, etc.
This NEWLIST and SELECT should be followed by a SORTLIST to specify the requested output. This depends on the output format.
)CM EMAIL sortlist
)SEL &C2PERCTP = MAIL
This heads the e-mail format.
)CM Cellphone sortlist
)SEL &C2PERCTP = CELL
sortlist,
recno(nd),
)IM C2PSFMSG
)ENDSEL
This specifies that the text message format is just according to what you put in the identification section. The imbedded C2PSFMSG formats that information according to the current output format.
I hope this helps,
------------------------------
Jeroen Tiggelman
IBM - Software Development and Level 3 Support Manager IBM Security zSecure Suite
Delft
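An added illustration, not part of the original thread and not IBM code: a small Python model of how the )CM, )IM and )SEL/)ENDSEL statements described above decide which CARLa lines are generated for a given pass and output format. The skeleton is assembled from the fragments quoted in the message; nesting the sortlist sections inside the &C2PEPASS = N section, the placeholder imbed contents and the restriction to "&VAR = VALUE" conditions are assumptions.

```python
# Simplified model of the ISPF skeleton control statements from the thread:
# )CM comment, )IM imbed, )SEL/)ENDSEL conditional. Only "&VAR = VALUE" is modelled.
# Constructed sample assembled from the fragments quoted in the thread.
SKELETON = """\
)CM Pass one query
)SEL &C2PEPASS = Y
)ENDSEL
)CM Alert condition
)SEL &C2PEPASS = N
)IM C2PSGNEW
select,
event=ALTUSER racfcmd_keywords=(PASSWORD,PHRASE,OIDCARD),
descriptor<>(violation) likelist=recent ,
racfcmd_user:protected racfcmd_user:ljtime<>'FFFFFFFF'x
)CM EMAIL sortlist
)SEL &C2PERCTP = MAIL
<e-mail sortlist, not shown in the thread>
)ENDSEL
)CM Cellphone sortlist
)SEL &C2PERCTP = CELL
sortlist,
recno(nd),
)IM C2PSFMSG
)ENDSEL
)ENDSEL
"""
# Placeholders: the real member contents are not part of the thread.
MEMBERS = {"C2PSGNEW": ["<contents of SCKRSLIB(C2PSGNEW)>"],
           "C2PSFMSG": ["<contents of SCKRSLIB(C2PSFMSG)>"]}

def expand(lines, variables, members=MEMBERS):
    out, stack = [], []  # stack holds one bool per open )SEL
    for line in lines:
        word = line.split()[0] if line.strip() else ""
        if word == ")SEL":
            _, name, op, value = line.split(None, 3)
            if op != "=":
                raise ValueError(f"unsupported condition: {line}")
            stack.append(variables.get(name.lstrip("&")) == value.strip())
        elif word == ")ENDSEL":
            stack.pop()
        elif word == ")IM" and all(stack):  # imbed only inside active sections
            out.extend(expand(members[line.split()[1]], variables, members))
        elif word != ")CM" and all(stack):  # )CM lines never reach the output
            out.append(line)
    if stack:
        raise ValueError("missing )ENDSEL")
    return out
```

Calling `expand(SKELETON.splitlines(), {"C2PEPASS": "N", "C2PERCTP": "CELL"})` returns the lines that would be generated for the text message format; with `C2PEPASS` set to `Y` nothing is generated, matching "The Environment pass for this alert: not needed."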
Original Message:
Sent: Wed July 05, 2023 08:51 AM
From: Konstantinos Zafiropoulos
Subject: z/Alert: New alert during ALTUSER NOMFA
Dear Tom,
On predefined alert 1121 for Protected status removed there is )SEL &C2PEPASS. What is the equivalent of MFA attribute removed )SEL? In addition,
what are the required changes on the following IM section:
)IM C2PSGNEW
select,
event=ALTUSER racfcmd_keywords=(PASSWORD,PHRASE,OIDCARD),
descriptor<>(violation) likelist=recent ,
racfcmd_user:protected racfcmd_user:ljtime<>'FFFFFFFF'x
Is there any document other than the 'z/Secure alert user reference Manual' or 'CARLa command reference' on building custom user alerts?
Some guidance would be very helpful.
Kind regards
Konstantinos
------------------------------
Konstantinos Zafiropoulos
Original Message:
Sent: Mon June 26, 2023 06:39 AM
From: Konstantinos Zafiropoulos
Subject: z/Alert: New alert during ALTUSER NOMFA
Dear Tom,
Thank you for the response, I'll give it a try as per your recommendation, following the sample alert id 1121.
Kind regards
Konstantinos
------------------------------
Konstantinos Zafiropoulos
Original Message:
Sent: Tue June 20, 2023 11:09 AM
From: Tom Zeehandelaar
Subject: z/Alert: New alert during ALTUSER NOMFA
Hi Konstantinos,
When your SMF subsystem logs all user profile changes in RACF, as activated by SETROPTS AUDIT(USER) settings to log all USER profile changes (or the use of the SPECIAL attribute), an ALTUSER NOMFA command must result in cutting an SMF record for this RACF command.
Then, you can build a custom Alert that triggers a User Alert message when a successful ALTUSER NOMFA command occurs. However, currently our standard zSecure Alert user interface does not support such an alert out-of-the-box. Thus, momentarily, you will have to build a custom alert for this yourself.
Perhaps you can review User Alert ID 1121 (Protected status removed) for inspiration on how to build it yourself.
Alternatively, you can open an enhancement request to add a standard Alert for the successful removal of MFA credentials.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
Original Message:
Sent: Tue June 20, 2023 09:21 AM
From: Konstantinos Zafiropoulos
Subject: z/Alert: New alert during ALTUSER NOMFA
Dear All,
There is a request to generate a real time notification during Multifactor Authentication deletion (altuser nomfa). Can this notification be produced through z/Alert?
Kind regards
Konstantinos
------------------------------
Konstantinos Zafiropoulos