Global Security Forum

  • 1.  ZALERT

    Posted Fri August 02, 2024 05:19 PM

    Hi, how can I create an alert under ZALERT that reads and verifies the logon of a series of users defined in a RACF group? I can't with any of the alerts available on ZALERT. Thanks for your collaboration, Maurizio



    ------------------------------
    maurizio bonelli
    ------------------------------


  • 2.  RE: ZALERT

    IBM Champion
    Posted Mon August 05, 2024 03:27 AM
    Edited by Rob van Hoboken Mon August 05, 2024 03:41 AM

    Hi Maurizio,

    There is a forum specifically for security on Z, including zSecure here.

    The easiest way to create a new alert is to find a similar alert, copy the alert definition with a C line command, and edit the alert skeleton from the SE.A.A dialog.

    Alerting on the use of a specific user ID is done with alert 1102.
    This uses a panel to query the user IDs, and fills those users into a select statement with

    USER=(,
    id,
    id,
    )

    If you modify the skeleton to reference field USER_GROUPS, it allows you to select events based on the groups that the user is connected to, e.g.

    USER_GROUPS=(,
    SYS*,
    DBA,
    DBMAINT,
    )

    You could reuse the ISPF panel from alert 1101 to fill in the group names from the dialog.

    Also, if you only wanted to monitor a small number of groups (in a BIG RACF database), you could use the PRIV_USER_GROUPS field, and specifically define the groups to be monitored using the SIMULATE PRIV_USER_GROUPS command.

    ------------------------------
    Rob van Hoboken
    ------------------------------
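    The two selection styles contrasted in the reply above, USER=(id, ...) on the event's user ID versus USER_GROUPS=(group, ...) on the groups the user is connected to, modelled as an added Python illustration. This is not zSecure or CARLa code and not the author's; the user IDs, group names and events are constructed, the trailing-asterisk mask semantics (SYS* matching SYS1 and SYSPROG) and the join of each event to a user-to-groups table are assumptions made for the illustration.

```python
# Added illustration, not zSecure or CARLa code. Models the selection logic
# from the reply above: USER=(...) selects on the user ID of the event,
# USER_GROUPS=(...) selects on the groups the user is connected to.
# All user IDs, group names and events below are constructed sample data.

from typing import Dict, Iterable, List, Optional, Tuple

# Constructed stand-in for RACF connect information (user -> groups).
# Assumption: the alert engine resolves a user's group connections from the
# RACF database and joins them to each logon/logoff event it examines.
RACF_CONNECTS: Dict[str, Tuple[str, ...]] = {
    "IBMUSER":  ("SYS1",),
    "MAURO01":  ("AUDITADM", "USERS"),
    "DBA007":   ("DBA", "PROD"),
    "JDOE":     ("USERS",),
    "SYSPROG1": ("SYSPROG", "USERS"),
}

# Constructed logon/logoff events: the fields a formatted SMF logon record
# would contribute to the selection (user ID, event type, outcome).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"user": "IBMUSER",  "event": "LOGON",  "result": "SUCCESS"},
    {"user": "MAURO01",  "event": "LOGON",  "result": "SUCCESS"},
    {"user": "DBA007",   "event": "LOGOFF", "result": "SUCCESS"},
    {"user": "JDOE",     "event": "LOGON",  "result": "FAILURE"},
    {"user": "SYSPROG1", "event": "LOGON",  "result": "SUCCESS"},
    {"user": "NOBODY",   "event": "LOGON",  "result": "FAILURE"},  # no RACF connects
]


def matches_mask(name: str, mask: str) -> bool:
    """Match a name against a list entry such as DBA or SYS*.
    Assumption: a trailing '*' stands for any suffix (SYS* matches SYS1 and
    SYSPROG); without it the entry must match exactly. Comparison is done
    upper-cased, as RACF stores names in upper case."""
    name, mask = name.upper(), mask.upper()
    if mask.endswith("*"):
        return name.startswith(mask[:-1])
    return name == mask


def in_list(name: str, entries: Iterable[str]) -> bool:
    """True if the name matches any entry of a USER=/USER_GROUPS= style list."""
    return any(matches_mask(name, m) for m in entries)


def select_events(events: Iterable[Dict[str, str]], *,
                  user: Optional[Iterable[str]] = None,
                  user_groups: Optional[Iterable[str]] = None) -> List[str]:
    """Return the user IDs of the events that pass the selection.
    user        -> like USER=(id, id, ...): the event's own user ID is checked.
    user_groups -> like USER_GROUPS=(group, SYS*, ...): passes when ANY group
                   the user is connected to matches ANY entry in the list.
    A user with no connect entry (unknown to RACF) matches no group list."""
    user = tuple(user) if user is not None else None
    user_groups = tuple(user_groups) if user_groups is not None else None
    selected: List[str] = []
    for ev in events:
        uid = ev["user"]
        if user is not None and not in_list(uid, user):
            continue
        if user_groups is not None:
            groups = RACF_CONNECTS.get(uid, ())
            if not any(in_list(g, user_groups) for g in groups):
                continue
        selected.append(uid)
    return selected


if __name__ == "__main__":
    print("USER=(MAURO01, JDOE):",
          select_events(SAMPLE_EVENTS, user=("MAURO01", "JDOE")))
    print("USER_GROUPS=(SYS*, DBA, DBMAINT):",
          select_events(SAMPLE_EVENTS, user_groups=("SYS*", "DBA", "DBMAINT")))
    print("USER_GROUPS=(AUDITADM):",
          select_events(SAMPLE_EVENTS, user_groups=("AUDITADM",)))
```

    The last call is the shape of the original question: selecting logon and logoff events only for the accounts connected to one group, without listing the user IDs in the panel, so that a user added to the group later is picked up without editing the alert.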



  • 3.  RE: ZALERT

    Posted Mon August 05, 2024 03:59 AM

    Hi Rob van Hoboken, first of all thanks for the answer. I want to read a RACF (auditadm) group where there are accounts inside. The Logon or Logoff alert, I want them only on those accounts inside the group. How do I modify the panel and the skeleton? Thanks, and sorry again


  • 4.  RE: ZALERT

    IBM Champion
    Posted Mon August 05, 2024 04:12 AM
    Edited by Rob van Hoboken Mon August 05, 2024 04:15 AM

    No problem, a question not asked is an opportunity lost ;-)

    You copy an alert by using the C line command in the SE.A.A alert selection list.  See alert manual.  Next you select "View/edit alert skeleton" to edit the skeleton.

    For more details about the alert skeleton see here.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: ZALERT

    Posted Mon August 05, 2024 04:24 AM

    You are absolutely right. Thank you for your kindness and time. Best regards


  • 6.  RE: ZALERT

    Posted Mon August 05, 2024 05:44 AM

    Hi Rob van Hoboken, sorry again, because alert 1701 doesn't work for me. I did what is written in the manual ("To receive this alert, you must have SETROPTS setting SAUDIT, AUDIT(USER), or AUDIT(GROUP) enabled"), but it doesn't work for me. I'm really hopeless. Only when you have time, please answer me. By Maurizio


  • 7.  RE: ZALERT

    IBM Champion
    Posted Mon August 05, 2024 08:32 AM
    Edited by Rob van Hoboken Mon August 05, 2024 08:32 AM

    Alert 1701 should react when a CONNECT command is issued with a group name that is in the list of important groups.

    First you should verify if an SMF record was generated for the CONNECT command.  You could use EV.G to process the SMF records from your system.

    If you find the SMF record, you have to check if the alert was correctly configured, and active at the time when the CONNECT command was issued.

    ------------------------------
    Rob van Hoboken
    ------------------------------