IBM Security Z Security

 View Only

 CKRCARLA not writing SMF Type 1154 record

SALLY KWOK's profile image
SALLY KWOK posted Fri October 25, 2024 09:21 AM

This is about z Security Compliance Centre v1.2

I am running the compliance evidence started task CKCS1154 to collect data on z/OS. 

I am testing it by simulating ENF86 signals, CKRCARLA fails to write the record

I have included SMF type 1154 into the recording logstream.

LSNAME(IFASMF.ZA31.SYSTEM,TYPE(0:99,103:127,1154)) -- PARMLIB 
RECORDING(LOGSTREAM) -- PARMLIB                         

Can someone advice what could be missing here. Thank you.

From the CKCS1154 log:

CKC0100I z/OS Compliance Integration Manager task started                   
CKC0153I Previous execution detected                                        
CKC0197I z/OS Compliance Integration Manager 3.1.0 initialization successful
CKC0202I Received command DIAGNOSE ENF86                                    
CKC0183I Simulate ENF86 event for request CKCS1154SIMEVENT                  
CKC0144W Return code 0004 from CKFCOLL , see CKCDEBUG                       
CKC0144W Return code 0016 from CKRCARLA, see CKCDEBUG                       
CKC0139I Finished writing SMF 1154 records  

From CKCDEBUG:                               

CKR3226 16 SMFEWTM failed RC=36: SMF type not recorded for system SMF      at CKRCARLA(CKCC1154) line 28
CKR3226 16 SMFEWTM failed RC=36: SMF type not recorded for smfopt SMFSUBS  at CKRCARLA(CKCC1154) line 29
CKR3226 16 SMFEWTM failed RC=36: SMF type not recorded for console CONSOLE  at CKRCARLA(CKCC1154) line 30
CKR3226 16 SMFEWTM failed RC=36: SMF type not recorded for ssh_daemon SSHD     at CKRCARLA(CKCC1154) line 26
CKR3226 16 SMFEWTM failed RC=36: SMF type not recorded for ip_inetd INETD    at CKRCARLA(CKCC1154) line 27

Tom Zeehandelaar's profile image
Tom Zeehandelaar posted Fri October 25, 2024 10:53 AM
Report that shows the configuration of an SMF subsystem on a z/OS system.

Hi Sally, 

Which SMF record types are written or suppressed is configured by your systems programmer(s) in the SMF subsystem configuration. The CKR3226 seems to indicate that your SMF subsystem does not record SMF record type 1154 at all. 
zSecure Audit supports a report SMFSUBOP that shows which SMF record types are actively written. It requires a recent CKFREEZE data set of your target system. 
Use option AU.S, for Audit Status, and select the category MVS tables and for convenience, also tag option "Select specific reports from selected categories". On the next panel that shows the MVS table reports, select report SMFSUBOP and press Enter.

Zoom in to your define SMF subsystems with action command "S". Scroll down, or execute a find 1154 command:

Check that on your system the 1154 SMF record types and subtypes are indeed recorded for your SMF subsystems.