IBM Security Z Security

  • 1.  zSecure alert for signon with password

    IBM Champion
    Posted Fri February 25, 2022 03:27 AM
    Hi,
    We use passtickets for signon to TSO and these can be found in SMF using event=racinit(32). However, we would like to have an alert in the event of someone signing on using a password instead of a passticket. We can't find a field to test. Has anyone done this please?

    Thanks.

    ------------------------------
    Anji Stephens
    ------------------------------


  • 2.  RE: zSecure alert for signon with password

    IBM Champion
    Posted Fri February 25, 2022 06:33 AM
    Edited by Rob van Hoboken Fri February 25, 2022 06:44 AM
    TSO explicitly suppresses RACINIT logging for normal TSO logon, so you will find no EVENT=RACINIT for a logon, unless there is an exception for the logon, such as changing password, user having UAUDIT, or interesting authentication.  zSecure and other SMF-based reporting has to use SMF 30 to keep track of those unremarkable logon events, so zSecure creates a simulated fake RACINIT event when an SMF 30 subtype 1 or 5 is found (see the CARLa manual for SMF field EVENT).

    However, Access Monitor can also be used to feed zSecure Alert; look at alert 1122 for inspiration.  This alert uses the TYPE=VERIFY record, and one of its fields contains the verification method:

    REQ_VERIFY_METHOD
    This field shows what method was used to authenticate the user. Possible values for this field are:
    Omitted, None, Password, Passphrase, Passticket, Started, and MultiFactor. For many
    verify events, the identity of an existing user is propagated to a new environment. Examples are batch
    jobs and commands issued through SDSF. In those situations, the REQ_VERIFY_METHOD field shows
    the value None. The width of the field is 12 characters.

    ------------------------------
    Rob van Hoboken
    ------------------------------
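As an added illustration of the detection rule Rob describes (this is example code written for this page, not zSecure or CARLa code and not from the thread), the following Python filters constructed verify-style records on a REQ_VERIFY_METHOD-like field: a TSO signon whose method is Password or Passphrase is flagged, Passticket and Started are accepted, and None is skipped because the thread documents it as propagated identity rather than a fresh authentication. The fixed-width record layout (user, application, method) and the application field are assumptions; only the 12-character width and the method values come from the documentation quoted above.

```python
from dataclasses import dataclass
from typing import List

# Method values documented for REQ_VERIFY_METHOD in the thread.
ALERT_METHODS = {"Password", "Passphrase"}   # credential typed by a human
PROPAGATED = {"None"}                        # identity propagated (batch, SDSF); no fresh authentication

# Assumed layout for the constructed sample records (not the real Access Monitor layout):
#   columns 0-7  user id, columns 8-15 application, columns 16-27 REQ_VERIFY_METHOD (12 wide)
USER_SLICE = slice(0, 8)
APPL_SLICE = slice(8, 16)
METHOD_SLICE = slice(16, 28)


@dataclass
class VerifyEvent:
    user: str
    application: str   # assumed field, e.g. "TSO" or "BATCH"
    method: str        # REQ_VERIFY_METHOD value


def parse_record(line: str) -> VerifyEvent:
    """Split one fixed-width record into its fields, stripping the blank padding."""
    return VerifyEvent(
        user=line[USER_SLICE].rstrip(),
        application=line[APPL_SLICE].rstrip(),
        method=line[METHOD_SLICE].rstrip(),
    )


def should_alert(event: VerifyEvent) -> bool:
    """True when a TSO signon used a password-type credential instead of a passticket."""
    if event.application != "TSO":
        return False                       # the question is only about TSO signon
    if event.method in PROPAGATED:
        return False                       # propagated identity, nothing was typed
    return event.method in ALERT_METHODS   # Passticket, Started, etc. fall through as allowed


def find_password_signons(lines: List[str]) -> List[str]:
    """Return the user ids of every record that warrants an alert, in input order."""
    return [ev.user for ev in map(parse_record, lines) if should_alert(ev)]


# Constructed sample records in the assumed layout.
SAMPLE_RECORDS = [
    "ANJI    TSO     Passticket  ",   # expected: allowed
    "ROB     TSO     Password    ",   # expected: alert
    "BATCHUSRBATCH   None        ",   # expected: propagated identity, ignored
    "OPER1   TSO     Passphrase  ",   # expected: alert
    "STCTASK TSO     Started     ",   # expected: allowed
]

if __name__ == "__main__":
    for user in find_password_signons(SAMPLE_RECORDS):
        print(f"ALERT: {user} signed on to TSO with a password-type credential")
```

The same rule expressed in a real zSecure Alert definition would test the REQ_VERIFY_METHOD field of the TYPE=VERIFY record for the value Password (and Passphrase if those are also unwanted), with None excluded so that batch jobs and SDSF commands do not raise false alerts.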


  • 3.  RE: zSecure alert for signon with password

    IBM Champion
    Posted Fri February 25, 2022 09:31 AM
    Thank you Rob. We haven't used EventsToAlerts so far. Is there much of an overhead?

    ------------------------------
    Anji Stephens
    ------------------------------