IBM Security Z Security


Command Logger and RRSF Propagation

  • 1.  Command Logger and RRSF Propagation

    Posted Fri July 08, 2022 12:17 PM
    We have a requirement to produce a list of RACF changes on a daily basis. So we are using SMF data and Command Logger data to accomplish that task. The only reason for the command logger data is that our administrators are supposedly entering in ticket and description information.

    Since our environment has a number of LPARs, we capture all the RACF changes from all the LPARs and merge them into one report. With SMF I can look at CMCSRC and exclude commands that were executed due to RRSF propagation. However, my change file still has lots of duplicate records due to Command Logger. Is there a field on the command logger record that tells me that command was not entered locally, but was processed on that LPAR due to RRSF propagation?

    See, I need to collect the data from every system, because of the chance an administrator issued a command with ONLYAT. When I go to zSecure IN.D I do not think I see data in the record that indicates the command was propagated from another system.

    Is there a way to determine if the command was issued locally or was propagated?

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Command Logger and RRSF Propagation

    IBM Champion
    Posted Sun July 10, 2022 08:16 AM
    CKXLOG fields ORIGIN_NODE and ORIGIN_USER were meant to indicate inbound RRSF commands, same as those fields in the CMDSRC (SMF) fields.  Then again, they are also set for CKNSERVE propagated commands.
    RRSF inbound commands are executed in the RACF address space, whereas CKNSERVE (or whatever you renamed the STC to) runs the CKNSERVE propagation, so you could look at the JOBNAME field to discern these.

    ------------------------------
    Rob van Hoboken
    ------------------------------
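
The distinction described in the reply above, as an added example that is not part of either post and is not zSecure code: it classifies merged command-logger records by ORIGIN_NODE, ORIGIN_USER and JOBNAME. The dict layout, the SYSTEM and COMMAND keys, the sample records and the started-task names `RACF` and `CKNSERVE` are assumptions to adjust per site.

```python
# Field names ORIGIN_NODE, ORIGIN_USER and JOBNAME come from the thread.
# Everything else (record layout, STC names, sample data) is assumed.
RACF_JOBNAMES = {"RACF"}          # RACF subsystem address space name (assumed)
CKNSERVE_JOBNAMES = {"CKNSERVE"}  # change if the CKNSERVE STC was renamed


def classify(rec):
    """Return 'local', 'rrsf_inbound', 'cknserve' or 'unclassified'."""
    origin = ((rec.get("ORIGIN_NODE") or "").strip()
              or (rec.get("ORIGIN_USER") or "").strip())
    if not origin:
        return "local"            # no origin fields set: entered on this LPAR
    job = (rec.get("JOBNAME") or "").strip().upper()
    if job in RACF_JOBNAMES:
        return "rrsf_inbound"     # executed in the RACF address space
    if job in CKNSERVE_JOBNAMES:
        return "cknserve"         # propagated by CKNSERVE
    return "unclassified"         # origin set, job name not recognised


def build_report(records):
    """Split records into (report, review, dropped).

    Propagated copies are dropped as duplicates. Records that cannot be
    classified are held for review rather than silently discarded, so the
    daily change list never loses a command without someone seeing it.
    """
    report, review, dropped = [], [], []
    for rec in records:
        kind = classify(rec)
        target = {"local": report, "unclassified": review}.get(kind, dropped)
        target.append(rec)
    return report, review, dropped


# Constructed sample: one command entered on LPARA and its copies elsewhere.
CMD = "ALTUSER USR001 RESUME"
SAMPLE = [
    {"SYSTEM": "LPARA", "JOBNAME": "ADMIN1", "ORIGIN_NODE": "",
     "ORIGIN_USER": "", "COMMAND": CMD},
    {"SYSTEM": "LPARB", "JOBNAME": "RACF", "ORIGIN_NODE": "NODEA",
     "ORIGIN_USER": "ADMIN1", "COMMAND": CMD},
    {"SYSTEM": "LPARC", "JOBNAME": "CKNSERVE", "ORIGIN_NODE": "NODEA",
     "ORIGIN_USER": "ADMIN1", "COMMAND": CMD},
    {"SYSTEM": "LPARB", "JOBNAME": "BATCH01", "ORIGIN_NODE": "NODEA",
     "ORIGIN_USER": "ADMIN1", "COMMAND": CMD},
]
```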