  • 1.  Reporting on Failed/Unsuccessful RACF commands with SMF data

    Posted Fri October 07, 2022 01:59 PM
    I am being requested to create a report that would show failed RACF commands, whether they have failed via a syntax/typo in the command or because Command Verifier failed the command.

    Since SELECT EVENTS=ALLCMDS(ALLOWED) worked for selecting successful commands, I assumed SELECT EVENTS=ALLCMDS DESC=VIOLATION would work for unsuccessful commands. But that does not seem to be the case. I went to IN.D to look at the SMF data for anything related to my UserID. I see the successful commands, but I do not see the unsuccessful ones. For example, ALTUSER PWSYN01 ORAUDIT (trying to simulate someone mistyping a command). I tried doing a group connect I know Command Verifier would block, but I see nothing on the command failure. I do see an event=access pointing to the Command Verifier profile.

    It does seem that you can report on failed RACF commands via Command Logger, and it seems you can report on failed CKGRACF Commands in SMF.

    Are failed RACF Commands recorded in SMF? How do I select them?



    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Reporting on Failed/Unsuccessful RACF commands with SMF data

    IBM Champion
    Posted Mon October 10, 2022 02:56 AM
    Edited by Rob van Hoboken Mon October 10, 2022 03:12 AM

    Command Verifier decides on validity of RACF commands by checking C4R profiles.  If access to specific C4R profiles fails, the RACF command will be rejected.  Command Verifier never fires up the actual RACF command for rejected commands, so you will not get an ALLCMDS event in SMF.

    To see the rejected RACF commands, list resource access violations on XFACILIT C4R profiles.  This flags the keyword that failed the command.  The command may be found in the LOGSTR field.  This analysis is illustrated in Chapter 4, section "Regular access recording through SMF" of the manual.

    I understand you would have expected a normal command event record in SMF, indicating a "failed by envelope exit" status, but that is not within scope of command envelope processing.  You would have to file an enhancement request.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: Reporting on Failed/Unsuccessful RACF commands with SMF data

    Posted Thu October 13, 2022 09:31 AM
    I understand that anything failed by Command Verifier could be reported by looking at violations on C4R profiles. But what about RACF commands that failed but were not failed by Command Verifier? For example, an administrator with Group Special trying to modify an ID outside their scope, or an administrator trying to issue a RACF command with improper syntax.

    Sorry, I am being asked about ways to report on RACF commands that were submitted but were not processed for whatever reason.

    ------------------------------
    Linnea Sullivan
    ------------------------------



  • 4.  RE: Reporting on Failed/Unsuccessful RACF commands with SMF data

    IBM Champion
    Posted Thu October 13, 2022 10:07 AM
    Edited by Rob van Hoboken Thu October 13, 2022 10:07 AM
    You could try whether SELECT EVENT=ALLCMDS(FAILURE) works better than SELECT EVENT=ALLCMDS DESC=FAILURE, but if there are no SMF records to be found at all, the issue is elsewhere. Have you checked that SETROPTS CMDVIOL was specified (NOCMDVIOL would not log incorrect commands)?

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 5.  RE: Reporting on Failed/Unsuccessful RACF commands with SMF data

    Posted Thu October 13, 2022 01:30 PM
    SETROPTS CMDVIO is on.
    Will do some testing with EVENT=ALLCMDS(FAILURE)

    ------------------------------
    Linnea Sullivan
    ------------------------------