IBM Security Z Security

 View Only
  • 1.  Zsecure Visual client Admin CKGRACF commands

    Posted Sun November 20, 2022 04:32 AM
    Hi
    I ran daily report to find the commands issued by RACF admin

    N TYPE=SMF NOPAGE
    DEF TYPE=SMF COMTYPE(CHAR,12) AS WORD(LOGSTR,4,' ')
    S (APPL=CNGRACF OR LOGSTR=:CNGRACF OR APPL=CKGRACF OR LOGSTR=:CKGRACF),
    date=today type=(80,81,83)
    X (LOGSTR=:"CKGRACF CMD" OR LOGSTR=:"CKGRACF SHOW" OR
    LOGSTR=:"CKGRACF LIST")
    sortlist date(7) time(5) user("Admin_ID") USER:NAME("ADMIN_NAME",20),
    racfcmd_user(8,"User") racfcmd_user:NAME("USER_NAME",20),
    COMTYPE('COMTYPE',12) appl,
    LOGSTR('COMMAND',hor,wrap,0)

    i can see from report we i use zsecure visual client options 1- SET Password or RESUME for users the report shows as the command issued 2 times 
    the below report come from only one run of set password option in GUI

    CKGRACF USER xyz PWSET PASSWORD(********) EXPIRED REQUEST
    CKGRACF USER xyz RESUME REQUEST
    CKGRACF USER xyz PWSET PASSWORD(********) EXPIRED REQUEST
    CKGRACF USER xyz RESUME REQUEST

    same happen if you use from TSO EV.2
    CKGRACF zSecure Admin CKGRACF commands report

    would you please adivse about this and why this happen?

    Thanks
    Mohammed Ibrahem

    ------------------------------
    Mohammed Ibrahem
    ------------------------------


  • 2.  RE: Zsecure Visual client Admin CKGRACF commands

    Posted Tue November 22, 2022 06:14 AM
    Edited by RENE van TIL Tue November 22, 2022 06:14 AM
    Hi mohammed,

    i tried to recreate this but for me it works. No duplicate records. My best guess is that your input does contain those records twice. 

    using this CARLa query

    n type=smf
    s type=(80,81,83) user=....
    display recno datetime recorddesc

    i expect to see the same record description  twice but with different record numbers

    cheers

    rene







    ------------------------------
    RENE van TIL
    ------------------------------



  • 3.  RE: Zsecure Visual client Admin CKGRACF commands

    Posted Tue November 22, 2022 10:04 AM
    Hi Mohammed,  I would add the system field to see where those records are coming from and extend the width of the time field
    eg sortlist date(7) time(12) system user("Admin_ID")  . . . . 

    I am wondering if by chance that is being propagated somewhere else, and you have combined/merged SMF data.  Are you propagating "application"  updates via RRSF by chance ? 

    Like Rene, I am wondering if this is the same record being processed twice or two separately audited records, ie two separate events.


    ------------------------------
    Simon Dodge
    ------------------------------



  • 4.  RE: Zsecure Visual client Admin CKGRACF commands

    Posted Wed November 23, 2022 01:41 AM
    Thanks all for your replies
    i did password rest and choose also resume  from visual client only one time
    i use only active SMF , but it seems as it issue the command 2 times and in second time it give violation for rest password command because of password history.
    I ran the query and I got the below result


    Sys RecNo Date/time Description
    MYsystem 9721 23Nov2022 09:08:48.15 RACF CKG success for Admin_ID: logstr=CKGRACF SHOW MYACCESS NOTERM
    MYsystem 9827 23Nov2022 09:09:08.48 RACF CKG success for Admin_ID: logstr=CKGRACF LIST USER Admin_ID TAG
    MYsystem 9926 23Nov2022 09:09:34.51 RACF CKG success for Admin_ID: logstr=CKGRACF SHOW MYACCESS
    MYsystem 10106 23Nov2022 09:11:59.14 RACF CKG success for Admin_ID: logstr=CKGRACF USER Test_user PWSET PASSWORD(********) EXPIRED REQUEST
    MYsystem 10107 23Nov2022 09:11:59.14 RACF CKG success for Admin_ID: logstr=CKGRACF USER Test_user RESUME REQUEST
    MYsystem 10108 23Nov2022 09:11:59.15 RACF CKG success for Admin_ID: logstr=CKGRACF LIST USER Test_user TAG
    MYsystem 10117 23Nov2022 09:11:59.58 RACF CKG violation for Admin_ID: logstr=CKGRACF USER Test_user PWSET PASSWORD(********) EXPIRED REQUEST
    MYsystem 10118 23Nov2022 09:11:59.58 RACF CKG success for Admin_ID: logstr=CKGRACF USER Test_user RESUME REQUEST
    MYsystem 10119 23Nov2022 09:11:59.59 RACF CKG success for Admin_ID: logstr=CKGRACF LIST USER Test_user TAG

    ------------------------------
    Mohammed Ibrahem
    ------------------------------



  • 5.  RE: Zsecure Visual client Admin CKGRACF commands

    Posted Wed November 23, 2022 08:27 AM
    Hi mohammed,

    that shed some more light on the issue. So the 2nd SMF record is caused by issuing the same command but that now fails because of password history. And i could recreate this problem. No idea where that 2nd command is coming from :(

    As this looks like a real defect in the visual client, can you please open a defect ?

    cheers

    rene

    ------------------------------
    RENE van TIL
    ------------------------------



  • 6.  RE: Zsecure Visual client Admin CKGRACF commands

    Posted Sun November 27, 2022 03:28 AM
    Hi All
    Thanks for all your replies
    i have opened case with IBM and they confirmed the issue 

    "

    regarding duplicate CKGRACF USER PWSET commands when using the zSecure Visual client function Set Password.

    I have recreated this issue also with zSecure 2.5.0 (you reported that you see this with zSecure 2.4.0), and I have opened an internal ticket with zSecure L3/Dev to pursue this further.

    I note that the duplicate CKGRACF USER PWSET commands are seen whether you select "Also resume" or not. When "Also resume" is not selected,"



    ------------------------------
    Mohammed Ibrahem
    ------------------------------