
List:       racf-l
Subject:    Re: How turn on SMF Event.Qualifier 1.0 Successful Logon?
From:       Charles Mills <charlesm () MCN ! ORG>
Date:       2016-05-10 13:09:31
Message-ID: 01dc01d1aabd$317a1400$946e3c00$ () mcn ! org

Thanks all!

I thought this might be more complicated than one parameter in a manual.

I have conveyed this information to the user and my interpretation of his
answer is that by "I always used to get .0's for TSO" what he really meant
was "I get .0's for other event types and I would really like to get them
for TSO logons."

Yes, FYI, I am real aware of the additional event 1 qualifiers and 44x
relocates for MFA. I implemented day one support in our product. <g>

Charles

-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of
Bruce Wells
Sent: Monday, May 09, 2016 10:13 AM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: How turn on SMF Event.Qualifier 1.0 Successful Logon?

Walt Farrell <walt.farrell@GMAIL.COM> wrote on 05/09/2016 06:19:20 AM:

> From: Walt Farrell <walt.farrell@GMAIL.COM>
> To: RACF-L@LISTSERV.UGA.EDU
> Date: 05/09/2016 06:21 AM
> Subject: Re: [RACF-L] How turn on SMF Event.Qualifier 1.0 Successful Logon?
> Sent by: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU>
> 
> On 5/8/2016 8:42 PM, Charles Mills wrote:
> > @Phil, thanks. What you say makes sense.
> >
> >> What application or applications are authenticating users for which no
> >> Successful Logon SMF records are being produced?
> >
> > TSO
> 
> For TSO logons, as well as batch jobs, the RACF Report Writer uses 
> either SMF type 20 or 30 records, and RACF SMF Unload uses SMF type 30 
> records. Those are all that will be produced, I believe, unless you 
> have specified SETR AUDIT(USER) and the user changes his password during 
> logon (or on the JOB statement).
> 

Just to round out this discussion, the Type 80 event 1 records, when
created, will certainly have more security-specific information in them. 

RACF overrides the application's specification of LOG= and always creates
Type 80 records when the REQUEST=VERIFY request is denied, and when it is
successful in the following situations:
- SETROPTS AUDIT(USER) is active and a user's password or password phrase is
changed
- authentication using a PassTicket
- authentication of an IBM Multi-Factor Authentication user using a
password, PassTicket, or password phrase.

The last one is obviously new. 

The Auditor's Guide did not list the success cases where it documents a list
of unconditionally audited events.  We've improved that within the MFA APAR
documentation:

ftp://public.dhe.ibm.com/eserver/zseries/zos/racf/pdf/oa48359.pdf

and the RACF publication will be updated moving forward.

While on the topic, note that the MFA APAR (OA48359) added additional
information to the Type 80 event 1 record, including the method of
authentication used.  See relocate section 443 in the linked documentation.
The extra information will start getting logged when the APAR is applied,
even if MFA is not used.