[prev in list] [next in list] [prev in thread] [next in thread] 

List:       racf-l
Subject:    Re: Password alter record
From:       "VANDER WOUDE, PETER I" <pwoude () HARRISTEETER ! COM>
Date:       2023-04-10 15:10:22
Message-ID: BLAPR15MB4020599286ED8AD796E43735AD959 () BLAPR15MB4020 ! namprd15 ! prod ! outlook ! com
[Download RAW message or body]

RACFICE does have a report, that will list out all of the commands done 

Regards,
Peter 



In theory, there's no difference between theory and practice. In practice, there is.

Worry more about your character than your reputation.   Character is what you are, \
reputation merely what others think you are. - John Wooden

If you don't have time to do it right, when will you have the time to do it over? - \
John Wooden


-----Original Message-----
From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On Behalf Of Gibney, Dave
Sent: Monday, April 10, 2023 3:09 AM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: Password alter record

CAUTION: This email originated from outside the organization. Do not click links or \
open attachments unless you recognize the sender and know the content is safe.

I haven't looked lately. I would expect one or more of the RACFICE (DFSORT ICETOOLS \
for RACF) would come close

> -----Original Message-----
> From: RACF Discussion List <RACF-L@LISTSERV.UGA.EDU> On Behalf Of 
> Bogdan Belciu
> Sent: Sunday, April 9, 2023 10:06 PM
> To: RACF-L@LISTSERV.UGA.EDU
> Subject: Re: Password alter record
> 
> [EXTERNAL EMAIL]
> 
> Hi,
> 
> It's not that simple as someone pass you a sample of JCL.
> 
> And to answer straight.
> Yes, the password can be changed by the user itself if it is logonable 
> or by someone issuing ALTUSER xxxx PASSWORD () command.
> Finding the command will tell you who changed it, the record contains 
> who issued it.
> You would extract all records for the time interval when you think it 
> occured and then find yourself what happened using the timestamps of 
> each record.
> A prerequisite for the records to exist it is to have SAUDIT turned on 
> in RACF and you need AUDITOR privilege to check it. (Setr list 
> command) As for extracting SMF, it would be 10 times easier if you 
> have ZSecure installed there.
> 
> Cu stimă/Best regards,
> Bogdan Belciu
> 
> On Mon, 10 Apr 2023, 05:22 Jake Anderson, <justmainframes@gmail.com>
> wrote:
> 
> > Any sample JCL which helps here to get a list of changes to a user 
> > id by whom ?
> > 
> > On Mon, Apr 10, 2023, 4:26 AM Charles Mills <charlesm@mcn.org> wrote:
> > 
> > > The SMF record says who (well, what userid, actually) made the change.
> > > 
> > > Keeping a database or generating a report organized in some 
> > > particular
> > way
> > > other than chronologically would be up to the installation.
> > > 
> > > 22 16 SMF80USR 8 EBCDIC Identifier of the user associated with 
> > > this event (jobname is used if the user is not defined to RACF).
> > > 
> > > That would be who made the change.
> > > 
> > > Event code 13 is ALTUSER.
> > > 
> > > "Relocate section 6" contains the affected userid and a bit flag 
> > > to indicate if PASSWORD was specified.
> > > 
> > > Charles
> > > 
> > > 
> > > -----Original Message-----
> > > From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On
> Behalf Of
> > > robhbridges@GMAIL.COM
> > > Sent: Sunday, April 9, 2023 12:32 PM
> > > To: RACF-L@LISTSERV.UGA.EDU
> > > Subject: Re: Password alter record
> > > 
> > > But I'm missing the important part of the answer to his question:  
> > > Does the SMF record say WHO changed a password?  You say you can 
> > > see
> every
> > > command issued by a particular admin, but can you work it the 
> > > other way
> > and
> > > see who altered a particular user ID?  I know TSS does keeps a 
> > > record of such things, and I imagine RACF does too but I'm rusty in RACF.
> > > 
> > 


[prev in list] [next in list] [prev in thread] [next in thread]