ACFRPTDA - MLS DIRAUTH Event Log

Describes the ACFRPTDA MLS DIRAUTH event log report generator.
The ACFRPTDA report generator uses the SMF records that CA ACF2 writes for recovery purposes to produce a report of MLS DIRAUTH event loggings. These SMF records are cut for one of two reasons. The first is that the DIRAUTH call could not be performed successfully, either because invalid parameters were passed on the call or because the call did not supply enough information to validate the access properly; in this case access may still be permitted, depending on the MLS mode that has been set. The second is that the DIRAUTH call was processed completely, but mandatory access control validation denied the access.
Checking Authorization
ACFRPTDA does not perform any authorization checking itself. However, when MLS is active, and the SMF data is classified with a security label (SYSHIGH is recommended), mandatory access control checking is done to validate a user's access to the SMF data.
ISPF Panel Descriptions
You can run the ACFRPTDA report from the ACFRPTDA - MLS Dirauth Event Log ISPF Panel. The following parameters can be found on the ACFRPTDA ISPF panel.
  • INCLUDE SECLABELS
    Specifies the security labels (SECLABELs) for which you would like to see the MLS DIRAUTH event loggings that have been collected. You may specify up to ten SECLABELs. Once you have entered a SECLABEL on each available line in the panel, press ENTER; a message indicates how many SECLABELs have been entered so far, and a new blank list is displayed so that you can continue entering up to ten SECLABELs.
  • EXCLUDE SECLABELS
    Specifies the SECLABELs you would like to exclude from the MLS DIRAUTH event loggings that have been collected. You may specify up to ten SECLABELs. Once you have entered a SECLABEL on each available line in the panel, press ENTER; a message indicates how many SECLABELs have been entered so far, and a new blank list is displayed so that you can continue entering up to ten SECLABELs.
  • TIME
    Specifies the format of the timestamp in the report: M (the default) displays HH.MM, S displays HH.MM.SS and H displays HH.MM.SS.TH.
  • LOGSTREAM
    Indicates whether the SMF data is to be retrieved from a LOGSTREAM. This parameter is available on z/OS 1.9 and higher, when the SMF data is being captured in a LOGR (System Logger) logstream structure. When Y is specified, the ACFRPTAL panel is displayed so that you can supply the logstream-specific parameters.
Running the Report Using JCL
This ACFRPTDA report uses standard ACF2 report JCL like the following for batch submission:
//ACFRPTDA JOB 1,'MLS DIRAUTH RPT',MSGCLASS=A,TYPRUN=HOLD
//*
//REPORT   EXEC PGM=ACFRPTDA,PARM='TITLE(MLS DIRAUTH EVENTS)'
//*
//SYSPRINT DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//RECMAN1  DD DSN=SYS1.MAN1,DISP=SHR
//SYSIN    DD DUMMY
//
JCL Parameters
The ACFRPTDA report uses standard CA ACF2 report JCL for batch submission. The following parameters are specific to ACFRPTDA.
  • INCLUDE(seclabel1,seclabel2)
    Specifies multiple SECLABELs for which you would like to see MLS DIRAUTH event loggings which have been collected. You may specify up to ten SECLABELs.
  • EXCLUDE(seclabel1,seclabel2)
    Specifies multiple SECLABELs which you would like to exclude from MLS DIRAUTH event loggings which have been collected. You may specify up to ten SECLABELs.
  • DETAIL(Y|N)
    The DETAIL option defaults to N. When DETAIL is set to Y, a hexadecimal dump of the ACEE, UTOKEN and RTOKEN associated with the DIRAUTH call is also provided with each record displayed in the output.
Common Parameters
The ACFRPTDA report also accepts the following parameters, which are common to the CA ACF2 report generators.
  • LINECNT
  • TITLE
  • FORMAT
  • JOBMASK
  • SDATE
  • STIME
  • EDATE
  • ETIME
  • SYSID
  • SELECT
  • COND
  • TIME
Sample Output
The following ACFRPTDA report output shows the logging of MLS DIRAUTH events:
08/08/06 06.220 7.28                        - DIRAUTH REPORT -                                                        PAGE 1
DATE             TIME         JOBNAME  SYSID  CPU   LOGONID  USER      RSRC      CLASS    TYPE  ACC  SAF  RACF  RACF
                                                             SECLABEL  SECLABEL                       RC   RC    RSN   RETURN/REASON CODE EXPLANATION
12/13/05 05.347  14.21.04.70  MLSUSER  SYS9   SYS9  MLSUSER  SYSLOW    SYSHIGH   DATASET  MAC   R    8    8     0     Not authorized, user SECLABEL doesn't dominate RTOKEN SECLABEL
12/14/05 05.348  15.27.36.85  MLSUSER  YMDA   SYS9  *NONE*                                MAC   R    4    12    0     No decision made, neither RTOKEN or resource SECLABEL specified
12/14/05 05.348  17.17.15.63  MLSUSER  YMDA   SYS9  *NONE*                                MAC   R    4    12    0     No decision made, neither RTOKEN or resource SECLABEL specified
12/14/05 05.348  17.29.12.42  MLSUSER  YMDA   SYS9  *NONE*                                MAC   R    4    12    0     No decision made, neither RTOKEN or resource SECLABEL specified
In the example above, output was generated without the detail option set.
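As an added example (not part of the ACFRPTDA product or its documentation), the following Python post-processes the printed detail lines of the report off-host: it parses each line into the report's columns, classifies the record by the SAF and RACF return codes as the sample output shows them (SAF RC 8 for a MAC denial, SAF RC 4 with RACF RC 12 for "no decision made"), and emulates the INCLUDE/EXCLUDE SECLABEL selection including its ten-label limit. The sample lines are constructed from the output above; whitespace-tolerant parsing, treating a record's labels as its user and resource SECLABELs for INCLUDE/EXCLUDE matching, and the outcome names are assumptions of the example.

```python
"""Parse ACFRPTDA detail lines and summarise MLS DIRAUTH outcomes (added example)."""
import re
from collections import Counter

# Constructed sample: two detail lines modelled on the page's sample output.
SAMPLE_REPORT = """\
12/13/05 05.347 14.21.04.70 MLSUSER SYS9 SYS9 MLSUSER SYSLOW SYSHIGH DATASET MAC R 8 8 0 Not authorized, user SECLABEL doesn't dominate RTOKEN SECLABEL
12/14/05 05.348 15.27.36.85 MLSUSER YMDA SYS9 *NONE* MAC R 4 12 0 No decision made, neither RTOKEN or resource SECLABEL specified
"""

# USER SECLABEL, RSRC SECLABEL and CLASS are blank on "no decision" lines in the
# sample, so that column group is optional (assumption: all three or none).
DETAIL_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d)\s+(?P<julian>\d\d\.\d{3})\s+(?P<time>[\d.]+)\s+"
    r"(?P<jobname>\S+)\s+(?P<sysid>\S+)\s+(?P<cpu>\S+)\s+(?P<logonid>\S+)\s+"
    r"(?:(?P<user_lbl>\S+)\s+(?P<rsrc_lbl>\S+)\s+(?P<class>\S+)\s+)?"
    r"(?P<type>MAC|EMAC|RMAC)\s+(?P<acc>RW|R|W)\s+"
    r"(?P<saf_rc>\d+)\s+(?P<racf_rc>\d+)\s+(?P<rsn>\d+)\s+(?P<explanation>.*)$"
)

MAX_SECLABELS = 10  # INCLUDE/EXCLUDE accept at most ten SECLABELs


def classify(saf_rc, racf_rc):
    """Map return codes to the two reasons the page gives for cutting the record."""
    if saf_rc == 8:
        return "DENIED"        # MAC validation refused the access
    if saf_rc == 4 and racf_rc == 12:
        return "NO_DECISION"   # bad/insufficient parameters; access may still be allowed
    return "OTHER"


def parse_report(text):
    """Return one dict per detail line; titles, headers and page breaks are skipped."""
    records = []
    for line in text.splitlines():
        m = DETAIL_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for k in ("saf_rc", "racf_rc", "rsn"):
            rec[k] = int(rec[k])
        rec["outcome"] = classify(rec["saf_rc"], rec["racf_rc"])
        records.append(rec)
    return records


def select(records, include=(), exclude=()):
    """Emulate INCLUDE/EXCLUDE; a record's labels are its user and resource SECLABELs (assumption)."""
    include, exclude = set(include), set(exclude)
    if len(include) > MAX_SECLABELS or len(exclude) > MAX_SECLABELS:
        raise ValueError(f"at most {MAX_SECLABELS} SECLABELs may be specified")
    out = []
    for r in records:
        labels = {r["user_lbl"], r["rsrc_lbl"]} - {None}
        if include and not (labels & include):
            continue
        if labels & exclude:
            continue
        out.append(r)
    return out


def summarize(records):
    """Count outcomes per (LOGONID, USER SECLABEL, RSRC SECLABEL)."""
    return Counter((r["logonid"], r["user_lbl"], r["rsrc_lbl"], r["outcome"])
                   for r in records)


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for key, n in summarize(recs).items():
        print(n, key)
    for r in select(recs, include=["SYSHIGH"]):
        print("SYSHIGH involved:", r["logonid"], r["time"], r["explanation"])
```

Run it against a SYSPRINT listing downloaded in text form; lines that do not match the detail pattern (titles, column headers) are ignored, and a "no decision" record keeps its SECLABEL fields as None so that it is never matched by INCLUDE but survives EXCLUDE.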
The following ACFRPTDA report output shows the logging of MLS DIRAUTH events with the DETAIL option set:
07/30/04 04.212  19.21.03     MLSUSER  XE59   XE59  MLSUSER  SYSLOW    PRJU      DATASET  MAC   RW   8    8     0     Not authorized, user SECLABEL doesn't dominate RTOKEN SECLABEL, but user has one that could
ACEE:
000000 C1C3C5C5 FF000219 03000000 006F2830 *ACEE............*
000010 00000000 07D4D3E2 E4E2C5D9 40015C40 *.....MLSUSER .* *
000020 40404040 4040A100 0004212F 00000000 *      ..........*
000030 00000000 006FF5E0 00000000 00000000 *......5.........*
000040 C1F5F9D3 D6F9F0F5 00000000 00000000 *A59LO905........*
000050 00000000 00000000 00000000 00000000 *................*
000060 00000000 006FF660 00000000 00000000 *......6-........*
000070 00000000 00000000 00000000 0104212F *................*
000080 00000000 00200000 00000000 00000000 *................*
000090 00000000 00000000 006FF678 00000000 *..........6.....*
0000A0 00000000 006FFF28 00000000 00000000 *................*
0000B0 00000000 00000000 00000000 00000000 *................*
0000C0 00000000 00000000 00000000 00000000 *................*
0000D0 00000000 00000000 00000000 00000000 *................*
0000E0 00000000 00000000 00000000 00000000 *................*
0000F0 00000000 00000000 00000000 00000000 *................*
000100 00000000 00000000 00000000 00E2E8E2 *.............SYS*
000110 D3D6E640 40000000 40404040 40404040 *LOW  ...        *
000120 40404040 40404040 40404040 40404040 *                *
000130 40404040 40404040 40404040 40404040 *                *
000140 40404040 40404040 40404040 40404040 *                *
000150 40404040 40404040 40404040 40404040 *                *
000160 40400000 00000000 00000000 00000000 *  ..............*
000170 00000000 00000000 00000000 00000000 *................*
000180 00000000 00000000 00000000 00000000 *................*
000190 00000000 00000000 00000000 00000000 *................*
0001A0 00000000 00000000 00000000 00000000 *................*
0001B0 00000000 00000000 00000000 00000000 *................*
0001C0 00000000 00000000 00000000 00000000 *................*
0001D0 00000000 00000000 C1F5F9D3 D6F9F0F5 *........A59LO905*
0001E0 00000000 00000000 40404040 40404040 *........        *
0001F0 40404040 40404040 00000000 00000000 *        ........*
000200 0000000C 40404040 40404040 40404040 *....            *
000210 40                                  * ...............*
UTOKEN:
000000 00000000 00000000 00000000 00000000 *................*
000010 00000000 00000000 00000000 00000000 *................*
000020 00000000 00000000 00000000 00000000 *................*
000030 00000000 00000000 00000000 00000000 *................*
000040 00000000 00000000 00000000 00000000 *................*
RTOKEN:
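The DETAIL dump is raw EBCDIC, and the translation column on the right shows only a narrow set of characters, so anything you want to check against the report line (the LOGONID, the user SECLABEL) is easier to verify from the bytes. The following Python is an added example, not product code: it parses the dump format shown above (a six-digit hex offset, up to four hex words, and the translation between asterisks), reassembles each block at its printed offsets, decodes it with the cp037 EBCDIC code page, and cross-checks that the LOGONID and USER SECLABEL columns of the report line appear in the dumped ACEE. The sample dump is constructed from a few lines of the ACEE dump above; code page 037 and the observation that the byte immediately before the logonid in the sample is its length are assumptions of the example, and no field offsets are taken from a control-block map.

```python
"""Decode the ACFRPTDA DETAIL hex dump (ACEE/UTOKEN/RTOKEN) off-host (added example)."""
import re

# Constructed sample: block headers plus selected dump lines from the page's
# ACEE dump (lines at 000020-0000F0 omitted; the parser zero-fills the gap).
SAMPLE_DUMP = """\
ACEE:
000000 C1C3C5C5 FF000219 03000000 006F2830 *ACEE............*
000010 00000000 07D4D3E2 E4E2C5D9 40015C40 *.....MLSUSER .* *
000100 00000000 00000000 00000000 00E2E8E2 *.............SYS*
000110 D3D6E640 40000000 40404040 40404040 *LOW  ...        *
UTOKEN:
000000 00000000 00000000 00000000 00000000 *................*
RTOKEN:
"""

# offset, one to four hex words (the last may be short), optional translation
DUMP_LINE = re.compile(
    r"^([0-9A-F]{6})((?:\s+[0-9A-F]{2,8}){1,4})\s*(\*.*\*)?\s*$", re.IGNORECASE)
BLOCK_HEADER = re.compile(r"^([A-Z]+):$")


def parse_dump(text):
    """Return {block name: bytearray} with the dumped bytes at their printed offsets."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        h = BLOCK_HEADER.match(line)
        if h:
            current = h.group(1)
            blocks[current] = bytearray()
            continue
        m = DUMP_LINE.match(line)
        if not m or current is None:
            continue
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        buf = blocks[current]
        if len(buf) < offset:                  # zero-fill any skipped lines
            buf.extend(b"\x00" * (offset - len(buf)))
        buf[offset:offset + len(data)] = data
    return blocks


def ebcdic_translate(data):
    """Translation column rebuilt from the bytes: printable EBCDIC (cp037) or '.'."""
    out = []
    for b in data:
        ch = bytes([b]).decode("cp037")
        out.append(ch if ch.isprintable() and ch.isascii() else ".")
    return "".join(out)


def find_ebcdic(block, text):
    """Offset of an EBCDIC-encoded string in a block, or -1 if absent."""
    return bytes(block).find(text.encode("cp037"))


def cross_check(acee, logonid, user_seclabel):
    """Confirm the report line's LOGONID and USER SECLABEL are present in the dumped ACEE."""
    lid = find_ebcdic(acee, logonid)
    return {
        "logonid_offset": lid,
        "seclabel_offset": find_ebcdic(acee, user_seclabel),
        # assumption from the sample: the byte before the logonid holds its length
        "length_byte_ok": lid > 0 and acee[lid - 1] == len(logonid),
    }


if __name__ == "__main__":
    blocks = parse_dump(SAMPLE_DUMP)
    acee = blocks["ACEE"]
    print("ACEE bytes:", len(acee), "eyecatcher:", ebcdic_translate(acee[:4]))
    print(cross_check(acee, "MLSUSER", "SYSLOW"))
    print("RTOKEN dumped:", len(blocks["RTOKEN"]), "bytes")
```

A mismatch between the LOGONID or USER SECLABEL column and the dumped ACEE, or an RTOKEN block with no bytes at all, is the kind of thing DETAIL is for: it shows what DIRAUTH was actually handed, which the summary line alone does not.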
Field Descriptions
The following fields are available on the ACFRPTDA report.
  • ACCESS
    Specifies the type of access that was requested for the resource: READ, READWRITE or WRITE (shown as R, RW or W).
  • ACEE
    ACEE associated with the user associated with the DIRAUTH call.
  • CLASS
    CLASS name specified on the DIRAUTH call.
  • CPU
    SMF name of the CPU that validated the request.
  • DATE
    The Julian or Gregorian date when the access was attempted. The format of the Gregorian date is mm/dd or dd/mm, depending on the DATE option in the GSO OPTS infostorage record.
  • JOBNAME
    Name of the job under which the access was issued.
  • LOGONID
    Logonid of the user associated with the record.
  • RACF RC
    RACF return code associated with the DIRAUTH call.
  • RACF RSN
    RACF reason code associated with the DIRAUTH call.
  • RESOURCE SECLABEL
    SECLABEL of the resource being accessed.
  • RTOKEN
    TOKEN of the resource associated with the DIRAUTH call.
  • SAF RC
    SAF return code associated with the DIRAUTH call.
  • SYSID
    CA ACF2 system ID associated with the logging records.
  • TIME
    Time of day when the access attempt occurred.
  • TYPE
    TYPE specified on the DIRAUTH call. This can be MAC, EQUALMAC or REVERSE MAC (shown as MAC, EMAC or RMAC), depending on the class specified on the DIRAUTH call.
  • USER SECLABEL
    SECLABEL of the user trying to access the resource.
  • UTOKEN
    TOKEN of the user associated with the DIRAUTH call.