ACFRPTRV - Resource Event Log

The resource facility produces journal information based on the results of resource validation requests. The ACFRPTRV report generator processes the SMF records issued by the resource facility, producing a report that describes the nature of each resource access, the user requesting the access, and the final disposition of the access. ACFRPTRV also processes this type of information for CA ACF2 for DB2. For more information about CA ACF2 for DB2, see CA ACF2 Option for DB2.
CA ACF2 records four separate types of resource events: loggings, violations, MLS Seclabel Audit records, and trace requests. Many permitted requests are not journaled at all: a permitted request produces a record only when the rule or a privilege override calls for logging. Trace requests occur when a security officer specifies that a specific user's accesses be journaled. When a user is traced, CA ACF2 performs normal resource validation processing, writes any logging or violation records, and then writes a trace record as well. When a record is cut with MLS Seclabel Audit, a '+' appears in front of the seclabel being audited.
At the end of the report, an index cross-references the resource name with the logonid of the user or batch job that accessed the resource. The index also shows the number of times each resource was accessed.
Checking Authorizations
CA ACF2 checks whether the person submitting the utility is authorized to view or manipulate the input SMF data. If you specify RPTSCOPE in the GSO OPTS record, a user is restricted to the SMF record data that matches his or her privileges and restrictions. In the default case of NORPTSCOPE, no authorization checking is done.
For the ACFRPTRV report, the following privileges and restrictions of the user running the report are validated as part of the report processing when RPTSCOPE is specified: the SECURITY or AUDIT privilege, and the INF field in the associated scope record. If the user has one of these authorities and the SMF record is within the scope of the user's logonid, the user can view the record. In addition, if the logonid of the user being journaled falls within the UID/LID scope of the user running the report, then the record can be viewed.
Running the Report Using the ISPF Panel
You can use the ACFRPTRV ISPF panel to create your input for the report. The following parameters can be found on the ACFRPTRV ISPF panel.
 
TITLE
Specifies a character string added to other title information at the top of the report. This character string can be up to 35 characters in length. If you do not specify this parameter, the report generator uses the first 35 characters in the PARM field of the EXEC statement. If this character string is longer than 35 characters, only the first 35 characters are used.
 
LOGONID MASK
Specifies that only invalid or logged resource accesses for a particular logonid or group of logonids are selected. The default is all logonids.
 
CLASS
Specifies the one-character storage class code of the infostorage records to be processed. The default is R (for resource rule sets). The storage class code for CA ACF2 for DB2 rule sets is D (for DB2). For more information about CA ACF2 for DB2 rule sets, see CA ACF2 Option for DB2.
 
TYPE
Specifies that only records for resources with the matching type codes are selected. The default is all type codes.
 
ID
Specifies that only records with resource names matching the ID mask are selected. The default is all resources.
An ID value is always treated as a mask. For instance, ID(CSVAPF.S) not only matches itself, but also matches any resource name that begins with the characters CSVAPF.S.
By omitting characters, you can form a more general ID mask. For example, characters can be omitted from CSVAPF.S to form a mask that represents all resources whose names start with CSVAPF:
ID(CSVAPF)
The mask matches any resource name that begins with the characters CSVAPF.
  • Using a Dash-An ID mask containing a dash must fit one of the following cases. If the dash falls at the end of the ID mask, it has the same effect as no dash. For example, the following two ID masks are equivalent:
    • ID(CSVAPF.S-)
    • ID(CSVAPF.S)
    If the dash falls inside the ID mask, it is treated literally as a dash and cannot represent any other character.
  • Using an Asterisk-Asterisks that fall at the end of the ID mask have the same effect as a dash or as no asterisks. For example, the following three ID masks are equivalent:
    • ID(CSVAPF.S-)
    • ID(CSVAPF.S***)
    • ID(CSVAPF.S)
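The following Python example is added here for illustration; it is not CA ACF2 code and is not part of the original documentation. It implements the ID mask rules just described (a mask is a prefix, a trailing dash or trailing asterisks add nothing, a dash anywhere else is literal) and then reuses the same matcher to apply the RPTSCOPE check from Checking Authorizations. The names LogEvent, Viewer, Scope and is_visible are assumptions made for the example, as is the use of the same prefix masking for the INF, UID, and LID fields of a scope record and the reading that a record is viewable when it falls within any one of those three scopes.

```python
"""ACF2-style ID masking and an RPTSCOPE-style visibility check (added example, not CA ACF2 code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


def id_mask_matches(mask: str, value: str) -> bool:
    """Apply the ID mask rules from this page: a mask is a prefix, trailing dashes
    or asterisks add nothing, and a dash anywhere else is matched literally."""
    prefix = mask.rstrip("-*")       # ID(CSVAPF.S), ID(CSVAPF.S-) and ID(CSVAPF.S***) are one mask
    return value.startswith(prefix)  # ID(-), the default, leaves an empty prefix and selects everything


@dataclass
class Scope:
    """Masks taken from a scope record (hypothetical layout; only the three
    fields this page mentions for ACFRPTRV are modelled)."""
    inf: List[str] = field(default_factory=list)   # INF: infostorage record keys
    uid: List[str] = field(default_factory=list)   # UID: UID strings of journaled users
    lid: List[str] = field(default_factory=list)   # LID: logonids of journaled users


@dataclass
class Viewer:
    privileges: Set[str]             # e.g. {"SECURITY"} or {"AUDIT"}
    scope: Optional[Scope] = None    # None: the logonid is not scoped


@dataclass
class LogEvent:
    infostorage_key: str             # type code and rule key, e.g. "RTAC-FN01"
    lid: str                         # logonid of the journaled user
    uid: str                         # UID string of the journaled user


def is_visible(event: LogEvent, viewer: Viewer, rptscope: bool) -> bool:
    """RPTSCOPE rule as this page states it. Assumption: a record is viewable
    when it falls within any one of the viewer's INF, UID or LID scopes."""
    if not rptscope:                 # NORPTSCOPE (the default): no checking at all
        return True
    if not (viewer.privileges & {"SECURITY", "AUDIT"}):
        return False                 # neither privilege: nothing is viewable under RPTSCOPE
    if viewer.scope is None:
        return True                  # privileged and unscoped: everything is viewable
    s = viewer.scope
    return (any(id_mask_matches(m, event.infostorage_key) for m in s.inf)
            or any(id_mask_matches(m, event.uid) for m in s.uid)
            or any(id_mask_matches(m, event.lid) for m in s.lid))


def visible_events(events: List[LogEvent], viewer: Viewer, rptscope: bool) -> List[LogEvent]:
    """Filter a list of journaled events down to what one viewer may see."""
    return [e for e in events if is_visible(e, viewer, rptscope)]
```

An auditor scoped with INF mask RTAC-FN- and LID mask TLC- sees every RTAC-FN rule event plus any event journaled for a TLC logonid, but not an RDVC-HM event for some other user; switching to NORPTSCOPE makes all three visible, and a viewer without SECURITY or AUDIT sees none of them under RPTSCOPE.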
 
TIME
Specifies the format of the time stamp in the report: M displays HH.MM, S displays HH.MM.SS, and H displays HH.MM.SS.TH. The default is M.
The default format of the ACFRPTRV report is designed to fit a limited width display terminal. Therefore, if you specify TIME(H), the TH is not included. To ensure the entire time stamp of HH.MM.SS.TH is included in the report, you must also specify the PRINTER parameter.
 
PRINTER
Produces a report format designed for output to a 133-column line printer. If you do not specify this parameter, ACFRPTRV uses the default format designed to fit a limited width display terminal.
 
DCLASS
Specifies a 32-byte DCLASS name that limits the number of records appearing on the report to resources defined in the specified data class. This DCLASS value should match exactly to the DCLASS field of the DCO DATA records on your CA ACF2 system. For more information, see the Data Classification Records. The default is no screening of resources by data class.
 
REPORT TYPE
Specifies the type of records processed by ACFRPTRV. You can specify any combination of these parameters. If you specify none of these parameters, ACFRPTRV uses ALL. These parameters act in an inclusive OR fashion, so that, for example, a specification of VIO and TRACE causes all violation and trace records to be listed.
  • ALL-specifies that all of the previous journal information is listed.
  • LOGGING-specifies accesses that are permitted and logged because the resource rule specified LOG. Loggings also occur when a user with the SECURITY, NON-CNCL, or READALL privilege issues a request that is normally prevented.
  • VIO-specifies all accesses that violated rule sets.
  • TRACE-specifies all records produced as a result of the TRACE field in the logonid record or from a RACROUTE REQUEST=AUDIT call. If the access was logged or was a violation, TRACE requests might have more than one SMF record written.
 
OUTPUT LIST NAME: LIST ID
Specifies the 1- to 8-character output list name. ISPF prefixes the name you specify with the user's prefix from his profile and the characters ACF2.ACFRPTRV. For example, if you specify TEST as the output list name, your output list data set name is dft-pfx.ACF2.ACFRPTRV.TEST.
 
SPECIFY INPUT DATA SET(S) FOR ACFRPTRV
For an explanation of the options available, see Input and Output Files for Report Generators in Reporting.
 
LOGSTREAM
Indicates whether LOGSTREAM SMF data is to be retrieved. This parameter is available for z/OS 1.9 and higher when the SMF data is being captured by a System Logger (LOGR) logstream structure. When Y is specified, an additional panel (ACFRPTAL) is displayed to provide the specific logstream parameters.
PAGEHDR(YES|NO|ONCE)
Specifies how the page header appears.
  • YES-Header is printed at the beginning of each page. This is the default.
  • NO-No header is printed.
  • ONCE-Header is printed only once, at the beginning of the first page.
 
LINECTL|NOLINECTL
Specifies whether blank lines and/or ANSI line control characters are produced.
Running the Report Using JCL
You can use JCL to run the ACFRPTRV utility. To run the ACFRPTRV report, see the documentation about using sample JCL to execute reports. The following are the parameters for this report.
 
[SUMMARY|DETAIL]
Specifies the format of the ACFRPTRV report. The SUMMARY parameter produces information about each resource access request that results in a logging, violation, or trace record, and is the default. All users should specify SUMMARY, except those who want to see additional lines of information related to CA ACF2 for DB2. If you are using CA ACF2 for DB2, the DETAIL parameter provides the original, primary, and secondary authorization IDs for users of DB2. See the CA ACF2 Option for DB2 for samples of the SUMMARY and DETAIL parameters.
 
[LOG|VIO|TRACE|ALL]
Specifies the type of records processed by ACFRPTRV. You can specify any combination of these parameters. If you specify none of these parameters, ACFRPTRV uses ALL. These parameters act in an inclusive OR fashion, so that, for example, a specification of VIO and TRACE causes all violation and trace records to be listed.
  • LOG-specifies accesses that are permitted and logged because the resource rule specified LOG. Loggings also occur when a user with the SECURITY, NON-CNCL, or READALL privilege issues a request that is normally prevented.
  • VIO-specifies all accesses that violated rule sets.
  • TRACE-specifies all records produced as a result of the TRACE field in the logonid record or from a RACROUTE REQUEST=AUDIT call. If the access was logged or was a violation, TRACE requests might have more than one SMF record written.
  • ALL-specifies that all of the previous journal information is listed. This is the default.
 
[MASK(********|logonidmask)]
Specifies that only records for logonids matching the specified mask are selected. The default is all logonids.
 
[PRINTER]
Produces a report format designed for output to a 133-column line printer. If you do not specify this parameter, ACFRPTRV uses the default format designed to fit a limited width display terminal. 
 
[CLASS(R|class)]
Specifies the one-character storage class code of the infostorage records to be processed. The default is R (for resource rule sets). The storage class code for CA ACF2 for DB2 rule sets is D (for DB2). See the CA ACF2 Option for DB2 for more information about CA ACF2 for DB2 rule sets.
 
[TYPE(***|typemask)]
Specifies that only records for resources with the matching type codes are selected. The default is all type codes.
 
[ID(-|idmask)]
Specifies that only records with resource names matching the ID mask are selected. The default is all resources.
 
DCLASS
Specifies a 32-byte DCLASS name that limits the number of records appearing on the report to resources defined in the specified data class. This DCLASS value should match exactly to the DCLASS field of the DCO DATA records on your CA ACF2 system. For more information, see Data Classification Records. The default is no screening of resources by data class.
Common Parameters
ACFRPTRV accepts the following parameters.
  • LINECNT
  • JOBMASK
  • TITLE
  • SDATE
  • EDATE
  • STIME
  • ETIME
  • SELECT
  • SYSID
  • HEX
  • COND
  • TIME
Input and Output Files
ACFRPTRV uses the standard SYSPRINT, SYSIN, and RECxxxxx files, described in the documentation about input and output files for report generators.
Sort Sequence
The recommended sort sequence for the ACFRPTRV report is by infostorage record key (major), logonid, date, and then time. The infostorage record key consists of the storage class, type code, and record name or key of the resource rule set. Perform this sorting using your own routine or modify the prototype JCL provided with CA ACF2.
Sample Output
The following is sample output for the ACFRPTRV report.
Terminal Format
The following sample shows the terminal format of the ACFRPTRV output when default TIME(M) is used:
CA ACF2 SECURITY - ACFRPTRV - GENERALIZED RESOURCE LOG - PAGE 1
DATE 03/31/98 (98.090) TIME 10.50
RESOURCE RULE EVENT LOG

REQUESTED RESOURCE  REC   LOOKUP KEY  UID             SOURCE  CPU   MODULE  DISP     DSP-MOD  KEY-MOD   SERV
DATE          TIME   JNAME    LID      NAME    PRE  RMC  INT  PST  FIN
RTAC-FNN1           LOG   RTAC-FN**   CHFSEASTTLC429  LV431   CPU1  LOGON   RULE     -        DIRECTRY
98.019 01/19  08.01  TLC429   TLC429   CARL    0    4    4    0    4
RTAC-FN01           LOG   RTAC-FN**   CHFSEASTTLC429  LV431   CPU1  LOGON   RULE     -        DIRECTRY
98.019 01/19  08.04  TLC429   TLC429   CARL    0    4    4    0    4
RDVC-HM01           *VIO  RDVC-HM**   CHFSEASTTLC871  LV431   CPU1  LOGON   NO-RULE  -        DIRECTRY
98.019 01/19  08.46  TLC871   TLC429   STEVE   0    4    20   0    16
SAF RESOURCE CLASS: DEVICES
USER'S DN: Test DN001
REGISTRY: Test RN001
Printer Format
The following sample shows the printer format of the ACFRPTRV output.
CA ACF2 SECURITY - ACFRPTRV - GENERALIZED RESOURCE LOG - PAGE 1
DATE 07/03/98 (98.184) TIME 11.15   PRINTER

DATE          TIME   SOURCE   JNAME    LID      NAME        DISP     REC  SERV  LOOKUP-KEY     PRE PST RMC INT FIN  UID      CPU   MODULE    KEY-MOD  DSP-MOD  REQUESTED RESOURCE
98.321 11/17  18.15  A8DL909  KIETH01  KIETH01  MOE HOWARD  NO-RULE  LOG        RTAC-1         0   0   4   20  4    KIETH01  XE8D  LOGON     -        SEC-OFF  RTAC-1
                     RESOURCE NAME: 1
98.344 12/10  10.59  A8DL902  BLAMI02  BLAMI02  MIKE        RULE     TRC  UPDT  RSAF-********  0   0   0   0   0    BLAMI02  XE8D  ACF9CAUT  -        -        RSAF-JES2.CANCEL.BAT
                     SAF RESOURCE CLASS OPERCMDS  RESOURCE NAME: JES2.CANCEL.BAT
98.344 12/10  10.59  A8DL902  BLAMI02  BLAMI02  MIKE        RULE     TRC  UPDT  RSAF-********  0   0   0   0   0    BLAMI02  XE8D  ACF9CAUT  -        -        RSAF-MVS.MCSOPER.BLAMI02
                     SAF RESOURCE CLASS OPERCMDS  RESOURCE NAME: MVS.MCSOPER.BLAMI02
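As an added example that is not CA ACF2 code and not part of the original documentation, the following Python script parses the printer-format layout shown above, orders the events in the sequence recommended under Sort Sequence (infostorage record key, logonid, date, time), and flags the records an auditor would read first: violations, accesses that went through only because of a SECURITY or NON-CNCL privilege (the DSP-MOD column), and accesses allowed although no rule matched (the DISP column). The sample lines are constructed from the printer-format sample above; the third record has been altered to a violation so that every triage path is exercised. The parser assumes that the UID string and the REQUESTED RESOURCE contain no embedded blanks, which holds for this sample but is not guaranteed for every UID string, and it accepts the violation marker either attached to the REC value (*VIO) or as a separate character.

```python
"""Triage of ACFRPTRV printer-format output (added example, not CA ACF2 code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DISPOSITIONS = {"NO-REC", "NO-RULE", "RULE"}             # values of the DISP column
PRIVILEGED_OVERRIDES = {"SEC-OFF", "NON-CNCL"}            # DSP-MOD: a privilege forced the access through
DETAIL_LINE = re.compile(r"^\d{2}\.\d{3} \d{2}/\d{2} ")  # a detail line opens with the Julian date

# Constructed sample modelled on the printer-format sample on this page; the third
# record is altered to a violation (*VIO, INT 16, FIN 16) so every triage path runs.
SAMPLE_REPORT = """\
98.321 11/17 18.15 A8DL909 KIETH01 KIETH01 MOE HOWARD NO-RULE LOG RTAC-1 0 0 4 20 4 KIETH01 XE8D LOGON - SEC-OFF RTAC-1
                   RESOURCE NAME: 1
98.344 12/10 10.59 A8DL902 BLAMI02 BLAMI02 MIKE RULE TRC UPDT RSAF-******** 0 0 0 0 0 BLAMI02 XE8D ACF9CAUT - - RSAF-JES2.CANCEL.BAT
                   SAF RESOURCE CLASS OPERCMDS RESOURCE NAME: JES2.CANCEL.BAT
98.344 12/10 10.59 A8DL902 BLAMI02 BLAMI02 MIKE RULE *VIO UPDT RSAF-******** 0 0 0 16 16 BLAMI02 XE8D ACF9CAUT - - RSAF-MVS.MCSOPER.BLAMI02
                   SAF RESOURCE CLASS OPERCMDS RESOURCE NAME: MVS.MCSOPER.BLAMI02
"""


@dataclass
class Event:                 # one printer-format detail record, columns as named on this page
    julian: str
    time: str
    source: str
    jname: str
    lid: str
    name: str
    disp: str
    rec: str
    serv: Optional[str]
    lookup_key: str
    pre: int
    pst: int
    rmc: int
    int_rc: int
    fin: int
    uid: str
    cpu: str
    module: str
    key_mod: str
    dsp_mod: str
    resource: str
    saf_class: Optional[str] = None      # from a SAF RESOURCE CLASS continuation line
    resource_name: Optional[str] = None  # from a RESOURCE NAME: continuation line


def parse_detail_line(line: str) -> Event:
    """Split one PRINTER record on blanks. NAME is the only free-text column, so the
    fixed columns are counted from both ends and NAME is whatever remains in between."""
    t = [tok for tok in line.split() if tok != "*"]  # drop a detached violation marker
    julian, _greg, time, source, jname, lid = t[:6]
    # Assumption: UID and REQUESTED RESOURCE carry no embedded blanks.
    pre, pst, rmc, int_rc, fin = (int(x) for x in t[-11:-6])
    uid, cpu, module, key_mod, dsp_mod, resource = t[-6:]
    middle = t[6:-11]                                # NAME ... DISP REC [SERV] LOOKUP-KEY
    disp_idx = max((i for i, tok in enumerate(middle) if tok in DISPOSITIONS), default=None)
    if disp_idx is None:
        raise ValueError(f"no DISP column in: {line}")
    rest = middle[disp_idx + 2:]                     # SERV is optional, LOOKUP-KEY is not
    serv, lookup_key = (None, rest[0]) if len(rest) == 1 else (rest[0], rest[1])
    return Event(julian, time, source, jname, lid, " ".join(middle[:disp_idx]),
                 middle[disp_idx], middle[disp_idx + 1].lstrip("*"), serv, lookup_key,
                 pre, pst, rmc, int_rc, fin, uid, cpu, module, key_mod, dsp_mod, resource)


def parse_report(text: str) -> List[Event]:
    """Parse detail lines and attach SAF RESOURCE CLASS / RESOURCE NAME continuations."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if DETAIL_LINE.match(line):
            events.append(parse_detail_line(line))
        elif events:                                 # continuation lines follow their record
            m = re.search(r"SAF RESOURCE CLASS:?\s+(\S+)", line)
            if m:
                events[-1].saf_class = m.group(1)
            m = re.search(r"RESOURCE NAME:\s+(\S+)", line)
            if m:
                events[-1].resource_name = m.group(1)
    return events


def sort_key(e: Event) -> Tuple[str, str, str, str]:
    """The recommended sort: infostorage record key, logonid, date, then time."""
    return (e.lookup_key, e.lid, e.julian, e.time)


def triage(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (logonid, resource, reason) for the events that deserve a second look."""
    findings = []
    for e in sorted(events, key=sort_key):
        if e.rec == "VIO" or e.fin == 16:
            findings.append((e.lid, e.resource, "VIOLATION"))
        elif e.dsp_mod in PRIVILEGED_OVERRIDES:
            # Permitted only because of SECURITY or NON-CNCL; INT shows what the rule
            # alone would have done (20 = no rule applies, 16 = prevent).
            findings.append((e.lid, e.resource, f"PRIVILEGE-OVERRIDE:{e.dsp_mod}:INT={e.int_rc}"))
        elif e.disp != "RULE":
            findings.append((e.lid, e.resource, f"NO-MATCHING-RULE:{e.disp}"))
    return findings
```

On the sample, the KIETH01 record is the interesting one even though it is only a LOG record: DISP is NO-RULE and INT is 20, so an ordinary user would have been prevented, and the access went through solely because DSP-MOD shows SEC-OFF. That is exactly the case the LOG/LOGGING parameter description calls out for SECURITY, NON-CNCL, and READALL users, and it is why the triage reads DSP-MOD and INT rather than FIN alone.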
Field Descriptions
 
CPU
 
 
 
The SMF name of the CPU that validated this resource request.
 
DATE
 
 
 
The Julian or Gregorian date when the access was attempted. The format of the Gregorian date is MM/DD or DD/MM, depending on the DATE option in the GSO OPTS infostorage record.
 
DISP
 
 
 
The name of the element that determined the disposition of this request:
  • NO-REC-no record matching the rule key was found in the CA ACF2 database.
  • NO-RULE-no rule matching the environment of the request was found in the rule set.
  • RULE-the disposition was determined by a resource rule in the rule set.
 
DSPMOD
 
Various exits and conditions can modify the disposition. This field details these conditions.
  • LMP-LOG-access was permitted because CA ACF2 was in LOG mode due to failure of LMP Product Key verification.
  • PRE-VALD-a user prevalidation exit altered the final request disposition.
  • PST-VALD-a user postvalidation exit altered the final request disposition.
  • NON-CNCL-the requester's logonid is marked NON-CNCL (non-cancel). The request was permitted.
  • SEC-OFF-the requester was a security officer. The request was permitted.
  • ABORT-the request was unconditionally aborted.
  • LIMITED-the request was prevented because a LIMITED user matched a UID(*) ALLOW rule.
 
FIN
 
The final return code from the CA ACF2 resource validation function. Possible return codes are:
  • 0 Allow
  • 4 Allow and log
  • 8 Allow request and reverify password
  • 12 Allow request, log, and reverify password
  • 16 Prevent request
 
INT
The return code from the resource rule interpreter. Possible return codes are:
  • 0 Allow request
  • 4 Allow and log request
  • 8 Allow request and reverify password
  • 12 Allow and log request, and reverify password
  • 16 Prevent access
  • 20 No rule applies
  • 24 Rule record not proper format
  • 255 ACF74xxx message issued by generalized resource rule interpreter for record-level validations.
 
JNAME
The name of the job under which the access was issued.
 
KEYMOD
CA ACF2 modifies the resource name to perform its database lookup operations. This field indicates which resource validation component modified the key.
  • PRE-VALD-a user prevalidation exit altered the request key.
  • DIRECTRY-a resource rule directory was used because the resource type code is in the GSO INFODIR record and defined as globally resident. Being defined as globally resident, the rule is validated from a directory instead of from an I/O to the database. The key may have been modified if a masked rule was used or if the resource is part of a Cross-Reference Resource Group (X-RGP) record.
  • PREV/DIR-a user prevalidation exit and the CA ACF2 directory both modified the key.
 
LID
The logonid of the user issuing the request.
 
LOG STRING
The LOGSTR parameter specified in the RACROUTE REQUEST=AUTH call to validate access to the specified resource. This value is a log string variable length character data field used for information and report purposes. Report entries related to PDS Member Level Protection will display the member's PDS Dataset name as the log string data.
 
MODULE
The name of the requesting module as identified in the resource request parameter list. This can be a user-supplied name. Some possible CA ACF2 standard values are:
  • ACF$Cxxx-the name of the CA ACF2 CICS parameter module for that CICS system.
  • ACFDCRUL-the requesting module is the CA ACF2 IMS TM (online) interface.
  • LOGON-TSO logon processing validation.
 
NAME
The name of the user making the request.
 
NEXTKEY
The NEXTKEY parameters that CA ACF2 uses to find the matching rule entry. The rule that prevents or allows access is also shown in the resource violation LOOKUP-KEY field.
 
PRE
The return code from the user prevalidation exit. Possible return codes are:
  • 0 - Continue normal processing
  • 4 - Logonid not found
  • 8 - Allow and log request
  • 12 - Allow request and reverify password
  • 16 - Allow and log request, and reverify password
  • 20 - Prevent request
 
PST
The return code from the user postvalidation exit. Possible return codes are:
  • 0 - Continue normal processing
  • 4 - Allow request
  • 8 - Allow and log request
  • 12 - Allow request and reverify password
  • 16 - Allow and log request, and reverify password
  • 20 - Prevent request
 
REC
A three-character code indicating whether the record is a logging, violation, or trace record. Violation records are highlighted with an asterisk (*) before this field.
 
REGISTRY
The distributed identity registry name that is associated with the z/OS userid. This field is shown only when z/OS Identity Propagation is being used.
 
REQUESTED RESOURCE
The name of the resource for which access is requested. The resource is identified by the infostorage record key in the following format:
class-type-name
The storage class and type code can be one of the following letters:
  • D
    CA ACF2 for DB2 rule set-type code SYS, DBS, PLN, TBL, BPL, STG, TSP, COL, and PKG.
  • R
    Resource rule set-type code CDB, CFC, CKC, CMR, CPC, CTD, CTS, DAT, IAG, ICM, IPS, ITR, PGM, PGN, PSB, SSC, TAC, TGR, TPR, TSK, and VTA
  • P
    Profile records-type code ALU, DLF, DSN, GRP, PTK, SMV, and USR.
The name of the record can be one of the following:
  • DB2 subsystem ID followed by the CA ACF2 for DB2 resource name ($KEY)
  • Key (designated in the $KEY control statement) for resource rule sets
  • Segment data name for profile records
 
RESOURCE NAME
The resource name used during validation. This field might show up to a maximum of 256 characters.
RMC
The return code from the CA ACF2 resource record manager. Possible return codes are:
  • 0 - Record was already resident
  • 4 - I/O needed to obtain record
  • 8 - Record was not found
 
LOOKUP-KEY
The name of the rule set used to validate the request. This name shows any modifications to the resource name from the prevalidation exit or the CA ACF2 directory.
 
SAF RESOURCE CLASS
This value indicates a request from SAF to validate access to the specified resource class. This specified resource class was used to determine the type of resource rule to be used for validation.
 
SERV
The type of service requested. Service type is not a required parameter for a resource validation call; the caller supplies the service type when applicable. Possible values are:
  • READ - the access request was for read only.
  • ADD - the access request was to add new records to an existing file.
  • DEL - the request was to delete (erase) existing records.
  • UPDT - the request was to modify existing records.
The possible values for DB2 depend on the resource type. See CA ACF2 Option for DB2 for more information about the values of the SERVICE keyword.
SOURCE
The logical input source where the resource request was issued.
 
TIME
The time of day when the access attempt occurred.
 
UID
The requester's user identification string.
 
USER'S DN
The distinguished name that is associated with the z/OS userid. This field is shown only when z/OS Identity Propagation is being used.
When MLS is active, the following fields are captured when an unauthorized attempt is made to access a classified resource:
USER-SECLABEL
The 8-byte user session seclabel.
 
RSRC-SECLABEL
The 8-byte resource seclabel.
 
MODE
The MLS mode value from the compiled profile record if it exists; otherwise it specifies the global MLS mode.
 
SRC
The SAF return code
 
ROL=ROLE
The role assigned to the user and applicable to this request if a ROLE ruleset is part of the validation path.
 
RRC
The RACF return code
 
RSN
The RACF reason code
When a record is cut with MLS Seclabel Audit, a '+' appears in front of the seclabel being audited. The report carries an additional header line for the MLS data:
MLS USER-SECLABEL RSRC-SECLABEL MODE SRC RRC RSN
and an additional detail line carrying the MLS-related data is printed for each such record.
Sample MLS Output
CA ACF2 SECURITY - ACFRPTRV - GENERALIZED RESOURCE LOG - PAGE 3
DATE 02/05/04 (04.036) TIME 12.22

REQUESTED RESOURCE            REC  LOOKUP KEY  UID          SOURCE    CPU   MODULE    DISP    DSP-MOD  KEY-MOD  SERV
DATE          TIME   JNAME    LID      NAME            PRE  RMC  INT  PST  FIN
MLS USER-SECLABEL RSRC-SECLABEL MODE SRC RRC RSN
RXDC-ZAP.PRIVATE.SUBPOOL.255  LOG  RXDC-ZAP    SHS USERA01  A69LO907  XE69  ACF9CAUT  NO-REC  SEC-OFF  -        UPDT
04.036 02/05  12.14  USERA01  USERA01  JANICE HALVETA  0    8    0    0    4
SAF RESOURCE CLASS XDC
MLS SLC001 SLD010 LOG 4 24 4
RESOURCE NAME: ZAP.PRIVATE.SUBPOOL.255
For complete information on how to implement MLS on a system using CA ACF2, see Multilevel Security Planning.
Return Codes
 
PRE
 
The return code from the user prevalidation exit. Possible return codes are:
  • 0 - Continue normal processing
  • 4 - Logonid not found
  • 8 - Allow and log request
  • 12 - Allow request and reverify password
  • 16 - Allow and log request, and reverify password
  • 20 - Prevent request
 
RMC
 
The return code from the CA ACF2 resource record manager. Possible return codes are:
  • 0 - Record was already resident
  • 4 - I/O needed to obtain record
  • 8 - Record was not found
 
INT
 
The return code from the resource rule interpreter. Possible return codes are:
  • 0 - Allow request
  • 4 - Allow and log request
  • 8 - Allow request and reverify password
  • 12 - Allow and log request, and reverify password
  • 16 - Prevent access
  • 20 - No rule applies
  • 24 - Rule record not proper format
 
PST
 
The return code from the user postvalidation exit. Possible return codes are:
  • 0 - Continue normal processing
  • 4 - Allow request
  • 8 - Allow and log request
  • 12 - Allow request and reverify password
  • 16 - Allow and log request, and reverify password
  • 20 - Prevent request
 
FIN
 
The final return code from the CA ACF2 resource validation function. Possible return codes are:
  • 0 - Allow
  • 4 - Allow and log
  • 8 - Allow request and reverify password
  • 12 - Allow request, log, and reverify password
  • 16 - Prevent request