Auditors have requested the following information from our system: "if there's not a way to query for accounts without the *PW= record, we will need to see the contents of all user directory entries to ensure all users have an appropriate password expiration setting".

Of course we don't want to divulge the contents of the entire VM directory to anyone not authorized.

Is there a way to report on the presence or absence of *PW in the directory entries?

z/VM 5.4  running with VM:Secure r3.2

Use VMSECURE ULIST command that provides password status values. 

The ULIST command displays the User List Menu. 
It allows directory managers to list directory entries they manage and perform full-screen directory management functions on those entries. 

It also provides information about the status of logon passwords and the number of days since logon passwords have been changed. 

When an asterisk is displayed in the PwAge column, it indicates that the associated user ID does not have a *PW= special comment in its associated directory entry. Therefore, there is no associated password age information to report. 

Here’s the link to the ULIST command if you want to read more about it. 

https://docops.ca.com/ca-vm-director-for-zvm/3-1/en/reference/command-reference/ulist-command


 

Provided insight regarding answers to some questions raised during our annual audit process.

The customer was able to take the results of a VMSECURE ULIST, and the results of a VMSECURE SCAN, and through some REXX "magic" create an exception report of directory entries where a *PW record was absent (one of the audit requirements).