How can I use Compliance Event Manager to track Security Administration rule changes?
The POLICYADMIN event can be used to track logonid changes with the Alert, Warehouse or Logger components.
A Policy Statement for the Policy Administration event can be created. Test Conditions can be used against the following fields:
Account
Command
Date
Day
ESM
Jobname
Operation
Policy Class
Policy Entity
SYSID
SYSPLEX
Source
Time
Userid
The fields that are returned are as follows:
Category
Class
Command
Date
DATE_UTC
Entity
ESM
Event
Jobname
Length
Operation
Policy Class
Policy Entity
Policy UUID
Record Length
Source
SYSID
SYSPLEX
Time
Userid
Version
For example:
Security administrator logonid SEC0001 changes the FACILITY resource class rule BPX TYPE(FAC) to add a rule entry.
LOGONID SEC0001 (with SECURITY privilege) logs on to TSO.
Command issued from TSO:
ACF
SET RESOURCE(FAC)
reckey bpx add(delete.me.rule.entry UID(*) log)
Compliance Event Manager Policy Administration Event fields returned:
Category: POLICYADMIN
Class: RFAC
Command: reckey bpx add(delete.me.rule.entry UID(*) log)
Date: 06-Feb-2017
DATE_UTC: Monday
Entity: RFACBPX
ESM: ACF2
Event: POLICYADMIN
Jobname: SEC0001
Length: 212
Operation: INSERT
Policy Class: RFAC
Policy Entity: RFACBPX
Policy UUID: 588499fe-6183-41d1-ba9a-fd9e8daeb112
Record Length: 212
Source: A99KO888
SYSID: SYS8
SYSPLEX: MINIPLEX
Time: 20:38:04
Userid: SEC0001
Version: 1
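The same kind of field tests can be applied to POLICYADMIN records once they have been forwarded out of the product for review. The Python below is an added example, not part of Compliance Event Manager and not Policy Statement syntax; the check names, the off-hours window and the assumption that events arrive as `Field: value` text are hypothetical.

```python
import re

# Constructed sample: an abridged copy of the field listing shown above.
SAMPLE_EVENT = """\
Class: RFAC
Command: reckey bpx add(delete.me.rule.entry UID(*) log)
Date: 06-Feb-2017
ESM: ACF2
Event: POLICYADMIN
Jobname: SEC0001
Operation: INSERT
Policy Entity: RFACBPX
Source: A99KO888
SYSID: SYS8
Time: 20:38:04
Userid: SEC0001
"""

def parse_event(text):
    """Turn 'Field: value' lines into a dict, splitting on the first colon
    only so that values such as 20:38:04 stay intact."""
    event = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        event[name.strip()] = value.strip()
    return event

# Hypothetical review checks: each maps field names to a regex that must match.
CHECKS = {
    # A rule entry was added by a Policy Administration change.
    "rule-entry-added": {"Event": r"^POLICYADMIN$", "Operation": r"^INSERT$"},
    # UID(*) matches every UID string, so the entry applies to all users.
    "wildcard-uid": {"Command": r"\bUID\(\*\)"},
    # Assumed change window: 07:00 to 18:59 local time is normal.
    "outside-day-shift": {"Time": r"^(0[0-6]|19|2[0-3]):"},
}

def evaluate(event, checks=CHECKS):
    """Return the names of all checks whose field patterns all match."""
    return [name for name, conds in checks.items()
            if all(re.search(p, event.get(f, ""), re.I) for f, p in conds.items())]

print(evaluate(parse_event(SAMPLE_EVENT)))
```
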