Release : 16.0

Component : CA ACF2 for z/OS

The ck_IPC_access entries in the ACFRPTOM report determines whether the current process has the requested access to the interprocess communication (IPC) key or identifier whose IPC security packet (IISP) is passed.

There are two methods of addressing the ck_IPC_access entries in the ACFRPTOM report. The logging entries can be stopped or the entries can be excluded the entries from the report.

The UNIXOPTS GSO record, allows sites to selectively control which USS events are logged such as the ck_IPC_access entries. There are seven parameters or options in the UNIXOPTS record that determine whether USS events within certain categories are logged to create an audit trail or whether these events are ignored. The IPCOBJ|NOIPCOBJ parameter can be used to control the cutting of the SMF records for ck_IPC_access, setting the GSO UNIXOPTS parameter IPCOBJ|NOIPCOBJ to NOIPCOBJ will suppress the ck_IPC_access SMF records.

IPCOBJ|NOIPCOBJ

Specifies if SMF records are to be cut for UNIX system services that control the auditing of the access control, IPC object changes and the creation and deletion of IPC objects. Some of the functions that will do this are msgctl, msgget, msgsnd, semctl, semget, semop, shmat, shmget and shmctl. The Security Server callable services that control cutting of this SMF record are ck_IPC_access, R_IPC_ctl, and makeISP.

The ACFRPTOM report 'EXCLUDE' parameter can be used to exclude service or services to be omitted from the ACFRPTOM report. For example:

//REPORT  EXEC PGM=ACFRPTOM
//SYSPRINT DD SYSOUT=*
//RECMAN1  DD DISP=SHR,DSN=SYS1.MAN1
//RECMAN2  DD DISP=SHR,DSN=SYS1.MAN2
//RECMAN3  DD DISP=SHR,DSN=SYS1.MAN3
//SYSIN    DD *
TITLE(ACFRPTOM)
DETAIL
EXCLUDE(ck_IPC_access)
/*