Question regarding reports / audit log IPV6 vs. IPV4
search cancel

Question regarding reports / audit log IPV6 vs. IPV4

book

Article ID: 138824

calendar_today

Updated On:

Products

VM:Secure for z/VM

Issue/Introduction

Currently on zVM 6.4 RSU 1901+ with VMSECURE 3.2 RSU-1801+. 

We've recently changed our AUDIT LOG to be RECFM V as part of the recent VMSECURE RULES Enhancement PTF. 

This now lets us see IPV6 addresses in the terminal address portion of the reports which is great news. 


I've noticed though in the reports, the address displayed for a specific user / session  will start out as IPV6 but switch over to IPV4 at some point. 

The address is the same - no real issue with that. I'm just curious as to why. Since these reports go to management and audit, I'm sure someone is going to ask me this question in the future and I'd like to be able to give them an answer on the spot. 


Environment

Release : 3.2

Component : CA VM:Secure for z/VM

z/VM 6.4 and z/VM 7.1

Resolution

Apply VM:Secure PTF SO10299 which changes VMXSRA/VMXSRB to output IPV4 formatted addresses when it discovers 

IPV4 addresses formatted for IPV6. 

Additional Information

The terminal address in the VMXSRB/VMXSRA audit reports can be different for audited events that are CP command or function related and those that are related to directory management functions for the same user ID during the same duration of being logged on.  This only occurs for customers using a variable length audit file which supports IPV6 addresses.


Audit reports can also be misleading or confusing without closer inspection.


To resolve, apply VM:Secure PTF SO10299.