A large number of SMF records are being cut and appear to be coming from CEMETOM.
Release: 6.0
Component: CA COMPLIANCE EVENT MANAGER
ACF2
16.0
Multiple processes are likely being used to trace events.
If too many SMF records are observed, it suggests that two different tracking mechanisms are in play:
A. Compliance Event Manager USS CK_ACCESS events,
and
B. The ACF2 GSO UNIXOPTS DIRACC_ACTIVE which cuts SMF records for UNIX system service ck_access and ck_owner_2_files.
Determine what is of interest.
- Generating USS CK_ACCESS records using both methods (CEVM CK_ACCESS events and ACF2 SMF records for CK_ACCESS) will result in a large volume of SMF records.
- Identify which one is required and turn off the other to limit SMF record generation.
Note: If UNIXOPTS DIRACC|NODIRACC is set to DIRACC, additional SMF records are cut for the USS directory search (ck_access) that corresponds to the screen print of the Compliance Event Manager event data provided.
UNIXOPTS DIRACC|NODIRACC
Specifies whether SMF records are to be cut for UNIX system services that control access checks for read/write access to directories. Some of the functions that access directories with read or write access are open, opendir, rename, rmdir, mount, mkdir, link, mknod, getcwd, and vlink.
The Security Server callable services that control cutting this SMF record are ck_access and ck_owner_2_files.