Huge amount of SMF records generated in CEM.


Article ID: 142731


Products

CA Compliance Event Manager

Issue/Introduction

A large number of SMF records are being cut, and they appear to be coming from CEMETOM.

Cause

Most likely more than one process is tracing the same events.

Environment

Release : 6.0
Component : CA COMPLIANCE EVENT MANAGER

ACF2
16.0

Resolution

If too many SMF records are observed, it suggests that two different tracking mechanisms are in play:

A. Compliance Event Manager USS CK_ACCESS events, 
and 
B. The ACF2 GSO UNIXOPTS DIRACC_ACTIVE which cuts SMF records for UNIX system service ck_access and ck_owner_2_files.

Determine what is of interest. 

- Generating USS CK_ACCESS records with both methods (CEVM CK_ACCESS events and ACF2 SMF records for CK_ACCESS) results in a large volume of SMF records.
- Identify which one is required and turn off the other to limit SMF record generation.

Note: if UNIXOPTS DIRACC|NODIRACC is set to DIRACC, additional SMF records are cut for USS directory searches (ck_access); this corresponds to the screen print of the Compliance Event Manager event data provided.

UNIXOPTS DIRACC|NODIRACC

Specifies whether SMF records are to be cut for UNIX system services that control access checks for read/write access to directories. Some of the functions that access directories with read or write access are open, opendir, rename, rmdir, mount, mkdir, link, mknod, getcwd, and vlink. 
The Security Server callable services that control cutting this SMF record are ck_access and ck_owner_2_files.
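As an added example (not part of the original article), the ACF2 commands used to confirm the current UNIXOPTS setting and then switch DIRACC off, assuming the site has decided that the Compliance Event Manager CK_ACCESS events are the mechanism to keep and that the ACF2 command environment is entered from TSO:

```text
/* Added example: inspect and change the ACF2 GSO UNIXOPTS record.    */
/* Run from a TSO session with authority to change GSO records.       */
ACF
SET CONTROL(GSO)
LIST UNIXOPTS                 /* check whether DIRACC or NODIRACC is in effect */
CHANGE UNIXOPTS NODIRACC      /* stop cutting ACF2 SMF records for directory access checks */
LIST UNIXOPTS                 /* confirm NODIRACC is now shown */
END

/* From the operator console, make the changed record active: */
F ACF2,REFRESH(UNIXOPTS)
```

If the site instead keeps ACF2's DIRACC recording, leave UNIXOPTS unchanged and disable the CEM CK_ACCESS event collection in the Compliance Event Manager configuration; in either case only one of the two mechanisms should remain active.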