We want to know in a USS environment if we change the file permission, e.g. from 777 to 755, will this be captured by ACF2? Are there any reports we can generate?

Article ID: 16783

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction



We want to know in a USS environment if we change the file permission, e.g. from 777 to 755, will this be captured by ACF2? Are there any reports we can generate?

Environment

Release:
Component: ACF2MS

Resolution

If the ACF2 GSO UNIXOPTS FSSEC option is set, an SMF record is cut for a 'chmod' issued from OMVS.

The GSO UNIXOPTS FSSEC|NOFSSEC field controls the following.

FSSEC|NOFSSEC 

Specifies whether SMF records are to be cut for UNIX system services that control the auditing of changes to the security data (FSP) for file system objects. Some of the functions that modify the FSP are chaudit, chmod, chown, chattr, write, fchaudit, fchmod, and setfacl. The Security Server callable services that control cutting of this SMF Record are R_chaudit, R_chown, R_chmod, clear_setid, and R_setfacl. 

For example:

'chmod' command issued from OMVS:

CHMOD 666 scart0.zip

ACFRPTOM report shows the following entry.

      SERVICE      USERID    GROUP        UID         GID    SAF  RC   RSN    
        DATE          TIME    JOBNAME   SOURCE   SYSID   CPU   SECLABEL       

  R_chmod          USER002  TESTGRP            0          10   0    0    0
  12/07/17  17.341   11.19.41 USER002           SYS8     SYS28             
  Successful - Logging active by Trace/Audit options                      
   Old Permission bits -  Owner: rwx Group: rwx Other: rwx                
   New Permission bits -  Owner: rw- Group: rw- Other: rw-                
   Function: chmod                User Type: Local                        
   Pathname: scart0.zip                                                   
   Filename: scart0.zip                                                   
   File Permissions: Owner: rw- Group: rw- Other: rw-                     
   Owning UID:    100000004   Owning GID:          10                     
   Volume  : SYSC88  File Identifier:   E3E2D6C3F2F86DD00000000000030124  
   File Audit Options:                                                    
   User    : Read Failure  Write Failure  Exec/Search Failure             
   Auditor : Read None     Write None     Exec/Search None

Also note that the ACFRPTOM report should be run with the 'DETAIL' parameter; otherwise only the R_chmod service is reported, and the file, path, old permission, new permission, etc. are omitted.
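
For reviewing many such entries, the DETAIL output can be post-processed. The following is an added example, not part of the original article or the product: it parses R_chmod entries in the ACFRPTOM DETAIL layout shown above and flags changes that grant new permission bits, in particular write access for "Other". The sample report text is constructed (the second entry's user ID, UID and pathname are made up), and the function names are hypothetical.

```python
import re

# Constructed sample modeled on the ACFRPTOM DETAIL layout shown above
# (the second entry's user ID, UID and pathname are made up).
SAMPLE = """\
  R_chmod          USER002  TESTGRP            0          10   0    0    0
  12/07/17  17.341   11.19.41 USER002           SYS8     SYS28
  Successful - Logging active by Trace/Audit options
   Old Permission bits -  Owner: rwx Group: rwx Other: rwx
   New Permission bits -  Owner: rw- Group: rw- Other: rw-
   Pathname: scart0.zip
  R_chmod          USER003  TESTGRP      1000042          10   0    0    0
  12/07/17  17.341   11.25.02 USER003           SYS8     SYS28
  Successful - Logging active by Trace/Audit options
   Old Permission bits -  Owner: rwx Group: r-x Other: r-x
   New Permission bits -  Owner: rwx Group: rwx Other: rwx
   Pathname: /u/user003/deploy.sh
"""

HEADER = re.compile(r"^\s*(R_\w+)\s+(\S+)")
BITS = re.compile(r"^\s*(Old|New) Permission bits -\s+Owner: (\S{3}) Group: (\S{3}) Other: (\S{3})")
PATH = re.compile(r"^\s*Pathname:\s*(\S.*?)\s*$")

def to_mode(owner, group, other):
    """Convert three 'rwx'-style triplets to a numeric mode (e.g. 0o755)."""
    mode = 0
    for triplet in (owner, group, other):
        mode = (mode << 3) | sum(v for ch, want, v in zip(triplet, "rwx", (4, 2, 1)) if ch == want)
    return mode

def parse_chmod_events(report):
    """Return one dict per R_chmod entry that carries DETAIL permission lines."""
    events, cur = [], None
    for line in report.splitlines():
        if m := HEADER.match(line):          # first line of a new report entry
            cur = {"service": m[1], "userid": m[2]}
            events.append(cur)
        elif cur is not None and (m := BITS.match(line)):
            cur[m[1].lower()] = to_mode(m[2], m[3], m[4])
        elif cur is not None and (m := PATH.match(line)):
            cur["path"] = m[1]
    out = [e for e in events if e["service"] == "R_chmod" and "old" in e and "new" in e]
    for e in out:
        e["added"] = e["new"] & ~e["old"]    # bits granted by the change
        e["world_writable"] = bool(e["added"] & 0o002)
    return out
```

Entries from a report run without DETAIL have no permission lines and are skipped, which is a quick way to notice that the parameter was left off.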