For the Top Secret SMF type 80 records, logging indicator $LOGVIOL EQU X'80' VIOLATION, there is an audit question regarding the criteria that cause $LOGVIOL EQU X'80' VIOLATION.
BMC says that ‘LogReas_Violation=Yes’ maps to Top Secret SMF type 80 records: specifically, if the field ‘$LOGVIOL EQU X'80' VIOLATION’ is set, then ‘LogReas_Violation=Yes’. Please review and provide feedback.
Draft Audit Response:
The criterion that causes ‘LogReas_Violation=Yes’ is a Top Secret SMF type 80 record representing a violation, which includes ‘insufficient authority’, ‘not a valid password’ and ‘Not Authorized to access protected object’, for event types Job Initiation (01), Resource Access (02) and Policy Director Authorization (71).
Job Initiation event records are created for user logons and batch job initiations. Violation qualifiers include ‘not a valid password’.
Resource Access event records are created for access to a resource (datasets, CICS transactions, databases, etc.). Violation qualifiers include ‘insufficient authority’.
Policy Director Authorization event records are created for Policy Director Authorization Services. Violation qualifiers include ‘Not authorized to access protected object’.
Release: 16.0
Component: CA Top Secret for z/OS