ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Top Secret SMF Type 80 Records - Logging Indicators - $LOGVIOL EQU X'80' VIOLATION

book

Article ID: 187670

calendar_today

Updated On:

Products

Top Secret

Issue/Introduction

For the Top Secret SMF Type 80 Records - Logging Indicators - $LOGVIOL  EQU   X'80'   VIOLATION there is an audit question regarding the criteria that causes $LOGVIOL  EQU   X'80'   VIOLATION. 

BMC says the ‘LogReas_Violation=Yes’ maps to Top Secret SMF type 80 records, specifically if field ‘$LOGVIOL  EQU   X'80'   VIOLATION, then 'LogReas_Violation=Yes'.  Please review and provide feedback.

Draft Audit Response:

The criteria that causes ‘LogReas_Violation=Yes’ is  a Top Secret SMF type 80 record representing a violation which includes - ‘insufficient authority’ , ’not a valid password’, ’Not Authorized to access protected object’ for event types   - Job Initiation  (01), Resource Access (02) and Policy Director Authorization (71) .

Job Initiation event records are created for user logons and batch job initiations. Violation qualifiers include ‘not a valid password’.

Resource access event records are created by the access to a resource (datasets, CICS transactions, Databases, etc). Violation qualifiers include ‘insufficient authority’.

Policy Director Authorization event records are created for Policy Director Authorization Services. Violation qualifiers include ‘Not authorized to access protected object’.

Environment

Release : 16.0

Component : CA Top Secret for z/OS

Resolution

The $LOGVIOL  EQU   X'80'   VIOLATION flag should be set for the following DRCs:
 
01 - 1D, 46, and 64, Initiation violation codes, including Password and OID violations (07 - 0F).
1E $BADPARM - Bad parameter passed on any RACROUTE call - any type of call.
20 $BADCLAS - Bad Resource Class Name passed on any AUTH or FASTAUTH call.
21 SYSERR - System internal error on a RACROUTE call.
23 $NOPRB - TSS cannot determine the program environment for a RACROUTE call.
2C $NOCORE - Storage problems prevented the call from succeeding.
65 – 72 Data set violation codes.
73 – 81 Volume violation codes.
42, 5F - 63, and 82 – 101 Resource violations.
 
For what each DRC means, please see the following chart in the documentation:

DRCtoMessageCrossReference