CEM didn't catch a DEL from CA-CLEANUP

Article ID: 198510

Products

CA Compliance Event Manager

Issue/Introduction

Recently had a problem where CA-CLEANUP erroneously deleted a rule that was required by TCPIP. Had a policy set in CEM to capture ACF2 ADMINISTRATION events. In the report from CEMV_POLICY_ADMIN I do find where the rule was added back but I don't find the delete command. Can you tell me if there is some way CA-CLEANUP could go undetected or am I just looking in the wrong place? I did verify that CEMLOGGR was running at the time the CA-CLEANUP job did the delete.

The command that deleted the rule was:

AT5NRUL KEY(EZB) TYPE(SER) - DEL( INITSTACK.- UID(*) SERVICE(READ) ALLOW) NOLIST NOVERIFY

Environment

Release : 6.0

Component : CA COMPLIANCE EVENT MANAGER

Resolution

The command AT5NRUL KEY(EZB) TYPE(SER) DEL(- INITSTACK.- UID(*) SERVICE(READ) ALLOW) NOLIST NOVERIFY does not issue a delete command in ACF2 terms.

The AT5NRULE command does a list command followed by an insert command to change the rule. Afterwards, it issues another list for the rule.

Additional Information

When the AT5NRULE command is passed to ACF2, ACF2 has to run several separate commands to update the rule. First, it lists the rule. This is seen in CEM as OPERATION=LIST. Then it tries to compile and store the rule. This is seen in CEM as OPERATION=INSERT. Lastly, ACF2 re-lists the rule. This is seen in CEM as OPERATION=LIST.

So in your example, when the command AT5NRUL KEY(EZB) TYPE(SER) DEL(- INITSTACK.- UID(*) SERVICE(READ) ALLOW) NOLIST NOVERIFY was issued, we can see the events happening in the WTO:

11.45.45 STC60608 CEMWTO1I <86> 1 DATE=26-Aug-2020 DAY=Wednesday TIME=15:45:45 096 00001600
096 DATE_SYSTEM=26-Aug-2020 DAY_SYSTEM=Wednesday TIME_SYSTEM=11:45:44 00001700
096 DATE_UTC=26-Aug-2020 DAY_UTC=Wednesday TIME_UTC=15:45:45 SYSID=ABCD 00001800
096 SYSPLEX=PLEXVM CEMMSG [syslog{Facility=10 Severity=6 Version=1} 00001900
096 VERSION=4 PUUID=28f2144d-ec89-423f-a2c2-62d59fa9ca9f CATEGORY=POLICYAD 00002000
096 MIN EVENT=POLICYADMIN ESM=ACF2 USERID=USER01 JOBNAME=ACFNR 00002100
096 ULE SOURCE=TNVM2201 ACCOUNT= CLASS=RSER COMMAND=LIST EZB ENTITY=RSERE 00002200
096 ZB OPERATION=LIST] 00002300

11.45.45 STC60608 CEMWTO1I <86> 1 DATE=26-Aug-2020 DAY=Wednesday TIME=15:45:45 104 00004700
104 DATE_SYSTEM=26-Aug-2020 DAY_SYSTEM=Wednesday TIME_SYSTEM=11:45:45 00004800
104 DATE_UTC=26-Aug-2020 DAY_UTC=Wednesday TIME_UTC=15:45:45 SYSID=ABCD 00004900
104 SYSPLEX=PLEXVM CEMMSG [syslog{Facility=10 Severity=6 Version=1} 00005000
104 VERSION=4 PUUID=28f2144d-ec89-423f-a2c2-62d59fa9ca9f CATEGORY=POLICYAD 00005100
104 MIN EVENT=POLICYADMIN ESM=ACF2 USERID=USER01 JOBNAME=ACFNR 00005200
104 ULE SOURCE=TNVM2201 ACCOUNT= CLASS=RSER COMMAND=COMPILE * STORE 00005300
104 ENTITY=RSEREZB OPERATION=INSERT] 00005400

11.45.45 STC60608 CEMWTO1I <86> 1 DATE=26-Aug-2020 DAY=Wednesday TIME=15:45:45 105 00005500
105 DATE_SYSTEM=26-Aug-2020 DAY_SYSTEM=Wednesday TIME_SYSTEM=11:45:45 00005600
105 DATE_UTC=26-Aug-2020 DAY_UTC=Wednesday TIME_UTC=15:45:45 SYSID=ABCD 00005700
105 SYSPLEX=PLEXVM CEMMSG [syslog{Facility=10 Severity=6 Version=1} 00005800
105 VERSION=4 PUUID=28f2144d-ec89-423f-a2c2-62d59fa9ca9f CATEGORY=POLICYAD 00005900
105 MIN EVENT=POLICYADMIN ESM=ACF2 USERID=USER01 JOBNAME=ACFNR 00006000
105 ULE SOURCE=TNVM2201 ACCOUNT= CLASS=RSER COMMAND=COMPILE * STORE 00006100
105 ENTITY=RSEREZB OPERATION=LIST] 00006200

We can also see it in the report RPTPOL-CEMV_POLICY_ADMIN:

ABCD PLEXVM 2020-08-26-11.45.44.943812 USER01 LAST FIRST ACFNRULE TNVM2201 POLICY ADMINISTRATION POLICY ADMINISTRATION N LIST LIST EZB 0 0 Successful Administration 54908dab-41d5-427b-ac6a-5d4a3475d645
ABCD PLEXVM 2020-08-26-11.45.45.259091 USER01 LAST FIRST ACFNRULE TNVM2201 POLICY ADMINISTRATION POLICY ADMINISTRATION N INSERT COMPILE * STORE 0 0 Successful Administration 54908dab-41d5-427b-ac6a-5d4a3475d645
ABCD PLEXVM 2020-08-26-11.46.33.041690 USER01 LAST FIRST USER01 TNVM2201 POLICY ADMINISTRATION POLICY ADMINISTRATION N LIST LIST EZB 0 0 Successful Administration 54908dab-41d5-427b-ac6a-5d4a3475d645
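
The WTO excerpt earlier in this article, reassembled into fields as an added example (Python written for this page, not part of the original article or of CEM). The rule used to join wrapped lines is an assumption inferred from the excerpt, and parse_events and rule_updates are hypothetical names. It shows why a search for this rule change has to key on OPERATION=INSERT rather than on a delete operation.

```python
import re

# Abridged from the WTO excerpt on this page: three middle lines of each event omitted.
SAMPLE = """\
11.45.45 STC60608 CEMWTO1I <86> 1 DATE=26-Aug-2020 DAY=Wednesday TIME=15:45:45 096 00001600
096 VERSION=4 PUUID=28f2144d-ec89-423f-a2c2-62d59fa9ca9f CATEGORY=POLICYAD 00002000
096 MIN EVENT=POLICYADMIN ESM=ACF2 USERID=USER01 JOBNAME=ACFNR 00002100
096 ULE SOURCE=TNVM2201 ACCOUNT= CLASS=RSER COMMAND=LIST EZB ENTITY=RSERE 00002200
096 ZB OPERATION=LIST] 00002300
11.45.45 STC60608 CEMWTO1I <86> 1 DATE=26-Aug-2020 DAY=Wednesday TIME=15:45:45 104 00004700
104 VERSION=4 PUUID=28f2144d-ec89-423f-a2c2-62d59fa9ca9f CATEGORY=POLICYAD 00005100
104 MIN EVENT=POLICYADMIN ESM=ACF2 USERID=USER01 JOBNAME=ACFNR 00005200
104 ULE SOURCE=TNVM2201 ACCOUNT= CLASS=RSER COMMAND=COMPILE * STORE 00005300
104 ENTITY=RSEREZB OPERATION=INSERT] 00005400
11.45.45 STC60608 CEMWTO1I <86> 1 DATE=26-Aug-2020 DAY=Wednesday TIME=15:45:45 105 00005500
105 VERSION=4 PUUID=28f2144d-ec89-423f-a2c2-62d59fa9ca9f CATEGORY=POLICYAD 00005900
105 MIN EVENT=POLICYADMIN ESM=ACF2 USERID=USER01 JOBNAME=ACFNR 00006000
105 ULE SOURCE=TNVM2201 ACCOUNT= CLASS=RSER COMMAND=COMPILE * STORE 00006100
105 ENTITY=RSEREZB OPERATION=LIST] 00006200
"""

HEAD = re.compile(r"^\d\d\.\d\d\.\d\d \S+ CEMWTO1I (.*) \d{3}$")  # first line of an event
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\]|$)")  # KEY=value; a value may hold spaces

def parse_events(text):
    """Reassemble wrapped CEMWTO1I messages into one field dict per event."""
    bodies = []
    for raw in text.splitlines():
        line = re.sub(r"\s+\d{8}$", "", raw.strip())  # drop trailing sequence number
        head = HEAD.match(line)
        if head:
            bodies.append(head.group(1))
        elif bodies and re.match(r"\d{3} ", line):
            frag = line[4:]                           # drop the 3-digit message id
            # Assumption: a fragment starting with KEY= opens a new field; anything
            # else continues a value that the wrap cut in two (ACFNR + ULE).
            bodies[-1] += (" " if re.match(r"\w+=", frag) else "") + frag
    return [dict(FIELD.findall(b)) for b in bodies]

def rule_updates(events):
    """Events in which a rule set was compiled and stored, whatever the edit removed."""
    return [e for e in events
            if e.get("EVENT") == "POLICYADMIN" and e.get("OPERATION") == "INSERT"]

if __name__ == "__main__":
    for e in parse_events(SAMPLE):
        print(e["JOBNAME"], e["ENTITY"], e["OPERATION"], e["COMMAND"], sep=" | ")
```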