How can I make a rule for the 1090 audit record?

book

Article ID: 224596

calendar_today

Updated On:

Products

CA VM:Secure for z/VM

Issue/Introduction

 
I have an audit record :
210914153331DSC     VSMREQIN1090MAINT720NORULE                  D
How can I make it rule ?
 

Environment

Release : 3.2

Component : CA VM:Secure for z/VM

Resolution

The 1090 audit record (see AUDITEXT documentation in the Reference for audit record layout information) is for an accepted DIAGNOSE X’A0’ subcode X’04’ or DIAGNOSE X’88’ subcode X’08’ .

Diagnose X'A0' subcode X'04' requires DIAGPCHK.  However, I assume your functions are already using Diagnose X'88' subcode X'08' which is the preferred method of password validation.

To specifically allow a user to issue Diagnose X'88' subcode X'08', use the DIAG88 rule. Likewise to disallow it, use a REJECT for DIAG88.  If you are running with NORULE ACCEPT, which I believe you are since the diagnose was accepted via 'NORULE, I would recommend putting in a DEFAULT system rule that REJECTs all users (*) from using DIAG88, and put a override system rule in place allow specific users to use the diagnose. 

This is a good practice for all rules, to have a SYSTEM default rule to REJECT requests if a specific rule is not in place higher in the rule hierarchy. (See Rule Evaluation topic in the beginning of the Rules Reference) when you are using NORULE ACCEPT (open system).  However, if you are working towards NORULE REJECT configuration (closed system)  you likely want to let things go so you can find items like this that you want to put a rule in for.

Additional Information

You can find additional information the following manual - 

https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-vm-secure-for-z-vm-with-security/3-2/rules-facility/rules-reference/diag88-rule.html