How can I make a rule for the 1090 audit record?


Article ID: 224596


Products

VM:Secure for z/VM

Issue/Introduction

 
I have an audit record:
210914153331DSC     VSMREQIN1090MAINT720NORULE                  D
How can I make a rule for it?
 

Environment

Release : 3.2

Component : CA VM:Secure for z/VM

Resolution

The 1090 audit record is written for an accepted DIAGNOSE X'A0' subcode X'04' or DIAGNOSE X'88' subcode X'08'. See the AUDITEXT documentation in the Reference for audit record layout information.

Diagnose X'A0' subcode X'04' requires DIAGPCHK. However, I assume your functions are already using Diagnose X'88' subcode X'08', which is the preferred method of password validation.

To specifically allow a user to issue Diagnose X'88' subcode X'08', use the DIAG88 rule. Likewise, to disallow it, use a REJECT for DIAG88. If you are running with NORULE ACCEPT, which I believe you are since the diagnose was accepted via 'NORULE', I would recommend putting in a DEFAULT system rule that REJECTs all users (*) from using DIAG88, and putting an override system rule in place to allow specific users to use the diagnose.

When you are using NORULE ACCEPT (open system), it is good practice for all rules to have a SYSTEM default rule that REJECTs requests if a specific rule is not in place higher in the rule hierarchy (see the Rule Evaluation topic at the beginning of the Rules Reference). However, if you are working towards a NORULE REJECT configuration (closed system), you likely want to let things go so you can find items like this that you want to put a rule in for.

Additional Information

You can find additional information in the following manual:

https://techdocs.broadcom.com/us/en/ca-mainframe-software/traditional-management/ca-vm-secure-for-z-vm-with-security/3-2/rules-facility/rules-reference/diag88-rule.html