Overview
ACF2 (Access Control Facility) is an access control security system for MVS, z/OS, VSE, z/VSE, VM and z/VM IBM mainframe operating systems.
Snare Central collects ACF2 processed reports via FTP transfer. The processed reports must be transferred to a specific directory on the Snare Central server (/data/SnareCollect/ACF2Log), where a scheduled Snare Central process analyses and loads them once a day.
The processed reports are generated by report utilities supplied with ACF2. Each utility produces a formatted report of one kind of activity on the mainframe:
ACFRPTLL - Logonid Modification Log
ACFRPTRL - Dataset Rule Modification Log
ACFRPTEL - Infostorage Modification Log
ACFRPTDS - Dataset Violation/Logging
ACFRPTRV - Resource Violation/Logging
ACFRPTPW - Invalid Password/Authority Log
The Notes section below lists an example JCL job that runs one of the ACF2 report utilities, extracts the processed report and sends it to Snare Central. The sample job is set up for the Logonid Modification Log report (ACFRPTLL), but it can be adapted for each of the reports listed above. A fixed transfer library name is used because a reference to this library is stored in an FTP parm library, which cannot be changed on every run. The programs used in the job are described in that section.
Note: Newlines in the original report are transformed to carriage returns (\r) in the DATA field of the event.
DATE | TIME | SYSTEM | TABLE | USERNAME | RESOURCE | LOGTYPE | EVENTID | RETURN | DATA |
---|---|---|---|---|---|---|---|---|---|
2017-08-07 | 10:46:08 | DEVT | ACF2Log | ZXXX | APP | ACFRPTRL | BFORREPL | STORED | ACF75052 ACCESS RULE APP STORED BY ZXXXXX ON 23/03/04-15:08 $KEY(APP) $OWNER(OPERATIONS) ADVICES.PARAGRPH UID(BH ****X) READ(A) EXEC(A) ADVICES.PARAGRPH UID(PE SSSS'P) READ(A) WRITE(L) EXEC(A) ADVICES.PARAGRPH UID(ZZN KKKKX) READ(A) EXEC(A) ADVICES.PARAGRPH UID(SYO ****ZZZC) READ(A) WRITE(L) EXEC(A) APN.- UID(SPC PACACHUTE) UNTIL(18/09/04) READ(A) EXEC(A) APNB.- UID(SPC PACACHUTE) UNTIL(18/09/04) READ(A) EXEC(A) APPBRCA.BYPASS.CARDS UID(XXX SMS C) READ(A) WRITE(A) EXEC(A) APPBRCA.BYPASS.CARDS UID(NAT ADV N) READ(A) WRITE(A) EXEC(A) APPBRCA.PROD.TRANSFER.DDFS UID(********NMFTSCON) READ(A) WRITE(A) EXEC(A) APPBRCA.PROD.TRANSFER.DDFS UID(********NXPFBLOG) READ(L) WRITE(L) EXEC(A) APPBRCA.PROD.TRANSFER.DDFS UID(********PNMNXF) READ(A) WRITE(A) ALLOC(L) EXEC(A) APPBRCA.PROD.TRANSFER.DSS UID(********NXPFBLOG) READ(A) EXEC(A) APPBRCA.PROD.TRANSFER.DSS UID(********PNMNXF) READ(A) EXEC(A) APPXSHSP.DATA.G****V- UID(PE SSSS'P) READ(A) WRITE(A) ALLOC(A) EXEC(A) BANKS.CANNEX.- UID(INC MIS N) READ(A) WRITE(A) EXEC(A) BANKS.DSS.EXTRACT.- UID(INC MIS N) READ(A) EXEC(A) CE.CONCESSN UID( NXPFBLOG) READ(A) EXEC(A) CE.CONCESSN UID( PNMNXF) READ(A) EXEC(A) CE.ERR.RPT.- UID( PNNXXF) READ(A) WRITE(A) ALLOC(A) EXEC(A) CE.ERR.RPT.- UID( PROD) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(XXX LDR CAAKKR) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(XXX LDR CCUUNN) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(XXX LDR CCALOJ) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(XXX SMS CCHHPP) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(ISISTESTNWALYHW) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(ISISTESTVFRANN) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(ISISTESTVPELLB) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(PEN SSO VROGEP) READ(A) WRITE(A) ALLOC(A) EXEC(A) HAMON.UNLOAD.CONTROL UID(MT SSSS'PMTSSSSS) READ(A) EXEC(A) HAMON.UNLOAD.CONTROL UID(SYO A*AAZZZ) READ(A) WRITE(L) EXEC(A) HAMON.UNLOAD.SELECT UID(SYO A*AAZZZ) READ(A) WRITE(L) ALLOC(L) EXEC(A) SHC.DATA UID(PE SSSS'P) READ(A) WRITE(A) ALLOC(A) EXEC(A) TAXSTMTS.HEADER.RECORDS UID(SYO ****ZZZC) READ(A) WRITE(A) ALLOC(A) EXEC(A) VAN.- UID(SPC PACACHUTE) UNTIL(18/09/04) READ(A) EXEC(A) VANB.- UID(SPC PACACHUTE) UNTIL(18/09/04) READ(A) EXEC(A) - UID(XXX LDR C) READ(A) EXEC(A) - UID(XXX REP C) READ(A) EXEC(A) - UID(XXX SMS C) READ(A) EXEC(A) - UID(DG SSSS'PDGSSSSS) READ(A) WRITE(A) ALLOC(A) EXEC(A) - UID(NAT ADVN) READ(A) EXEC(A) - UID(PE SSSS'P) READ(A) WRITE(A) ALLOC(A) EXEC(A) - UID(PEN SPR S) READ(A) EXEC(A) - UID(PP SSSS'P) READ(A) WRITE(A) ALLOC(A) EXEC(A) - UID(*) NEXTKEY(BTCHALL) |
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | ACF2Log |
USERNAME | The user that ran the job |
RESOURCE | The resource associated with the event |
LOGTYPE | The ACF2 report utility that produced the record, one of those listed above (ACFRPTRL in the example record) |
EVENTID | Report-specific event identifier; "ACCESS" for ACFRPTDS reports (BFORREPL in the ACFRPTRL example record) |
RETURN | For ACFRPTDS reports, report columns 38 - 48 (STORED in the ACFRPTRL example record) |
DATA | The remaining report lines, carriage-return delimited, that are not mapped into the other fields |
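As an added example (not Snare Central or ACF2 code), the following Python parses one ACF2Log event laid out as in the example record and the Fields table above, splits the DATA field on the carriage returns that replace the report's newlines, and, for an ACFRPTRL STORED record, extracts each dataset rule entry and flags the entries a security reviewer would want to check first. It assumes the event arrives as a single pipe-delimited line (the table rendering above shows the same fields); the sample event is constructed from a trimmed copy of the record above, the access values A/L/P are read as allow, allow-and-log and prevent, a UID mask made only of ACF2 masking characters is treated as matching every user, and the function names and finding labels are this example's own.

```python
"""Parse a Snare Central ACF2Log event and audit the ACF2 access-rule entries
carried in an ACFRPTRL (dataset rule modification) record.

Added example, not part of Snare Central or ACF2.  Assumes one event per line,
pipe-delimited fields in the order of the Fields table, and a DATA field whose
report lines are separated by carriage returns.
"""
import re
from dataclasses import dataclass, field

FIELD_NAMES = ["DATE", "TIME", "SYSTEM", "TABLE", "USERNAME", "RESOURCE",
               "LOGTYPE", "EVENTID", "RETURN", "DATA"]

# Constructed sample, trimmed from the example record on this page.
SAMPLE_EVENT = (
    "2017-08-07|10:46:08|DEVT|ACF2Log|ZXXX|APP|ACFRPTRL|BFORREPL|STORED|"
    "ACF75052 ACCESS RULE APP STORED BY ZXXXXX ON 23/03/04-15:08\r"
    "$KEY(APP)\r$OWNER(OPERATIONS)\r"
    "ADVICES.PARAGRPH UID(BH ****X) READ(A) EXEC(A)\r"
    "APN.- UID(SPC PACACHUTE) UNTIL(18/09/04) READ(A) EXEC(A)\r"
    "APPBRCA.BYPASS.CARDS UID(XXX SMS C) READ(A) WRITE(A) EXEC(A)\r"
    "DOWNLOAD.- UID(ISISTESTVPELLB) READ(A) WRITE(A) ALLOC(A) EXEC(A)\r"
    "- UID(XXX LDR C) READ(A) EXEC(A)\r"
    "- UID(PE SSSS'P) READ(A) WRITE(A) ALLOC(A) EXEC(A)\r"
    "- UID(*) NEXTKEY(BTCHALL)|"
)

# One rule entry line: <dataset mask> UID(<uid mask>) <KEYWORD(value)> ...
ENTRY_RE = re.compile(r"^(?P<dsn>\S+)\s+UID\((?P<uid>[^)]*)\)(?P<rest>.*)$")
KEYWORD_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")
STORED_RE = re.compile(r"ACCESS RULE (?P<key>\S+) STORED BY (?P<by>\S+) ON (?P<on>\S+)")
ACCESS_KEYS = {"READ", "WRITE", "ALLOC", "EXEC"}   # values: A=allow, L=allow+log, P=prevent


@dataclass
class RuleEntry:
    dsn_mask: str
    uid_mask: str
    perms: dict = field(default_factory=dict)   # {"READ": "A", "WRITE": "L", ...}
    extras: dict = field(default_factory=dict)  # UNTIL, NEXTKEY, ...


def parse_event(line: str) -> dict:
    """Split one event into named fields; DATA is also returned as a list of report lines."""
    parts = [p.strip() for p in line.rstrip("\r\n").split("|", len(FIELD_NAMES) - 1)]
    if len(parts) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(parts)}")
    event = dict(zip(FIELD_NAMES, parts))
    event["DATA"] = event["DATA"].rstrip("|").strip()     # drop the trailing delimiter
    event["DATA_LINES"] = [ln for ln in event["DATA"].split("\r") if ln.strip()]
    return event


def parse_rule_entries(data_lines) -> list:
    """Extract the per-dataset entries from the body of a STORED access rule."""
    entries = []
    for ln in data_lines:
        m = ENTRY_RE.match(ln.strip())
        if not m:                  # ACF75052 message, $KEY, $OWNER and other control lines
            continue
        entry = RuleEntry(m["dsn"], m["uid"].strip())
        for kw, val in KEYWORD_RE.findall(m["rest"]):
            (entry.perms if kw in ACCESS_KEYS else entry.extras)[kw] = val
        entries.append(entry)
    return entries


def is_catch_all_uid(uid_mask: str) -> bool:
    # Assumption: a UID mask made only of ACF2 masking characters ('*' for one
    # position, '-' for the rest of the string) matches every user.
    return bool(uid_mask) and set(uid_mask) <= {"*", "-"}


def audit_entries(entries) -> list:
    """Return (finding, entry) pairs for the entries a reviewer should look at first."""
    findings = []
    for e in entries:
        allows_write = any(e.perms.get(k) == "A" for k in ("WRITE", "ALLOC"))
        if allows_write and is_catch_all_uid(e.uid_mask):
            findings.append(("WILDCARD-UID-WRITE", e))   # any user may write
        elif allows_write and e.dsn_mask == "-":
            findings.append(("BLANKET-DSN-WRITE", e))    # one UID may write every dataset under $KEY
        if "NEXTKEY" in e.extras and is_catch_all_uid(e.uid_mask):
            findings.append(("CATCH-ALL-NEXTKEY", e))    # everyone else falls through to another rule set
    return findings


def analyse(line: str) -> dict:
    """Parse one ACF2Log event and, for an ACFRPTRL STORED record, audit its rule entries."""
    event = parse_event(line)
    result = {"event": event, "stored": None, "entries": [], "findings": []}
    if event["LOGTYPE"] == "ACFRPTRL" and event["RETURN"] == "STORED":
        m = STORED_RE.search(event["DATA_LINES"][0])
        result["stored"] = m.groupdict() if m else None
        result["entries"] = parse_rule_entries(event["DATA_LINES"])
        result["findings"] = audit_entries(result["entries"])
    return result


if __name__ == "__main__":
    r = analyse(SAMPLE_EVENT)
    s = r["stored"]
    print(f"rule {s['key']} stored by {s['by']} on {s['on']}: "
          f"{len(r['entries'])} entries, {len(r['findings'])} findings")
    for tag, e in r["findings"]:
        print(f"  {tag}: {e.dsn_mask} UID({e.uid_mask}) {e.perms} {e.extras}")
```

Run against the sample, the audit reports the blanket entry `- UID(PE SSSS'P) ... WRITE(A) ALLOC(A)` (one UID may write every dataset under the APP key) and the trailing `- UID(*) NEXTKEY(BTCHALL)` entry, which sends every other user to another rule set that must be reviewed as well. The same parse_event routine applies to the other LOGTYPE values; only the DATA interpretation is specific to ACFRPTRL.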
Notes
The sample job below performs the following steps:
1. Deletes the previous day's FTP transfer library. If no previous library exists (for example on the first run) this DELETE fails, and the step's non-zero return code will trigger the failure notification at the end of the job.
2. Runs the ACF2 report, placing its output in a GDG (7 generations kept).
3. Allocates a new FTP transfer library and copies the report into it from the GDG generation created in the previous step.
4. FTPs the transfer library to Snare Central.
5. Sends an e-mail to the security monitoring team if any step ends with a return code above 4 or abends.
The 'snarexfer' FTP user must be used. This user's home directory defaults to "/data/SnareCollect" on the Snare Central server, and the ACF2 processed reports must be placed in the "ACF2Log" sub-directory ("/data/SnareCollect/ACF2Log"). Member-level security is used to protect the member that holds the FTP logonid password. Plain FTP transmits that password and the report contents in clear text, so restrict this transfer to a trusted network path.
IEBGENER is an IBM-supplied utility that copies sequential data sets; the sample job uses it to copy the report from the GDG into the transfer library, and again to feed the in-stream mail text to the SMTP output class.
IKJEFT01 is the TSO/E terminal monitor program (TMP); running it in a batch step executes the TSO commands supplied in SYSTSIN, here the DELETE of the previous transfer library.
```jcl
//CSCSNR01 JOB (P,SCF81),ACT.SECURITY,CLASS=C,MSGCLASS=J
/*JOBPARM SYSAFF=PROD
//*-----------------------------------------------------------------
//*
//* JOB TO PRODUCE ACF2 LIDMOD REPORT FOR XFER TO SNARE SERVER
//*
//*---------- DELETE TEMP XFER LIB ---------------------------------
//*
//STEP1    EXEC PGM=IKJEFT01,REGION=8192K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTERM  DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
 DELETE 'CSC.SNARE01.LIDMODS.XFER'
//*
//*---------- ACF2 LID DB MODIFICATION LOG REPORT ------------------
//*
//STEP2    EXEC PGM=ACFRPTLL
//SYSPRINT DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
//            DISP=(,CATLG),
//            VOL=SER=BTCH52,
//            UNIT=SYSDA,
//            SPACE=(TRK,(60,5),RLSE),
//            DCB=(GDGMODEL,RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSUDUMP DD SYSOUT=*
//REC01    DD DSN=CTF.SMFJR,DISP=SHR
//SYSIN    DD *
 MASK(********) DETAIL NOUPDATE SYSID(****)
//*
//*---------- COPY REPORT FROM GDG TO XFER LIB ---------------------
//*
//COPY     EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),DISP=SHR
//SYSUT2   DD DSN=CSC.SNARE01.LIDMODS.XFER,
//            DISP=(NEW,CATLG,DELETE),
//            VOL=SER=BTCH52,
//            UNIT=SYSDA,
//            SPACE=(TRK,(60,5),RLSE),
//            DCB=*.SYSUT1
//*           DCB=(RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSIN    DD DUMMY
//*
//*---------- FTP XFER FILE TO SNARE SERVER ------------------------
//*
//STEP4    EXEC FTP,
//            SERVER='CSCSNARE',
//            FTPUSER='SNAREXFER',
//            FTPCMDS='CSCSNR01',
//            ENV='PROD',
//            SOUT='*'
//*
//*---------- Notify Security Monitoring Team if job fails ---------
//*
//JOBFAIL  IF ((RC > 4) | (ABEND)) THEN
//*
//SENDMEMO EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD *
HELO NCC
MAIL FROM:<PSC0SCHD@AGENCY.COM>
RCPT TO:<ITSECMON@AGENCY.COM>
DATA
TO:ITSECMON<ITSECMON@AGENCY.COM>
SUBJECT:SNARE REPORT FTP JOB FAILURE: JOB CSCSNR01
PLEASE CHECK SDSF OUTPUT FOR THIS JOB ASAP AND DETERMINE WHY.
>> THIS E-MAIL IS GENERATED BY A BATCH JOB RUNNING ON THE
>> AGENCY'S MAINFRAME ENVIRONMENT.
.
QUIT
/*
//SYSUT2   DD SYSOUT=(B,SMTP)
//SYSIN    DD DUMMY
//*
//JOBFAIL  ENDIF
//*===================================================================
```