Overview

ACF2 (Access Control Facility) is an access control security system for MVS, z/OS, VSE, z/VSE, VM and z/VM IBM mainframe operating systems.

Snare Central can collect ACF2 processed reports via FTP transfer. The processed reports need to be transferred to a specific directory on the Snare Central server (/data/SnareCollect/ACF2Log). A scheduled Snare Central process then analyses and processes the reports on a daily basis.

The ACF2 processed reports are generated by specific utilities, provided with ACF2. The utilities produce formatted reports on the following activity on a mainframe:

  • ACFRPTLL - Logonid Modification Log

  • ACFRPTRL - Dataset Rule Modification Log

  • ACFRPTEL - Infostorage Modification Log

  • ACFRPTDS - Dataset Violation/Logging

  • ACFRPTRV - Resource Violation/Logging

  • ACFRPTPW - Invalid Password Authority Log

The NOTES section below contains a listing of an example JCL job which could be used to run, extract and send the ACF2 processed reports to Snare Central. This sample job has been set up for the Logonid Modification Log report, but could easily be configured for all the reports listed above. Note that a fixed transfer library name is used because a reference to this library is stored in an FTP parm library which cannot be changed with each run. Some of the programs used in this job are defined below.

Note: Newlines in the original report are transformed to 'carriage returns' (\r) in the data section of the event.

Example event:

DATE: 2017-08-07

TIME: 10:46:08

SYSTEM: DEVT

TABLE: ACF2Log

USERNAME: ZXXX

RESOURCE: APP

LOGTYPE: ACFRPTRL

EVENTID: BFORREPL

RETURN: STORED

DATA: ACF75052 ACCESS RULE APP STORED BY ZXXXXX ON 23/03/04-15:08 $KEY(APP) $OWNER(OPERATIONS) ADVICES.PARAGRPH UID(BH ****X) READ(A) EXEC(A) ADVICES.PARAGRPH UID(PE SSSS'P) READ(A) WRITE(L) EXEC(A) ADVICES.PARAGRPH UID(ZZN KKKKX) READ(A) EXEC(A) ADVICES.PARAGRPH UID(SYO ****ZZZC) READ(A) WRITE(L) EXEC(A) APN.- UID(SPC PACACHUTE) UNTIL(18/09/04) READ(A) EXEC(A) APNB.- UID(SPC PACACHUTE) UNTIL(18/09/04) READ(A) EXEC(A) APPBRCA.BYPASS.CARDS UID(XXX SMS C) READ(A) WRITE(A) EXEC(A) APPBRCA.BYPASS.CARDS UID(NAT ADV N) READ(A) WRITE(A) EXEC(A) APPBRCA.PROD.TRANSFER.DDFS UID(********NMFTSCON) READ(A) WRITE(A) EXEC(A) APPBRCA.PROD.TRANSFER.DDFS UID(********NXPFBLOG) READ(L) WRITE(L) EXEC(A) APPBRCA.PROD.TRANSFER.DDFS UID(********PNMNXF) READ(A) WRITE(A) ALLOC(L) EXEC(A) APPBRCA.PROD.TRANSFER.DSS UID(********NXPFBLOG) READ(A) EXEC(A) APPBRCA.PROD.TRANSFER.DSS UID(********PNMNXF) READ(A) EXEC(A) APPXSHSP.DATA.G****V- UID(PE SSSS'P) READ(A) WRITE(A) ALLOC(A) EXEC(A) BANKS.CANNEX.- UID(INC MIS N) READ(A) WRITE(A) EXEC(A) BANKS.DSS.EXTRACT.- UID(INC MIS N) READ(A) EXEC(A) CE.CONCESSN UID( NXPFBLOG) READ(A) EXEC(A) CE.CONCESSN UID( PNMNXF) READ(A) EXEC(A) CE.ERR.RPT.- UID( PNNXXF) READ(A) WRITE(A) ALLOC(A) EXEC(A) CE.ERR.RPT.- UID( PROD) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(XXX LDR CAAKKR) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(XXX LDR CCUUNN) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(XXX LDR CCALOJ) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(XXX SMS CCHHPP) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(ISISTESTNWALYHW) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(ISISTESTVFRANN) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(ISISTESTVPELLB) READ(A) WRITE(A) ALLOC(A) EXEC(A) DOWNLOAD.- UID(PEN SSO VROGEP) READ(A) WRITE(A) ALLOC(A) EXEC(A) HAMON.UNLOAD.CONTROL UID(MT SSSS'PMTSSSSS) READ(A) EXEC(A) HAMON.UNLOAD.CONTROL UID(SYO A*AAZZZ) READ(A) WRITE(L) EXEC(A) HAMON.UNLOAD.SELECT UID(SYO A*AAZZZ) READ(A) WRITE(L) ALLOC(L) EXEC(A) SHC.DATA UID(PE SSSS'P) READ(A) WRITE(A) ALLOC(A) EXEC(A) TAXSTMTS.HEADER.RECORDS UID(SYO ****ZZZC) READ(A) WRITE(A) ALLOC(A) EXEC(A) VAN.- UID(SPC PACACHUTE) UNTIL(18/09/04) READ(A) EXEC(A) VANB.- UID(SPC PACACHUTE) UNTIL(18/09/04) READ(A) EXEC(A) - UID(XXX LDR C) READ(A) EXEC(A) - UID(XXX REP C) READ(A) EXEC(A) - UID(XXX SMS C) READ(A) EXEC(A) - UID(DG SSSS'PDGSSSSS) READ(A) WRITE(A) ALLOC(A) EXEC(A) - UID(NAT ADVN) READ(A) EXEC(A) - UID(PE SSSS'P) READ(A) WRITE(A) ALLOC(A) EXEC(A) - UID(PEN SPR S) READ(A) EXEC(A) - UID(PP SSSS'P) READ(A) WRITE(A) ALLOC(A) EXEC(A) - UID(*) NEXTKEY(BTCHALL)

Fields

DATE: Event date, in the format YYYY-MM-DD

TIME: Event time, in the format HH:MM:SS

SYSTEM: The source system

TABLE: ACF2Log

USERNAME: The user that ran the job

RESOURCE: The resource associated with the event

LOGTYPE: One of:

  • RPTLL

  • RPTRL

  • RPTDS

  • RPTEL

  • RPTRV

  • Access

  • RPTPW

EVENTID: "ACCESS" in the case of RPTDS reports; column 76 onward in RPTRV reports

RETURN: RPTDS: columns 38-48; RPTRV: columns 50-55

DATA: A range of carriage-return delimited data that is not specifically injected into other fields.
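The DATA field of an ACFRPTRL event, like the one in the example above, carries the stored access rule with its report lines joined by carriage returns. As an added example (not Snare Central's or ACF2's own code), the following Python restores those lines, parses each rule entry, and flags the entries a rule-change reviewer would look at first. It assumes ACF2's A/L/P access values (allow, log, prevent) and uses a constructed, abridged sample rule.

```python
import re

# Constructed sample (not from Snare Central or ACF2): the DATA field of an
# ACFRPTRL "STORED" event, newlines already turned into \r as the page's note
# describes. Abridged from the page's example; names are illustrative only.
SAMPLE_DATA = (
    "ACF75052 ACCESS RULE APP STORED BY ZXXXXX ON 23/03/04-15:08\r"
    "$KEY(APP) $OWNER(OPERATIONS)\r"
    "ADVICES.PARAGRPH UID(PE SSSS'P) READ(A) WRITE(L) EXEC(A)\r"
    "DOWNLOAD.- UID(XXX SMS CCHHPP) READ(A) WRITE(A) ALLOC(A) EXEC(A)\r"
    "- UID(*) NEXTKEY(BTCHALL)\r"
    "- UID(PP SSSS'P) READ(A) WRITE(A) ALLOC(A) EXEC(A)"
)

# One rule entry: <dataset mask> UID(<uid mask>) <access values ...>
RULE_RE = re.compile(r"^(?P<mask>\S+)\s+UID\((?P<uid>[^)]*)\)(?P<rest>.*)$")
PERM_RE = re.compile(r"\b(READ|WRITE|ALLOC|EXEC)\((A|L|P)\)")
NEXTKEY_RE = re.compile(r"NEXTKEY\(([^)]*)\)")

def parse_rule_entries(data):
    """Split the CR-delimited DATA field back into report lines and parse each
    rule entry. The ACF75052 header and the $KEY/$OWNER line carry no UID()
    and are skipped. Access values are assumed to be A=allow, L=log, P=prevent."""
    entries = []
    for line in data.split("\r"):
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        nk = NEXTKEY_RE.search(rest)
        entries.append({"mask": m.group("mask"), "uid": m.group("uid").strip(),
                        "perms": dict(PERM_RE.findall(rest)),
                        "nextkey": nk.group(1) if nk else None})
    return entries

def risky_entries(data):
    """Return (mask, uid, reasons) for entries worth a second look: a wildcard
    UID, or an unlogged allow (A) on WRITE/ALLOC for the bare '-' mask, which
    covers every dataset under the rule's $KEY."""
    flagged = []
    for e in parse_rule_entries(data):
        reasons = []
        if e["uid"] == "*":
            reasons.append("wildcard UID")
        if e["mask"] == "-" and any(e["perms"].get(p) == "A" for p in ("WRITE", "ALLOC")):
            reasons.append("unlogged WRITE/ALLOC on every dataset under $KEY")
        if reasons:
            flagged.append((e["mask"], e["uid"], reasons))
    return flagged
```

Run against the real DATA field of each RPTRL "STORED" event to turn rule-change logging into an actionable review queue rather than a free-text blob.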

Notes

The sample job below performs the following steps:

  • Deletes previous day's FTP transfer library.

  • Runs the ACF2 report, placing output in a GDG (7 generations kept).

  • Allocates a new FTP transfer library and copies the report from the GDG created in the previous step.

  • FTP the transfer library to Snare Central.

    • The 'snarexfer' FTP user must be used.

    • This user's home directory defaults to "/data/SnareCollect" on the Snare Central server.

    • The ACF2 processed reports must be placed in the "ACF2Log" sub-directory ("/data/SnareCollect/ACF2Log").

    • Member level security is used to protect the FTP lid password.

The IEBGENER program used in the sample job is an IBM-supplied utility that copies sequential data sets, on disk or tape.

The IKJEFT01 program is the TSO/E program, and is used to perform a TSO function within a batch job.

//CSCSNR01 JOB (P,SCF81),ACT.SECURITY,CLASS=C,MSGCLASS=J
/*JOBPARM SYSAFF=PROD
//*-----------------------------------------------------------------
//*
//* JOB TO PRODUCE ACF2 LIDMOD REPORT FOR XFER TO SNARE SERVER
//*
//*---------- DELETE TEMP XFER LIB ---------------------------------
//*
//STEP1    EXEC PGM=IKJEFT01,REGION=8192K
//SYSPRINT DD SYSOUT=*
//SYSTSPRT DD SYSOUT=*
//SYSTERM  DD SYSOUT=*
//SYSUDUMP DD SYSOUT=*
//SYSTSIN  DD *
DELETE 'CSC.SNARE01.LIDMODS.XFER'
//*
//*---------- ACF2 LID DB MODIFICATION LOG REPORT ------------------
//*
//STEP2    EXEC PGM=ACFRPTLL
//SYSPRINT DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
//            DISP=(,CATLG),
//            VOL=SER=BTCH52,
//            UNIT=SYSDA,
//            SPACE=(TRK,(60,5),RLSE),
//            DCB=(GDGMODEL,RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSUDUMP DD SYSOUT=*
//REC01    DD DSN=CTF.SMFJR,DISP=SHR
//SYSIN    DD *
MASK(********)
DETAIL
NOUPDATE
SYSID(****)
//*
//*---------- COPY REPORT FROM GDG TO XFER LIB ---------------------
//*
//COPY     EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD DSN=CSC.SNARE01.LIDMODS.REPORT(+1),
//            DISP=SHR
//SYSUT2   DD DSN=CSC.SNARE01.LIDMODS.XFER,
//            DISP=(NEW,CATLG,DELETE),
//            VOL=SER=BTCH52,
//            UNIT=SYSDA,
//            SPACE=(TRK,(60,5),RLSE),
//            DCB=*.SYSUT1
//*           DCB=(RECFM=FB,LRECL=142,BLKSIZE=27974)
//SYSIN    DD DUMMY
//*
//*---------- FTP XFER FILE TO SNARE SERVER ------------------------
//*
//STEP4    EXEC FTP,
//            SERVER='CSCSNARE',
//            FTPUSER='SNAREXFER',
//            FTPCMDS='CSCSNR01',
//            ENV='PROD',
//            SOUT='*'
//*
//*---------- Notify Security Monitoring Team if job fails ---------
//*
//*JOBFAIL IF ((RC > 4) | (ABEND)) THEN
//*
//SENDMEMO EXEC PGM=IEBGENER
//SYSPRINT DD SYSOUT=*
//SYSUT1   DD *
HELO NCC
MAIL FROM:<PSC0SCHD@AGENCY.COM>
RCPT TO:<ITSECMON@AGENCY.COM>
DATA
TO:ITSECMON<ITSECMON@AGENCY.COM>
SUBJECT:SNARE REPORT FTP JOB FAILURE: JOB CSCSNR01
PLEASE CHECK SDSF OUTPUT FOR THIS JOB ASAP AND DETERMINE WHY.
>> THIS E-MAIL IS GENERATED BY A BATCH JOB RUNNING ON THE
>> AGENCY'S MAINFRAME ENVIRONMENT.
.
QUIT
/*
//SYSUT2   DD SYSOUT=(B,SMTP)
//SYSIN    DD DUMMY
//*
//JOBFAIL  ENDIF
//*===================================================================