Is there any way that ACF2 can report on user logons and their source?
Release: R16
Component: ACF2 for z/os
Running ACFRPTLL utility with the UPDATE parameter specified on the input parameters would display entries for successful logons.
Entries with UPDATE in the CHANGE field are created at logon time.
To pull all the login events away from the other information, the LL report can be ran with the LOGON parameter instead of the UPDATE parameter.
The LOGON output will give more information as to how the user logged in in the USING field.
Valid options are: AAM, KERBEROS, MFA, NOPASSWD, PASS-TKT, PASSWORD, PHRASE, PIV-CAC, and RADIUS.
Example LL report using UPDATE parameter:
DATE 06/15/22 (22.166) TIME 16.49
DATE TIME LOGONID JOBNAME CHANGER CHANGE CPU USING
FIELD OLD VALUE NEW VALUE SIGNAL
22.166 06/15 16.44 USER01 ADMIN ADMIN CHANGE SYS1
PSWD-EXP PSWD-EXP NOPSWD-EXP
22.166 06/15 16.45 USER01 ADMIN UPDATE SYS1
*** NO FIELDS CHANGED ***
22.166 06/15 16.47 USER01 MSTJCL00 UPDATE SYS1
*** NO FIELDS CHANGED ***
In this example, there are 2 logon entries and one change entry made by an admin changing a field on the logonid record.
Example LL report using LOGON parameter:
DATE 06/15/22 (22.166) TIME 16.57
DATE TIME LOGONID JOBNAME CHANGER CHANGE CPU USING
FIELD OLD VALUE NEW VALUE SIGNAL
22.166 06/15 16.45 USER01 ADMIN LOGON SYS1 PASSWORD
22.166 06/15 16.47 USER01 MSTJCL00 LOGON SYS1 PASSWORD
This example shows the same logon entries from above without the other CHANGE record.
The ACFRPTLL report is useful in the case of TSO logons but will not show all logons in MUSASS (Multi User Single Address Space System) regions that have NO-STATS specified.
For example if the TCP/IP region logonid has NO-STATS specified only one logon request per day would show in ACFRPTLL.
To see the source of a logon, add MON-LOG field to a logonid, entries.
For successful logons made after this change can be displayed in the ACFRPTPW report (entries with RC=254).
CA ACF2 - ACFRPTPW - INVALID PASSWORD/AUTHORITY LOG - PAGE
DATE mm/dd/yy (yy.ddd) TIME hh.mm
DATE TIME LID JNAME SUBMIT'R SOURCE PROGRAM RC RS
yy.ddd mm/dd hh.mm USER01 USER01 P-LOGON ABCDEFGH 254
RC FIELD DESCRIPTIONS
254 LOGONID HAS MON-LOG ATTRIBUTE
Details of each utility is explained in Report and Utilities Guide, and details of MON-LOG field is explained in Administrator Guide.
ACF2 cannot generate a report for logoff events as ACF2 doesn't cut a SMF record for logoff processing.