ACF2 report on user logon events and their source

Article ID: 26487


Products

ACF2, ACF2 - DB2 Option, ACF2 for zVM, ACF2 - z/OS, ACF2 - MISC

Issue/Introduction

Is there any way that ACF2 can report on user logons and their source?

Environment

Release: R16
Component: ACF2 for z/OS

Resolution

Running the ACFRPTLL utility with the UPDATE parameter specified in the input parameters displays entries for successful logons.
Entries with UPDATE in the CHANGE field are created at logon time.

  • For TSO logons, the JOBNAME field will always be MSTJCL00.
  • JESx logons will have the ID running the job in the JOBNAME field.

To separate the logon events from the other information, the LL report can be run with the LOGON parameter instead of the UPDATE parameter.
The USING field of the LOGON output gives more information about how the user logged on.
Valid options are: AAM, KERBEROS, MFA, NOPASSWD, PASS-TKT, PASSWORD, PHRASE, PIV-CAC, and RADIUS.

Example LL report using UPDATE parameter:

DATE 06/15/22 (22.166) TIME 16.49                                              
     DATE    TIME        LOGONID   JOBNAME    CHANGER  CHANGE   CPU       USING
    FIELD       OLD VALUE                NEW VALUE                SIGNAL 

22.166 06/15 16.44       USER01    ADMIN        ADMIN  CHANGE   SYS1          
    PSWD-EXP     PSWD-EXP                 NOPSWD-EXP                                                                                                                     


22.166 06/15 16.45       USER01    ADMIN               UPDATE   SYS1          
    *** NO FIELDS CHANGED ***                                                 
                                                                               


22.166 06/15 16.47       USER01    MSTJCL00            UPDATE   SYS1          
    *** NO FIELDS CHANGED ***                                       

In this example, there are 2 logon entries and one change entry made by an admin changing a field on the logonid record. 

Example LL report using LOGON parameter:

DATE 06/15/22 (22.166) TIME 16.57                                              
     DATE    TIME        LOGONID   JOBNAME    CHANGER  CHANGE   CPU       USING
    FIELD       OLD VALUE                NEW VALUE                SIGNAL      
                                                                              


22.166 06/15 16.45       USER01    ADMIN               LOGON    SYS1      PASSWORD
22.166 06/15 16.47       USER01    MSTJCL00            LOGON    SYS1      PASSWORD 

This example shows the same logon entries from above without the other CHANGE record.
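To turn this output into something a SIEM or review script can consume, the following added example (not code from the article or from ACF2) parses entry lines in the layout shown above and summarises logons by USING method. It assumes whitespace-separated columns; the USER02 row, the function names and the default "review" set are constructed for illustration.

```python
import re
from collections import Counter

# USING values the article lists for the LOGON report.
USING_VALUES = {"AAM", "KERBEROS", "MFA", "NOPASSWD", "PASS-TKT",
                "PASSWORD", "PHRASE", "PIV-CAC", "RADIUS"}
CHANGE_KINDS = {"LOGON", "UPDATE", "CHANGE"}  # CHANGE column values in the samples
ENTRY = re.compile(r"^(\d\d\.\d{3})\s+(\d\d/\d\d)\s+(\d\d\.\d\d)\s+(\S.*)$")

# Constructed sample: the article's entries plus one invented NOPASSWD logon.
SAMPLE = """\
DATE 06/15/22 (22.166) TIME 16.57
     DATE    TIME        LOGONID   JOBNAME    CHANGER  CHANGE   CPU       USING
22.166 06/15 16.44       USER01    ADMIN        ADMIN  CHANGE   SYS1
    PSWD-EXP     PSWD-EXP                 NOPSWD-EXP
22.166 06/15 16.45       USER01    ADMIN               LOGON    SYS1      PASSWORD
22.166 06/15 16.47       USER01    MSTJCL00            LOGON    SYS1      PASSWORD
22.166 06/15 16.50       USER02    USER02              LOGON    SYS1      NOPASSWD
"""

def parse_entries(text):
    """Return one dict per entry line; headers and field-detail lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        rest = m.group(4).split()
        # CHANGER is blank on logon entries, so it is present only when the
        # third token is not itself a CHANGE value.
        changer = rest.pop(2) if len(rest) > 2 and rest[2] not in CHANGE_KINDS else ""
        if len(rest) < 4 or rest[2] not in CHANGE_KINDS:
            continue  # not a layout this example understands
        entries.append({"julian": m.group(1), "date": m.group(2), "time": m.group(3),
                        "logonid": rest[0], "jobname": rest[1], "changer": changer,
                        "change": rest[2], "cpu": rest[3],
                        "using": rest[4] if len(rest) > 4 else ""})
    return entries

def logon_summary(text, review=frozenset({"NOPASSWD"})):
    """Count logons per (logonid, USING); list TSO logons and ones to review."""
    logons = [e for e in parse_entries(text) if e["change"] == "LOGON"]
    return {
        "by_method": Counter((e["logonid"], e["using"]) for e in logons),
        "tso": [e for e in logons if e["jobname"] == "MSTJCL00"],  # per the article
        "review": [e for e in logons
                   if e["using"] in review or e["using"] not in USING_VALUES],
    }

if __name__ == "__main__":
    print(logon_summary(SAMPLE))
```

The `review` list also catches any USING value outside the documented set, which is a quick signal that the report layout has drifted from what the parser expects.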

The ACFRPTLL report is useful in the case of TSO logons but will not show all logons in MUSASS (Multi User Single Address Space System) regions that have NO-STATS specified.
For example, if the TCP/IP region logonid has NO-STATS specified, only one logon request per day would show in ACFRPTLL.

To see the source of a logon, add the MON-LOG field to a logonid.
Entries for successful logons made after this change can be displayed in the ACFRPTPW report (entries with RC=254).

CA ACF2 - ACFRPTPW - INVALID PASSWORD/AUTHORITY LOG -                 PAGE    
DATE mm/dd/yy (yy.ddd) TIME hh.mm                                               
                                                                                
   DATE      TIME        LID    JNAME  SUBMIT'R     SOURCE    PROGRAM    RC   RS
                                                                               
yy.ddd mm/dd hh.mm       USER01  USER01  P-LOGON    ABCDEFGH                  254  
RC FIELD DESCRIPTIONS                                                          
  254  LOGONID HAS MON-LOG ATTRIBUTE                                           

Details of each utility are explained in the Report and Utilities Guide, and details of the MON-LOG field are explained in the Administrator Guide.

ACF2 cannot generate a report for logoff events, as ACF2 doesn't cut an SMF record for logoff processing.