Format of the Command Audit Trail data display

Use this information to understand how to suppress, filter, and interpret Command Audit Trail data.

The example in Figure 1 shows the output of the C4RCATMN command. This output is identical to the lines that are appended to the output of the regular RACF® list commands. For the RACF list commands, the information is shown if the user has READ access to the =CMDAUD.=MAINT policy profile. If a RACF list command specifies multiple RACF profiles, the Command Audit Trail information for the specified profiles is shown after the RACF information for all profiles. Examples of such list commands are:
   LISTDSD   DA(dsn1,dsn2)
   LISTUSER  (user1,user2)
Each Command Audit Trail section is identified by a header line, like:
   C4R736I Command Audit Trail for USER user1
The Command Audit Trail is not included if the RACF list command specifies a pattern or prefix for the profiles to be shown. Examples of such list commands are:
   LISTDSD   PREFIX(user1)
   RLIST     FACILITY *

If the terminal user has READ access to the =CMDAUD.=MAINT policy profile, the Command Audit Trail information is shown. The RACF list commands have no option to suppress these additional lines. There are two indirect ways to suppress the Command Audit Trail information; both affect only the display, the data is still collected:

  • Issue the C4RCATMN command with the NOMSG keyword. The Command Audit Trail information is then no longer appended to the output of the RACF list commands. The information can still be shown with the C4RCATMN command, but that requires a higher authorization than the regular RACF commands need. Use the C4RCATMN MSG command to reactivate the display. The MSG / NOMSG setting is saved across sessions. If you never issued a C4RCATMN MSG or NOMSG command, the setting is MSG.
  • Allocate a ddname (file name) C4RNOCAT. This ddname does not need to be allocated to a particular data set, sysout class, or device; the preferred allocation is to DUMMY (for example, a DD DUMMY statement in JCL). The mere presence of this ddname suppresses the display of all Command Audit Trail information as part of the regular RACF list commands. The information can still be shown with the C4RCATMN command, although that requires a higher authorization to the =CMDAUD.=MAINT policy profile.

The user ID that is recorded as having run a command can be the submitting user ID instead of the actual user ID, if the actual user ID has more than NONE access to the =CMDAUD.=SURROGATE policy profile.

The Command Audit Trail information consists of several sections.

  • The Header

    Shows the class and profile that is listed.

  • The PROFILE section

    Contains information about who created the profile (user, group, data set, or general resource profile). The first line starts with the word Profile:, followed by when the profile was created and which user ran the command. It also contains the highest non-zero return code from the pre-command, RACF, and post-command.

    Collection is controlled by the policy profile
    C4R.class=CMDAUD.=SEGMENT.profile-identification
  • The Segments section

    Contains the information about the last change to non-base segments. The first line starts with the word Segment:, followed by an abbreviated name for the segment. The remainder of the line contains the type of change (add, change, or delete), when the change was made, and which user ran the command. It also contains the highest non-zero return code from the pre-command, RACF, and post-command. For modifications to existing segments, only the last change is shown.

    Collection is controlled by the policy profile
    C4R.class=CMDAUD.=SEGMENT.profile-identification

    A separate block (add, change, delete) is shown for each segment that was modified. The following segments and pseudo-segment are currently supported.

    USER
        CICS®, DCE, DFP, CSDATA, EIM, KERB, LANGUAGE, LNOTES, MFA, NDS, NETVIEW, OMVS, OPERPARM, OVM, PROXY, TSO, WORKATTR
    GROUP
        CSDATA, DFP, OMVS, OVM, TME
    DATASET
        CSDATA, DFP, TME
    General Resource
        CFDEF, CDTINFO, CSDATA, DLFDATA, EIM, ICSF, ICTX, IDTPARMS, JES, KERB, MFA, MFPOLICY, PROXY, SESSION, SIGVER, SSIGNON, STDATA, SVFMR, TME
  • The Attributes section

    Contains the attributes and the information about the last change to the attributes. The first line starts with the word Attrib:, followed by an abbreviated name for the attribute. The remainder of the line contains the type of change (add or remove), when the change was made, and which user ran the command. It also contains the highest non-zero return code from the pre-command, RACF, and post-command. A command that sets an attribute the profile already has does not change the profile and is therefore not recorded: the date, time, and user ID that are shown are those of the command that actually changed the profile.

    Collection is controlled by the policy profile
    C4R.class=CMDAUD.=ATTR.profile-identification

    A separate block (add, change, remove) is shown for each attribute that was modified. The following attributes are currently supported.

    USER
        ADSP, AUDITOR, CATEGORY, CLAUTH, DFLTGRP, EXPIRED, GRPACC, INSTDATA, INTERVAL, MODEL, NAME, OIDCARD, OPERATIONS, OWNER, PASSWORD, PHRASE, RESTRICTED, RESUME, REVOKE, ROAUDIT, SECLEVEL, SECLABEL, SPECIAL, UAUDIT, WHEN
    GROUP
        INSTDATA, MODEL, OWNER, SUPGRP, TERMUACC, UNIVERSAL
    DATASET
        ACL, AUDIT, CATEGORY, ERASE, FROM, GAUDIT, INSTDATA, LEVEL, NOTIFY, OWNER, SECLEVEL, SECLABEL, UACC, WARNING
    General Resource
        ACL, APPLDATA, AUDIT, CATEGORY, FROM, GAUDIT, INSTDATA, LEVEL, NOTIFY, OWNER, SECLEVEL, SECLABEL, SINGLEDS, TVTOC, TIMEZONE, UACC, WARNING, WHEN
  • The Connects section

    Contains the Groups, the Authorizations, and the UACC together with information about the last change to the connect.

    Collection is controlled by the policy profile
    C4R.class=CMDAUD.=CONNECT.profile-identification

    The Connects section is only present for USER profiles. It is not included for GROUP profiles. The first line in this section starts with the word Connect:. Each line shows the GROUPNAME, followed by the UACC, the GROUP-Authority, the date and time when the change was made, which user ID executed the command, and the highest non-zero return code from the pre-command, RACF, and post-command. If both the UACC and the GROUP-Authority have their default value (that is, UACC=NONE and AUTH=USE), their values are not explicitly shown. This makes it easier to spot non-default settings. For more information about the UACC and AUTH settings, see the RACF Security Administrator's Guide and the RACF Command Language Reference.

    Because of size limitations, only the last 64 changes to the connect groups are shown.

  • The Group-Attributes section

    This section immediately follows the Connect section and it contains information about the last change to any GROUP-attribute. The first line starts with the word GrpAttr:, followed by an abbreviated name for the attribute.

    Collection is controlled by policy profile
    C4R.class=CMDAUD.=CONNECT.profile-identification

    The Group-Attributes section is only present for User profiles. It is not included in Group profiles. The lines show the attribute, followed by the GROUP name, when the change was made, and which user ran the command. It also shows the highest non-zero return code from the pre-, RACF, and post-command. There can be multiple lines for the same attribute, if the attribute was added and removed. The lines for each attribute are in date/time sequence, so the last line reflects the status.

    Because of size limitations, only the last 64 changes to the connect groups are shown. The following attributes are currently supported.

    ADSP, SPECIAL, OPERATIONS, REVOKE, GRPACC, AUDITOR, RESUME
  • The Access List section

    Contains access list entries and the information about the last change to the access list entries. The lines show the access level that was granted, followed by when the change was made, and which user ran the command. It also shows the highest non-zero return code from the pre-, RACF, and post-command. There is only one line for each user, group, or profile. The last instance of granting or removing access is shown. If a user was removed from the access list, the value Removed is shown. The special ID **ALL** is used to reflect the use of the RESET keyword on the PERMIT command. Because of size limitations, only the last 64 changes to the access list are collected.

    Collection is controlled by policy profile
    C4R.class=CMDAUD.=ACL.profile-identification
  • The Member section

    Contains members that are part of a grouping class profile. The lines reflect adding or removing entries to and from the member list of grouping class profiles. Each line has one member, followed by when the change was made, and which user ran the command. It also shows the highest non-zero return code from the pre-, RACF, and post-command. There is only one line for each member, reflecting the last action. Because of size limitations, only the last 64 changes to the member list are shown. Also, only the first 128 bytes of the member name are collected and thus included in the display.

    Collection is controlled by policy profile
    C4R.class=CMDAUD.=MEMBER.profile-identification

An example for a user profile is shown here:

Figure 1. Command Audit Trail data for a user profile
Command Audit Trail for USER C4RUSER
Profile:          Created on 19.238/14:24 by C4RTEST 
Segment:  CICS    Added on 19.241/03:19 by C4RTEST 
                  Changed on 19.241/03:20 by C4RTEST 
          TSO     Changed on 19.241/03:19 by C4RTEST 
Attrib:   PASSWRD Removed on 19.238/14:24 by C4RTEST 
          INTERV  Changed on 19.241/04:42 by C4RTEST
          RESTR   Added on 19.238/14:24 by C4RTEST      
          WHEN    Added on 19.238/14:24 by C4RTEST
Clauth:           USER Added on 19.241/10:04 by C4RTEST
                  TCICSTRN Removed on 19.241/10:05 by C4RTEST
Connect:          C4RGRP1 Added on 19.238/14:24 by C4RTEST
GrpAttr:  ADSP    C4RGRP1 Removed on 19.238/14:24 by C4RTEST

An example for a data set profile is shown in the following figure. In this example, a DFP segment was added, the profile was placed in WARNING mode, and several access list entries were changed or removed. Timestamps are in the form yy.ddd/hh:mm, where ddd is the day of the year. On 14 September 2019 (19.257) the entire access list was reset by using the PERMIT RESET command; this is shown as the **ALL** entry with the value Removed.

Figure 2. Command Audit Trail data for a data set profile
Command Audit Trail for DATASET C4RUSER.** 
Profile:          Created on 19.234/09:39 by C4RTEST
Segment:  DFP     Added on 19.245/05:21 by C4RTEST 
Attrib:   FROM    DATASET C4RUSER.TEST.** on 19.234/09:39 by C4RTEST
          WARNING Added on 19.245/05:20 by C4RTEST 
          AUDIT   SUCCESS Removed on 19.245/08:41 by C4RTEST 
                  FAILURES Changed on 19.246/01:30 by C4RTEST 
          GAUDIT  SUCCESS Changed on 19.245/09:38 by C4RTEST
                  FAILURES Changed on 19.245/09:38 by C4RTEST
Access:           DATASET C4RUSER.TEST.** access Added on 19.234/09:39 by C4RTEST 
                  C4RGRP1 access READ on 19.234/09:39 by C4RTEST 
                  C4RGRP2 access READ on 19.234/09:39 by C4RTEST 
                  C4RTEST access READ on 19.234/09:39 by C4RTEST 
                  SYS1 access READ on 19.234/09:39 by C4RTEST 
                  IBMUSER access READ on 19.234/09:39 by C4RTEST 
                  * access UPD on 19.234/09:39 by C4RTEST 
                  CRMBGUS access Removed on 19.234/09:39 by C4RTEST 
                  **ALL** access Removed on 19.257/15:06 by C4RTEST

The following example shows the Command Audit Trail information for adding and removing members from a profile in a grouping resource class.

Figure 3. Command Audit Trail data for managing members in a profile in a grouping resource class
Command Audit Trail for GCICSTRN CICSA.SPRO
Member:           CICSA.CEDA Added on 19.249/14:21 by C4RTEST
                  CICSA.CEMT Removed on 19.249/14:21 by C4RTEST

The information about a segment or attribute is presented in date/time sequence. The last line that is shown for a particular segment or attribute is the last recorded action. If an attribute was granted and later removed, the first line shows who granted the attribute and the last line shows who removed the attribute.

For Access List entries and Member Lists, only the last 64 changes are retained. This restriction is mainly for profile size and performance reasons. Only the last action for each ID or member is recorded.
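The following Python parser is an added illustration; it is not part of zSecure Command Verifier or of this documentation. It reads a Command Audit Trail block in the layout of Figures 1 to 3 and applies the rules described in the sections above: the section label and the segment or attribute key carry forward over continuation lines, the last line for a segment or attribute is its current state, and a **ALL** Removed line (PERMIT RESET) invalidates every access list entry recorded before it. Several points are assumptions rather than documented facts: the fixed column positions (read off the figures), the 20yy century for the yy.ddd dates, the reading of a "class profile access Added" line as the marker for the FROM profile the list was copied from, and the sample data, which is constructed after Figure 2 with one extra grant after the reset. The figures never show the return-code trailer, so whatever follows the user ID is kept verbatim instead of being interpreted.

```python
"""Parse zSecure Command Verifier Command Audit Trail display blocks (added example,
not product code): fixed-column lines as in the figures above, plus a rebuild of the
surviving access list that honours the **ALL** marker left by PERMIT ... RESET."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Column layout read off the figures (assumption: the display is fixed-format):
# section label in columns 0-9, segment/attribute key in 10-17, text from 18.
LABEL_WIDTH, KEY_WIDTH = 10, 8
HEADER_RE = re.compile(r"^(?:C4R736I\s+)?Command Audit Trail for (\S+)\s+(\S+)$")
# '<detail> on yy.ddd/hh:mm by <userid>[ <trailer>]'; a trailer would carry the
# highest non-zero return code, which the figures never show, so it is kept verbatim.
STAMP_RE = re.compile(r"^(?P<detail>.*?)\s*\bon (?P<stamp>\d{2}\.\d{3}/\d{2}:\d{2})"
                      r" by (?P<user>\S+)(?P<trailer>.*)$")
ACL_RE = re.compile(r"^(?P<ident>.+?) access (?P<level>\S+)$")


@dataclass
class Entry:
    section: str   # Profile, Segment, Attrib, Clauth, Connect, GrpAttr, Access, Member
    key: str       # segment/attribute abbreviation; '' where the key column is blank
    detail: str    # text before ' on <stamp>', e.g. 'Added' or 'C4RGRP1 access READ'
    when: datetime
    user: str
    trailer: str = ""


def parse_stamp(stamp: str) -> datetime:
    """yy.ddd/hh:mm (day of year, two-digit year) -> datetime; assumes 20yy, which
    matches the page reading 19.257 as 14 September 2019."""
    yy, ddd, hhmm = re.split(r"[./]", stamp)
    hh, mm = hhmm.split(":")
    return datetime(2000 + int(yy), 1, 1) + timedelta(
        days=int(ddd) - 1, hours=int(hh), minutes=int(mm))


def parse_trail(text: str) -> Tuple[str, str, List[Entry]]:
    """Return (class, profile, entries) for one block. Section and key carry
    forward over continuation lines, exactly as the display leaves them blank."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if m is None:
        raise ValueError(f"not a Command Audit Trail header: {lines[0]!r}")
    entries: List[Entry] = []
    section = key = ""
    for line in lines[1:]:
        label = line[:LABEL_WIDTH].strip().rstrip(":")
        keycol = line[LABEL_WIDTH:LABEL_WIDTH + KEY_WIDTH].strip()
        rest = line[LABEL_WIDTH + KEY_WIDTH:].strip()
        if label:             # new section; a blank key column means 'no key'
            section, key = label, keycol
        elif keycol:          # new key inside the current section
            key = keycol
        sm = STAMP_RE.match(rest)
        if sm is None:        # fail loudly: a silent skip would hide audit lines
            raise ValueError(f"unrecognised audit line: {line!r}")
        entries.append(Entry(section, key, sm["detail"], parse_stamp(sm["stamp"]),
                             sm["user"], sm["trailer"].strip()))
    return m[1], m[2], entries


def last_action(entries: List[Entry], section: str, key: str) -> Optional[Entry]:
    """Lines are in date/time order, so the last one for a key is the current state."""
    hits = sorted((e for e in entries if e.section == section and e.key == key),
                  key=lambda e: e.when)
    return hits[-1] if hits else None


def effective_acl(entries: List[Entry]) -> Dict[str, str]:
    """Rebuild the surviving access list from the Access: lines, in time order.
    '**ALL** access Removed' (PERMIT RESET) wipes every grant before it; '<id> access
    Removed' drops one ID; a '<class> <profile> access Added' line is read as the
    FROM-copy marker (assumption based on Figure 2) and is not an ID."""
    acl: Dict[str, str] = {}
    for e in sorted((e for e in entries if e.section == "Access"), key=lambda e: e.when):
        am = ACL_RE.match(e.detail)
        if am is None:
            continue
        ident, level = am["ident"], am["level"]
        if ident == "**ALL**" and level == "Removed":
            acl.clear()
        elif level == "Removed":
            acl.pop(ident, None)
        elif level != "Added":
            acl[ident] = level
    return acl


# Constructed sample modelled on the data set profile figure above, with one grant
# (C4RGRP1) issued after the PERMIT RESET so that the reset semantics are visible.
SAMPLE = """\
Command Audit Trail for DATASET C4RUSER.**
Profile:          Created on 19.234/09:39 by C4RTEST
Segment:  DFP     Added on 19.245/05:21 by C4RTEST
Attrib:   FROM    DATASET C4RUSER.TEST.** on 19.234/09:39 by C4RTEST
          WARNING Added on 19.245/05:20 by C4RTEST
          AUDIT   SUCCESS Removed on 19.245/08:41 by C4RTEST
                  FAILURES Changed on 19.246/01:30 by C4RTEST
Access:           DATASET C4RUSER.TEST.** access Added on 19.234/09:39 by C4RTEST
                  C4RGRP2 access READ on 19.234/09:39 by C4RTEST
                  * access UPD on 19.234/09:39 by C4RTEST
                  CRMBGUS access Removed on 19.234/09:39 by C4RTEST
                  **ALL** access Removed on 19.257/15:06 by C4RTEST
                  C4RGRP1 access READ on 19.258/08:00 by C4RTEST
"""

if __name__ == "__main__":
    cls, profile, ents = parse_trail(SAMPLE)
    print(cls, profile, "surviving ACL:", effective_acl(ents))
    print("AUDIT now:", last_action(ents, "Attrib", "AUDIT").detail)
```

Run on the sample, the surviving access list contains only C4RGRP1 with READ: C4RGRP2 and the * entry were granted before the reset and are therefore gone, even though their lines are still displayed. That is the check to apply when reading a real trail: an entry older than the **ALL** line documents history, not current access. The parser raises on any line it cannot interpret rather than skipping it, because a silently dropped line in an audit display is worse than a failed run.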