Format of the Command Audit Trail data display
Use this information to understand how to suppress, filter, and interpret Command Audit Trail data.
The Command Audit Trail information is shown as part of the output of the RACF list commands, for example:

  LISTDSD DA(dsn1,dsn2)
  LISTUSER (user1,user2)
  LISTDSD PREFIX(user1)
  RLIST FACILITY *

The information is introduced by message C4R736I, for example:

  C4R736I Command Audit Trail for USER user1
If the terminal user has READ access to the =CMDAUD.=MAINT policy profile, the Command Audit Trail information is shown. There is no option on the RACF list commands to suppress these additional lines. There are two indirect ways to suppress the Command Audit Trail information:
- Issue the C4RCATMN command with the NOMSG keyword. The Command Audit Trail information is then no longer shown as part of the RACF list commands. It is still possible to show the information by using the C4RCATMN command, but that requires a higher authorization than the regular RACF commands need. Use the C4RCATMN MSG command to reactivate the display. The MSG / NOMSG setting is saved across sessions. If you never issued the C4RCATMN MSG or NOMSG command, the setting is MSG.
- Allocate a ddname (file name) C4RNOCAT. This ddname does not need to be allocated to a particular data set, sysout class, or device; the preferred allocation is to DUMMY. The presence of this allocation is sufficient to suppress the display of all Command Audit Trail information as part of the regular RACF list commands. It is still possible to show this information by using the C4RCATMN command, although that requires a higher authorization to the =CMDAUD.=MAINT policy profile.
The user ID that is recorded for a command can be the submitting user ID if the actual user ID has more than NONE access to the =CMDAUD.=SURROGATE policy profile.
The Command Audit Trail information consists of several sections.
- The Header
Shows the class and profile that is listed.
- The PROFILE section
Contains information about who created the profile (User, Group, Data set, or General Resource profile). The first line starts with the word Profile:, followed by when the profile was created and which user ran the command. It also contains the highest non-zero return code from the pre-command, RACF, and post-command.
Collection is controlled by the policy profile C4R.class=CMDAUD.=SEGMENT.profile-identification
- The Segments section
Contains the information about the last change to non-base segments. The first line starts with the word Segment:, followed by an abbreviated name for the segment. The remainder of the line contains information about the type of change, like add, change, delete, when the change was made, and which user ran the command. It also contains the highest non-zero return code from the pre-command, RACF, and post-command. For modifications to existing segments, only the last change is shown.
Collection is controlled by the policy profile C4R.class=CMDAUD.=SEGMENT.profile-identification
A separate block (add, change, delete) is shown for each segment that was modified. The following segments and pseudo-segment are currently supported.
- USER
  - CICS®, DCE, DFP, CSDATA, EIM, KERB, LANGUAGE, LNOTES, MFA, NDS, NETVIEW, OMVS, OPERPARM, OVM, PROXY, TSO, WORKATTR
- GROUP
  - CSDATA, DFP, OMVS, OVM, TME
- DATASET
  - CSDATA, DFP, TME
- General Resource
  - CFDEF, CDTINFO, CSDATA, DLFDATA, EIM, ICSF, ICTX, IDTPARMS, JES, KERB, MFA, MFPOLICY, PROXY, SESSION, SIGVER, SSIGNON, STDATA, SVFMR, TME
- The Attributes section
Contains the attributes and the information about the last change to the attributes. The first line starts with the word Attrib:, followed by an abbreviated name for the attribute. The remainder of the line contains information about the type of change such as add or remove, when the change was made, and which user ran the command. It also contains the highest non-zero return code from the pre-, RACF, and post-command. If the profile already has the attribute, a possible confirmation command is not shown. The information that is shown reflects the date, time, and ID that changed the profile.
Collection is controlled by the policy profile C4R.class=CMDAUD.=ATTR.profile-identification
A separate block (add, change, remove) is shown for each attribute that was modified. The following attributes are currently supported.
- USER
  - ADSP, AUDITOR, CATEGORY, CLAUTH, DFLTGRP, EXPIRED, GRPACC, INSTDATA, INTERVAL, MODEL, NAME, OIDCARD, OPERATIONS, OWNER, PASSWORD, PHRASE, RESTRICTED, RESUME, REVOKE, ROAUDIT, SECLEVEL, SECLABEL, SPECIAL, UAUDIT, WHEN
- GROUP
  - INSTDATA, MODEL, OWNER, SUPGRP, TERMUACC, UNIVERSAL
- DATASET
  - ACL, AUDIT, CATEGORY, ERASE, FROM, GAUDIT, INSTDATA, LEVEL, NOTIFY, OWNER, SECLEVEL, SECLABEL, UACC, WARNING
- General Resource
  - ACL, APPLDATA, AUDIT, CATEGORY, FROM, GAUDIT, INSTDATA, LEVEL, NOTIFY, OWNER, SECLEVEL, SECLABEL, SINGLEDS, TVTOC, TIMEZONE, UACC, WARNING, WHEN
- The Connects section
Contains the Groups, the Authorizations, and the UACC together with information about the last change to the connect.
Collection is controlled by the policy profile C4R.class=CMDAUD.=CONNECT.profile-identification
The Connects section is only present for USER profiles. It is not included for GROUP profiles. The first line in this section starts with the word Connect:. Each line shows the GROUPNAME, followed by the UACC, the GROUP-Authority, the date and time when the change was made, which user ID executed the command, and the highest non-zero return code from the pre-command, RACF, and post-command. If both the UACC and the GROUP-Authority have their default value (that is, UACC=NONE and AUTH=USE), their values are not explicitly shown. This makes it easier to spot non-default settings. For more information about the UACC and AUTH settings, see the RACF Security Administrator's Guide and the RACF Command Language Reference.
Because of size limitations, only the last 64 changes to the connect groups are shown.
- The Group-Attributes section
This section immediately follows the Connect section and it contains information about the last change to any GROUP-attribute. The first line starts with the word GrpAttr:, followed by an abbreviated name for the attribute.
Collection is controlled by the policy profile C4R.class=CMDAUD.=CONNECT.profile-identification
The Group-Attributes section is only present for User profiles. It is not included in Group profiles. The lines show the attribute, followed by the GROUP name, when the change was made, and which user ran the command. It also shows the highest non-zero return code from the pre-, RACF, and post-command. There can be multiple lines for the same attribute, if the attribute was added and removed. The lines for each attribute are in date/time sequence, so the last line reflects the status.
Because of size limitations, only the last 64 changes to the connect groups are shown. The following attributes are currently supported.
ADSP, SPECIAL, OPERATIONS, REVOKE, GRPACC, AUDITOR, RESUME
- The Access List section
Contains access list entries and the information about the last change to the access list entries. The lines show the access level that was granted, followed by when the change was made, and which user ran the command. It also shows the highest non-zero return code from the pre-, RACF, and post-command. There is only one line for each user, group, or profile. The last instance of granting or removing access is shown. If a user was removed from the access list, the value Removed is shown. The special ID **ALL** is used to reflect the use of the RESET keyword on the PERMIT command. Because of size limitations, only the last 64 changes to the access list are collected.
Collection is controlled by the policy profile C4R.class=CMDAUD.=ACL.profile-identification
- The Member section
Contains members that are part of a grouping class profile. The lines reflect adding or removing entries to and from the member list of grouping class profiles. Each line has one member, followed by when the change was made, and which user ran the command. It also shows the highest non-zero return code from the pre-, RACF, and post-command. There is only one line for each member, reflecting the last action. Because of size limitations, only the last 64 changes to the member list are shown. Also, only the first 128 bytes of the member name are collected and thus included in the display.
Collection is controlled by the policy profile C4R.class=CMDAUD.=MEMBER.profile-identification
An example for a user profile is shown here:
Command Audit Trail for USER C4RUSER
Profile: Created on 19.238/14:24 by C4RTEST
Segment: CICS Added on 19.241/03:19 by C4RTEST
Changed on 19.241/03:20 by C4RTEST
TSO Changed on 19.241/03:19 by C4RTEST
Attrib: PASSWRD Removed on 19.238/14:24 by C4RTEST
INTERV Changed on 19.241/04:42 by C4RTEST
RESTR Added on 19.238/14:24 by C4RTEST
WHEN Added on 19.238/14:24 by C4RTEST
Clauth: USER Added on 19.241/10:04 by C4RTEST
TCICSTRN Removed on 19.241/10:05 by C4RTEST
Connect: C4RGRP1 Added on 19.238/14:24 by C4RTEST
GrpAttr: ADSP C4RGRP1 Removed on 19.238/14:24 by C4RTEST
An example for a data set profile is shown in the following figure. In this example, a DFP segment was added, the profile was placed in WARNING mode, and several access list entries were changed or removed. On 14 September 2019 (19.257) the entire access list was reset by C4RTEST by using the PERMIT RESET command; this shows as the special ID **ALL** on the last Access line.
Command Audit Trail for DATASET C4RUSER.**
Profile: Created on 19.234/09:39 by C4RTEST
Segment: DFP Added on 19.245/05:21 by C4RTEST
Attrib: FROM DATASET C4RUSER.TEST.** on 19.234/09:39 by C4RTEST
WARNING Added on 19.245/05:20 by C4RTEST
AUDIT SUCCESS Removed on 19.245/08:41 by C4RTEST
FAILURES Changed on 19.246/01:30 by C4RTEST
GAUDIT SUCCESS Changed on 19.245/09:38 by C4RTEST
FAILURES Changed on 19.245/09:38 by C4RTEST
Access: DATASET C4RUSER.TEST.** access Added on 19.234/09:39 by C4RTEST
C4RGRP1 access READ on 19.234/09:39 by C4RTEST
C4RGRP2 access READ on 19.234/09:39 by C4RTEST
C4RTEST access READ on 19.234/09:39 by C4RTEST
SYS1 access READ on 19.234/09:39 by C4RTEST
IBMUSER access READ on 19.234/09:39 by C4RTEST
* access UPD on 19.234/09:39 by C4RTEST
CRMBGUS access Removed on 19.234/09:39 by C4RTEST
**ALL** access Removed on 19.257/15:06 by C4RTEST
The following example shows the Command Audit Trail information for adding and removing members from a profile in a grouping resource class.
Command Audit Trail for GCICSTRN CICSA.SPRO
Member: CICSA.CEDA Added on 19.249/14:21 by C4RTEST
CICSA.CEMT Removed on 19.249/14:21 by C4RTEST
The information about a segment or attribute is presented in date/time sequence. The last line that is shown for a particular segment or attribute is the last recorded action. If an attribute was granted and later removed, the first line shows who granted the attribute and the last line shows who removed the attribute.
For Access List entries and Member Lists, only the last 64 changes are retained. This restriction is mainly for profile size and performance reasons. Only the last action for each ID or member is recorded.
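The display above is meant for a human reading LISTUSER output, but the same text is what you have when you want to ask "which access lists were reset last month" or "what is the current status of each attribute" across many profiles. The following parser is an added example (not code from zSecure Command Verifier or from this page) that turns the display into structured records and applies the reading rules stated above: the last line for an item is its current status, and **ALL** in the Access section marks a PERMIT RESET. It assumes the text as reproduced here, where indentation has been lost, so a line without a Section: label inherits the previous section and a bare action line ("Changed on ...") inherits the previous subject; the sample input is excerpted from the page's own examples.

```python
"""Parser for the Command Audit Trail display text: an added example, not code
from zSecure Command Verifier. It reads the display as reproduced on this page,
where indentation is lost, so a line without a "Section:" label inherits the
previous line's section, and a line with only an action word ("Changed on ...")
inherits the previous subject too. The yy.ddd/hh:mm stamp (two-digit year, day
of year) becomes a datetime so entries can be compared and filtered."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Header line, with or without the C4R736I message identifier
HEADER_RE = re.compile(
    r"^(?:C4R736I\s+)?Command Audit Trail for (?P<cls>\S+)\s+(?P<profile>\S+)$")
# "[Section:] subject words [Action] on yy.ddd/hh:mm by USERID"
ENTRY_RE = re.compile(
    r"^(?:(?P<section>[A-Za-z]+):\s+)?(?P<body>.*?)\s*\bon\s+"
    r"(?P<stamp>\d\d\.\d{3}/\d\d:\d\d)\s+by\s+(?P<user>\S+)$")
ACTIONS = {"Created", "Added", "Changed", "Removed"}


@dataclass
class Entry:
    cls: str               # RACF class of the listed profile
    profile: str           # profile name
    section: str           # Profile, Segment, Attrib, Clauth, Connect, GrpAttr, Access, Member
    subject: str           # segment, attribute, group, access-list ID or member
    action: Optional[str]  # Created/Added/Changed/Removed, an access level, or None
    when: datetime         # converted from yy.ddd/hh:mm
    user: str              # user ID recorded as having run the command


def parse_stamp(stamp: str) -> datetime:
    """'19.257/15:06' -> 2019-09-14 15:06 (day 257 of 2019)."""
    return datetime.strptime(stamp, "%y.%j/%H:%M")


def parse_trail(text: str) -> List[Entry]:
    cls = profile = section = subject = None
    entries: List[Entry] = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        m = HEADER_RE.match(line)
        if m:
            cls, profile = m.group("cls"), m.group("profile")
            section = subject = None
            continue
        m = ENTRY_RE.match(line)
        if not m or cls is None:
            raise ValueError(f"unrecognised Command Audit Trail line: {line!r}")
        section = m.group("section") or section
        words = m.group("body").split()
        if "access" in words:  # Access section: "<id> access <level|Added|Removed>"
            i = words.index("access")
            subject, action = " ".join(words[:i]), " ".join(words[i + 1:]) or None
        else:
            action = words.pop() if words and words[-1] in ACTIONS else None
            subject = " ".join(words) or subject or ""  # bare action keeps the subject
        entries.append(Entry(cls, profile, section or "", subject, action,
                             parse_stamp(m.group("stamp")), m.group("user")))
    return entries


def last_state(entries: List[Entry]) -> Dict[Tuple[str, str, str, str], Entry]:
    """Last recorded action per (class, profile, section, subject), i.e. its status."""
    state: Dict[Tuple[str, str, str, str], Entry] = {}
    for e in entries:
        state[(e.cls, e.profile, e.section, e.subject)] = e
    return state


def permit_resets(entries: List[Entry]) -> List[Entry]:
    """Entries for PERMIT ... RESET (special ID **ALL**): one command that wiped
    the whole access list, which deserves its own review."""
    return [e for e in entries if e.section == "Access" and e.subject == "**ALL**"]


# Sample input: lines excerpted from the examples on this page
SAMPLE = """\
Command Audit Trail for USER C4RUSER
Profile: Created on 19.238/14:24 by C4RTEST
Segment: CICS Added on 19.241/03:19 by C4RTEST
Changed on 19.241/03:20 by C4RTEST
TSO Changed on 19.241/03:19 by C4RTEST
Attrib: PASSWRD Removed on 19.238/14:24 by C4RTEST
GrpAttr: ADSP C4RGRP1 Removed on 19.238/14:24 by C4RTEST

Command Audit Trail for DATASET C4RUSER.**
Attrib: FROM DATASET C4RUSER.TEST.** on 19.234/09:39 by C4RTEST
AUDIT SUCCESS Removed on 19.245/08:41 by C4RTEST
FAILURES Changed on 19.246/01:30 by C4RTEST
Access: DATASET C4RUSER.TEST.** access Added on 19.234/09:39 by C4RTEST
C4RGRP1 access READ on 19.234/09:39 by C4RTEST
* access UPD on 19.234/09:39 by C4RTEST
**ALL** access Removed on 19.257/15:06 by C4RTEST

Command Audit Trail for GCICSTRN CICSA.SPRO
Member: CICSA.CEDA Added on 19.249/14:21 by C4RTEST
CICSA.CEMT Removed on 19.249/14:21 by C4RTEST
"""
```

Calling `permit_resets(parse_trail(SAMPLE))` returns the one **ALL** entry for C4RUSER.** with its timestamp already converted to 14 September 2019 15:06, and `last_state` collapses the two CICS segment lines to the later Changed entry. Because indentation is not available, a continuation line such as FAILURES under AUDIT is recorded with the subject FAILURES only; if you feed the parser real LISTDSD output where the column layout survives, the subject can be completed from the column position instead.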