Perryman, Brian wrote:
Hi folks
I've noticed that our system (z/OS 1.4) seems to set dataset profiles to AUDIT FAILURES(READ) by default.
I'm wondering what the value of this is, since we also get a violation record written whenever an access failure occurs, so this seems to be a bit of overkill, if not wasteful on SMF space.
For audit reports, I'm only interested in successful access attempts. I have the violation reports for the unsuccessful ones.
I'm thinking of going through the RACF database with a combination of ICETOOL and Rexx and turning all the audit failure settings off - is this reasonable? Is it possible to change the default setting to FAILURES(NOAUDIT) as well?
1. AUDIT(FAILURES(READ)) is default. You cannot change default, but you
can specify other value every time you define/alter the profile.
2. This is not overkill. Violation records are created just because of
this setting. Do not confuse ICH408I message with SMF record. The record
is created because of the AUDIT setting.
3. If you want to audit succesful attempts, then you should use
AUDIT(SUCCESS(READ)) or similiar settings. Caution: it may be overkill
(SMF record flood).
You can also change LOGOPTIONS for given class to ignore profile AUDIT
settings. It would mean no records or just SMF flood.
4. You can set AUDIT(NONE) in profile or change
LOGOPTIONS(NEVER(your_class)) for whole class.
HTH
--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
