On Fri, 5 Jun 2009 22:58:10 +0800, Tommy Tsui <[email protected]> wrote:
>but one of audit report shows that an invalid user try to access the >APPC with "??????" jobid and userid...I don't know how to answer our >auditor ? What, exactly, does the audit report say? Does it say someone tried to access the APPC APPL, or does it say someone tried to sign on? Remember that APPC is a server, and as such, audit records related to it (as well as ICH408I message) generally refer to its clients. It is most likely that some user without an identity (e.g., some incoming APPC transaction that did not specify a user ID) caused your audit record. And there is nothing to tell the auditor, other than "someone without an identity tried to use APPC, and the system properly failed the access, so don't worry about it." Assuming, of course, that the SMF record indicated a failure. If it indicated a success, you may have more work to do :) -- Walt Farrell, CISSP IBM STSM, z/OS Security Design ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: GET IBM-MAIN INFO Search the archives at http://bama.ua.edu/archives/ibm-main.html
