Greg Shirey wrote:

>I dumped the SMF records for both July 7 and July 8 and ran a RACFRW to list
>all the records and there is no reference to this User ID.

From what LPARs are you collecting your records?
Do you have RRSF?
Do you have an IRREVX01 exit (RACF command processor exit)?
Do you have any password exit?

Alternatively, rather use IRRADU00 for your audits. That will catch new things not possible with RACFRW.

>(Did someone modify SMF for a period? No.

Really? Check your SMF status and check if SMFPRMxx parmlib member has been replaced/tampered? If you have audited OPERCMDS for all and any commands issued, perhaps you can catch someone who messed around with that SMF parmlib member. Think of using a phantom SMFPRMxx member and those T SMF=xx commands...

>If anyone has a suggestion for what to look for, I'd appreciate hearing about
>it.

I would like to be interested of course!

Groete / Greetings
Elardus Engelbrecht
