You could set up an SMF exit to check for the suspicious record and check who is writing it.
Kees.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Charles Mills
Sent: 05 July, 2016 17:43
To: [email protected]
Subject: Help identifying source of SMF 80 record

X-posted IBM-MAIN and RACF-L.

I am looking at an SMF 80 record from a customer that I am having trouble making sense of. The customer is definitely a RACF user, not a TSS user. The customer I believe is on z/OS V2R1.

It is a valid SMF 80 record. The event.qualifier is 2.0. There are three relocatable sections: a 49 (User Name) that says "Detection Status", a 17 (Class name) that says "EK$CLASS" and a 1 (Resource Name) that says "EKCA.SECURITY.DETECTION". The record is 2959 bytes long, long for a RACF SMF record.

So what's odd about it?

1. It is missing the RACF version SMF80VRM at offset 80 that was added to RACF around OS/390 V1R2. That leads me to believe the record was not produced by RACF.

2. Between roughly offset x'44' and offset x'B52' (the first relocatable section) there is binary data that looks like perhaps a series of binary counters that I am not familiar with. No recognizable EBCDIC data providing a clue.

Does anyone have an idea what might be producing this record and where its format might be documented? It's at a customer so I don't have a thorough knowledge of what third-party products might be running, etc., etc.

Thanks,
Charles

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN

********************************************************
For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286
********************************************************
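The clues Charles works through (record type, whether SMF80VRM at offset 80 carries EBCDIC digits, whether the region from x'44' to the first relocatable section holds text or binary counters, and what the 49/17/1 relocatable sections decode to) can be checked offline once the raw record has been dumped from the SMF data set. The script below is an added example for this thread, not code from either poster or from IBM. Offsets 5 and 80, the x'44' boundary and the section type codes 1, 17 and 49 come from the post and the common SMF header; the 1-byte-type/1-byte-length relocatable-section layout, the 4-byte EBCDIC version field, and the sample record are assumptions and constructed data that must be checked against the type 80 mapping in the SMF manual before use on real records.

```python
"""Offline triage of a raw SMF type 80 record (added example, constructed data)."""
from dataclasses import dataclass

SMF_RTY_OFFSET = 5        # record-type byte in the common SMF header
SMF80_TYPE = 0x50         # type 80 decimal
FIXED_END = 0x44          # start of the unexplained binary region in the post
SMF80VRM_OFFSET = 80      # RACF version field offset quoted in the post
SMF80VRM_LEN = 4          # ASSUMPTION: four EBCDIC digits
SECTION_NAMES = {1: "Resource Name", 17: "Class name", 49: "User Name"}


@dataclass
class Section:
    kind: int
    data: bytes

    def text(self) -> str:
        return self.data.decode("cp037")      # cp037 = US EBCDIC


def parse_sections(rec: bytes, start: int) -> list:
    """ASSUMPTION: each relocatable section is 1-byte type, 1-byte length, data."""
    out, off = [], start
    while off + 2 <= len(rec):
        kind, ln = rec[off], rec[off + 1]
        data = rec[off + 2 : off + 2 + ln]
        if len(data) < ln:                    # truncated section: stop, do not mis-parse
            break
        out.append(Section(kind, data))
        off += 2 + ln
    return out


def printable_ratio(chunk: bytes) -> float:
    """Share of bytes that decode to printable EBCDIC text; near 0 for binary counters."""
    if not chunk:
        return 0.0
    txt = chunk.decode("cp037")
    return sum(32 <= ord(c) < 127 for c in txt) / len(chunk)


def triage(rec: bytes, sections_at: int) -> dict:
    """Collect the clues used in the post: type, VRM, gap content, relocatable sections."""
    vrm = rec[SMF80VRM_OFFSET : SMF80VRM_OFFSET + SMF80VRM_LEN].decode("cp037")
    has_vrm = vrm.isdigit()
    secs = parse_sections(rec, sections_at)
    return {
        "record_type": rec[SMF_RTY_OFFSET],
        "length_field": int.from_bytes(rec[0:2], "big"),
        "vrm": vrm if has_vrm else None,
        "gap_printable_ratio": printable_ratio(rec[FIXED_END:sections_at]),
        "sections": [(s.kind, SECTION_NAMES.get(s.kind, "?"), s.text()) for s in secs],
        # the post's inference: no version field at offset 80 => probably not RACF-written
        "looks_racf_written": has_vrm,
    }


SAMPLE_SECTIONS_AT = FIXED_END + 64 * 4       # constructed: 64 four-byte "counters"


def build_sample(with_vrm: bool) -> bytes:
    """Constructed record shaped like the one described in the post; not a real capture."""
    rec = bytearray(FIXED_END)
    rec[SMF_RTY_OFFSET] = SMF80_TYPE
    for i in range(64):                       # binary counters, no EBCDIC text
        rec += i.to_bytes(4, "big")
    if with_vrm:                              # illustrative version digits, not a real VRM
        rec[SMF80VRM_OFFSET : SMF80VRM_OFFSET + SMF80VRM_LEN] = "7790".encode("cp037")
    for kind, value in ((49, "Detection Status"), (17, "EK$CLASS"),
                        (1, "EKCA.SECURITY.DETECTION")):
        data = value.encode("cp037")
        rec += bytes([kind, len(data)]) + data
    rec[0:2] = len(rec).to_bytes(2, "big")   # record length in the first halfword
    return bytes(rec)


if __name__ == "__main__":
    for with_vrm in (False, True):
        print(triage(build_sample(with_vrm), SAMPLE_SECTIONS_AT))
```

For a real record, pass the dumped bytes and the offset of the first relocatable section (x'B52' in the case above) instead of the constructed sample; the `gap_printable_ratio` and the `vrm` result then give a quick, repeatable way to tell a RACF-written type 80 from one written by another product, which is also what an SMF exit check as Kees suggests would key on.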
