Sorry to be a little slow to respond -- been travelling. It was not part of the user's question, but I got to wondering about the following when considering your answer (and perhaps this was even part of the user's "SMF 30 does not cut it" thinking).
Is there then no logging of the situations that are reported by the new MFA 44x Extended Relos, such as "this user is supposed to be MFA but we let him on with a password only because the MFA server is down"? That would seem to be an exposure if that information is "lost."

Charles

-----Original Message-----
From: RACF Discussion List [mailto:rac...@listserv.uga.edu] On Behalf Of Sokolsky, Hayim Z.
Sent: Tuesday, May 22, 2018 5:50 PM
To: rac...@listserv.uga.edu
Subject: Re: Can TSO permit RACF to log logon successes?

IMHO ... TSO issues LOG=NONE because it would produce duplicate records. There is no simple way to change this behavior out of the box. The SMF type 30 (or 20) has the necessary information - and it is processed by RACF and the OEM vendor reporting tools.

You can write your own RACF RACINIT-post processing exit (ICHRIX02) and generate your own SMF type 80 record. I have to state that this is a total waste of effort. Placating the user in this case is a waste of time and money.

Good luck!

Hayim Sokolsky
Director, Security Architect
Security Architecture and Technology
Technology Risk Management
DTCC Tampa

-----Original Message-----
From: RACF Discussion List [mailto:rac...@listserv.uga.edu] On Behalf Of Charles Mills
Sent: Tuesday, May 22, 2018 11:12
To: rac...@listserv.uga.edu
Subject: Can TSO permit RACF to log logon successes?

X-Posted IBM-MAIN and RACF-L.
Apparently TSO specifies LOG=NONE or something like that on a TSO signon, such that no SMF record is cut in the event that the logon is successful -- is that correct?

Is that behavior configurable? Is there a way to configure TSO or RACF such that we would see an SMF type 80 record in the event of a successful TSO signon?

(Yes, I know we see an SMF Type 30 subtype 1 -- that is unfortunately not what the user wants.)

Charles