Tech-Tips: Did you know? How LOG=NOFAIL works.

Document created by Jacques_Hulak Employee on Apr 15, 2016

Per IBM documentation in IBM z/OS Security Server RACF:

 

If the authorization check fails, the attempt is not recorded. If the authorization check succeeds, the attempt is recorded as in ASIS.

 

In other words, in Top Secret terms: in WARN mode, where the access was allowed, logging took place; in FAIL mode, because the access was failed, no logging was done.

 

This is the way LOG=NOFAIL works.

 

Below are excerpts from the SECTRACE and SAF traces and from a TSSUTIL report showing what happens in each case:

 

**** SECTRACE

TSS-C-0877*USERX   XXXXXXXX B DASD-VOL200C G/0802020000,FF00200000 L/F00802

TSS-1 400010001000 00000000   T/8000000001 VOL000                          

TSS-2 000000 R/128880 S/000182,0A0000000000   INTRDR   A/191080 P/ADRDTDSC,3

TSS-4 02000000 009CABA0 7FF68B78  REQ/         SUB/   

0877 are the RC/DRC. * means the real return code is passed back to the caller. 20 is FAIL mode. 08 is LOG=NOFAIL.

**** SAF trace

CAS21D0I TRACEID: TSST     EVENT#:  02995466                          

CAS21D0I JOBNAME: XXXXXXXX USERID:  USERX   ASID: 0060               

CAS21D1I PROGRAM: ADRDTDSC RB CURR: ADRDTDSC APF:  YES  SFR/RFR: 8/8:0

CAS2200I RACROUTE REQUEST=AUTH,CLASS=(=>)'DASDVOL',RELEASE=1.9,       

CAS2200I          ATTR=READ,DSTYPE=(DEFAULT)N,ENTITY=((=>)'VOL000'),  

CAS2200I          GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,                    

CAS2200I          WORKA=(STRUCTURE SAFWORKA,=>,0022D0F0) 

**** No logging was done. Note SFR/RFR 8/8:0: the real return code is passed back to the caller.

 

**** SECTRACE

TSS-C-0877 USERX   XXXXXXXX B DASD-VOL400C G/0802020000,FF00200000 L/D00802

TSS-1 400010001000 00000000   T/8000000001 VOL000                          

TSS-2 000000 R/128880 S/000182,0A0000000000   INTRDR   A/191080 P/ADRDTDSC,3

TSS-4 02000000 009CABA0 7FF68B50  REQ/         SUB/     

0877 are the RC/DRC. " " (blank) means the real return code is NOT passed back to the caller; zero is passed back as the RC. 40 is WARN mode. 08 is LOG=NOFAIL.

**** SAF trace

CAS21D0I TRACEID: TSST     EVENT#:  02995624                          

CAS21D0I JOBNAME: XXXXXXXX USERID:  USERX   ASID: 0060               

CAS21D1I PROGRAM: ADRDTDSC RB CURR: ADRDTDSC APF:  YES  SFR/RFR: 0/0:0

CAS2200I RACROUTE REQUEST=AUTH,CLASS=(=>)'DASDVOL',RELEASE=1.9,       

CAS2200I          ATTR=READ,DSTYPE=(DEFAULT)N,ENTITY=((=>)'VOL000'),  

CAS2200I          GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,                    

CAS2200I          WORKA=(STRUCTURE SAFWORKA,=>,0022D0F0)              

**** Logging took place. Note SFR/RFR 0/0:0: the real return code is NOT passed back to the caller.

 

**** The TSSUTIL report shows the violation:

DATE        TIME         SYSID ACCESSOR  JOBNAME     FACILITY   MODE  VC  PROGRAM     R-ACCESS  A-ACCESS   SRC/DRC

 

dd.mm.yy  hh:mm:ss  SYSX  USERX          XXXXXXXX    BATCH       WARN         ADRDTDSC   READ           CREATE       *08*-77

                                    RESOURCE TYPE & NAME           VOLUME    VOL000            
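
The following is an added example, not part of the original document or of any CA/IBM tooling: a small Python script that reads the two SAF trace events shown above and reports which LOG=NOFAIL requests left no audit record, so that a reviewer knows the trace is the only evidence of the denied attempt. It assumes the first number in SFR/RFR is the return code handed back to the caller, as the notes above read it; the function names are hypothetical.

```python
import re

# The two SAF trace events from this article (trailing blanks removed).
SAF_TRACE = """\
CAS21D0I TRACEID: TSST     EVENT#:  02995466
CAS21D0I JOBNAME: XXXXXXXX USERID:  USERX   ASID: 0060
CAS21D1I PROGRAM: ADRDTDSC RB CURR: ADRDTDSC APF:  YES  SFR/RFR: 8/8:0
CAS2200I RACROUTE REQUEST=AUTH,CLASS=(=>)'DASDVOL',RELEASE=1.9,
CAS2200I          ATTR=READ,DSTYPE=(DEFAULT)N,ENTITY=((=>)'VOL000'),
CAS2200I          GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,
CAS2200I          WORKA=(STRUCTURE SAFWORKA,=>,0022D0F0)
CAS21D0I TRACEID: TSST     EVENT#:  02995624
CAS21D0I JOBNAME: XXXXXXXX USERID:  USERX   ASID: 0060
CAS21D1I PROGRAM: ADRDTDSC RB CURR: ADRDTDSC APF:  YES  SFR/RFR: 0/0:0
CAS2200I RACROUTE REQUEST=AUTH,CLASS=(=>)'DASDVOL',RELEASE=1.9,
CAS2200I          ATTR=READ,DSTYPE=(DEFAULT)N,ENTITY=((=>)'VOL000'),
CAS2200I          GENERIC=ASIS,LOG=NOFAIL,MSGSP=0,
CAS2200I          WORKA=(STRUCTURE SAFWORKA,=>,0022D0F0)
"""

def field(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_event(blob):
    """Extract the fields discussed in this article from one trace event."""
    # The RACROUTE parameter list wraps over several CAS2200I lines; rejoin it.
    req = "".join(l[8:].strip() for l in blob.splitlines() if l.startswith("CAS2200I"))
    return {
        "event": field(r"EVENT#:\s*(\d+)", blob),
        "userid": field(r"USERID:\s*(\S+)", blob),
        "class": field(r"CLASS=\(=>\)'([^']*)'", req),
        "entity": field(r"ENTITY=\(\(=>\)'([^']*)'", req),
        "log": field(r"\bLOG=(\w+)", req),
        "rc": field(r"SFR/RFR:\s*(\d+)/", blob),  # assumed: code returned to caller
    }

def parse_events(text):
    return [parse_event(b) for b in re.split(r"(?=^CAS21D0I TRACEID:)", text, flags=re.M) if "EVENT#:" in b]

def audit_outcome(ev):
    """LOG=NOFAIL: a failed check is not recorded, a successful one is."""
    if ev["log"] != "NOFAIL" or ev["rc"] is None:
        return "not applicable"
    return "logged" if int(ev["rc"]) == 0 else "denied, not logged"

if __name__ == "__main__":
    for ev in parse_events(SAF_TRACE):
        print(ev["event"], ev["userid"], ev["class"], ev["entity"], audit_outcome(ev))
```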
