OA61439: IMPROVE CONDITIONS FOR ALERTING ON SMF 42-27 RECORDS

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• Improve conditions for alerting on SMF 42-27 records
  
  
  The SMF 42-27 RESOURCE and PROFILE fields are missing.
  
  Documentation does not reflect that the SMF 42-27 RESOURCE and
  PROFILE fields are missing.
  
  Documentation does not reflect that INTENT tests are to be
  combined with RESOURCE, rather than DATASET tests.
  
  Wrong values DOP1 and the other values have been replaced
  with DOPI and other correct values.
  

Local fix

• N/A
  

Problem summary

• ****************************************************************
  * USERS AFFECTED: Users of zSecure Audit, Alert and Audit      *
  *                 interface for QRadar SIEM.                   *
  ****************************************************************
  * PROBLEM DESCRIPTION: zSecure Audit documentation does not    *
  *                      specify that for SMF records type 42,   *
  *                      sub-type 27 (VTOC audit log), the       *
  *                      DATASET and RESOURCE field reported by  *
  *                      zSecure SMF report are missing. The     *
  *                      TRANSACTION field of SMF report might   *
  *                      contain wrong values.                   *
  ****************************************************************
  * RECOMMENDATION: Apply the PTF provided and review the        *
  *                 documentation updates.                       *
  ****************************************************************
  zSecure Audit documentation does not specify that for SMF
  records type 42, sub-type 27 (VTOC audit log), the DATASET and
  RESOURCE field reported by zSecure SMF report are missing. The
  TRANSACTION field of SMF report might contain wrong values
  resulting in incorrect alerts.
  

Problem conclusion

• zSecure documentation has been modified to reflect that for SMF
  records type 42, sub-type 27 (VTOC audit log), the DATASET and
  RESOURCE fields reported by zSecure SMF report are missing.
  zSecure Audit has been modified so that the TRANSACTION field of
  SMF report displays correct values. Please note the
  documentation changes as provided by the APAR tracking comment
  data.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UJ05749

Modules/Macros

• C2R3SM01 C2R3SM06 C2R3SM0C C2R3SM0L C2R3SM0V CKASINT  CKQCEFG
  CKQLEEF  CKQLEEFL CKROUACC GKROUACC GKRSINT
  

Fix information

• Fixed component name

  ZSEC BASE,ADMIN

• Fixed component ID

  5655T0100

Applicable component levels

• R240 PSY UJ05749

     UP21/06/17 P F106

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.