| ACD$ |
Users who are using automatic command
direction |
Identifies users who are using the RACF® remote sharing facility for
automatic command direction |
| CADU |
Count of the IRRADU00 records |
Shows the number of SMF-recorded
events |
| CCMD |
Count of commands issued (by user) |
Shows the command activity for a
specific user |
| ECD$ |
Users who are directing commands
explicitly |
Identifies users who are using the RACF remote sharing facility to
explicitly direct commands by specifying "AT(node.user_ID)" |
| LOGB |
Users who log on with LOGON BY, a
VM facility |
Identifies users who are logging
on as other users |
| LOGF |
Users with excessive incorrect passwords |
Identifies users who have exceeded
a "bad password" threshold. This threshold is independent of
the SETROPTS PASSWORD(REVOKE(nn)) value |
| OPER |
Accesses allowed because the user
has OPERATIONS |
Identifies users with the OPERATIONS
attribute |
| PWD$ |
Users who are using password synchronization |
Identifies users who are using the RACF remote sharing facility |
| RACL |
RACLINK audit records |
Identifies users who are using the RACF remote sharing facility |
| RINC |
RACF class
initialization information |
Shows the status of RACF classes at RACF initialization |
| SELU |
All audit records for a specific
user |
Reports on all audited events for
a user |
| SPEC |
Accesses allowed because the user
has SPECIAL |
Identifies users with the SPECIAL
attribute |
| TRMF |
Excessive incorrect passwords from
terminals |
Identifies intruders who are attempting
to guess passwords but are moving from one ID to another to avoid
the revocation of user IDs |
| VIOL |
Access violations |
Identifies failed events |
| WARN |
Accesses allowed due to WARNING mode
profiles |
Identifies events that are allowed
but which you might want to prevent in the future |
z/OS Security Server RACF Auditor's Guide
Copyright IBM Corporation 1990, 2014