Need help in Finding who changed the password

 
aprocon

New User


Joined: 26 Oct 2010
Posts: 41
Location: chennai

Posted: Wed Jan 27, 2016 9:01 pm    Post subject: Need help in Finding who changed the password

Hi,

We had a situation wherein many of our jobs were failing because a group id was revoked. We figured out someone had changed the password (by checking the PASSDATE column from TSO LU command output). Our RACF administrators do not admit that they changed the password. We asked them to run an audit but the whole RACF administration team is very young and they have no idea about the Audits (sounds scary. huh?!!).

Is it possible to check who changed the password? Does anybody have any JCL which you could share with me to identify who changed it? I am a mainframe administrator and have most of the RACF privileges. (I did not change the password, though.. lol)

Please let me know should you have any questions.

Thanks in advance for your help!

Pete Wilson

Active User


Joined: 31 Dec 2009
Posts: 437
Location: London

Posted: Thu Jan 28, 2016 1:35 am

Perhaps the group ID had an end date set for it at the time it was defined and just naturally revoked itself when it reached that date?

But my money would be on someone you've already asked lying.
aprocon

New User


Joined: 26 Oct 2010
Posts: 41
Location: chennai

Posted: Thu Jan 28, 2016 1:55 am

It had a non-expiring password. When we had the failure for the first time we just resumed the id and did nothing to the password. Jobs failed when they tried to access with the original password. Later we resumed the id and set it back to the original password. Since then we have had no issues.

Yeah, I would bet my money on them too because they do not know what they are doing
Willy Jensen

New User


Joined: 01 Sep 2015
Posts: 96
Location: Switzerland

Posted: Thu Jan 28, 2016 7:07 pm

You can probably get the info from SMF type 80.

//*
//* EXTRACT: COPY SMF TYPE 80 RECORDS FOR THE TIME WINDOW
//*
//SMFFLT1A EXEC PGM=IFASMFDP
//SMFIN    DD DSN=SMF.HISTORY,DISP=SHR
//SMFOUT   DD DSN=&&EXTRACT,
//            RECFM=VB,LRECL=27998,BLKSIZE=0,
//            UNIT=SYSDA,DISP=(,PASS),SPACE=(CYL,(100,200),RLSE)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  INDD(SMFIN,OPTIONS(DUMP))
  OUTDD(SMFOUT,TYPE(80))
  DATE(2012348,2012348)
  START(1615)
  END(1630)
/*
//*
//* REPORT: RUN THE RACF REPORT WRITER (RACFRW) AGAINST THE EXTRACT
//*
//REPORT   EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SORTWK02 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SORTWK03 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//RSMFIN   DD DISP=SHR,DSN=&&EXTRACT
//SYSTSIN  DD *
 RACFRW
 SELECT USER(XX00001)
 LIST
 END
/*
aprocon

New User


Joined: 26 Oct 2010
Posts: 41
Location: chennai

Posted: Thu Jan 28, 2016 8:43 pm

Thanks Willy Jensen. Let me try it and update you.
steve-myers

Active User


Joined: 30 Nov 2013
Posts: 461
Location: The Universe

Posted: Thu Jan 28, 2016 9:59 pm

Mr. Jensen has a good idea, but I don't think RACF writes an SMF 80 record for a user initiated change. In other words, if XX00001 changed his own password, either through ALTUSER or the TSO-E LOGON panel, it won't be there.
aprocon

New User


Joined: 26 Oct 2010
Posts: 41
Location: chennai

Posted: Thu Jan 28, 2016 11:27 pm

Yeah, I can confirm your words, Steve-Myers. I ran the job against SMF record type 80 as Jensen suggested but I do not see any hits for the ALTUSER command. I could see hits for successful dataset access and dataset delete and one hit for RACINIT.

So no other way to identify who changed the password?
All times are GMT + 6 Hours