IBM Mainframe Forum Index
 
Log In
 
IBM Mainframe Forum Index Mainframe: Search IBM Mainframe Forum: FAQ Register
 

Need help in Finding who changed the password


IBM Mainframe Forums -> JCL & VSAM
Post new topic   Reply to topic
View previous topic :: View next topic  
Author Message
aprocon

New User


Joined: 26 Oct 2010
Posts: 41
Location: chennai

PostPosted: Wed Jan 27, 2016 9:01 pm
Reply with quote

Hi,

We had a situation wherein many of our jobs failing because a group id was revoked. We figured out somoeone had changed the password (by checking the PASSDATE column from TSO LU command output). Our RACF administrators do not admit that they changed the password. We asked them to run an audit but the whole RACF administration team is very young and they have no idea about the Audits (sounds scary. huh?!!).

Is it possible to check who changed the password? Does anybody have any JCL which you could share with me to identify who changed it? I am a mainframe administrator and have most of the RACF privileges. (I did not change the password, though.. lol)

Please let me know should you have any questions.

Thanks in advance for your help!
Back to top
View user's profile Send private message
Pete Wilson

Active User


Joined: 31 Dec 2009
Posts: 490
Location: London

PostPosted: Thu Jan 28, 2016 1:35 am
Reply with quote

Perhaps the group ID had an end date set for it at the time it was defined and just naturally revoked itself when it reached that date?

But my money would be on someone you've already asked lying. icon_lol.gif
Back to top
View user's profile Send private message
aprocon

New User


Joined: 26 Oct 2010
Posts: 41
Location: chennai

PostPosted: Thu Jan 28, 2016 1:55 am
Reply with quote

It had non expiry password. When we had failure for the first time we just resumed the id and did nothing to the password. Jobs failed when they tried to access with the original password. Later we had resumed and set the id back to the original password. since then we had no issues.

Yeah, I would bet my money on them too because they do not know what they are doing icon_smile.gif
Back to top
View user's profile Send private message
Willy Jensen

Active User


Joined: 01 Sep 2015
Posts: 416
Location: Denmark

PostPosted: Thu Jan 28, 2016 7:07 pm
Reply with quote

You can probably get the info from SMF type 80.

//*
//SMFFLT1A EXEC PGM=IFASMFDP
//SMFIN DD DSN=SMF.HISTORY,DISP=SHR
//SMFOUT DD DSN=&&EXTRACT,
// RECFM=VB,LRECL=27998,BLKSIZE=0,
// UNIT=SYSDA,DISP=(,PASS),SPACE=(CYL,(100,200),RLSE)
//SYSPRINT DD SYSOUT=*
INDD(SMFIN,OPTIONS(DUMP))
OUTDD(SMFOUT,TYPE(80))
DATE(2012348,2012348)
START(1615)
END(1630)
//*
//* REPORT
//*
//REPORT EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SORTWK01 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SORTWK02 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SORTWK03 DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//RSMFIN DD DISP=SHR,DSN=&&EXTRACT
//SYSTSIN DD *
RACFRW
SELECT USER(XX00001)
LIST
END
Back to top
View user's profile Send private message
aprocon

New User


Joined: 26 Oct 2010
Posts: 41
Location: chennai

PostPosted: Thu Jan 28, 2016 8:43 pm
Reply with quote

Thanks Willy Jensen. let me try it and update you.
Back to top
View user's profile Send private message
steve-myers

Active Member


Joined: 30 Nov 2013
Posts: 870
Location: The Universe

PostPosted: Thu Jan 28, 2016 9:59 pm
Reply with quote

Mr. Jensen has a good idea, but I don't think RACF writes an SMF 80 record for a user initiated change. In other words, if XX00001 changed his own password, either through ALTUSER or the TSO-E LOGON panel, it won't be there.
Back to top
View user's profile Send private message
aprocon

New User


Joined: 26 Oct 2010
Posts: 41
Location: chennai

PostPosted: Thu Jan 28, 2016 11:27 pm
Reply with quote

Yeah, I can confirm your words, Steve-Myers. I ran the job against SMF record type 80 as Jensen suggested but I do not see any hits for ALTUser command. I could see hits for successful dataset access and dataset delete and one hit for RACINIT.

So no other way to identify who changed the password?
Back to top
View user's profile Send private message
View previous topic :: :: View next topic  
Post new topic   Reply to topic View Bookmarks
All times are GMT + 6 Hours
Forum Index -> JCL & VSAM

 


Similar Topics
Topic Forum Replies
No new posts compare two file to find position/dat... SYNCSORT 2
No new posts can someone please help me in finding... IBM Tools 9
This topic is locked: you cannot edit posts or make replies. Finding the age of the person COBOL Programming 1
No new posts Finding Esoteric Unit Names Programma... All Other Mainframe Topics 2
No new posts Related to performing validation of f... DFSORT/ICETOOL 19
Search our Forums:

Back to Top