ok, you will know the user was authorised for using the cp command by getting the exit code. But how will you get it? What other alternates are? If you find a good way for solve this, plz share with us..
On 12/6/06, Schuh, Richard <[EMAIL PROTECTED]> wrote:
You are on the right track. Instead of relying on an EXEC, CP Exit code or altered commands might be a better path to take. One can almost always find a way of circumventing or subverting an EXEC if bypassing the logging is desired. ------------------------------ *From:* The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] *On Behalf Of *Zoltan Balogh *Sent:* Wednesday, December 06, 2006 11:27 AM *To:* IBMVM@LISTSERV.UARK.EDU *Subject:* Re: Are priv CP commands logged somewhere? i know world of VM's is very new for me but if i were under linux or windows i would rename the application, and i place (in this case) an EXEC what calls the original program with all of the given parameters, but then you can put some logging/any function for traces.. I dont know here is it a good way too or not On 12/6/06, Jim Vincent <[EMAIL PROTECTED]> wrote: > > According to my monitoring configurator (aka, Rick B) the CP VARY PROC > would be system config change and gets monitored. CP SET SHARE is > another > puppy. We need to know (without an ESM) when someone enters a command > like > that to be able to audit when, who and to what it was done. > > _______________________________________ > James Vincent > Systems Engineering Consultant > Nationwide Services Co., Technology Solutions > Mainframe, z/VM and z/Linux Support > One Nationwide Plaza 3-20-13 > Columbus OH 43215-2220 U.S.A > Voice: (614) 249-5547 Fax: (614) 677-7681 > mailto: [EMAIL PROTECTED] > > > The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU> wrote on > 12/06/2006 > 02:16:36 PM: > > > IBMVM@LISTSERV.UARK.EDU > > > > Are configuration monitor records cut for these events? > > > > Neale > > On Wednesday, 12/06/2006 at 01:58 EST, Jim Vincent > > < [EMAIL PROTECTED]> wrote: > > > I am just starting to dig, but thought I would toss this out to the > > list. > > > If someone enters a command like CP SET SHARE or CP VARY PROCESSOR, > are > > > those logged anywhere? Are they in the monitor data or accounting > data? >