Re: Who changed the mount attrib of a zFS?
True. Not just anybody can do those commands. I just don't know if the command itself would show up in any "log". RACF might well record the security event for requesting access to the proper profile. But that may not include the filesystem name in it. I wonder if z/OS UNIX has a tendency that I've seen in Linux. If I get a filesystem corruption, the filesystem automatically switches to READ-ONLY mode. -- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] > On Behalf Of Scott Ford > Sent: Wednesday, November 07, 2012 7:57 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: Who changed the mount attrib of a zFS? > > Yes , but someone has to have the RACF,acf2 or TSS authority to issue > the command right ? > > Scott ford > www.identityforge.com > > Tell me and I'll forget; show me and I may remember; involve me and > I'll understand. - Chinese Proverb > > > On Nov 7, 2012, at 8:45 AM, "McKown, John" > wrote: > > > Which "log"? And what is the source of the command? I can do an > UNMOUNT in TSO (interactive or batch) to remount a filesystem to READ. > I can also do a "chmount" command from a UNIX shell session > (interactive or batch) to do the same. I don't think either of these > commands writes to the z/OS SYSLOG or the UNIX syslog daemon (assuming > the OP is running it). > > > > -- > > John McKown > > Systems Engineer IV > > IT > > > > Administrative Services Group > > > > HealthMarkets(r) > > > > 9151 Boulevard 26 * N. Richland Hills * TX 76010 > > (817) 255-3225 phone * > > john.mck...@healthmarkets.com * www.HealthMarkets.com > > > > Confidentiality Notice: This e-mail message may contain confidential > > or proprietary information. If you are not the intended recipient, > > please contact the sender by reply e-mail and destroy all copies of > > the original message. HealthMarkets(r) is the brand name for products > > underwritten and issued by the insurance subsidiaries of > > HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), > > Mid-West National Life Insurance Company of TennesseeSM and The MEGA > > Life and Health Insurance Company.SM > > > > > >> -Original Message- > >> From: IBM Mainframe Discussion List [mailto:IBM- > m...@listserv.ua.edu] > >> On Behalf Of Scott Ford > >> Sent: Tuesday, November 06, 2012 6:17 PM > >> To: IBM-MAIN@LISTSERV.UA.EDU > >> Subject: Re: Who changed the mount attrib of a zFS? > >> > >> Roger, > >> > >> No problem, so that leaves an Operator or someone authorized to > issue > >> the command. > >> Another possibility would be a software product, maybe. > >> > >> If you have you sys logs you could try to find who issued the > command > >> > >> Scott ford > >> www.identityforge.com > >> > >> Tell me and I'll forget; show me and I may remember; involve me and > >> I'll understand. - Chinese Proverb > >> > >> > >> On Nov 6, 2012, at 3:26 PM, Roger Lowe > wrote: > >> > >>> Scott, > >>> I should have been a little more clear on my original post - > >>> the BPXRMxx parmlib member has the file being mounted in RW mode, > >>> but somehow during normal operations, the file mount attribute got > >> changed > >>> from RW to R. I can't use the SMF Type 92 records as they are > >>> currently not being recorded :( I have also looked at the Type 80 > >>> records and RACF Event Codes 44 and 55 (Mount and UnMount) but that > >>> has also been unsuccessful > >>> > >>> Roger > >>> > >>> On Tue, 6 Nov 2012 10:21:29 -0500, Scott Ford > >> wrote: > >>> > >>>> Roger, > >>>
Re: Who changed the mount attrib of a zFS?
ftp://public.dhe.ibm.com/eserver/zseries/zos/racf/pdf/r05_unix_file_security.pdf Scott ford www.identityforge.com Tell me and I'll forget; show me and I may remember; involve me and I'll understand. - Chinese Proverb On Nov 7, 2012, at 8:45 AM, "McKown, John" wrote: > Which "log"? And what is the source of the command? I can do an UNMOUNT in > TSO (interactive or batch) to remount a filesystem to READ. I can also do a > "chmount" command from a UNIX shell session (interactive or batch) to do the > same. I don't think either of these commands writes to the z/OS SYSLOG or the > UNIX syslog daemon (assuming the OP is running it). > > -- > John McKown > Systems Engineer IV > IT > > Administrative Services Group > > HealthMarkets(r) > > 9151 Boulevard 26 * N. Richland Hills * TX 76010 > (817) 255-3225 phone * > john.mck...@healthmarkets.com * www.HealthMarkets.com > > Confidentiality Notice: This e-mail message may contain confidential or > proprietary information. If you are not the intended recipient, please > contact the sender by reply e-mail and destroy all copies of the original > message. HealthMarkets(r) is the brand name for products underwritten and > issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake > Life Insurance Company(r), Mid-West National Life Insurance Company of > TennesseeSM and The MEGA Life and Health Insurance Company.SM > > >> -Original Message- >> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] >> On Behalf Of Scott Ford >> Sent: Tuesday, November 06, 2012 6:17 PM >> To: IBM-MAIN@LISTSERV.UA.EDU >> Subject: Re: Who changed the mount attrib of a zFS? >> >> Roger, >> >> No problem, so that leaves an Operator or someone authorized to issue >> the command. >> Another possibility would be a software product, maybe. >> >> If you have you sys logs you could try to find who issued the command >> >> Scott ford >> www.identityforge.com >> >> Tell me and I'll forget; show me and I may remember; involve me and >> I'll understand. - Chinese Proverb >> >> >> On Nov 6, 2012, at 3:26 PM, Roger Lowe wrote: >> >>> Scott, >>> I should have been a little more clear on my original post - >>> the BPXRMxx parmlib member has the file being mounted in RW mode, but >>> somehow during normal operations, the file mount attribute got >> changed >>> from RW to R. I can't use the SMF Type 92 records as they are >>> currently not being recorded :( I have also looked at the Type 80 >>> records and RACF Event Codes 44 and 55 (Mount and UnMount) but that >>> has also been unsuccessful >>> >>> Roger >>> >>> On Tue, 6 Nov 2012 10:21:29 -0500, Scott Ford >> wrote: >>> >>>> Roger, >>>> >>>> If Its the member of parmlib, look at the security subsystems >>>> definitions for that library, I.e.; DATASET >>>> >>>> Scott ford >>>> www.identityforge.com >>>> >>>> Tell me and I'll forget; show me and I may remember; involve me and >>>> I'll understand. - Chinese Proverb >>>> >>>> >>>> On Nov 5, 2012, at 8:50 PM, Roger Lowe >> wrote: >>>> >>>>> Hi, >>>>> is there an easy way to identify who might have changed the MOUNT >> attribute of a zFS from RW to R? >>>>> >>>>> Thanks, Roger >>>>> >>>>> --- >> - >>>>> -- For IBM-MAIN subscribe / signoff / archive access instructions, >>>>> send email to lists...@listserv.ua.edu with the message: INFO >>>>> IBM-MAIN >>> - >> - >>> For IBM-MAIN subscribe / signoff / archive access instructions, send >>> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> >> -- >> For IBM-MAIN subscribe / signoff / archive access instructions, send >> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Who changed the mount attrib of a zFS?
Yes , but someone has to have the RACF,acf2 or TSS authority to issue the command right ? Scott ford www.identityforge.com Tell me and I'll forget; show me and I may remember; involve me and I'll understand. - Chinese Proverb On Nov 7, 2012, at 8:45 AM, "McKown, John" wrote: > Which "log"? And what is the source of the command? I can do an UNMOUNT in > TSO (interactive or batch) to remount a filesystem to READ. I can also do a > "chmount" command from a UNIX shell session (interactive or batch) to do the > same. I don't think either of these commands writes to the z/OS SYSLOG or the > UNIX syslog daemon (assuming the OP is running it). > > -- > John McKown > Systems Engineer IV > IT > > Administrative Services Group > > HealthMarkets(r) > > 9151 Boulevard 26 * N. Richland Hills * TX 76010 > (817) 255-3225 phone * > john.mck...@healthmarkets.com * www.HealthMarkets.com > > Confidentiality Notice: This e-mail message may contain confidential or > proprietary information. If you are not the intended recipient, please > contact the sender by reply e-mail and destroy all copies of the original > message. HealthMarkets(r) is the brand name for products underwritten and > issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake > Life Insurance Company(r), Mid-West National Life Insurance Company of > TennesseeSM and The MEGA Life and Health Insurance Company.SM > > >> -Original Message- >> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] >> On Behalf Of Scott Ford >> Sent: Tuesday, November 06, 2012 6:17 PM >> To: IBM-MAIN@LISTSERV.UA.EDU >> Subject: Re: Who changed the mount attrib of a zFS? >> >> Roger, >> >> No problem, so that leaves an Operator or someone authorized to issue >> the command. >> Another possibility would be a software product, maybe. >> >> If you have you sys logs you could try to find who issued the command >> >> Scott ford >> www.identityforge.com >> >> Tell me and I'll forget; show me and I may remember; involve me and >> I'll understand. - Chinese Proverb >> >> >> On Nov 6, 2012, at 3:26 PM, Roger Lowe wrote: >> >>> Scott, >>> I should have been a little more clear on my original post - >>> the BPXRMxx parmlib member has the file being mounted in RW mode, but >>> somehow during normal operations, the file mount attribute got >> changed >>> from RW to R. I can't use the SMF Type 92 records as they are >>> currently not being recorded :( I have also looked at the Type 80 >>> records and RACF Event Codes 44 and 55 (Mount and UnMount) but that >>> has also been unsuccessful >>> >>> Roger >>> >>> On Tue, 6 Nov 2012 10:21:29 -0500, Scott Ford >> wrote: >>> >>>> Roger, >>>> >>>> If Its the member of parmlib, look at the security subsystems >>>> definitions for that library, I.e.; DATASET >>>> >>>> Scott ford >>>> www.identityforge.com >>>> >>>> Tell me and I'll forget; show me and I may remember; involve me and >>>> I'll understand. - Chinese Proverb >>>> >>>> >>>> On Nov 5, 2012, at 8:50 PM, Roger Lowe >> wrote: >>>> >>>>> Hi, >>>>> is there an easy way to identify who might have changed the MOUNT >> attribute of a zFS from RW to R? >>>>> >>>>> Thanks, Roger >>>>> >>>>> --- >> - >>>>> -- For IBM-MAIN subscribe / signoff / archive access instructions, >>>>> send email to lists...@listserv.ua.edu with the message: INFO >>>>> IBM-MAIN >>> - >> - >>> For IBM-MAIN subscribe / signoff / archive access instructions, send >>> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN >> >> -- >> For IBM-MAIN subscribe / signoff / archive access instructions, send >> email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Who changed the mount attrib of a zFS?
Which "log"? And what is the source of the command? I can do an UNMOUNT in TSO (interactive or batch) to remount a filesystem to READ. I can also do a "chmount" command from a UNIX shell session (interactive or batch) to do the same. I don't think either of these commands writes to the z/OS SYSLOG or the UNIX syslog daemon (assuming the OP is running it). -- John McKown Systems Engineer IV IT Administrative Services Group HealthMarkets(r) 9151 Boulevard 26 * N. Richland Hills * TX 76010 (817) 255-3225 phone * john.mck...@healthmarkets.com * www.HealthMarkets.com Confidentiality Notice: This e-mail message may contain confidential or proprietary information. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. HealthMarkets(r) is the brand name for products underwritten and issued by the insurance subsidiaries of HealthMarkets, Inc. -The Chesapeake Life Insurance Company(r), Mid-West National Life Insurance Company of TennesseeSM and The MEGA Life and Health Insurance Company.SM > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] > On Behalf Of Scott Ford > Sent: Tuesday, November 06, 2012 6:17 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: Who changed the mount attrib of a zFS? > > Roger, > > No problem, so that leaves an Operator or someone authorized to issue > the command. > Another possibility would be a software product, maybe. > > If you have you sys logs you could try to find who issued the command > > Scott ford > www.identityforge.com > > Tell me and I'll forget; show me and I may remember; involve me and > I'll understand. - Chinese Proverb > > > On Nov 6, 2012, at 3:26 PM, Roger Lowe wrote: > > > Scott, > >I should have been a little more clear on my original post - > > the BPXRMxx parmlib member has the file being mounted in RW mode, but > > somehow during normal operations, the file mount attribute got > changed > > from RW to R. I can't use the SMF Type 92 records as they are > > currently not being recorded :( I have also looked at the Type 80 > > records and RACF Event Codes 44 and 55 (Mount and UnMount) but that > > has also been unsuccessful > > > > Roger > > > > On Tue, 6 Nov 2012 10:21:29 -0500, Scott Ford > wrote: > > > >> Roger, > >> > >> If Its the member of parmlib, look at the security subsystems > >> definitions for that library, I.e.; DATASET > >> > >> Scott ford > >> www.identityforge.com > >> > >> Tell me and I'll forget; show me and I may remember; involve me and > >> I'll understand. - Chinese Proverb > >> > >> > >> On Nov 5, 2012, at 8:50 PM, Roger Lowe > wrote: > >> > >>> Hi, > >>> is there an easy way to identify who might have changed the MOUNT > attribute of a zFS from RW to R? > >>> > >>> Thanks, Roger > >>> > >>> --- > - > >>> -- For IBM-MAIN subscribe / signoff / archive access instructions, > >>> send email to lists...@listserv.ua.edu with the message: INFO > >>> IBM-MAIN > > - > - > > For IBM-MAIN subscribe / signoff / archive access instructions, send > > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, send > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Who changed the mount attrib of a zFS?
Roger, No problem, so that leaves an Operator or someone authorized to issue the command. Another possibility would be a software product, maybe. If you have you sys logs you could try to find who issued the command Scott ford www.identityforge.com Tell me and I'll forget; show me and I may remember; involve me and I'll understand. - Chinese Proverb On Nov 6, 2012, at 3:26 PM, Roger Lowe wrote: > Scott, >I should have been a little more clear on my original post - the > BPXRMxx parmlib member has the file being mounted in RW mode, but somehow > during normal operations, the file mount attribute got changed from RW to R. > I can't use the SMF Type 92 records as they are currently not being recorded > :( > I have also looked at the Type 80 records and RACF Event Codes 44 and 55 > (Mount and UnMount) but that has also been unsuccessful > > Roger > > On Tue, 6 Nov 2012 10:21:29 -0500, Scott Ford wrote: > >> Roger, >> >> If Its the member of parmlib, look at the security subsystems definitions >> for that library, I.e.; DATASET >> >> Scott ford >> www.identityforge.com >> >> Tell me and I'll forget; show me and I may remember; involve me and I'll >> understand. - Chinese Proverb >> >> >> On Nov 5, 2012, at 8:50 PM, Roger Lowe wrote: >> >>> Hi, >>> is there an easy way to identify who might have changed the MOUNT >>> attribute of a zFS from RW to R? >>> >>> Thanks, Roger >>> >>> -- >>> For IBM-MAIN subscribe / signoff / archive access instructions, >>> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Who changed the mount attrib of a zFS?
W dniu 2012-11-06 21:26, Roger Lowe pisze: Scott, I should have been a little more clear on my original post - the BPXRMxx parmlib member has the file being mounted in RW mode, but somehow during normal operations, the file mount attribute got changed from RW to R. I can't use the SMF Type 92 records as they are currently not being recorded :( I have also looked at the Type 80 records and RACF Event Codes 44 and 55 (Mount and UnMount) but that has also been unsuccessful It was ADMIN! Yes, I mean it. Only few trusted persons should have such privilege. While it's nice to get the information from soem log, it would be even better to narrow the list of authorized personnel. -- Radoslaw Skorupka Lodz, Poland -- Treść tej wiadomości może zawierać informacje prawnie chronione Banku przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie lub inne działanie o podobnym charakterze jest prawnie zabronione i może być karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku. This e-mail may contain legally privileged information of the Bank and is intended solely for business use of the addressee. This e-mail may only be received by the addressee and may not be disclosed to any third parties. If you are not the intended addressee of this e-mail or the employee authorised to forward it to the addressee, be advised that any dissemination, copying, distribution or any other similar activity is legally prohibited and may be punishable. If you received this e-mail by mistake please advise the sender immediately by using the reply facility in your e-mail software and delete permanently this e-mail including any copies of it either printed or saved to hard drive. BRE Bank SA, 00-950 Warszawa, ul. Senatorska 18, tel. +48 (22) 829 00 00, fax +48 (22) 829 00 33, www.brebank.pl, e-mail: i...@brebank.pl Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2012 r. kapitał zakładowy BRE Banku SA (w całości wpłacony) wynosi 168.410.984 złotych. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Who changed the mount attrib of a zFS?
Scott, I should have been a little more clear on my original post - the BPXRMxx parmlib member has the file being mounted in RW mode, but somehow during normal operations, the file mount attribute got changed from RW to R. I can't use the SMF Type 92 records as they are currently not being recorded :( I have also looked at the Type 80 records and RACF Event Codes 44 and 55 (Mount and UnMount) but that has also been unsuccessful Roger On Tue, 6 Nov 2012 10:21:29 -0500, Scott Ford wrote: >Roger, > >If Its the member of parmlib, look at the security subsystems definitions for >that library, I.e.; DATASET > >Scott ford >www.identityforge.com > >Tell me and I'll forget; show me and I may remember; involve me and I'll >understand. - Chinese Proverb > > >On Nov 5, 2012, at 8:50 PM, Roger Lowe wrote: > >> Hi, >> is there an easy way to identify who might have changed the MOUNT >> attribute of a zFS from RW to R? >> >> Thanks, Roger >> >> -- >> For IBM-MAIN subscribe / signoff / archive access instructions, >> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Who changed the mount attrib of a zFS?
Roger, If Its the member of parmlib, look at the security subsystems definitions for that library, I.e.; DATASET Scott ford www.identityforge.com Tell me and I'll forget; show me and I may remember; involve me and I'll understand. - Chinese Proverb On Nov 5, 2012, at 8:50 PM, Roger Lowe wrote: > Hi, > is there an easy way to identify who might have changed the MOUNT attribute > of a zFS from RW to R? > > Thanks, Roger > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Who changed the mount attrib of a zFS?
Hi, is there an easy way to identify who might have changed the MOUNT attribute of a zFS from RW to R? Thanks, Roger -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
