Reports based on the SMF data unload utility (IRRADU00)
The following reports are based on the output of IRRADU00. You
can find a sample of each report in SYS1.SAMPLIB.
Name | Description | Value |
---|---|---|
ACD$ | Users who are using automatic command direction | Identifies users who are using the RACF® remote sharing facility for automatic command direction |
CADU | Count of the IRRADU00 records | Shows the number of SMF-recorded events |
CCMD | Count of commands issued (by user) | Shows the command activity for a specific user |
ECD$ | Users who are directing commands explicitly | Identifies users who are using the RACF remote sharing facility to explicitly direct commands by specifying "AT(node.user_ID)" |
LOGB | Users who log on with LOGON BY, a VM facility | Identifies users who are logging on as other users |
LOGF | Users with excessive incorrect passwords | Identifies users who have exceeded a "bad password" threshold. This threshold is independent of the SETROPTS PASSWORD(REVOKE(nn)) value |
OPER | Accesses allowed because the user has OPERATIONS | Identifies users with the OPERATIONS attribute |
PWD$ | Users who are using password synchronization | Identifies users who are using the RACF remote sharing facility |
RACL | RACLINK audit records | Identifies users who are using the RACF remote sharing facility |
RINC | RACF class initialization information | Shows the status of RACF classes at RACF initialization |
SELU | All audit records for a specific user | Reports on all audited events for a user |
SPEC | Accesses allowed because the user has SPECIAL | Identifies users with the SPECIAL attribute |
TRMF | Excessive incorrect passwords from terminals | Identifies intruders who are attempting to guess passwords but are moving from one ID to another to avoid the revocation of user IDs |
VIOL | Access violations | Identifies failed events |
WARN | Accesses allowed due to WARNING mode profiles | Identifies events that are allowed but which you might want to prevent in the future |