Table of Event Codes and Event Code Qualifiers
This table describes the SMF80EVT (event code) and SMF80EVQ (event code qualifier) fields.
There are exceptions for event code 1 (logon/logoff): event qualifier codes 8, 12, 13, and 40 are not violations or warnings.
For event codes 8 through 25, an event code qualifier of 1 indicates
one of the following:
- The command user is not RACF-defined.
- The command user is not authorized to change the requested profiles on the RACF® database.
- The command user does not have sufficient authority for any of the operands on the command.
Event code qualifiers of 3 and 4 apply to the ADDSD, ALTDSD, and DELDSD commands. They indicate whether the retrieval of the data set affected by the SECLABEL change was successful (3) or not (4).
Note: The event code qualifier is 0 if the recorded event is not a
violation or a warning.
For detailed descriptions of the SMF event code qualifiers, refer to Event Code Qualifiers.
Event
1( 1): LOGON, (X)AUTOLOG, or password validation by REQUEST=VERIFY(X)
or DIAGNOSE 0x88
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP Values) |
|---|---|---|
| 0( 0) | Successful Initiation | 20,46,47,49,53,55, 443 |
| 1( 1) | Invalid password | |
| 2( 2) | Invalid group | |
| 3( 3) | Invalid OIDCARD | |
| 4( 4) | Invalid terminal/console | |
| 5( 5) | Invalid application | |
| 6( 6) | Revoked user attempting access | |
| 7( 7) | User ID automatically revoked because of excessive password and password phrase attempts | |
| 8( 8) | Successful termination | |
| 9( 9) | Undefined user ID | |
| 10( A) | Insufficient security label authority | |
| 11( B) | Not authorized to security label | |
| 12( C) | Successful RACINIT initiation | |
| 13( D) | Successful RACINIT delete | |
| 14( E) | System now requires more authority | |
| 15( F) | Remote job entry - job not authorized | |
| 16(10) | SURROGAT class is inactive | |
| 17(11) | Submitter is not authorized by user | |
| 18(12) | Submitter not authorized to security label | |
| 19(13) | User is not authorized to job | |
| 20(14) | WARNING - Insufficient security label authority | |
| 21(15) | WARNING - security label missing from user, job or profile | |
| 22(16) | WARNING - not authorized to security label | |
| 23(17) | Security labels not compatible | |
| 24(18) | WARNING - security labels not compatible | |
| 25(19) | Current PASSWORD has expired | |
| 26(1A) | Invalid new PASSWORD | |
| 27(1B) | Verification failed by installation | |
| 28(1C) | Group access has been revoked | |
| 29(1D) | OIDCARD is required | |
| 30(1E) | Network job entry - job not authorized | |
| 31(1F) | Warning - unknown user from trusted node propagated | |
| 32(20) | Successful initiation using PassTicket | |
| 33(21) | Attempted replay of PassTicket | |
| 35(23) | User automatically revoked because of inactivity | |
| 36(24) | Password phrase is not valid | |
| 37(25) | New password phrase is not valid | |
| 38(26) | Current password phrase has expired | |
| 40(28) | SUCCESSM - Successful Multi-Factor Authentication | |
| 41(29) | INVMFA - Failed Multi-Factor Authentication | |
| 42(2A) | MFAUNAVL - Multi-Factor Authentication unavailable |
Event
2( 2): RESOURCE ACCESS (detected by RACHECK request and DIRAUTH
function, and VMXEVENT auditing)
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP Values) |
|---|---|---|
0( 0)
|
Successful access | 1, 3, 4, 5, 15, 16, 17, 20, 33, 38, 46, 48, 49, 51, 53, 54, 55 (see Notes 1 and 2) |
1( 1)
|
Insufficient authority | |
2( 2)
|
Profile not found - RACFIND specified on macro | |
3( 3)
|
Access permitted due to warning | |
4( 4)
|
Failed due to PROTECTALL | |
5( 5)
|
WARNING issued due to PROTECTALL | |
6( 6)
|
Insufficient CATEGORY/SECLEVEL | |
7( 7)
|
Insufficient security label authority | |
8( 8)
|
WARNING - security label missing from job, user, or profile | |
9( 9)
|
WARNING - insufficient security label authority | |
10( A)
|
WARNING - Data set not cataloged | |
11( B)
|
Data set not cataloged | |
12( C)
|
Profile not found - required for authority checking | |
13( D)
|
WARNING - insufficient CATEGORY/SECLEVEL |
Note 1: The SMF80DTP value 4 (access authority allowed)
can be less than the SMF80DTP value 3 (access authority requested)
in two cases:
- When RACF authorizes access to a user who requested access to a database because the user has the OPERATIONS attribute.
- When the RACHECK request exit routine returns a return code of 12, which indicates that the request should be granted.
Note 2: The SMF80DTP value of 16 appears only when the RACHECK request received an old volume (OLDVOL) as input. The value of 33 appears when a generic profile is used.
Event
3( 3): ADDVOL/CHGVOL (detected by RACDEF request TYPE=ADDVOL or CHGVOL)
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP Values) |
|---|---|---|
0( 0)
|
Successful processing of new volume | 1, 4, 5, 15, 16, 17, 33, 38, 44, 46, 49, 53, 55 (see Note) |
1( 1)
|
Insufficient authority (DATASET only) |
Note: The SMF80DTP value of 16 appears only when the RACHECK request received an old volume (OLDVOL) as input. The value of 33 appears when a generic profile is used.
Event
4( 4): RENAME RESOURCE (detected by RACDEF request TYPE=DEFINE or
NEWNAME
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP Values) |
|---|---|---|
0( 0)
|
Successful rename | 1, 2, 5, 15, 17, 33, 38, 44, 46, 49, 53, 55 |
1( 1)
|
Invalid group | |
2( 2)
|
User not in group | |
3( 3)
|
Insufficient authority | |
4( 4)
|
Resource name already defined | |
5( 5)
|
User not defined to RACF | |
6( 6)
|
Resource not protected | |
7( 7)
|
WARNING - resource not protected | |
8( 8)
|
User in second qualifier is not RACF-defined |
Note: In cases where the RACDEF request is used to rename a resource (SMF80EVT=4), the data type 33 relocate section can hold a generic resource name that is either the old or the new name, or it can hold the generic profile that protects the old or the new name.
Event 5( 5): DELETE RESOURCE (detected by RACDEF
request TYPE=DELETE or DELETE)
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP Values) |
|---|---|---|
0( 0)
|
Successful scratch | 1, 5, 15, 17, 33, 38, 44, 46, 49, 53, 55 |
1( 1)
|
Resource not found | |
2( 2)
|
Invalid volume identification (DATASET only) |
Event
6( 6): DELETE 1 VOLUME OF MULTIVOLUME RESOURCE (detected by RACDEF
request TYPE=DELETE)
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP Values) |
|---|---|---|
0( 0)
|
Successful deletion | 1, 5, 8, 15, 17, 38, 44, 46, 49, 53, 55 |
Event
7( 7): DEFINE RESOURCE (detected by RACDEF request TYPE=DEFINE)
| Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP Values) |
|---|---|---|
0( 0)
|
Successful definition | 1, 5, 15, 17, 18, 19, 33, 38, 40, 44, 46, 49, 53, 55 |
1( 1)
|
Group undefined | |
2( 2)
|
User not in group | |
3( 3)
|
Insufficient authority | |
4( 4)
|
Resource name already defined | |
5( 5)
|
User not defined to RACF | |
6( 6)
|
Resource not protected | |
7( 7)
|
WARNING - resource not protected | |
8( 8)
|
WARNING - security label missing from job, user, or profile | |
9( 9)
|
WARNING - insufficient security label authority | |
10( A)
|
User in second qualifier is not RACF-defined |
| EVENT Dec(Hex) | Command | Code Qualifier Dec(Hex) | Description | Relocate type sections (Possible SMF80DTP Values) |
|---|---|---|---|---|
| 8( 8) | ADDSD | 0( 0) | No violations detected | 6, 7, 10, 13, 33, 38, 40, 44, 49, 50, 51, 53, 55, 62, 63 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a security label change | |||
| 4( 4) | Error during retrieval of data set names affected by a security label change | |||
| 9( 9) | ADDGROUP | 0( 0) | No violations detected | 6, 7, 37, 38, 44, 49, 53, 55, 63 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 10( A) | ADDUSER | 0( 0) | No violations detected | 6, 7, 8, 28, 37, 38, 40, 44, 49, 53, 55, 440 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 11( B) | ALTDSD | 0( 0) | No violations detected | 6, 7, 10, 11, 33, 38, 40, 41, 44, 49, 50, 51, 53, 55, 62, 63 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 12( C) | ALTGROUP | 0( 0) | No violations detected | 6, 7, 37, 38, 44, 49, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 13( D) | ALTUSER | 0( 0) | No violations detected | 6, 7, 8, 28, 37, 38, 40, 41, 44, 49, 53, 55, 440 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 14( E) | CONNECT | 0( 0) | No violations detected | 6, 38, 49, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 15( F) | DELDSD | 0( 0) | No violations detected | 6, 38, 49, 50, 51, 53, 55, 62, 63 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 16(10) | DELGROUP | 0( 0) | No violations detected | 6, 38, 44, 49, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 17(11) | DELUSER | 0( 0) | No violations detected | 6, 38, 44, 49, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 18(12) | PASSWORD | 0( 0) | No violations detected | 6, 38, 44, 49, 53 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 19(13) | PERMIT (including PERMFILE and PERMDIR) | 0( 0) | No violations detected | 6, 9, 12, 13, 14, 17, 26, 38, 39, 49, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 20(14) | RALTER (including ALTFILE and ALTDIR) | 0( 0) | No violations detected | 6, 7, 9, 10, 11, 17, 24, 25, 29, 33, 38, 40, 41, 44, 49, 50, 51, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 21(15) | RDEFINE (including ADDFILE and ADDDIR) | 0( 0) | No violations detected | 6, 7, 9, 17, 24, 29, 33, 38, 40, 44, 49, 50, 51, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 22(16) | RDELETE (including DELFILE and DELDIR) | 0( 0) | No violations detected | 6, 9, 17, 38, 44, 49, 50, 51, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 23(17) | REMOVE | 0( 0) | No violations detected | 6, 17, 38, 49, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 24(18) | SETROPTS | 0( 0) | No violations detected | 6, 21, 22, 23, 27, 32, 34, 35, 36, 42, 43, 44, 45, 49, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 25(19) | RVARY | 0( 0) | No violations detected | 6, 27, 30, 31, 49, 53, 55 |
| 1( 1) | Insufficient authority (no update to RACF database) | |||
| 2( 2) | Keyword violations detected (partial update to RACF database) | |||
| 3( 3) | Successful retrieval of data set names affected by a SECLABEL change | |||
| 4( 4) | Error during retrieval of data set names affected by a SECLABEL change | |||
| 26(1A) | APPC SESSION ESTABLISHMENT | 0( 0) | Partner verification was successful | 1, 17, 33, 38, 49, 53, 55 |
| 1( 1) | Session established without verification | |||
| 2( 2) | Local LU key will expire in <= 5 days | |||
| 3( 3) | Partner LU access has been revoked | |||
| 4( 4) | Partner LU key does not match this LU key | |||
| 5( 5) | Session terminated for security reason | |||
| 6( 6) | Required SESSION KEY not defined | |||
| 7( 7) | Possible security attack by partner LU | |||
| 8( 8) | SESSION KEY not defined for partner LU | |||
| 9( 9) | SESSION KEY not defined for this LU | |||
| 10( A) | SNA security-related protocol error | |||
| 11( B) | Profile change during verification | |||
| 12( C) | Expired SESSION KEY | |||
| 27(1B) | GENERAL | 0( 0)
⋮ 99(63) |
General purpose auditing
These qualifiers are installation defined. |
17, 46, 49, 53, 55 |
| 28(1C) | DIRECTORY SEARCH | 0( 0) | Access allowed | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 291, 295, 297, 298, 299, 307, 308, 309, 310 |
| 1( 1) | Not authorized to search directory | |||
| 29(1D) | CHECK ACCESS TO DIRECTORY | 0( 0) | Access allowed | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 297, 298, 299, 307, 308, 309, 310 |
| 1( 1) | Caller does not have requested access authority | |||
| 30(1E) | CHECK ACCESS TO FILE | 0( 0) | Access allowed | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 267, 268, 269, 270, 298, 299, 307, 308, 309, 310 |
| 1( 1) | Caller does not have requested access authority | |||
| 31(1F) | CHAUDIT | 0( 0) | File's audit options changed | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 292, 293, 294, 307, 308, 309, 310 |
| 1( 1) | Caller does not have authority to change user audit options of specified file | |||
| 2( 2) | Caller does not have authority to change auditor audit options | |||
| 33(21) | CHMOD | 0( 0) | File's mode changed | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 289, 290, 296, 307, 308, 309, 310 |
| 1( 1) | Caller does not have authority to change mode of specified file | |||
| 34(22) | CHOWN | 0( 0) | File's owner or group owner changed | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 280, 281, 307, 308, 309, 310 |
| 1( 1) | Caller does not have authority to change owner or group owner of specified file | |||
| 36(24) | EXEC WITH SETUID/SETGID | 0( 0) | Successful change of UIDs and GIDs | 17, 256, 257, 258, 259, 260, 261, 262, 272, 273, 274, 275, 276, 277, 280, 281 |
| 1( 1) | Caller does not have access to the appropriate EXEC.Uuid profile in the VMPOSIX class. This qualifier is only relevant to z/VM®. On z/OS®, there are no failure cases. | |||
| 2( 2) | Caller does not have access to the appropriate EXEC.Ggid profile in the VMPOSIX class. This qualifier is only relevant to z/VM. On z/OS, there are no failure cases. | |||
| 41(29) | LINK | 0( 0) | New link created | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 270, 299, 307, 308, 309, 310 |
| * | Failures logged as directory search or check access event types | |||
| 42(2A) | MKDIR | 0( 0) | Directory successfully created | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 290, 296, 307, 308, 309, 310 |
| * | Failures logged as directory search or check access event types | |||
| 43(2B) | MKNOD | 0( 0) | Successful creation of a node | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 290, 296, 307, 308, 309, 310 |
| * | Failures logged as directory search or check access event types | |||
| 45(2D) | OPEN (NEW FILE) | 0( 0) | File successfully created | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 290, 296, 307, 308, 309, 310 |
| * | Failures logged as directory search or check access event types | |||
| 47(2F) | RENAME | 0( 0) | Rename successful | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 270, 271, 278, 279, 299, 302, 307, 308, 309, 310, 311, 312, 313, 314 |
| * | Failures logged as directory search or check access event types | |||
| 48(30) | RMDIR | 0( 0) | Successful RMDIR | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 307, 308, 309, 310 |
| * | Failures logged as directory search or check access event types | |||
| 49(31) | SETEGID | 0( 0) | Successful change of effective GID | 17, 256, 257, 258, 259, 260, 261, 262, 275, 276, 277, 281 |
| 1( 1) | Not authorized to SETEGID | |||
| 50(32) | SETEUID | 0( 0) | Successful change of effective UID | 17, 256, 257, 258, 259, 260, 261, 262, 272, 273, 274, 280 |
| 1( 1) | Not authorized to SETEUID | |||
| 51(33) | SETGID | 0( 0) | Successful change of GIDs | 17, 256, 257, 258, 259, 260, 261, 262, 275, 276, 277, 281 |
| 1( 1) | Not authorized to SETGID | |||
| 52(34) | SETUID | 0( 0) | Successful change of UIDs | 17, 256, 257, 258, 259, 260, 261, 262, 272, 273, 274, 280 |
| 1( 1) | Not authorized to SETUID | |||
| 53(35) | SYMLINK | 0( 0) | Successful SYMLINK | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 297, 307, 308, 309, 310 |
| * | Failures logged as directory search or check access event types | |||
| 54(36) | UNLINK | 0( 0) | Successful UNLINK | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 302, 307, 308, 309, 310 |
| * | Failures logged as directory search or check access event types | |||
| 56(38) | CHECK FILE OWNER | 0( 0) | User is the owner | 17, 256, 257, 258, 259, 260, 261, 262, 263, 264, 265, 266, 307, 308, 309, 310 |
| 1( 1) | User is not the owner |