1

I'm trying to write a script that would query specific resource profiles in a RACF class and later do a bit of logic to match a few things - not relevant.

The problem is that when I issue the command below I get the AUDIT TRAIL on the terminal. The script is meant to just return a 1 or a 0. All the logic works as it should but when I run the script I get the whole AUDIT TRAIL from RACF and at the bottom the result.

    y = outtrap('resourceAccess.')
        address tso 'RLIST CLASSX CLASSX.RESOURCE.LIST'
    y = outtrap('off')

I already tried to create another outtrap after the one above with no success.

Is there a way to remove that AUDIT TRAIL bit?

starball
Jarek Brocki
  • Can you share an example of what you want eliminated? When I execute that command I do not see an audit trail just `AUDITING -------- FAILURES(READ) ` – Hogstrom Mar 07 '22 at 19:39
  • @Hogstrom For obvious reasons I can't paste in the actual thing but I mocked up below what it looks like. Using a different product than IBM's zSecure but here is more info -> [link](https://www.ibm.com/docs/en/szs/2.2?topic=effects-command-audit-trail) `COMMAND AUDIT TRAIL -------------------- 22001 01:00 XXXXXX PERMIT BPX.CONSOLE ID(XXXXXX) ACCESS( +READ) CLASS(FACILITY)` So to be exact my REXX output is like this: `COMMAND AUDIT TRAIL -------------------- 22001 01:00 XXXXXX PERMIT BPX.CONSOLE ID(XXXXXX) ACCESS( +READ) CLASS(FACILITY) 1 ***` – Jarek Brocki Mar 07 '22 at 22:23
  • Any reason why you can't just strip that bit off in your Rexx? – Steve Ives Mar 09 '22 at 10:40
  • @SteveIves That is my original question - how? This isn't a part of any of my objects that I catch via outtrap(). It's not landing in the resourceAccess. array. The COMMAND AUDIT TRAIL is run after every RACF query command (LU, LG, RL) at our installation but for some reason it looks like it's displayed after the RL command (in my case) is finished and the outtrap is closed. I've tried to lay down another outtrap at the end of the script but it also didn't catch the AUDIT TRAIL. – Jarek Brocki Mar 09 '22 at 10:44
  • @JarekBrocki Sorry - I misunderstood and thought you were asking how to prevent it from appearing in the first place. I'll post an answer below. – Steve Ives Mar 09 '22 at 10:49

1 Answer

2

It's possible that those lines of text are being issued in such a way that they cannot be trapped using outtrap and are instead being placed on the external data queue (EDQ) and then echoed to the terminal when the REXX exits. ACF2 does this with all output, making trapping command responses a bit tricky.

Try this:

    /* Trap command response */
    y = outtrap('temp.')
        address tso 'RLIST CLASSX CLASSX.RESOURCE.LIST'
    y = outtrap('off')

    /* Display anything put onto the EDQ */
    do queued()
       pull line
       say line
    end

Old answer: If the output you are getting matches what's in the IBM docs you linked to (https://www.ibm.com/docs/en/szs/2.2?topic=effects-command-audit-trail), then what you need to do, after having trapped the output, is simply discard the first 2 lines (which should be):

    Command Audit Trail for USER IBMUSER
 

(one line of text and a blank line).

You could do this as follows:

    y = outtrap('temp.')
        address tso 'RLIST CLASSX CLASSX.RESOURCE.LIST'
    y = outtrap('off')

    /* Copy from the 3rd command response line into our 'real' response var */
    do tempIndex = 3 to temp.0
       desiredIndex = tempIndex - 2
       resourceAccess.desiredIndex = temp.tempIndex
    end
    resourceAccess.0 = temp.0 - 2 /* Set number of lines */

Steve Ives
  • The problem is that the COMMAND AUDIT TRAIL is not populated via outtrap to resourceAccess. array in my code - it's nowhere to be found. It only appears when I run it from an interactive session. If I run it via batch there isn't a COMMAND AUDIT TRAIL in the output. – Jarek Brocki Mar 09 '22 at 14:08
  • I'm confused - why are you asking to remove the 'AUDIT TRAIL' line if this line is not being returned to your code? Can you edit your question to show what you ARE getting and what you WANT to get. – Steve Ives Mar 09 '22 at 14:55
  • Are you saying that the command response comes back to the REXX but you then get 'AUDIT TRAIL' displayed on the terminal? I don't have RACF here so can't reproduce your issue. – Steve Ives Mar 09 '22 at 14:59
  • "Are you saying that the command response comes back to the REXX but you then get 'AUDIT TRAIL' displayed on the terminal?" - exactly! – Jarek Brocki Mar 09 '22 at 19:21
  • @Jarek I've updated my answer - no guarantee it'll work but it worked for a similar issue I had trapping ACF2 output. – Steve Ives Mar 11 '22 at 11:34
  • Still not what I asked for. So to explain better. I catch whatever I need in my outtrap and parse it how I want it via REXX - that part is solid. The problem I have is that the Vanguard Policy Manager or the Vanguard Alert has a feature that displays a COMMAND AUDIT TRAIL every time a RACF list command is issued. The problem is that it seems that this is done right after the command is run and the outtrap is closed - but at the same time another outtrap is not catching this bit. It's like this runs outside my REXX script but uses the same terminal to display it. – Jarek Brocki Mar 14 '22 at 18:47
  • @Jarek. As I said, I had a similar-looking issue with ACF2 in that the command response cannot be trapped via `outtrap.` because it goes to the EDQ. But you've obviously confirmed that the 'AUDIT TRAIL' message is not on the EDQ and as I don't have RACF I can't reproduce the problem. Sorry for trying to help. – Steve Ives Mar 15 '22 at 09:18
  • I've managed to work around this by invoking the REXX via Ansible (weirdly enough using the zos_command module gave the same results) using the command module and moving the REXX into a USS directory. With this the script simply returns a 1 or a 0. Anyhow I will contact the vendor of our security manager product (not the ESM) to see if there is a way to remove the profile command history for certain service IDs that are used to run such scripts. – Jarek Brocki Mar 15 '22 at 20:15
  • Contacted Vanguard and as suspected it's from their Policy Manager tool. There is a RACF profile associated to access to receive the COMMAND AUDIT TRAIL - I removed the access to the serviceID I use in the REXX script and tadam! All works as expected. – Jarek Brocki Mar 15 '22 at 21:40
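
A diagnostic for the question the thread keeps circling (did the stray lines land in the outtrap stem, on the data stack, or in neither?), added here as an example and not code from either poster. It assumes a TSO/E REXX environment; `CLASSX` and `CLASSX.RESOURCE.LIST` are the page's own placeholders, and `resp.` and `stk.` are illustrative stem names.

```rexx
/* REXX - added example: report where RLIST output was delivered   */
/* CLASSX / CLASSX.RESOURCE.LIST are placeholders from the page.   */
address tso

/* Private data stack: the caller's queued lines are left alone    */
/* and queued() below counts only what arrives during this test.   */
'NEWSTACK'

y = outtrap('resp.')
'RLIST CLASSX CLASSX.RESOURCE.LIST'
cmdrc = rc
y = outtrap('off')

/* Lines the command wrote through PUTLINE are in the stem         */
trapped = resp.0

/* Lines placed on the data stack instead of being written         */
stacked = queued()
do i = 1 to stacked
   parse pull stk.i        /* parse pull keeps case; pull uppercases */
end
stk.0 = stacked

/* Drop the private stack so nothing left on it is echoed at exit  */
'DELSTACK'

say 'RLIST rc='cmdrc 'trapped='trapped 'stacked='stacked
do i = 1 to resp.0
   say 'TRAP ' i':' resp.i
end
do i = 1 to stk.0
   say 'STACK' i':' stk.i
end
```

If the audit-trail text shows up under neither the `TRAP` nor the `STACK` prefix yet still appears on the terminal, it is being written by something outside the exec's trap and stack, which is consistent with the access-controlled Policy Manager feature the asker eventually identified.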