How are password threshold exceeded and password suspension events recorded in Compliance Event Manager?

Document ID : KB000047656
Last Modified Date : 14/02/2018

Question:  

How are password threshold exceeded and password suspension events recorded in CA Compliance Event Manager?

Answer:  


 

ACF2 and Top Secret unsuccessful signon events are recorded as Event Reports Signon/Signoff Events, where the 'Info Code 1' field corresponds to the ACF2 or Top Secret unsuccessful signon codes and messages.

 

There is no administrative command being issued in CA Compliance Event Manager. What you see is a command
representation of what happened, recorded to the recovery file in case you have to perform forward
recovery. Because a real command was not issued, it cannot be captured in the account administration tables. The
suspension is the result of a system access signon event that fails, either because of an invalid password or
because of a Password Violation Threshold Exceeded condition.

 

If you are recording these types of events, with Top Secret you should see a DRC (Info Code 1 field) of '01' for
ACID suspended, a DRC of '09' for Password is Incorrect, or a DRC of '27' for Password Violation Threshold
Exceeded. If you are capturing these events, you can set an Alert for the DRC codes. With ACF2 you should
see an Info Code 1 field of '11' for LOGONID lid SUSPENDED, '12' for PASSWORD NOT MATCHED, or '13' for LOGONID
lid SUSPENDED BECAUSE OF PASSWORD VIOLATIONS.

 

ACF2 and Top Secret Info Code 1 values and corresponding messages:

 

Top Secret:

Info Code 1 : 01 = TSS0262E ACID IS SUSPENDED

Info Code 1 : 09 = TSS7101E PASSWORD IS INCORRECT

Info Code 1 : 27 = TSS7120E PASSWORD VIOLATION THRESHOLD EXCEEDED

 

ACF2:

Info Code 1 : 11 = ACF01011 LOGONID lid SUSPENDED

Info Code 1 : 12 = ACF01012 PASSWORD NOT MATCHED

 

Info Code 1 : 13 = ACF01013 LOGONID lid SUSPENDED BECAUSE OF PASSWORD VIOLATIONS
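
The following is an added example, not CA code or part of the original document. It shows how signon event records carrying the Info Code 1 values listed above could be triaged outside the product, by counting incorrect-password failures that precede a threshold suspension and later signon attempts against the suspended ID. The four-column record layout (timestamp, security product, user ID, Info Code 1), the `triage` function, and the sample rows are assumptions constructed for illustration and do not represent a Compliance Event Manager export format.

```python
import csv
import io
from collections import Counter

# (security product, Info Code 1) -> event kind, using the values listed in this document
INFO_CODE_1 = {
    ("TSS", "01"): "suspended",      # TSS0262E ACID IS SUSPENDED
    ("TSS", "09"): "bad_password",   # TSS7101E PASSWORD IS INCORRECT
    ("TSS", "27"): "threshold",      # TSS7120E PASSWORD VIOLATION THRESHOLD EXCEEDED
    ("ACF2", "11"): "suspended",     # ACF01011 LOGONID lid SUSPENDED
    ("ACF2", "12"): "bad_password",  # ACF01012 PASSWORD NOT MATCHED
    ("ACF2", "13"): "threshold",     # ACF01013 ... SUSPENDED BECAUSE OF PASSWORD VIOLATIONS
}

# Constructed sample records (assumed layout): timestamp, product, user ID, Info Code 1
SAMPLE_EVENTS = """\
2018-02-14T09:00:01,TSS,USERA,09
2018-02-14T09:00:09,TSS,USERA,09
2018-02-14T09:00:15,TSS,USERA,27
2018-02-14T09:01:30,TSS,USERA,01
2018-02-14T09:02:00,ACF2,USERB,12
2018-02-14T09:05:00,ACF2,USERC,12
2018-02-14T09:05:20,ACF2,USERC,13
2018-02-14T09:06:00,ACF2,USERC,11
2018-02-14T09:06:30,ACF2,USERC,11
"""

def triage(text):
    """Return (suspensions, retries).

    suspensions: (product, user, time, incorrect-password failures seen before it)
    retries: signon attempts per (product, user) rejected because the ID is suspended
    """
    failures, retries, suspensions = Counter(), Counter(), []
    # ISO 8601 timestamps in the first column sort chronologically as strings
    for row in sorted(csv.reader(io.StringIO(text))):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, product, user, code = (field.strip() for field in row)
        key = (product, user)
        kind = INFO_CODE_1.get(key[:1] + (code,))  # None for codes not listed here
        if kind == "bad_password":
            failures[key] += 1
        elif kind == "threshold":
            suspensions.append((product, user, ts, failures.pop(key, 0)))
        elif kind == "suspended":
            retries[key] += 1
    return suspensions, dict(retries)

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Codes are keyed by product as well as value because the Top Secret and ACF2 Info Code 1 values come from separate code sets.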