How can I use Compliance Event Manager to track Security Administration INFOSTG record changes such as a GSO CLASMAP or SAFDEF record?

Document ID : KB000013104
Last Modified Date : 14/02/2018
Question:

How can I use Compliance Event Manager to track Security Administration INFOSTG record changes such as a GSO CLASMAP or SAFDEF record?

Answer:

The OTHERADMIN event can be used to track logonid changes with the Alert, Warehouse or Logger components.

A Policy Statement for the Other Administration events can be created. Test Conditions can be used against the following fields:

 Command
 Date
 Day
 ESM
 Infostorage
 Key
 Jobname
 Operation
 SYSID
 SYSPLEX
 Source
 Time
 Userid

The following fields are returned:

 Category
 Command
 Date
 DATE_UTC
 ESM  
 Event
 Jobname
 Key
 Length
 Operation
 Policy UUID
 Record Length
 Source
 SYSID
 SYSPLEX
 Time
 Userid
 Version

For example:

Security administrator logonid SEC0001 INSERTs a GSO CLASMAP record into the INFOSTG database.

LOGONID SEC0001 (with SECURITY privilege) logs on to TSO.

Commands issued from TSO:

ACF
SET CONTROL(GSO)
insert clasmap.cevm RESOURCE(xcemxx) RSRCTYPE(xxx)

Compliance Event Manager Policy Administration Event fields returned:

Category: OTHERADMIN
Command: insert clasmap.cevm RESOURCE(xcemxx) RSRCTYPE(xxx)
Date: 09-Feb-2017
DATE_UTC: Thursday
ESM : ACF2
Event: OTHERADMIN
Jobname: SEC0001
Key: CGSOSYS8    CLASMAP.CEVM
Length: 214
Operation: INSERT
Policy UUID: 588499fe-6183-41d1-ba9a-fd9e8daeb112
Record Length: 214
Source: A99KO888
SYSID: SYS8
SYSPLEX: MINIPLEX
Time: 16:17:21
Userid: SEC0001
Version: 1
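
The following Python is an added example, not part of the original article or the product: it parses the field listing shown above and reports whether an OTHERADMIN event touches a GSO CLASMAP or SAFDEF record. The key layout in KEY_RE and the function names are assumptions inferred from the single sample key on this page.

```python
import re

# Event text copied from the example on this page (field listing as displayed).
SAMPLE_EVENT = """\
Category: OTHERADMIN
Command: insert clasmap.cevm RESOURCE(xcemxx) RSRCTYPE(xxx)
Date: 09-Feb-2017
DATE_UTC: Thursday
ESM : ACF2
Event: OTHERADMIN
Jobname: SEC0001
Key: CGSOSYS8    CLASMAP.CEVM
Length: 214
Operation: INSERT
Policy UUID: 588499fe-6183-41d1-ba9a-fd9e8daeb112
Record Length: 214
Source: A99KO888
SYSID: SYS8
SYSPLEX: MINIPLEX
Time: 16:17:21
Userid: SEC0001
Version: 1
"""

# ASSUMED key layout, inferred only from the single sample key on this page:
# 1-char class, 3-char type, SYSID (up to 8 chars, blank padded), record id.
KEY_RE = re.compile(r"^(?P<cls>.)(?P<type>.{3})(?P<sysid>\S{1,8})\s*(?P<record>\S.*)$")
WATCHED = ("CLASMAP", "SAFDEF")  # GSO record types named in the question

def parse_event(text):
    """Turn 'Field: value' lines into a dict; tolerates 'ESM : ACF2' spacing."""
    event = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            event[name.strip()] = value.strip()
    return event

def watched_gso_record(event):
    """Return the record id if the event touches a watched GSO record, else None."""
    m = KEY_RE.match(event.get("Key", ""))
    if event.get("Event") != "OTHERADMIN" or not m or m.group("type") != "GSO":
        return None
    record = m.group("record").upper()
    return record if record.split(".")[0] in WATCHED else None

if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(ev["Userid"], ev["Operation"], watched_gso_record(ev))
```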