1103_superuser_logon - Monitor zSecure alerts from Kafka for logon of a user with uid(0)

Synopsis

This rulebook monitors zSecure alerts raised by RACF whenever a user ID with UNIX uid 0 is used to log on to TSO or OMVS. The event generated by zSecure is alert C2P1103I and is delivered through Kafka.

When the alert is received, the rulebook launches the configured AAP job template to perform the response workflow.

Unlike rulebooks that use multi-event correlation, this rulebook uses a single event condition. Each zSecure alert in this family is self-contained, so no corroborating event is required and no timeout is needed.

Rulebook

- name: Rule to handle alert 1103 - Logon of a user with uid(0)
  hosts: all
  sources:
    - name: kafka
      ansible.eda.kafka:
        topic: "{{ kafka_topic }}"
        host: "{{ kafka_host }}"
        port: "{{ kafka_port }}"
        security_protocol: "{{ security_protocol }}"
        ssl_cafile: "{{ cafile }}"
        check_hostname: true

      filters:
        - ibm.ibm_eda_zos.security_alerts:
            event_source: "kafka"

  rules:
    - name: "Handle alert 1103 - Logon of a user with uid(0)"
      condition: event.body.alert_code == "C2P1103I"
      action:
        run_workflow_template:
          name: EDA Alert 1103 Response Workflow
          organization: "Default"

Parameters

Sources

kafka

Connects to a Kafka broker to consume zSecure alert messages.

topic

The Kafka topic name that carries zSecure alerts.

required: True
type: str

host

The Kafka broker hostname or IP address.

required: True
type: str

port

The Kafka broker port number.

required: True
type: int

security_protocol

The security protocol for the Kafka connection. Common values are SSL and PLAINTEXT.

required: True
type: str

ssl_cafile

Path to the CA certificate file used for SSL/TLS verification.

required: True (when using SSL)
type: str

check_hostname

Enable SSL hostname verification.

required: True (default)
type: Boolean

Filters

ibm.ibm_eda_zos.security_alerts

Filter plugin that parses and structures zSecure alert messages from Kafka events. Without this filter the rulebook condition will not match because the alert code field will not exist in the raw payload.

event_source

Specifies the source type of the event stream.

required: True
type: str
choices: kafka

Rules

Handle alert 1103 - Logon of a user with uid(0)

Alert codes monitored:

  • C2P1103I: zSecure alert raised when a user ID with UNIX uid 0 is used to log on to TSO or OMVS.

This rule uses a single event condition that matches the alert code:

event.body.alert_code == "C2P1103I"

The rule fires immediately when any one incoming event satisfies the condition. There is no correlation window because each zSecure alert is self-contained and no second event is required.

The action launches the AAP workflow template 'EDA Alert 1103 Response Workflow' in the Default organization. The matched event is passed to the workflow template as ansible_eda.event. The response performed by the workflow template is documented on the corresponding playbook page in this collection.

Event structure

Event (C2P1103I)

{
  "body": {
    "alert_code": "C2P1103I",
    "alert_message": "C2P1103I Superuser USER123 logon to TSO",
    "hostname": "ZSYS01",
    "target_user": "USER123",
    "timestamp": "2024-01-15T10:30:00Z"
  },
  "meta": {
    "received_at": "2024-01-15T10:30:01Z"
  }
}

Event body fields

  • alert_code: the zSecure alert code (C2P1103I).

  • alert_message: descriptive message about the superuser (uid 0) logon.

  • hostname: the z/OS system where the event occurred.

  • target_user: the user ID with UNIX uid 0 that logged on.

  • timestamp: ISO 8601 timestamp of the alert.

Variables

When you activate the rulebook in Ansible Automation Platform, the following variables are defined:

kafka_topic: "zsecure-alerts"
kafka_host: "kafka.example.com"
kafka_port: 9093
security_protocol: "SSL"
cafile: "/path/to/ca-cert.pem"

Examples

Example 1: Basic Activation

Create a rulebook activation in Ansible Automation Platform with the following activation variables:

kafka_topic: "zsecure-security-alerts"
kafka_host: "kafka-broker.company.com"
kafka_port: 9093
security_protocol: "SSL"
cafile: "/etc/kafka/certs/ca-cert.pem"

Example 2: Testing the Rule

To test the rulebook, publish a sample event to your Kafka topic.

Publish a C2P1103I event:

echo '{
  "body": {
    "alert_code": "C2P1103I",
    "alert_message": "C2P1103I Superuser USER123 logon to TSO",
    "hostname": "ZSYS01",
    "target_user": "USER123",
    "timestamp": "2024-01-15T10:30:00Z"
  },
  "meta": { "received_at": "2024-01-15T10:30:01Z" }
}' | kafka-console-producer \
     --broker-list kafka-broker:9093 \
     --topic zsecure-alerts

Notes

  • The rulebook runs continuously, monitoring the Kafka topic for new events.

  • Each event is processed independently. There is no correlation window or timeout.

  • Ensure that the ibm.ibm_eda_zos.security_alerts filter plugin is installed in the decision environment; otherwise the condition cannot evaluate correctly.

  • Before you activate the rulebook, ensure that the referenced AAP workflow template exists.

  • System clocks should be synchronised between Kafka, AAP and z/OS for accurate event timestamps.

Troubleshooting

Rulebook not triggering

  • Verify whether the C2P1103I events are being published to Kafka.

  • Verify whether the event format matches the expected structure.

  • Verify whether the alert code field is present and exactly matches.

  • Review activation logs for errors.

Events not matching

  • Enable verbose logging in activation settings.

  • Verify whether the alert code field value is exact (case sensitive).

  • Verify that the filter plugin is parsing events correctly.
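To check a candidate payload against the rule before publishing it (Example 2) or while working through the "Events not matching" steps above, the following added script (not part of this collection) evaluates the same condition the rulebook uses and reports the usual reasons it fails to match: no body object because the filter plugin did not run, an alert code that differs only by case or whitespace, or stray whitespace in the body fields. The sample event is constructed here to mirror the documented event structure.

```python
import json

EXPECTED_ALERT_CODE = "C2P1103I"
REQUIRED_BODY_FIELDS = ("alert_code", "alert_message", "hostname",
                        "target_user", "timestamp")

# Constructed sample payload mirroring the documented event structure.
SAMPLE_EVENT = {
    "body": {
        "alert_code": "C2P1103I",
        "alert_message": "C2P1103I Superuser USER123 logon to TSO",
        "hostname": "ZSYS01",
        "target_user": "USER123",
        "timestamp": "2024-01-15T10:30:00Z",
    },
    "meta": {"received_at": "2024-01-15T10:30:01Z"},
}


def rule_matches(event):
    """The rulebook condition as ansible-rulebook evaluates it:
    event.body.alert_code == "C2P1103I", exact and case-sensitive."""
    body = event.get("body") if isinstance(event, dict) else None
    return isinstance(body, dict) and body.get("alert_code") == EXPECTED_ALERT_CODE


def lint_event(raw):
    """Explain why a candidate payload (JSON text or dict) would not trigger
    the rule. Returns a list of findings; an empty list means it is clean."""
    try:
        event = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    except json.JSONDecodeError as exc:
        return [f"payload is not valid JSON: {exc.msg}"]
    body = event.get("body") if isinstance(event, dict) else None
    if not isinstance(body, dict):
        # This is what the condition sees when the security_alerts filter is absent.
        return ["no 'body' object: payload was not structured by the filter plugin"]
    findings = [f"body.{f} is missing" for f in REQUIRED_BODY_FIELDS if f not in body]
    code = body.get("alert_code")
    if isinstance(code, str) and code != EXPECTED_ALERT_CODE:
        if code.strip().upper() == EXPECTED_ALERT_CODE:
            findings.append(f"alert_code {code!r} differs only by case/whitespace; match is exact")
        else:
            findings.append(f"alert_code {code!r} is not {EXPECTED_ALERT_CODE}")
    for field in ("alert_message", "target_user"):
        value = body.get(field)
        if isinstance(value, str) and value != value.strip():
            findings.append(f"body.{field} carries leading/trailing whitespace")
    return findings
```

Run lint_event on the exact text you intend to pipe into kafka-console-producer; an empty result means the 1103 rule will match and the workflow template will receive clean body fields.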

See also