IBM Security Z Security

Security for Z

  • 1.  Allowlist members for ACF2

    Posted Thu January 04, 2024 11:37 AM

    Hello All,

    I would like to confirm that, when using zSecure Audit (v2.5.0) for ACF2, the allowlist members still require each specific ID to be listed. It has been quite some time since I've looked at this, and I didn't see anything in the documentation, but I would like to know whether UID masks might now be supported.

    I tried supplying a UID mask and none of the IDs that should match it were marked compliant upon my re-evaluation.

    Thanks in advance,
    Matt



    ------------------------------
    Matt Ross
    ------------------------------


  • 2.  RE: Allowlist members for ACF2

    Posted Thu January 04, 2024 01:45 PM

    Hi Matt

    The STIGs typically don't refer to GROUPs or UIDs but instead say you have to specify a list of user IDs.  And the tools used by STIG reports rely (largely) on newlist type=trusted, which identifies user ID.

    But it is not difficult to write CARLa that writes all the user IDs that match one (or a list of) UID masks to each of the allowlist members.  In fact, I did just that several years ago implementing STIG reporting at an ACF2 site.



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 3.  RE: Allowlist members for ACF2

    Posted 10 hours ago

    Hello Rob,

    I read with interest this entry and noticed your comment - 'In fact, I did just that several years ago implementing STIG reporting at an ACF2 site.'  Could you elaborate on that?  Is there a service or feature that can be obtained to 'implement STIG reporting at an ACF2 site'?  We had a meeting with our IBM reps on zSecure and they said they do not offer any such service.  Is the service one offered in the EU, or by you and a private company?  I need all the details for doing this for a client site.

    Many thanks!

    Lynn Gilson



    ------------------------------
    Lynn Gilson
    ------------------------------



  • 4.  RE: Allowlist members for ACF2

    Posted 2 minutes ago
    Edited by Rob van Hoboken a minute ago

    Hey Lynn

    This must have been back in 2018 or 2019, so don't hold me to the details.  We built one batch job, say PREPCUST, that had to be run before the (daily) STIG job.  PREPCUST took a PDS with member names identical to the CKACUST members that it had to prep.  Each of those members had a CARLa program to select LIDs relevant to the CKACUST member, and generate the LID/user ID into a ddname.

    Take CKACUST member SYSPAUDT, the list of user IDs who perform system programming tasks.  I assume you have a position in the UID string to single out system programmers, yes? Let's say SYSPROG in pos 5.  So the generator for this member looks like

    /* header line: who generated this member, and when */
    newlist type=run nopage dd=SYSPAUDT outlim=1
      sortlist '* generated' datetime 'by job' jobname 'user' userid
    /* one LID per line for every logonid whose UID matches the mask */
    newlist type=acf2_lid nopage dd=SYSPAUDT
      select uid='****SYSPROG -'
      sortlist LID

    Next you compose JCL for PREPCUST with a DD name and a SYSIN concatenation for each member you need to prepare:

    //* PREPCODE = PDS holding one CARLa generator member per CKACUST member
    // SET PREPCODE='pds with carla members'
    //PREPCUST EXEC C2RC
    //SYSIN    DD *
     alloc type=acf2 backup
     include dd=geners
    /*
    //* concatenate every generator member you want run in this job
    //GENERS   DD DISP=SHR,DSN=&PREPCODE(SECAAUDT)
    //         DD DISP=SHR,DSN=&PREPCODE(SYSPAUDT)
    //* each generator writes its LID list to the ddname of the same name
    //SECAAUDT DD DISP=SHR,DSN=&CKACUST(SECAAUDT)
    //SYSPAUDT DD DISP=SHR,DSN=&CKACUST(SYSPAUDT)
    //

    ------------------------------
    Rob van Hoboken
    ------------------------------
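
As an added illustration (my own sketch, not Rob's CARLa and not a zSecure or ACF2 feature), the same mask-to-ID expansion in Python: it assumes ACF2 UID mask semantics where '*' matches one character at that position and '-' matches the remainder, and the sample LIDs and UID layout are constructed.

```python
# Added example (not from the thread): expand an ACF2-style UID mask into the
# explicit LID list that a CKACUST allowlist member needs.
# Assumed mask semantics: '*' matches exactly one character at that position,
# '-' matches everything from that position onward; a UID shorter than the mask
# is treated as blank-padded (an assumption; check against your ACF2 docs).

def uid_matches(mask: str, uid: str) -> bool:
    """Return True if the ACF2 UID string matches the position-based mask."""
    for pos, mchar in enumerate(mask):
        if mchar == "-":
            return True                      # '-' matches the rest, whatever it is
        uchar = uid[pos] if pos < len(uid) else " "
        if mchar != "*" and mchar != uchar:
            return False
    # No '-' seen: anything beyond the mask length must be blank
    return uid[len(mask):].strip() == ""

def expand_allowlist(mask: str, lids: dict) -> list:
    """Return the sorted LIDs whose UID matches the mask (the member body)."""
    return sorted(lid for lid, uid in lids.items() if uid_matches(mask, uid))

def render_member(member: str, mask: str, lids: dict) -> str:
    """Render the allowlist member: a '*' header line, then one LID per line."""
    lines = [f"* generated for {member} from UID mask '{mask}'"]
    lines.extend(expand_allowlist(mask, lids))
    return "\n".join(lines) + "\n"

# Constructed sample LIDs with UID strings (site/role/seq layout is made up)
SAMPLE_LIDS = {
    "SYSP01": "HQ01SYSPROG 01",
    "SYSP02": "HQ02SYSPROG 02",
    "SECA01": "HQ01SECADM  01",
    "APPL01": "HQ01APPLDEV 01",
    "SYSPX":  "HQ01SYSPROGX01",   # 'X' in pos 12 where the mask wants a blank
}

if __name__ == "__main__":
    print(render_member("SYSPAUDT", "****SYSPROG -", SAMPLE_LIDS))
```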