  • 1.  CKFREEZE B37 to use for Audit Compliance

    Posted Wed March 08, 2023 12:40 PM

    Hello everyone. I'm trying to perform the first setup of the CKFREEZE (full) to be used with the Audit Compliance Evaluate (AU.R.E) function, but it goes in B37. I state that it is a very, very big environment... Then I tried tuning the parameters in the sysin, in order to have the best compromise with the requested disk space. The scope is to use it with the Audit Compliance Evaluate (AU.R.E) function.

    These are the parameters used:

    I specified CAT=yes instead of CAT=MCAT because of a previous error reported in this message:

    "CKR2226 16 CKFREEZE SYA0 too incomplete for requested report - CKR1CF01 PXS2EP X 400ZSEC.PE000.BLU.AUDIT.CKFREEZE 

               shr CAT<>YES"

     

    Thanks in advance for any help !



    ------------------------------
    Luigi Perrone
    ------------------------------


  • 2.  RE: CKFREEZE B37 to use for Audit Compliance

    Posted Thu March 09, 2023 03:04 AM

    Hi Luigi, 

    to me, the B37 outcome seems to indicate that the space that you have allocated for the CKFREEZE data set is not sufficient to store all information that the zSecure Collect attempts to extract about your system environment. Thus, in my opinion, increasing the allocated space for the CKFREEZE data set is a more logical action to resolve the issue. 

    According to the documentation in chapter zSecure Collect for z/OS of the URM, your action to specify CAT=YES instead of CAT=MCAT seems to collect more rather than less information to store in the CKFREEZE data set. 
    In my opinion, you should disable the collection of certain information that is not used for compliance evaluations. For example, not collecting IMS (IMS=NO) and Db2 (DB2=NO) subsystem information for which currently there are no compliance rules defined. I am not a zSecure Collect expert, but probably many other COLLECT parms can be disabled to reduce the amount of collected information for your CKFREEZE data set. 

    However, in my opinion, increasing the space for the CKFREEZE data set is the most logical action. Then, that CKFREEZE data can also be used for all other purposes other than compliance evaluation runs.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 3.  RE: CKFREEZE B37 to use for Audit Compliance

    Posted Thu March 09, 2023 03:18 AM
    Edited by Rob van Hoboken Thu March 09, 2023 03:25 AM

    You could just analyze the CKFREEZE data set (even when CKFCOLL ended with B37), to see how many records there were (from each record type), and how much space each record type takes. To do this, create a set of input files in SE.1 with just this CKFREEZE in it. Issue the L line command in front of the dsname in this set. It gives you a list of record type + the space needed for each record type. If you see the biggest contributors, and like Tom suggested, you believe it is not relevant to your report, you could figure out how to suppress it. Like... when DB2 object information is the biggest in MBs, use DB2CAT=N.

    On occasion I had systems with excessive numbers of UNIX files, and had to specify UNIX=NO.

    When you look at the SYSPRINT from CKFCOLL, and you find there are oodles of volumes with only application data sets... you could use the X=VOL=vvvvvv to specify the start of volser names to exclude.  See the CKFCOLL command reference in the URM.

    Or you could create a really small CKFREEZE using SHARED=NO,CAT=YES and see where this gets you.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 4.  RE: CKFREEZE B37 to use for Audit Compliance

    Posted Thu March 09, 2023 03:24 AM
    Edited by Rob van Hoboken Thu March 09, 2023 03:24 AM

    Also, the installation and deployment manual has some ideas: https://www.ibm.com/docs/en/szs/2.5.0?topic=deployment-troubleshooting-large-size-ckfreeze-data-sets

    SMS compression has been shown to reduce the CKFREEZE size significantly.

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: CKFREEZE B37 to use for Audit Compliance

    Posted Mon March 13, 2023 09:46 AM

    Hi Luigi, I recall getting this when setting up our CKFREEZE as we were collecting DB2 data. I had to add the DSNOUT as referenced in the Admin and Audit user reference manual. 

    DSNOUT
    A work file that contains the Db2 records unloaded by DSNUTILB for each table.
    This file has a record format of VB, record length of 23472, and blocksize of 23476.
    If the DSNOUT DD is not specified in the JCL, zSecure allocates it with SPACE=(23476,
    (300,300),RLSE), which is 10 cylinders primary and secondary space.
    When running the collect, if you receive the error message CKF580I and the DSNPRT output indicates
    a B37 abend, modify the JCL to include a DSNOUT with the appropriate space parameters to unload
    your Db2 tables.

    This may not be your issue but it is worth a try. 

    Thanks, Donna Welshons 



    ------------------------------
    Donna Welshons
    ------------------------------
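
A sizing sketch for the DSNOUT work file described in the last reply, added here as an example and not part of any post or of zSecure itself: it checks that the default 300 blocks equal 10 cylinders and turns an expected unload volume into a SPACE parameter. Assumptions: 3390 geometry, a basic-format data set on one volume (at most 16 extents), and constructed row counts; the function names are hypothetical.

```python
import math

# 3390 geometry: largest block size that still fits N blocks on one track.
MAX_BLKSIZE_PER_TRACK = {1: 56664, 2: 27998, 3: 18452}
TRACKS_PER_CYL = 15
# DSNOUT attributes quoted in the post above.
DSNOUT_LRECL, DSNOUT_BLKSIZE = 23472, 23476
DEFAULT_BLOCKS = 300  # SPACE=(23476,(300,300),RLSE)
# Assumption: basic-format data set on a single volume, so at most 16 extents.
MAX_EXTENTS = 16


def blocks_per_track(blksize):
    """Blocks per 3390 track (capped at 3, a safe lower bound for small blocks)."""
    for n in (3, 2, 1):
        if blksize <= MAX_BLKSIZE_PER_TRACK[n]:
            return n
    raise ValueError("block size does not fit on a 3390 track")


def blocks_to_cyl(blocks, blksize=DSNOUT_BLKSIZE):
    tracks = math.ceil(blocks / blocks_per_track(blksize))
    return math.ceil(tracks / TRACKS_PER_CYL)


def blocks_needed(rows, avg_row_len, blksize=DSNOUT_BLKSIZE):
    """VB packing: 4-byte BDW per block, 4-byte RDW per record, no spanning."""
    record = avg_row_len + 4
    if record > DSNOUT_LRECL:
        raise ValueError("record longer than LRECL")
    return math.ceil(rows / ((blksize - 4) // record))


def default_ceiling_blocks():
    """Most the default allocation can hold: primary plus 15 secondary extents."""
    return DEFAULT_BLOCKS * MAX_EXTENTS


def dsnout_space(rows, avg_row_len, headroom=1.25):
    """SPACE parameter sized for the unload plus headroom (secondary = 1/4 primary)."""
    cyl = blocks_to_cyl(math.ceil(blocks_needed(rows, avg_row_len) * headroom))
    return f"SPACE=(CYL,({cyl},{max(1, cyl // 4)}),RLSE)"


if __name__ == "__main__":
    rows, avg_len = 2_000_000, 196  # constructed sample figures
    print("default primary :", blocks_to_cyl(DEFAULT_BLOCKS), "cyl")
    print("default ceiling :", default_ceiling_blocks(), "blocks")
    print("blocks required :", blocks_needed(rows, avg_len))
    print("suggested       :", dsnout_space(rows, avg_len))
```

With the constructed figures the unload needs far more blocks than the default allocation can reach under the stated extent assumption, which is the situation where the quoted documentation says to code a DSNOUT DD with larger space.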