IBM Security Z Security

Security for Z

  • 1.  zSecure Admin for RACF: Report of UNIX Object Permission Changes

    Posted Tue February 11, 2020 08:45 AM
    Using zSecure I can report on RACF permission changes whether they be from RACF Commands or CKGRACF commands.
    Has anyone developed a report that would show permission changes in UNIX objects?    

    Background: Today we are in a TSS environment using the HFSSEC class to control access to UNIX files, directories etc. So naturally under TSS I could report on permission changes in UNIX. If we had access issues, I could go back to see if someone made access changes causing the issue.

    Now that we are migrating to RACF, is there a way to show permission changes in native UNIX? If we experienced an access issue, how could I look to see that access bits were changed that may be causing the issue?

    Thanks

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: zSecure Admin for RACF: Report of UNIX Object Permission Changes

    Posted Tue February 11, 2020 02:44 PM
    A member of my team was able to develop some CARLa today looking at the UNIX_FUNCTION field. You may ignore my request.
    If anyone is interested, this is the CARLa he put together to show permission changes in the UNIX environment.

    OPTION EMPTYLIST=HIDE REQUIRED
    n type=smf n=smfsel outlim=0
    S,
     ((unix_pathname>" " or type=92))
     list type
    mergelist
    n type=smf tt="zSecure Suite file system events",,
       ,
        st="Event log records for all Unix files"
     s likelist=SMFSEL unix_function=(chmod,chown,setfacl) desc=success
     Sortlist datetime(nd) system(nd) smfdd(nd) recno(nd) userid(nd),
     datetime(19) system userid jobname terminal recorddesc
    endmerge


    ------------------------------
    Linnea Sullivan
    ------------------------------



  • 3.  RE: zSecure Admin for RACF: Report of UNIX Object Permission Changes

    Posted Wed February 12, 2020 03:02 PM
    Hi Linnea,

    Good to hear your team found a solution by applying the UNIX_FUNCTION selection to what appears to be a generated general UNIX event selection from option EV.F.

    The general selection here is for SMF record type 92 or any SMF events that fill in UNIX_PATHNAME (which can occur in type 92, 42 subtype 26, 80, 83 subtype 6, some subtypes of 118 and 119, and the ACF2 type).

    The additional selection limits that to the events with the specified UNIX_FUNCTIONs that were successful. UNIX_FUNCTION can occur in type 80, 42 subtype 26, and the ACF2 record type; DESC can occur in type 14, 15, 30, 80, and 83. So effectively, this will select only a subset of type 80 (RACF processing) records.

    The MERGELIST... ENDMERGE construct allows specifying multiple queries and collating them together; in this case you have only one real query, so it is not really required.

    The query could be trimmed down to:

    OPTION EMPTYLIST=HIDE REQUIRED
    n type=smf tt="zSecure Suite file system events",
        st="Event log records for all Unix files"
     s  unix_function=(chmod,chown,setfacl) desc=success
     Sortlist datetime(nd) system(nd) smfdd(nd) recno(nd) userid(nd),
     datetime(19) system userid jobname terminal recorddesc

    BTW, the OPTIONs specify that the report is not listed in the print summary in the SYSPRINT when no events are selected, and that an ISPF message "Nothing selected" is issued [when run in the foreground] in that case.

    Regards,

    Jeroen

    P.S. This solution of course requires that the relevant SMF events are always logged.

    P.P.S. Another tidbit that might come in handy sometime is that you can select the subset of events from type 80 (RACF processing) that relate to UNIX by using the value ALLOMVS.

    An example can be found in SCKRCARL(CKQLEEF), that is, the event feed to QRadar SIEM:
    select likelist=SMFSEL type=80 event=ALLOMVS

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------
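The selection the two posts above describe (successful chmod/chown/setfacl events from type 80 records, sorted newest first) is shown below as an added example in Python; it is not zSecure code and not something from the thread. The input is a hypothetical tab-separated export that reuses the field names of the CARLa SORTLIST (DATETIME, SYSTEM, USERID, JOBNAME, TERMINAL, TYPE, UNIX_FUNCTION, UNIX_PATHNAME, DESC); the DESC values "success" and "violation" and the sample records are constructed for illustration. Real SMF records are binary and are read by zSecure, not by this script. The extra function answers the original question directly: given the time of an access failure on a path, find the last successful permission change to that path before it.

```python
"""Find successful UNIX permission changes in a constructed event export.

Added example, not zSecure code. Record layout: tab-separated, nine fields,
named after the thread's CARLa fields (hypothetical export format).
"""
from datetime import datetime
from typing import Iterable, List, NamedTuple, Optional

# The same three functions the CARLa selects on; lower-cased for matching.
PERMISSION_FUNCTIONS = frozenset({"chmod", "chown", "setfacl"})
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


class UnixEvent(NamedTuple):
    when: datetime
    system: str
    userid: str
    jobname: str
    terminal: str
    smf_type: int
    function: str   # UNIX_FUNCTION; empty for records that have none (e.g. type 92)
    pathname: str   # UNIX_PATHNAME
    desc: str       # DESC; "success" / "violation" are assumed values


# Constructed sample: a successful chmod, a rejected chmod, a setfacl, an
# unrelated type 92 record, a successful chown, and the later access
# violation an administrator would be investigating.
SAMPLE_EVENTS = (
    "2020-02-11 09:12:03\tSYS1\tADMSRV\tADMSRVT\tTCP00017\t80\tchmod\t/SYSTEM/etc/log\tsuccess\n"
    "2020-02-11 09:15:44\tSYS1\tJSMITH\tJSMITHT\tTCP00021\t80\tchmod\t/SYSTEM/etc/log\tviolation\n"
    "2020-02-11 10:02:10\tSYS1\tADMSRV\tADMSRVT\tTCP00017\t80\tsetfacl\t/SYSTEM/etc/temp.inet\tsuccess\n"
    "2020-02-11 10:30:00\tSYS1\tBATCH01\tNIGHTLY\t\t92\t\t/SYSTEM/etc/log\t\n"
    "2020-02-11 11:45:21\tSYS1\tJSMITH\tJSMITHT\tTCP00021\t80\tchown\t/SYSTEM/etc/log\tsuccess\n"
    "2020-02-11 12:00:05\tSYS1\tJSMITH\tJSMITHT\tTCP00021\t80\topen\t/SYSTEM/etc/log\tviolation\n"
)


def parse_events(text: str) -> List[UnixEvent]:
    """Parse the tab-separated export into UnixEvent records."""
    events: List[UnixEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        if len(f) != 9:
            raise ValueError(f"expected 9 fields, got {len(f)}: {line!r}")
        events.append(UnixEvent(
            datetime.strptime(f[0], TIME_FORMAT), f[1], f[2], f[3], f[4],
            int(f[5]), f[6].lower(), f[7], f[8].lower(),
        ))
    return events


def permission_changes(events: Iterable[UnixEvent]) -> List[UnixEvent]:
    """Equivalent of 's unix_function=(chmod,chown,setfacl) desc=success',
    sorted by DATETIME descending like the SORTLIST in the thread."""
    hits = [e for e in events
            if e.function in PERMISSION_FUNCTIONS and e.desc == "success"]
    return sorted(hits, key=lambda e: e.when, reverse=True)


def last_change_before(events: Iterable[UnixEvent], pathname: str,
                       failure_time: str) -> Optional[UnixEvent]:
    """Most recent successful permission change to pathname at or before
    failure_time (formatted like TIME_FORMAT); None if there was none."""
    cutoff = datetime.strptime(failure_time, TIME_FORMAT)
    for e in permission_changes(events):          # already newest first
        if e.pathname == pathname and e.when <= cutoff:
            return e
    return None


if __name__ == "__main__":
    for e in permission_changes(parse_events(SAMPLE_EVENTS)):
        print(e.when, e.system, e.userid, e.jobname, e.terminal, e.function, e.pathname)
```

Only type 80 records survive the filter, for the reason Jeroen gives: the type 92 record has no UNIX_FUNCTION, and the rejected chmod and the open violation fail the DESC test.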



  • 4.  RE: zSecure Admin for RACF: Report of UNIX Object Permission Changes

    Posted Wed February 12, 2020 05:13 AM

    Hi Linnea
    Using SMF to track changes in UNIX files is good. An alternative approach is the "Show differences" function in zSecure Audit.

    You need a CKFREEZE snapshot made before the change and one made after. Many installations use GDG to keep, e.g., the 5 most recent CKFREEZE and UNLOAD data sets; others use the date of the snapshot as one of the qualifiers of the dsname, and create catalog aliases to map names like RECENT0, RECENT1, RECENT2... to the most recent ones.

    In SE.1 you use C (compare baseline) to select the before snapshot and S (select) for the after snapshot. Then you go to RE.U.F (Unix - Filesystem reports) and select the "Show differences" output option. This compares the files and identifies changes in file attributes. I did a chmod and a setfacl command yesterday, and this is the result of "Show differences":

    Count FS mount point
        2 /SYSTEM/etc
    Comp T FileMode  + apsl AuF Owner   Group Relative pathname (within FS)
    CHG  - rw-rw-r--   --s- fff ADM@SRV OMVS  log
    CHG  - rwx------ + --s- fff ADM@SRV OMVS  temp.inet
    ******************************* Bottom of Data ********************************


    In other words, 2 changes were found in the /etc directory, one on the file log that is currently readable for anyone, and another on the temp.inet file which currently has an ACL (the + sign).  Selecting each of these lines shows the field that was changed:

    Changes
    ATTR(rw-rw----->rw-rw-r--)

    the ATTR field went from 660 to 664, and

    Changes
    EXTENDED_ACL(->+)


    an extended ACL was added.  You can inspect the ACL in the detail panel.



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: zSecure Admin for RACF: Report of UNIX Object Permission Changes

    Posted Wed February 12, 2020 02:19 PM
    Hi Rob,

    Comparing status snapshots to find differences is generally an excellent approach.

    Specifically for UNIX it can in some cases take a few steps to zoom in and understand the real change, as the processing is comparatively complex. It is for example possible for the ATTR of a file to change, without there being any change in the file system that contains that file. This is because ATTR represents the effective access level, and this also takes the path up to the file into account, as well as the attributes of the file system. For example, if a file system that was mounted in read-write mode gets unmounted and re-mounted in a read-only mode, the ATTR might well change because of that. If you want to inspect changes in the file system itself only, the PHYSICAL_ATTR field would more directly represent the File Security Package of the specific file.

    In the RE.U.F detail display,
    - ATTR is shown in the "System view of file" section as "File access attributes", and
    - PHYSICAL_ATTR is shown in the "Physical file attributes" section as "Physical access attributes".

    Note that "Show differences" uses the default compare options, which will compare ATTR but not PHYSICAL_ATTR. (This is to avoid cluttering the display with duplicate changes; anyway, the fact that no change is listed for PHYSICAL_ATTR does not imply there was no change!)

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------
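The snapshot comparison from Rob's post, together with the ATTR versus PHYSICAL_ATTR distinction from Jeroen's reply, is shown below as an added example in Python; it is not zSecure code and not from the thread. The snapshots, mount table and file names are constructed, and the way effective ATTR is derived (clearing the write bits of files on a read-only mount) is a deliberate simplification for illustration, not zSecure's ATTR algorithm, which also takes the path up to the file into account. The compare_physical switch mirrors the point that the default "Show differences" compares ATTR but not PHYSICAL_ATTR.

```python
"""Compare two UNIX file-attribute snapshots and report the changed fields.

Added example, not zSecure code. A Snapshot holds the physical attributes of
each file plus the mount table. PHYSICAL_ATTR is what the file system stores;
ATTR (effective) is modelled here only as "physical bits minus write bits on
a read-only mount" (assumption for illustration).
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileEntry:
    mode: int        # physical permission bits, e.g. 0o664
    owner: str
    group: str
    has_acl: bool    # extended ACL present (the "+" column)


@dataclass(frozen=True)
class Snapshot:
    mounts: Dict[str, bool]        # mount point -> True if mounted read-only
    files: Dict[str, FileEntry]    # absolute path -> attributes


_BITS = ((0o400, "r"), (0o200, "w"), (0o100, "x"),
         (0o040, "r"), (0o020, "w"), (0o010, "x"),
         (0o004, "r"), (0o002, "w"), (0o001, "x"))


def mode_string(mode: int) -> str:
    """Render the nine permission bits as rwxrwxrwx, like the FileMode column."""
    return "".join(ch if mode & bit else "-" for bit, ch in _BITS)


def mount_of(snap: Snapshot, path: str) -> str:
    """Longest mount point containing path (the mount table must include "/")."""
    best = "/"
    for mp in snap.mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def effective_mode(snap: Snapshot, path: str) -> int:
    """ATTR in this model: physical bits, minus write bits on a read-only mount."""
    mode = snap.files[path].mode
    if snap.mounts[mount_of(snap, path)]:
        mode &= ~0o222
    return mode


def compare(before: Snapshot, after: Snapshot,
            compare_physical: bool = False) -> Dict[str, List[str]]:
    """Return {path: ["FIELD(old->new)", ...]} for files present in both snapshots.

    As with the default "Show differences", ATTR is always compared but
    PHYSICAL_ATTR only when compare_physical is set.
    """
    changes: Dict[str, List[str]] = {}
    for path in sorted(set(before.files) & set(after.files)):
        b, a = before.files[path], after.files[path]
        fields = [("ATTR", mode_string(effective_mode(before, path)),
                   mode_string(effective_mode(after, path)))]
        if compare_physical:
            fields.append(("PHYSICAL_ATTR", mode_string(b.mode), mode_string(a.mode)))
        fields += [("OWNER", b.owner, a.owner), ("GROUP", b.group, a.group),
                   ("EXTENDED_ACL", "+" if b.has_acl else "", "+" if a.has_acl else "")]
        diffs = [f"{name}({old}->{new})" for name, old, new in fields if old != new]
        if diffs:
            changes[path] = diffs
    return changes


# Constructed before/after snapshots: chmod 660->664 on log, setfacl on
# temp.inet, and /u/app remounted read-only with data.txt itself untouched.
BEFORE = Snapshot(
    mounts={"/": False, "/SYSTEM/etc": False, "/u/app": False},
    files={
        "/SYSTEM/etc/log": FileEntry(0o660, "ADM@SRV", "OMVS", False),
        "/SYSTEM/etc/temp.inet": FileEntry(0o700, "ADM@SRV", "OMVS", False),
        "/u/app/data.txt": FileEntry(0o644, "APPUSR", "APPGRP", False),
    },
)
AFTER = Snapshot(
    mounts={"/": False, "/SYSTEM/etc": False, "/u/app": True},
    files={
        "/SYSTEM/etc/log": FileEntry(0o664, "ADM@SRV", "OMVS", False),
        "/SYSTEM/etc/temp.inet": FileEntry(0o700, "ADM@SRV", "OMVS", True),
        "/u/app/data.txt": FileEntry(0o644, "APPUSR", "APPGRP", False),
    },
)

if __name__ == "__main__":
    for path, diffs in compare(BEFORE, AFTER, compare_physical=True).items():
        print(path, " ".join(diffs))
```

With the default options data.txt is reported as an ATTR change even though nothing in its file system changed; switching on compare_physical shows that log has both an ATTR and a PHYSICAL_ATTR change while data.txt has only the effective one, which is the case Jeroen describes.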