IBM Security Z Security

  • 1.  Command Verifier Profile Translation

    Posted Tue July 21, 2020 02:58 PM
    Edited by Adam Klinger Wed July 22, 2020 07:46 AM
    Greetings -- is there anything in Command Verifier which could assist us with the below?

    We see commands executed with, for example, Class OPERCMDS Profile MVS.VARY*.**, but in instances where we see a profile ending in "*.**" we would like to change it to "*", so for example the above would be OPERCMDS MVS.VARY*

    So we'd want a command like this:

    RDEFINE OPERCMDS MVS.VARY*.** UACC(NONE) AUDIT(ALL(READ))

    To be executed as this:

    RDEFINE OPERCMDS MVS.VARY* UACC(NONE) AUDIT(ALL(READ))

    Same with PERMIT, RALTER, etc.

    Is there any sort of Policy Profile we can set up to automatically handle this?

    I couldn't find anything, possibly going from * to *.** but not in this direction.

    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: Command Verifier Profile Translation

    Posted Wed July 22, 2020 11:39 AM

    There is currently no policy to manipulate the profile name. There are policies to manipulate all types of aspects of the profile, but the profile name itself is not affected.
    BTW: I'm unsure why you wouldn't want to use consistent (EGN-style) patterns. For general resources, ABC*.** and ABC* protect exactly the same set of resources. You can define both, and that might be confusing. You can probably prevent creation of *.** profiles by defining a naming convention policy that ends in *+.++
    My preference would be to disallow the single asterisk at the end, probably by explicitly allowing *+.++ and disallowing *+



    ------------------------------
    Guus Bonnes
    ------------------------------
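
Because the reply says no Command Verifier policy rewrites the profile name, one option is to normalise command text before it is submitted. The sketch below is an added example, not part of the thread and not IBM code; it rewrites only the ABC*.** shape discussed above, for general resource classes. Assumptions: one command per line, the CLASS operand spelled in full, and the names `normalise`, `OPSGRP` and `PROD.PAY` are made up for illustration.

```python
import re

# RDEFINE/RALTER take: verb class-name profile-name ...
POSITIONAL = {"RDEFINE", "RDEF", "RALTER", "RALT"}
# PERMIT takes: verb profile-name CLASS(class-name) ...
PERMIT = {"PERMIT", "PE"}
# Only the ABC*.** shape from the thread: '*' attached to a prefix, '.**' last.
TRAILING = re.compile(r"(?<=[^.*])\*\.\*\*$")
CLASS_OPERAND = re.compile(r"\bCLASS\(\s*([^)\s]+)\s*\)", re.IGNORECASE)


def normalise(command):
    """Return (command, changed); a trailing '*.**' on the profile becomes '*'."""
    words = list(re.finditer(r"\S+", command))
    verb = words[0].group().upper() if words else ""
    if verb in POSITIONAL and len(words) >= 3:
        cls, profile = words[1].group().upper(), words[2]
    elif verb in PERMIT and len(words) >= 2:
        found = CLASS_OPERAND.search(command)
        # PERMIT without CLASS(...) addresses a data set profile.
        cls, profile = (found.group(1).upper() if found else "DATASET"), words[1]
    else:
        return command, False
    if cls == "DATASET":
        # The equivalence quoted in the thread is stated for general resources only.
        return command, False
    fixed = TRAILING.sub("*", profile.group())
    if fixed == profile.group():
        return command, False
    # Splice the new name in place so spacing and operands stay untouched.
    return command[:profile.start()] + fixed + command[profile.end():], True


# Constructed sample input; the first line is the command from the question.
SAMPLE = [
    "RDEFINE OPERCMDS MVS.VARY*.** UACC(NONE) AUDIT(ALL(READ))",
    "PERMIT MVS.VARY*.** CLASS(OPERCMDS) ID(OPSGRP) ACCESS(UPDATE)",
    "RALTER OPERCMDS MVS.VARY* UACC(NONE)",
    "PERMIT 'PROD.PAY*.**' ID(OPSGRP) ACCESS(READ)",
    "RDEFINE OPERCMDS MVS.*.** UACC(NONE)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        out, changed = normalise(line)
        print(("CHANGED  " if changed else "AS-IS    ") + out)
```

Since both spellings can be defined side by side, a profile that already exists under the *.** name stays a separate entry; a rewritten RALTER or PERMIT addresses the * spelling instead.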