IBM Security Z Security

  • 1.  C2PCOLL and CKFREEZE Access Requirements

    IBM Champion
    Posted Thu February 25, 2021 07:54 AM
    Access Monitoring is showing access attempts by C2PCOLL and CKFREEZE at ALTER level to PARMLIB and APF libraries. I assume this is caused by attempts to list RACF information on these datasets. Unfortunately, someone in the past thought they needed ALTER access and permitted it. I now need to remove the unnecessary permissions but not the permissions they actually need. I haven't figured out a way to differentiate between an Access Monitor ALTER-level access event resulting from actual access versus one for just listing RACF information. I could resort to assigning them UAUDIT to determine their access needs but for a number of reasons prefer not to do so at this time. Thus far, I haven't been able to determine which manual has information about their setup and access needs. Kindly tell me where I would find such information? TIA

    ------------------------------
    Robert Hansel
    President and Lead RACF Specialist
    RSH Consulting, Inc.
    Cambridge MA
    6179698211
    ------------------------------


  • 2.  RE: C2PCOLL and CKFREEZE Access Requirements

    Posted Fri February 26, 2021 12:55 AM
    Robert,

    Using AM.1, typically the related entries appear as below so excluding the AccRC > 4 (or only including < 8)

    Occurrence Profile key used            
          6476 SYS1.PARMLIB                
    Occurrence Intent   Type   RetAll AccRC
           231 ALTER    Auth   RetAll     8

    Also help on the RetAll

    CARLa field        : REQ_STATUS_ACCESS                                   
    Newlist type       : ACCESS                                              
    Header default     : RetAll                                              
    Field prefix header: Retrieval of access allowed                         
                                                                             
    This flag field (YES/NO) shows whether the RACROUTE REQUEST=AUTH was used
    with the STATUS=ACCESS option. STATUS=ACCESS means that the INTENT is set
    to ALTER, and that the final reason code as provided to the caller       
    reflects the allowed access of the user. The return code as shown by     
    zSecure uses the regular return code for the access intent ALTER.        
                                                                             
    The field is only present in AUTH records.                               

    Try issuing a LISTDSD for the SYS1.PARMLIB and review the result.

    Regards

    Brian


    ------------------------------
    Brian Mills
    ------------------------------



  • 3.  RE: C2PCOLL and CKFREEZE Access Requirements

    IBM Champion
    Posted Fri February 26, 2021 03:23 AM
    Edited by Rob van Hoboken Fri February 26, 2021 03:27 AM
    In addition to what Brian already pointed out, AM.1 offers a "Further selection" checkbox that pops up a panel where you can exclude (or select) events that have this "Retrieval of access allowed" attribute. CKFCOLL collects "access of the current user" by means of STATUS=ACCESS with an intended access of ALTER for DATASETS; other zSecure components use this for XFACILIT profiles, and some z/OS components check FACILITY, MQADMIN, CICS classes, etc.

    AM.1 also boasts a selection "Use of commands to display or manage profiles" to help find/exclude alleged ALTER access due to LISTDSD or RLIST command.

    ------------------------------
    Rob van Hoboken
    ------------------------------
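
    As an added illustration of the distinction discussed in this thread (not code from any poster and not part of zSecure), the script below takes Access Monitor events, drops the STATUS=ACCESS probes (RetAll = Yes) and reports the highest access each ID actually requested and was granted. The CSV column layout, the SYS1.LINKLIB rows and all counts other than the 231 shown above are constructed assumptions; treating AccRC below 8 as an allowed request follows the filter suggested in reply 2.

```python
import csv
import io
from collections import defaultdict

# RACF access levels, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample export; the column layout is hypothetical, not a zSecure format.
SAMPLE = """\
user,profile,intent,retall,accrc,count
C2PCOLL,SYS1.PARMLIB,ALTER,Yes,0,231
C2PCOLL,SYS1.PARMLIB,READ,No,0,6245
CKFREEZE,SYS1.LINKLIB,ALTER,Yes,0,112
CKFREEZE,SYS1.LINKLIB,READ,No,0,87
CKFREEZE,SYS1.LINKLIB,UPDATE,No,8,3
"""


def needed_access(export_text):
    """Return {(user, profile): highest intent seen in real, allowed requests}."""
    needed = defaultdict(lambda: "NONE")
    for row in csv.DictReader(io.StringIO(export_text)):
        key = (row["user"], row["profile"])
        needed[key]  # register the pair so probe-only IDs are still reported
        # STATUS=ACCESS probe: intent is always ALTER, so it proves nothing
        # about the access the job needs, even when AccRC is 0.
        if row["retall"].strip().upper() == "YES":
            continue
        # A denied request is not evidence that an existing permit is in use.
        if int(row["accrc"]) >= 8:
            continue
        if LEVELS.index(row["intent"]) > LEVELS.index(needed[key]):
            needed[key] = row["intent"]
    return dict(needed)


if __name__ == "__main__":
    for (user, profile), level in sorted(needed_access(SAMPLE).items()):
        print(f"{user:8} {profile:20} highest access actually requested: {level}")
```

    An ID that already holds ALTER gets AccRC 0 on its probes, so filtering on the return code alone would not separate them; the RetAll flag is what identifies the probe.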