IBM Security Z Security


zSecure Alerts - How to get an alert when a userid from a specific group get revoked

  • 1.  zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Fri June 25, 2021 02:01 PM
    Hello all,
    Is there a way to generate a zSecure Alert when a userid with a specific default group (or a default group beginning with the same letters) is REVOKED by an ALU RACF command?
    Thanks in advance by any help that you can give me,

    ------------------------------
    Regards
    Jack Zukt
    ------------------------------


  • 2.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Mon June 28, 2021 04:11 AM
    Hi Jack,

    Alert 1105 (System authority granted) contains the following selection code (in SCKRSLIB(C2PS1105)):
    select likelist=recent event=(adduser(0,2),altuser(0,2)),
    racfcmd_keywords_eff=(SPECIAL,OPERATIONS,AUDITOR,ROAUDIT,CLAUTH)

    This does a primary selection on particular EVENTs for the ADDUSER and ALTUSER (or ALU for short) commands that it limits to certain event qualifiers (0 and 2) for each of those events. Event qualifier 0 means that the issued command completed normally, qualifier 1 means there was a violation (so the requested update did not really happen) and qualifier 2 means that there were some issues with some of the keywords of the command, so it was not fully performed as requested (but a partial update might have been done, so the event could still be relevant). BTW, these event qualifiers can be found in a table in the RACF Macros and Interfaces book, chapter on SMF records, section for record type 80.

    It furthermore restricts the selection to the cases where the effective keywords (meaning that there was no problem with them) included at least one of certain values that the alert is looking for.

    So for starters I think you might use a selection on EVENT=ALTUSER(0,2) RACFCMD_KEYWORDS_EFF=REVOKE to find ALU REVOKEs that were actually applied to the RACF database.

    That leaves the question of how to restrict it to user IDs with a specific default group.

    The target user ID of the RACF command can be found in the RACFCMD_USER field.

    So I think the restriction might be RACFCMD_USER:DFLTGRP=<group specification, which could be ABC*>

    FTR, I did not test this.

    I hope this helps.


    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Tue June 29, 2021 02:31 AM

    Hi Jeroen,

    Thanks for your answer

    I am going to try it



    ------------------------------
    Jack Zukt
    ------------------------------



  • 4.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Mon July 26, 2021 10:04 AM
    Hi Jeroen,

    I finally had the opportunity to test your suggestion. Unfortunately it seems that using the RACFCMD_USER:DFLTGRP does not work. The alert validation process runs without errors but the REVOKE command is not intercepted. If I remove it I will get an alert for any REVOKE that is issued; however, with it, it does not work.
    Jack





  • 5.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Mon July 26, 2021 04:42 PM
    Hi Jack,

    I tried Jeroen's suggestion and for me it works. What I usually do when I create alerts is first just try the CARLa itself from zSecure. Just type CARLA on the command line and paste the CARLa below. With SMF input containing an ALTUSER xxxx REVOKE command and changing the default group in the CARLa to your liking it should work.

    n type=smf
    select event=altuser RACFCMD_USER:dfltgrp=crm*
    sortlist userid(p) / ,
    RACFCMD_USER(p) / ,
    RACFCMD_USER:dfltgrp(p) /,
    recorddesc(p) / / ,
    racfcmd(p)

    which results for me in

    S M F R E C O R D L I S T I N G 26Jul21 21:42 to 26Jul21 21:42

    User
    RACF userid/ACF2 logonid CRMBRT1
    RACF command target user CRMBRT8
    User's default group CRMB
    Description of the record CRMBRT1 RACF ALTUSER success: ALTUSER CRMBRT8

    RACF command ALTUSER
    RACF command CRMBRT8
    RACF command REVOKE

    cheers,

    rene

    ------------------------------
    RENE van TIL
    ------------------------------



  • 6.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Tue July 27, 2021 04:45 AM
    Hi Rene,

    Thank you for the suggestion.
    I have tried running that CARLa script.
    If I try it with  just "select event=altuser", I get this:

    S M F   R E C O R D   L I S T I N G   27Jul21 09:16 to 27Jul21 09:16
    SMF record descriptions

    Date      Time  User     Jobname  Description
    27Jul2021 09:16 XXXXXXX  XXXXXXX  RACF ALTUSER success for XXXXXXX: ALTUSER TSTZSEC0
    27Jul2021 09:16 XXXXXXX  XXXXXXX  RACF ALTUSER success for XXXXXXX: ALTUSER TSTZSEC1
    27Jul2021 09:16 XXXXXXX  XXXXXXX  RACF ALTUSER success for XXXXXXX: ALTUSER TSTZSEC2
    27Jul2021 09:16 XXXXXXX  XXXXXXX  RACF ALTUSER success for XXXXXXX: ALTUSER TSTZSEC3
    27Jul2021 09:16 XXXXXXX  XXXXXXX  RACF ALTUSER success for XXXXXXX: ALTUSER TSTZSEC4
    27Jul2021 09:16 XXXXXXX  XXXXXXX  RACF ALTUSER success for XXXXXXX: ALTUSER TSTZSEC5
    27Jul2021 09:16 XXXXXXX  XXXXXXX  RACF ALTUSER success for XXXXXXX: ALTUSER TSTZSEC6
    27Jul2021 09:16 XXXXXXX  XXXXXXX  RACF ALTUSER success for XXXXXXX: ALTUSER TSTZSEC7
    27Jul2021 09:16 XXXXXXX  XXXXXXX  RACF ALTUSER success for XXXXXXX: ALTUSER TSTZSEC8
    27Jul2021 09:16 XXXXXXX  XXXXXXX  RACF ALTUSER success for XXXXXXX: ALTUSER TSTZSEC9

    However, if I add " RACFCMD_USER:dfltgrp=crm*" or " RACFCMD_USER:dfltgrp<>crm*", I get nothing; just the "Nothing selected" on the screen upper right corner.

    Jack





  • 7.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Tue July 27, 2021 05:19 AM
    Hi Jack,

    Can you send me the exact CARLa you used to produce the output you pasted? The characters CRM in my sample are the first 3 of groups I have on my system. You will have to change that to match your group names. But still the "<>" should have produced something.

    Another way of looking at these SMF records is via the EV.U option. You should be able to find the SMF for the ALTUSER REVOKE there and see if it looks ok.
     
    cheers,
     
    Rene van Til

    Staff Software Engineer
    +31 (0) 20 - 513 6051
    rene_van_til@nl.ibm.com

    Unless stated otherwise above:

    IBM Nederland B.V.

    Registered in Amsterdam

    Amsterdam Trade Register registration no. 33054214





  • 8.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Tue July 27, 2021 05:50 AM
    Hi Rene

    This is the CARLa that gave those results

    OPTION EMPTYLIST=HIDE REQUIRED
    PRINT DISPLAYTOFILE
    PRINT NODETAILINHERIT
    SMFCACHE ON
    SUPPRESS CKFREEZE
    N TYPE=SMF NAME=SMFSEL OUTLIM=0 T=:T1 ST=:T2
     select event=altuser
     LIST TYPE
    mergelist

     newlist type=smf name=SMFDESC,
             title='SMF record descriptions'
       select   likelist=smfsel
       sortlist date(9) time smfdd(nd) recno(nd),
                user jobname recorddesc
    endmerge
    suppress ckfreeze
     smfcache off



    Using

    select event=altuser RACFCMD_USER:dfltgrp=gxs*
    or
    select event=altuser RACFCMD_USER:dfltgrp<>gxs*

    returns nothing

    Jack





  • 9.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Tue July 27, 2021 08:10 AM
    Hi Jack,

    So the only way I can recreate your issue is when I have an unload of another system connected. In that case both "=" and "<>" give me nothing selected.

    So does the SMF data come from the same system as the RACF data?

    You can see your input by typing "SYSPRINT" on the command line after you get the "nothing selected" statement. There should be a few alloc statements in there (somewhere at the top).

    Can you please paste these?
     
    cheers,
     
    Rene van Til






  • 10.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Tue July 27, 2021 08:53 AM
    Hi Jack
    zSecure Alert reads the relevant fields from the RACF database at the beginning of each (typically 60 minutes) environment interval, and uses this information until the end of the interval.  This means, if you issue ALTUSER xxx DFLTGRP(ABC) and shortly thereafter ALTUSER xxx REVOKE, the alert still uses the prior value of DFLTGRP, unless an F C2POLICE,REFRESH or a timed environment interval start occurred between the 2 ALTUSER commands.
    You could test this idea by printing the value of racfcmd_user:dfltgrp in your alert message.

    ------------------------------
    Rob van Hoboken
    ------------------------------
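    Putting Jeroen's selection (post 2), Rene's test query (post 5) and Rob's snapshot caveat (post 10) together, here is an added CARLa test query; it is not code from any poster or from the zSecure sample library, and ABC* is an assumed placeholder for the default-group prefix to watch:

```carla
/* Added example, not taken from this thread's posters. Replace ABC*
   with the default-group prefix you want to watch (placeholder).    */
newlist type=smf name=revchk,
        title='ALTUSER REVOKE applied to users with default group ABC*'
  /* Qualifiers 0 and 2 keep commands that were at least partly applied;
     qualifier 1 (violation) is left out. REVOKE must be an effective
     keyword, i.e. one RACF did not reject.                           */
  select event=altuser(0,2) racfcmd_keywords_eff=REVOKE,
         racfcmd_user:dfltgrp=ABC*
  /* Also print the DFLTGRP that zSecure sees for the target user: if it
     shows a stale value, the RACF snapshot predates your DFLTGRP change
     and the alert will not match until the next environment refresh.  */
  sortlist date(9) time user racfcmd_user racfcmd_user:dfltgrp,
           recorddesc
```

    Run it as Rene describes (CARLA on the command line) against SMF from the same system as the RACF data; if the DFLTGRP column shows the old group, issue F C2POLICE,REFRESH before re-testing the alert.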



  • 11.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Tue July 27, 2021 10:18 AM
    Hi Rob,

    Thank you for the clarification. Considering the way that I am doing my tests, that can be the glitch.
    I am going to explore that possibility.
    Thanks
    Jack





  • 12.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Tue July 27, 2021 09:08 AM
    Hi Jack, assuming your CARLa code was activated successfully, a couple of additional questions come to mind:
    Was it indeed a "RACF command" that issued the revoke, or some other software performing the RACF database update? Note that this is different from a revoke due to excessive password violations (different EVENT/EVENTQUAL).
    Did that user indeed have the expected DFLTGRP as you had coded? (on the system where the revoke occurred that you expected to be detected)

    ------------------------------
    Simon Dodge
    ------------------------------



  • 13.  RE: zSecure Alerts - How to get an alert when a userid from a specific group get revoked

    Posted Tue July 27, 2021 10:11 AM
    Hi all,
    Thank you very much for all your help.
    Rob's idea was spot on.
    I was testing with a DEFINE/REVOKE/DELETE in quick succession. As per Rob's idea, I issued a F C2POLICE,REFRESH between each command and now I am getting the expected results.
    Thank you all again for your time and suggestions,
    Jack