IBM Security Z Security

 View Only
  • 1.  Sensitive Files - Zalert

    Posted Fri July 16, 2021 02:16 PM

    Hi folks,

     

    It´s possible to insert  UNIX Files into option SE.A.S

     

    If it´s not possible , how can i do to alert updates in UNIX Files ?

     

    Regards,

    Marco

     

     


    "Esta mensagem é destinada exclusivamente para a(s) pessoa(s) a quem é dirigida, podendo conter informação confidencial e legalmente protegida. Se você não for destinatário desta mensagem, desde já fica notificado de abster-se a divulgar, copiar, distribuir, examinar ou, de qualquer forma, utilizar a informação contida nesta mensagem. Caso você tenha recebido esta mensagem por engano, pedimos por favor que responda esse e-mail informando o acontecido e posteriormente, apague-a."

    "This message is intended only for the person to whom it is addressed and may contain confidential and legally protected information. If you are not the addressee of this message, from now on you are already notified to abstain to disclose, copy, distribute, examine or, in any way, use the information contained in this message. If you have received this message in error, please answer this e-mail stating what happened and subsequently delete it."


  • 2.  RE: Sensitive Files - Zalert

    IBM Champion
    Posted Mon July 19, 2021 04:50 AM
    Edited by Rob van Hoboken Mon July 19, 2021 04:50 AM
    Hi Marco
    SE.A.S (Sensitive Data Sets) has no support for UNIX file names.  This option is used to edit the SENSxxxx members (and SEN2xxxx for ACF2) in C2PCUST, where you customize the user IDs, group names or UID strings that are supposed to READ or WRITE specific data set names.  Not UNIX files.

    You would have to create an installation defined alert to monitor access to UNIX files.  However, you can use an existing alert skeleton as a template.  I remember that alert 1401 was a good starting point.  You would use the C line command to copy the skeleton (C2PS1401) into a new alert, e.g., 4401.  You would have to modify the SELECT command in the skeleton and add a selection something like

    UNIX_PATHNAME=(,
    '/etc/hosts',
    '/etc/services',
    )

    You should also verify that there are SMF records that log the required access, either by activating SMF 92 subtype 10 and 11, or by issuing a UNIX audit command on the files you wish to track.  You can use zSecure Audit reports (option EV.F) to inspect these SMF records and find out relevant CARLa field names for use in your installation defined alert.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: Sensitive Files - Zalert

    Posted Tue July 20, 2021 06:45 AM

    Thanks Rob, i i´ll run your ideia.

     

    Enviado do Email para Windows 10

     






  • 4.  RE: Sensitive Files - Zalert

    Posted Fri July 30, 2021 11:13 AM

    Hi, Rob,

    I elaborated an alert as you said, but it's not working, am I missing something ?

     

    )DEFAULT )&?!¢}~                                                          

    )CM    

    )SETF C2PXNAME = &STR(Access_UNIX)                                        

    )SETF C2PXMSG = &STR('UNIX Sensitive Access Files'                     ?  

      '('(V) |(V) unix_access_intent(0,V) |(V))                            ?  

    'by'(V) user(0,V) 'on' /(WTO) unix_pathname(0))                           

    )SETF C2PXDES = &STR('Sensitive UNIX file')                               

    )CM Pass one query                                                        

    )SEL &C2PEPASS = Y                                                        

    )ENDSEL                                                                    

    )CM Alert condition                                                       

    )SEL &C2PEPASS = N                                                        

    )IM C2PSGNEW                                                              

    select unix_function=(open) descriptor(success),                      

            likelist=recent,                                               

            Unix_filename=('/u/A28192/pagent.conf'),                       

            Unix_pathname=('/u/A28192/')                                    

    )CM EMAIL sortlist                                                     

    )SEL &C2PERCTP = MAIL                                                  

     sortlist,                                                             

      recno(nd),                                                           

    )IM C2PSFMSG                                                       

       / '   Alert id        &c2pemem.',                               

       / '   Date and time'(18) date(9) time(11),                       

       / '   Path'(18,noretain) Unix_filename(0,wrap),                 

       / '   Access type'(18) event,                                   

       / '   Intended access'(18)  unix_access_intent(0) ,             

       / '   User'(18) user(8) name,                                    

       / '   Job name'(18) jobname,                                    

       / '   System ID'(18) system,                                    

       / '   Source terminal'(18,ne) terminal,                         

       / '   Source (IPv4)'(18,ne) terminal(0,hextoip),                

       / '   Source user'(18,ne) utoken_source_userid,                 

       / '   Source node'(18,ne) utoken_source_system,                 

       / /                                                             

    )ENDSEL                                                            

    )CM SNMP sortlist                                               

    )SEL &C2PERCTP = SNMP                                            

     sortlist,                                                      

      recno(nd),                                                    

      '&c2pemem.' /,                                                

      'eventIntegral',                                               

    )IM C2PSFMSG                                                    

      'eventWhen' datetime(datetimezone,0) /,                       

      'onWhatUNIX-PATHNAME' Unix_filename(0,hor) /,                 

      'whatEVENT' event(0) /,                                        

      'onWhatUNIX-ACCESS-INTENT'  unix_access_intent(0)  /,         

      'onWhatUNIX-ACCESS-ALLOWED' unix_access_allowed(0) /,         

      'whoUSERID' userid(0) /,                                      

      'whoNAME' name(0) /,                                           

      'whatJOBNAME' jobname(0) /,                                   

      'fromWhereTERMINAL' terminal(0) /,                            

      'fromWhereSRCIP' terminal(0,hextoip) /,                       

      'fromWhereUSER' utoken_source_userid /,                       

      'fromWhereSYSTEM' utoken_source_system /,                      

      'whereSYSTEM' system(0)                                        

    )ENDSEL                                                          

    )CM WTO sortlist                                                 

    )SEL &C2PERCTP = WTO                                             

     sortlist,                                                       

      recno(nd),                                                     

    )IM C2PSFMSG                                                     

    )ENDSEL                                                          

    )CM Action command                                               

    )IM C2PSACTX                                                     

    )IM C2PSACTS                                                     

    )ENDSEL                                                          






  • 5.  RE: Sensitive Files - Zalert

    IBM Champion
    Posted Fri July 30, 2021 12:02 PM
    Edited by Rob van Hoboken Fri July 30, 2021 12:04 PM
    in UNIX parlance, PATHNAME refers to the whole, long file name, including the directories that lead to the file.  FILENAME is the last part of the pathname.  You would probably use

    Unix_pathname=('/u/A28192/pagent.conf'c), 

    The c suffix enforces case specific matching, omitting c makes zSecure uppercase both values before compare.

    Normally, SMF 80 (where these fields are found) does not contain the directory information, but only the filename part and the inode (number).  zSecure calculates the pathname by looking up inode in the CKFREEZE, and finding the corresponding directories.

    But, as I pointed out, you should also verify that auditing is requested for this file, and SMF records are generated.  Check this using EV.F, using the same CKFREEZE that you use in C2POLICE.

    ------------------------------
    Rob van Hoboken
    ------------------------------