IBM Security Z Security

  • 1.  Access Monitor dataset profile records

    Posted Mon February 08, 2021 02:16 PM
    Using zSecure 2.4.0 on z/OS 2.3: Is there no way to get dataset information from access monitor records?

    For example, user ABCD has UPDATE access to rule SYS3.VENDOR.**

    I want to create a more restrictive rule for the APF library SYS3.VENDOR.APFLIB, which is currently protected by the above rule.

    Before I do so, I want to determine if user ABCD has ever updated this APF library, so I can anticipate any issues this might cause for them.

    Access Monitor option 3 (Permit Usage) will list all historic instances of user ABCD successfully accessing the above dataset profile with UPDATE.

    But is there no way to drill down and determine WHICH actual datasets user ABCD successfully accessed with UPDATE?

    Or do I go back to SMF records?

    Thank you in advance.

    ------------------------------
    David Malbuff
    ------------------------------


  • 2.  RE: Access Monitor dataset profile records

    Posted Mon February 08, 2021 04:11 PM
    For this I'd say use Access Monitor option 1 (Access), specifying the SAF resource class "DATASET" and SAF resource name "SYS3.VENDOR.APFLIB".

    If you instead wanted to look at this from the RACF profiles perspective, you could key in "SYS3.VENDOR.**" for the "RACF match on" field and leave the "SAF resource name" empty.

    AM.3 is a summarization so I've found it more useful for ACL / Profile clean-up.

    ------------------------------
    Adam Klinger
    ------------------------------



  • 3.  RE: Access Monitor dataset profile records

    Posted Mon February 08, 2021 04:54 PM
    Thanks! I keep forgetting option 1 allows wild card characters and blanks in the Userid field. Don't know why, I must have a mental block about that! It works fine. Thanks again.

    ------------------------------
    David Malbuff
    ------------------------------



  • 4.  RE: Access Monitor dataset profile records

    IBM Champion
    Posted Tue February 09, 2021 09:25 AM
    Edited by Rob van Hoboken Tue February 09, 2021 09:27 AM
    If you put a / in front of "Further selection" you can limit the reported users/resources to update or more:

    Action against resource  Intended access                   Result
        Define               >  1   1. Read                    /  Success
        Delete                      2. Update                     No profile
        Addvol                      3. Control                    Not authorized
        Chgvol                      4. Alter                      Other

    and when you add a / in front of "Show simulated fields", it finds the group(s) that match both the user's connect groups and the data set's profile with the intended access or more.  Look for this info at the end of the details panel (keep drilling down through the summary levels).  This may help you spot the minimum number of groups to put on the ACL of your new profiles.

    ------------------------------
    Rob van Hoboken
    ------------------------------
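The drill-down and the "intended access or more" filtering discussed in replies 2 and 4, as an added example in Python that is not part of the thread or of the zSecure product. It runs over constructed Access Monitor-style records (user, class, resource, intended access, result, and the RACF profile that protected the access) and shows: selection by SAF resource name or by the protecting profile, restricted to a minimum intended access and to successful results; RACF data set generic matching, so the same records can be re-evaluated against a proposed, more specific profile to see who it would affect; and a greedy choice of connect groups that covers every affected user, which is the idea behind the simulated group fields. All user IDs, group names and records are constructed; the matcher assumes enhanced generic naming.

```python
"""Added example (not from the zSecure thread or product): model the AM.1
drill-down and the 'who would my new profile affect' question over
constructed Access Monitor-style records."""
import re

# RACF access levels, least to most authority.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def at_least(intent, floor):
    """True when intended access 'intent' is 'floor' or higher."""
    return ACCESS_ORDER.index(intent.upper()) >= ACCESS_ORDER.index(floor.upper())


def _qualifier_matches(pat, qual):
    # Within one qualifier: '*' = zero or more characters, '%' = exactly one.
    rx = "".join(r"[^.]*" if c == "*" else r"[^.]" if c == "%" else re.escape(c)
                 for c in pat)
    return re.fullmatch(rx, qual) is not None


def profile_matches(profile, dsname):
    """RACF data set generic matching (enhanced generic naming assumed):
    '**' as a qualifier = zero or more qualifiers, '*' as a whole qualifier =
    exactly one qualifier, '*' inside a qualifier = zero or more characters,
    '%' = one character. Comparison is case-insensitive."""
    def rec(p, n):
        if not p:
            return not n
        if p[0] == "**":
            return any(rec(p[1:], n[i:]) for i in range(len(n) + 1))
        return bool(n) and _qualifier_matches(p[0], n[0]) and rec(p[1:], n[1:])
    return rec(profile.upper().split("."), dsname.upper().split("."))


# Constructed records: (user, class, resource, intent, result, protecting profile)
RECORDS = [
    ("ABCD", "DATASET", "SYS3.VENDOR.APFLIB",  "UPDATE", "SUCCESS", "SYS3.VENDOR.**"),
    ("ABCD", "DATASET", "SYS3.VENDOR.APFLIB",  "READ",   "SUCCESS", "SYS3.VENDOR.**"),
    ("ABCD", "DATASET", "SYS3.VENDOR.PARMLIB", "UPDATE", "SUCCESS", "SYS3.VENDOR.**"),
    ("EFGH", "DATASET", "SYS3.VENDOR.APFLIB",  "ALTER",  "SUCCESS", "SYS3.VENDOR.**"),
    ("IJKL", "DATASET", "SYS3.VENDOR.APFLIB",  "UPDATE", "NOTAUTH", "SYS3.VENDOR.**"),
    ("MNOP", "DATASET", "SYS3.VENDOR.APFLIB",  "READ",   "SUCCESS", "SYS3.VENDOR.**"),
    ("ABCD", "DATASET", "SYS3.OTHER.LOAD",     "UPDATE", "SUCCESS", "SYS3.OTHER.**"),
]


def select_access(records, *, user=None, klass="DATASET", resource=None,
                  profile=None, min_intent="READ", result="SUCCESS"):
    """Mirror of the AM.1 selection: exact SAF resource name, or every record
    the named profile protected ("RACF match on"); keep only records with
    intent >= min_intent and the requested result."""
    out = []
    for rec in records:
        u, c, r, intent, res, prof = rec
        keep = (c == klass
                and (user is None or u == user)
                and (resource is None or r == resource.upper())
                and (profile is None or prof == profile.upper())
                and (result is None or res == result)
                and at_least(intent, min_intent))
        if keep:
            out.append(rec)
    return out


def affected_by_new_profile(records, new_profile, min_intent="UPDATE"):
    """Users (and the data sets they touched) that a proposed profile would
    cover, i.e. who need a PERMIT on it to keep working."""
    hits = {}
    for u, c, r, intent, res, _ in records:
        if (c == "DATASET" and res == "SUCCESS" and at_least(intent, min_intent)
                and profile_matches(new_profile, r)):
            hits.setdefault(u, set()).add(r)
    return {u: sorted(ds) for u, ds in sorted(hits.items())}


# Constructed connect groups per user.
CONNECT = {"ABCD": {"SYSPROG", "VENDOR"}, "EFGH": {"SYSPROG"}, "MNOP": {"OPER"}}


def cover_groups(users, connect):
    """Greedy set cover: choose groups that together contain every user.
    Returns (chosen groups, users no group covers -> need a direct PERMIT)."""
    members = {}
    for u, groups in connect.items():
        for g in groups:
            members.setdefault(g, set()).add(u)
    uncovered, chosen = set(users), []
    while uncovered and members:
        g = min(members, key=lambda g: (-len(members[g] & uncovered), g))
        if not members[g] & uncovered:
            break
        chosen.append(g)
        uncovered -= members[g]
    return chosen, sorted(uncovered)


if __name__ == "__main__":
    for rec in select_access(RECORDS, resource="SYS3.VENDOR.APFLIB", min_intent="UPDATE"):
        print("historic UPDATE+ success:", rec[0], rec[2], rec[3])
    affected = affected_by_new_profile(RECORDS, "SYS3.VENDOR.APF*")
    print("would need a PERMIT on SYS3.VENDOR.APF*:", affected)
    print("groups to put on the ACL:", cover_groups(affected, CONNECT))
```

The greedy cover is a heuristic, not RACF's own logic; it only suggests a small set of existing groups to try on the new ACL, and users it cannot cover are returned separately so they are not silently dropped.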


  • 5.  RE: Access Monitor dataset profile records

    Posted Wed February 17, 2021 12:59 PM
    THANK YOU to Adam and to Rob for reminding me how to do this basic stuff.  And of course now that I have been reminded how to do this, it has spawned another weird issue.

    I'm trying to determine how best to change UACC=READ on our VTAMLST dataset per an audit recommendation. So I ran Access Monitor against the VTAMLST dataset to see who's been using it. A series of TSO ID's and STC ID's were reported.

    But our VTAM started task, which runs under userid $NET, did not show up in the access list.

    This obviously can't be right, so in Access Monitor option 1, I requested all accesses (since 1/1/2021) for userid $NET.  It read thousands of AM records and came back with "Nothing selected".  How is that possible?

    This is the output from the started task, we all can see it reads VTAMLST at startup on January 17:
     
    ---- SUNDAY, 17 JAN 2021 ----
    IEF695I START NET WITH JOBNAME NET IS ASSIGNED TO USER $NET   <====
    $HASP373 NET STARTED
    IEF403I NET - STARTED - TIME=00.39.10
    IST116I MEMBER ATCSTR00 NOT FOUND ON VTAM DEFINITION LIBRARY
    IST054I ATCSTR00 IN VTAMLST NOT FOUND - START PROCESSING CONTINUES    <====

    Why then is access monitor not reporting ANY historical access at all for this critical system task? Should I be reporting this as a product issue?

    Thanks in advance.

    ------------------------------
    David Malbuff
    ------------------------------



  • 6.  RE: Access Monitor dataset profile records

    Posted Wed February 17, 2021 04:57 PM
    One thing I'd check is if your Access Monitor STC is starting before the "NET" Started Task -- sounds like it may be not if you are seeing no records at all. 

    Ideally you want the Access Monitor STC to come up as early as possible in the IPL process to capture maximum data. Keep in mind that there will still be things like JES2 it cannot start before.

    ------------------------------
    Adam Klinger
    ------------------------------



  • 7.  RE: Access Monitor dataset profile records

    Posted Thu February 18, 2021 05:00 PM
    Thank you--- once again we see that I hang out in this forum to ask questions with answers that ought to be obvious to me.  No, C2PACMON is started way back in the pack, NET is already active and has already done its read of VTAMLST.  DUH!  I'll take a look at our auto ops and see if they can be shuffled around.  Thanks again!

    ------------------------------
    David Malbuff
    ------------------------------



  • 8.  RE: Access Monitor dataset profile records

    IBM Champion
    Posted Thu February 18, 2021 06:56 AM
    Edited by Rob van Hoboken Thu February 18, 2021 06:58 AM
    David,
    when you say "thousands of AM records," did you select the daily consolidated data sets reaching back into January?  Or did you include a monthly consolidated data set?  You must have ACCESS events to report about, by allocating ACCESS data sets for the time span when events (could) have occurred.
    Besides the lag of data collection around IPL time, there are also PRIVILEGED started tasks that hide activity.
    Note,  AM.9 offers scripted CLEANUP functions to replace access via UACC or ID(*) with a (new) CONNECT group and PERMITs.

    ------------------------------
    Rob van Hoboken
    ------------------------------
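Two sanity checks worth running before concluding that Access Monitor "missed" an access, as an added example in Python that is not part of the thread or of the zSecure product. The first follows replies 6 and 7: it parses IEF695I/IEF403I syslog messages from an IPL and lists every started task whose IEF403I precedes the monitor's own, together with the RACF user it runs under, since those tasks' startup reads happen while nothing is recording. The second follows reply 8: it finds days in a requested span that none of the ACCESS data sets allocated to the query covers. The syslog excerpt (modelled on the messages quoted earlier in the thread), the job names, the user assigned to C2PACMON and the data set date ranges are all constructed; the check assumes all starts fall on the same calendar day.

```python
"""Added example (not from the zSecure thread or product): two checks on
Access Monitor coverage, run over constructed syslog lines and constructed
ACCESS data set date ranges."""
import re
from datetime import date, timedelta

IEF695I = re.compile(r"IEF695I START (\S+) WITH JOBNAME (\S+) IS ASSIGNED TO USER (\S+)")
IEF403I = re.compile(r"IEF403I (\S+) - STARTED - TIME=(\d\d\.\d\d\.\d\d)")

# Constructed IPL-time syslog excerpt; the C2PACMON user ID is an assumption.
SYSLOG = """\
---- SUNDAY, 17 JAN 2021 ----
IEF695I START JES2 WITH JOBNAME JES2 IS ASSIGNED TO USER JES2
IEF403I JES2 - STARTED - TIME=00.38.55
IEF695I START NET WITH JOBNAME NET IS ASSIGNED TO USER $NET
$HASP373 NET STARTED
IEF403I NET - STARTED - TIME=00.39.10
IST116I MEMBER ATCSTR00 NOT FOUND ON VTAM DEFINITION LIBRARY
IST054I ATCSTR00 IN VTAMLST NOT FOUND - START PROCESSING CONTINUES
IEF695I START C2PACMON WITH JOBNAME C2PACMON IS ASSIGNED TO USER C2PACMON
IEF403I C2PACMON - STARTED - TIME=00.41.02
IEF695I START TCPIP WITH JOBNAME TCPIP IS ASSIGNED TO USER TCPIP
IEF403I TCPIP - STARTED - TIME=00.41.30
"""


def started_before_monitor(syslog, monitor_job="C2PACMON"):
    """Return [(jobname, userid, HH.MM.SS)] for every STC that started before
    the Access Monitor STC. Their startup accesses are not in AM data and
    have to be looked up in SMF instead. Assumes one calendar day, so the
    HH.MM.SS strings sort correctly as text."""
    users, starts = {}, []
    for line in syslog.splitlines():
        m = IEF695I.search(line)
        if m:
            users[m.group(2)] = m.group(3)           # jobname -> RACF user
            continue
        m = IEF403I.search(line)
        if m:
            starts.append((m.group(2), m.group(1)))  # (time, jobname)
    monitor = [t for t, job in starts if job == monitor_job]
    if not monitor:
        raise ValueError(f"{monitor_job} never started: no AM coverage for this IPL")
    return [(job, users.get(job, "?"), t) for t, job in starts
            if job != monitor_job and t < monitor[0]]


def uncovered_days(span_start, span_end, allocated):
    """allocated: iterable of (first_day, last_day) covered by each daily or
    monthly consolidated ACCESS data set allocated to the query. Returns the
    contiguous [(from, to)] gaps inside the requested span."""
    gaps, gap_start, day = [], None, span_start
    while day <= span_end:
        covered = any(lo <= day <= hi for lo, hi in allocated)
        if not covered and gap_start is None:
            gap_start = day
        if covered and gap_start is not None:
            gaps.append((gap_start, day - timedelta(days=1)))
            gap_start = None
        day += timedelta(days=1)
    if gap_start is not None:
        gaps.append((gap_start, span_end))
    return gaps


# Constructed allocation: daily consolidated sets for 1-17 Feb, and the
# January monthly consolidated set that reply 8 asks about.
DAILY_FEB = [(date(2021, 2, d), date(2021, 2, d)) for d in range(1, 18)]
MONTHLY_JAN = (date(2021, 1, 1), date(2021, 1, 31))


if __name__ == "__main__":
    for job, user, t in started_before_monitor(SYSLOG):
        print(f"{job} (user {user}) started {t}, before C2PACMON: startup I/O not in AM data")
    print("gaps with daily sets only:", uncovered_days(date(2021, 1, 1), date(2021, 2, 17), DAILY_FEB))
    print("gaps with January monthly added:",
          uncovered_days(date(2021, 1, 1), date(2021, 2, 17), DAILY_FEB + [MONTHLY_JAN]))
```

Neither check explains activity by PRIVILEGED started tasks, which reply 8 notes bypasses recording entirely; for those, as for the pre-monitor window, SMF is the only record.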