IBM Security Z Security

 View Only
  • 1.  Command verifier, =NOCHANGE profile with multiple levels

    Posted Thu September 23, 2021 09:51 AM

    Hi,

    There is need to "lock down" multiple levels on system.

    I'm wondering is it possible to use C4R.DATASET.=NOCHANGE.** APPLDATA('LEVEL=99') functionality to solve issue:

    Like C4R.DATASET.=NOCHANGE.** APPLDATA('LEVEL=99, 44,32')

    Already tested racfvars in  C4R.DATASET.=NOCHANGE.&locked APPLDATA('LEVEL=99') and

    C4R.DATASET.=NOCHANGE.** APPLDATA('LEVEL=&locked').

    No luck..

    Any tips?

    br,

    -- Jyri



    ------------------------------
    Jyri Tamminen
    ------------------------------


  • 2.  RE: Command verifier, =NOCHANGE profile with multiple levels

    Posted Fri September 24, 2021 04:13 AM
    Edited by Rob van Hoboken Fri September 24, 2021 04:14 AM
    Hi Jyri
    The LEVEL keyword accepts only 1 value, and this must match (exactly) the LEVEL value in the DATASET profile.  The only solution today is to create several =NOCHANGE policy profiles with different filters to match the DATASET profiles for a specific LEVEL value.
    Extending the interpretation of LEVEL= is RFE territory.  You might suggest that level is changed to hierarchical (selecting all DATASET profiles with a LEVEL value GREATER THAN OR EQUAL that policy level), or accepting a list of values.  Your choice.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: Command verifier, =NOCHANGE profile with multiple levels

    Posted Fri September 24, 2021 05:44 AM

    Thanks Rob for your answer.
    I did more investigations and manages to lock most of profiles.
    But it seems that I need to open PMR anyway.

    In case there is Generic fully qualified profile, C4R.DATASET.=NOCHANGE.dsname will not be effective, even without Level.

    For example: DATASET SYS1.LPAR.LINKLIB (G), profile C4R.DATASET.=NOCHANGE.SYS1.** <- this will lock all SYS1.** or SYS1.LPAR.** dataset profiles but not fully qualified profile. Also C4R.DATASET.=NOCHANGE.SYS1.LPAR.LINKLIB doesn't bite.

    I'm using zSecure 2.4.0



    ------------------------------
    Jyri Tamminen
    ------------------------------



  • 4.  RE: Command verifier, =NOCHANGE profile with multiple levels

    Posted Mon September 27, 2021 03:44 AM
    Hi Jyri,
    Please ensure you have APAR(PTF) OA61301(UJ05659) applied.
    Regards, Mike

    ------------------------------
    Mike Riches
    ------------------------------



  • 5.  RE: Command verifier, =NOCHANGE profile with multiple levels

    Posted Mon September 27, 2021 08:59 AM
    Edited by Guus Bonnes Mon September 27, 2021 08:59 AM
    You might want to have a look at APAR OA61301.
    Mike beat me... :-(
    ------------------------------
    Guus Bonnes
    ------------------------------