IBM Security Z Security

  • 1.  Command Verifier controlling the contents of the OMVS Segment

    Posted Thu July 08, 2021 03:02 PM
    From looking at the Command Verifier Manual, I did not see where I can control the contents of the fields HOME and PROGRAM. I want the HOME directory in most cases to be /u/USERID and PROGRAM to be /bin/sh. But I have some administrators that keep deviating from that approach. I was hoping to use Command Verifier to prevent those administrators from incorrectly populating the fields.

    I used access monitor data to "watch" me change some OMVS Segments but I did not see any C4R resources that indicated the HOME  or PROGRAM fields.

    Could I set up a post process that, if these admins added or altered the HOME or PROGRAM, I could enter an ALTUSER command to set the fields the way I wanted? My only concern would be the HOME directory since it is /u/USERID; not sure how to code the APPLDATA for that one.

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Command Verifier controlling the contents of the OMVS Segment

    Posted Fri July 09, 2021 02:40 AM
    RACF has some native functions to help address this issue: look at BPX.NEXT.USER facility class profile and BPXMODEL template user.
    ADDUSER BPXMODEL NAME('OMVS model user profile')
       OMVS(HOME('/u/&RACUID') PROGRAM('/bin/sh'))
       NOPASSWORD RESTRICTED
    Define BPX.UNIQUE.USER profile in the FACILITY class and specify the name of the model profile in the APPLDATA field.
    Example:
    RDEFINE FACILITY BPX.UNIQUE.USER APPLDATA('BPXMODEL')
    This is all explained here https://www.ibm.com/docs/en/zos/2.4.0?topic=aauitus-steps-automatically-assigning-unique-ids-through-unix-services

    ------------------------------
    philippe richard
    IBM Systems Lab Services
    ibm france
    montpellier
    ------------------------------



  • 3.  RE: Command Verifier controlling the contents of the OMVS Segment

    Posted Mon July 12, 2021 03:21 AM
    Indeed, we never got any requirements (and there is also no real security issue) for the home and program fields. Using an =PSTCMD would be a good solution, were it not that RACF translates the APPLDATA to all-uppercase. Otherwise APPLDATA like "ALTUSER &PROFILE OMVS(HOME('/u/&PROFILE'))" would have worked.
    To get something in CV, you'd need to go the RFE route :-(  Either for some control on the user specified value for HOME, or for handling the APPLDATA to allow lowercase chars in the =PSTCMD.

    ------------------------------
    Guus Bonnes
    ------------------------------



  • 4.  RE: Command Verifier controlling the contents of the OMVS Segment

    Posted Tue July 13, 2021 03:31 PM
    You may find these queries useful. They will adjust/report on any undesired OMVS segment as you described. You could run these periodically as an "after the fact" cleanup while you wait for an RFE to be fulfilled.

    PROGRAM will be checked for '/bin/sh'
    HOME will be checked for '/u/USERID' (USERID is upper case - Linnea has confirmed this privately)


    Newlist type=racf nopage dd=cmdout name=badprog
    Select class=user segment=omvs
    Exclude program='/bin/sh'
    Exclude key=(id1,id2,id3) /* ignore these */
    Sortlist "alu" key(0) "OMVS(PROGRAM('/bin/sh'))",
    "/* was" program(0) "*/"


    Newlist type=racf nopage dd=cmdout name=badhome
    Select class=user segment=omvs
    Exclude substr(home,1,3)='/u/' substr(home,4)==key
    Exclude key=(id1,id2,id3) /* ignore these */
    Sortlist "alu" key(0) "OMVS(HOME('/u/" | key(0) | "'))",
    "/* was" home(0) "*/"


    Newlist type=racf,
    T='Users with unexpected PROGRAM or HOME that were adjusted',
    empty='OK.. All OMVS segments were as expected'
    Select likelist=badprog
    Select likelist=badhome
    Sortlist key(8,'Userid') :name home program

    ------------------------------
    Simon Dodge
    ------------------------------
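    The same after-the-fact check as an added example, not part of the thread and not zSecure code: it applies Simon's selection logic (PROGRAM must be /bin/sh, HOME must be /u/USERID with the userid in upper case, a short ignore list) to an IRRDBU00 flat unload and emits the corrective ALU commands in mixed case, which sidesteps the APPLDATA upper-casing Guus mentions. The 0270 column offsets are an assumption to verify against the documented record layout, the ignore list is a placeholder, and the sample records are constructed.

```python
"""Flag OMVS segments whose HOME or PROGRAM deviate from the site standard
and generate the ALTUSER commands that put them back.  Reads only record
type 0270 (user OMVS data) of an IRRDBU00-style unload."""

# ASSUMED 1-based, inclusive column positions of the 0270 record; verify
# against the IRRDBU00 record layout for your z/OS release before use.
REC_TYPE = (1, 4)           # USOMVS_RECORD_TYPE
REC_NAME = (6, 13)          # USOMVS_NAME (userid)
REC_HOME = (26, 1048)       # USOMVS_HOME_PATH
REC_PROGRAM = (1050, 2072)  # USOMVS_PROGRAM

EXPECTED_PROGRAM = "/bin/sh"
IGNORE = {"ID1", "ID2", "ID3"}  # placeholder exclusions, as in the CARLa above

def field(line, span):
    start, end = span
    return line[start - 1:end].strip()

def parse_0270(lines):
    """Yield (userid, home, program) for every 0270 record in the unload."""
    for line in lines:
        if field(line, REC_TYPE) == "0270":
            yield field(line, REC_NAME), field(line, REC_HOME), field(line, REC_PROGRAM)

def check_omvs(records, ignore=IGNORE):
    """Return ALU commands for each deviation; an empty list means all segments comply."""
    cmds = []
    for userid, home, program in records:
        if userid in ignore:
            continue
        if program != EXPECTED_PROGRAM:
            cmds.append(f"ALU {userid} OMVS(PROGRAM('{EXPECTED_PROGRAM}')) /* was {program} */")
        expected_home = f"/u/{userid}"          # exact match: '/u/both' is NOT '/u/BOTH'
        if home != expected_home:
            cmds.append(f"ALU {userid} OMVS(HOME('{expected_home}')) /* was {home} */")
    return cmds

def make_record(userid, home, program):
    """Constructed 0270 record laid out with the assumed offsets (test data only)."""
    buf = [" "] * REC_PROGRAM[1]
    for (start, end), value in ((REC_TYPE, "0270"), (REC_NAME, userid),
                                (REC_HOME, home), (REC_PROGRAM, program)):
        width = end - start + 1
        buf[start - 1:end] = list(value[:width].ljust(width))
    return "".join(buf)

SAMPLE = [                                             # constructed sample unload
    make_record("LINNEA", "/u/LINNEA", "/bin/sh"),     # compliant
    make_record("ADMIN1", "/home/admin1", "/bin/sh"),  # wrong HOME
    make_record("ADMIN2", "/u/ADMIN2", "/bin/tcsh"),   # wrong PROGRAM
    make_record("ID1", "/x", "/x"),                    # on the ignore list
    make_record("BOTH", "/u/both", "/bin/bash"),       # both wrong (lowercase home)
]

if __name__ == "__main__":
    print("\n".join(check_omvs(parse_0270(SAMPLE))) or "OK.. All OMVS segments were as expected")
```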