IBM Security Z Security

Expand all | Collapse all

zSecure CARLa: Checking WHEN(PROGRAM) Permits

  • 1.  zSecure CARLa: Checking WHEN(PROGRAM) Permits

    Posted Tue March 02, 2021 10:57 AM
    Greetings, I have gone down the path of using CARLa to check WHEN(PROGRAM) Permits, with the goals of checking things such as:
    • Ensuring the PROGRAM specified on the permit actually exists somewhere on the system
    • Ensuring the Dataset(s) the PROGRAM reside(s) in are defined as members in the RACF PROGRAM class

    Starting down this path I didn't find anything under the RE.P.P panels along this lines, so I went to see what I could do with CARLa. First, I wanted to capture all WHEN(PROGRAM) Permits in RACF using something like:
    newlist type=racf nodup  pl=0 nopage header=column retain
    define sub_acl                subselect acl(whenclass(PROGRAM))
    select segment=base                     acl(whenclass(PROGRAM))
    
    sortlist,
       class,
       profile,
       sub_acl("ACL Type",8),
       sub_acl("ACL ID",aclid),
       sub_acl("Access",aclaccess),
       sub_acl("Via",aclvia,0)​

    This displayed data similar to the below for the "ACL ID", "Access" and "Via" fields:

    ACL ID                   Access                     Via
    ADAM(PROGRAM=GOODPROG)   ALTER,PROGRAM=GOODPROG     ADAM   PROGRAM  GOODPROG​


    However, is there a way in CARLa to only return the "GOODPROG" program name? I have been able to send this to an output dataset then reading it in again with a custom deftype, and 2-Pass newlist type=r_pgm CARLa to find the related dataset names the modules reside in, but this is far from ideal.

    Appreciate any guidance, especially if something similar to this already exists that I'm overlooking in the "AU" Audit checks available.

    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: zSecure CARLa: Checking WHEN(PROGRAM) Permits

    Posted Tue March 02, 2021 11:35 AM
    Edited by Tom Zeehandelaar Tue March 02, 2021 11:36 AM
    Hi Adam,

    that was a good hunch that you had when mentioning that something similar might be already existing in "AU". In the Audit Verify (AU.V) panel, you can find 3 Verify options that are related to PROGRAMs. These options might be of your interest to investigate first for your current challenge reporting about conditional program permits.
    1. Verify PADS: Checks that programs that are used in conditional permissions have a matching profile in the PROGRAM class. A PROGRAM profile is a prerequisite for a conditional program permission to work.
    2. Verify Program: Checks that the library names that are stored in the member list of PROGRAM class profiles are actually found in your allocated CKFREEZE data set.
    3. Verify Pgm exists: Checks that the load module is indeed stored as a member in the libraries stored in the PROGRAM profiles.
    All these 3 Verify options, if applicable, can generate proposed commands to fix inconsistencies that are encountered. Note that these commands must be carefully reviewed before running them! Most often also other commands can be run to make the involved RACF definitions consistent again. E.g. when no matching PROGRAM is found for a conditional PROGRAM permission, you might decide to remove that permit (as it will not work anyway). However, on the other hand, you might also decide to define the required matching PROGRAM profile instead. 

    You can find out more background information about the generated commands that the Verify functions produce in the "MESSAGES VERIFY" section of the SYSPRINT work data sets after running an Audit Verify function.

    HTH, regards Tom

    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------



  • 3.  RE: zSecure CARLa: Checking WHEN(PROGRAM) Permits

    Posted Tue March 02, 2021 11:59 AM
    Thanks Tom! For some reason I glossed over AU.V.. the answer to the CARLa question would be interesting nonetheless :)

    Options "2" and "3" seem to behave as expected however attempting Option "1" returned 0 results selected, yet in my own analysis using the above r_pgm methodology I found several instances of the related datasets missing from the PROGRAM class, so it seems I may need to take a deeper look at "VERIFY PADS"  and/or open a Case.

    ------------------------------
    Adam Klinger
    ------------------------------



  • 4.  RE: zSecure CARLa: Checking WHEN(PROGRAM) Permits

    Posted Tue March 02, 2021 01:37 PM
    Hi Adam,

    I think that you might have defined a catchall profile (e.g. **, or *) in the PROGRAM class that will fit any program names that are used in conditional PROGRAM permissions. Can you verify that?
    If that is the case, you might want to specify an exclude statement e.g. in Setup Preamble (option SE.3) when running :
    exclude class=PROGRAM key=**
    That might show conditional PROGRAM permits where the PROGRAM name is not matched by a more specific PROGRAM and therefore end ups being covered by the catchall PROGRAM class profile.

    HTH Tom

    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------