IBM Security Z Security

  • 1.  Command Verifier Post Processing of Commands

    Posted Thu March 04, 2021 11:12 AM
    Trying to think out of the box to resolve a situation that I am having with the migration from TSS to RACF, and to use Command Verifier to help in the effort.

    TSS has 2 SUSPEND attributes called ASUSPEND and PSUSPEND. ASUSPEND is when an administrator suspends the User ID, and PSUSPEND is when the User ID is suspended for excessive password violations. With RACF we cannot tell why the User ID was REVOKED. Was it due to excessive password violations or due to some administrative function? Our helpdesk does not want to RESUME a User ID if it was REVOKED due to some administrative process (i.e. on leave, termination).

    It was suggested by IBM to create a new field in CSDATA that would allow us to place an indicator if the User ID was revoked for some administrative process. I am fine with that approach, but my concern is keeping the field maintained. How can I ensure that the field is added and removed consistently and not rely on a person to properly maintain that field?

    Is there a way in Command Verifier that if it detects an ALU userid REVOKE coming from certain administrators it could also add ADMREVOK(YES) to the User ID as well? Same with an ALU userid RESUME to remove the ADMREVOK field. Thoughts? Concerns?

    Another thought would be if Command Verifier could detect the counter for invalid passwords reaching the threshold to maybe set PSWDREV(Y). Right now the counter resets to zero when the User ID is revoked.



    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Command Verifier Post Processing of Commands

    Posted Mon March 08, 2021 03:25 AM
    At the time that the userid gets revoked, Command Verifier doesn't get called. There is nothing that CV can do at that time. For all the administrative commands, CV is called, and it can keep track of the actions. In fact that's what it already does in the command audit trail (CAT). There is a "record" that the user was revoked/resumed by the named administrator. No need to explicitly set a CSDATA field, although the command-replacement function could be used to do that (even selectively for selected administrators).
    Processing the revoke action by RACF itself (inactive or invalid pwd/phr) requires SMF processing (or maybe a RACINIT exit) to detect the event, and set some flags in the user profile. There is no ready-made implementation for that. You could postprocess SMF in a batch job and generate appropriate commands to set a CSDATA or USRDATA field. The problem is the time between the event and the postprocessing: you might be looking at already obsolete data.

    ------------------------------
    Guus Bonnes
    ------------------------------



  • 3.  RE: Command Verifier Post Processing of Commands

    IBM Champion
    Posted Mon March 08, 2021 08:51 AM
    Hi Linnea

    Command Verifier has a concept of command replacement, or in this case command completion, controlled through C4R.command.=PSTCMD.keyword profiles. A profile C4R.ALTUSER.=PSTCMD.RESUME could be used to define a post command like ALTUSER xxx CSDATA(NOPSWDREV) and a PERMIT READ/UPDATE/CONTROL on this profile would cause the post command to be executed. NONE prevents the post command.

    You could use zSecure Alert to set the PSWDREV field, for example to the date when the user got revoked. Look at alert 1104. This triggers on EVENT=RACINIT qualifier 7, the SMF record RACF issues when the number of incorrect passwords exceeds the SETROPTS threshold. zSecure Alert has an Action Command option, where you compose your 'ALTUSER' user 'CSDATA(PSWDREV(' | date time ')' command. The C2POLICE user ID must have FIELD level access to set the field, of course.

    In olden days, RACF installations also used the concept of Hard revoke and Soft resume. This is implemented in zSecure Admin with CKGRACF SCHEDULES. The security officer that wants to block a user issues CKGRACF USER xxxx SCHEDULE BLOCKED NOW REASON "Security incident" or goes through the panels to generate this (e.g. RA.U, MS "manage schedules" line command). The Admins use RA.H "Helpdesk" to issue a CKGRACF USER xxx RESUME command to resume a user. If the user has a SCHEDULE blocking the RESUME, they get a nice little message.



    ------------------------------
    Rob van Hoboken
    ------------------------------
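The batch post-processing Guus describes (revoke/resume events turned into commands that maintain a CSDATA field) together with the helpdesk rule from the original question, as an added Python example that is not code from the thread, from Command Verifier or from zSecure. The event layout, the administrator IDs SECADM1/SECADM2, the timestamp format and the ADMREVOK field name are assumptions; real SMF type 80 records would have to be unloaded (e.g. with IRRADU00) and mapped onto these events first, which the thread does not cover.

```python
# Added example, not code from the thread: batch post-processing of constructed
# RACF revoke/resume events into ALTUSER commands that maintain the CSDATA fields.
from dataclasses import dataclass
from datetime import datetime

ADMIN_IDS = {"SECADM1", "SECADM2"}  # constructed: IDs that count as administrators

@dataclass
class Event:
    when: datetime
    kind: str          # "RACINIT7" = RACF revoked the user (pwd threshold); "ALU" = ALTUSER issued
    user: str
    issuer: str = ""   # ALU events only: who issued the command
    keyword: str = ""  # ALU events only: "REVOKE" or "RESUME"

def commands_for(events, revoked_now):
    """Return the ALTUSER commands for a batch, in event order. revoked_now is the
    set of user IDs still revoked when the batch runs: a RACINIT7 event for a user
    resumed in the meantime is dropped, the guard against acting on stale data."""
    cmds = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.kind == "RACINIT7":
            if ev.user in revoked_now:
                stamp = ev.when.strftime("%Y-%m-%d-%H.%M")  # constructed format, no blanks
                cmds.append(f"ALTUSER {ev.user} CSDATA(PSWDREV({stamp}))")
        elif ev.kind == "ALU" and ev.keyword == "REVOKE":
            if ev.issuer in ADMIN_IDS:  # administrative revoke: flag it
                cmds.append(f"ALTUSER {ev.user} CSDATA(ADMREVOK(YES))")
        elif ev.kind == "ALU" and ev.keyword == "RESUME":
            # any RESUME clears the password stamp; only an administrator's RESUME clears the flag
            fields = "NOADMREVOK NOPSWDREV" if ev.issuer in ADMIN_IDS else "NOPSWDREV"
            cmds.append(f"ALTUSER {ev.user} CSDATA({fields})")
    return cmds

def helpdesk_may_resume(csdata):
    """Helpdesk rule from the question: never resume a user flagged ADMREVOK(YES)."""
    return csdata.get("ADMREVOK", "NO").upper() != "YES"

# Constructed sample batch; USER03 was resumed again before the batch ran.
SAMPLE_EVENTS = [
    Event(datetime(2021, 3, 4, 10, 0), "RACINIT7", "USER01"),
    Event(datetime(2021, 3, 4, 10, 5), "ALU", "USER02", "SECADM1", "REVOKE"),
    Event(datetime(2021, 3, 4, 10, 6), "RACINIT7", "USER03"),
    Event(datetime(2021, 3, 4, 11, 0), "ALU", "USER04", "SECADM2", "RESUME"),
    Event(datetime(2021, 3, 4, 11, 30), "ALU", "USER05", "HELPDSK1", "RESUME"),
]
SAMPLE_REVOKED_NOW = {"USER01", "USER02"}
```

The snapshot in SAMPLE_REVOKED_NOW stands for a fresh read of the revoke status at batch time; without it the job would stamp USER03 although the condition no longer holds.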