IBM Security Z Security

  • 1.  zSecure 2.4.0 CARLA errors.

    Posted Sun April 11, 2021 02:00 PM

    Hi,

     

    I installed zSecure 2.4.0. I am trying to work with CARLa queries and libraries, but unfortunately I am receiving errors. How can I resolve these problems? I referred to the IBM Security zSecure Messages Guide IBM SC27-5643- but I couldn't solve these problems.

    I would appreciate it if you could help me solve the problems.

    Regards,

    My inputs are:

       Active backup RACF data base and live SMF data sets                 selected 

       'VBT1 input files'                                                 selected 

       CKFREEZE input files                                               selected 

       'CARLA'                                                            selected 

    My unload and ckfreeze data sets:

     

    Data set with unload from RACF database, use UNLOAD as last qualifier       

     Unload . . . . . . 'VBT.ZSECURE.SVBT1.CKRUNL'                              

                                                                                 

    I/O configuration file, use CKFREEZE as last qualifier                       

     Ckfreeze . . . . . 'VBT.ZSECURE.SVBT1.CKFREEZE'                            

                                                                                 

    Description for this set of input files                                     

     Description  . . . 'CARLA'                                                 

    example:

    I want to run IBM.ZSEC24.SCKRCARL(CKADFDIC)

    Purpose: SMF record detail information: ICF Catalogs  

    I received the following error.

    CKR0403 12 LIKELIST must refer to a previously defined NEWLIST type=smf NAME= parameter                 

    And I run another job:

    IBM.ZSEC24.SCKRCARL(CKAGC110)

    * Purpose: This member checks the compliance requirements of         

    *          RACF STIG control - ACP00110.                             

    CKR0981 12 Invalid CKRINPCMD ÜRULE_SET        Ü                                                                           

    CKR0983 12 Expecting primary command list separator/terminator instead of word ÜACP00110 DESC(ÜUÜ at CKRCMDV line 27      

    CKR0981 12 Invalid CKRINPCMD ÜMUST            Ü                                                                           

    CKR0983 12 Expecting primary command list separator/terminator instead of word Übe restricted toÜ at CKRCMDV line 28      

    CKR0981 12 Invalid CKRINPCMD ÜONLY            Ü                                                                           

    CKR0983 12 Expecting primary command list separator/terminator instead of text Ü.Ü),Ü at CKRCMDV line 29                  

    CKR0981 12 Invalid CKRINPCMD ÜCAPTION         Ü                                                                           

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü(ÜUpdate+alter oÜ at CKRCMDV line 30 

    CKR0981 12 Invalid CKRINPCMD ÜDOMAIN          Ü                                                                           

    CKR0983 12 Expecting primary command list separator/terminator instead of word ÜLINKLIST_PERMITSÜ at CKRCMDV line 32      

    CKR0988 12 Syntax error: Ü)Ü expected instead of word at Üracf_access(clasÜ on CKRCMDV line 34                            

    CKR0983 12 Expecting primary command list separator/terminator instead of word Üracf_access(clasÜ at CKRCMDV line 34      

    CKR0981 12 Invalid CKRINPCMD ÜPRIV_SENSTYPE   Ü                                                                           

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü=:('lnk','link')Ü at CKRCMDV line 35 

    CKR0981 12 Invalid CKRINPCMD ÜACCESS          Ü                                                                           

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü=(UPDATE,CONTROLÜ at CKRCMDV line 36 

    CKR0981 12 Invalid CKRINPCMD ÜID              Ü                                                                           

    CKR0983 12 Expecting primary command list separator/terminator instead of operator Ü<>('-UACC-'c))Ü at CKRCMDV line 37    

    CKR0984 12 Invalid primary command list element type delimiter Ü),Ü at CKRCMDV line 38                                    

    CKR0981 12 Invalid CKRINPCMD ÜWHITELIST       Ü                                                                           

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü(SYSPAUDT,TSTCAUÜ at CKRCMDV line 39 

    CKR0981 12 Invalid CKRINPCMD ÜRULE            Ü                                                                           

    CKR0983 12 Expecting primary command list separator/terminator instead of word ÜACP00110_permitÜ at CKRCMDV line 41   

    CKR0981 12 Invalid CKRINPCMD ÜSET             Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü(ACP00110),Ü at CKRCMDV line 42            

    CKR0981 12 Invalid CKRINPCMD ÜDESC            Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü(ÜThe ACP data sÜ at CKRCMDV line 43       

    CKR0981 12 Invalid CKRINPCMD ÜCESS            Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of word Üto only z/OS sysÜ at CKRCMDV line 44            

    CKR0981 12 Invalid CKRINPCMD ÜUSERS           Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of text Ü.Ü)Ü at CKRCMDV line 45                         

    CKR0981 12 Invalid CKRINPCMD ÜTEST            Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of word Üa.2.update_sysp,Ü at CKRCMDV line 46            

    CKR0981 12 Invalid CKRINPCMD ÜRACF_ACCESS     Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü(id:populate_stiÜ at CKRCMDV line 47       

    CKR0981 12 Invalid CKRINPCMD ÜDESCRIPTION     Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü(ÜSystems prograÜ at CKRCMDV line 48       

    CKR0981 12 Invalid CKRINPCMD ÜOTHERWISE       Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü(,Ü at CKRCMDV line 49                     

    CKR0981 12 Invalid CKRINPCMD ÜTEST            Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of word Üa.2.access_tstc,Ü at CKRCMDV line 50            

    CKR0981 12 Invalid CKRINPCMD ÜRACF_ACCESS     Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü(id:populate_stiÜ at CKRCMDV line 51       

    CKR0981 12 Invalid CKRINPCMD ÜDESCRIPTION     Ü                                                                                 

    CKR0983 12 Expecting primary command list separator/terminator instead of delimiter Ü(ÜTrusted starteÜ at CKRCMDV line 52       

                      

        

     

     

    Best wishes, regards / Regards

    ________________________________________________

    Kayhan TANRIVERİR
    Senior Systems Programmer & Consultant

    VBT Bilgi Teknolojileri A.Ş

    www.vbt.com.tr   
     
     

     

     

     



  • 2.  RE: zSecure 2.4.0 CARLA errors.

    Posted Mon April 12, 2021 02:15 AM
    Edited by Jeroen Tiggelman Mon April 12, 2021 02:52 AM

    Hi Kayhan,

    FTR, it looks to me as if the last qualifier of your UNLOAD file is CKRUNL, but as long as you have it correctly identified as type UNLOAD that should be fine.

    It appears that in both problem cases you are reporting you are trying to run a CARLa script intended to be used in the context of other CARLa as a stand-alone script instead.

    Observation 1 - CKR0403 issued when running SCKRCARL(CKADFDIC)

    CKADFDIC is a standard layout; the name stands for CKA = zSecure Audit, D = Display, F = SMF, DIC = Details about ICF Catalogs. It is intended to be used to report details about SMF record types 60, 61, 65, and 66. It is typically embedded from the user interface EV (events) menu. In the user interface you can fill in several panels to specify selection and exclusion criteria, then the records you selected are formatted using this layout, insofar as those records have the intended record types.

    On the CARLa script level, this means that the user interface generates a dummy report to represent your selection criteria and then calls this script, and this script links to the dummy report to apply the selection and then restricts the selection further to the record types it supports. It does so with the following select statement:
    s likelist=smfsel type=(60 61 65 66) .

    Here, S is an abbreviation for SELECT, while LIKELIST is the keyword that links the selection for this report to another, earlier report. It expects this earlier report to be called SMFSEL. If you run this report while the earlier report has not been defined, you get a CKR0403 to inform you that the earlier report is missing and therefore it is not possible to apply the selection as requested.

    In the User Reference Manual for zSecure Audit you can find the section "SMF reporting using predefined CARLa scripts" in the chapter about SMF. The subsection "Using record display scripts for interactive reporting" explains that you should create a selection report SMFSEL before imbedding one of these scripts.

    Furthermore, in the CARLa Command Reference there is a subsection "Selecting based on previously defined criteria (LIKELIST)" in the description of the SELECT and EXCLUDE commands. Among other things, this observes "If you run such a configurable report without supplying a preceding, appropriately named NEWLIST selection statement, a CKR0403 syntax error occurs. Instead of adding the NEWLIST statement, you can also add a SUPPRESS MSG=403 command."

    The Messages Guide explains "If you suppress this message all LIKELIST clauses which do not refer to a preceding NEWLIST select all records."

    So basically you have two options, either add the SUPPRESS statement, or add a selection NEWLIST with a NAME=SMFSEL parameter before you include this script. I did not completely understand how you were running the script, but from the interface you can likely use SETUP PREAMBLE (SE.3) to include CARLa statements before the main query.


    Observation 2 - Syntax errors when running SCKRCARL(CKAGC110)

    CKAGC110 is a RACF STIG compliance control, CKA = zSecure Audit (for RACF[1]), G = STIG, and C110 identifies the control (C = ACP, this is ACP0110). These scripts are intended to be imbedded from the AU.R (rule-based compliance reporting) menu.

    On the CARLa level, these members provide only the statements for the compliance control itself, typically starting with RULE_SET. The RULE_SET primary command is only valid within a STANDARD. The CKAG@6 member of SCKRCARL can be used to run the full STIG 6.xx standard. (If you are current on maintenance with 2.4, this would be version 6.47.) If you look in the member, you will see that it starts with something like:
    STANDARD RACF_STIG ver(6.47) ESM(RACF),
    then imbeds the individual controls, and then ends with something like:

     /*SUPPRESS existing RULEs or RULE_SETs and add site customized ones */
     I m=ckag@ins DD=CKA@CUST                                 
    ENDSTANDARD                                                            

    Which shows you that you can use STANDARD and ENDSTANDARD around an I(MBED) statement for the member if you want to run only one control.

    However, it might be easier to use the interface. You can go to AU.R.S (Subsets),  S(elect) STIG, S(elect) ACP, and R(un) ACP0110. Or you can go to AU.R.T (Test rule), and specify CKAGC110  for Standard STIG, ESM RACF and then 1. Evaluate.

    [1] STIG controls for ACF2 have a C2A prefix, for Top Secret they have a CKT prefix, and shared ones have a C2R prefix.


    I hope this helps.

    Best regards,



    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: zSecure 2.4.0 CARLA errors.

    IBM Champion
    Posted Mon April 12, 2021 03:11 AM
    Edited by Rob van Hoboken Mon April 12, 2021 03:37 AM
    Hi Kayhan
    SE.1 should be used for input files with DATA (security databases, zSecure UNLOAD, CKFREEZE, SMF, deftype files) but not for CARLa and CKACUST/V libraries.
    To specify CARLa and CKACUST/V libraries you can use SE.8.
    To specify and run members from CARLa libraries you use CO.1.

    If you want to run member CKADFDIC, you go to CO.1, you select the entry DD:CKRCARLA with an E line command, you locate member CKADFDIC and you enter a G or R line command.  This will give you the same error messages that Jeroen told you about, because the CKADF and CKALF members are mostly meant to be run from the EV application.  You can simulate the EV application by:

    - in CO.1 you enter an S line command in front of DD:CKRCARLA, this marks the standard library as your default library.
    - in CO.C you write your own CARLa program like so

    newlist type=smf  name=smfsel outlim=0
      sortlist type
    imbed m=CKADFDIC

    For STIG control members it is more complicated.  These require (a lot of) extra CARLa commands to set up the Rule Based STANDARD environment and reporting.
    If you know your member name (CKAGC110) go to AU.R.T (test member) and enter the member name.
    If you like the report, you can use the Print format and Background run options to generate JCL.

    In general, you can inspect the CARLa code that zSecure panels used to show the last report as follows.  Exit the report output by pressing F3 until you reach the panel where you can specify search criteria and parameters.  Enter RESULTS in the command line.  Enter an E in front of the entry COMMANDS.
    For printable reports you already enter the RESULTS panel after closing the REPORT data set, so you can select COMMANDS directly.
    In zSecure installations with the latest PTFs, you can also try to jump to last commands by typing =CO.L in the command line and pressing Enter.
    Once you see the CARLa commands, you can save these in a member of a private (or shared) PDS.  Specify the PDS name in SE.1, enter an E in front, and you can re-run your reports with the line command R in front of the member name.

    ------------------------------
    Rob van Hoboken
    ------------------------------
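
Added example (not part of the thread and not IBM tooling): a small Python triage helper that reads CKR messages from a failed run and names the root cause from the first error, using only the two causes explained in the replies above. The function names, the `min_sev` threshold and the reading of the second field as a severity are assumptions of this example; the sample input is constructed from message lines quoted in the first post.

```python
import re

# Constructed sample input: message lines copied from the two runs in the thread.
STIG_RUN = """\
CKR0981 12 Invalid CKRINPCMD ÜRULE_SET        Ü
CKR0983 12 Expecting primary command list separator/terminator instead of word ÜACP00110 DESC(ÜUÜ at CKRCMDV line 27
CKR0981 12 Invalid CKRINPCMD ÜMUST            Ü
CKR0983 12 Expecting primary command list separator/terminator instead of word Übe restricted toÜ at CKRCMDV line 28
"""
SMF_RUN = "CKR0403 12 LIKELIST must refer to a previously defined NEWLIST type=smf NAME= parameter\n"

MSG = re.compile(r"^\s*(CKR\d{4})\s+(\d+)\s+(.*?)\s*$")
# CKR0981 quotes the rejected command word. The quote character shows as Ü in
# the thread's output, so accept any single delimiter character on both sides.
CMD = re.compile(r"Invalid CKRINPCMD (.)([A-Z0-9_@#$]+)\s*\1")
LOC = re.compile(r"\b(?:at|on) (\w+) line (\d+)$")

def parse(sysprint):
    """Return one dict per CKRnnnn message line; other lines are ignored."""
    out = []
    for raw in sysprint.splitlines():
        m = MSG.match(raw)
        if not m:
            continue
        text = m.group(3)
        cmd, loc = CMD.search(text), LOC.search(text)
        out.append({"id": m.group(1), "sev": int(m.group(2)),
                    "cmd": cmd.group(2) if cmd else None,
                    "line": int(loc.group(2)) if loc else None})
    return out

def triage(sysprint, min_sev=12):
    """Classify the first error; later messages are counted as follow-on errors."""
    msgs = [m for m in parse(sysprint) if m["sev"] >= min_sev]
    if not msgs:
        return None
    first = msgs[0]
    if first["id"] == "CKR0403":
        cause = "LIKELIST without a preceding NEWLIST NAME= (or SUPPRESS MSG=403)"
    elif first["id"] == "CKR0981" and first["cmd"] == "RULE_SET":
        cause = "RULE_SET used outside STANDARD ... ENDSTANDARD"
    else:
        cause = "unclassified: read the first message"
    lines = [m["line"] for m in msgs if m["line"] is not None]
    return {"cause": cause, "follow_on": len(msgs) - 1,
            "first_line": min(lines) if lines else None}
```

Calling `triage()` on the full SYSPRINT of the CKAGC110 run reduces the long list of CKR0981/CKR0983 messages to the single cause given in reply 2, with the CKRCMDV line where parsing first went wrong.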