IBM Security Z Security

 View Only
  • 1.  Access Monitor and UACC cleanup

    Posted Mon December 13, 2021 05:50 AM

    Hi,

    I'm trying to get rid of UACC permissions.

    While doing analysis using either AM.9.4 or following carla, The result will not include all UACC exploiters, specially in CICS and SERVAUTH classes.

    Any suggestions how to get more precise results?

    newlist type=ACCESS nopage nodup retain
    select class=SERVAUTH sim_via=UACC,
    rectype=(auth,fast) access_result=("00"x)
    sortlist sim_profile userid userid:dfltgrp intent
    summary sim_profile


    ------------------------------
    Jyri Tamminen
    ------------------------------


  • 2.  RE: Access Monitor and UACC cleanup

    Posted Tue December 14, 2021 03:55 AM
    Hi Jyri,

    I cannot see anything wrong in your CARLa code to report successful SERVAUTH resource access events that were allowed by the UACC setting at the time of the event. 
    Running some experiments with both option AM.9.4 and the CARLa that you included on one of our development systems appears to produce consistent results for me.

    On what grounds do you conclude that the reports do not include all UACC exploiters in the CICS and SERVAUTH classes?
    And a second question is, can you verify whether the historic UACC setting of the concerning CICS and SERVAUTH resources as stored in the ACCESS record differs from the UACC setting in the RACF input source (active primary, unload, copy) that you are using, that might explain the missing entries that you expected to be reported?

    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------



  • 3.  RE: Access Monitor and UACC cleanup

    Posted Tue December 14, 2021 06:11 AM

    Hi Tom,

    And thanks for checking my carla.

    Founded the issue hard way, converted accessess to acl based on report and removed UACC. -> Log full of ICH408I:s..

    Yesterday and today we did more testings in team and some of us got different results with theyr JCL's. It seems like that AM report is really picky with Freeze file. One Freeze for Sysplex is not enough, there must be separate freeze file from every lpar. Then it founds missing users/accesses.

    In report I was using active primary racfdb, and resources were rather fresh, defined like 2-3 weeks ago. Access monitor data is merged from lpar-daily files to one sysplex wide monthly and yearly file every night.



    ------------------------------
    Jyri Tamminen
    ------------------------------



  • 4.  RE: Access Monitor and UACC cleanup

    Posted Tue December 14, 2021 09:49 AM
    ACCESS and RACF_ACCESS newlist types are picky about the SYSTEM name in ACCESS records and presence of a matching CKFREEZE file.  CKFREEZE records contain class options (SETROPTS information) that zSecure needs to determine the profiles used for access checking.  Without CKFREEZE it would not be sure about SIM_PROFILE and other SIM fields.
    You can tell zSecure to make do with the CKFREEZE, even if it is not from the right system add a SIMULATE ACCESS_FALLBACK_DEFAULT command (in your CARLa or in the SETUP PREAMBLE for ISPF sessions).

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: Access Monitor and UACC cleanup

    Posted Wed December 15, 2021 02:30 AM

    Hi Rob,

    Thanks for tip. That makes sense, and with that keyword report displays all occurances with one freeze only. So problem solved.



    ------------------------------
    Jyri Tamminen
    ------------------------------