IBM Security Z Security

Expand all | Collapse all

2 pass CARLa reaching max 255 newlists

  • 1.  2 pass CARLa reaching max 255 newlists

    Posted Mon December 07, 2020 10:29 AM
    Hi Folks,

    I'm looking for some assistance with a piece of CARLa.
    It is reaching the max of 255 merged newlists and I'm wondering is there another/better way of doing this .
    The filter on the ACL needs to stay in place i.e. the DEFINE

    Carla I have is as follows:
    print dd=ckr2pass nopage
    newlist outlim=1
    sortlist "mergelist"
    newlist type=sensdsn nodup
    select sensitivity='APF lib+lnk'
    select sensitivity='APF library'
    select sensitivity='APF linklst'
    select sensitivity='APF LPAlist'
    select sensitivity='APF LPA+Lnk'
    select sensitivity='Linklist'
    select sensitivity='LPA+APF Lnk'
    select sensitivity='LPA+Linklist'
    select sensitivity='LPA list'
    sortlist,
    "newlist type=racf nopage dd=ckrcmd" /,
    "define #ACL1 subselect ACL(id=GROUPa,GROUPb) access>=UPDATE)" /,
    "select class=dataset bestmatch='" | dsn(0) | "'," /,
    "           ACL(id=​GROUPa,GROUPb) access>=UPDATE) AUDITS=NONE" /,
    "sortlist complex "' | dsn(0) | "'(44) AUDITS profile(45) #ACL1"
    Newlist outlim=1
    sortlist "endmerge"​

    Error messages:
    CKR0398 12 Maximum of 255 merged NEWLISTs exceeded before blanks " #ACL1 subselect " at CKR1CKR line 1278
    CKR0398 12 Maximum of 255 merged NEWLISTs exceeded before blanks " #ACL1 subselect " at CKR1CKR line 1283
    CKR0398 12 Maximum of 255 merged NEWLISTs exceeded before blanks " #ACL1 subselect " at CKR1CKR line 1288
    CKR0398 12 Maximum of 255 merged NEWLISTs exceeded before blanks " #ACL1 subselect " at CKR1CKR line 1293
    CKR0398 12 Maximum of 255 merged NEWLISTs exceeded before blanks " #ACL1 subselect " at CKR1CKR line 1298
    CKR0398 12 Maximum of 255 merged NEWLISTs exceeded before blanks " #ACL1 subselect " at CKR1CKR line 1303
    CKR0398 12 Maximum of 255 merged NEWLISTs exceeded before blanks " #ACL1 subselect " at CKR1CKR line 1308
    CKR0398 12 Maximum of 255 merged NEWLISTs exceeded before blanks " #ACL1 subselect " at CKR1CKR line 1313
    CKR0398 12 Maximum of 255 merged NEWLISTs exceeded before blanks " #ACL1 subselect " at CKR1CKR line 1318
    CKR0000 12 CKRCARLA terminated due to input errors

    ​Many thanks

    ------------------------------
    Marie Butler
    ------------------------------


  • 2.  RE: 2 pass CARLa reaching max 255 newlists

    Posted Tue December 08, 2020 03:25 AM
    Edited by Rob van Hoboken Fri December 11, 2020 10:14 AM
    Hi Marie
    Your CARLa code looks like you need to list (APF) data sets where one of these groups has UPDATE ability, and logging has been disabled. 
    Now, if you did not have to list the dsname, but only the profile, you could use RACF_ACCESS, and its built-in support to identify the dangerous (privilege) access:

    newlist type=racf_access
      s priv_senstype=apf* access<>qualown id=(groupa,groupb) :audits=none
      summary profile * id access count(nd)

    RACF_ACCESS generates one observation for each permit on each profile, so you can use SELECT to single out the ID and ACCESS values, instead of using SUBSELECT in the RACF newlist type.  It also correlates the profiles with sensitive data set information from the CKFREEZE through field PRIV_SENSTYPE.  I used SUMMARY to create one section for each profile, but you could remove the * and the summary will be flattened as a result.

    If you want the DSNAME instead of the profile, change your query like so:

    newlist type=racf_access
      s priv_senstype=apf* access<>qualown id=(groupa,groupb) :audits=none
      summary resource * id access count(nd)

    This prints all data sets protected by these profiles, so you will see more than just the APF data sets.  Oh, I listed only the main APF sensitivities, you could extend the list by writing the selection as

    priv_senstype=(apf*,lpa*,linklist)

    By the way, switching off success auditing on APF (system) data sets is not a great idea.  Sure, it reduces the number of SMF records written for the huge number of updates (not!) to system data sets, but it removes accountability of system changes.  All of the security standard require audit trails for such.  zSecure's audit reports will show you which profiles need fixing, for example, AU.V - SENSITIVE or AU.S - RACF Control - SENSITIVE PROF.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: 2 pass CARLa reaching max 255 newlists

    Posted Tue December 08, 2020 03:45 AM
    Edited by Tom Zeehandelaar Tue December 08, 2020 03:58 AM
    Hi Marie,

    one of the documented restrictions of the MERGELIST function is that no more than 255 newlists can be merged. The CARLa Command Reference guide documents it as follows:

    A maximum of 255 NEWLISTs are supported between a MERGELIST/ENDMERGE pair. If more NEWLISTs
    are required, consider dividing them over two or more MERGELIST/ENDMERGE pairs. There is only one
    MERGELIST level; that is, MERGELISTs cannot be nested.

    My question: do you actually require that a single report is generated that reports ACCESS>=UPDATE to all APF, LPA, and linklist data sets in the interrogated system(s), or would it also be acceptable to produce separate reports for sensitive data sets? If not, you can just remove the MERGELIST and ENDMERGE statements from your code.

    When producing separate reports for data sets is not acceptable/desirable, you can experiment with splitting the job up in two or more MERGELIST/ENDMERGE pairs as our documentation suggests. For example, you can try using 3 jobs that each select 3 of the 9 involved sensitivities.

    Some more notes on your CARLa code:

    • Your code contains 9 SELECT statements why? It would run more efficiently with one select sensitivity=('sensitivity1','sensitivity2', ...)statement.
    • Your statement "newlist type=racf nopage dd=ckrcmd"suppresses page layout (titles, column headers, page numbers) and redirects the output to the CKRCMD work data set. However, your SORTLIST statement does not produce a RACF command. What is your intention here, generating a report or RACF commands? When the goal is to produce a report, you should probably remove the NOPAGE and dd=CKRCMD keywords.   
    • The ACL specification in your DEFINE and SELECT statements " ACL(id=​GROUPa,GROUPb) access>=UPDATE)" lack a "(" and should be coded as " ACL(id=(​GROUPa,GROUPb) access>=UPDATE)"
    I hope this helps.

    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------



  • 4.  RE: 2 pass CARLa reaching max 255 newlists

    Posted Fri December 11, 2020 09:52 AM
    Hi Rob and Tom,

    Many thanks for your responses.  Just to give a little more context to what I'm trying to achieve here:
    * I want to specifically look at APF, Linklist and LPA list.
    * I want to check if specific groups are on the access list with UPDATE or ALTER
    * I want to check if the successful audit settings are at level READ
    * And I'd like to see a single report as output

    I tried to use your suggestion Rob and while I like how the output looks, I got unexpected results in that I don't believe I'm seeing the full list (as compared with what is on the system in question).  Even when just listing the parameters for APF/LPA/LINKLIST separately, I still don't get the full expected listing.

    I used the following:
    newlist type=racf_access
    s priv_senstype=(APF*,LPA*,linklist) access<>qualown
    summary profile id access count(nd)

    Why am I not seeing the full list of APF, LPA and linklist dataset profiles in my output when using the above code?

    By the way I'm using zSecure version 2.3 on zOS 2.3.

    Many thanks,
    Marie

    ------------------------------
    Marie Butler
    ------------------------------



  • 5.  RE: 2 pass CARLa reaching max 255 newlists

    Posted Fri December 11, 2020 10:32 AM
    Hi Marie

    The PRIV_SENSTYPE=APF* selection criterium identifies PERMITs that provide privileged access to these sensitive data sets.  For APF data sets that is UPDATE, CONTROL or ALTER (and QUALOWN, but we excluded those already).  READ access is not shown.  If no PERMITs pass the selection, the whole profile is hidden from view. 

    If you find a discrepancy between the output in AU.S - MVS Extended - Sensitive - SENRAPF, and the output of RACF_Access, you could open a Case and send the two reports to L2 support.

    ------------------------------
    Rob van Hoboken
    ------------------------------