IBM Security Z Security

Changes in STIG verification members, after the latest SSE


    Posted Mon May 10, 2021 08:38 AM
    Edited by Rob van Hoboken Mon May 10, 2021 08:42 AM
    Recently, Jeroen announced availability of the most recent Service Stream Enhancement for zSecure 2.4.  In a recent customer project we customized some of the tests in STIG rules, and guess what?  The customized STIG run failed after the SSE was applied.
    As predicted in a Note in the blog, the SSE changed some of the DOMAIN names and our customization referenced those names, see the blog post.  There may also be changes in RULE or TEST names that you rely on in your OVERRIDE and ASSERT commands.

    How do you know when changes in these (internal) names occur, how do you know what part of your STIG customization to fix?

    Create a member LSTLABEL in your CKACUST or your customization CKRCARLA data set, with

    newlist type=standard pl=0
    summary rule_set(13) rule(32) domain(32) test count(nondisplay)

    Next, in AU.R.E, below the selection list with standards, enter the name of this member and select it with a /

    Specify evaluation standards to run:
     / STIG                       PCI-DSS
       GSD                        zSecure extra
    Specify members for other evaluation standards to run:
     / LSTLABEL 

    When you run the evaluation with this additional member name, the values of the labels used in your CARLa members are printed to the report file.  After you have checked the STIG results, you will see the RESULTS menu with a selection item REPORT highlighted.  This contains 4 columns with labels.

    You could save this report in a data set STIG.SSE4Q20 before applying the SSE, for example, using the W line command in front of the REPORT item, and run it again after applying the SSE, now to a data set STIG.SSE2Q21.
    Edit the STIG.SSE2Q21 data set, and in the ISPF Edit command line type COMPARE STIG.SSE4Q20.

    ISPF Edit identifies lines that only occur in the older data set with ====== in the line number field.
    You can find these lines using LOCATE SPECIAL in the command line.
    New lines are flagged with a label (.OAAAA).  Use LOCATE LABEL to find the next labeled line.

    If you used a DOMAIN, RULE or TEST label that was changed, make a similar change in your standard customization.
    Also, don't forget to re-issue your OVERRIDE and ASSERT line commands.

    Rob van Hoboken
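
The same before/after comparison can be done off-host once both REPORT data sets have been downloaded as text. The Python script below is an added example and is not part of the original post or of zSecure: it assumes each snapshot is a blank-separated, four-column report (RULE_SET, RULE, DOMAIN, TEST) with one header line, computes which labels vanished and which appeared after the SSE, proposes rename candidates within the same column, and flags the lines of a customization member that still name a vanished label. The report layout, the label names and the statements in the sample member are all constructed for this example.

```python
import re

# Constructed sample snapshots of the four-column LSTLABEL report
# (RULE_SET, RULE, DOMAIN, TEST). The label names and the blank-separated
# column layout are assumptions for this example, not real zSecure output.
REPORT_BEFORE = """\
RULE_SET  RULE      DOMAIN       TEST
STIG      RULE_EX1  DOMAIN_EX1   TEST_EX1
STIG      RULE_EX2  DOMAIN_EX2   TEST_EX2
"""
REPORT_AFTER = """\
RULE_SET  RULE      DOMAIN          TEST
STIG      RULE_EX1  DOMAIN_EX1      TEST_EX1
STIG      RULE_EX2  DOMAIN_EX2_NEW  TEST_EX2_NEW
"""
# Constructed customization member. The statements are illustrative only;
# what matters is that the text names the labels DOMAIN_EX2 and TEST_EX1.
CUSTOM_MEMBER = """\
/* site customization of STIG tests (constructed) */
override domain=DOMAIN_EX2 reason="accepted risk, ticket PLACEHOLDER"
assert test=TEST_EX1
"""


def parse_report(text):
    """Return the set of (column, label) pairs found in one report snapshot.
    Assumes one blank-separated row per line; the first line is the header."""
    rows = text.strip().splitlines()
    header = rows[0].split()
    labels = set()
    for line in rows[1:]:
        fields = line.split()
        if len(fields) != len(header):   # skip blank or partial lines
            continue
        labels.update(zip(header, fields))
    return labels


def diff_labels(before, after):
    """Labels present only before the SSE (removed or renamed) and only after."""
    old, new = parse_report(before), parse_report(after)
    return sorted(old - new), sorted(new - old)


def suggest_renames(removed, added):
    """For each vanished label, list the new labels in the same column as
    rename candidates; a person still has to confirm the actual mapping."""
    return {name: [n for c, n in added if c == col] for col, name in removed}


def find_stale_references(custom_text, removed):
    """Return (line number, label, line text) for every line of the
    customization member that still names a label that disappeared."""
    gone = {name for _, name in removed}
    hits = []
    for lineno, line in enumerate(custom_text.splitlines(), 1):
        for token in re.findall(r"[A-Za-z0-9_#@$]+", line):
            if token.upper() in gone:
                hits.append((lineno, token.upper(), line.strip()))
    return hits


def audit(before, after, custom_text):
    """Bundle the diff, rename candidates and stale references in one dict."""
    removed, added = diff_labels(before, after)
    return {
        "removed": removed,
        "added": added,
        "renames": suggest_renames(removed, added),
        "stale": find_stale_references(custom_text, removed),
    }


if __name__ == "__main__":
    for key, value in audit(REPORT_BEFORE, REPORT_AFTER, CUSTOM_MEMBER).items():
        print(f"{key}: {value}")
```

Every line listed under "stale" is one that needs the same change in your standard customization, after which the OVERRIDE and ASSERT line commands have to be re-issued as the post describes.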