Recently, Jeroen announced the availability of the most recent Service Stream Enhancement (SSE) for zSecure 2.4. In a recent customer project we customized some of the tests in STIG rules, and guess what? The customized STIG run failed after the SSE was applied.
As predicted in a Note in the blog, the SSE changed some of the DOMAIN names and our customization referenced those names; see the blog post. There may also be changes in RULE or TEST names that you rely on in your OVERRIDE and ASSERT commands.
How do you know when changes in these (internal) names occur, and how do you know which part of your STIG customization to fix?
Create a member LSTLABEL in your CKACUST or your customization CKRCARLA data set, with:
    newlist type=standard pl=0
    summary rule_set(13) rule(32) domain(32) test count(nondisplay)
Next, in AU.R.E, below the selection list with standards, enter the name of this member and select it with a /:
    Specify evaluation standards to run:
    / STIG PCI-DSS
    GSD zSecure extra
    Specify members for other evaluation standards to run:
    / LSTLABEL
When you run the evaluation with this additional member name, the values of the labels used in your CARLa members are printed to the report file. After you have checked the STIG results, you will see the RESULTS menu with a selection item REPORT highlighted. This contains 4 columns with labels.
You could save this report in a data set STIG.SSE4Q20 before applying the SSE, for example, using the W line command in front of the REPORT item, and run it again after applying the SSE, now to a data set STIG.SSE2Q21.
Edit the STIG.SSE2Q21 data set, and in the ISPF Edit command line type COMPARE STIG.SSE4Q20.
ISPF Edit identifies lines that only occur in the older data set with ====== in the line number field.
You can find these lines using LOCATE SPECIAL in the command line.
New lines are flagged with a label (.OAAAA). Use LOCATE LABEL to find the next labeled line.
If you used a DOMAIN, RULE or TEST label that was changed, make a similar change in your standard customization.
Also, don't forget to re-issue your OVERRIDE and ASSERT line commands.
------------------------------
Rob van Hoboken
------------------------------
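
The same before/after comparison can be run offline on downloaded copies of the two REPORT data sets, which also lets you search your customization for the old names. The following is an added example, not part of the original post and not zSecure code. It assumes each report line holds four blank-free labels in the order of the summary statement; all label names and the customization text are constructed.

```python
import re

COLUMNS = ("RULE_SET", "RULE", "DOMAIN", "TEST")  # order of the LSTLABEL summary

def parse_report(text):
    """Return the set of (rule_set, rule, domain, test) rows in a saved REPORT."""
    # Assumption: each data line holds four blank-free labels; other lines are skipped.
    return {tuple(f) for f in (l.split() for l in text.splitlines()) if len(f) == 4}

def candidate_renames(before, after):
    """Pair removed and added rows that differ in exactly one column."""
    found = set()
    for old in before - after:
        for new in after - before:
            diff = [i for i in range(4) if old[i] != new[i]]
            if len(diff) == 1:
                found.add((COLUMNS[diff[0]], old[diff[0]], new[diff[0]]))
    return sorted(found)

def stale_references(renames, customization):
    """Return (line number, column, old label, new label) per stale reference."""
    hits = []
    for num, line in enumerate(customization.splitlines(), 1):
        for column, old, new in renames:
            # Whole-label match; $ # @ count as name characters on z/OS.
            if re.search(r"(?<![\w$#@])" + re.escape(old) + r"(?![\w$#@])", line, re.I):
                hits.append((num, column, old, new))
    return hits

# Constructed sample data: label names and customization text are invented.
BEFORE = """\
EXSET EX_RULE_1 DOM_APF_OLD T_UACC
EXSET EX_RULE_1 DOM_APF_OLD T_AUDIT
EXSET EX_RULE_2 DOM_PARMLIB T_UACC
"""
AFTER = """\
EXSET EX_RULE_1 DOM_APF T_UACC
EXSET EX_RULE_1 DOM_APF T_AUDIT
EXSET EX_RULE_2 DOM_PARMLIB T_UACC
"""
CUSTOM = """\
(constructed placeholder text, not real CARLa syntax)
local test that refers to DOM_APF_OLD
local test that refers to DOM_PARMLIB
"""

if __name__ == "__main__":
    renames = candidate_renames(parse_report(BEFORE), parse_report(AFTER))
    for hit in stale_references(renames, CUSTOM):
        print("line %d: %s %s is now %s" % hit)
```

When several labels change within the same rule, the pairing can list more than one candidate for an old name; confirm each one against the ISPF COMPARE output before editing your customization.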