IBM Security Z Security


zOS Privileged Human UserIds. How to setup custom zSecure Alerts

  • 1.  zOS Privileged Human UserIds. How to setup custom zSecure Alerts

    Posted Sun May 24, 2020 05:47 PM
    Hi, grateful for any suggestions on the subject of zOS Privileged Human UserIds.
    I am trying to establish what alerts to use to track the activity of zOS Privileged Userids.
    The categories are zOS, DB2, CICS and IMS 'system programmers', i.e. UserIds with
    the ability to 'Change the System(s) Configuration'.
    Alert 1102, logon with emergency User ID, seems to be able to cater for only ten entries ...
    So if I wish to track 40 / 50 UserIds (zOS, DB2, CICS, IMS Sysprogs), I suppose I will
    have to copy alert 1102 to a new custom alert, but that will only give me the capability
    to track another 10? So is it a question of having to copy Alert 1102 to 4/5 new alerts
    to cover the total Sysprog UserId population of @40 UserIds ?

    Interested though in what types of tracking other Sites do for zOS Human Privileged UserIds.
    I posted this on Listserv RACF; it is more appropriate here! Thanks


    ------------------------------
    PPL
    ------------------------------


  • 2.  RE: zOS Privileged Human UserIds. How to setup custom zSecure Alerts

    Posted Mon May 25, 2020 03:21 AM
    Edited by Tom Zeehandelaar Mon May 25, 2020 03:26 AM
    Hi Peter, 

    please be aware that the standard Alert 1102 supports the use of wildcards ("*" and "%") in the zSecure Alert User Interface. Therefore, when your company uses a naming convention scheme for Privileged Human UserIds, you should be able to address many more UserIds by applying the appropriate wildcards in the ten supported panel entries.

    Then, when that suggestion still does not suffice for your business case, indeed you can decide to copy Alert 1102 to define a custom alert. However, in my opinion, there is no need to take multiple copies. After copying Alert 1102 to an installation-defined alert, you should be authorized to use line command E (for Edit) against your custom version of Alert 1102.
    That action shows a follow-on alert configuration panel that shows an option that is named "View/edit alert skeleton C2PS%%%%" (where %%%% represents the alert ID that you assigned to your custom alert). When you select that option, you can view and, if applicable, edit the CARLa script that the alert uses.
    When you scroll down, you encounter the part where the supported panel entries for Alert 1102 are picked up:
    )DEFAULT )&?!<|>         
            likelist=recent, 
            user=(,          
             <&c2peeus0,|>   
             <&c2peeus1,|>   
             <&c2peeus2,|>   
             <&c2peeus3,|>   
             <&c2peeus4,|>   
             <&c2peeus5,|>   
             <&c2peeus6,|>   
             <&c2peeus7,|>   
             <&c2peeus8,|>   
             <&c2peeus9,|>   
            )

    Here, you can either replace or add hard-coded names (or filters) of the UserIds that your company wants to monitor.
    I hope that this answers your question sufficiently.

    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    Delft
    +31643351728
    ------------------------------



  • 3.  RE: zOS Privileged Human UserIds. How to setup custom zSecure Alerts
    Best Answer

    IBM Champion
    Posted Mon May 25, 2020 04:49 AM
    Edited by peter leaper Tue May 26, 2020 02:25 PM

    If the sysprogs (and other privileged IDs) can be identified by (any of) their connect groups, you could use these in the alert skeleton.  First add a SIMULATE command to tell Alert which group(s) you are going to use:

    SIMULATE PRIV_USER_GROUPS=(DB2ADMIN,ZOSTEAM)

    and then use these in the SELECT command:

    SELECT LIKELIST=RECENT PRIV_USER_GROUPS=ZOSTEAM  ......


    Instead of specifying the list of (privileged) user IDs in each alert, you could also write them in a member of the C2PCUST data set, similar to the (CKACUST) whitelist members that we use for STIGs.  Suppose you create a member SYSPROG, and each line contains one user id.

    Then in member C2PXINIT you add

    deftype type=_config_sysprog
    alloc type=_config_sysprog dsn=&C2PCUSTS.(sysprog)
    define type=_config_sysprog id(8) as word(record,1),
       where substr(record,1,1)<>"*"


    In the alert skeletons you write

    SELECT LIKELIST=RECENT EXISTS(USERID:_config_sysprog.id.id)  ......


    ------------------------------
    Rob van Hoboken
    ------------------------------
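As an added illustration (not zSecure code, and not from either reply above), the Python below mimics the two filtering approaches the thread discusses: the wildcard panel entries of Alert 1102 and a SYSPROG-style C2PCUST member where word 1 of each non-comment record is a user ID. The wildcard semantics ("*" matches any run of characters, "%" exactly one), the sample member text and the logon records are assumptions constructed for this example.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample of a SYSPROG member: one user ID per record,
# records starting with "*" are comments (hypothetical content).
SYSPROG_MEMBER = """\
* z/OS and DB2 system programmers (constructed sample)
SYSPRG01   z/OS sysprog
SYSPRG02
DB2ADM7    DB2 sysprog
"""

# Constructed logon records as (userid, event) pairs.
SAMPLE_LOGONS: List[Tuple[str, str]] = [
    ("SYSPRG01", "LOGON"), ("CICSOP3", "LOGON"),
    ("DB2ADM7", "LOGON"), ("SYSPRGX", "LOGON"),
]


def load_ids(member_text: str) -> List[str]:
    """Mirror the CARLa DEFINE in the thread: word 1 of each record,
    skipping records whose first character is '*'."""
    ids = []
    for record in member_text.splitlines():
        if not record.strip() or record[:1] == "*":
            continue
        ids.append(record.split()[0].upper())
    return ids


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Assumed wildcard semantics: '*' any run of characters, '%' one character."""
    parts = []
    for ch in pattern.upper():
        parts.append(".*" if ch == "*" else "." if ch == "%" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def is_privileged(userid: str, patterns: Iterable[str], listed_ids: Iterable[str]) -> bool:
    """True when the ID is in the member list or matches one of the panel entries."""
    uid = userid.upper()
    if uid in set(listed_ids):
        return True
    return any(pattern_to_regex(p).match(uid) for p in patterns)


def alert_logons(records, patterns, listed_ids) -> List[str]:
    """Return the user IDs whose LOGON event should raise the privileged-logon alert."""
    return [u for u, ev in records if ev == "LOGON" and is_privileged(u, patterns, listed_ids)]
```

Run with `alert_logons(SAMPLE_LOGONS, ["SYSPRG%%"], load_ids(SYSPROG_MEMBER))` to see which constructed logons match.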