IBM Security Z Security

  • 1.  CARLa: Hide CSDATA value in RACFCMD field of SMF Report

    Posted Thu March 26, 2020 10:50 AM
    Hello,

    I'm running a simple, standard CARLa report to show RACF commands issued.
    However I now have a requirement to either hide or remove custom data from the ADDUSER and ALTUSER commands, before sending to a new recipient.

    As a simple example, I want to change output like this:
    ALTUSER USER1 somethingA CSDATA(XA(ITRM3349320)) somethingB
    To either:
    ALTUSER USER1 somethingA CSDATA(***************) somethingB
    Or:
    ALTUSER USER1 somethingA  somethingB

    The first option would be preferable.

    It seems to me that I should be able to do this in some way with the right DEFINE or CONVERSION, or by some manipulation of the RACFCMD field, but the answer escapes me.

    Any help would be appreciated.

    ------------------------------
    Pete Buckley
    ------------------------------


  • 2.  RE: CARLa: Hide CSDATA value in RACFCMD field of SMF Report
    Best Answer

    Posted Thu March 26, 2020 03:58 PM
    Edited by Peter Buckley Fri March 27, 2020 09:41 AM
    Hi Pete,

    I can see the value of hiding the potentially sensitive information in the CSDATA field and I would agree that your preferred option would be the cleanest. To achieve it, I believe you would need to open an RFE.

    The CONVERSION command deals with adjusting qualifiers in a [data set or general resource] name, so does not apply in this context. However, a DEFINE can be used to hide the CSDATA information [that is unlikely to have notable side effects].

    Since you are showing a full command as the start point, I assume your CARLa contains a clause like RACFCMD(HOR WRAP 0).

    RACFCMD is in fact a repeated field. The first value in the field will contain the command (for example ALTUSER), then there will be later values that contain USER1, somethingA, CSDATA(XA(ITRM3349320)), and somethingB.

    The relevant CSDATA() clauses will always be (full, separate) values. Also, each field will be in its own CSDATA clause [at the moment; this does not constitute a documented interface].

    There are some special fields for RACFCMD to reduce the amount of information, notably RACFCMD_KEYWORDS (this suppresses all values and only leaves keywords like GROUP without telling you which group was connected), and RACFCMD_EFFECTIVE (the latter suppresses the clauses that were in error or ignored and thus not actually executed). However, this is the only special instrumentation that is available in CARLa, otherwise it is "just a regular repeated field".

    That means that the transformation specified in a DEFINE will be applied to each value in the repeated field. (Also note that using WHERE will result in a selection on the record level, and does not allow making changes to a particular value only.)

    So the desired transformation must clip off [at least] the content of the CSDATA() clause without affecting other clauses.

    From there, the solution I came up with is:

    define type=smf racfcmd_sans_csdata as PARSE(racfcmd,,'CSDATA(')

    You print the result like you would RACFCMD itself, with (HOR WRAP 0), to get the full command [without the omitted clauses].

    Like so (for testing purposes):

    n type=smf; s event=allcommands racfcmd_keywords=csdata
    def type=smf racfcmd_sans_csdata(0) as parse(racfcmd,,'CSDATA(')
    sortlist recno racfcmd(hor wrap 0) /,
      'sanitized:'(11) racfcmd_sans_csdata(hor wrap 0) /

    I hope this helps.

    Regards,
    Jeroen

    P.S. Do note that if the clause "CSDATA(" should occur in some other data field (perhaps somewhere between quotes), then the rest of that clause would also be suppressed.

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: CARLa: Hide CSDATA value in RACFCMD field of SMF Report

    IBM Champion
    Posted Fri March 27, 2020 03:22 AM
    Edited by Rob van Hoboken Fri March 27, 2020 03:22 AM
    That's a nice solution, Jeroen.
    Note how Jeroen used 2 commas in the PARSE function, he asks it to return either
    - the text string BEFORE the CSDATA( string, which would be empty when there is a CSDATA( keyword, or
    - the whole text string when there is no CSDATA( in the keyword.

    Once the newlist has sanitized some SMF records, based on the presence of a CSDATA keyword in the command, the other SMF records should pass through unobstructed.  This can be achieved with the LIKELIST function, like so:

    n type=smf name=sanitize
      define racfcmd_sans_csdata(0) as parse(racfcmd,,'CSDATA(')
      s event=allcommands racfcmd_keywords=csdata
      sortlist recno racfcmd(hor wrap 0) /,
        'sanitized:'(11) racfcmd_sans_csdata(hor wrap 0) /
    n type=smf name=therest
      s event=allcommands not(likelist=sanitize)
      sortlist recno racfcmd(hor wrap 0)

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 4.  RE: CARLa: Hide CSDATA value in RACFCMD field of SMF Report

    Posted Fri March 27, 2020 04:34 AM
    Edited by Jeroen Tiggelman Fri March 27, 2020 04:39 AM
    That's a good way of making sure that other records are not accidentally harmed, Rob.

    I note that in your example the untouched records will show up in a separate report section behind the sanitized ones.

    To keep them in the original order, SORTLIST could be changed to LIST in this example. (Assuming that there was only one input file; but you probably would not want to first see all records with recno 1 from all input files, then all with recno 2 etc. anyway.)

    If for some reason that would not be practical, a MERGELIST could be used, like so:

    MERGELIST name=ALL
    n type=smf name=sanitize
      define racfcmd_sans_csdata(0) as parse(racfcmd,,'CSDATA(')
      s event=allcommands racfcmd_keywords=csdata
      sortlist recno racfcmd(hor wrap 0) /,
        'sanitized:'(11) racfcmd_sans_csdata(hor wrap 0) /
    n type=smf name=therest
      s event=allcommands not(likelist=sanitize)
      sortlist recno racfcmd(hor wrap 0)

    ENDMERGE

    This solution relies on the fact that RECNO determines the right sort order. If you want to print other fields, you can assure the right sort order by prefixing fields that you do not want to print but do want to sort on with the NONDISPLAY (or ND for short) modifier, for example:

    MERGELIST name=ALL
    n type=smf name=sanitize
      define racfcmd_sans_csdata(0) as parse(racfcmd,,'CSDATA(')
      s event=allcommands racfcmd_keywords=csdata
      sortlist smfdd(nd) recno(nd) racfcmd(hor wrap 0) /,
        'sanitized:'(11) racfcmd_sans_csdata(hor wrap 0)
    n type=smf name=therest
      s event=allcommands not(likelist=sanitize)
      sortlist smfdd(nd) recno(nd) racfcmd(hor wrap 0)

    ENDMERGE

    Or if you don't like the order of the SMF input file names and your data is all from the same timezone, you could use DATETIME(ND) instead.

    If you want the RACFCMD data on its own line in a larger report, you could also use the following trick to get the output from a single SORTLIST:

    newlist type=smf
    select event=allcommands
    define racfcmd_sans_csdata(0 wrap hor) as parse(racfcmd,,'CSDATA('),
    where racfcmd_keywords=csdata
    define racfcmd_untouched(0 wrap hor) as racfcmd where
    not(racfcmd_keywords=csdata)
    sortlist datetime(nd) recno(nd) ' '(ne) / ' '(1 ne) racfcmd_untouched,
    / ' '(1 ne) racfcmd_sans_csdata


    This uses the NE (or NOTEMPTY) modifier to suppress empty lines, so only one of the two RACFCMD lines is actually printed. (I am using the blank literal to provide indent. If you change the 1 to some other number, you get another number of blanks. This gets you two blanks because you also get a separator blank, which could be suppressed with a pipe (|) character to request column concatenation.)

    (The first line could contain anything, here I am actually also suppressing it entirely, because it is now always empty.)

    Be sure to specify not(racfcmd_keywords=csdata) as the complementary clause, meaning that NONE of the keyword values in the repeated field is CSDATA. Note that racfcmd_keywords<>csdata would be requesting that ANY of the keyword values was not CSDATA, which is not the complement of the other clause.

    (Another trick sometimes used is concatenating complementary fields with overriding length 0 on a SORTLIST with the pipe character to only see one instance, but this does not work in this case because of the WRAP modifier.)

    Have fun!

    JJW

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------
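    The PARSE-based sanitizer from Jeroen's answer, the asterisk masking Pete preferred, the "CSDATA(" inside another clause caveat from the P.S., and the not(=csdata) versus <>csdata distinction from the last reply, as an added Python model of the behaviour (this is not CARLa and not code from the thread; the command values are constructed, and the keyword extraction is a simplification of RACFCMD_KEYWORDS).

```python
import re

# Constructed sample: RACFCMD modelled as the repeated field described above,
# first value = command name, later values = operands and keyword clauses.
# The NAME clause deliberately contains "CSDATA(" inside quotes (see the P.S.).
CONSTRUCTED_CMD = ["ALTUSER", "USER1", "somethingA",
                   "CSDATA(XA(ITRM3349320))", "NAME('CSDATA(IN QUOTES)')",
                   "somethingB"]

def parse_before(value, marker="CSDATA("):
    """Mimic PARSE(racfcmd,,'CSDATA(') on one value: the text before the
    marker, or the whole value when the marker is absent."""
    idx = value.find(marker)
    return value if idx < 0 else value[:idx]

def sans_csdata(values):
    """Option 2 from the question: the DEFINE is applied to every value of the
    repeated field, so CSDATA clauses become empty and drop out of the print."""
    return " ".join(v for v in (parse_before(x) for x in values) if v)

def mask_csdata(values):
    """Option 1 (the preferred form, which the thread says needs an RFE in
    CARLa): keep the clause, replace its content with same-length asterisks."""
    def mask(v):
        m = re.fullmatch(r"CSDATA\((.*)\)", v)
        return v if m is None else "CSDATA(" + "*" * len(m.group(1)) + ")"
    return " ".join(mask(v) for v in values)

def keywords(values):
    """Simplified stand-in for RACFCMD_KEYWORDS: the keyword of each clause
    after the command name, i.e. the text before the opening parenthesis."""
    return [v.split("(", 1)[0].upper() for v in values[1:]]

def none_is_csdata(values):
    """not(racfcmd_keywords=csdata): NO keyword value is CSDATA."""
    return not any(k == "CSDATA" for k in keywords(values))

def any_is_not_csdata(values):
    """racfcmd_keywords<>csdata: ANY keyword value is not CSDATA.
    Not the complement of none_is_csdata when the command mixes clauses."""
    return any(k != "CSDATA" for k in keywords(values))
```

    Running parse_before on the NAME value shows the P.S. caveat: everything from the quoted "CSDATA(" onwards is clipped too, so the sanitized command is truncated where the marker appears inside other data.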



  • 5.  RE: CARLa: Hide CSDATA value in RACFCMD field of SMF Report

    Posted Fri March 27, 2020 09:42 AM
    Thank you both for a nice, simple solution, and for all the additional helpful advice.

    I was tempted not to reply for a few days, to see what other goodies you might share!

    ------------------------------
    Peter Buckley
    ------------------------------