IBM Security Z Security

  • 1.  CKGRACF Command, Command Verifier Audit Trail, & RRSF Propagation

    Posted Thu June 11, 2020 01:59 PM
    Edited by Adam Klinger Thu June 11, 2020 02:16 PM
    So I've taken a look at the following links:

    https://www.ibm.com/support/pages/explanation-how-rrsf-propagates-ckracf-command
    https://www.ibm.com/support/pages/rrsfdata-profiles-needed-userdata-update-propagation-ckgracf-commands

    The follow-up question I have is how does this come into play with the Command Verifier audit trail since information there is stored in USRDATA? I would think this is a non-concern based on the Command Verifier manual section around RRSFDATA propagation but figured I'd check (possibly updates USRDATA a different way).

    For example let's say I have NODEA and NODEB, and issue the following command on NODEA, with a UACC(READ) RRSFDATA class AUTODIRECT.NODEB.USER.APPL profile defined: 

             ckgracf cmd execute altuser Adam revoke

    Would in this instance both the Command Verifier audit trail information from NODEA reflect to NODEB, along with the CKGRACF command itself being propagated to NODEB?

    If the answer is yes, is there a way to ensure the CKGRACF command is propagated from NODEA to NODEB but not the USRDATA information generated by the Command Verifier Audit trail? I'd like that to have information for when the command actually executes on NODEB.

    Thanks for any clarity here

    ------------------------------
    Adam Klinger
    ------------------------------


  • 2.  RE: CKGRACF Command, Command Verifier Audit Trail, & RRSF Propagation

    IBM Champion
    Posted Fri June 12, 2020 04:18 AM
    Edited by Rob van Hoboken Fri June 12, 2020 04:20 AM
    Hi Adam
    CKGRACF supports 2 types of commands (we could even increase this number by going into details, but let's stick with 2):

    • RACF commands, executed through the CKGRACF CMD EXEC, CKGRACF CMD ASK or CKGRACF CMD REQ functions.  These execute the commands with some level of parameter validation and, in the case of the ASK and REQ verbs, with elevated privileges.  The actual RACF database updates are performed by normal RACF commands that are under scrutiny of Command Verifier (when installed and activated).  RRSF propagates the RACF commands normally.
      The CKGRACF REFRESH function also executes RACF commands, related to queued CMD ASK and REQ commands.
    • CKGRACF native commands, like CKGRACF LIST, CKGRACF USER xxx RESUME PWSET, CKGRACF USRDATA.  These update RACF profiles directly.  No RACF commands are involved; RRSF propagates actions under control of AUTOAPPL, as explained in the 2 URLs you listed.  Command Verifier is not involved.

    If a normal RACF command is propagated or directed from NODEA to NODEB, the command is executed twice: once in the user's address space in NODEA, then again in the RRSF address space in NODEB.  If you have Command Verifier active in both systems, it verifies the command each time and stores Command Audit Trail entries each time, when so directed by the =CMDAUD policy profiles.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 3.  RE: CKGRACF Command, Command Verifier Audit Trail, & RRSF Propagation

    Posted Fri June 12, 2020 05:24 AM
    To which I'd like to add that the USRDATA updates made by Command Verifier for the CAT are not independently propagated to other systems. So, the ALTUSER CAT-data on NODEA stays on NODEA, and when the command is propagated to NODEB, CV on NODEB might generate CAT-data (or not, depending on your =CMDAUD profiles on NODEB).

    ------------------------------
    Guus Bonnes
    ------------------------------



  • 4.  RE: CKGRACF Command, Command Verifier Audit Trail, & RRSF Propagation

    Posted Fri June 12, 2020 07:42 AM
    Thank you! This is what I figured based on the manual, but wanted to verify based on the USRDATA point.

    ------------------------------
    Adam Klinger
    ------------------------------



  • 5.  RE: CKGRACF Command, Command Verifier Audit Trail, & RRSF Propagation

    Posted Fri June 12, 2020 07:43 AM
    Appreciate the thorough explanation! Confirmed my understanding.

    ------------------------------
    Adam Klinger
    ------------------------------