My client is working with zSecure 5655-N17 IBM Security zSecure Audit for RACF 2.5.0.
We have a number of STIG checks to:
a. Verify as compliant with non-zSecure commands
b. If compliant, manually flag via A(ssert)
As the number of entries is in the hundreds, rather than using the ISPF interface to Assert these entries, is there a method that can be automated (i.e. run in batch)? Two of the relevant STIGs are ZWMQ0012 & ZWMQ0014 (Digital certs and CNF check).
I have read the very useful document Making zSecure and STIG work with your installation security policy (ibm.com) but was wondering if there was a method to run in batch, passing the ASSERT value and updating the zSecure Assert data set?
The ASSERT command is documented here. You can use it in a CARLa program to fill an ASSERT data set referenced with an ALLOC command:
  // EXEC C2RC
  //ASSERTS DD DISP=SHR,DSN=prefix.AUTOMATE.ASSERT
  //SYSIN DD *
  alloc type=assert save dd=asserts
  assert rule(zwmq0012) ... version(1) class(..) resource(..) as(compliant)
Add the required parameters and repeat for as many ASSERT commands as you need. Select the AUTOMATE.ASSERT data set as input in SE.1 using type=assert. If the job complains about having no list/sortlist/display command, add a dummy newlist like:
  newlist type=system
  list system
Many thanks Rob, that should do the trick. Question: zSecure is a privileged ID, but I guess it cannot issue the MQ command "DISPLAY QMGR SSLKEYR" in this case to check that SSLKEYR has been coded correctly. Maybe one day it might be enabled to do so and the assert process would not be required anymore? Or maybe I am missing something?
The zSecure User Reference Manual shows how zSecure Collect must be authorized to retrieve MQ (and other) configuration information. This will be stored in CKFCOLL data sets (configuration snapshots) for (later) analysis.
As indicated/illustrated by Rob van Hoboken in the previous response, the assert commands can be automatically generated and run for your customer's MQ channels.
However, please be aware that this batch assertion job must only be used when the actual investigation/research (into the Issuer's name of the MQ channel certificates in use) is performed that successfully verified that the Issuer's name of the digital certificates that the MQ channels use is indeed approved by your organization. Otherwise, this batch process completely defeats the purpose of these assertions in the first place.
Just my 2 cents.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
------------------------------
Thanks Tom, and yes, acknowledged that the output from a non-zSecure command must be validated first.
The next problem is assigning responsibility for:
a. Who issues the command to generate the output
b. Who takes the responsibility for the actual assert from "a"
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
------------------------------
Original Message:
Sent: Mon November 20, 2023 12:44 PM
From: peter leaper
Subject: zSecure Audit STIG assertion - is there a method to automate this process
zSecure is already aware of the value of SSLKEYR that you refer to: when a key ring is configured, this information is stored in the CKFREEZE data set that is allocated to your session/batch job. The rule that is named "ZWMQ0012_digtcert" contains a GOAL/TEST named "1.SSLKEYR_value_exists" that reports compliant when zSecure finds any value stored in field SSLKEYR of newlist type MQ_REGION. In that case, the GOAL/TEST named "1.Assert_no_MQSeries_com ASSERT" will not be needed and is automatically suppressed from the output for this control.
However, that still does not allow us to fully automate the check for the Issuer's name of the certificate that a MQ channel uses. Thus, the GOAL/TEST "2.Assert_issuer_name ASSERT" will still need to be asserted for each defined MQ channel.
Also, you probably want to include the BY(....) ENDDATE(...) and COMMENT('description or reference to where the evidence for the research into the approved Issuer's name is stored') parameters in the automated assert commands that you want to generate.
Note on my previous response: I did not mean that the output of the 'non zSecure command' needs to be validated. What I meant to explain is that, prior to generating these compliant assert commands for the digital certificates that MQ channels use with a batch job, someone from the organization first needs to factually check that the Issuer's name on the certificates that MQ channels use is indeed approved by the organization.
I hope you find this additional explanation helpful.
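As an added example (not zSecure's code, nor Rob's or Tom's), here is a small generator that turns a reviewer's evidence list into the ASSERT statements of Rob's batch job, with the BY, ENDDATE and COMMENT parameters Tom recommends. It only emits a statement for a channel that a person has signed off and whose issuer is in the approved list, so the batch step cannot assert something nobody checked, which is the caveat in both of Tom's replies. The CSV layout, the rule/class/resource and issuer values, the reviewer ID and the ENDDATE format are hypothetical; the exact ASSERT keyword spelling and the SYSIN record and continuation conventions should be confirmed against the ASSERT command documentation for your release.

```python
"""Generate CARLa ASSERT statements from a reviewed evidence list.

Added example, not zSecure's own code. Assumed:
  - the ASSERT keywords named in this thread (RULE, VERSION, CLASS, RESOURCE,
    AS, BY, ENDDATE, COMMENT); their exact spelling, the ENDDATE format and
    the SYSIN record/continuation conventions are assumptions to confirm
    against the zSecure ASSERT command documentation for your release;
  - a constructed CSV in which a reviewer has recorded, per MQ channel,
    the certificate issuer they checked and their sign-off.
"""
import csv
import io

# Constructed: issuer names the organization has approved (hypothetical values).
APPROVED_ISSUERS = {"CN=Example Corp CA,O=Example Corp"}

# Constructed sample evidence file; class and resource values are placeholders.
EVIDENCE_CSV = """\
rule,version,class,resource,issuer,verified,reviewer,enddate,evidence_ref
ZWMQ0012,1,MQCHAN,QM01.TO.QM02,"CN=Example Corp CA,O=Example Corp",yes,AUDITOR1,2024-11-20,CHG-1001
ZWMQ0012,1,MQCHAN,QM01.TO.QM03,"CN=Example Corp CA,O=Example Corp",yes,AUDITOR1,2024-11-20,CHG-1001
ZWMQ0012,1,MQCHAN,QM02.TO.QM05,"CN=Old Test CA,O=Example Corp",yes,AUDITOR1,2024-11-20,CHG-1002
ZWMQ0012,1,MQCHAN,QM02.TO.QM09,"CN=Unknown Issuer",no,,,
"""


def carla_string(text: str) -> str:
    """Quote a value for COMMENT(), doubling embedded apostrophes."""
    return "'" + text.replace("'", "''") + "'"


def eligible(row: dict) -> bool:
    """Both conditions from the thread: a person signed off, and the issuer is approved."""
    return (row["verified"].strip().lower() == "yes"
            and row["issuer"].strip() in APPROVED_ISSUERS)


def build_assert(row: dict) -> str:
    """One ASSERT statement; COMMENT records where the evidence is filed."""
    comment = f"Issuer {row['issuer']} approved; evidence {row['evidence_ref']}"
    return (
        f"assert rule({row['rule']}) version({row['version']}) "
        f"class({row['class']}) resource({row['resource']}) as(compliant) "
        f"by({row['reviewer']}) enddate({row['enddate']}) "
        f"comment({carla_string(comment)})"
    )


def generate_asserts(csv_text: str):
    """Return (assert statements, resources skipped for lacking sign-off or approval)."""
    statements, skipped = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if eligible(row):
            statements.append(build_assert(row))
        else:
            skipped.append(row["resource"])
    return statements, skipped


def build_sysin(csv_text: str) -> str:
    """Wrap the statements in the SYSIN shown in the thread, dummy newlist included."""
    statements, _ = generate_asserts(csv_text)
    return "\n".join(
        ["alloc type=assert save dd=asserts", *statements,
         "newlist type=system", "list system"]
    ) + "\n"


if __name__ == "__main__":
    print(build_sysin(EVIDENCE_CSV))
    _, not_asserted = generate_asserts(EVIDENCE_CSV)
    print("skipped (not asserted):", ", ".join(not_asserted))
```

The skipped list is as useful as the generated statements: it is the set of channels still needing human review, and it answers the "who takes responsibility" question because the BY value on each emitted statement is the reviewer who signed the evidence row.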
Thank you Tom, for the clarification(s),