IBM Security Z Security

  • 1.  zSecure Audit STIG assertion - is there a method to automate this process

    Posted Mon November 20, 2023 12:44 PM

    Hi 

    My client is working with zSecure 5655-N17 IBM Security zSecure Audit for RACF 2.5.0.

    We have a number of STIG checks to a. verify as compliant with non-zSecure commands, b. if compliant, manually flag via A(ssert).

    As the number of entries is in the hundreds, rather than using the ISPF interface to Assert these entries, is there a method that can be automated (i.e. run in batch)? Two of the relevant STIGs are ZWMQ0012 & ZWMQ0014 (digital certs and CNF check).

    I have read the very useful document Making zSecure and STIG work with your installation security policy (ibm.com), but was wondering if there was a method to run in batch, passing the ASSERT value and updating the zSecure Assert data set?

    Many thanks 



    ------------------------------
    peter leaper
    ------------------------------


  • 2.  RE: zSecure Audit STIG assertion - is there a method to automate this process

    IBM Champion
    Posted Tue November 21, 2023 04:30 AM

    The ASSERT command is documented here.  You can use it in a CARLa program to fill an ASSERT data set referenced with an ALLOC command:

    // EXEC C2RC
    //ASSERTS DD DISP=SHR,DSN=prefix.AUTOMATE.ASSERT
    //SYSIN DD *
    alloc type=assert save dd=asserts
    assert rule(zwmq0012) ... version(1) class(..) resource(..) as(compliant)

    add the required parameters and repeat for as many assert commands as you need.  Select the AUTOMATE.ASSERT data set as input in SE.1 using type=assert.  If the job complains about having no list/sortlist/display command, add a dummy newlist like

    newlist type=system
    list system



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 3.  RE: zSecure Audit STIG assertion - is there a method to automate this process

    Posted Tue November 21, 2023 06:20 AM

    Many thanks Rob, that should do the trick. Question: zSecure is a privileged ID, but I guess it cannot issue the MQ command "DISPLAY QMGR SSLKEYR" in this case to check SSLKEYR has been coded correctly. Maybe one day it might be enabled to do so and the assert process not be required anymore?

    Or maybe I am missing something?



    ------------------------------
    peter leaper
    ------------------------------



  • 4.  RE: zSecure Audit STIG assertion - is there a method to automate this process

    IBM Champion
    Posted Tue November 21, 2023 08:20 AM

    The zSecure User Reference Manual shows how zSecure Collect must be authorized to retrieve MQ (and other) configuration information.  This will be stored in CKFCOLL data sets (configuration snapshots) for (later) analysis.



    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 5.  RE: zSecure Audit STIG assertion - is there a method to automate this process
    Best Answer

    Posted Tue November 21, 2023 04:45 AM
    Edited by Wendy Batten Fri December 01, 2023 06:55 AM

    As indicated/illustrated by Rob van Hoboken in the previous response, the assert commands can be automatically generated and run for your customer's MQ channels. 

    However, please be aware that this batch assertion job must only be used once the actual investigation/research (into the Issuer's name of the MQ channel certificates in use) has been performed and has successfully verified that the Issuer's name of the digital certificates that the MQ channels use is indeed approved by your organization. Otherwise, this batch process completely defeats the purpose of these assertions in the first place.

    Just my 2 cents. 



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 6.  RE: zSecure Audit STIG assertion - is there a method to automate this process

    Posted Tue November 21, 2023 06:25 AM

    Thanks Tom, and yes, acknowledged that the output from a non-zSecure command must be validated first.

    The next problem is assigning responsibility for a. who issues the command to generate the output, b. who takes the responsibility for the actual assert from "a".

    TY!



    ------------------------------
    peter leaper
    ------------------------------



  • 7.  RE: zSecure Audit STIG assertion - is there a method to automate this process

    Posted Tue November 21, 2023 08:00 AM

    Peter,

    zSecure is already aware of the value of SSLKEYR that you refer to: when a key ring is configured, this information is stored in the CKFREEZE data set that is allocated to your session/batch job. The rule that is named "ZWMQ0012_digtcert" contains a GOAL/TEST named "1.SSLKEYR_value_exists" that reports compliant when zSecure finds any value stored in field SSLKEYR of newlist type MQ_REGION. In that case, the GOAL/TEST named "1.Assert_no_MQSeries_com ASSERT" will not be needed and is automatically suppressed from the output for this control.

    However, that still does not allow us to fully automate the check for the Issuer's name of the certificate that an MQ channel uses. Thus, the GOAL/TEST "2.Assert_issuer_name ASSERT" will still need to be asserted for each defined MQ channel.

    Also, you probably want to include the BY(....), ENDDATE(...) and COMMENT('description or reference to where the evidence for the research into the approved Issuer's name is stored') parameters in the automated assert commands that you want to generate.

    • You use the BY parameter to store the name of the person that performed the research for the assertion. 
    • The ENDDATE parameter must indicate when the assertion expires and needs to be re-asserted. Most companies might have a policy that states that assertions need to be re-asserted every 1, 2 or even 5 years!
    • The COMMENT parameter can be used to explain that the MQ channel uses a certificate with an approved Issuer's name or point to a location where more detailed information regarding the investigation into Issuer names is stored/accessible for the auditors. 
    • The user ID that runs the assertion is automatically stored in field ASSERT_RECORDER of an assertion. Any user with sufficient authorization to your prefix.AUTOMATE.ASSERT data sets can issue the command. 

    Note on my previous response: I did not mean that the output of the 'non zSecure command' needs to be validated. What I meant to explain is that, prior to generating these compliant assert commands for the digital certificates that MQ channels use with a batch job, someone from the organization first needs to factually check that the Issuer's name on the certificates that MQ channels use is indeed approved by the organization.

    I hope you find this additional explanation helpful.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------
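    As an added example (not part of the thread, and not zSecure's own code): a small Python generator that turns a reviewed evidence list into the SYSIN Rob showed, one ASSERT statement per MQ channel, with the BY, ENDDATE and COMMENT parameters Tom recommends. It refuses to emit an assertion for any channel that lacks a named verifier, an evidence reference, or an ENDDATE that is still in the future and within a configurable policy horizon, so the batch job cannot silently assert channels nobody has actually checked. The ASSERT keywords are the ones named in the thread; the CSV column layout, the MQCHAN class name, the qmgr.channel resource form, the YYYY-MM-DD ENDDATE format and the doubling of embedded single quotes in COMMENT are assumptions of this example and must be checked against the CARLa ASSERT command documentation and the ZWMQ0012 rule before use.

```python
"""Generate zSecure CARLa ASSERT statements from a reviewed evidence list.

Added example, not zSecure's own code. The keywords RULE/VERSION/CLASS/
RESOURCE/AS/BY/ENDDATE/COMMENT come from the thread; the CSV layout, the
class name, the resource form and the ENDDATE format are assumptions.
"""
import csv
import io
from datetime import date

# Constructed sample evidence table: one row per MQ channel whose certificate
# issuer was checked by a named person. Rows 3 and 4 are deliberately deficient
# (no verifier / evidence, and an ENDDATE already in the past).
SAMPLE_EVIDENCE_CSV = """\
qmgr,channel,verified_by,verified_on,expires,evidence
QM01,TO.QM02,JDOE,2023-11-20,2024-11-20,"Issuer CN=Corp Issuing CA verified; ticket CHG0012345"
QM01,TO.QM03,JDOE,2023-11-20,2024-11-20,"Issuer CN=Corp Issuing CA verified; ticket CHG0012345"
QM01,TO.LEGACY,,,,
QM02,TO.QM01,ASMITH,2023-11-21,2023-06-30,"Issuer verified; ticket CHG0012346"
"""


def reject_reason(row, today, max_years):
    """Return why a row must NOT be asserted, or None if it may be."""
    if not row["verified_by"].strip():
        return "no verifier recorded"
    if not row["evidence"].strip():
        return "no evidence reference"
    try:
        verified_on = date.fromisoformat(row["verified_on"])
        expires = date.fromisoformat(row["expires"])
    except ValueError:
        return "bad or missing date"
    if expires <= today:
        return "assertion already expired"
    # Policy horizon: ENDDATE may not lie more than max_years after the check.
    try:
        horizon = verified_on.replace(year=verified_on.year + max_years)
    except ValueError:  # 29 Feb checked, non-leap target year
        horizon = verified_on.replace(year=verified_on.year + max_years, day=28)
    if expires > horizon:
        return f"ENDDATE exceeds {max_years}-year policy"
    return None


def carla_assert(row, rule="ZWMQ0012", version=1, resource_class="MQCHAN"):
    """Build one ASSERT statement (class/resource form and quote doubling assumed)."""
    resource = f"{row['qmgr']}.{row['channel']}"
    comment = row["evidence"].strip().replace("'", "''")
    return (f"assert rule({rule}) version({version}) class({resource_class}) "
            f"resource({resource}) as(compliant) by({row['verified_by'].strip()}) "
            f"enddate({row['expires']}) comment('{comment}')")


def generate(evidence_csv, today, max_years=1, **assert_kwargs):
    """Return (assert_lines, rejects); rejects is a list of (resource, reason)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    lines, rejects = [], []
    for row in csv.DictReader(io.StringIO(evidence_csv)):
        resource = f"{row['qmgr']}.{row['channel']}"
        reason = reject_reason(row, today, max_years)
        if reason:
            rejects.append((resource, reason))
        else:
            lines.append(carla_assert(row, **assert_kwargs))
    return lines, rejects


def build_sysin(assert_lines):
    """Wrap the statements as in the thread: ALLOC first, dummy NEWLIST last."""
    return "\n".join(["alloc type=assert save dd=asserts", *assert_lines,
                      "newlist type=system", "list system"]) + "\n"


if __name__ == "__main__":
    stmts, bad = generate(SAMPLE_EVIDENCE_CSV, today=date(2023, 11, 22))
    print(build_sysin(stmts))
    for res, why in bad:
        print(f"* not asserted: {res}: {why}")
```

    The printed text is what goes into the SYSIN of the C2RC step from Rob's reply, with the ASSERTS DD pointing at the assert data set; the rejected rows are reported separately so the person responsible for the assertion (Peter's point b.) can see exactly which channels still need evidence rather than having them disappear quietly.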



  • 8.  RE: zSecure Audit STIG assertion - is there a method to automate this process

    Posted Wed November 22, 2023 05:17 AM

    Thank you Tom, for the clarification(s).



    ------------------------------
    peter leaper
    ------------------------------