Original Message:
Sent: Tue November 21, 2023 07:59 AM
From: Tom Zeehandelaar
Subject: zSecure Audit STIG assertion - is there a method to automate this process
Peter,
zSecure is already aware of the value of SSLKEYR that you refer to: when a key ring is configured, this information is stored in the CKFREEZE data set that is allocated to your session/batch job. The rule that is named "ZWMQ0012_digtcert" contains a GOAL/TEST named "1.SSLKEYR_value_exists" that reports compliant when zSecure finds any value stored in field SSLKEYR of newlist type MQ_REGION. In that case, the GOAL/TEST named "1.Assert_no_MQSeries_com ASSERT" will not be needed and is automatically suppressed from the output for this control.
However, that still does not allow us to fully automate the check for the Issuer's name of the certificate that an MQ channel uses. Thus, the GOAL/TEST "2.Assert_issuer_name ASSERT" will still need to be asserted for each defined MQ channel.
Also, you probably want to include the BY(....) ENDDATE(...) and COMMENT('description or reference to where the evidence for the research into the approved Issuer's name is stored') parameters in the automated assert commands that you want to generate.
- You use the BY parameter to store the name of the person that performed the research for the assertion.
- The ENDDATE parameter must indicate when the assertion expires and needs to be re-asserted. Most companies might have a policy that states that assertions need to be re-asserted every 1, 2, up to 5 years!
- The COMMENT parameter can be used to explain that the MQ channel uses a certificate with an approved Issuer's name or point to a location where more detailed information regarding the investigation into Issuer names is stored/accessible for the auditors.
- The user ID that runs the assertion is automatically stored in field ASSERT_RECORDER of an assertion. Any user with sufficient authorization to your prefix.AUTOMATE.ASSERT data sets can issue the command.
Note on my previous response: I did not mean that the output of the 'non zSecure command' needs to be validated. What I meant to explain is that, prior to generating these compliant assert commands for the digital certificates that MQ channels use with a batch job, someone from the organization first needs to factually check that the Issuer's name on the certificates that MQ channels use is indeed approved by the organization.
I hope you find this additional explanation helpful.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
Original Message:
Sent: Tue November 21, 2023 06:25 AM
From: peter leaper
Subject: zSecure Audit STIG assertion - is there a method to automate this process
Thanks Tom, and yes, acknowledged that the output from a non zSecure command must be validated first.
The next problem is assigning responsibility for: a. who issues the command to generate the output; b. who takes the responsibility for the actual assert from "a".
TY!
------------------------------
peter leaper
Original Message:
Sent: Tue November 21, 2023 04:44 AM
From: Tom Zeehandelaar
Subject: zSecure Audit STIG assertion - is there a method to automate this process
As indicated/illustrated by Rob van Hoboken in the previous response, the assert commands can be automatically generated and run for your customer's MQ channels.
However, please be aware that this batch assertion job must only be used when the actual investigation/research (into the Issuer's name of the MQ channel certificates in use) has been performed and has successfully verified that the Issuer's name of the digital certificates that the MQ channels use is indeed approved by your organization. Otherwise, this batch process completely defeats the purpose of these assertions in the first place.
Just my 2 cents.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
Original Message:
Sent: Mon November 20, 2023 12:44 PM
From: peter leaper
Subject: zSecure Audit STIG assertion - is there a method to automate this process
Hi,
My client is working with zSecure 5655-N17 IBM Security zSecure Audit for RACF 2.5.0.
We have a number of STIG checks to a. verify as compliant with non zSecure commands and b. if compliant, manually flag via A(ssert).
As the number of entries is in the hundreds, rather than using the ISPF interface to Assert these entries, is there a method that can be automated (i.e. run in batch)? Two of the relevant STIGs are ZWMQ0012 & ZWMQ0014 (Digital certs and CNF check).
I have read the very useful document Making zSecure and STIG work with your installation security policy (ibm.com) but was wondering if there was a method to run in batch, passing the ASSERT value and updating the zSecure Assert data set?
Many thanks
------------------------------
peter leaper
------------------------------