IBM Security Z Security

Expand all | Collapse all

Coding Compliance ASSERT rules

Jump to Best Answer
  • 1.  Coding Compliance ASSERT rules

    Posted 7 days ago
    Just trying to utilise the new assertion function in zSecure Compliance and I cannot work out how to use it.  Maybe I've missed a great 'how to' guide somewhere!

    One of our technical rules is "The RACF subsystem address space must generate a real-time alert when deactivated".  zSecure does not have the information to test compliance so somebody must assert this is true (or not).  How do I add tests like this so they show up as an assertion (e.g. in zSecure 2.3.1 AU.R.C option)? 

    Any sample code, or pointers to helpful documentation, would be appreciated.

    ------------------------------
    Andrew Cameron-Heffer
    ------------------------------


  • 2.  RE: Coding Compliance ASSERT rules
    Best Answer

    Posted 7 days ago
    Hi Andrew
    Look at one of the STIG compliance tests that zSecure cannot determine, for example, ZCTMR040 about Control-M options.  The CARLa is in member CKAGCM40:

    RULE ZCTMR040_sec_params DOMAIN(Systems) SET(ZCTMR040),
    DESC("The DEFMCHKM, SECTOLM, RACJCARD, MSUBCHK security parameters and
    the definition mode (DFMM01, DFMM02, DFMM08) for the corresponding secu
    rity module (CTMSE01, CTMSE02, CTMSE08) for Control-M must be properly s
    pecified.")
    TEST 1.Assert_sec_params ASSERT,
    DESC("Assert that the DEFMCHKM parameter is set to $$CTMEDM, the SECT
    OLM and the MSUBCHK parameters are set to NO, the RACJCARD RACF job card
    parameter is set to U, and that the definition mode (DFMM01, DFMM02, DF
    MM08) for the corresponding security module (CTMSE01, CTMSE02, CTMSE08)
    is set to EXTEND.")
    ENDRULE

    So your code would need (within a RULE context)

    TEST Alert_Issued ASSERT DESC('Verify that a real-time alert is configured and activated')

    ------------------------------
    Rob van Hoboken
    ------------------------------



  • 3.  RE: Coding Compliance ASSERT rules

    Posted 7 days ago
    Thank you Rob.  I knew it had to be simple but I couldn't see an example in the manuals.  Adding a new test using the ASSERT keyword worked as designed.

    I did have issues getting the assert datasets allocated properly.  But it all worked once I realised I needed all three keywords in the "DSNPREF=your.prefix SAVE POSTPONE" statement.

    ------------------------------
    Andrew Cameron-Heffer
    ------------------------------