Hi,

I require some assitance with ooverriding the RACF_ZOS_STIG V8.10 rule RACF-US-000150 (BPXPRMxx sec params) and replace a couple of tests with "local" variants. Previously the same overrides and tests were done for RACF_ZOS_STIG V6.43 rule ZUSS0012 (BPXPRMxx sec params).

Using option AU.R.E, selecting z/OS RACF STIG v6 and z/OS RACF STIG v8, the STDGOALS output for each of the above rules produced the expected result. However the STDRULES output for the RACF-US-000150 rule was not as expected. There were two entries for RACF-US-000150, one for the "local" tests and the other for the existing rule. I expected that there would be one entry.

The imbed for the member is 

The se@@u150 member is

TIA

Brian

------------------------------
Brian Mills
------------------------------

Hi Tom, the syntax documentation of STANDARD tells us that the name defined on a RULE_SET must be unique within its context, but can be duplicated within different STANDARDs or VERSIONs. 

In the new syntax (2022), all names defined for DEF_REF, DEF_STD, DOMAIN, RULE, CONTROL or RULE_TEST, and GOAL or TEST must be unique within their context.

• A CONTROL/RULE_SET name can be part of multiple STANDARD and VERSION statements.

The Summary line in Brian's screen shot shows that the STANDARD and VERSION are identical, so it should be impossible for the RULE_SET to be shown twice.

It looks like the new syntax parser does not detect the first specification of the RULE_SET, and does not merge the 2nd specification into the 1st (which would be my preferred behavior), or flag the new specification down as syntax error (which would prevent local customization of goals/tests).

------------------------------
Rob van Hoboken
------------------------------

Tom and Ron

Thanks for your replies. Would it be best to open a case with support?

For completeness I will include the equivalent V6 details for Control ZUSS0012. The V6 result is what I was expecting for the V8 control RACF-US-000150.

STDRULES

STDGOALS - The results for each version is what I expected to see.

SE@@ZU12

sese@@u150

Regards

Hi Tom, the syntax documentation of STANDARD tells us that the name defined on a RULE_SET must be unique within its context, but can be duplicated within different STANDARDs or VERSIONs. 

In the new syntax (2022), all names defined for DEF_REF, DEF_STD, DOMAIN, RULE, CONTROL or RULE_TEST, and GOAL or TEST must be unique within their context.

• A CONTROL/RULE_SET name can be part of multiple STANDARD and VERSION statements.

The Summary line in Brian's screen shot shows that the STANDARD and VERSION are identical, so it should be impossible for the RULE_SET to be shown twice.

It looks like the new syntax parser does not detect the first specification of the RULE_SET, and does not merge the 2nd specification into the 1st (which would be my preferred behavior), or flag the new specification down as syntax error (which would prevent local customization of goals/tests).

------------------------------
Rob van Hoboken
------------------------------

Hi Brian,

Rob demonstrated that there is a bug in the current processing, and development has opened a Bug ZSEC-14450 for it. Without further action, that will probably get fixed sometime, but the thread above shows that there can be discussion as to what the most appropriate fix would be. Rob thinks merging the controls would be preferable. To have the program behave as documented, a syntax error would be appropriate. I think that you want the original functionality back of suppressing the supplied rule and replacing it with a local one. Overall, my current thinking is that merging is the thing that absolutely should not happen to avoid confusion as to what is being tested and that a syntax error is appropriate when the specification is ambiguous like that as a first-order improvement, and that we should see how to restore the option of replacing a rule on the next level (assuming for now that that was intended behavior, I did not verify that yet; if not, that would be a discussion point).

[I am positive we had an intended facility for suppressing rules from a standard, and also an option for you to add new rules; what I don't immediately recall is if we would allow the same name, and when I think about it I am not convinced it is particularly desirable.]

By default a fix would make it into our main release level at some point. If you would want to be sure of a fix on your current release level, it would be appropriate to request an APAR for that purpose via a Case. That also tells us that this really bugs you and that we should give this Bug priority. (Furthermore, the APAR would tell other clients that looked for known problems that this one exists.) It would also give us a clear formal communication path. :-)

Regards,

Tom and Ron

Thanks for your replies. Would it be best to open a case with support?

For completeness I will include the equivalent V6 details for Control ZUSS0012. The V6 result is what I was expecting for the V8 control RACF-US-000150.

STDRULES

STDGOALS - The results for each version is what I expected to see.

SE@@ZU12

sese@@u150

Regards

Hi Tom, the syntax documentation of STANDARD tells us that the name defined on a RULE_SET must be unique within its context, but can be duplicated within different STANDARDs or VERSIONs. 

In the new syntax (2022), all names defined for DEF_REF, DEF_STD, DOMAIN, RULE, CONTROL or RULE_TEST, and GOAL or TEST must be unique within their context.

• A CONTROL/RULE_SET name can be part of multiple STANDARD and VERSION statements.

The Summary line in Brian's screen shot shows that the STANDARD and VERSION are identical, so it should be impossible for the RULE_SET to be shown twice.

It looks like the new syntax parser does not detect the first specification of the RULE_SET, and does not merge the 2nd specification into the 1st (which would be my preferred behavior), or flag the new specification down as syntax error (which would prevent local customization of goals/tests).

------------------------------
Rob van Hoboken
------------------------------

Hi Brian,

Rob demonstrated that there is a bug in the current processing, and development has opened a Bug ZSEC-14450 for it. Without further action, that will probably get fixed sometime, but the thread above shows that there can be discussion as to what the most appropriate fix would be. Rob thinks merging the controls would be preferable. To have the program behave as documented, a syntax error would be appropriate. I think that you want the original functionality back of suppressing the supplied rule and replacing it with a local one. Overall, my current thinking is that merging is the thing that absolutely should not happen to avoid confusion as to what is being tested and that a syntax error is appropriate when the specification is ambiguous like that as a first-order improvement, and that we should see how to restore the option of replacing a rule on the next level (assuming for now that that was intended behavior, I did not verify that yet; if not, that would be a discussion point).

[I am positive we had an intended facility for suppressing rules from a standard, and also an option for you to add new rules; what I don't immediately recall is if we would allow the same name, and when I think about it I am not convinced it is particularly desirable.]

By default a fix would make it into our main release level at some point. If you would want to be sure of a fix on your current release level, it would be appropriate to request an APAR for that purpose via a Case. That also tells us that this really bugs you and that we should give this Bug priority. (Furthermore, the APAR would tell other clients that looked for known problems that this one exists.) It would also give us a clear formal communication path. :-)

Regards,

Tom and Ron

Thanks for your replies. Would it be best to open a case with support?

For completeness I will include the equivalent V6 details for Control ZUSS0012. The V6 result is what I was expecting for the V8 control RACF-US-000150.

STDRULES

STDGOALS - The results for each version is what I expected to see.

SE@@ZU12

sese@@u150

Regards

Hi Tom, the syntax documentation of STANDARD tells us that the name defined on a RULE_SET must be unique within its context, but can be duplicated within different STANDARDs or VERSIONs. 

In the new syntax (2022), all names defined for DEF_REF, DEF_STD, DOMAIN, RULE, CONTROL or RULE_TEST, and GOAL or TEST must be unique within their context.

• A CONTROL/RULE_SET name can be part of multiple STANDARD and VERSION statements.

The Summary line in Brian's screen shot shows that the STANDARD and VERSION are identical, so it should be impossible for the RULE_SET to be shown twice.

It looks like the new syntax parser does not detect the first specification of the RULE_SET, and does not merge the 2nd specification into the 1st (which would be my preferred behavior), or flag the new specification down as syntax error (which would prevent local customization of goals/tests).

------------------------------
Rob van Hoboken
------------------------------

Hi Brian,

Rob demonstrated that there is a bug in the current processing, and development has opened a Bug ZSEC-14450 for it. Without further action, that will probably get fixed sometime, but the thread above shows that there can be discussion as to what the most appropriate fix would be. Rob thinks merging the controls would be preferable. To have the program behave as documented, a syntax error would be appropriate. I think that you want the original functionality back of suppressing the supplied rule and replacing it with a local one. Overall, my current thinking is that merging is the thing that absolutely should not happen to avoid confusion as to what is being tested and that a syntax error is appropriate when the specification is ambiguous like that as a first-order improvement, and that we should see how to restore the option of replacing a rule on the next level (assuming for now that that was intended behavior, I did not verify that yet; if not, that would be a discussion point).

[I am positive we had an intended facility for suppressing rules from a standard, and also an option for you to add new rules; what I don't immediately recall is if we would allow the same name, and when I think about it I am not convinced it is particularly desirable.]

By default a fix would make it into our main release level at some point. If you would want to be sure of a fix on your current release level, it would be appropriate to request an APAR for that purpose via a Case. That also tells us that this really bugs you and that we should give this Bug priority. (Furthermore, the APAR would tell other clients that looked for known problems that this one exists.) It would also give us a clear formal communication path. :-)

Regards,

Tom and Ron

Thanks for your replies. Would it be best to open a case with support?

For completeness I will include the equivalent V6 details for Control ZUSS0012. The V6 result is what I was expecting for the V8 control RACF-US-000150.

STDRULES

STDGOALS - The results for each version is what I expected to see.

SE@@ZU12

sese@@u150

Regards

Hi Tom, the syntax documentation of STANDARD tells us that the name defined on a RULE_SET must be unique within its context, but can be duplicated within different STANDARDs or VERSIONs. 

In the new syntax (2022), all names defined for DEF_REF, DEF_STD, DOMAIN, RULE, CONTROL or RULE_TEST, and GOAL or TEST must be unique within their context.

• A CONTROL/RULE_SET name can be part of multiple STANDARD and VERSION statements.

The Summary line in Brian's screen shot shows that the STANDARD and VERSION are identical, so it should be impossible for the RULE_SET to be shown twice.

It looks like the new syntax parser does not detect the first specification of the RULE_SET, and does not merge the 2nd specification into the 1st (which would be my preferred behavior), or flag the new specification down as syntax error (which would prevent local customization of goals/tests).

------------------------------
Rob van Hoboken
------------------------------