IBM Security Z Security

  • 1.  Using AU Report ACP00060 CKAGC060

    Posted Fri November 17, 2023 05:30 PM

    Hello xChange!

    The AU compliance test for ACP00110 is exactly what I need for a report request from mgmt.  I would also like to include in the generated report the AUDIT flags.  Here's a sample of the report currently:

    C O M P L I A N C E   T E S T   R E S U L T S   complex TPX      standard ZOS_EVALUATE                         
    Rule set ACP00110      LINKLIST libs protected
    Access to LINKLIST libraries must be restricted.
    20 Non-Compliant object UTWX  SYS600 Dataset AOS3.** AOS3.LINKLIB
       Non-Compliant test 1f.UACC_READ Universal access (UACC) READ must be audited.
       Didn't find compliant value: sensdsn.RACF_UACC=NONE
       Actual value: READ

    Is there a way to include what the AUDIT flags are for the indicated dataset in this report?  

    Thanks for your help!



    ------------------------------
    Lynn Gilson
    Lynn
    ------------------------------


  • 2.  RE: Using AU Report ACP00060 CKAGC060

    Posted Fri November 17, 2023 05:32 PM

    ...  for ACP00110 CKAGC110   :-)



    ------------------------------
    Lynn Gilson
    Lynn
    ------------------------------



  • 3.  RE: Using AU Report ACP00060 CKAGC060

    Posted Mon November 20, 2023 04:59 AM
    Edited by Tom Zeehandelaar Mon November 20, 2023 05:00 AM

    Hi Lynn,

    judging by the sample output that you have included, it seems that you are using the "Print format" option from the output and run options of the zSecure UI. 

    The way I see it, the settings of the audit flags are already included in the compliance results, so I do not really understand the reason for your question.

    One of the domains in control CKAGC100 selects all names of the libraries that must be tested for general access and log settings. Then, in the RULE that is named ACP00110_log, the control tests the log settings of the best matching DATASET profiles for these libraries with GOAL/TEST checks that are coded in an imbed member that is named CKAISDLU. 

    This member contains the following 3 goal tests:

    • TEST 2a.no_logflags_exist - When no protecting profile is defined for a library that is found in the LINKLIST, this test will be included in your compliance output explaining that your RACF database lacks a DATASET profile that protects this LINKLIST library.
    • TEST 2b.audit_fail - When a best matching DATASET profile does exist for this LINKLIST library, this GOAL/TEST verifies that access failures are logged from READ level up. Our compliance output reports that the FAILED audit setting is tested for the value READ, and the "Actual value" shows the failed log setting that is found in your RACF database for this profile.
    • TEST 2c.audit_success - When a DATASET profile does exist for this LINKLIST library, this GOAL/TEST verifies that access successes are logged from UPDATE level up. Our compliance output reports that the SUCCESS audit setting is tested for the values READ or UPDATE to be compliant, and the "Actual value" shows the setting that is found in your RACF database for this profile. When it reports blank, this indicates that no SUCCESS logging is currently requested for successful access to data sets that are protected by this profile.

    Here's a sample of output that I am getting on one of my test systems:

    Compliant test 2b.audit_fail All failed READ and higher access attempts must be logged. 
    Found compliant value: sensdsn.RACF_AUDITF=READ                                         
    Actual value: READ                                                                      

    Non-Compliant test 2c.audit_success All successful UPDATE and higher access attempts must be logged.
    Didn't find compliant value: sensdsn.RACF_AUDITS=(READ,UPDATE)                                      
    Actual value:                                                                                       

    So the way that I see it, the AUDIT flags are already included in your output. Am I missing something?

    I hope this helps.



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------
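
Added example (not part of the thread and not zSecure code): the print-format results walked through in post 3 can be post-processed into one row per object showing the UACC and audit settings. The sample text is constructed from the report lines quoted in this thread, the assumption is that a saved .txt report keeps this line layout, and parse_report and audit_view are hypothetical helper names.

```python
import re

# Constructed sample, assembled from the report lines quoted in this thread.
SAMPLE = """\
Rule set ACP00110      LINKLIST libs protected
20 Non-Compliant object UTWX  SYS600 Dataset AOS3.** AOS3.LINKLIB
   Non-Compliant test 1f.UACC_READ Universal access (UACC) READ must be audited.
   Didn't find compliant value: sensdsn.RACF_UACC=NONE
   Actual value: READ
   Compliant test 2b.audit_fail All failed READ and higher access attempts must be logged.
   Found compliant value: sensdsn.RACF_AUDITF=READ
   Actual value: READ
   Non-Compliant test 2c.audit_success All successful UPDATE and higher access attempts must be logged.
   Didn't find compliant value: sensdsn.RACF_AUDITS=(READ,UPDATE)
   Actual value:
"""

OBJECT = re.compile(r"^\s*\d+\s+(?:Non-)?Compliant object\s+(.*\S)")
TEST = re.compile(r"^\s*((?:Non-)?Compliant) test\s+(\S+)")
WANTED = re.compile(r"compliant value:\s*\S+?\.(\w+)=(.*\S)")
ACTUAL = re.compile(r"^\s*Actual value:\s*(.*)$")

def parse_report(text):
    """Return {object text: {field name: test, status, wanted, actual}}."""
    objects, current, pending = {}, None, None
    for line in text.splitlines():
        if m := OBJECT.match(line):
            current, pending = objects.setdefault(m.group(1), {}), None
        elif m := TEST.match(line):
            pending = {"test": m.group(2), "status": m.group(1)}
        elif (m := WANTED.search(line)) and pending is not None:
            pending["field"], pending["wanted"] = m.group(1), m.group(2)
        elif (m := ACTUAL.match(line)) and current is not None \
                and pending is not None and "field" in pending:
            # Blank means nothing is set, e.g. no SUCCESS logging requested.
            pending["actual"] = m.group(1).strip() or "(none)"
            field = pending.pop("field")
            current[field] = pending
            pending = None
    return objects

def audit_view(text):
    """One row per object: (object, UACC, failures logged, successes logged)."""
    cols = ("RACF_UACC", "RACF_AUDITF", "RACF_AUDITS")
    return [(obj, *(fields.get(c, {}).get("actual", "n/a") for c in cols))
            for obj, fields in parse_report(text).items()]

if __name__ == "__main__":
    for row in audit_view(SAMPLE):
        print(" | ".join(row))
```
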



  • 4.  RE: Using AU Report ACP00060 CKAGC060

    Posted Mon November 20, 2023 01:18 PM
    Hi Tom,
    Thanks very much for your reply.  Yes, I think so too that the 'audit' flags are included in the report.  I was anticipating the internal/external audit company representative's review and possible questions to see exactly what the audit flag is set to in a different 'view'.  Maybe as in the UI view as one can list the 'DATASET' profile in the panel: 
    Safeguards                                                        Other permissions                    
    Erase on scratch                          No                 Allow all accesses    WARNING    No     
    Audit access success/failures U R                Universal access authority         READ   
    Global audit success/failures                             Resource level                               0     
    User to notify of violation  
    I was thinking I might be able to bring this view into the CKAISDLU test somehow.  I think the report is sufficient and will relay your review of what the test performs for us already, as-is.   
    Thanks again for help.  
    Lynn
     


    ------------------------------
    Lynn Gilson
    Lynn
    ------------------------------



  • 5.  RE: Using AU Report ACP00060 CKAGC060

    Posted Tue November 21, 2023 03:09 AM

    Hi Lynn,

    please be aware that when you run the display version of the CKAGC110 control in the zSecure UI, you can access the involved DATASET profile definitions directly from your compliance results. 

    For example, when I run control CKAGC110 with option AU.R.S or AU.R.T on my system with display mode and I zoom into the STDTESTS report, I can access the GOAL/TEST details with line command "S".

                     Standard compliance test                                                                            Line 31 of 87
    Command ===>                                                                                                       Scroll===> CSR 
                                                                                                                                      
       Complex  Ver  Pr Standards NonComp Unknown Exm Sup                                                                             
       NMPIPL87      20         1       1                                                                                             
       Standard      Pr Rule sets NonComp Unknown Exm Sup Version                                                                     
       RACF_STIG     20         1       1                 "1.00"                                                                      
       Rule set      Pr Objects   NonComp Unknown Exm Sup Description                                                                 
       ACP00110      20        87      68                 Access to LINKLIST libraries must be restricted.                            
       Non Unk Exm Class    System   Type    VolSer Resource                                                                          
    s  Non         Dataset  ZS14             COMN01 COMMON.LINKLIB                                                                    
       Non         Dataset  ZS14             G3102D CSF.SCSFSTUB                                                                      

    And then, you can use line command "S" again to access the GOAL/TEST details of one of the tests that are performed for the DATASET profile. Then, you can use F8 a couple of times to scroll down to the "Class Profile key" section. There, you can use line command "P", for "Show profile".

                     Standard compliance test 2c.audit_success                                                           Line 47 of 77 
    Command ===>                                                                                                       Scroll===> CSR  
    ACP00110      LINKLIST libs protected                                                                                              
                                                                                                                                       
                                                                                                                                       
      Resource location                                                                                                                
      Complex name                  NMPIPL87 Complex severity (importance) Medium                                                      
      System name                   ZS14     Profile or data set type                                                                  
      Volume serial key             COMN01                                                                                             
      Test domain newlist type      sensdsn                                                                                            
                                                                                                                                       
      Class    Profile key                                                                                                             
    p DATASET  COMMON.*.**                                                                                                             

    That action shows the profile settings of the involved DATASET profile that you are referring to:

    Safeguards                             Other permissions                     
    Erase on scratch              No       Allow all accesses    WARNING No      
    Audit access success/failures   R      Universal access authority    READ    
    Global audit success/failures          Resource level                 0      
    User to notify of violation                                                  
    Days protection provided #                                                     

    Is that what you are looking for?                                               



    ------------------------------
    Tom Zeehandelaar
    z/OS Security Enablement Specialist - zSecure developer
    IBM
    ------------------------------



  • 6.  RE: Using AU Report ACP00060 CKAGC060

    Posted Tue November 21, 2023 11:13 AM

    Yep, beautiful, thanks much Tom!  These audits that companies perform and coordinate thru the company Security team have items that are operating system related.  So, they request the SysProg to perform the test or gather the information.  The ACP00060 070 110 tests are great!  It gives one the entire list of libraries since the last IPL and can produce the 'background' listing or the 'foreground' dynamic displays.  That DATASET Profile is really nice to have in the foreground display.  With the 'background' batch prints we use the SNMP feature to deliver the report to our personal, secured Mailbox.  From there we can 'save as' a .txt file or a .pdf file on the LAN.  This is how the auditors get the reports.  Since zSecure provides so much already in the AU.R from ACP00060 070 110 that I think it is sufficient.  Sometimes I think the auditors do not have experience with ZOS so simply 'read the book' or 'worksheet' description for what they're supposed to look for to check off their box  -  in the case of these audit items, AUDIT(ALL(READ)) or AUDIT(ALL(UPDATE)) in the simplest form.  That was my anticipation of what they may ask for.  But, with your description of what the test does and provides already in the 'background' print form I think it is sufficient. 

    Many thanks for your kind analysis and explanation of the report and how it tests (goals) these elements of ZOS operating system components. 

    Much thanks!

    Lynn  

     



    ------------------------------
    Lynn Gilson
    Lynn
    ------------------------------