Hi Lynn,
Please be aware that when you run the display version of the CKAGC110 control in the zSecure UI, you can access the involved DATASET profile definitions directly from your compliance results.
For example, when I run control CKAGC110 with option AU.R.S or AU.R.T on my system with display mode and I zoom into the STDTESTS report, I can access the GOAL/TEST details with line command "S".
Standard compliance test Line 31 of 87
Command ===> Scroll===> CSR
Complex Ver Pr Standards NonComp Unknown Exm Sup
NMPIPL87 20 1 1
Standard Pr Rule sets NonComp Unknown Exm Sup Version
RACF_STIG 20 1 1 "1.00"
Rule set Pr Objects NonComp Unknown Exm Sup Description
ACP00110 20 87 68 Access to LINKLIST libraries must be restricted.
Non Unk Exm Class System Type VolSer Resource
s Non Dataset ZS14 COMN01 COMMON.LINKLIB
Non Dataset ZS14 G3102D CSF.SCSFSTUB
And then, you can use line command "S" again to access the GOAL/TEST details of one of the tests that are performed for the DATASET profile. Then, you can use F8 a couple of times to scroll down to the "Class Profile key" section. There, you can use line command "P", for "Show profile".
Standard compliance test 2c.audit_success Line 47 of 77
Command ===> Scroll===> CSR
ACP00110 LINKLIST libs protected
Resource location
Complex name NMPIPL87 Complex severity (importance) Medium
System name ZS14 Profile or data set type
Volume serial key COMN01
Test domain newlist type sensdsn
Class Profile key
p DATASET COMMON.*.**
That action shows the profile settings of the involved DATASET profile that you are referring to:
Safeguards Other permissions
Erase on scratch No Allow all accesses WARNING No
Audit access success/failures R Universal access authority READ
Global audit success/failures Resource level 0
User to notify of violation
Days protection provided #
Is that what you are looking for?
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
------------------------------
Original Message:
Sent: Mon November 20, 2023 01:18 PM
From: Lynn Gilson
Subject: Using AU Report ACP00060 CKAGC060
Hi Tom,
Thanks very much for your reply. Yes, I think so too that the 'audit' flags are included in the report. I was anticipating the internal/external audit company representative's review and possible questions to see exactly what the audit flag is set to in a different 'view'. Maybe as in the UI view as one can list the 'DATASET' profile in the panel:
Safeguards Other permissions
Erase on scratch No Allow all accesses WARNING No
Audit access success/failures U R Universal access authority READ
Global audit success/failures Resource level 0
User to notify of violation
I was thinking I might be able to bring this view into the CKAISDLU test somehow. I think the report is sufficient and will relay your review of what the test performs for us already, as-is.
Thanks again for help.
Lynn
------------------------------
Lynn Gilson
Lynn
Original Message:
Sent: Mon November 20, 2023 04:59 AM
From: Tom Zeehandelaar
Subject: Using AU Report ACP00060 CKAGC060
Hi Lynn,
Judging by the sample output that you have included, it seems that you are using the "Print format" option from the output and run options of the zSecure UI.
The way I see it, the settings of the audit flags are already included in the compliance results, so I do not really understand the reason for your question.
One of the domains in control CKAGC100 selects all names of the libraries that must be tested for general access and log settings. Then, in the RULE that is named ACP00110_log, the control tests the log settings of the best matching DATASET profiles for these libraries with GOAL/TEST checks that are coded in an imbed member that is named CKAISDLU.
This member contains the following 3 goal tests:
- TEST 2a.no_logflags_exist - When no protecting profile is defined for a library that is found in the LINKLIST, this test will be included in your compliance output explaining that your RACF database lacks a DATASET profile that protects this LINKLIST library.
- TEST 2b.audit_fail - When a best matching DATASET profile does exist for this LINKLIST library, this GOAL/TEST verifies that access failures are logged from READ level up. Our compliance output reports that the FAILED audit setting is tested for the value READ, and the "Actual value" shows the failed log setting that is found in your RACF database for this profile.
- TEST 2c.audit_success - When a DATASET profile does exist for this LINKLIST library, this GOAL/TEST verifies that access successes are logged from UPDATE level up. Our compliance output reports that the SUCCESS audit setting is tested for the values READ or UPDATE to be compliant, and the "Actual value" shows the setting that is found in your RACF database for this profile. When it reports blank, this indicates that no SUCCESS logging is currently requested for successful access to data sets that are protected by this profile.
Here's a sample of output that I am getting on one of my test systems:
Compliant test 2b.audit_fail All failed READ and higher access attempts must be logged.
Found compliant value: sensdsn.RACF_AUDITF=READ
Actual value: READ
Non-Compliant test 2c.audit_success All successful UPDATE and higher access attempts must be logged.
Didn't find compliant value: sensdsn.RACF_AUDITS=(READ,UPDATE)
Actual value:
So the way that I see it, the AUDIT flags are already included in your output. Am I missing something?
I hope this helps.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
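The reply above explains that the audit settings already appear in the print-format output as the "Actual value" of tests 2b.audit_fail and 2c.audit_success. As an added example (not part of the original thread and not zSecure code), the Python below collects those values into one row per LINKLIST library for an auditor-facing summary. It assumes the line layout of the report lines quoted in this thread; the sample text is constructed and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the print-format lines quoted in this thread.
SAMPLE_REPORT = """\
20 Non-Compliant object UTWX SYS600 Dataset AOS3.** AOS3.LINKLIB
Compliant test 2b.audit_fail All failed READ and higher access attempts must be logged.
Found compliant value: sensdsn.RACF_AUDITF=READ
Actual value: READ
Non-Compliant test 2c.audit_success All successful UPDATE and higher access attempts must be logged.
Didn't find compliant value: sensdsn.RACF_AUDITS=(READ,UPDATE)
Actual value:
20 Non-Compliant object ZS14 COMN01 Dataset COMMON.*.** COMMON.LINKLIB
Compliant test 2c.audit_success All successful UPDATE and higher access attempts must be logged.
Found compliant value: sensdsn.RACF_AUDITS=(READ,UPDATE)
Actual value: UPDATE
"""

# Assumed layout: [priority] status "object" system volser type profile resource
OBJECT_RE = re.compile(r"^\s*\d*\s*(Non-Compliant|Compliant) object"
                       r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
TEST_RE = re.compile(r"^\s*(Non-Compliant|Compliant) test\s+(\S+)")
EXPECT_RE = re.compile(r"compliant value:\s*sensdsn\.(\w+)=(.*)$")
ACTUAL_RE = re.compile(r"^\s*Actual value:\s*(.*)$")
KEYS = ("status", "system", "volser", "type", "profile", "resource")

def parse_report(text):
    """Return one dict per reported object, with its tests keyed by test name."""
    objects, obj, test = [], None, None
    for line in text.splitlines():
        if m := OBJECT_RE.match(line):
            obj = dict(zip(KEYS, m.groups()), tests={})
            objects.append(obj)
            test = None
        elif obj is not None and (m := TEST_RE.match(line)):
            test = {"status": m[1], "field": None, "expected": None, "actual": None}
            obj["tests"][m[2]] = test
        elif test is not None and (m := EXPECT_RE.search(line)):
            test["field"], test["expected"] = m[1], m[2].strip()
        elif test is not None and (m := ACTUAL_RE.match(line)):
            test["actual"] = m[1].strip()
    return objects

def audit_flags(objects):
    """Rows of (resource, profile, failure audit, success audit) per object."""
    rows = []
    for obj in objects:
        by_field = {t["field"]: t for t in obj["tests"].values()}
        # A blank actual value means no logging is requested for that access kind.
        show = lambda f: (by_field[f]["actual"] or "(none)") if f in by_field else "not tested"
        rows.append((obj["resource"], obj["profile"], show("RACF_AUDITF"), show("RACF_AUDITS")))
    return rows
```
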
Original Message:
Sent: Fri November 17, 2023 05:31 PM
From: Lynn Gilson
Subject: Using AU Report ACP00060 CKAGC060
... for ACP00110 CKAGC110 :-)
------------------------------
Lynn Gilson
Lynn
Original Message:
Sent: Fri November 17, 2023 05:29 PM
From: Lynn Gilson
Subject: Using AU Report ACP00060 CKAGC060
Hello xChange!
The AU compliance test for ACP00110 is exactly what I need for a report request from mgmt. I would also like to include in the generated report the AUDIT flags. Here's a sample of the report currently:
C O M P L I A N C E T E S T R E S U L T S complex TPX standard ZOS_EVALUATE
Rule set ACP00110 LINKLIST libs protected
Access to LINKLIST libraries must be restricted.
20 Non-Compliant object UTWX SYS600 Dataset AOS3.** AOS3.LINKLIB
Non-Compliant test 1f.UACC_READ Universal access (UACC) READ must be audited.
Didn't find compliant value: sensdsn.RACF_UACC=NONE
Actual value: READ
Is there a way to include what the AUDIT flags are for the indicated dataset in this report?
Thanks for your help!
------------------------------
Lynn Gilson
Lynn
------------------------------