Hi Peter,
please be aware that the standard Alert 1102 supports the use of wild cards ("*" and "%") in the zSecure Alert User Interface. Therefore, when your company uses a naming convention scheme for Privileged Human UserIds, you should be able to address many more UserIds by applying the appropriate wild cards in the ten supported panel entries.
Then, when that suggestion still does not suffice for your business case, indeed you can decide to copy Alert 1102 to define a custom alert. However, in my opinion, there is no need to take multiple copies. After copying Alert 1102 to an installation-defined alert, you should be authorized to use line command E (for Edit) against your custom version of Alert 1102.
That action shows a follow-on alert configuration panel that shows an option that is named "View/edit alert skeleton C2PS%%%" (where %%%% represents the alert ID that you assigned to your custom alert). When you select that option, you can view and, if applicable, edit the CARLa script that the alert uses.
When you scroll down, you encounter the part where the supported panel entries for Alert 1102 are picked up:
)DEFAULT )&?!<|>
likelist=recent,
user=(,
<&c2peeus0,|>
<&c2peeus1,|>
<&c2peeus2,|>
<&c2peeus3,|>
<&c2peeus4,|>
<&c2peeus5,|>
<&c2peeus6,|>
<&c2peeus7,|>
<&c2peeus8,|>
<&c2peeus9,|>
)
Here, you can either replace or add hard-coded names (or filters) of the UserIds that your company wants to monitor.
I hope that this answers your question sufficiently.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
Delft
+31643351728
------------------------------
Original Message:
Sent: Sat May 23, 2020 07:36 PM
From: peter leaper
Subject: zOS Privileged Human UserIds. How to setup custom zSecure Alerts
Hi, grateful for any suggestions on the subject of zOS Privileged Human UserIds.
I am trying to establish what alerts to track the activity of zOS Privileged Userids.
The categories are zOS, DB2, CICS and IMS 'system programmers', i.e. UserIds with
the ability to 'Change the System(s) Configuration'.
Alert 1102, logon with emergency User ID, seems to be able to cater for only ten entries ...
So if I wish to track 40 / 50 UserIds (zOS, DB2, CICS, IMS Sysprogs), I suppose I will
have to copy alert 1102 to a new custom alert, but that will only give me the capability
to track another 10? So is it a question of having to copy Alert 1102 to 4/5 new alerts
to cover the total Sysprog UserId population of @40 UserIds?
Interested though in what types of tracking other Sites do for zOS Human Privileged UserIds.
I posted this on Listserv RACF, more appropriate here! Thanks
------------------------------
PPL
------------------------------