Hi team,
Hope you are all well. We're currently attempting to implement zSecure STIG health checks across our ACF2 and RACF environments.
My intention is that when the compliance batch jobs run, they will produce a tab-separated summary report and a detailed test result report. On our test ACF2 system I am getting an enormous amount of data in the detailed test report (1.6m rows). From what I can see, most of the volume comes from situations where it is checking IDs against many similarly named resources. In the example below, the data is taken from the resource field of the detailed test report; for each RQM ID there are approx. 1000 rows like those below just for this control.
ACF2-JS-000050 Security JES2 spool resources IBM z/OS JES2 spool resources must be controlled in accordance with security requirements.
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000110.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000111.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000112.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000113.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000114.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000115.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000127.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000107.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000108.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000113.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000118.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000123.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000124.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000125.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000126.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000127.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000128.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000129.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000130.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
Is there any way you can think of that I can reduce the size of my report without losing the meaningful information I require (e.g. ID RQMP2U has non-compliant access via rule JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW)?
For your reference the CARLA is below. Thanks very much for any suggestions you have.
ALLOC TYPE=OUTPUT DD=SHCOWN
DEFTYPE TYPE=$cntrlown
ALLOC TYPE=$cntrlown DD=SHCOWN
DEFINE TYPE=$cntrlown rulenm(20,CHAR) AS WORD(RECORD,1)
DEFINE TYPE=$cntrlown cntrlown(20,CHAR) AS WORD(RECORD,2)
n type=compliance name=check name=LSTGOALS required,
prefixlen=0 prefixsep=' ' header=tsvt dd=rptfull
exclude ifdefined(COMPLIANCE_EXCLUDE)
define flg_compliant min(goal_compliant)
define flg_compliant2 boolean where goal_compliant=yes
define flg_noncomply boolean where goal_noncompliant=yes,
not(rule_exempt=yes)
define flg_undecided boolean where,
not(goal_compliant or goal_noncompliant or,
(not(goal_assert_expired) and,
(goal_assert_as='compliant'c or,
goal_assert_as='noncompliant'c)) or,
rule_exempt or control_not_applicable)
define flg_base boolean where goal_base_field<>' '
define flg_object('object',6,hb) boolean where exists(class)
define highprio('Pri',2,dec$blank,bw) max(auditpriority)
define flg_result_no("Didn't find",hb) boolean where,
(goal_test_result=no not(goal_assert_expired))
define once(0 hb ' ' noretain) TRUE /* literal to be printed once */
define once_no_assert(0 hb ' ' noretain) TRUE where not(goal_assert)
define flg_asserted('Asserted as',11,cond) true where,
goal_assert and exists(goal_assert_as)
define flg_same_ovr('Also set',8,cond) true where,
exists(goal_assert_recorder) and,
not(goal_assert) and not(goal_override)
sortlist,
complex('System',0),
standard(0),
standard_version("Ver",0),
:system.unload_datetime(18),
system:system.system.collect_datetime(18),
control(0),
control:$cntrlown.rulenm.cntrlown("Owner"),
control_caption(0),
control_desc(0),
auditpriority(0),
flg_noncomply(nd),
flg_compliant2('Compliance State',STR$BLANK('Compliant'),0) |,
flg_noncomply('',STR$BLANK('Non-Compliant'),0) |,
flg_undecided('',STR$BLANK('Undecided'),0) |,
control_not_applicable('',STR$BLANK('N/A'),0) |,
goal_assert_expired('',STR$BLANK(' Expired'),0) |,
rule_exempt('',STR$BLANK('Exempt'),0),
goal(0),
goal_desc(0),
:class(nd),
system(0),
proftype(0),
volser_key(0),
class(0),
:profile(0),
resource(0),
goal_test_result(hb,'Found',0),
goal_override(12,'Overridden'),
flg_same_ovr("Overidden State"),
flg_asserted('Asserted'),
goal_assert_as('Assert State',0),
goal_assert_expired('Assert Expired',0),
goal_assert_enddate('Expire Date',9),
goal_assert_recorder('Asserted ID',0),
goal_assert_by('Assert by',0),
goal_assert_comment('Assert Comment',0),
suppress('Suppressed',0) suppress_reason(0)
------------------------------
Nathan Shrive
------------------------------
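An added example, not part of the original post and not zSecure or CARLA code: one way to post-process the detailed report so that each ID and rule entry pair appears once, with a count of matching resources and one sample resource name. It assumes the resource field keeps the whitespace-separated layout shown in the post; the function name `summarize`, the second logonid and the last sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# Sample "resource" field values: the first three rows are copied from the
# post, the fourth uses a constructed logonid, the fifth is a constructed
# line that does not follow the layout.
SAMPLE = """\
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000110.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQI$@1.WQICTL1.STC00235.D0000111.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMP2U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000107.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
RQMT9U A R JES2KTST.WQII2.WQIDB11A.JOB00333.D0000107.? JES2****.- UID(**2**RQM) SERVICE(READ) ALLOW
ACF2-JS-000050 Security JES2 spool resources
"""

# Assumed layout: <logonid> <flag> <flag> <resource> <rule key> UID(..) SERVICE(..) <decision>
ROW = re.compile(
    r"^(?P<id>\S+)\s+\S+\s+\S+\s+(?P<resource>\S+)\s+"
    r"(?P<rule>\S+\s+UID\([^)]*\)\s+SERVICE\([^)]*\)\s+\S+)$"
)

def summarize(lines):
    """Collapse rows to (logonid, rule entry, resource count, sample resource).

    Rows that do not match the assumed layout are returned separately instead
    of being dropped, so no finding disappears from the compliance evidence.
    """
    groups = defaultdict(list)
    unparsed = []
    for line in lines:
        text = line.strip()
        if not text:
            continue
        match = ROW.match(text)
        if match is None:
            unparsed.append(text)
            continue
        rule = " ".join(match["rule"].split())  # normalise spacing in the rule text
        groups[(match["id"], rule)].append(match["resource"])
    summary = sorted(
        (logonid, rule, len(resources), resources[0])
        for (logonid, rule), resources in groups.items()
    )
    return summary, unparsed

if __name__ == "__main__":
    rows, leftovers = summarize(SAMPLE.splitlines())
    for logonid, rule, count, sample in rows:
        print(f"{logonid}\t{rule}\t{count}\t{sample}")
    print(f"{len(leftovers)} row(s) not matching the assumed layout")
```
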