Hi Peter,
As to your query about the TRUSTED report type, I will observe that the AUDITPRIORITY fields across the various report types try to use the same "scale" of priorities. For this particular report type we only document in the CARLa Command Reference: "Contains the audit priority that measures the risk the privilege poses. The value is 40 or higher if the privilege is a major exposure. For example, the user ID value represents some default user anybody can use."
[Possibly your query was meant more specifically about the report selection
called TRUSTED in AU.S RACF user. This is one way of summarizing the generated trust relations.]
If you press PF1 on the column for context sensitive field help, you should see:
This numerical field indicates the relative audit priority. Higher values indicate a higher relative audit priority. Across all NEWLIST types, the value of the audit priority has the following meaning: 40 and up Immediate attention required; system security can be circumvented easily. 20 to 39 Review is required; serious security threats may exist. 10 to 19 Worthy of attention, should time permit. 1 to 9 Informational warnings. 0 No audit concerns identified. It is definitely possible to get values higher than 10 (and indeed, higher than 40).
In some report types, there will be a particular priority for a concern, and if there are multiple concerns, then the priority might be a simple addition of the separate priorities. In other cases, there might be multiple priorities for a concern depending on additional factors. As an example, in the CLASS report type the priorities might be reduced for a class that is not currently active. In some report types the concerns are rather assigned to a band, so that the occurrence of multiple lower ranking concerns does not do a simple addition, so that, say, the occurrence of a lot of priority 5s does not constitute a priority 25, but gets bounded to a maximum of 10 together or something like that. Besides the "zSecure default" policy, you can also instruct the program to follow a particular "Audit policy", meaning that if a setting does not comply with, say, the "C2" protection profile mandates, you will get at least a priority of 40 on account of noncompliance. (There is a checkbox for this on the AU.S panel.)
This option allows you to select the audit policy used to determine the audit concerns and priorities. The zSecure default policy will raise a concern's priority to 40 or more if the system could almost certainly be compromised because of it. The C1 , C2 and B1 selections refer to the DoD orange book standards; these will also set priorities to 40 or more when aviolation of the selected policy is noticed. It is not implied that any violation will be noted. In addition, B1 will generate more audit concerns.This will result in a SIMULATE POLICY statement being added to the generated query.
There is also a SIMULATE sub-command to add resources to sensitive resource reporting. For those you can also indicate the desired audit priority.
To get back to your original query, we do not document explicitly which attributes in RACF [and ACF2] in combination with what other factors lead to which particular audit priority in TRUSTED; so at that level of detail I have to say that this is not an intended programming interface.
The purpose of the audit priorities is to direct the attention of auditors to the most likely problem areas in the protection of your system. In general, you have to look into the details to ascertain exactly what is going on and if that is appropriate.
The meaning of a user being TRUSTED is that they have--or can get--access to the Trusted Computing Base in some fashion. So arguably
any user that shows up is a rather highly privileged id, regardless of the audit priority. If this report produces a very large amount of output, there might be something the matter with the general protection stance of your system. I will note that in the CARLa book, the title of the report type is "TRUSTED: Users that can bypass security".
I do not understand enough about your real business requirement to comment on that directly. :-)
Regards,
--Jeroen
P.S. Orange Book profiles might be a little dated. Besides the status audit approach embedded in AU.S, which tries to give you an overview of all vulnerabilities in your system so that you can look at the most easily exploitable ones first, another modern approach is to implement compliance with a standard. The AU.R option is designed for that. This uses compliance or noncompliance with specific defined rules directly rather than audit priorities to help you find in which areas you might not be where you want to be. If you want you can write your own compliance standard with the power of all the >100 different report types in CARLa to back it. The product also comes with some predefined standards out of the box, and capabilities to extend these with more rules or suppress some in a controlled fashion.
------------------------------
Jeroen Tiggelman
Software Development and Level 3 Support Manager IBM Security zSecure Suite
IBM
Delft
------------------------------
Original Message:
Sent: Fri October 16, 2020 06:27 AM
From: peter leaper
Subject: zSecure Trusted Report
Hi there,
My Query is about the zSecure Trusted report and the reported var of Audit Priority.
The Report is generating values of 1 to 10, 10 being the highest.
1. How are these Values calculated ?
It would seem that the RACF Attributes are used (Systems Special GSpecial etc ) and also
the access to Sensitive Data set resources (APF/LINK Libraries) and general RACF permission authorities
to all resources in all RACF Classes ?
2. Are these values generated as part of the Shipment of zSecure as Default values ?
3 I am thinking of using Priority values of >= 5 as the definitive list of zOS Privi UserIds.
Is this a reliable method in that this would contain UserIds with Higher RACF Attributes and/or
elevated privilege to all Classes / Resources known to RACF ?
4. Is there any Documentation on these values, in that there dies not seem to be any in the zSecure reference manuals,
and 'mixed data' from Google (or Yahoo :-)).
5. Can these values be adjusted by a User, as there may be audit implications if that is the case.
Need to establish a definitive list of Privileged UserIds as 'targets' for a PAM solution.
There is a bit of a debate going on as to whether to use a partially implemented RBAC structure (Role based),
or the zSecure Trusted report(s) as the definitive method.
Grateful for your answer(s)
Peter
------------------------------
peter leaper
------------------------------