Hi Brent,
- Does IBM have a definition to what the zSecure Trusted Report is?
Roughly translated, a trusted report shows an overview of users that have one or multiple (indicated by # of reasons) access path(s) that allow them to update resources that are part of the Trusted Computing Base (TCB) and thus can potentially change security settings/configurations or bypass security measures. For example, users that have SPECIAL, OPERATIONS, UID(0), or UPDATE or higher access to an APF-authorized library are considered 'Trusted users' in this context. This terminology should not be mixed up with the TRUSTED attribute of a started task user, although trusted started task users are considered to be trusted users in a zSecure Trusted Report. But note that the reverse statement, that all trusted users are assigned the TRUSTED attribute, is not true.
The idea is that using the 'Trusted report', you can review whether the reported trust reasons for the users that are reported align with their current job role. Be aware that it is impossible to design a system that does not have any 'trusted users' reported. Your company will employ security administrators, DB admins, auditors, systems programmers, etc., that need certain trusted access to perform their normal work. As a general rule of thumb, the trusted report should not report any users that are not involved in z/OS system management in one way or another. And from the remaining trusted users, you can review whether their reported trust reasons correspond with their job role. If not, the trust reasons that do not align with their job role should be removed.
- Is there a table or the like as to what is "Trusted".
To my knowledge there's no table that documents which privileges and access levels to sensitive resources are considered to be "Trusted" access. The audit concern description and the details in the trusted report can be used to review/diagnose why a certain access is reported as a trust reason and what the actual source of this access is, e.g. possession of a privilege, or an UPDATE or higher access to a sensitive resource the user has through a permit, a group connection, or general access (by means of WARNING mode, UACC, ID(*), or the global access table).
- Is there a way to add/remove things from the trusted report.
Remove: Yes, in principle that is possible. You can add an EXCLUDE SENSITIVITY=(list of sensitivity types that you want to exclude from the report) statement. Or, for example, when you add a statement like:
EXCLUDE SENSITIVITY=:prmlib or SENSITIVITY=:loadlb
The trusted report will skip reporting all sensitivities that show the strings 'prmlib' and 'loadlb' in the sensitivity column.
Add: No. I cannot think of a way to add site defined sensitivity types to the zSecure trusted analysis.
I hope you find this information useful.
------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM
------------------------------
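To make the review Tom describes concrete, here is an added example (not zSecure or CARLa code, and not from the thread) that models the two things he explains: an EXCLUDE of sensitivity types by string fragment, and the per-user review of trust reasons against job role. The rows, user IDs, sensitivity strings, role mapping and the assumption that the `:prmlib`-style exclude is a case-insensitive substring match on the sensitivity column are all constructed for illustration and are not the product's actual data or matching rules.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class TrustRow:
    """One line of a (constructed) trusted report: who, which sensitivity, how obtained."""
    user: str
    sensitivity: str   # sensitivity type as it would appear in the report column
    source: str        # privilege, permit, group connect, UACC, ID(*), ...


# Constructed sample rows; the sensitivity strings only imitate the shape of
# the ':prmlib' / ':loadlb' fragments from the thread, they are not real names.
SAMPLE_ROWS = [
    TrustRow("SYSPRG1", "APF loadlb", "UPDATE via permit"),
    TrustRow("SYSPRG1", "prmlib", "UPDATE via group connect"),
    TrustRow("SECADM1", "SPECIAL", "system-wide attribute"),
    TrustRow("DBADM1", "OPERATIONS", "system-wide attribute"),
    TrustRow("DBADM1", "APF loadlb", "UPDATE via UACC"),
    TrustRow("APPUSR1", "prmlib", "UPDATE via ID(*)"),
    TrustRow("STCTASK", "TRUSTED started task", "STDATA TRUSTED"),
]

# Constructed job-role data for the review step; APPUSR1 deliberately has no
# system-management role, so every trust reason it has should be flagged.
JOB_ROLE = {
    "SYSPRG1": "sysprog",
    "SECADM1": "secadmin",
    "DBADM1": "dba",
    "STCTASK": "started task",
}
ROLE_ALLOWS = {               # role -> sensitivity fragments that align with it
    "sysprog": {"loadlb", "prmlib"},
    "secadmin": {"special"},
    "dba": set(),             # a DB admin needs neither OPERATIONS nor APF update
    "started task": {"trusted"},
}


def exclude_sensitivities(rows, fragments):
    """Model of EXCLUDE SENSITIVITY=:frag1 or SENSITIVITY=:frag2.

    Assumption (this model's choice): a row is dropped when its sensitivity
    column contains any fragment, compared case-insensitively.
    """
    frags = [f.lower() for f in fragments]
    return [r for r in rows if not any(f in r.sensitivity.lower() for f in frags)]


def trust_summary(rows):
    """Group remaining rows per user; len() of each list is the '# of reasons'."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r.user].append(f"{r.sensitivity} ({r.source})")
    return {u: sorted(v) for u, v in by_user.items()}


def misaligned_reasons(rows, job_role=JOB_ROLE, role_allows=ROLE_ALLOWS):
    """Per user, the trust reasons that do not correspond with the job role.

    Users without a known system-management role get every reason flagged,
    which matches the rule of thumb that such users should not appear at all.
    """
    flagged = defaultdict(list)
    for r in rows:
        allowed = role_allows.get(job_role.get(r.user), set())
        if not any(a in r.sensitivity.lower() for a in allowed):
            flagged[r.user].append(r.sensitivity)
    return dict(flagged)


if __name__ == "__main__":
    kept = exclude_sensitivities(SAMPLE_ROWS, ["prmlib", "loadlb"])
    print("after EXCLUDE:", trust_summary(kept))
    print("review of full report:", misaligned_reasons(SAMPLE_ROWS))
```

Run against the constructed rows, the exclude leaves only the SPECIAL, OPERATIONS and TRUSTED rows, which is exactly why an exclude is a blunt instrument: it also hides APPUSR1's ID(*) update access to the parmlib-like sensitivity. The review function, run over the unfiltered report, is what surfaces that row together with DBADM1's OPERATIONS and APF access as reasons to remove rather than to exclude.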
Original Message:
Sent: Fri September 13, 2024 09:05 AM
From: Brent Brimacomb
Subject: zSecure Trusted Report Questions
A couple of questions; I looked in the document but didn't find clear answers:
- Does IBM have a definition to what the zSecure Trusted Report is?
- Is there a table or the like as to what is "Trusted".
- Is there a way to add/remove things from the trusted report.
- Particularly backups. Maybe *.BKUP on the end of a DSN that is considered "Trusted". The backup contains the same data.
Thank you,
Brent Brimacomb
Wells Fargo
------------------------------
Brent Brimacomb
------------------------------