List of Contributions

Rob van Hoboken

Posted By Rob van Hoboken Jul 3, 2020 5:43 AM
Found In Egroup: IBM Security Z Security
Job C2PJRECI in the CKRJOBS (and SCKRSAMP) data set can be used to print the Selected state of alerts in a named configuration; the report is going to be emailed to the recipient who is on the Who list of any of the alerts. ------------------------------ Rob van Hoboken ----------------------------- ...
Posted By Rob van Hoboken Jul 3, 2020 5:39 AM
Found In Egroup: IBM Security Z Security
Hi Adam, SMF_SECTION12_INDEX was designed to process "12 byte" triplets, as found in SMF types 120 and 123. The older SMF_SECTION field is meant for triplets where the count and length values are 2 bytes in length. Both fields expect to find a 12 (or 8) byte triplet containing the offset to the first ...
Posted By Rob van Hoboken Jun 22, 2020 4:21 AM
Found In Egroup: IBM Security Z Security
You could imagine an RFE to prevent obvious recursive calls. But other than that your recourse is to execute the original ALTUSER RESUME command (delete C4R.ALTUSER.=REPLACE.RESUME) and omit the RESUME keyword from the PRECMD string. ------------------------------ Rob van Hoboken ------------------ ...
Posted By Rob van Hoboken Jun 22, 2020 4:15 AM
Found In Egroup: IBM Security Z Security
Whereas it is true, as Davide pointed out, the IP address of the end-user is known only to the front-end web site, and not passed into the mainframe Shadow Region or LDAP, you could set up a custom defined alert to be, at least, aware of increasing numbers of incorrect passwords. zSecure Alert comes ...
Posted By Rob van Hoboken Jun 22, 2020 3:52 AM
Found In Egroup: IBM Security Z Security
When you specified a RACFVARS name in the profile key of your XFACILIT C4R.JESSPOOL.ID.&RACLNDE.** policy profile, the values stored as members of the RACFVARS profile were used to build the RACLISTed image of the XFACILIT profile (as you would expect). So in effect you were creating nn profiles ...
Posted By Rob van Hoboken Jun 17, 2020 6:04 AM
Found In Egroup: IBM Security Z Security
Hi Linnea, I assume you were using a DEFTYPE file with user ID and corresponding CSDATA value, and a look-up from ACL? ACL is actually not (just) the user ID, but a structure of information. Even when you modify ACL into ACL(ACLID) or ACL(RESOLVE,ACLID), internally it still is not the 8 byte field that ...
Posted By Rob van Hoboken Jun 16, 2020 9:21 AM
Found In Egroup: IBM Security Z Security
Sorry to rain on your parade, but the CAT based reporting also doesn't print CSDATA fields. The only ways to get CSDATA is with a NEWLIST TYPE=RACF; SELECT SEGMENT=CSDATA, or exporting the CSDATA fields with method (1), reading these with a DEFTYPE in a follow-up step and using lookup. - ...
Posted By Rob van Hoboken Jun 16, 2020 5:36 AM
Found In Egroup: IBM Security Z Security
Hi Linnea. No doubt, you found out there is no DEFDATE/CREADATE field in the application segments, so RACF does not keep track of the date when a (TSO, OMVS, etc) segment was created. If you have zSecure Command Verifier installed, you can activate the Command Audit Trail (CAT) for RACF commands that ...
Posted By Rob van Hoboken Jun 12, 2020 4:18 AM
Found In Egroup: IBM Security Z Security
Hi Adam, CKGRACF supports 2 types of commands (we could even increase this number by going into details, but let's stick with 2): RACF commands, executed through the CKGRACF CMD EXEC, CKGRACF CMD ASK or CKGRACF CMD REQ functions. These execute the commands with some level of parameter validation and, ...
Posted By Rob van Hoboken Jun 11, 2020 3:26 AM
Found In Egroup: IBM Security Z Security
There are some details about RACF_ACCESS I forgot to mention. RACF_ACCESS can be a life saver when you have to report profiles at the access list entry level, and in compliance reporting. There are extra fields and field values that you can find documented in the Syntax manual (and with the IN.D menu ...
Posted By Rob van Hoboken Jun 10, 2020 3:16 AM
Found In Egroup: IBM Security Z Security
I agree with Jeroen, a whole new approach is needed, one where individual PERMITs are available as selectable entries. CARLa offers such a data store: RACF_ACCESS. Next we have to find the highest value of a field in two similar entries, that is the SUMMARY statistic MAX. Putting these together we get: ...
Posted By Rob van Hoboken Jun 8, 2020 3:17 AM
Found In Egroup: IBM Security Z Security
Hi Peter, zSecure Alert is (by definition) a real-time messaging tool, that is to say, SMF and WTO/SYSLOG messages are collected during a (configurable) interval of 60 seconds, processed to identify sequences during this (and an optional additional averaging) interval and, when specified thresholds are ...
Posted By Rob van Hoboken Jun 3, 2020 12:53 PM
Found In Egroup: IBM Security Z Security
Some users forget to specify the P in the PPARM keyword of C2POLICE:
//C2POLICE PROC REGSIZE=256M,     Region for zSecure Alert
//         CONFIG=C2R$PARM,       Configuration member
//*        TCPDATA=TCPDATCP,      TCPIP DATA membername if SYSTCPD is used
//         PPARM=C2PDFLP,         C2POLICE parameter member <setname>P
//         PRTOUT=A, ...
Posted By Rob van Hoboken Jun 3, 2020 12:48 PM
Found In Egroup: IBM Security Z Security
C2PAMCON is the lightning fast consolidation, using merge sort principles. It does not allow modification of the key values, so C2PAMMAP is not included. You will have to use a job that calls C2PAMCMP to apply conversion rules from C2PAMMAP, filtering rules using C2PAMJOB, C2PAMPCL and C2PAMRCL, and ...
Posted By Rob van Hoboken Jun 2, 2020 10:32 AM
Found In Egroup: IBM Security Z Security
The general zSecure database reader currently doesn't issue locks on the RACF database. Not for reports, not for unloads. Unless you (try to) add a DD with DISP=OLD, the allocation is always in SHR (non-exclusive) state. You can do the same things from the primary (ALLOC TYPE=RACF ACTIVE) or the duplex ...
Posted By Rob van Hoboken May 28, 2020 3:56 AM
Found In Egroup: IBM Security Z Security
The Installation and Deployment manual does not mention it, but the User Reference Manual describes sample job SCKRSAMP(C2RJXUNL) to unload (or dump) CKXLOG logstreams. I agree, that is a set-up task you would expect in the installation manual (or at the very least some mention). The CARLa program in ...
Posted By Rob van Hoboken May 25, 2020 5:13 AM
Found In Egroup: IBM Security Z Security
Briefly stated: zSecure can do reporting from an archived copy of your active RACF database, or from the zSecure specific UNLOAD, but not from an UNLOAD created with IRRDBU00. In the zSecure specific UNLOAD, (encrypted) password and other hidden fields are replaced with ********. The IRRDBU00 unload ...
Posted By Rob van Hoboken May 25, 2020 4:58 AM
Found In Egroup: IBM Security Z Security
You can find DB2 reporting of RACF profiles (using IRRDBU00) documented here, and printing SMF records (via IRRADU00) documented here. ------------------------------ Rob van Hoboken ------------------------------
Posted By Rob van Hoboken May 25, 2020 4:49 AM
Found In Egroup: IBM Security Z Security
If the sysprogs (and other privileged IDs) can be identified by (any of) their connect groups, you could use these in the alert skeleton. First add a SIMULATE command to tell Alert which group(s) you are going to use: SIMULATE PRIV_USER_GROUPS=(DB2ADMIN,ZOSTEAM) and then use these in the SELECT command: ...
Posted By Rob van Hoboken May 21, 2020 11:40 AM
Found In Egroup: IBM Security Z Security
If your user ids are in a specific part of the group tree, you can also experiment with the group tree report in RA.3.8, from an UNLOAD. Click on "include users/subgroups" for best effect. ------------------------------ Rob van Hoboken ------------------------------