IBM Security Z Security


 Checking definitions in CKACUST(ACPCNFG)

Peter Buckley posted Tue February 11, 2025 05:24 AM

Hi,

As part of the CIS 1.1 Compliance Standard, customers need to define specific sensitive resources in ACPCNFG.

To help with this, I've written a control which checks for matching sensitive datasets, and fails if none exist. However, I'd also like to be able to check if the resource has been defined in ACPCNFG, even if there is no matching dataset. For example, a GTF Trace may be run only rarely, if ever, so no trace datasets may exist. But it would be good to check if a covering definition has been made in ACPCNFG.

I've had a few attempts to write something for this, but I'm obviously missing something. Could you help?

Thanks,

Tom Zeehandelaar (Best Answer)

Hi Pete, 

Oh, I see, you want to verify whether the sensitivity type GTFtrace_ is configured with a SIMULATE statement in customization member ACPCNFG. That will not work in a SENSDSN domain. The count_GTFtrace counter that you use will only count the number of sensitive data sets that are matched by the SIMULATE statement (if any) that you defined in member ACPCNFG. But it does not count the number of SIMULATE statements for sensitivity type GTFtrace_ that are stored in member ACPCNFG.
If that is your goal, you probably need to define a custom NEWLIST type for customization member ACPCNFG that then can be used to verify that this member contains one or more SIMULATE statements with SENSITIVITY=GTFtrace_.

You can then define a separate CONTROL or RULE in control CIS-OS-2.1.13 that uses your custom NEWLIST type to test that member ACPCNFG indeed contains a SIMULATE statement for sensitivity GTFtrace_ (and other configurable sensitivity types that you also might want to check). 

However, there's also an alternative to using a SIMULATE statement in member ACPCNFG to configure the resource name(s) or mask(s) that your company uses for these sensitive resources. It uses configurable assertions instead of SIMULATE statements (in ACPCNFG) that you can view and edit from the zSecure User Interface. Let me elaborate. 

Suppose that you want to define or check the current specifications of configurable sensitivity types for the z/OS RACF CIS Benchmark standard. 
You can use option AU.R.C, for Configure, and tag the options "z/OS RACF CIS Benchmark" and "Configuration of resource names for domain sensitivities".

                         zSecure - Audit - Configure           1.4 s CPU, RC=0
Command ===> _________________________________________________________________
                                                                              
Specify evaluation standards to configure:                                    
_  z/OS RACF/ACF2/TSS STIG             _  z/OS Products STIGs                 
_  z/OS RACF/ACF2 PCI-DSS              /  z/OS RACF CIS Benchmark             
_  z/OS Db2 CIS Benchmark              _  z/OS zSecure extra                  
                                                                              
                                                                              
                                                                              
Specify configuration options:                                                
_  Standard definition and configuration                                      
   _  Assertable goals only                                                   
/  Configuration of resource names for domain sensitivities                   
_  Configuration of user and group IDs in domain allowlist members            
_  Configuration of information in domain lookup members                      
_  Configuration of information in domain long lookup members                 
_  Configuration of auxiliary CARLa statements in domain configuration        

When you press Enter, this selection produces a report of the configurable sensitivity types that are associated with the controls that are part of the z/OS RACF CIS Benchmark standard.

                                                        7 s elapsed, 1.4 s CPU 
Configuration of resource names for domain sensitivities                       
Command ===> _________________________________________________ Scroll===> CSR  
                                                12 Feb 2025 13:57              
   Sensitivity Cfg Exp Class    Sensitive resource type                        
__ Exit_       Cfg Exp DATASET  Libraries (not APF, LPA, LINKLIST) that contain
__ FTPCC_      Cfg     DATASET  Data sets that store FTP control cards         
__ GTFtrace_   Cfg     DATASET  GTF trace data sets                            
__ InstallLib_ Cfg Exp DATASET  System-level product installation libraries    
__ ICSFinst_   Cfg     DATASET  ICSF installation data sets                    
__ IRRPWREX_   Cfg     DATASET  Data set that contains the RACF password exit I
__ MCATBATjob_ Cfg     DATASET  Data sets with jobs that can be run by MCATBAT 
__ PROP_UIDs_  Cfg Exp PROPCNTL Job scheduler and MUSASS IDs that can submit jo
__ RACFdump_   Cfg     DATASET  Dumps of the RACF database                     
__ SystemDUMP_ Cfg     DATASET  Data sets that store system dumps              
__ SystBackup_         DATASET  Data sets that store system backups            
__ SMFdmp_bkp_ Cfg     DATASET  Data sets that store dumped or backup SMF recor
__ SMS_ACS_            DATASET  DFSMS control data sets                        
__ SMSbackups_         DATASET  DFSMS ACDS and COMMDS backup data sets         
__ UNIXstepll_ Cfg     DATASET  Step libraries in the z/OS UNIX step libraries 
******************************* Bottom of Data ********************************

As you can see, this report contains a Cfg column that indicates whether a configurable sensitivity type is currently configured or whether that configuration is missing (when the Cfg column is blank). In addition, the Exp column reports when the current configuration specification has expired and needs to be re-asserted.

You can use action command E, for Edit, and press Enter to view and maintain the configuration specification of a sensitivity type, for example GTFtrace_.

Command ===> ________________________________________________ Scroll ===> CSR  
****** ***************************** Top of Data ******************************
=NOTE= GTF trace data sets                                                     
=NOTE= Enter max 20 GTFtrace_ resource names either as full names,             
=NOTE= or as EGN DATASET masks starting with at least 3 characters.            
=NOTE= Use END or SAVE to save in configuration assertion.                     
000001 SYS1.TRACE                                                              
****** **************************** Bottom of Data ****************************

Using configurable assertions instead of SIMULATE statements allows you to use this report to verify if sensitivity type GTFtrace_ is defined or missing. And you can use it also for all other configurable sensitivity types that the z/OS RACF CIS Benchmark supports. 

HTH
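
The check Tom describes above (does member ACPCNFG contain at least one SIMULATE statement with SENSITIVITY=GTFtrace_, independent of whether any matching data set exists today) can also be done outside zSecure, for example when reviewing the member in a repository or before it is shipped to a customer. The following Python script is an added example written for this page; it is not zSecure code, not a CARLa NEWLIST, and not something from the thread. It assumes that a SIMULATE statement for a sensitive resource has the shape `SIMULATE SENSITIVE SENSITIVITY=<type> DSN=<name-or-mask>`, that keywords are case-insensitive, that `/* ... */` marks a comment, and that a trailing comma continues a statement on the next line (the style of the DOMAIN statement quoted later in this thread). The member text is constructed for the example; the list of sensitivity types is the one shown in the AU.R.C report above.

```python
"""
Report which configurable sensitivity types a CKACUST(ACPCNFG)-style member
covers with a SIMULATE statement, and which ones are missing.

Added illustration only (not zSecure/CARLa code).  The statement layout
'SIMULATE SENSITIVE SENSITIVITY=<type> DSN=<mask>' and the comment and
continuation conventions are assumptions made for this example.
"""
import re
from typing import Dict, List

# Configurable sensitivity types listed in the AU.R.C report in the thread.
CONFIGURABLE_TYPES = [
    "Exit_", "FTPCC_", "GTFtrace_", "InstallLib_", "ICSFinst_", "IRRPWREX_",
    "MCATBATjob_", "PROP_UIDs_", "RACFdump_", "SystemDUMP_", "SystBackup_",
    "SMFdmp_bkp_", "SMS_ACS_", "SMSbackups_", "UNIXstepll_",
]

# Constructed sample member: a continued statement, a second statement for the
# same type, mixed-case keywords, and one statement that is commented out and
# therefore must NOT count as coverage.
SAMPLE_ACPCNFG = """\
/* ACPCNFG: site-specific sensitive resources (constructed sample) */
SIMULATE SENSITIVE SENSITIVITY=GTFtrace_,
         DSN=SYS1.TRACE
SIMULATE SENSITIVE SENSITIVITY=GTFtrace_ DSN=SYS1.TRACE.%%
simulate sensitive sensitivity=SystemDUMP_ dsn=SYS1.DUMP**
/* Commented out on purpose:
SIMULATE SENSITIVE SENSITIVITY=RACFdump_ DSN=SYS1.RACF.BACKUP
*/
"""

COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)   # assumed comment syntax
KEYVAL_RE = re.compile(r"(\w+)=([^\s,]+)")           # KEYWORD=value tokens


def logical_statements(member_text: str) -> List[str]:
    """Strip comments and join continuation lines (trailing comma)."""
    text = COMMENT_RE.sub(" ", member_text)
    statements: List[str] = []
    buffer = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        buffer = f"{buffer} {line}".strip() if buffer else line
        if buffer.endswith(","):          # continued on the next line
            buffer = buffer[:-1]
            continue
        statements.append(buffer)
        buffer = ""
    if buffer:                            # unterminated continuation at EOF
        statements.append(buffer)
    return statements


def simulate_statements(member_text: str) -> List[Dict[str, str]]:
    """One {KEYWORD: value} dict per SIMULATE SENSITIVE statement."""
    found: List[Dict[str, str]] = []
    for stmt in logical_statements(member_text):
        words = stmt.split()
        if len(words) < 2 or words[0].upper() != "SIMULATE" \
                or words[1].upper() != "SENSITIVE":
            continue
        found.append({k.upper(): v for k, v in KEYVAL_RE.findall(stmt)})
    return found


def coverage(member_text: str, types: List[str]) -> Dict[str, List[str]]:
    """Map each configurable sensitivity type to the DSN masks assigned to it."""
    result: Dict[str, List[str]] = {t: [] for t in types}
    by_upper = {t.upper(): t for t in types}   # sensitivity names are
    for stmt in simulate_statements(member_text):  # matched case-insensitively
        canonical = by_upper.get(stmt.get("SENSITIVITY", "").upper())
        if canonical is not None:
            result[canonical].append(stmt.get("DSN", "<no DSN>"))
    return result


def missing_types(member_text: str, types: List[str]) -> List[str]:
    """Sensitivity types with no SIMULATE statement at all: the gap Peter wants
    flagged as non-compliant even when no matching data set exists yet."""
    return [t for t, masks in coverage(member_text, types).items() if not masks]


if __name__ == "__main__":
    for sens_type, masks in coverage(SAMPLE_ACPCNFG, CONFIGURABLE_TYPES).items():
        print(f"{sens_type:12} {'Cfg' if masks else '   '} {' '.join(masks)}")
    print("missing:", ", ".join(missing_types(SAMPLE_ACPCNFG, CONFIGURABLE_TYPES)))
```

Run it as is to see the sample, or replace SAMPLE_ACPCNFG with the text of the real member. In the sample, GTFtrace_ and SystemDUMP_ report as configured and the commented-out RACFdump_ statement correctly does not count, so RACFdump_ shows up in the missing list together with the other twelve types the sample never mentions. A blank line in that list is the ACPCNFG equivalent of a blank Cfg column in the AU.R.C report.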

Tom Zeehandelaar

Hi Pete, 

In general, when you write custom controls that contain a domain that does not yield any goal test objects, this custom control does not produce output in the standard STDGOALS report, but in the STDRULES report you will find the control as a 100% compliant control with zero (0) goal test objects.

Thus, when your system does not contain sensitive data sets with sensitivity type GTFtrace, and your SIMULATE statement for sensitivity type GTFtrace_ in CKACUST member ACPCNFG does not match any existing data set either, the control is automatically suppressed from report STDGOALS, as you have probably experienced.

                 zSecure Display Selection                         Line 1 of 3 
Command ===> _________________________________________________ Scroll===> CSR  
                                                                               
  Name     Summary Records Title                                               
s STDRULES       1       1 Standard control compliance summary                 
_ STDTYPES       1       2 Standard object type compliance summary             
_ STDGOALS       0       0 Standard compliance goal                            
******************************* Bottom of Data ********************************

And when you access report STDRULES, it shows:

                 Standard control compliance summary               Line 1 of 1 
Command ===> _________________________________________________ Scroll===> CSR  
                                                10 Feb 2025 23:45              
   Complex  Ver     Pr Standards                                               
   NMPIPL87                    1                                               
   Standard         Pr Controls  Version                                       
   RACF_zOS_CIS                1 1.1.0                                         
   Control          Pr Cm% NS ObjGoal Comply NonCom Unkn Caption               
__ CIS-OS-2.1.13       100          0      0      0    0 SYSx.TRACE protected  
******************************* Bottom of Data ********************************

When you want to customize control CIS-OS-2.1.13 to produce output in the STDGOALS report when no GTF Trace data sets exist on the evaluated system, you could experiment with adding a not-applicable (N/A) rule in the control that triggers a "Not applicable" result for this control in report STDGOALS when the number of data sets found with sensitivity types GTFtrace and GTFtrace_ is zero (0). 

The concept of how this can be done is documented here: https://www.ibm.com/docs/en/szs/3.1.0?topic=standard-uniqueness-test-within-domain-summary-count

For inspiration, you could browse CIS 1.1 control CIS-OS-2.4.12 (SCKRCARL member CKAHR24C), which contains a similar implementation that generates an N/A result when no libraries (other than APF, LPA, and LINKLIST) that contain exit modules are found on the evaluated system. Note that the counter named "count_EXIT_libs" that is used in the domain summary is predefined in SCKRCARL member C2RH@DEF.

I hope this helps.

Peter Buckley

Thanks Tom, but that's not what I'm trying to achieve.

I'm happy for CIS-OS-2.1.13 to be N/A if there are no GTFtrace_ datasets.
I'm happy for CIS-OS-2.1.13 to execute the control if there are GTFtrace_ datasets.
I want to check if GTFtrace_ has been defined in ACPCNFG, to cater for future runs of GTF. If there aren't any datasets right now, that's no problem. It's the definition that I'm trying to trap. If there is no definition, I want the goal to be non-compliant.

I'm already using:

DOMAIN GTFtrace_count,
 DESC("GTF Trace datasets"),
 SELECT(sensdsn),
 SUMMARY(sensdsn(system complex ver count_GTFtrace)),
 SENSTYPE(GTFtrace_),
 CONFIG(ACPCNFG)

followed by a rule with test:

TEST GTFtrace_defined sensdsn>0 

This gives me a compliant result if the datasets exist, a non-compliant result if they don't exist. It cannot tell me if GTFtrace_ has been defined (but currently has no applicable datasets).

It seems to me that this should be possible, but I've failed to crack it!


Peter Buckley

Hi Tom,

That's clear enough, thanks. I had hoped that there was some generic way to check if a sensitivity type had a defined value, but now I know that it's a blind alley.

I'm aware of configurable assertions, but had tended to steer clear, preferring CKACUST members. My customers already get confused with assertions and overrides for goals. Are configurable assertions the preferred method going forward?

Meanwhile, I'll rethink my approach and issue some revised instructions for our customers.

Thank you.

Tom Zeehandelaar

Hi Peter, 

I would not state that configurable assertions are the preferred way, as using SIMULATE statements to populate configurable sensitive resources for zSecure compliance evaluations also works just as well, as you have experienced.

However, from our experience, we learned that several of our customers often struggle with the syntax of the CARLa programming language and prefer using a UI-supported method to browse and maintain their sensitive resource configuration settings. Using configurable assertions instead of SIMULATE statements in member ACPCNFG has the advantage that an assertion record also stores information about who entered the assertion, the start date, who provided the evidence for the assertion, a reason/description, and an optional end date for the assertion. Adding an end date enables customers to enforce a policy that configurable assertions must be periodically re-asserted, e.g. yearly or every 2 or 3 years, to ensure that the configurable assertions are still current.
In addition, you can use the report that I included in my previous response to verify the current status of the configurable assertions. Thus, in my opinion, the use of configurable assertions has more capabilities than the SIMULATE statements in CKACUST member ACPCNFG.