IBM Security Z Security

  • 1.  Modify Alert Logon of a userid with UID(0)

    Posted Tue September 21, 2021 03:14 PM
    Hello. I am trying to see if it is possible to have IDs excluded from Alert 1103.

    I see in Alert 1120 that there is an option to exclude IDs but looking at the skeleton I am not sure where the field c2pexcm is stored.

    )DEFAULT )&?!<|>
    exclude user=(,
    <&c2pexcm0,|>
    <&c2pexcm1,|>
    <&c2pexcm2,|>
    <&c2pexcm3,|>
    <&c2pexcm4,|>
    <&c2pexcm5,|>
    <&c2pexcm6,|>
    <&c2pexcm7,|>
    <&c2pexcm8,|>
    <&c2pexcm9,|>
    )

    ------------------------------
    Joseph Armas
    ------------------------------


  • 2.  RE: Modify Alert Logon of a userid with UID(0)

    Posted Tue September 21, 2021 04:00 PM
    Hi Joseph,

    The ISPF variables C2PEXCM* are set in panel SCKRPLIB(C2PP3ZAF), which is shown in the Alert book in the section "Major administrative activity (1120 & 2120) configuration".

    1120 is a "configurable alert" -- it shows a "Y" below the "C" of the "CA" column of the overview of the alerts in its alert category, documented as "Flag indicating whether this alert allows configuration to reflect items such as installation-specific names. When the alert is selected, a panel is displayed so that configuration can be performed. See "Predefined alert configuration" on page nnn."

    1103 is not a "configurable alert".

    To get something "like 1103" with a customization "like 1120" you would probably need to set up an installation-defined alert. Presumably you could start with "C"(opy) on 1103 and then add a panel name in option "Panel name . . . . . ________________ (Panel for additional customization) " where you might want a set of variables that is distinct from the ones for 1120 and 2120. (Note: Setting up installation-defined alerts is not completely trivial. Note: I did not try this now.)

    ( And if you would very much want a customization for 1103 "out of the box" sometime in future, you could of course raise a Request For Enhancement. )

    I hope this helps.

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: Modify Alert Logon of a userid with UID(0)

    Posted Wed September 22, 2021 04:01 AM
    Edited by Rob van Hoboken Wed September 22, 2021 04:01 AM
    Actually, customization fields like C2PEXCM0..9 are stored separately for each alert (number), in entries of the recipients table in C2PCUST.  So the fields that you might add into a (user defined) copy of the C2PS1103 skeleton can be C2PEXCM0..9, and that means you could reuse panel C2PP3ZAF as the customization panel of your new, user defined alert.

    To set the recipients panel name, you edit the alert parameters for a user defined alert, using the E line command.  Then enter the panel name in the panel field.

    To call up the customization panel (and fill in user IDs), enter an E line command in front of the alert (standard or user defined), and next select "Customize alert selection list".

    I agree with Jeroen, an RFE to provide SELECT/EXCLUDE panel(s) for ALL alerts would be a good next step.  Please be sure to specify WHICH (SMF, or lookup from RACF/ACF2) fields you would like to use in your excludes.

    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 4.  RE: Modify Alert Logon of a userid with UID(0)

    Posted Thu October 07, 2021 01:30 PM
    I have made a copy of the alert and tried to include the panel without any IDs being excluded.
    When running tests, the custom alert was not triggered but the standard alert did show a hit. I am not sure how the panel is stopping the alert from working.

    On the edit panel for the custom alert, I tried to edit the "Specify action command" as there is an EXCLUDE option to input user IDs. After making the change and including an ID, I verify and refresh the Alert configuration but the exclude does not stay. For the syntax I tried "EXCLUDE USER=ABCD" and "USER=ABCD". Is there something I am doing wrong here?

    I will be opening up an RFE to have this option included on all Alerts.

    ------------------------------
    Joseph Armas
    ------------------------------



  • 5.  RE: Modify Alert Logon of a userid with UID(0)

    Posted Tue October 26, 2021 06:17 AM
    Hi Joseph,

    To come back to your original question: I created a user alert based on 1103 and used the customization panel from 1120 (it contains a command selection too, but I don't use the variables that part sets). And for me it works.

    So my definition looks like this:

    Menu Options Info Commands Setup
    -------------------------------------------------------------------------------
    zSecure Suite - Setup - Alert
    Command ===>

    Description . . . . Logon of a userid with UID(0) (Unix superuser)
    Member prefix . . . REN
    Alert id . . . . . . 4103 Severity . . . . . . I (D, I, W, E or S)
    Data source . . . . SMF (SMF/WTO/other newlist type)
    Extended Monitoring N (Y/N)
    Parameters . . . . .
    Panel name . . . . . C2PP3ZAF (Panel for additional customization)

    Allowable destination types
    / E-mail / Cellphone / SNMP / WTO / QRadar Unix syslog / ArcSight
    Action command

    Optional actions
    Change data source filter: SMF type 30(1)
    Customize alert selection list
    Specify action command
    View/edit alert skeleton RENS4103

    and the select/exclude like this:

    )IM C2PSGNEW
    define worktype as smf_field(18,4) where type=30
    select event=racinit(0) user:unix_uid=0,
    likelist=recent,
    (worktype=TSO or
    (worktype=OMVS user==jobname))
    )DEFAULT )&?!<|>
    exclude user=(,
    <&c2pexcm0,|>
    <&c2pexcm1,|>
    <&c2pexcm2,|>
    <&c2pexcm3,|>
    <&c2pexcm4,|>
    <&c2pexcm5,|>
    <&c2pexcm6,|>
    <&c2pexcm7,|>
    <&c2pexcm8,|>
    <&c2pexcm9,|>
    )
    )DEFAULT )&?!¢}~

    Hope this helps.

    FYI, the "<" and ">" around those variable names make sure that a line is only inserted if that variable isn't empty. Simply specifying &c2pexcm1 will work too, except that you would get a few lines with only a comma as a continuation sign.

    Cheers,

    Rene

    ------------------------------
    RENE van TIL
    ------------------------------