IBM Security Z Security

  • 1.  Capturing Data from CKGRACF Commands

    Posted Thu October 06, 2022 06:08 PM
    We use Command Logger to capture the RACF commands that were issued along with the ticket / description provided by the administrator. I incorrectly assumed that, even though there may be prompts on the ISPF screen for ticket/description, Command Logger was recording CKGRACF commands.

    So I set up some carla to select the CKGRACF Commands:


    So if I issued a command like this:

    In the SMF data the CKGRACF Command and the REASON all appear in the LOGSTR field.   Example:
    CKGRACF CMD AT 06Oct2022 EXECUTE REASON('ART REQUEST: N/A - TEST CKGRACF COMMAND AUDITING') PERMIT 'RB106.ISPPROF*.**' CLASS(DATASET) ID(PWSYN01) ACCESS(READ)

    How can I parse the LOGSTR field to separate the COMMAND from the REASON? Since both values can be variable in length, I am not sure how to select those pieces of data.

    Thanks

    ------------------------------
    Linnea Sullivan
    ------------------------------


  • 2.  RE: Capturing Data from CKGRACF Commands

    Posted Fri October 07, 2022 10:25 AM
    Hi Linnea,

    I think the primary construction to deal with variable data like that is the PARSE function on DEFINE.

    If your REASONs do not contain closing brackets, you could use the following DEFINE to get to the PERMIT:

    def q as parse(parse(logstr,"reason("),") ")

    Where you first select the rest of the string after "reason(", and then cut off the first part of that up to and including the closing bracket and blank.

    (If you need to parse inside the reason string, this might get annoying because of variations.)

    I hope this begins to help.

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 3.  RE: Capturing Data from CKGRACF Commands

    IBM Champion
    Posted Fri October 07, 2022 10:51 AM
    Edited by Rob van Hoboken Fri October 07, 2022 10:51 AM

    As Jeroen pointed out, the PARSE function can be used if there is a unique leader and a unique terminator of your search target. When the terminator is missing, all data until the end of the field is copied. So you could use these commands to remove the REASON parameter and the quotes and parentheses. You could also find the start of the RACF command, but note that LOGSTR has a limited length, so not all parameters of the RACF command may be captured.

    def $reason as parse(logstr, "reason('", "') ")
    def $command as parse(logstr, "') ")


    ------------------------------
    Rob van Hoboken
    ------------------------------


  • 4.  RE: Capturing Data from CKGRACF Commands

    Posted Tue October 18, 2022 03:07 PM
    So the parse works as long as the administrator provides a reason. When the reason is not provided, the contents of LOGSTR change and no data is put in the $REASON or $COMMAND fields.

    Examples:
    CKGRACF CMD AT 18Oct2022 EXECUTE PERMIT 'RB106.ISPPROF*.**' ID(PWSYN01) DELETE

    CKGRACF CMD AT 18Oct2022 EXECUTE REASON('TEST CKGRACF CMD REPORTING') PERMIT 'RB106.ISPPROF*.**' CLASS(DATASET) ID(PWSYN01) ACCESS(READ)

    I don't see any way to parse out a $COMMAND since there is nothing unique to search for in the LOGSTR.

    Allow me to look at this from a different angle. With CKXLOGID there are controls on whether to require the Command Logger data. Are there any controls that would require the administrator to provide a reason for a CKGRACF command?

    Is this something for which an RFE might be needed to improve the CKGRACF reporting capabilities?

    ------------------------------
    Linnea Sullivan
    ------------------------------



  • 5.  RE: Capturing Data from CKGRACF Commands

    Posted Wed October 19, 2022 09:42 AM
    Hi Linnea, what I would do here is have 2 separate queries: one for those that contain 'REASON(' using the fields defined as you show, and another for those without 'REASON(' that uses another defined field that is the text that follows EXECUTE, such as def $cmdNoReason as parse(logstr, "EXECUTE")

    This Select for your 1st query will be for those with a REASON:
    Newlist .... name=query1
    def $command as parse(logstr, ") ")
    Select logstr=:'REASON('
    Sortlist ... $command. ...

    Whereas this select for your 2nd query will be for those without a REASON:
    Newlist .....
    def $cmdNoReason as parse(logstr, "EXECUTE")
    Exclude logstr=:'REASON(' /* or use: exclude likelist=query1 */
    Sortlist ... $cmdNoReason ...


    If you need the output records interleaved in the same order they came in, then use MERGELIST. .... ENDMERGE. around the block of the two queries.

    ------------------------------
    Simon Dodge
    ------------------------------



  • 6.  RE: Capturing Data from CKGRACF Commands

    Posted Wed October 19, 2022 11:22 AM
    Simon, that worked great.

    Still looking to see if there is a way to "require" the administrator to provide a reason, similar to the controls around ckxlogid.

    ------------------------------
    Linnea Sullivan
    ------------------------------



  • 7.  RE: Capturing Data from CKGRACF Commands

    Posted Wed October 19, 2022 12:11 PM
    Hi Linnea,

    I believe such a control is not currently available out of the box. If you require that, you should probably consider an RFE.

    Regards,

    ------------------------------
    Jeroen Tiggelman
    Software Development and Level 3 Support Manager IBM Security zSecure Suite
    IBM
    Delft
    ------------------------------



  • 8.  RE: Capturing Data from CKGRACF Commands

    Posted Wed October 19, 2022 12:45 PM
    Hi Linnea, the best I can offer for your immediate deployment is an "after the fact" report of CKGRACF commands without a REASON, perhaps as an email to the security engineering manager?

    Newlist type=smf tt='Summary of CKGRACF commands with missing REASON',
                st='Corp policy xyz requires REASON to be specified for all security admin commands'
    Select logstr=:CKGRACF
    Exclude logstr=:'REASON('
    Summary userid count('CKGRACF', 8)

    ------------------------------
    Simon Dodge
    ------------------------------
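    An added example, not from this thread or from zSecure itself: a Python model of the PARSE-based split described in replies 2 to 5 (leader/terminator extraction, a missing terminator copies to the end of the field, and a separate path for LOGSTR values with no REASON), plus the per-userid missing-REASON count from reply 8, run over the LOGSTR values quoted in this thread. The parse() helper, the record list and the userids are assumptions made for this example, and it assumes the uppercase REASON('...') and EXECUTE layout shown above.

```python
from collections import Counter

# Constructed sample records: (USERID, LOGSTR). The LOGSTR values are the
# ones quoted in the thread; the userids are made up for this example.
SAMPLE_RECORDS = [
    ("ADMIN01", "CKGRACF CMD AT 06Oct2022 EXECUTE REASON('ART REQUEST: N/A - TEST CKGRACF COMMAND AUDITING') "
                "PERMIT 'RB106.ISPPROF*.**' CLASS(DATASET) ID(PWSYN01) ACCESS(READ)"),
    ("ADMIN02", "CKGRACF CMD AT 18Oct2022 EXECUTE PERMIT 'RB106.ISPPROF*.**' ID(PWSYN01) DELETE"),
    ("ADMIN02", "CKGRACF CMD AT 18Oct2022 EXECUTE REASON('TEST CKGRACF CMD REPORTING') "
                "PERMIT 'RB106.ISPPROF*.**' CLASS(DATASET) ID(PWSYN01) ACCESS(READ)"),
]


def parse(text, leader, terminator=None):
    """Model of the CARLa PARSE behaviour described in the thread (assumed):
    return the text after the first occurrence of leader, cut at the first
    occurrence of terminator. A missing leader yields ''; a missing
    terminator copies everything up to the end of the field."""
    start = text.find(leader)
    if start < 0:
        return ""
    rest = text[start + len(leader):]
    if terminator is None:
        return rest
    end = rest.find(terminator)
    return rest if end < 0 else rest[:end]


def split_logstr(logstr):
    """Separate the REASON text (empty when absent) from the RACF command.
    With a REASON, the command follows the closing quote-bracket-blank;
    without one, it is whatever follows EXECUTE, as in reply 5."""
    if "REASON('" in logstr:
        reason = parse(logstr, "REASON('", "') ")
        command = parse(logstr, "') ")
    else:
        reason = ""
        command = parse(logstr, "EXECUTE ")
    return reason, command.strip()


def missing_reason_summary(records):
    """Per-userid count of CKGRACF commands issued without a REASON,
    the same selection as the summary report in reply 8."""
    counts = Counter()
    for userid, logstr in records:
        if "CKGRACF" in logstr and "REASON('" not in logstr:
            counts[userid] += 1
    return dict(counts)
```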



  • 9.  RE: Capturing Data from CKGRACF Commands

    Posted Fri October 07, 2022 01:39 PM
    Thanks that helped a lot.

    ------------------------------
    Linnea Sullivan
    ------------------------------