IBM Security Z Security

  • 1.  Cmd Verifier - =CTLSPEC problem

    Posted Mon August 08, 2022 05:59 AM
    Hello,
    (zSecure 2.4 and 2.5)
    Recently I have noticed a strange behaviour of my tech. user - it has "UPDATE" access to C4R.ALTUSER.=CTLSPEC (the Controlled Temporary system-level attribute) - if I understand correctly, to operate with that control-SPECIAL I have to define the right C4R.XXXX.YYY profiles+permits which will allow some particular actions? If I didn't define any additional profiles, the command-actions of my tech. user would not be possible (with violations on XFACILIT -

    "Resource access (Failure:Profile required and not found) "

    ?) and nothing in the RACF DB would be done?
    Currently I can see the violations on the XFACILIT class, but my tech. user is able to run some ALTUSER cmds on the RACF objects like:

    "ALTUSER A11111 NAME('TEST TEST')"

    with success (- no RACF XFACILIT profile like: C4R.USER.NAME.BGROUP.A11111 - or a similar, more generic one)

    Did it work as designed? Or does CTLSPECIAL require the additional XFACILIT profiles?

    What could have caused RACF to allow this operation? (no grp-special, no 

    Thx for any info.
    Sławomir Bujniak


    ------------------------------
    Regards
    Sławomir Bujniak
    ------------------------------


  • 2.  RE: Cmd Verifier - =CTLSPEC problem

    IBM Champion
    Posted Mon August 08, 2022 10:14 AM
    Edited by Rob van Hoboken Mon August 08, 2022 10:16 AM
    Controlled temporary special requires that each parameter specified by the user (that can be protected) is protected by an XFACILIT rule.  Check Figure 12 "Policy profiles used to determine whether Controlled Temporary system-level attributes can be assigned" at or around page 52 for the list of resources that must be protected.
    The resource you mentioned (C4R.USER.NAME.BGROUP.A11111) suggests that the techuser wanted to change the NAME field of user ID A11111, which is owned by BGROUP.  By defining, e.g., C4R.USER.NAME.B*.*, you would allow them to change the name of any user ID owned by a group that starts with a B.
    Parameters that are mapped to unprotected resource names are denied for controlled temporary special, unless command verifier has no support for the parameter in the first place.

    ------------------------------
    Rob van Hoboken
    ------------------------------
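The rule described in the reply above (each protected parameter needs a covering XFACILIT profile; a resource with no profile is denied under controlled temporary SPECIAL), modelled as an added Python example. This is not zSecure or IBM code: the profile list, the user ID TECHUSR, the simplified RACF generic-matching rules and UPDATE as the required access level are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

ACCESS_ORDER = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]

@dataclass
class Profile:
    name: str      # XFACILIT profile name, possibly generic
    access: dict   # constructed access list: userid -> access level

def qualifier_matches(pattern, qualifier):
    # Generic characters within one qualifier (simplified): '*' any run of chars, '%' one char
    regex = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, qualifier) is not None

def generic_matches(profile_name, resource):
    # A whole '**' qualifier matches zero or more qualifiers (simplified RACF rule)
    def rec(p, r):
        if not p:
            return not r
        if p[0] == "**":
            return any(rec(p[1:], r[i:]) for i in range(len(r) + 1))
        return bool(r) and qualifier_matches(p[0], r[0]) and rec(p[1:], r[1:])
    return rec(profile_name.split("."), resource.split("."))

def best_matching_profile(profiles, resource):
    # Simplified "most specific profile wins": fewest generic characters, then longest name
    matches = [p for p in profiles if generic_matches(p.name, resource)]
    if not matches:
        return None
    return min(matches, key=lambda p: (sum(p.name.count(c) for c in "*%"), -len(p.name)))

def resource_for_altuser_name(owner, userid):
    # Resource name pattern quoted in the thread for the ALTUSER NAME parameter
    return f"C4R.USER.NAME.{owner}.{userid}"

def ctlspec_decision(profiles, issuer, owner, target):
    """Return (decision, reason) for an ALTUSER NAME(...) issued under =CTLSPEC."""
    resource = resource_for_altuser_name(owner, target)
    prof = best_matching_profile(profiles, resource)
    if prof is None:  # the "Profile required and not found" case from the question
        return ("DENY", f"Profile required and not found: {resource}")
    granted = prof.access.get(issuer, "NONE")  # UACC assumed NONE in this model
    if ACCESS_ORDER.index(granted) >= ACCESS_ORDER.index("UPDATE"):
        return ("ALLOW", f"{resource} covered by {prof.name} ({granted})")
    return ("DENY", f"{resource} covered by {prof.name}, insufficient access {granted}")

# Constructed policy: the generic profile suggested in the reply, permitting TECHUSR
PROFILES = [Profile("C4R.USER.NAME.B*.*", {"TECHUSR": "UPDATE"})]
```

With an empty profile list the same call is denied, which is the behaviour the question expected to see; with the generic profile, a user owned by BGROUP is allowed while one owned by AGROUP is still denied.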