IBM Security Z Security

  • 1.  SITE_SEVERITY

    Posted Fri August 23, 2024 10:49 AM

    Hello,

    We are running the CICS Compliance Standard, so all tests are severity Medium, as expected. However, our auditors would like to make some controls and tests High severity, so I have been trying to use SITE_SEVERITY.

    Code section:
    limit standard=(RACF_zOS_CIS(current))                      
    i m=c2rh@  nodup n /* All standards */                      
    SITE_SEVERITY 1 standard(RACF_zOS_CIS) Control(CIS-OS-1.2.7)
    SITE_SEVERITY 3 standard(RACF_zOS_CIS),                     
      Rule(1.CONSOLE_active) Control(CIS-OS-1.2.7)              
      
    This is followed by CKALSTDS, CKALSTDT and CKALSTD.
    Then there are 3 type=compliance newlists to report:
    1) Controls, 2) Assertions and Overrides, 3) All non-compliant tests.

    I see that overriding the SITE_SEVERITY this way does not change the Audit Priority. Is this as expected? 
    (SITE_SEVERITY with COMPLEX does change Audit Priority correctly, as per the manual.)

    Compliance newlist #1 entry for control CIS-OS-1.2.7 shows Priority=20 and SITE_SEVERITY=High for control CIS-OS-1.2.7, so SITE_SEVERITY is accepted.
    Compliance newlist #3 entry for 1.CONSOLE_active shows Priority=20, Complex_severity=Medium, Site_severity=<blank>, Rule_severity=Medium. So both SITE_SEVERITY statements are apparently being ignored. 

    Please could you advise where I'm going wrong?

    Thank you,



    ------------------------------
    Peter Buckley
    ------------------------------


  • 2.  RE: SITE_SEVERITY

    Posted Mon August 26, 2024 08:23 AM

    When I run that query I see in the SYSPRINT:

    CKR3276 04 SITE_SEVERITY RULE "1.CONSOLE_active" in CONTROL "CIS-OS-1.2.7" not found  at SYSIN line 18

    I guess you pasted the GOAL / TEST name instead of the RULE name onto the RULE parameter ...



    ------------------------------
    Hans Schoone
    Chief Architect zSecure
    IBM - zSecure architect
    Delft
    ------------------------------



  • 3.  RE: SITE_SEVERITY

    Posted Tue August 27, 2024 10:39 AM

    Thanks Hans, I really should have spotted that silly mistake.

    Correcting it partially resolves the issue.

    So in our revised test, the site severity overrides are like this:

    SITE_SEVERITY 1 standard(RACF_zOS_CIS) Control(CIS-OS-1.2.5)                
    SITE_SEVERITY 3 standard(RACF_zOS_CIS) Rule(CONSOLE_class_settings)  Control(CIS-OS-1.2.7)                

    and the results are:

    Control       Rule                    Goal name                 Priority  CpxSev  SitSev  RulSev
    CIS-OS-1.2.5  STCs_TRUSTED            1.TRUSTED_STCs_justified  20        Medium          Medium
    CIS-OS-1.2.7  CONSOLE_class_settings  1.CONSOLE_active          10        Medium  Low     Low
    CIS-OS-1.2.7  CONSOLE_class_settings  1.CONSOLE_raclist         10        Medium  Low     Low

    So specifying STANDARD+CONTROL+RULE results in the SITE_SEVERITY being accepted, and the Audit Priority reduced to 10, all as expected.

    However specifying STANDARD+CONTROL has no apparent effect. There is no error message.

    The online manual says: "This form of the SITE_SEVERITY statement is characterized by the use of the STANDARD keyword. It also requires either the RULE or the CONTROL (or RULE_SET) keyword to be specified. This keyword identifies the rule or rule-set, within the standard, for which the severity is to be replaced by the indicated severity."

    It appears that both the RULE and the CONTROL are always required, in fact. Is this the case, or another error on my part?

    Thanks,



    ------------------------------
    Peter Buckley
    ------------------------------



  • 4.  RE: SITE_SEVERITY

    Posted Wed August 28, 2024 06:44 AM

    I guess we broke that support with the multi-standard support :-(
    Please open a case to get a fix.



    ------------------------------
    Hans Schoone
    Chief Architect zSecure
    IBM - zSecure architect
    Delft
    ------------------------------



  • 5.  RE: SITE_SEVERITY

    Posted Thu August 29, 2024 09:10 AM

    Thank you again. I've raised a case now.

    Meanwhile, my STANDARD+CONTROL+RULE SITE_SEVERITY statements are sitting nicely in C2RH@IDF and meeting the requirement.



    ------------------------------
    Peter Buckley
    ------------------------------



  • 6.  RE: SITE_SEVERITY

    Posted Fri August 30, 2024 07:51 AM

    The APAR number for this problem is OA66925



    ------------------------------
    Hans Schoone
    Chief Architect zSecure
    IBM - zSecure architect
    Delft
    ------------------------------



  • 7.  RE: SITE_SEVERITY

    Posted Tue September 17, 2024 10:38 AM

    We've just received the PTF for the above APAR.

    I've tested it, and SITE_SEVERITY now operates as expected. Thank you for your help with this, Hans.



    ------------------------------
    Peter Buckley
    ------------------------------