IBM Security Z Security

  • 1.  Splunk and MQ Profiles

    Posted Mon March 06, 2023 01:21 PM

    Good Day

    We have set up Splunk using zSecure Alert to extract our RACF logs. All going well so far.

    We have a new alert coming up from MQ. Access is being requested to an MQ profile (the SYSTEM.COMMAND profile). Before we grant the required access, we would like to see why this access is required.

    The user ID is C2PUSER and this is related to the C2POLICE started task. This user ID is looking for this access to the MQ profile.

    We just need to ascertain why before we grant the required access.

    Any assistance is appreciated.




    ------------------------------
    Prakash Lalaram
    ------------------------------


  • 2.  RE: Splunk and MQ Profiles

    Posted Tue March 07, 2023 03:24 AM

    Hello Prakash,

    Regarding the C2POLICE (zSecure Alert) started task and access for an MQ related resource; do you mean you see violations for C2PUSER for MQQUEUE class resources ssid.SYSTEM.COMMAND.INPUT and ssid.SYSTEM.COMMAND.REPLY.MODEL?

    If so, I suggest you open a case with zSecure support because the default parameters for zSecure Alert's internal CKFCOLL execution specify MQ=N, so no MQ information will be collected.

    (Background: If you have extended monitoring alerts active in your alert configuration, C2POLICE will execute zSecure Collect program CKFCOLL on a regular basis to be able to trigger alerts when selected changes are detected between CKFREEZE instances. However the default parameters for that internal CKFCOLL execution specify MQ=N, so no MQ information will be collected, and therefore no MQ authorizations should be required.)

    Regards, Mike



    ------------------------------
    Mike Riches
    ------------------------------



  • 3.  RE: Splunk and MQ Profiles

    Posted Tue March 07, 2023 04:30 AM

    Good Day

    Many thanks Mike, your input is appreciated.

    We will look at the below and then raise a ticket with zSecure Support.

    Regards

    ------------------------------
    Prakash Lalaram
    Security Operations Section
    ------------------------------






  • 4.  RE: Splunk and MQ Profiles

    Posted Tue March 07, 2023 05:58 AM

    Hi Prakash,

    As Guus and Rob mentioned, if this is in fact related to C2PCOLL and not C2POLICE, please see the link from my original post for "MQ authorizations" which will take you to the documentation.

    Regards, Mike



    ------------------------------
    Mike Riches
    ------------------------------



  • 5.  RE: Splunk and MQ Profiles

    Posted Tue March 07, 2023 04:04 AM

    In addition to what Mike said, there is also an external call to the CKFCOLL program. And that is via the separate started task called C2PCOLL. If your violations are coming out of that task, then it's kind of expected. The default for the MQ parameter in that instance is MQ=Y. The reason for that is that some customers wanted to write their own alerts that needed that information.
    There are two solutions if indeed the violations are coming out of the C2PCOLL STC:
    - Copy the SCKRCARL(C2PXCOLL) member to a private (non-SMP/E) library, and specify it in the //SYSIN in the C2PCOLL procedure. Next, update the copy, and include the keyword MQ=N.
    - Alternatively, give the user ID access as documented in the section "Authorizations for collecting Db2, IBM MQ, and UNIX data" in chapter "zSecure Collect for z/OS" in the "zSecure Admin and Audit for RACF" manual (there's a whole bunch of authorizations).



    ------------------------------
    Guus Bonnes
    ------------------------------



  • 6.  RE: Splunk and MQ Profiles

    IBM Champion
    Posted Tue March 07, 2023 04:09 AM

    If the alerts are issued for the C2PCOLL started task, which runs with user ID C2PSUSER, then this is the daily FULL collection of CKFREEZE. You could check section "Authorizations for collecting Db2, IBM MQ, and UNIX data" in the zSecure User Reference Manual, Chapter 14 (zSecure Collect for z/OS).



    ------------------------------
    Rob van Hoboken
    ------------------------------
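The replies above turn on one question: which started task raised the MQ violation. As an added example (not code from the thread, IBM or zSecure), the Python below parses constructed RACF ICH408I violation records, maps the user IDs named in the thread (C2PUSER for C2POLICE, C2PSUSER for C2PCOLL) to their started tasks, and applies the thread's reasoning to each record. The queue-manager name MQ1A, the GROUP/NAME fields and the records themselves are constructed sample data.

```python
import re

# Constructed ICH408I records (not from the thread), laid out the way RACF
# writes them to SYSLOG; a Splunk or zSecure Alert feed carries the same text.
SAMPLE_SYSLOG = """\
ICH408I USER(C2PSUSER) GROUP(STCGRP  ) NAME(ZSECURE COLLECT     )
  MQ1A.SYSTEM.COMMAND.INPUT CL(MQQUEUE )
  INSUFFICIENT ACCESS AUTHORITY
  FROM MQ1A.SYSTEM.** (G)
  ACCESS INTENT(UPDATE )  ACCESS ALLOWED(NONE   )
ICH408I USER(C2PUSER ) GROUP(STCGRP  ) NAME(ZSECURE ALERT       )
  MQ1A.SYSTEM.COMMAND.REPLY.MODEL CL(MQQUEUE )
  INSUFFICIENT ACCESS AUTHORITY
  FROM MQ1A.SYSTEM.** (G)
  ACCESS INTENT(READ   )  ACCESS ALLOWED(NONE   )
"""

# Started-task user IDs as given in the thread.
STC_BY_USER = {"C2PUSER": "C2POLICE", "C2PSUSER": "C2PCOLL"}

# One ICH408I record: user on line 1, resource and class on line 2, intent later.
RECORD = re.compile(
    r"ICH408I USER\((?P<user>\S+)\s*\).*?\n\s+(?P<resource>\S+) CL\((?P<cls>\S+)\s*\)"
    r".*?ACCESS INTENT\((?P<intent>\S+)\s*\)",
    re.S,
)

def parse_ich408i(text):
    """Return one dict (user, resource, cls, intent) per ICH408I record."""
    return [m.groupdict() for m in RECORD.finditer(text)]

def triage(rec):
    """Apply the thread's reasoning: which STC raised the violation and what to do."""
    stc = STC_BY_USER.get(rec["user"], "unknown")
    # Resource is ssid.SYSTEM.COMMAND.*: drop the queue-manager prefix before testing.
    qname = rec["resource"].split(".", 1)[-1]
    if rec["cls"] != "MQQUEUE" or not qname.startswith("SYSTEM.COMMAND"):
        return stc, "other", "not an MQ SYSTEM.COMMAND violation; handle as a normal RACF violation"
    if stc == "C2PCOLL":
        return stc, "expected", ("C2PCOLL runs CKFCOLL with MQ=Y by default: add MQ=N to a private "
                                  "copy of SCKRCARL(C2PXCOLL), or grant the documented MQ authorizations")
    if stc == "C2POLICE":
        return stc, "unexpected", ("C2POLICE's internal CKFCOLL defaults to MQ=N, so no MQ access "
                                    "should be needed: open a case with zSecure support")
    return stc, "other", "not a zSecure started-task user ID"

if __name__ == "__main__":
    for rec in parse_ich408i(SAMPLE_SYSLOG):
        stc, verdict, advice = triage(rec)
        print(f"{rec['user']:<8} {stc:<8} {rec['resource']:<32} {verdict}: {advice}")
```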