IBM Security Z Security

Hello - is there an example of an Audit report to report on the accesses (read and higher) for all the APF libraries active on a system ?

I do not want to extract the APF list from a DSMON listing and then run the audit report. Maybe there is something with a Freeze dataset ?

thanks, Joe

Hello - is there an example of an Audit report to report on the accesses (read and higher) for all the APF libraries active on a system ?

I do not want to extract the APF list from a DSMON listing and then run the audit report. Maybe there is something with a Freeze dataset ?

thanks, Joe

------------------------------
Joseph Sumi
------------------------------

Hi Joseph, 

I guess you could use CARLa newlist type SENSDSN to produce an overview of APF-authorized data sets with their defined access settings. 

The following sample code might be helpful:

newlist type=sensdsn                                         
select sensitivity=APF*                              
sortlist dsn(30) sensitivity racf_profile(20) racf_acl racf_uacc

This CARLa selects all sensitive data sets where the sensitivity starts with prefix APF. It then reports the name of the APF-authorized data set, the senstivity type, the ACL, and the UACC set on their protecting data set profile. On my test system, it produces something along the lines of:

Notes about the code:

1. I used overriding column lengths for the fields dsn and racf_profile to suppress blanks in my report. But if your systems uses longer data set or profile names, you should remove these length modifiers, otherwise these values will truncate in the report of your system.
2. If you would like to show the effective access list, you can code racf_acl(effective) on the sortlist statement instead of racf_acl.
3. To include the warning attribute setting, you can add the field and RACF_WARN_ONLY to the sortlist statement.
4. Adding field RACF_GLOBAL_ACCESS to the sortlist reports the unlikely case that an APF data set is accessible via a global access checking table. 

I hope this helps. 

------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM

Original Message:
Sent: Tue January 23, 2024 01:14 PM
From: Joseph Sumi
Subject: zSecure audit report of APF libraries

Hello - is there an example of an Audit report to report on the accesses (read and higher) for all the APF libraries active on a system ?

I do not want to extract the APF list from a DSMON listing and then run the audit report. Maybe there is something with a Freeze dataset ?

thanks, Joe

------------------------------
Joseph Sumi
------------------------------

Hello, thanks for the replies. 

Specifying racf_profile causes an abend0C4 in CKR8Z12. If I take it out, the report is produced with racf_acl and racf_uacc but there is no profile. I'm running 3.1 and current with maint. I could get a dump and call it in.

But overall, i wasn't clear with what I was looking for --- I wanted to produce a daily SMF report based on accesses to the APF libraries without having to specifiy the profiles of each APF library in the job itself. I was thinking the freeze file could be leveraged.....

If that is not possible, the report showing the APF libs with their profiles that you suggested could help but not sure if there is an alternative way past the 0C4 to get the profile.

Thanks.

Hi Joseph, 

I guess you could use CARLa newlist type SENSDSN to produce an overview of APF-authorized data sets with their defined access settings. 

The following sample code might be helpful:

newlist type=sensdsn                                         
select sensitivity=APF*                              
sortlist dsn(30) sensitivity racf_profile(20) racf_acl racf_uacc

This CARLa selects all sensitive data sets where the sensitivity starts with prefix APF. It then reports the name of the APF-authorized data set, the senstivity type, the ACL, and the UACC set on their protecting data set profile. On my test system, it produces something along the lines of:

Notes about the code:

1. I used overriding column lengths for the fields dsn and racf_profile to suppress blanks in my report. But if your systems uses longer data set or profile names, you should remove these length modifiers, otherwise these values will truncate in the report of your system.
2. If you would like to show the effective access list, you can code racf_acl(effective) on the sortlist statement instead of racf_acl.
3. To include the warning attribute setting, you can add the field and RACF_WARN_ONLY to the sortlist statement.
4. Adding field RACF_GLOBAL_ACCESS to the sortlist reports the unlikely case that an APF data set is accessible via a global access checking table. 

I hope this helps. 

------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM

Original Message:
Sent: Tue January 23, 2024 01:14 PM
From: Joseph Sumi
Subject: zSecure audit report of APF libraries

Hello - is there an example of an Audit report to report on the accesses (read and higher) for all the APF libraries active on a system ?

I do not want to extract the APF list from a DSMON listing and then run the audit report. Maybe there is something with a Freeze dataset ?

thanks, Joe

------------------------------
Joseph Sumi
------------------------------

Yes, abend reports should go to L2 it you can't find the symptoms yet in the APAR database.

Under EV.D there is a selection field Sensitivity where you could enter ":APF", i.e. perform a scan (the colon) for the word APF in all sensitivity types. In CARLa it would be SELECT EXISTS(dsname) SENSITIVITY=:APF INTENT>=UPDATE

Hello, thanks for the replies. 

Specifying racf_profile causes an abend0C4 in CKR8Z12. If I take it out, the report is produced with racf_acl and racf_uacc but there is no profile. I'm running 3.1 and current with maint. I could get a dump and call it in.

But overall, i wasn't clear with what I was looking for --- I wanted to produce a daily SMF report based on accesses to the APF libraries without having to specifiy the profiles of each APF library in the job itself. I was thinking the freeze file could be leveraged.....

If that is not possible, the report showing the APF libs with their profiles that you suggested could help but not sure if there is an alternative way past the 0C4 to get the profile.

Thanks.

Hi Joseph, 

I guess you could use CARLa newlist type SENSDSN to produce an overview of APF-authorized data sets with their defined access settings. 

The following sample code might be helpful:

newlist type=sensdsn                                         
select sensitivity=APF*                              
sortlist dsn(30) sensitivity racf_profile(20) racf_acl racf_uacc

This CARLa selects all sensitive data sets where the sensitivity starts with prefix APF. It then reports the name of the APF-authorized data set, the senstivity type, the ACL, and the UACC set on their protecting data set profile. On my test system, it produces something along the lines of:

Notes about the code:

1. I used overriding column lengths for the fields dsn and racf_profile to suppress blanks in my report. But if your systems uses longer data set or profile names, you should remove these length modifiers, otherwise these values will truncate in the report of your system.
2. If you would like to show the effective access list, you can code racf_acl(effective) on the sortlist statement instead of racf_acl.
3. To include the warning attribute setting, you can add the field and RACF_WARN_ONLY to the sortlist statement.
4. Adding field RACF_GLOBAL_ACCESS to the sortlist reports the unlikely case that an APF data set is accessible via a global access checking table. 

I hope this helps. 

------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM

Original Message:
Sent: Tue January 23, 2024 01:14 PM
From: Joseph Sumi
Subject: zSecure audit report of APF libraries

Hello - is there an example of an Audit report to report on the accesses (read and higher) for all the APF libraries active on a system ?

I do not want to extract the APF list from a DSMON listing and then run the audit report. Maybe there is something with a Freeze dataset ?

thanks, Joe

------------------------------
Joseph Sumi
------------------------------

Yes, abend reports should go to L2 it you can't find the symptoms yet in the APAR database.

Under EV.D there is a selection field Sensitivity where you could enter ":APF", i.e. perform a scan (the colon) for the word APF in all sensitivity types. In CARLa it would be SELECT EXISTS(dsname) SENSITIVITY=:APF INTENT>=UPDATE

Hello, thanks for the replies. 

Specifying racf_profile causes an abend0C4 in CKR8Z12. If I take it out, the report is produced with racf_acl and racf_uacc but there is no profile. I'm running 3.1 and current with maint. I could get a dump and call it in.

But overall, i wasn't clear with what I was looking for --- I wanted to produce a daily SMF report based on accesses to the APF libraries without having to specifiy the profiles of each APF library in the job itself. I was thinking the freeze file could be leveraged.....

If that is not possible, the report showing the APF libs with their profiles that you suggested could help but not sure if there is an alternative way past the 0C4 to get the profile.

Thanks.

Hi Joseph, 

I guess you could use CARLa newlist type SENSDSN to produce an overview of APF-authorized data sets with their defined access settings. 

The following sample code might be helpful:

newlist type=sensdsn                                         
select sensitivity=APF*                              
sortlist dsn(30) sensitivity racf_profile(20) racf_acl racf_uacc

This CARLa selects all sensitive data sets where the sensitivity starts with prefix APF. It then reports the name of the APF-authorized data set, the senstivity type, the ACL, and the UACC set on their protecting data set profile. On my test system, it produces something along the lines of:

Notes about the code:

1. I used overriding column lengths for the fields dsn and racf_profile to suppress blanks in my report. But if your systems uses longer data set or profile names, you should remove these length modifiers, otherwise these values will truncate in the report of your system.
2. If you would like to show the effective access list, you can code racf_acl(effective) on the sortlist statement instead of racf_acl.
3. To include the warning attribute setting, you can add the field and RACF_WARN_ONLY to the sortlist statement.
4. Adding field RACF_GLOBAL_ACCESS to the sortlist reports the unlikely case that an APF data set is accessible via a global access checking table. 

I hope this helps. 

------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM

Original Message:
Sent: Tue January 23, 2024 01:14 PM
From: Joseph Sumi
Subject: zSecure audit report of APF libraries

Hello - is there an example of an Audit report to report on the accesses (read and higher) for all the APF libraries active on a system ?

I do not want to extract the APF list from a DSMON listing and then run the audit report. Maybe there is something with a Freeze dataset ?

thanks, Joe

------------------------------
Joseph Sumi
------------------------------

Hello, thanks for the replies. 

Specifying racf_profile causes an abend0C4 in CKR8Z12. If I take it out, the report is produced with racf_acl and racf_uacc but there is no profile. I'm running 3.1 and current with maint. I could get a dump and call it in.

But overall, i wasn't clear with what I was looking for --- I wanted to produce a daily SMF report based on accesses to the APF libraries without having to specifiy the profiles of each APF library in the job itself. I was thinking the freeze file could be leveraged.....

If that is not possible, the report showing the APF libs with their profiles that you suggested could help but not sure if there is an alternative way past the 0C4 to get the profile.

Thanks.

Hi Joseph, 

I guess you could use CARLa newlist type SENSDSN to produce an overview of APF-authorized data sets with their defined access settings. 

The following sample code might be helpful:

newlist type=sensdsn                                         
select sensitivity=APF*                              
sortlist dsn(30) sensitivity racf_profile(20) racf_acl racf_uacc

This CARLa selects all sensitive data sets where the sensitivity starts with prefix APF. It then reports the name of the APF-authorized data set, the senstivity type, the ACL, and the UACC set on their protecting data set profile. On my test system, it produces something along the lines of:

Notes about the code:

1. I used overriding column lengths for the fields dsn and racf_profile to suppress blanks in my report. But if your systems uses longer data set or profile names, you should remove these length modifiers, otherwise these values will truncate in the report of your system.
2. If you would like to show the effective access list, you can code racf_acl(effective) on the sortlist statement instead of racf_acl.
3. To include the warning attribute setting, you can add the field and RACF_WARN_ONLY to the sortlist statement.
4. Adding field RACF_GLOBAL_ACCESS to the sortlist reports the unlikely case that an APF data set is accessible via a global access checking table. 

I hope this helps. 

------------------------------
Tom Zeehandelaar
z/OS Security Enablement Specialist - zSecure developer
IBM

Original Message:
Sent: Tue January 23, 2024 01:14 PM
From: Joseph Sumi
Subject: zSecure audit report of APF libraries

Hello - is there an example of an Audit report to report on the accesses (read and higher) for all the APF libraries active on a system ?

I do not want to extract the APF list from a DSMON listing and then run the audit report. Maybe there is something with a Freeze dataset ?

thanks, Joe

------------------------------
Joseph Sumi
------------------------------