OA43532: ZSECURE AUDIT EXTENSIONS FOR GUARDIUM VA.
A fix is available
Closed as program error.
zSecure Audit extensions for Guardium VA.
****************************************************************
* USERS AFFECTED: Users of zSecure Audit for RACF planning to  *
*                 use the software to provide input for        *
*                 advanced auditing of the DB2 environment     *
*                 using IBM InfoSphere Guardium Vulnerability  *
*                 Assessment (Guardium VA).                    *
****************************************************************
* PROBLEM DESCRIPTION: New function to prepare the data for    *
*                      Guardium VA.                            *
****************************************************************
* RECOMMENDATION: Apply the PTF provided and review the        *
*                 attached documentation.                      *
****************************************************************
zSecure Audit can be used to provide input for advanced auditing of the DB2 environment using IBM InfoSphere Guardium Vulnerability Assessment (Guardium VA). The solution for this APAR provides the samples and the documentation for this new feature.
zSecure Admin has been enhanced, so it can be used to provide input for advanced auditing of the DB2 environment using IBM InfoSphere Guardium Vulnerability Assessment (Guardium VA).

PLEASE NOTE the following documentation changes for the manual Security zSecure CARLa-Driven Components Version 2.1.0 Installation and Deployment Guide (SC27-5638-00). Added a new chapter as follows:

Chapter 17. Data preparation for Guardium VA

zSecure Audit can be used to provide input for advanced auditing of your DB2 environment using IBM InfoSphere Guardium Vulnerability Assessment (Guardium VA). Information about the RACF protection of DB2 objects and information about users and groups is loaded into DB2 tables for Guardium VA usage. This information is especially relevant if you use RACF groups as DB2 AUTHIDs or use the RACF access control module DSNX@XAC.

Guardium VA expects the data about a specific DB2 subsystem to be available in that DB2 subsystem itself. This allows the information from the DB2 catalog to be combined directly with the security information provided by zSecure.

To load the data into a DB2 subsystem, zSecure provides examples in SCKRSAMP. If you want to modify and use these examples, copy them to another data set: because the SCKRSAMP data set is SMP/E controlled, future updates might overwrite your modifications. After completing these steps and loading the appropriate DB2 tables, you can benefit from the enhanced RACF information. In Guardium VA, you can use the Guardium VA assessment tests whose names start with zSecure.

Steps for creating zSecure data for use by Guardium VA
======================================================

To create and manage a DB2 database that contains the zSecure-provided data for Guardium VA, you must:

1. Create one or more DB2 databases.
2. Create one or more DB2 table spaces.
3. Create DB2 tables.
4. Load data into the tables.

The first three steps are the initial setup of the database.
These steps are required only once, when you first initialize the data manager. After the tables are established, you can LOAD data into the DB2 database repeatedly, for example refreshing the data each day; the frequency is left up to the installation. At any time, you can delete your current table data. You can also manage these tables using regular DB2 utilities and SQL statements.

The following sections describe the samples that can be used to create and load zSecure data for use by Guardium VA. Because the example jobs interact directly with a local DB2 subsystem, they must be run on each system. Use of remote input sources or processing multiple systems in a single run is not supported.

Before running any of these jobs, ensure that the zSecure configuration (the C2R$PARM member) has been customized with the correct values. You also need to replace occurrences of !! with the level of DB2 in use, and the value !DSN! with the name of your DB2 subsystem. The provided example jobs use the SCKRSAMP data set; change the name to the data set that holds your modified copy of the example members.

The DB2 steps use the standard DSNUTILB utility program and the DSNTEP2 productivity-aid sample program. These two programs must be available and bound for the DB2 subsystem. For information on the installation of the DSNTEP2 sample program, see the section "Productivity-aid sample programs" in "DB2 for z/OS Utility Guide and Reference".

The DB2 schema name used for this application is CKADBVA, and all table names start with CKA. The schema name and the table names cannot be modified.

The example jobs provided are:

CKAJVA00
--------
A DB2 database names a collection of table spaces. The example job CKAJVA00 creates a database in DB2 to contain the table space and tables. The job must be run by a user with sufficient DB2 authorization to create a DB2 database.
Because Guardium VA expects the information about a DB2 subsystem to be available in tables inside that DB2 subsystem, the CKAJVA00 job must be run on each system that you want to analyze using Guardium VA. The database is created using the available defaults:

   CREATE DATABASE CKADBVA;

The name of the database can be changed to match your installation standards.

CKAJVA01
--------
A table space is one or more data sets in which one or more tables are stored. The example job CKAJVA01 has two steps. The first step drops the tables and table space, and the second step creates the table space and tables. The first time you run this job, the DROP step ends with return code 8 because the objects do not exist yet. You can ignore this error, or edit the job to run only the CREATE step. The job must be run by a user with sufficient DB2 authorization to drop and create these objects in the DB2 database that was created in example CKAJVA00. Because Guardium VA expects the information about a DB2 subsystem to be available in tables inside that DB2 subsystem, the CKAJVA01 job must be run on each system that you want to analyze using Guardium VA.

The table space is created using the available defaults:

   CREATE TABLESPACE CKADBVA IN CKADBVA;

You might need to specify allocation-related keywords to assign the correct storage group, or to increase the available space for the tables, for example:

   USING STOGROUP <storagegroup> PRIQTY 20000

A sample of the creation of a table and its index in the table space:

   CREATE TABLE CKADBVA.CKA_OS_GROUP (
     COMPLEX CHAR(8) NOT NULL,
     GROUP CHAR(8) NOT NULL,
     ADDITIONAL_INFO VARCHAR(256),
     PRIMARY KEY (COMPLEX, GROUP)
   ) IN CKADBVA.CKADBVA;

   CREATE UNIQUE INDEX CKADBVA.IDX_CKA_OS_GROUP
     ON CKADBVA.CKA_OS_GROUP (COMPLEX, GROUP);

After creation of the tables and indexes, GRANT statements are issued to give user SQLGUARD (the Guardium VA SQL ID) SELECT authority on the tables.
For example:

   GRANT SELECT ON CKADBVA.STATUS TO SQLGUARD;

The name of the table space can be changed to match your installation standards. The schema name and table names cannot be modified.

CKAJVA99
--------
This job also has two steps. The first step is a CKFCOLL step that collects the information from the DB2 catalog tables into a CKFREEZE data set. The second step uses CKRCARLA to create the JCL and input for a second job. By default, the second job is immediately submitted for execution.

The second job has steps for each DB2 subsystem. It uses CKRCARLA to create an input file specific to a particular DB2 subsystem and uses DSNUTILB to load the file into that DB2 subsystem. It also contains some SQL steps for simple post-processing of the data. These steps are repeated for each DB2 subsystem.

It is possible to update job CKAJVA99 to include or exclude specific DB2 subsystems, using a CARLa SELECT or EXCLUDE statement at the indicated line. In that case, the generated job only contains steps for the selected DB2 subsystems.

The CKAJVA99 job must be run by a user with sufficient DB2 authorization to LOAD and UPDATE the DB2 tables.

If you have multiple releases of DB2 active, you need to create an instance of this job for each release. The STEPLIB DD statements must reflect the correct DB2 level for each release. In this situation, you must also use the sample SELECT or EXCLUDE statements to limit the DB2 subsystems to those matching the release of the STEPLIB libraries.

By default, the job that is generated by CKAJVA99 is immediately submitted for execution. If you want to look at the generated job first, you can redirect the output from DDNAME STAGE2 to either a data set or to SYSOUT.

The LOAD statements used to load the tables include keywords that reflect the static nature of the data and that allow repeated loading of the tables.
The relevant keywords are:

   LOAD DATA REPLACE REUSE LOG NO NOCOPYPEND

For more information on the meaning of these keywords, see the DB2 for z/OS Utility Guide and Reference.

The example jobs use as input the following members in SCKRSAMP:

CKAVA000
--------
This member contains the CARLa ALLOC statements required to specify the RACF input source and the CKFREEZE data set.

CKAVA001
--------
This member contains the CARLa statements used to create user and group information records and the normal (non-effective) format of the DB2-object access matrix.

CKAVA002
--------
This member contains the CARLa statements used to create the effective format of the DB2-object access matrix.

CKAVALD0
--------
This member contains the LOAD utility statements used to load the DB2 tables.

CKAVASQ0
--------
This member contains SQL statements for the required simple post-processing of the normal-format access matrix.

CKAVASQ1
--------
This member contains SQL statements for the required simple post-processing of the effective-format access matrix.

CKAVASQ9
--------
This member contains SQL statements for recording the status of the loading process.

The DB2 functions use the standard DSNUTILB utility program and the DSNTEP2 productivity-aid sample program. These two programs must be available and bound for use. For more information on DB2 and the utilities, see:
- DB2 for z/OS Utility Guide and Reference
- DB2 for z/OS SQL Reference
- DB2 for z/OS Administration Guide
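The job below is an added example, not one of the SCKRSAMP members, that ties the CKAJVA01 and CKAJVA99 steps together for a single DB2 subsystem: a DROP step (which ends with return code 8 on a first run), a CREATE step with the storage-group keywords, the SELECT-only GRANT to SQLGUARD, a DSNUTILB LOAD with the keywords listed above, and a check step that reads SYSIBM.SYSTABAUTH and displays restricted states. Everything not on this page is an assumption: the subsystem name DSN1, the libraries DSN.V11.SDSNLOAD and DSN.V11.RUNLIB.LOAD, the DSNTEP2 plan name DSNTEP11 (the DSNTEPnn form is what the !! level placeholder in the samples stands for, so match it to your release), the storage group SYSDEFLT, the utility ID, and the SYSREC record layout, which is a constructed fixed-position layout rather than the file CKRCARLA generates (CKAVALD0 carries the real LOAD statements).

```jcl
//CKAVAEX  JOB (ACCT),'CKA TABLES FOR VA',CLASS=A,MSGCLASS=X,
//         NOTIFY=&SYSUID
//*-------------------------------------------------------------
//* Added example, not an SCKRSAMP member. Assumed names: DSN1,
//* DSN.V11.SDSNLOAD, DSN.V11.RUNLIB.LOAD, plan DSNTEP11,
//* storage group SYSDEFLT, and the SYSREC layout in step LOAD.
//* STEPLIB and plan must match the DB2 release of subsystem DSN1.
//*-------------------------------------------------------------
//* Step 1: drop the objects. On a first run this ends with RC 8
//* (SQLCODE -204, object does not exist); that is expected.
//DROP     EXEC PGM=IKJEFT01,DYNAMNBR=20
//STEPLIB  DD DISP=SHR,DSN=DSN.V11.SDSNLOAD
//         DD DISP=SHR,DSN=DSN.V11.RUNLIB.LOAD
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
  DSN SYSTEM(DSN1)
  RUN PROGRAM(DSNTEP2) PLAN(DSNTEP11) LIB('DSN.V11.RUNLIB.LOAD')
  END
//SYSIN    DD *
  DROP TABLE CKADBVA.CKA_OS_GROUP;
  DROP TABLESPACE CKADBVA.CKADBVA;
/*
//* Step 2: create table space, table, index; grant read access
//* only. JCL runs this step regardless of the RC 8 from DROP.
//CREATE   EXEC PGM=IKJEFT01,DYNAMNBR=20
//STEPLIB  DD DISP=SHR,DSN=DSN.V11.SDSNLOAD
//         DD DISP=SHR,DSN=DSN.V11.RUNLIB.LOAD
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
  DSN SYSTEM(DSN1)
  RUN PROGRAM(DSNTEP2) PLAN(DSNTEP11) LIB('DSN.V11.RUNLIB.LOAD')
  END
//SYSIN    DD *
  CREATE TABLESPACE CKADBVA IN CKADBVA
    USING STOGROUP SYSDEFLT PRIQTY 20000;
  CREATE TABLE CKADBVA.CKA_OS_GROUP (
    COMPLEX         CHAR(8)      NOT NULL,
    GROUP           CHAR(8)      NOT NULL,
    ADDITIONAL_INFO VARCHAR(256),
    PRIMARY KEY (COMPLEX, GROUP)
  ) IN CKADBVA.CKADBVA;
  CREATE UNIQUE INDEX CKADBVA.IDX_CKA_OS_GROUP
    ON CKADBVA.CKA_OS_GROUP (COMPLEX, GROUP);
  -- Guardium VA only reads; no INSERT/UPDATE/DELETE is granted
  GRANT SELECT ON CKADBVA.CKA_OS_GROUP TO SQLGUARD;
/*
//* Step 3: load. REPLACE REUSE allows a repeated (daily) reload;
//* LOG NO NOCOPYPEND skips logging without leaving COPY-pending.
//* Bypassed if CREATE failed; the RC 8 from DROP is not tested.
//LOAD     EXEC PGM=DSNUTILB,PARM='DSN1,CKAVALOAD',COND=(4,LT,CREATE)
//STEPLIB  DD DISP=SHR,DSN=DSN.V11.SDSNLOAD
//SYSPRINT DD SYSOUT=*
//UTPRINT  DD SYSOUT=*
//* assumed input: COMPLEX cols 1-8, GROUP 9-16, then a
//* 2-byte length prefix plus ADDITIONAL_INFO from col 17
//SYSREC   DD DISP=SHR,DSN=HLQ.CKAVA.OSGROUP.DATA
//SYSUT1   DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SORTOUT  DD UNIT=SYSDA,SPACE=(CYL,(5,5))
//SYSDISC  DD UNIT=SYSDA,SPACE=(CYL,(1,1))
//SYSIN    DD *
  LOAD DATA REPLACE REUSE LOG NO NOCOPYPEND
    INTO TABLE CKADBVA.CKA_OS_GROUP
    ( COMPLEX         POSITION(1:8)  CHAR(8),
      GROUP           POSITION(9:16) CHAR(8),
      ADDITIONAL_INFO POSITION(17)   VARCHAR )
/*
//* Step 4: verify. SYSTABAUTH must show SELECTAUTH only for
//* SQLGUARD, COUNT(*) must match the rows produced, and DISPLAY
//* ... RESTRICT must list no pending state for CKADBVA.
//CHECK    EXEC PGM=IKJEFT01,DYNAMNBR=20,COND=(4,LT,LOAD)
//STEPLIB  DD DISP=SHR,DSN=DSN.V11.SDSNLOAD
//         DD DISP=SHR,DSN=DSN.V11.RUNLIB.LOAD
//SYSTSPRT DD SYSOUT=*
//SYSPRINT DD SYSOUT=*
//SYSTSIN  DD *
  DSN SYSTEM(DSN1)
  -DISPLAY DATABASE(CKADBVA) SPACENAM(*) RESTRICT
  RUN PROGRAM(DSNTEP2) PLAN(DSNTEP11) LIB('DSN.V11.RUNLIB.LOAD')
  END
//SYSIN    DD *
  SELECT GRANTEE, TTNAME, SELECTAUTH, INSERTAUTH,
         UPDATEAUTH, DELETEAUTH
    FROM SYSIBM.SYSTABAUTH
   WHERE TCREATOR = 'CKADBVA' AND GRANTEE = 'SQLGUARD';
  SELECT COUNT(*) AS ROWS_LOADED FROM CKADBVA.CKA_OS_GROUP;
/*
//
```

The submitting user needs CREATETS/DROP authority on database CKADBVA for steps 1 and 2 and LOAD privilege on the table for step 3, as the page states; SQLGUARD itself needs nothing beyond the SELECT grant. When more than one DB2 release is active, clone the job per release and change STEPLIB, the DSNTEP2 plan name and SYSTEM(...) together, which is the same constraint the page places on the CKAJVA99 STEPLIB and SELECT/EXCLUDE statements.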
Reported component name
Reported component ID
YesSpecatt / New Function
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
CKAJVA00 CKAJVA01 CKAJVA99 CKAVALD0 CKAVASQ0 CKAVASQ1 CKAVASQ9 CKAVA000 CKAVA001 CKAVA002
Fixed component name
Fixed component ID
Applicable component levels
R210 PSY UA71059
UP13/10/22 P F310
Fix is available
Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.