OA43532: ZSECURE AUDIT EXTENSIONS FOR GUARDIUM VA.

A fix is available

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • zSecure Audit extensions for Guardium VA.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Audit for RACF planning to  *
    *                 use the software to provide input for        *
    *                 advanced auditing of the DB2 environment     *
    *                 using IBM InfoSphere Guardium Vulnerability  *
    *                 Assessment (Guardium VA).                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: New function to prepare the data for    *
    *                      Guardium VA.                            *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided and review the        *
    *                 attached documentation.                      *
    ****************************************************************
    zSecure Audit can be used to provide input for advanced auditing
    of the DB2 environment using IBM InfoSphere Guardium
    Vulnerability Assessment (Guardium VA). The solution for this
    APAR provides the samples and the documentation for this new
    feature.
    

Problem conclusion

  • zSecure Admin has been enhanced, so it can be used to provide
    input for advanced auditing of the DB2 environment using IBM
    InfoSphere Guardium Vulnerability Assessment (Guardium VA).
    -
    PLEASE NOTE the following documentation changes for the manual
    Security zSecure CARLa-Driven Components Version 2.1.0
    Installation and Deployment Guide (SC27-5638-00)
    -
    Added a new chapter as follows:
    
    Chapter 17. Data preparation for Guardium VA
    
    
     zSecure Audit can be used to provide input for advanced
     auditing of your DB2 environment using IBM InfoSphere Guardium
     Vulnerability Assessment (Guardium VA). Information about the
     RACF protection of DB2 objects and information about users and
     groups is loaded into DB2 tables for Guardium VA usage. This
     information is especially relevant if you use RACF groups as
     DB2 AUTHID or use the RACF Access Control Module DSNX@XAC.
     Guardium VA expects the data about a specific DB2 subsystem
     to be available in that DB2 subsystem itself. This allows
     directly combining the information from the DB2 catalog with
     the security information provided by zSecure. To load the data
     in a DB2 subsystem, zSecure provides examples in SCKRSAMP. If
     you want to modify and use these examples, copy them to another
     data set. Because the SCKRSAMP data set is SMP/E controlled,
     future updates might overwrite your modifications.
    
     After completing these steps, and loading the appropriate DB2
     tables you can benefit from the enhanced RACF information. In
     Guardium VA, you can use the Guardium VA Assessment Tests that
     have names starting with zSecure.
    
     Steps for creating zSecure data for use by Guardium VA
     ======================================================
    
     To create and manage a DB2 database that contains the zSecure
     provided data to Guardium VA, you must:
    
     1. Create one or more DB2 databases.
     2. Create one or more DB2 table spaces.
     3. Create DB2 tables.
     4. Load data into the tables.
    
     The first three steps are the initial setup of the database.
     These steps are required only once, when you first initialize
     the data manager. After the tables are established, you can
     LOAD data into the DB2 database repeatedly. For example, you
     can refresh data each day. This is left up to the installation.
     At any time, you can delete your current table data. You can
     also manage these tables using regular DB2 utilities and SQL
     statements. The following sections describe the samples that
     can be used to create and load zSecure data for use by Guardium
     VA.
    
     Because the example jobs directly interact with a local DB2
     subsystem, they must be run on each system. Use of remote input
     sources or processing multiple systems in a single run is not
     supported. Before running any of these jobs, ensure that the
     zSecure configuration (aka C2R$PARM member) has been
     customized using the correct values. You also need to replace
     occurrences of !! by the correct level of DB2 in use, and the
     value !DSN! by the name of your DB2 subsystem. The provided
     example jobs use the SCKRSAMP data set. Change the name to the
     data set that you used for your modified copy of the example
     members.
    
     The DB2 steps use the standard DSNUTILB Utility program and the
     DSNTEP2 productivity-aid example program. These two utility
     programs must be available and bound for the DB2 subsystem. For
     information on the installation of the DSNTEP2 sample program
     see the section "Productivity-aid sample programs" in "DB2 for
     z/OS Utility Guide and Reference".
    
     The DB2 schema name used for this application is CKADBVA and
     all table names start with CKA. The schema name and the table
     names cannot be modified.
    
     The example jobs provided are:
    
      CKAJVA00
      --------
       A DB2 database names a collection of table spaces. The
       example job CKAJVA00 creates a database in DB2 to contain the
       tablespace and tables. The job must be run by a user with
       sufficient DB2 authorization to create a DB2 database.
       Because Guardium VA expects the information about a DB2
       subsystem to be available in tables inside the DB2 subsystem,
       the CKAJVA00 job must be run on each system that you want to
       analyze using Guardium VA.
    
       The database is created using available defaults:
    
        CREATE DATABASE CKADBVA;
    
       The name of the database can be changed to match your
       installation standards.
    
      CKAJVA01
      --------
       A table space is one or more data sets in which one or more
       tables are stored. The example job CKAJVA01 has two steps.
       The first step drops the tables and tablespace, and the
       second step creates the tablespace and tables. The first time
       you run this job, the DROP step that drops the objects ends
       with return code 8. You can ignore this error. Alternatively,
       you can edit the job to run only the CREATE step. The job
       must be run by a user with sufficient DB2 authorization to
       drop and create these objects in the DB2 database that was
       created in example CKAJVA00. Because Guardium VA expects the
       information about a DB2 subsystem to be available in tables
       inside the DB2 subsystem, the CKAJVA01 job must be run on
       each system that you want to analyze using Guardium VA.
    
       The tablespace is created using available defaults:
    
        CREATE TABLESPACE CKADBVA in CKADBVA;
    
       You might need to specify allocation related keywords to
       assign the correct storagegroup, or to increase available
       space for the tables, for example:
    
        USING STOGROUP <storagegroup>
        PRIQTY 20000
    
       A sample of the creation of a table and its index in the
       tablespace:
    
        CREATE TABLE CKADBVA.CKA_OS_GROUP (
             COMPLEX                CHAR(8)    NOT NULL,
             GROUP                  CHAR(8)    NOT NULL,
             ADDITIONAL_INFO        VARCHAR(256) ,
             PRIMARY KEY (COMPLEX,GROUP)
             )
             in  CKADBVA.CKADBVA;
        CREATE UNIQUE INDEX CKADBVA.IDX_CKA_OS_GROUP ON
               CKADBVA.CKA_OS_GROUP(COMPLEX, GROUP);
    
       After creation of the tables and indexes, GRANT statements
       are issued to allow user SQLQUARD (the Guardium VA SQL ID)
       SELECT authority on the tables. For example:
    
        GRANT SELECT ON CKADBVA.STATUS TO SQLGUARD;
    
       The name of the tablespace can be changed to match your
       installation standards. The schema name and table names
       cannot be modified.
    
      CKAJVA99
      --------
       This job also has two steps. The first step is a CKFCOLL step
       that collects the information from the DB2 catalog tables
       into a CKFREEZE data set. The second step uses CKRCARLA to
       create the JCL and input for a second job. By default, the
       second job is immediately submitted for execution. The second
       job has steps for each DB2 subsystem. It uses CKRCARLA to
       create an input file specific for a particular DB2 subsystem
       and uses DSNUTILB to load the file in that DB2 subsystem. It
       also contains some SQL steps for simple postprocessing of the
       data. These steps are repeated for each DB2 subsystem. It is
       possible to update job CKAJVA99 to include or exclude
       specific DB2 subsystems. This can be done using a CARLa
       SELECT or EXCLUDE statement at the indicated line. In that
       case, the generated job only contains steps for the selected
       DB2 subsystems. The CKAJVA99 job must be run by a user with
       sufficient DB2 authorization to LOAD and UPDATE the DB2
       tables.
    
       If you have multiple releases of DB2 active, you need to
       create an instance of this job for each release. The STEPLIB
       DD statements must reflect the correct DB2 level for each
       release. In this situation, you must also use the sample
       SELECT or EXCLUDE statements to limit the DB2 subsystems to
       those matching the release of the STEPLIB libraries.
    
       By default, the job that is generated by CKAJVA99 is
       immediately submitted for execution. If you want to first
       look at the generated job, you can redirect the output from
       DDNAME STAGE2 to either a data set or to SYSOUT.
    
       The LOAD statements used to load the tables include keywords
       that reflect the static nature of the data, and that allow
       repeated loading of the tables. The relevant keywords are:
    
        LOAD DATA
             REPLACE
             REUSE
             LOG    NO
             NOCOPYPEND
    
       For more information on the meaning of these keywords, see
       the DB2 for z/OS Utility Guide and Reference.
    
     The example jobs use as input the following members in
     SCKRSAMP:
    
      CKAVA000
      --------
       This member contains the CARLa ALLOC statements required to
       specify the RACF input source and the CKFREEZE data set.
    
      CKAVA001
      --------
       This member contains the CARLa statements used to create user
       and group information records and the normal (non-effective)
       format of the DB2-object access matrix.
    
      CKAVA002
      --------
       This member contains the CARLa statements used to create the
       effective format of the DB2-object access matrix.
    
      CKAVALD0
      --------
       This member contains SQL LOAD statements to load the DB2
       tables.
    
      CKAVASQ0
      --------
       This member contains SQL statements for required simple
       post-processing of the normal format access matrix.
    
      CKAVASQ1
      --------
    
       This member contains SQL statements for required simple
       post-processing of the effective format access matrix.
    
      CKAVASQ9
      --------
       This member contains SQL statements for recording the status
       of the loading process.
    
     The DB2 functions use the standard DSNUTILB Utility program and
     the DSNTEP2 productivity-aid example program. These two utility
     programs must be available and bound for use. For more
     information on DB2 and the utilities see:
    
      - DB2 for z/OS Utility Guide and Reference
      - DB2 for z/OS SQL Reference
      - DB2 for z/OS Administration Guide
    210Y
    CKAJVA00
    CKAJVA01
    CKAJVA99
    CKAVALD0
    CKAVASQ0
    CKAVASQ1
    CKAVASQ9
    CKAVA000
    CKAVA001
    CKAVA002
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA43532

  • Reported component name

    ZSEC BASE,ADMIN

  • Reported component ID

    5655T0100

  • Reported release

    210

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function

  • Submitted date

    2013-10-08

  • Closed date

    2013-10-14

  • Last modified date

    2013-11-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA71059

Modules/Macros

  •    CKAJVA00 CKAJVA01 CKAJVA99 CKAVALD0 CKAVASQ0
    CKAVASQ1 CKAVASQ9 CKAVA000 CKAVA001 CKAVA002
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R210 PSY UA71059

       UP13/10/22 P F310

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.



Rate this page:

(0 users)Average rating

Document information


More support for:

IBM Security zSecure Admin
zSecure Admin

Software version:

210

Reference #:

OA43532

Modified date:

2013-11-04

Translate my page

Machine Translation

Content navigation