Technote (troubleshooting)
Problem(Abstract)
Steps to use zSecure CARLa to report on USS extended ACL entries that are permitted to non-existing userids and groups.
Resolving the problem
Sub-selecting on the field UNIX_ACL (selecting on part of its value) is currently not supported, so a two-pass CARLa approach is needed for this report: the first pass writes the relevant fields to a work dataset, and the second pass reads that dataset back and selects on substrings of the record.
Remember that USS resources owned by UIDs and/or GIDs that no longer exist can be reported with the standard reports UIDNOUSR and GIDNOGRP. These reports are generated via AU.S - RACF resources - UNDEFINED IDS. The job below covers the other case: extended ACL entries that still grant access to a UID or GID that no longer exists.
The first step runs a newlist type=unix that writes all files, directories and links that currently have any extended ACL (access acl, file default acl or directory default acl) entry to a work dataset with type, pathname and Unix_ACL details.
The second step reads the work dataset back and selects only the records where the string "-undef-" appears in the first 7 positions of the field Unix_ACL and position 11 contains a "+", indicating that the entry is an extended ACL entry.
Here is an example job that reports the Undefined extended ACL entries:
// <-- Add a valid jobcard here!
//GETFILES EXEC PGM=CKRCARLA,REGION=64M
//STEPLIB DD DISP=SHR,DSN=CKR.CKR1D0.SCKRLOAD <-- Adjust library name here!
//SYSPRINT DD SYSOUT=*
//CKFREEZE DD DISP=SHR,DSN=my.CKFREEZE <-- A recent CKFREEZE dsn here!
//USSFILES DD DISP=(NEW,PASS),SPACE=(CYL,(100,50),RLSE),
// DSN=&&USSFILES,RECFM=VB,LRECL=200
//SYSIN DD *
alloc type=ckfreeze dd=ckfreeze
alloc type=racf backup active
suppress msg=(72,73)
newlist type=unix nopage retain dd=ussfiles
select (extended_acl or file_default_acl or directory_default_acl)
sortlist type(1) abs_pathname(150) unix_acl(34)
//REPORT EXEC PGM=CKRCARLA,REGION=64M
//STEPLIB DD DISP=SHR,DSN=CKR.CKR1D0.SCKRLOAD <-- Adjust library name here!
//USSFILES DD DISP=(OLD,PASS),DSN=&&USSFILES
//SYSPRINT DD SYSOUT=*
//REPORT DD SYSOUT=*
//SYSIN DD *
deftype type=#ussfile
alloc type=#ussfile dd=ussfiles
define type=#ussfile #type('T') as substr(record,1,1)
define type=#ussfile #filename('File/directory/link name'),
as substr(record,3,150)
define type=#ussfile #unix_acl('Unix ACL'),
as substr(record,154,34)
newlist type=#ussfile dd=report ll=190,
title="Extended ACL permits to undefined Users(UID's)/Groups(GID's)",
empty="No permits found to undefined Users(UID's)/Groups(GID's)"
select substr(#unix_acl,1,7)='-undef-' substr(#unix_acl,11,1)='+'
sortlist #type(1) #filename(150) #unix_acl(34)
Warning: the field abs_pathname can be up to 1024 characters long. To reduce the space required for the work dataset USSFILES, this job writes it with a length of 150 characters. On our system this caused no truncation, but on other installations the lengths of the fields abs_pathname (step GETFILES) and #filename (step REPORT) may have to be increased. If you do so, also adjust the LRECL of the USSFILES DD in step GETFILES and the starting position (154) of the substr for #unix_acl in step REPORT, because the Unix_ACL column shifts with the pathname width.
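Because step GETFILES writes the work dataset with a fixed column layout, the same selection can be reproduced and checked off-host. The following Python script is an added example, not part of this technote and not zSecure code. It assumes the USSFILES dataset has been transferred as text with one record per line (the RDW of the VB records removed), mirrors the substr offsets and the SELECT of step REPORT, and additionally flags pathnames that fill all 150 columns, which, as the warning above notes, may have been truncated. The sample records are constructed; the layout of Unix_ACL beyond "-undef-" in positions 1-7 and "+" in position 11 is assumed, not taken from zSecure.

```python
"""Post-process the USSFILES work dataset written by step GETFILES.

Added example; it is not part of the technote and not zSecure code. It assumes the
work dataset has been copied to a text file with one record per line (RDW of the
VB records removed) and uses the column layout the job itself writes:
type in column 1, abs_pathname in columns 3-152, unix_acl in columns 154-187
(1-based). The UNIX_ACL values in the sample records are constructed; the only
two properties relied on are the ones the technote names, '-undef-' in
positions 1-7 and '+' in position 11.
"""
from dataclasses import dataclass

PATHNAME_WIDTH = 150   # abs_pathname(150) in the SORTLIST of step GETFILES
ACL_WIDTH = 34         # unix_acl(34)
PATH_START = 2         # 0-based index of column 3 (substr(record,3,150))
ACL_START = PATH_START + PATHNAME_WIDTH + 1   # 0-based index of column 154
RECORD_LEN = ACL_START + ACL_WIDTH            # 187 data bytes per record


@dataclass
class UssAclRecord:
    type: str              # single character written by TYPE(1)
    pathname: str
    unix_acl: str
    maybe_truncated: bool  # pathname fills all 150 columns (see the warning in the technote)


def make_record(type_: str, pathname: str, unix_acl: str) -> str:
    """Lay out one record like SORTLIST type(1) abs_pathname(150) unix_acl(34).

    Used only to construct sample input; like CARLa it silently truncates a
    pathname longer than 150 characters.
    """
    return (f"{type_[:1]} {pathname[:PATHNAME_WIDTH]:<{PATHNAME_WIDTH}} "
            f"{unix_acl[:ACL_WIDTH]:<{ACL_WIDTH}}")


def parse_record(line: str) -> UssAclRecord:
    """Split a record by fixed columns, mirroring the DEFINE ... substr(record,...) statements."""
    line = line.rstrip("\r\n").ljust(RECORD_LEN)
    pathname = line[PATH_START:PATH_START + PATHNAME_WIDTH].rstrip()
    unix_acl = line[ACL_START:ACL_START + ACL_WIDTH].rstrip()
    return UssAclRecord(
        type=line[0],
        pathname=pathname,
        unix_acl=unix_acl,
        maybe_truncated=len(pathname) == PATHNAME_WIDTH,
    )


def is_undefined_extended_entry(unix_acl: str) -> bool:
    """Same test as the SELECT in step REPORT:
    substr(#unix_acl,1,7)='-undef-' substr(#unix_acl,11,1)='+'
    """
    return unix_acl[0:7] == "-undef-" and unix_acl[10:11] == "+"


def select_undefined(lines):
    """Return the records step REPORT would print, in input order."""
    return [rec for rec in map(parse_record, lines)
            if is_undefined_extended_entry(rec.unix_acl)]


# Constructed sample work dataset (three records). The ACL text after the first
# seven characters is made up and does not claim to match zSecure's real layout.
SAMPLE_RECORDS = [
    make_record("F", "/etc/profile", "-undef-   +r-x"),          # extended entry, undefined id
    make_record("D", "/u/websrv/logs", "WEBSRV    +rwx"),        # extended entry, defined user
    make_record("F", "/u/old/" + "x" * 143, "-undef-   -rwx"),   # no '+' in position 11; 150-char path
]

if __name__ == "__main__":
    for rec in select_undefined(SAMPLE_RECORDS):
        flag = " (pathname may be truncated)" if rec.maybe_truncated else ""
        print(f"{rec.type} {rec.pathname}{flag}  {rec.unix_acl}")
```

Running the script on the constructed sample prints only the /etc/profile record; the third record carries "-undef-" but not a "+" in position 11 and is dropped, exactly as in step REPORT, while its 150-character pathname is the case the warning above is about and would be flagged if it were selected.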
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Security | Tivoli zSecure Admin | | | 1.10, 1.11 | |
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.