zSecure Reporting - USS extended ACL entries reporting

Technote (troubleshooting)


Problem(Abstract)

Steps to use zSecure CARLa to report on USS extended ACL entries that are permitted to non-existing userids and groups.

Resolving the problem

We currently do not support sub-selecting on field UNIX_ACL, so you will have to use a 2-pass CARLa approach for this report.

Remember that USS resources owned by UIDs and/or GIDs that no longer exist can already be reported with the standard reports UIDNOUSR and GIDNOGRP. These reports are generated via AU.S - RACF resources - UNDEFINED IDS. The job below covers the remaining case: extended ACL entries that refer to undefined IDs.

The first step runs a newlist type=unix that writes all files, directories and links that currently have any extended ACL entry (access ACL, file default ACL or directory default ACL) to a work dataset, with the type, pathname and Unix_ACL details of each.

The second step reads that work dataset and selects only the records where the string "-undef-" appears in the first 7 positions of the Unix_ACL field and position 11 contains a "+", which indicates an extended ACL entry.

Here is an example job that reports the Undefined extended ACL entries:

// <-- Add a valid jobcard here!
//GETFILES EXEC PGM=CKRCARLA,REGION=64M
//STEPLIB DD DISP=SHR,DSN=CKR.CKR210.SCKRLOAD <-- Adjust library name here!
//SYSPRINT DD SYSOUT=*
//CKFREEZE DD DISP=SHR,DSN=my.CKFREEZE <-- A recent CKFREEZE dsn here!
//USSFILES DD DISP=(NEW,PASS),SPACE=(CYL,(100,50),RLSE),
// DSN=&&USSFILES,RECFM=VB,LRECL=200
//SYSIN DD *

alloc type=ckfreeze dd=ckfreeze
alloc type=racf backup active
suppress msg=(72,73)
newlist type=unix nopage retain dd=ussfiles
select (extended_acl or file_default_acl or directory_default_acl)
sortlist type(1) abs_pathname(150) unix_acl(34)

//REPORT EXEC PGM=CKRCARLA,REGION=64M
//STEPLIB DD DISP=SHR,DSN=CKR.CKR210.SCKRLOAD <-- Adjust library name here!
//USSFILES DD DISP=(OLD,PASS),DSN=&&USSFILES
//SYSPRINT DD SYSOUT=*
//REPORT DD SYSOUT=*
//SYSIN DD *

deftype type=#ussfile
alloc type=#ussfile dd=ussfiles
define type=#ussfile #type('T') as substr(record,1,1)
define type=#ussfile #filename('File/directory/link name'),
as substr(record,3,150)
define type=#ussfile #unix_acl('Unix ACL'),
as substr(record,154,34)

newlist type=#ussfile dd=report ll=190,
title="Extended ACL permits to undefined Users(UID's)/Groups(GID's)",
empty="No permits found to undefined Users(UID's)/Groups(GID's)"
select substr(#unix_acl,1,7)='-undef-' substr(#unix_acl,11,1)='+'
sortlist #type(1) #filename(150) #unix_acl(34)

Warning: please be aware that the field abs_pathname can be up to 1024 characters long. To reduce the space required for the work dataset USSFILES in this job, a length of 150 characters has been defined. On our system this did not cause any truncation, but on other installations the lengths of the fields "abs_pathname" (step GETFILES) and "#filename" (step REPORT) may have to be extended.
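To check the second-pass selection and the truncation caveat offline, here is an added Python example (not zSecure or CARLa code) that applies the REPORT step's filter to records laid out like the USSFILES work dataset and flags pathnames that fill the whole 150-column field. The sample records are constructed; only the Unix_ACL columns the technote names (1-7 and 11) carry meaning in them.

```python
# Added example, not zSecure/CARLa code: it applies the REPORT step's selection to
# records laid out like the USSFILES work dataset and flags pathnames that fill the
# whole 150-column field (possible truncation). All sample records are constructed;
# only the Unix_ACL columns the technote names (1-7 and 11) carry meaning here.

TYPE_COL = slice(0, 1)      # substr(record,1,1)    -> type(1)
PATH_COL = slice(2, 152)    # substr(record,3,150)  -> abs_pathname(150)
ACL_COL = slice(153, 187)   # substr(record,154,34) -> unix_acl(34)
PATH_WIDTH = 150

def make_record(rtype, path, acl):
    """Build one work record the way the GETFILES sortlist lays it out (constructed data)."""
    return f"{rtype:1} {path[:PATH_WIDTH]:<{PATH_WIDTH}} {acl:<34}"

def parse_record(line):
    """Split a USSFILES record into its three fixed-width fields."""
    line = line.rstrip("\n").ljust(187)   # VB records may be shorter than 187 bytes
    return {"type": line[TYPE_COL], "path": line[PATH_COL].rstrip(), "acl": line[ACL_COL]}

def is_undefined_extended_entry(acl):
    """REPORT step select: '-undef-' in positions 1-7 and '+' in position 11."""
    return acl[0:7] == "-undef-" and acl[10:11] == "+"

def may_be_truncated(path):
    """abs_pathname can be 1024 long; a path filling all 150 columns may be cut off."""
    return len(path) >= PATH_WIDTH

def report(lines):
    """Return (records the REPORT step would print, paths that may be truncated)."""
    selected, suspect = [], []
    for line in lines:
        rec = parse_record(line)
        if is_undefined_extended_entry(rec["acl"]):
            selected.append(rec)
        if may_be_truncated(rec["path"]):
            suspect.append(rec["path"])
    return selected, suspect

# Constructed sample: two undefined extended entries (one with an over-long path),
# one undefined entry without the '+' marker, one entry for a defined user.
SAMPLE_RECORDS = [
    make_record("F", "/u/app/config.xml", "-undef-   +rwx"),
    make_record("D", "/u/app", "-undef-    rwx"),
    make_record("F", "/u/app/data.db", "USER1     +r-x"),
    make_record("L", "/u/" + "a" * 160, "-undef-   +r--"),
]
```

Running report(SAMPLE_RECORDS) returns the first and last records as hits, and lists the last record's path as a possible truncation because it fills all 150 columns.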


Document information


More support for:

IBM Security zSecure Admin

Software version:

1.12, 1.13.0, 1.13.1, 2.1

Operating system(s):

z/OS

Software edition:

Enterprise

Reference #:

1267678

Modified date:

2014-02-25
