IBM Support

zSecure Reporting - USS extended ACL entries reporting

Troubleshooting


Problem

Steps to use zSecure CARLa to report on USS extended ACL entries that are permitted to non-existing userids and groups.

Resolving The Problem

IBM zSecure does not currently support sub-selection on the field UNIX_ACL, so a 2-pass CARLa approach is necessary for this report.

Remember that USS resources owned by UIDs and/or GIDs that no longer exist can be easily reported with our standard reports UIDNOUSR and GIDNOGRP. These reports are generated via AU.S - RACF resources - UNDEFINED IDS.

The first step runs a newlist type=unix that writes every file, directory and link that currently has any extended ACL entry (access ACL, file default ACL or directory default ACL) to a work dataset, recording the type, pathname and Unix_ACL details.

In the second step, the only records selected are those UNIX resources where the string "-undef-" appears in the first 7 positions of the field Unix_ACL and position 11 contains a "+", indicating that the entry is an extended ACL entry.

Here is an example job that reports the Undefined extended ACL entries:

//USSACL JOB Add a valid jobcard here!
//GETFILES EXEC PGM=CKRCARLA,REGION=64M
//* Adjust the following library name
//STEPLIB DD DISP=SHR,DSN=CKR.CKR230.SCKRLOAD
//SYSPRINT DD SYSOUT=*
//* Use a recent CKFREEZE
//CKFREEZE DD DISP=SHR,DSN=my.CKFREEZE
//USSFILES DD DISP=(NEW,PASS),SPACE=(CYL,(100,50),RLSE),
// DSN=&&USSFILES,RECFM=VB,LRECL=200
//SYSIN DD *

alloc type=ckfreeze dd=ckfreeze
alloc type=racf backup active
suppress msg=(72,73)
newlist type=unix nopage retain dd=ussfiles
select (extended_acl or file_default_acl or directory_default_acl)
sortlist type(1) abs_pathname(150) unix_acl(34)

//REPORT EXEC PGM=CKRCARLA,REGION=64M
//* Adjust the following library name
//STEPLIB DD DISP=SHR,DSN=CKR.CKR230.SCKRLOAD
//USSFILES DD DISP=(OLD,PASS),DSN=&&USSFILES
//SYSPRINT DD SYSOUT=*
//REPORT DD SYSOUT=*
//SYSIN DD *

deftype type=#ussfile
alloc type=#ussfile dd=ussfiles
define type=#ussfile #type('T') as substr(record,1,1)
define type=#ussfile #filename('File/directory/link name'),
as substr(record,3,150)
define type=#ussfile #unix_acl('Unix ACL'),
as substr(record,154,34)

newlist type=#ussfile dd=report ll=190,
title="Extended ACL permits to undefined Users(UID's)/Groups(GID's)",
empty="No permits found to undefined Users(UID's)/Groups(GID's)"
select substr(#unix_acl,1,7)='-undef-' substr(#unix_acl,11,1)='+'
sortlist #type(1) #filename(150) #unix_acl(34)

Warning: be aware that the field abs_pathname can be up to 1024 characters long. To reduce the space required for the work dataset USSFILES in this job, a length of 150 characters has been defined. On our test system this did not cause any truncation, but on other installations the length of the fields "abs_pathname" (step GETFILES) and "#filename" (step REPORT) may have to be extended.
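To make the record layout and the two column tests that the job relies on visible outside of CARLa, here is an added Python model of both passes. This is example code written for this page, not zSecure or IBM code. It assumes the fixed-column layout the GETFILES sortlist produces (type in column 1, pathname in columns 3 to 152, Unix_ACL in columns 154 to 187, one blank between fields) and runs on constructed sample records; the Unix_ACL strings are shaped only so that columns 1 to 7 and column 11 match what the page tests, and the rest of their format is an assumption. It also reports pathnames longer than 150 characters, the truncation case the warning above describes.

```python
"""Two-pass model of the zSecure report: pass 1 writes one fixed-column
record per USS object (type, pathname, Unix ACL); pass 2 selects the
records whose ACL entry is an extended entry for an undefined ID.
Added example for this page, not zSecure code."""

PATH_LEN = 150   # abs_pathname width chosen in the page's GETFILES step
ACL_LEN = 34     # unix_acl width

# Column positions follow the sortlist "type(1) abs_pathname(150) unix_acl(34)"
# with one blank between fields, so record = type + ' ' + path + ' ' + acl.
TYPE_COL = 0
PATH_COL = 2
ACL_COL = PATH_COL + PATH_LEN + 1   # 153 zero-based == column 154 in CARLa substr


def write_record(obj_type, pathname, unix_acl):
    """Pass 1: build one USSFILES work record. Returns (record, truncated);
    truncated is True when the pathname did not fit in PATH_LEN columns,
    which is the condition the page's warning describes."""
    truncated = len(pathname) > PATH_LEN
    path_field = pathname[:PATH_LEN].ljust(PATH_LEN)
    acl_field = unix_acl[:ACL_LEN].ljust(ACL_LEN)
    return f"{obj_type[:1]} {path_field} {acl_field}", truncated


def parse_record(record):
    """Pass 2 equivalents of the 'define ... as substr(record,...)' lines."""
    return {
        "type": record[TYPE_COL:TYPE_COL + 1],
        "filename": record[PATH_COL:PATH_COL + PATH_LEN].rstrip(),
        "unix_acl": record[ACL_COL:ACL_COL + ACL_LEN],
    }


def is_undefined_extended_entry(unix_acl):
    """The page's select: substr(#unix_acl,1,7)='-undef-' and
    substr(#unix_acl,11,1)='+' (CARLa positions are 1-based)."""
    return unix_acl[0:7] == "-undef-" and unix_acl[10:11] == "+"


def report(records):
    """Return the selected (type, filename, unix_acl) rows, in input order."""
    rows = []
    for rec in records:
        f = parse_record(rec)
        if is_undefined_extended_entry(f["unix_acl"]):
            rows.append((f["type"], f["filename"], f["unix_acl"].rstrip()))
    return rows


# Constructed sample input (assumption). The ACL strings are shaped only so
# that columns 1-7 and column 11 match what the page tests; the rest of the
# zSecure Unix_ACL layout is not reproduced here.
SAMPLE_OBJECTS = [
    ("F", "/u/app1/config.xml",        "-undef- U +r--"),   # extended entry, undefined UID
    ("D", "/u/app1",                   "-undef- G +rwx"),   # extended entry, undefined GID
    ("F", "/u/app1/bin/run",           "WEBSRV  U +r-x"),   # extended entry, defined user
    ("F", "/u/app1/data.db",           "-undef- U  rw-"),   # undefined ID, but not extended
    ("L", "/u/app1/very/" + "x" * 160, "-undef- U +rwx"),   # pathname longer than 150
]


def run():
    """Pass 1 then pass 2; also returns the pathnames that were truncated."""
    work_dataset, truncated_paths = [], []
    for obj_type, path, acl in SAMPLE_OBJECTS:
        rec, trunc = write_record(obj_type, path, acl)
        work_dataset.append(rec)
        if trunc:
            truncated_paths.append(path)
    return report(work_dataset), truncated_paths


if __name__ == "__main__":
    rows, truncated = run()
    for row in rows:
        print(" ".join(row))
    if truncated:
        print(f"{len(truncated)} pathname(s) exceeded {PATH_LEN} columns; "
              f"widen abs_pathname/#filename")
```

Note that the three widths are coupled: if abs_pathname in step GETFILES and #filename in step REPORT are widened, the start column of #unix_acl (154 in the job above) moves by the same amount, and LRECL of USSFILES must still hold the longer record.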


Document Information

Modified date: 16 June 2018

UID: swg21267678