Tolerate z/OS changes in UNIX APF processing: Technote for zSecure TCIM/TSIEM z/OS Agent

Flash (Alert)


Abstract

APAR OA41101 changes the behavior of certain z/OS UNIX Services.

Content

(Please note: The z/OS agent is also known by the names IBM Tivoli Compliance Insight Manager, Tivoli Security Information and Event Manager, and Compliance Insight Manager Enabler for z/OS.)
This change causes a component of the TSIEM z/OS agent that works with zSecure under z/OS to abend with EC6-xxxxC04A.

After the PTF for APAR OA41101 has been applied, trying to use external links to APF authorized programs leads to the abend. Therefore, files with the sticky and APF bits turned on must now be used.
The documented solution (as per the details in DOC APAR OA41490) is to make the Owner of the symbolic link CKRCARLx a userid/group that has UID(0).

To implement this solution, change the Owner of &C2EPATH/run/CKRCARLx to a userid/group that has UID(0), using the following command sequence. Note the '-h' parameter of the chown command in step 3: it is required to make the change without following the symbolic link.

  1. Enter OMVS.
  2. cd /u/c2eaudit/actuatr1/run/ <==&C2EPATH/run
  3. chown -h BPXROOT CKRCARLx

Then stop the daemon task with /S C2ECSTOP and start it up again with /S C2EAUDIT.

(In the above example, BPXROOT userid has already been defined, has UID(0) and is connected to the original userid's group, so group did not need to be specified.)




An alternate circumvention to using an owner with UID(0) can be implemented using the following instructions:
  1. Enter OMVS.
  2. cd /u/c2eaudit/actuatr1/run/ <==&C2EPATH/run
  3. To show the owning user agent_user_id and group agent_group_id of the files within &C2EPATH/run, carry out the command ls -E
  4. rm CKFCOLL
  5. touch CKFCOLL CKRCARLA CKRCARLX
  6. chmod 1750 CKFCOLL CKRCARLA CKRCARLX
  7. extattr +a CKFCOLL CKRCARLX (do not turn on the APF bit of CKRCARLA here)
  8. chown agent_user_id:agent_group_id CKFCOLL CKRCARLA CKRCARLX for the agent_user_id and agent_group_id that have been determined in step 3 above
  9. ls -E CKFCOLL CKRCARLA CKRCARLX

Also perform the following instructions (do either 3 or 4 below, depending on what you find in step 1):
  1. ls -E CKRCARLx with a lowercase "x" at the end
  2. rm CKRCARLx
  3. If the ls command of step 1 above showed that CKRCARLx was an external link to CKRCARLX (CKRCARLx -> CKRCARLX), then carry out: echo CKRCARLX > CKRCARLx
  4. If on the other hand CKRCARLx was an external link to CKRCARLA (CKRCARLx -> CKRCARLA), then carry out: echo CKRCARLA > CKRCARLx
  5. chmod 750 CKRCARLx
  6. chown agent_user_id:agent_group_id CKRCARLx
  7. ls -E CKRCARLx
  8. cat CKRCARLx
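
A check for the state the two step lists above should leave behind, as an added example that is not part of the IBM technote: it reads `ls -E` output and flags a missing sticky bit, a missing or unwanted APF attribute, or a CKRCARLx that is still a link. The listing layout (mode in field 1, extended attributes in field 2 with `a` for APF, `e` as the type character of an external link) is an assumption, and the sample listings with their owner and group names are constructed.

```shell
#!/bin/sh
# Usage on z/OS: ls -E CKFCOLL CKRCARLA CKRCARLX CKRCARLx | check_apf_listing
# Assumed layout: field 1 = type and mode, field 2 = extended attributes
# (first character "a" = APF authorized); link lines end in "name -> target".
check_apf_listing() {
    awk '
    function fail(msg) { printf "FAIL %s: %s\n", name, msg; err = 1; bad = 1 }
    {
        mode = $1; ext = $2; name = $NF; err = 0
        for (i = 2; i < NF; i++) if ($(i + 1) == "->") name = $i
        sticky = (mode ~ /[tT]$/); apf = (substr(ext, 1, 1) == "a")
        if (name == "CKFCOLL" || name == "CKRCARLX") {
            if (!sticky) fail("sticky bit off, expected mode 1750")
            if (!apf) fail("APF extended attribute not set (extattr +a)")
        } else if (name == "CKRCARLA") {
            if (!sticky) fail("sticky bit off, expected mode 1750")
            if (apf) fail("APF bit must stay off for this file")
        } else if (name == "CKRCARLx") {
            if (substr(mode, 1, 1) != "-") fail("still a link, expected a regular file")
            else if (mode != "-rwxr-x---") fail("expected mode 750")
        } else next
        seen[name] = 1
        if (!err) printf "OK   %s\n", name
    }
    END {
        n = split("CKFCOLL CKRCARLA CKRCARLX CKRCARLx", want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) { printf "FAIL %s: not in listing\n", want[i]; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: listing after both step lists were carried out correctly.
sample_good() { cat <<'EOF'
-rwxr-x--T  a-s-  1 AGENTUID AGENTGRP  0 Jul 15 10:02 CKFCOLL
-rwxr-x--T  --s-  1 AGENTUID AGENTGRP  0 Jul 15 10:02 CKRCARLA
-rwxr-x--T  a-s-  1 AGENTUID AGENTGRP  0 Jul 15 10:02 CKRCARLX
-rwxr-x---  --s-  1 AGENTUID AGENTGRP  9 Jul 15 10:05 CKRCARLx
EOF
}
# Constructed sample: APF bit missed on CKFCOLL, CKRCARLx still an external link.
sample_bad() { cat <<'EOF'
-rwxr-x--T  --s-  1 AGENTUID AGENTGRP  0 Jul 15 10:02 CKFCOLL
-rwxr-x--T  --s-  1 AGENTUID AGENTGRP  0 Jul 15 10:02 CKRCARLA
-rwxr-x--T  a-s-  1 AGENTUID AGENTGRP  0 Jul 15 10:02 CKRCARLX
erwxrwxrwx        1 AGENTUID AGENTGRP  8 Jul 15 09:00 CKRCARLx -> CKRCARLX
EOF
}

sample_good | check_apf_listing
```

The function exits non-zero when any file fails a check or is missing from the listing, so it can gate a restart of the agent.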

Note: Ensure the FILESYSTEM for the /u/c2eaudit mountpoint, which contains the &C2EPATH/run directory, is MOUNTed with SECURITY and SETUID. If it is mounted with NOSECURITY or NOSETUID the APF extended attribute is not honored and BPXP028I error messages will be seen.

Cross reference information
Segment Product Component Platform Version Edition
Security Tivoli Compliance Insight Manager 8.5
Security Tivoli Security Information and Event Manager 2.0

Document information


More support for:

IBM Security zSecure Audit

Software version:

1.11, 1.12, 1.13.0, 1.13.1, 2.1

Operating system(s):

z/OS

Reference #:

1626384

Modified date:

2014-07-15
