CARLa programming how was it again? 2013 IBM Corp.

Transcription

1 CARLa programming how was it again? Tom Zeehandelaar zsecure enablement specialist Jeroen Tiggelman Software Development/L3 Manager zsecure

2 Agenda Various lookup types supported in CARLa Subselecting repeat group values Compare connections of Universal groups Report orphan extended UNIX ACL entries

3 CARLa lookup types Object property lookup implicit/cross-segment lookup Annotate report with information that is stored in another segment of the profiles that you process Object property lookup is supported for newlist types SMF, RACF, TRUSTED, and REPORT_SCOPE only Cross-profile lookup explicit/id lookup Annotate report with information that is stored in other profiles than the ones that you select Cross-newlist lookup class/system/setropts lookup Annotate report with information that is produced by another NEWLIST type than the one that you use External data set lookup deftype lookup Annotate report with information that is stored in an external data set that is stored on your z/os system

4 Cross-segment lookup example 1 Report information from TSO and OMVS segments when you select the BASE segment only newlist type=racf select class=user segment=base cggrpct>0 sortlist key(8,"userid") name :tlsize :tmsize :uid(10)

5 Cross-segment lookup example 2 Report information from BASE segment while you select the TSO segment only newlist type=racf select class=user segment=tso mask=crmc* sortlist key(8,"userid") :name tlsize tmsize

6 Object property lookup example 1 Annotate your SMF report with information from RACF resource profile when you process SMF records newlist type=smf nodup select exists(profile) class=opercmds sortlist resource(29) profile(29) :uacc :warning, :auditlvl :owner

7 Object property lookup example 2 Annotate your TRUSTED report with information from user IDs stored in the RACF database newlist type=trusted, tt='trusted userid with RACF system-wide privileges' select sensitivity=privilege sortlist userid :name :revoke(hb,1) :revoke_inactive('i',hb,1), :protected(hb,1) :uid(7) :dfltgrp userid_privilege

8 Cross-profile lookup example 1 Report information from User profiles while you select Group profiles only newlist type=racf select class=group segment=base key=sysaudit sortlist key(8,"group") instdata(25) userid userid:name

9 Cross-profile lookup example 2 Use cross-profile lookup in both the SELECT and SORTLIST statement newlist type=racf empty="no dataset profiles found!", title="dataset profiles owned by CRMD users" select class=dataset segment=base owner:dfltgrp=crmd sortlist key(20) uacc audit gaudit owner owner:name This CARLa program reads RACF input source twice! This is not supported when you use an active RACF db

10 Cross-newlist lookup example 1 Include settings from the Class Descriptor Table in your resource profile report newlist type=racf tt='profiles defined in the XFACILIT class', t='xfacilit class settings from CDT -> ' select class=xfacilit segment=base sortlist 'Dflt RC:'(t) class:class.class.dfltrc(1,t), ', Active:'(t) class:class.class.active(t), ', Logoptions:'(t) class:class.class.logopt(t), ', Audit:'(t) class:class.class.audit(t), key owner uacc acl

11 Cross-newlist lookup example 2 Use settings from the Class Descriptor Table in select statement of your scope report sup reason=(uacc id(*) global warning noprof grpaudit grpoper grpspec, owner pwdchange selfcon alter-m ckgracmap ckgracdcert ckgowner create) newlist type=report_scope tt='user authorization for id ', t='direct or indirect permits for inactive general resource classes', st='verify if permits must be removed or class must be active', empty='no permissions to inactive classes found' select class:class.class.active=no sortlist id(p,tt) id:name(p,tt) class key(nd), proftype(1) key("profile name") access_via_when report scope=tomzeeh

12 Deftype lookup example Include address from external data set in your user ID overview report deftype type=# define type=# #user as word(record,1,';') define type=# #address(' address',25) as word(record,2,';') alloc type=# dsn='tomzeeh. .adresses' newlist type=racf select exists(key:# .#user.#address) segment=base sortlist key('userid',8) name revoke(hb,6) special(hb,1), operations(hb,1) auditor(hb,1), key:# .#user.#address

13 Agenda Various lookup types supported in CARLa Subselecting repeat group values Compare connections of Universal groups Report orphan extended UNIX ACL entries

14 RACF repeat groups Field or group of fields that can store multiple values within a single RACF profile For example, a user profile can contain multiple connect group names All repeat groups include a counter that shows how many repeat group entries exist The following repeat groups can exists User profiles: connect groups, class authorities, user data entries Group profiles: connected users, subgroups, user data entries Resource profiles: ACL, CACL, member list (grouping class resources), volser (discrete data set profiles), user data entries

15 If any repeat group entry matches profile is selected Select group profiles where a pertinent user ID is connected shows all repeat group entries in the report newlist type=racf t='groups that user ZPU001 is connected to' select class=group segment=base userid=zpu001 sortlist key(8,'group') instdata(36) aclcnt('connects',8), connects

16 Report on specific repeat groups entries only The SUBSELECT function can be used to filter which repeat group entries you want to include in your report You must specify the repeat group entries that you want to include in the SUBSELECT clause The execution of the SUBSELECT function repeat group output from the final report suppresses The SUBSELECT clause does not influence which profiles are selected, this is determined by the SELECT statement that must be specified separately The SUBSELECT function is supported for ACL, CONNECTS, USR fields, and CUSTOM data

17 SUBSELECT CONNECTS example 1 Show group profiles where a pertinent user ID is connected - show only those entries newlist type=racf t='groups that user CRMBTZ1 is connected to' define #tz1con subselect connects(user=crmbtz1) select class=group segment=base userid=crmbtz1 sortlist key(8,'group') instdata(36) aclcnt('connects',8), #tz1con

18 SUBSELECT CONNECTS example 2 Show group profiles only where one or more user IDs are connected with a group authority that exceeds USE newlist type=racf t='groups with group authorities>use' define #grpauth subselect connects(grpauth>use) select class=group segment=base useracs>use sortlist key(8,'group') instdata(36) aclcnt('connects',8), #grpauth

19 SUBSELECT ACL example 1 Show resource profiles only where ID * is permitted on the ACL or CACL newlist type=racf t='resource profiles with permit to ID(*)' define #idstar('id(*)',7,aclaccess) subselect acl(id='*') select class=(dataset,general) segment=base acl(id='*') sortlist class key(30,'resource profile') owner uacc #idstar

20 SUBSELECT ACL example 2 Show resource profiles only where IBMUSER is permitted on the ACL or CACL with access>read newlist type=racf, t='resource profiles with permit that exceeds READ for IBMUSER' define #stripacl('ibmuser',7,aclaccess) subselect, acl(id=ibmuser access>read) select class=(dataset,general) segment=base acl(id=ibmuser access>read) sortlist class key(30,'resource profile') aclcnt owner uacc #stripacl

21 Summary of ACL and CONNECTS field names you can use in SELECT and SUBSELECT statements ACL Selection on SUBSELECT SELECT SUBSELECT SELECT Access level ACCESS USERACS Group id GROUP USERID GROUP USERID User id USER USERID USER USERID ACL ID ID USERID Connects Connect auth GRPAUTH USERACS Alternatively, for SELECT ACL, you can use ACL(ID=<id> ACCESS=<access>) to ensure that the ID and ACCESS tested belong to the same ACL entry

22 SUBSELECT (C)ACL example 3 Show resource profiles only where conditional program access is permitted for program CKRCARLa newlist type=racf t='conditional CKRCARLA program access' define #progaccs subselect acl(whenprof=ckrcarla) select class=dataset field=program scan=ckrcarla sortlist key(35) #progaccs

23 SUBSELECT (C)ACL example 4 Supported ACL formats can be used on the SUBSELECT variables as usual newlist type=racf t='conditional CKRCARLA program access' define #progaccs(explode) subselect acl(whenprof=ckrcarla) select class=dataset field=program scan=ckrcarla sortlist key(35) #progaccs

24 SUBSELECT User data (USR) example Report user profiles only when they store a User data entry for category or PHONE newlist type=racf define # (30,' address',usrdata) subselect, usr(usrnm= ) define #phone(15,'phone number',usrdata) subselect, usr(usrnm=phone) select class=user segment=base (usrnm= or usrnm=phone) sortlist key(8,'userid') name # #phone

25 SUBSELECT Custom data (custom_data) example Report user profiles only when they store a value for a specific Custom Data field newlist type=racf, tt='userids with custom data entry for Badge number' define #badge('badge Nr',8,csvalue) subselect, custom_data(cskey=badgenr) select class=user segment=csdata cskey=badgenr sortlist key(8,'userid') :name :dfltgrp #badge

26 Agenda Various lookup types supported in CARLa Subselecting repeat group values Compare connections of Universal groups Report orphan extended UNIX ACL entries

27 Comparing connections of Universal groups Customer system contains multiple Universal groups Customer wants to compare the user IDs that are connected to these Universal groups Problem: Universal group profiles in RACF do not contain the list of connected users with NORMAL connection GRPAUTH=USE No group attributes (group special, group operations, group auditor) No future revoke and resume date for the connection No ADSP and GRPACC attributes Function RA.3.G Compare users does not support this situation

28 Step 1: Collect detailed connect information First you must collect the full connection details for Universal groups with CARLa and write the output to a work data set Output contains a list of all user IDs that are connected to a Universal group //TOMZEEHA JOB,'TOM ZEEHANDELAAR',NOTIFY=&SYSUID,MSGCLASS=V // JCLLIB ORDER=CKR.V1R13M1.SCKRPROC //GETCONS EXEC C2RC //CONNS DD DISP=(NEW,PASS),SPACE=(TRK,1),DSN=&&CONNS, // RECFM=VB,LRECL=20,BLKSIZE=2400 //SYSIN DD DATA,DLM='##' alloc type=racf backup complex=demo newlist type=racf nopage retain dd=conns select class=group segment=base universal sortlist key(8) connects(8,universal) ##

29 Step 2: Produce report from work data set Use of Universal groups is useful if it is expected that the future number of connections exceeds 5957 Report shows users that are not connected to all Universal groups //REPORT EXEC C2RC //CONNS DD DISP=(OLD,PASS),DSN=&&CONNS //SYSIN DD DATA,DLM='##' deftype type=$univcon alloc type=$univcon dd=conns def type=$univcon $group(8,'group') as substr(record,1,8) def type=$univcon $user(8,'userid') as substr(record,10,8) def type=$univcon $connect_g1("studuniv",8) boolean, where $group=studuniv def type=$univcon $connect_g2("crmauniv",8) boolean, where $group=crmauniv def type=$univcon $connect_g3("crmaunif",8) boolean, where $group=crmaunif newlist type=$univcon dd=ckreport, tt='differences in UNIVERSAL group connections' sum $user count(<3,nd) $connect_g1 $connect_g2 $connect_g3 ##

30 Compare Universal group connect differences output The report shows a column for all Universal groups that are defined in the RACF database Users that are connected to (in this case) all three Universal groups are suppressed by count(<3,nd) filter Each report row contains a user ID that is connected to only one or two of the existing Universal groups

31 Agenda Various lookup types supported in CARLa Subselecting repeat group values Compare connections of Universal groups Report orphan extended UNIX ACL entries

32 UNIX Systems Services (USS) Mandatory part of all z/os systems USS is more and more used to support business sensitive or critical processes Besides the File Security Packet (FSP), optionally, access can be permitted with extended ACLs When user IDs or groups that are permitted on these extended ACLs are deleted, these extended ACL entries become orphans when they are not deleted as well When a pertinent user ID or group is redefined, automatically these orphan extended ACL entries are revived

33 Step 1: Collect all UNIX extended ACL information Use CKFREEZE data set generated with parm UNIX=Y Write UNIX object and ACL details to work data set for files and directories with extended ACLs //TOMZEEHA JOB,'TOM ZEEHANDELAAR',NOTIFY=&SYSUID,MSGCLASS=V // JCLLIB ORDER=CKR.V1R13M1.SCKRPROC //GETPERM EXEC C2RC //SYSPRINT DD SYSOUT=* //CKFREEZE DD DISP=SHR,DSN=PMI.CKFREEZE //USSFILES DD DISP=(NEW,PASS),SPACE=(CYL,(10,5),RLSE), // DSN=&&USSFILES,RECFM=VB,LRECL=200 //SYSIN DD * alloc type=ckfreeze dd=ckfreeze alloc type=racf backup active suppress msg=(72,73) newlist type=unix nopage retain dd=ussfiles select (extended_acl or file_default_acl or directory_default_acl) sortlist type(1) abs_pathname(50) unix_acl unix_default_acl, unix_fdefault_acl

34 Step 2: Report UNIX ACLs with orphan entries (1/2) DEFTYPE and ALLOCATE the work data set DEFINE the appropriate variables //REPORT EXEC C2RC //USSFILES DD DISP=(OLD,PASS),DSN=&&USSFILES //SYSPRINT DD SYSOUT=* //REPORT DD SYSOUT=* //SYSIN DD * deftype type=#ussfile alloc type=#ussfile dd=ussfiles define type=#ussfile #type('t',1) as substr(record,1,1) define type=#ussfile #filename('file/directory/link name',50), as substr(record,3,50) define type=#ussfile, #unix_acl('unix (directory or file dflt) ACL',34), as substr(record,54,34) define type=#ussfile #unix_default_acl(34), as substr(record,89,34) define type=#ussfile #unix_fdefault_acl(34), as substr(record,124,34)

35 Step 2: Report UNIX ACLs with orphan entries (2/2) Report the orphan access ACL, directory default ACL, and file default ACL entries Use MERGELIST/ENDMERGE to produce a single report mergelist newlist type=#ussfile dd=report, tt="extended ACL permits to undefined Users(UIDs)/Groups(GIDs)", empty="no permits found to undefined Users(UIDs)/Groups(GIDs)" select substr(#unix_acl,1,7)='-undef-' substr(#unix_acl,11,1)='+' sortlist #type(1) #filename #unix_acl newlist type=#ussfile dd=report select substr(#unix_default_acl,1,7)='-undef-', substr(#unix_default_acl,11,1)='+' sortlist #type(1) #filename #unix_default_acl newlist type=#ussfile dd=report select substr(#unix_fdefault_acl,1,7)='-undef-', substr(#unix_fdefault_acl,11,1)='+' sortlist #type(1) #filename #unix_fdefault_acl endmerge

36 Report UNIX ACLs with orphan entries example Report shows all file, directory, and link names that have the orphan UNIX extended ACL entries Label -undef- means that the pertinent UID/GID is unknown + Access ACL entry d+ Directory default ACL entry f+ File default ACL entry Cleanup Remove the reported extended ACL entries Reassign the pertinent UID/GID values to appropriate profile

37 Comments or questions?