IBM Support

OA43532: ZSECURE AUDIT EXTENSIONS FOR GUARDIUM VA.

A fix is available


APAR status

  • Closed as program error.

Error description

  • zSecure Audit extensions for Guardium VA.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED: Users of zSecure Audit for RACF planning to  *
    *                 use the software to provide input for        *
    *                 advanced auditing of the DB2 environment     *
    *                 using IBM InfoSphere Guardium Vulnerability  *
    *                 Assessment (Guardium VA).                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: New function to prepare the data for    *
    *                      Guardium VA.                            *
    ****************************************************************
    * RECOMMENDATION: Apply the PTF provided and review the        *
    *                 attached documentation.                      *
    ****************************************************************
    zSecure Audit can be used to provide input for advanced auditing
    of the DB2 environment using IBM InfoSphere Guardium
    Vulnerability Assessment (Guardium VA). The solution for this
    APAR provides the samples and the documentation for this new
    feature.
    

Problem conclusion

  • zSecure Admin has been enhanced, so it can be used to provide
    input for advanced auditing of the DB2 environment using IBM
    InfoSphere Guardium Vulnerability Assessment (Guardium VA).
    -
    PLEASE NOTE the following documentation changes for the manual
    Security zSecure CARLa-Driven Components Version 2.1.0
    Installation and Deployment Guide (SC27-5638-00)
    -
    Added a new chapter as follows:
    
    Chapter 17. Data preparation for Guardium VA
    
    
     zSecure Audit can be used to provide input for advanced
     auditing of your DB2 environment using IBM InfoSphere Guardium
     Vulnerability Assessment (Guardium VA). Information about the
     RACF protection of DB2 objects and information about users and
     groups is loaded into DB2 tables for Guardium VA usage. This
     information is especially relevant if you use RACF groups as
     DB2 AUTHID or use the RACF Access Control Module DSNX@XAC.
     Guardium VA expects the data about a specific DB2 subsystem
     to be available in that DB2 subsystem itself. This allows
     directly combining the information from the DB2 catalog with
     the security information provided by zSecure. To load the data
     in a DB2 subsystem, zSecure provides examples in SCKRSAMP. If
     you want to modify and use these examples, copy them to another
     data set. Because the SCKRSAMP data set is SMP/E controlled,
     future updates might overwrite your modifications.
    
     After completing these steps, and loading the appropriate DB2
     tables you can benefit from the enhanced RACF information. In
     Guardium VA, you can use the Guardium VA Assessment Tests that
     have names starting with zSecure.
    
     Steps for creating zSecure data for use by Guardium VA
     ======================================================
    
     To create and manage a DB2 database that contains the data that
     zSecure provides to Guardium VA, you must:
    
     1. Create one or more DB2 databases.
     2. Create one or more DB2 table spaces.
     3. Create DB2 tables.
     4. Load data into the tables.
    
     The first three steps are the initial setup of the database.
     These steps are required only once, when you first initialize
     the data manager. After the tables are established, you can
     LOAD data into the DB2 database repeatedly. For example, you
     can refresh data each day. This is left up to the installation.
     At any time, you can delete your current table data. You can
     also manage these tables using regular DB2 utilities and SQL
     statements. The following sections describe the samples that
     can be used to create and load zSecure data for use by Guardium
     VA.
    
     Because the example jobs directly interact with a local DB2
     subsystem, they must be run on each system. Use of remote input
     sources or processing multiple systems in a single run is not
     supported. Before running any of these jobs, ensure that the
     zSecure configuration (aka C2R$PARM member) has been
     customized using the correct values. You also need to replace
     occurrences of !! by the correct level of DB2 in use, and the
     value !DSN! by the name of your DB2 subsystem. The provided
     example jobs use the SCKRSAMP data set. Change the name to the
     data set that you used for your modified copy of the example
     members.
    
     The DB2 steps use the standard DSNUTILB Utility program and the
     DSNTEP2 productivity-aid example program. These two utility
     programs must be available and bound for the DB2 subsystem. For
     information on the installation of the DSNTEP2 sample program
     see the section "Productivity-aid sample programs" in "DB2 for
     z/OS Utility Guide and Reference".
    
     The DB2 schema name used for this application is CKADBVA and
     all table names start with CKA. The schema name and the table
     names cannot be modified.
    
     The example jobs provided are:
    
      CKAJVA00
      --------
       A DB2 database names a collection of table spaces. The
       example job CKAJVA00 creates a database in DB2 to contain the
       tablespace and tables. The job must be run by a user with
       sufficient DB2 authorization to create a DB2 database.
       Because Guardium VA expects the information about a DB2
       subsystem to be available in tables inside the DB2 subsystem,
       the CKAJVA00 job must be run on each system that you want to
       analyze using Guardium VA.
    
       The database is created using available defaults:
    
        CREATE DATABASE CKADBVA;
    
       The name of the database can be changed to match your
       installation standards.
    
      CKAJVA01
      --------
       A table space is one or more data sets in which one or more
       tables are stored. The example job CKAJVA01 has two steps.
       The first step drops the tables and tablespace, and the
       second step creates the tablespace and tables. The first time
       you run this job, the DROP step that drops the objects ends
       with return code 8. You can ignore this error. Alternatively,
       you can edit the job to run only the CREATE step. The job
       must be run by a user with sufficient DB2 authorization to
       drop and create these objects in the DB2 database that was
       created in example CKAJVA00. Because Guardium VA expects the
       information about a DB2 subsystem to be available in tables
       inside the DB2 subsystem, the CKAJVA01 job must be run on
       each system that you want to analyze using Guardium VA.
    
       The tablespace is created using available defaults:
    
        CREATE TABLESPACE CKADBVA in CKADBVA;
    
       You might need to specify allocation-related keywords to
       assign the correct storage group, or to increase the space
       available for the tables, for example:
    
        USING STOGROUP <storagegroup>
        PRIQTY 20000
    
       A sample of the creation of a table and its index in the
       tablespace:
    
        CREATE TABLE CKADBVA.CKA_OS_GROUP (
             COMPLEX                CHAR(8)    NOT NULL,
             GROUP                  CHAR(8)    NOT NULL,
             ADDITIONAL_INFO        VARCHAR(256) ,
             PRIMARY KEY (COMPLEX,GROUP)
             )
             in  CKADBVA.CKADBVA;
        CREATE UNIQUE INDEX CKADBVA.IDX_CKA_OS_GROUP ON
               CKADBVA.CKA_OS_GROUP(COMPLEX, GROUP);
    
       After creation of the tables and indexes, GRANT statements
       are issued to allow user SQLGUARD (the Guardium VA SQL ID)
       SELECT authority on the tables. For example:
    
        GRANT SELECT ON CKADBVA.STATUS TO SQLGUARD;
    
       The name of the tablespace can be changed to match your
       installation standards. The schema name and table names
       cannot be modified.
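       The CKAJVA00 and CKAJVA01 fragments above, assembled in the
       order they must run, as an added example that is not part of
       the APAR text or of the SCKRSAMP members. It assumes the
       storage group SYSDEFLT (a placeholder; use your site's own)
       and ends with a catalog query that verifies the Guardium VA
       ID received nothing beyond SELECT. The statements would be
       run through DSNTEP2, as the sample jobs do.

```sql
-- Added example; not the CKAJVA00/CKAJVA01 members themselves.
-- Step 1 (CKAJVA00): the database that will hold the zSecure tables.
CREATE DATABASE CKADBVA;

-- Step 2 (CKAJVA01): the table space. STOGROUP/PRIQTY are the
-- site-specific allocation keywords; SYSDEFLT is a placeholder.
CREATE TABLESPACE CKADBVA IN CKADBVA
       USING STOGROUP SYSDEFLT
       PRIQTY 20000;

-- Step 3 (CKAJVA01): one of the fixed-name tables and its index.
-- Schema CKADBVA and the CKA* table names must not be changed.
CREATE TABLE CKADBVA.CKA_OS_GROUP (
       COMPLEX                CHAR(8)      NOT NULL,
       GROUP                  CHAR(8)      NOT NULL,
       ADDITIONAL_INFO        VARCHAR(256),
       PRIMARY KEY (COMPLEX, GROUP)
       )
       IN CKADBVA.CKADBVA;
CREATE UNIQUE INDEX CKADBVA.IDX_CKA_OS_GROUP
       ON CKADBVA.CKA_OS_GROUP (COMPLEX, GROUP);

-- Guardium VA only reads these tables: grant SELECT and nothing else.
-- The load job runs under a separate, more privileged user ID.
GRANT SELECT ON CKADBVA.CKA_OS_GROUP TO SQLGUARD;

-- Verification after the grants: list every table privilege SQLGUARD
-- holds in schema CKADBVA. Any non-blank INSERTAUTH, UPDATEAUTH or
-- DELETEAUTH value means the ID was over-granted and should be revoked.
SELECT TTNAME, SELECTAUTH, INSERTAUTH, UPDATEAUTH, DELETEAUTH
  FROM SYSIBM.SYSTABAUTH
 WHERE GRANTEE  = 'SQLGUARD'
   AND TCREATOR = 'CKADBVA'
 ORDER BY TTNAME;
```

       Because the tables are rebuilt in full on every load, the
       verification query is worth re-running after each run of the
       CKAJVA01 CREATE step, which re-issues the grants.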
    
      CKAJVA99
      --------
       This job also has two steps. The first step is a CKFCOLL step
       that collects the information from the DB2 catalog tables
       into a CKFREEZE data set. The second step uses CKRCARLA to
       create the JCL and input for a second job. By default, the
       second job is immediately submitted for execution. The second
       job has steps for each DB2 subsystem. It uses CKRCARLA to
       create an input file specific for a particular DB2 subsystem
       and uses DSNUTILB to load the file in that DB2 subsystem. It
       also contains some SQL steps for simple postprocessing of the
       data. These steps are repeated for each DB2 subsystem. It is
       possible to update job CKAJVA99 to include or exclude
       specific DB2 subsystems. This can be done using a CARLa
       SELECT or EXCLUDE statement at the indicated line. In that
       case, the generated job only contains steps for the selected
       DB2 subsystems. The CKAJVA99 job must be run by a user with
       sufficient DB2 authorization to LOAD and UPDATE the DB2
       tables.
    
       If you have multiple releases of DB2 active, you need to
       create an instance of this job for each release. The STEPLIB
       DD statements must reflect the correct DB2 level for each
       release. In this situation, you must also use the sample
       SELECT or EXCLUDE statements to limit the DB2 subsystems to
       those matching the release of the STEPLIB libraries.
    
       By default, the job that is generated by CKAJVA99 is
       immediately submitted for execution. If you want to first
       look at the generated job, you can redirect the output from
       DDNAME STAGE2 to either a data set or to SYSOUT.
    
       The LOAD statements used to load the tables include keywords
       that reflect the static nature of the data, and that allow
       repeated loading of the tables. The relevant keywords are:
    
        LOAD DATA
             REPLACE
             REUSE
             LOG    NO
             NOCOPYPEND
    
       For more information on the meaning of these keywords, see
       the DB2 for z/OS Utility Guide and Reference.
    
     The example jobs use as input the following members in
     SCKRSAMP:
    
      CKAVA000
      --------
       This member contains the CARLa ALLOC statements required to
       specify the RACF input source and the CKFREEZE data set.
    
      CKAVA001
      --------
       This member contains the CARLa statements used to create user
       and group information records and the normal (non-effective)
       format of the DB2-object access matrix.
    
      CKAVA002
      --------
       This member contains the CARLa statements used to create the
       effective format of the DB2-object access matrix.
    
      CKAVALD0
      --------
       This member contains SQL LOAD statements to load the DB2
       tables.
    
      CKAVASQ0
      --------
       This member contains SQL statements for required simple
       post-processing of the normal format access matrix.
    
      CKAVASQ1
      --------
       This member contains SQL statements for required simple
       post-processing of the effective format access matrix.
    
      CKAVASQ9
      --------
       This member contains SQL statements for recording the status
       of the loading process.
    
     The DB2 functions use the standard DSNUTILB Utility program and
     the DSNTEP2 productivity-aid example program. These two utility
     programs must be available and bound for use. For more
     information on DB2 and the utilities see:
    
      - DB2 for z/OS Utility Guide and Reference
      - DB2 for z/OS SQL Reference
      - DB2 for z/OS Administration Guide
    210Y
    CKAJVA00
    CKAJVA01
    CKAJVA99
    CKAVALD0
    CKAVASQ0
    CKAVASQ1
    CKAVASQ9
    CKAVA000
    CKAVA001
    CKAVA002
    

Temporary fix

Comments

APAR Information

  • APAR number

    OA43532

  • Reported component name

    ZSEC BASE,ADMIN

  • Reported component ID

    5655T0100

  • Reported release

    210

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    YesSpecatt / New Function / Xsystem

  • Submitted date

    2013-10-08

  • Closed date

    2013-10-14

  • Last modified date

    2013-11-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    UA71059

Modules/Macros

  • CKAJVA00 CKAJVA01 CKAJVA99 CKAVALD0 CKAVASQ0
    CKAVASQ1 CKAVASQ9 CKAVA000 CKAVA001 CKAVA002
    

Fix information

  • Fixed component name

    ZSEC BASE,ADMIN

  • Fixed component ID

    5655T0100

Applicable component levels

  • R210 PSY UA71059

       UP13/10/22 P F310

Fix is available

  • Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.


Document Information

Modified date:
16 August 2024