Configuring IBM RACF that uses audit scripts to integrate with IBM QRadar
IBM® QRadar® uses scripts to audit events from IBM RACF® installations, which are collected by using the Log File protocol.
Procedure
- Download the qexracf_bundled.tar.gz from the IBM support website.
- On a Linux®-based
operating system, use the following command to extract the file:
tar -zxvf qexracf_bundled.tar.gzThe following files are contained in the archive:
- qexracf_jcl.txt
- qexracfloadlib.trs
- qexracf_trsmain_JCL.txt
- Load the files onto the IBM mainframe
by using any terminal emulator file transfer method.
Upload the qexracf_trsmain_JCL.txt and qexracf_jcl.txt files by using the TEXT protocol.
Upload the QexRACF loadlib.trs file by using binary mode and append to a preallocated data set. The QexRACF loadlib.trs file is a tersed file that contains the executable (the mainframe program QEXRACF).
When you upload the .trs file from a workstation, preallocate a file on the mainframe with the following DCB attributes: DSORG=PS, RECFM=FB, LRECL=1024, BLKSIZE=6144. The file transfer type must be binary mode and not text.
- Customize the qexracf_trsmain_JCL.txt file
according to your installation-specific requirements.
The qexracf_trsmain_JCL.txt file uses the IBM utility Trsmain to decompress the program that is stored in the QexRACF loadlib.trs file.
The following is an example of the qexracf_trsmain_JCL.txt file includes the following code:
//TRSMAIN JOB (yourvalidjobcard),Q1labs, // MSGCLASS=V //DEL EXEC PGM=IEFBR14 //D1 DD DISP=(MOD,DELETE),DSN=<yourhlq>.QEXRACF.TRS // UNIT=SYSDA, // SPACE=(CYL,(10,10)) //TRSMAIN EXEC PGM=TRSMAIN,PARM='UNPACK' //SYSPRINT DD SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA) //INFILE DD DISP=SHR,DSN=<yourhlq>.QEXRACF.TRS //OUTFILE DD DISP=(NEW,CATLG,DELETE), // DSN=<yourhlq>.LOAD, // SPACE=(CYL,(10,10,5),RLSE),UNIT=SYSDA //You must update the file with your installation specific information for parameters, such as, jobcard, data set naming conventions, output destinations, retention periods, and space needs.
The .trs input file is an IBM TERSE formatted library and is extracted by running the JCL, which calls the TRSMAIN. This tersed file, when extracted, creates a PDS linklib with the QEXRACF program as a member.
- You can STEPLIB to this library or choose to move the program to one of the LINKLIBs that are in the LINKLST. The program does not require authorization.
- When the upload is complete, copy the program to an existing link listed library or add a STEPLIB DD statement that has the correct dataset name of the library that will contain the program.
- The qexracf_jcl.txt file is a text
file that contains a sample JCL deck to provide you with
the necessary JCL to run the IBM IRRADU00
utility. This allows QRadar to
obtain the necessary IBM RACF events. Configure the job
card to meet your local standards.
An example of the qexracf_jcl.txt file has the following code.
//QEXRACF JOB (<your valid jobcard>),Q1LABS, // MSGCLASS=P, // REGION=0M //* //*QEXRACF JCL version 1.0 April 2009 //* //************************************************************* //* Change below dataset names to sites specific datasets names * //************************************************************* //SET1 SET SMFOUT='<your hlq>.CUSTNAME.IRRADU00.OUTPUT', // SMFIN='<your SMF dump ouput dataset>', // QRACFOUT='<your hlq>.QEXRACF.OUTPUT' //************************************************************* //* Delete old datasets * //************************************************************* //DEL EXEC PGM=IEFBR14 //DD2 DD DISP=(MOD,DELETE),DSN=&QRACFOUT, // UNIT=SYSDA, // SPACE=(TRK,(1,1)), // DCB=(RECFM=FB,LRECL=80) //************************************************************* //* Allocate new dataset *//************************************************************* //ALLOC EXEC PGM=IEFBR14 //DD1 DD DISP=(NEW,CATLG),DSN=&QRACFOUT, // SPACE=(CYL,(1,10)),UNIT=SYSDA, // DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144) //************************************************************ //* Execute IBM IRRADU00 utility to extract RACF smf records * //************************************************************* //IRRADU00 EXEC PGM=IFASMFDP //SYSPRINT DD SYSOUT=* //ADUPRINT DD SYSOUT=* //OUTDD DD DSN=&SMFOUT,SPACE=(CYL,(100,100)),DISP=(,CATLG), // DCB=(RECFM=FB,LRECL=8192,BLKSIZE=40960), // UNIT=SYSALLDA //SMFDATA DD DISP=SHR,DSN=&SMFIN //SMFOUT DD DUMMY //SYSIN DD *INDD(SMFDATA,OPTIONS(DUMP)) OUTDD(SMFOUT,TYPE(30:83)) ABEND(NORETRY) USER2(IRRADU00) USER3(IRRADU86) /* //EXTRACT EXEC PGM=QEXRACF,DYNAMNBR=10, // TIME=1440 //*STEPLIB DD DISP=SHR,DSN= <the loadlib containing the QEXRACF program if not in LINKLST> //SYSTSIN DD DUMMY //SYSTSPRT DD SYSOUT=* //SYSPRINT DD SYSOUT=* //RACIN DD DISP=SHR,DSN=&SMFOUT //RACOUT DD DISP=SHR,DSN=&QRACFOUT // //************************************************************* //* FTP Output file from C program (Qexracf) to an FTP server * //* QRadar will go to that FTP Server to get file * //* Note you need to replace <user>, <password>,<serveripaddr>* //* <THEIPOFTHEMAINFRAMEDEVICE> and <QEXRACFOUTDSN> * //************************************************************* //*FTP EXEC PGM=FTP,REGION=3800K //*INPUT DD * //*<FTPSERVERIPADDR> //*<USER> //*<PASSWORD> //*ASCII //*PUT '<QEXRACFOUTDSN>' /<THEIPOFTHEMAINFRAMEDEVICE>/<QEXRACFOUTDSN> //*QUIT //*OUTPUT DD SYSOUT=* //*SYSPRINT DD SYSOUT=* //* //* - After the output file is created, you must send this file
to an FTP server. This action ensures that every time you run the utility, the output file is sent to a specific FTP server for processing at the end of the script. If the z/OS® platform is configured to serve files through FTP or SFTP, or allow SCP, then no interim server is needed and QRadar can pull those files directly from the mainframe. If an interim FTP server is needed, QRadar requires a unique IP address for each IBM RACF log source or they are joined as one system.