Naming convention
As a first classification, the first three characters indicate the component or feature for which the script is intended:
| Prefix | Component or feature |
|---|---|
| CKA | zSecure Audit for RACF® |
| CKG | CKGRACF component zSecure Admin |
| CKQ | zSecure Adapters for SIEM |
| CKR | zSecure Admin |
| CKT | zSecure Audit for Top Secret |
| CKV | zSecure Manager for RACF z/VM® |
| CKX | zSecure Admin Execution Log |
| C2A | zSecure Audit for ACF2 |
| C2P | zSecure Alert |
| C2R | zSecure Visual or zSecure Admin and Audit common |
| C2X | zSecure RACF Exit Activator |
The fourth character represents the type of the script:
| Type code | Use |
|---|---|
| D | Interactive display queries (some can also be used to produce batch reports). |
| G | Members that contain DISA STIG rules. |
| H | Members that contain multi-standard syntax DISA STIG rules. |
| I | RULE statement imbed members. |
| L | Batch reports (not intended for interactive use). |
| O | Members containing GSD 331 / ISEC rules for systems outsourced to IBM. |
| P | Members containing PCI DSS rules. |
| R | Default layouts for CARLa REPORT commands (backwards compatibility). |
| S | Inclusion members with CARLa DEFINE statements for SMF or other logs. |
| V | Verify commands. |
| X | Used from the IBM Security zSecure ISPF interface. |
| Z | Members that contain zSecure extra rules. |
Naming conventions for DISA STIG SCKRCARL members
The last four characters of the SCKRCARL member are reserved and used to uniquely identify the controls or rules of a standard. The fifth and sometimes sixth characters identify the kind of rule. For example, the F in the fifth position of C%%%Fxxx is used for IFTP0xxx rules (that is, FTP). Table 3 lists the rule categories.
Besides automating rules from the STIG standard, zSecure also provides extensions to the STIG to test compliance for commercial products not covered by the standard ("STIG plus"). For example, the STIG provides rules for tape management protection for CA-1. zSecure also provides rules for the alternate software package RMM.
STIGv6 and STIGv8 use different rule identifiers (see AU.R.S - Subsets). For the STIGv6 naming conventions, see Table 3. For the STIGv8 naming conventions, see Table 4.
Table 3. STIGv6 naming conventions
| Rule Identifier | Category | Category ID |
|---|---|---|
| AAMV0xxx | Audit Management | M |
| ACF0xxx | CA ACF2 for z/OS | A |
| ACP00xxx | Access Control Program (ACP) | C |
| ICER%0xx | Digital Certificates | DC |
| IFTP0xxx | FTP Server | F |
| ISLG00xx | Syslog daemon | SD |
| ITCP%0xx | TCP/IP stack | TC |
| ITNT00xx | TN3270 Telnet Server | TN |
| IUTN00xx | z/OS UNIX Telnet Server | IU |
| RACF0xxx | IBM Resource Access Control Facility (RACF) | R |
| ZADT%0xx | CA Auditor for z/OS | AU |
| ZAID%0xx | Compuware Abend-AID | AA |
| ZCA1%0xx | CA 1 Tape Management | TM |
| ZCCS%0xx | CA Common Services | CS |
| ZCIC%0xx | IBM Customer Information Control System (CICS) | CI, CC |
| ZCLS%0xx | IBM CL/SuperSession | SS |
| ZCSL%0xx | Catalog Solution | CT |
| ZCTD%0xx | BMC Control-D | CD |
| ZCTM%0xx | BMC Control-M | CM |
| ZCTO%0xx | BMC Control-O | CO |
| ZCTR%0xx | BMC Control-M/Restart | CR |
| ZFDR%0xx | FDR (Fast Dump Restore) | FD |
| ZFEP00xx | Front End Processor (FEP) | FE |
| ZHCD%0xx | IBM Hardware Configuration Definition (HCD) | HD |
| ZHCK%0xx | IBM Health Checker for z/OS | HC |
| ZICS%0xx | IBM Integrated Crypto Service Facility (ICSF) | IC |
| ZIOA%0xx | BMC Integrated Operations Architecture (IOA) used by INCONTROL | OA |
| ZISF%0xx | IBM System Display and Search Facility (SDSF) | SF |
| ZJES00xx | Job Entry Subsystem (JES) | JE |
| ZMIC%0xx | CA MICS Resource Management | MC |
| ZMIM%0xx | CA MIM Resource Sharing | MI |
| ZMVZ%0xx | BMC MainView Systems Management | MV |
| ZNCP%0xx | Quest NC-Pass | NC |
| ZNET%0xx | IBM Z NetView for z/OS | NV |
| ZROS%0xx | Advantage CA-Roscoe | RS |
| ZSMS%0xx | IBM Data Facility Storage Management Subsystem (DFSMS) | SM |
| ZSMT%0xx | IBM Communications Simple Mail Transfer Protocol (CSSMTP) | MT |
| ZSRR%0xx | SRRAUDIT | SR |
| ZSSH00xx | SSH daemon | SH |
| ZTAD%0xx | IBM Tivoli Asset Discovery for z/OS (TADz) | AD |
| ZTDM%0xx | IBM Transparent Data Migration Facility (TDMF) | DM |
| ZTSO%0xx | Time Sharing Option (TSO) | TS |
| ZUSS%0xx | z/OS UNIX System Services (USS) | ZU |
| ZVSSR0xx | Vanguard Security Solutions (VSS) | VS |
| ZVTA%0xx | CA Vtape Virtual Tape System | VA |
| ZVTM00xx | Virtual Terminal Access Method (VTAM) | VT |
| ZWAS00xx | IBM WebSphere Application Server for z/OS (WAS) | WS |
| ZWMQ00xx | IBM MQ for z/OS | WM |
Table 4. STIGv8 naming conventions
| Rule Identifier | Category | Category ID |
|---|---|---|
| ACF2-CE | Digital Certificates | CE |
| ACF2-ES | External Security Manager (ESM) ACF2 | E |
| ACF2-FT | FTP Server | F |
| ACF2-IC | z/OS Integrated Crypto Service Facility (ICSF) | IC |
| ACF2-JS | Job Entry Subsystem (JES) | J |
| ACF2-OS | z/OS Audit Management | O |
| ACF2-SH | FTP Server | SH |
| ACF2-SL | Syslog daemon | SL |
| ACF2-SM | IBM Data Facility Storage Management Subsystem (DFSMS) | SM |
| ACF2-TC | TCP/IP stack | T |
| ACF2-TN | TN3270 Telnet Server | TN |
| ACF2-TS | Time Sharing Option (TSO) | TS |
| ACF2-US | z/OS UNIX System Services (USS) | U |
| ACF2-UT | z/OS UNIX Telnet Server | UT |
| ACF2-VT | Virtual Terminal Access Method (VTAM) | VT |
| RACF-CE | Digital Certificates | CE |
| RACF-ES | External Security Manager (ESM) RACF | E |
| RACF-FT | FTP Server | F |
| RACF-IC | z/OS Integrated Crypto Service Facility (ICSF) | IC |
| RACF-JS | Job Entry Subsystem (JES) | J |
| RACF-OS | z/OS Audit Management | O |
| RACF-SH | FTP Server | SH |
| RACF-SL | Syslog daemon | SL |
| RACF-SM | IBM Data Facility Storage Management Subsystem (DFSMS) | SM |
| RACF-TC | TCP/IP stack | T |
| RACF-TN | TN3270 Telnet Server | TN |
| RACF-TS | Time Sharing Option (TSO) | TS |
| RACF-US | z/OS UNIX System Services (USS) | U |
| RACF-UT | z/OS UNIX Telnet Server | UT |
| RACF-VT | Virtual Terminal Access Method (VTAM) | VT |
| TSS0-ES | External Security Manager (ESM) TSS | E |
| TSS0-FT | FTP Server | F |
| TSS0-IC | z/OS Integrated Crypto Service Facility (ICSF) | IC |
| TSS0-JS | Job Entry Subsystem (JES) | J |
| TSS0-OS | z/OS Audit Management | O |
| TSS0-SH | FTP Server | SH |
| TSS0-SL | Syslog daemon | SL |
| TSS0-SM | IBM Data Facility Storage Management Subsystem (DFSMS) | SM |
| TSS0-TC | TCP/IP stack | T |
| TSS0-TN | TN3270 Telnet Server | TN |
| TSS0-TS | Time Sharing Option (TSO) | TS |
| TSS0-US | z/OS UNIX System Services (USS) | U |
| TSS0-UT | z/OS UNIX Telnet Server | UT |
| TSS0-VT | Virtual Terminal Access Method (VTAM) | VT |
Naming conventions for GSD members
Every rule name is specified in the following form: F.x.y.z.w
The member name covers positions F through z. For example, the rule F.1.4.3.1 is in the CKAO143 member.
GSD control identifiers are used to uniquely identify GSD control members. Sometimes several GSD controls are merged into one member when the controls are interrelated and their control IDs exceed 4 characters. In this case, the first four characters of the control ID are used for naming the SCKRCARL member. For example, rules F.1.8.48.1, F.1.8.48.2, F.1.8.48.3, F.1.8.48.4, and F.1.8.48.5 are listed in the control member named CKAO1848.
Naming conventions for PCI-DSS SCKRCARL members
PCI-DSS consists of twelve security requirements. Each requirement further consists of sub-requirements, which are uniquely identified by requirement numbers. These requirement numbers are used in the naming of PCI-DSS SCKRCARL members for traceability. In general, PCI requirement X.Y.Z can be found in the C%AP%XYZ member. Alphabetic characters are used to count beyond 9. So, for example:
- RACF PCI-DSS v3.2 requirement 8.1.4 can be found in the SCKRCARL member CKAPC814.
- ACF2 PCI-DSS v2.0 requirement 8.5.10 could be found in the SCKRCARL member C2APB85A.
Note that when a version of the PCI-DSS standard gets deprecated by a new one, the related SCKRCARL members are also deprecated and no longer available in zSecure.
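The GSD and PCI-DSS member-name rules above can be checked mechanically when tracing an audit finding back to its SCKRCARL member. The following Python helper is an added example, not IBM code: the function names are hypothetical, only a subset of the prefix and type-code tables is included, and the continuation of the letter encoding past A (B=11, C=12, ...) is an assumption, since the page only shows 10 written as A.

```python
import string

# Subset of the prefix and type-code tables on this page.
PREFIXES = {"CKA": "zSecure Audit for RACF",
            "CKT": "zSecure Audit for Top Secret",
            "C2A": "zSecure Audit for ACF2"}
TYPES = {"G": "DISA STIG", "O": "GSD 331 / ISEC", "P": "PCI DSS"}
# Assumption: letters continue A=10, B=11, ...; the page only shows 10 -> A.
DIGITS = string.digits + string.ascii_uppercase


def gsd_member(rule, prefix="CKA"):
    """Map GSD rule F.x.y.z.w to its member name (positions F through z)."""
    parts = rule.split(".")
    if len(parts) != 5 or parts[0] != "F":
        raise ValueError(f"not a GSD rule name: {rule!r}")
    control_id = "".join(parts[1:4])[:4]  # only the first four characters
    return f"{prefix}O{control_id}"


def pci_member(requirement, prefix, fifth):
    """Map PCI requirement X.Y.Z to C%AP%XYZ; `fifth` fills the second %."""
    nums = [int(n) for n in requirement.split(".")]
    if len(nums) != 3 or not all(0 <= n < len(DIGITS) for n in nums):
        raise ValueError(f"cannot encode requirement: {requirement!r}")
    return f"{prefix}P{fifth}" + "".join(DIGITS[n] for n in nums)


def decode_member(name):
    """Split a member name into component, rule set and PCI requirement."""
    name = name.upper()
    if len(name) > 8 or name[:3] not in PREFIXES or name[3:4] not in TYPES:
        raise ValueError(f"unrecognized member name: {name!r}")
    info = {"component": PREFIXES[name[:3]], "rules": TYPES[name[3]]}
    if name[3] == "P":
        if len(name) != 8 or not name[5:].isalnum():
            raise ValueError(f"malformed PCI member name: {name!r}")
        info["requirement"] = ".".join(str(DIGITS.index(c)) for c in name[5:])
    return info


if __name__ == "__main__":
    for rule in ("F.1.4.3.1", "F.1.8.48.1", "F.1.8.48.5"):
        print(rule, "->", gsd_member(rule))
    print(pci_member("8.1.4", "CKA", "C"), pci_member("8.5.10", "C2A", "B"))
    print(decode_member("C2APB85A"))
```

GSD member names are only mapped in the forward direction: a member such as CKAO1848 cannot be split back into x.y.z unambiguously from the name alone.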