AU.R.E - Evaluate

You can use option AU.R.E to report your compliance against one or more standards at the same time. You can also report on multiple complexes at the same time. If you are analyzing large systems, then the number of concurrent analyses might be limited by the amount of memory that is available to your TSO user ID (REGION session parameter).

On the main AU.R menu, type E on the Option line and press Enter. Figure 1 is displayed:

Figure 1. AU.R.E - Audit Compliance Evaluation menu
  Menu         Options       Info    Commands     Setup                        
-------------------------------------------------------------------------------
                         zSecure Admin+Audit for RACF - Audit - Evaluate 
Command ===> ________________________________________________________________
                                                                               
Specify evaluation standards to run:                                     
_  z/OS RACF STIG v6                   _  z/OS RACF STIG v8
_  z/OS Products STIG                  _  z/OS RACF PCI-DSS
_  z/OS RACF GSD                       _  z/OS zSecure extra

                                                                               
Evaluate rules applicable to systems that fit the following criteria           
Complex . . . . . . . . ________ (complex or filter)                          
System  . . . . . . . . ________ (system or filter)                           
                                                                               
Compliance result selection                                                    
 _  Compliant           _  Non-compliant    _  Overridden       _  Unknown
 _  Assertions due in  __  (number of days)                               
                                                                               
Output/run options
_  Show differences   _  Add object type summary
_  Print format          Send as e-mail                                        
      Background run     Include test details     Narrow print                 
Note: When local standards are defined in option Setup - Standards (SE.C), these standards are automatically added to the Specify evaluation standards to run section of the AU.R.E panel.
Perform the following steps:
  1. Select the standard or standards that you want to verify against:
    z/OS RACF STIG v6 - Security Technical Implementation Guide for IBM z/OS RACF version 6.x, published by the US Defense Information Systems Agency (DISA-STIG).
    z/OS RACF STIG v8 - Security Technical Implementation Guide for IBM z/OS RACF version 8.x, published by DISA.
    z/OS Products STIG - Security Technical Implementation Guide for z/OS products for RACF, published by DISA.
    z/OS RACF PCI-DSS - Payment Card Industry Data Security Standard.
    z/OS RACF GSD - IBM standard often employed in outsourcing (ISeC / GSD331).
    z/OS zSecure extra - Controls (rule sets) that are similar to STIG controls but apply to a different software product or component. Examples are the evaluation of tape management and of the configuration and settings of coupling facility structures.
  2. You can limit your report by selecting a Complex or System name or filter to be used.
  3. Select one or more compliance result options:
    • Compliant includes all compliant goal test results. If this field is tagged (with a /), the goal details in STDGOALS include the compliant goal tests that result from the selected standard evaluation. Unless you also select one of the other result selections, only compliant results are shown.
    • Non-compliant includes all non-compliant goal test results. If this field is tagged (with a /), the goal details in STDGOALS include the non-compliant goal tests that result from the selected standard evaluation. Unless you also select one of the other result selections, only non-compliant results are shown.
    • Overridden includes all compliant or non-compliant tests that an override has set to produce a fixed result.
    • Unknown includes all unknown goal test results. A goal test result is unknown when there is no calculated goal test result and the goal has no valid assertion. Unless you also select one of the other result selections, only unknown results are shown.
    • Assertions due in includes all tests that require an assertion; that is, tests for which no assertion record was found, or for which the assertion has expired or has been retracted. To also include tests whose assertion expires within the next nn days, fill in that number in the Assertions due in __ (number of days) field.
    If you do not select any compliance result option, all compliance results are reported.
  4. To include an Object type summary in the STDGOALS display report, select Add object type summary. This option adds a summary level that shows the newlist types that the evaluated object types belong to. The advantage of this summary level is that statistics about test objects from different newlist types are no longer combined in one statistic. For example, tests of ACL entries and tests of profile settings produce separate statistics instead of being counted together. These separate statistics report more accurately how many ACL entries and how many profiles are tested in the subject control.
  5. To compare the evaluation outcome of two input sets, select Show differences. See Compare processing for setting up the input sets and for selecting which compare outcomes you want to see. With the default compare options, an older input set allocated as the compare baseline, and a newer one allocated normally, selecting Show differences gives a quick overview of all evaluation results that changed between the creation of the two input sets.
    Note: The same compliance rules are run, and the same assertions are used, for both input sets. This is not a comparison of the evaluated results of a previous run against those of a later run. Selecting this option shows only the compliance result differences that are caused by a change in the system data.
  6. To receive a printed report or an e-mail, select Print format; otherwise, the report is shown in display format. To receive e-mail, also select Send as e-mail; the report is sent as MIME/HTML, as plain text, or as an attachment. To limit the page width to 79 characters (regardless of the actual print file record length), also select Narrow print.

    With Print format selected, two reports are produced: the compliance control summary and the compliance statistics for the tested objects. If you also select Include test details, an additional report is produced: each individual control on a separate page.

    Without Print format selected, three standard reports are displayed:
    • The STDRULES: Standard compliance summary shows the compliance control summary. This management summary can help to determine control compliance status or improvement.
    • The STDTYPES: Standard object type compliance summary shows the compliance statistics for tested objects. This management summary can help to determine object types compliance status or improvement.
    • The STDGOALS: Standard compliance goal test results shows the object test results sorted by control name. Non-compliant goal test results are sorted above compliant goal test results. These detailed compliance goal test results can help to determine what actions to take for which resources in order to improve the compliance status. Exempted objects are sorted at the bottom of the goal test results.
    You can use the display format to zoom in across the following levels:
    • Security complex level: shows the standards tested for each security database and systems related to that database.
    • Control level: shows the number of non-compliant objects per control.
    • Object level.
    • Individual goal test result overview level: allows asserting or overriding of the goal.
    • Detail level: shows the goal test results and configuration members. This level also allows asserting or overriding of the goal.
  7. Press Enter to generate the requested reports.
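The compliance result selection (step 3) and the Show differences option (step 5) are easiest to reason about as a small decision model. The following Python is an added illustration written for this page; it is not zSecure code or CARLa, and the record layout, the control names, the objects, the dates and the rule that a valid assertion makes an otherwise uncomputable goal count as compliant are all assumptions made here to demonstrate the documented semantics.

```python
"""Model of AU.R.E result selection and Show differences (illustrative, not zSecure code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

Key = Tuple[str, str]  # (control name, tested object)


@dataclass(frozen=True)
class Assertion:
    """Assertion record for one goal. expires=None means no expiry date."""
    expires: Optional[date]
    retracted: bool = False

    def valid_on(self, today: date) -> bool:
        # Expired or retracted assertions do not count (see the Assertions due in option)
        return not self.retracted and (self.expires is None or self.expires >= today)

    def due_within(self, today: date, days: int) -> bool:
        # Still valid, but expires within the requested number of days
        return (self.valid_on(today) and self.expires is not None
                and self.expires <= today + timedelta(days=days))


@dataclass(frozen=True)
class GoalTest:
    """One goal test result from an input set.
    calculated: True = compliant, False = non-compliant, None = no calculated result."""
    control: str
    obj: str
    calculated: Optional[bool]


def classify(t: GoalTest, assertions: Dict[Key, Assertion],
             overrides: Dict[Key, bool], today: date) -> str:
    """Result class as used by the Compliance result selection options."""
    key = (t.control, t.obj)
    if key in overrides:            # override forces a fixed result
        return "Overridden"
    if t.calculated is not None:
        return "Compliant" if t.calculated else "Non-compliant"
    a = assertions.get(key)
    if a is not None and a.valid_on(today):
        return "Compliant"          # assumption: a valid assertion counts the goal as met
    return "Unknown"                # no calculated result and no valid assertion


def needs_assertion(t: GoalTest, assertions: Dict[Key, Assertion],
                    today: date, due_in: Optional[int] = None) -> bool:
    """True when a test requires an assertion: none found, expired or retracted,
    or (when due_in is given) an assertion that expires within due_in days."""
    if t.calculated is not None:
        return False
    a = assertions.get((t.control, t.obj))
    if a is None or not a.valid_on(today):
        return True
    return due_in is not None and a.due_within(today, due_in)


def select(tests: Iterable[GoalTest], assertions: Dict[Key, Assertion],
           overrides: Dict[Key, bool], today: date, *,
           compliant: bool = False, non_compliant: bool = False,
           overridden: bool = False, unknown: bool = False,
           sel_assertions: bool = False, due_in: Optional[int] = None) -> List[GoalTest]:
    """Apply the panel's result selection. No option selected: report everything."""
    wanted = {name for name, on in (("Compliant", compliant), ("Non-compliant", non_compliant),
                                    ("Overridden", overridden), ("Unknown", unknown)) if on}
    if not wanted and not sel_assertions:
        return list(tests)
    return [t for t in tests
            if classify(t, assertions, overrides, today) in wanted
            or (sel_assertions and needs_assertion(t, assertions, today, due_in))]


def show_differences(baseline: Iterable[GoalTest], current: Iterable[GoalTest],
                     assertions: Dict[Key, Assertion], overrides: Dict[Key, bool],
                     today: date) -> Dict[Key, Tuple[Optional[str], Optional[str]]]:
    """Same rules, same assertions and overrides on both input sets; only goals whose
    result class differs (because the system data changed) are returned."""
    base = {(t.control, t.obj): classify(t, assertions, overrides, today) for t in baseline}
    cur = {(t.control, t.obj): classify(t, assertions, overrides, today) for t in current}
    return {k: (base.get(k), cur.get(k)) for k in base.keys() | cur.keys()
            if base.get(k) != cur.get(k)}


# Constructed sample data (control names, objects and dates are made up for this example)
TODAY = date(2024, 6, 1)
ASSERTIONS: Dict[Key, Assertion] = {
    ("CTL-1", "SETROPTS"): Assertion(expires=date(2024, 6, 10)),          # valid, due soon
    ("CTL-2", "SYS1.PARMLIB"): Assertion(expires=date(2024, 1, 1)),       # expired
    ("CTL-3", "JES2.PROC"): Assertion(expires=None, retracted=True),      # retracted
}
OVERRIDES: Dict[Key, bool] = {("CTL-4", "IBMUSER"): True}
BASELINE = [GoalTest("CTL-1", "SETROPTS", None), GoalTest("CTL-2", "SYS1.PARMLIB", None),
            GoalTest("CTL-3", "JES2.PROC", None), GoalTest("CTL-4", "IBMUSER", False),
            GoalTest("CTL-5", "SYS1.LINKLIB", True), GoalTest("CTL-6", "TSO.ACCT", True)]
CURRENT = [t if t.control != "CTL-6" else GoalTest("CTL-6", "TSO.ACCT", False) for t in BASELINE]

if __name__ == "__main__":
    for t in CURRENT:
        print(t.control, t.obj, classify(t, ASSERTIONS, OVERRIDES, TODAY))
    print("Show differences:", show_differences(BASELINE, CURRENT, ASSERTIONS, OVERRIDES, TODAY))
```

Note how CTL-4 is reported under Overridden rather than Non-compliant even though its calculated result fails, and how CTL-1 appears in the assertion selection only when a due-in window is given: these are the two cases that most often surprise people reading the STDGOALS counts.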
As an example, if you select one of the STIG standards and no other options, a panel like the following (sample) is displayed:
Figure 2. AU.R.E - Evaluate Display Selection panel
                  zSecure Suite Display Selection                   Line 1 of 3
 Command ===> _______________________________________________________ Scroll===> CSR 
                                                                               
   Name     Summary Records Title                                              
 _ STDRULES       1     384 Standard control compliance summary               
 _ STDTYPES       1      32 Standard object type compliance summary            
 _ STDGOALS       1   86876 Standard compliance test                           
 ******************************* Bottom of Data *******************************