ASSERT
| Admin | Visual | IBM Z Security and Compliance Center | Audit RACF | Audit ACF2 | Audit Top Secret | Alert | Adapters for SIEM | Manager RACF z/VM |
| ▪ | ▪ | ▪ | ▪ |
The ASSERT command can be used to record the result of a compliance assertion goal (or test) through CARLa. Assertions can also be performed through the user interface (UI), but the ASSERT command allows more flexibility. The syntax is the same as for OVERRIDE (the OVERRIDE command can be used to override a compliance goal test finding).
The results of compliance assertion goal tests are stored in the assertion log file if a SAVE TYPE=ASSERT DD=filename command or an ALLOC TYPE=ASSERT DSNPREF=prefix SAVE command is present. For an interactive UI session, the action command A (Assert) is typically used instead of this command (on newlist types ASSERT, COMPLIANCE, and STANDARD).
The command has two variants.

- In the first variant, called a configuration assertion, SENSTYPE, CLASS, and RESOURCE must be specified. It defines which objects must be considered to have the indicated sensitivity type. The RESOURCE parameter can contain a list of resource name patterns, separated by blanks. The patterns are interpreted according to the current OPTION MASKTYPE. A more recent configuration assertion replaces any prior assertion for the same SENSTYPE.

  ASSERT AS(CONFIG) SENSTYPE(type) CLASS=class RESOURCE=mask VERSION(version) [BY(name|quotedstring)] [COMMENT(quotedstring)]

- In the second variant, at minimum, AS and VERSION must be specified. The order of the parameters is irrelevant:
  - CONTROL, RULE_SET, RULE, GOAL, TEST
    - CONTROL (or RULE_SET), RULE, and GOAL (or TEST) identify the particular goal for which the assertion is done.
  - STANDARD, VERSION
    - Document which standard name and version were current when the assertion was done.
  - COMPLEX, SYSTEM, CLASS, RESOURCE, PROFTYPE, VOLSER_KEY
    - Identify the object for which the assertion is done.

  An ASSERT with the same parameters (except for the new AS state) as an older ASSERT statement or assertion record in the assertion files overrides the older state.

  ASSERT [{GOAL|TEST}(name)] [{CONTROL|RULE_SET}(name)] [RULE(name)] [STANDARD(name)] VERSION(version) [COMPLEX(name)] [SYSTEM(name)] [CLASS(class)] [RESOURCE(resource)] [PROFTYPE(proftype)] [VOLSER_KEY(volser)] AS({RETRACTED|COMPLIANT|NONCOMPLIANT}) [BY(name|quotedstring)] [ENDDATE(date)] [COMMENT(quotedstring)]
- AS
- The state being asserted at this time. It can be COMPLIANT, NONCOMPLIANT, or RETRACTED in combination with object identification fields. It can be CONFIG only in combination with a SENSTYPE field. AS(RETRACTED) retracts only a prior assertion with exactly the same object and goal identification fields; an earlier assertion made with a different set of identification fields is left in place.
- CLASS
- The class of the object that the assertion applies to. It is part of the object identification fields COMPLEX SYSTEM CLASS RESOURCE PROFTYPE VOLSER_KEY. If omitted, it applies to all objects that satisfy the other object identification fields of the command.
- COMMENT
- A string to add to the assertion as a clarification; for example, the name of an internal procedure document, a URL, or an explanation of how the assertion was performed.
- COMPLEX
- The name of the complex (set of systems sharing a security database) where the object must reside. It is part of the object identification fields COMPLEX SYSTEM CLASS RESOURCE PROFTYPE VOLSER_KEY. If omitted, it applies to all objects that satisfy the other object identification fields of the command.
- CONTROL, RULE_SET
- The name of the control that the assertion applies to; RULE_SET is an alternative name for this parameter. It is part of the goal identification fields CONTROL, RULE, and GOAL. If omitted, it applies to all goals that satisfy the other goal identification fields of the command.
- ENDDATE
- Latest date by which re-assertion is required. It can be omitted.
- GOAL, TEST
- The name of the goal that the assertion applies to; TEST is an alternative name for this parameter. It is part of the goal identification fields CONTROL, RULE, and GOAL. If omitted, it applies to all goals that satisfy the other goal identification fields of the command.
- PROFTYPE
- The profile type of the object that the assertion applies to. It is part of the object identification fields COMPLEX SYSTEM CLASS RESOURCE PROFTYPE VOLSER_KEY. If omitted, it applies to all objects that satisfy the other object identification fields of the command.
- RESOURCE
- The name of the object that the assertion applies to. It is part of the object identification fields COMPLEX SYSTEM CLASS RESOURCE PROFTYPE VOLSER_KEY. If omitted, it applies to all objects that satisfy the other object identification fields of the command. For a configuration assertion, this string can contain a single quoted string that contains a list of resource name masks separated by a blank.
- RULE
- The name of the rule that the assertion applies to. It is part of the goal identification fields CONTROL, RULE, and GOAL. If omitted, it applies to all goals that satisfy the other goal identification fields of the command.
- SENSTYPE
- The sensitivity type that an ASSERT AS(CONFIG) applies to. No goal identification parameters are allowed. CLASS and RESOURCE are the only object identification fields that are allowed.
- STANDARD
- The name of the standard that the goal applies to. It is stored in the assertion record but ignored; an assertion automatically applies to all standards that have matching CONTROL, RULE, and GOAL names.
- SYSTEM
- The name of the system where the object must reside. It is part of the object identification fields COMPLEX SYSTEM CLASS RESOURCE PROFTYPE VOLSER_KEY. If omitted, it applies to all objects that satisfy the other object identification fields of the command.
- VERSION
- The version of the standard that the assertion applies to. This records which version of the goal description and rule domain describes what was asserted. This allows you to find assertions that must be redone because the description or rule domain changed.
- VOLSER_KEY
- The main volume serial of the object that the assertion applies to. It is part of the object identification fields COMPLEX SYSTEM CLASS RESOURCE PROFTYPE VOLSER_KEY. If omitted, it applies to all objects that satisfy the other object identification fields of the command.
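The following CARLa fragment is an added example, not code from the product documentation. It puts both variants together: the assertion log file is made available with ALLOC TYPE=ASSERT ... SAVE, a goal is asserted COMPLIANT for one data set profile, that same assertion is later retracted with an ASSERT that repeats the identical identification fields, and a configuration assertion assigns a sensitivity type to a list of resource masks. The control, rule, goal, standard, complex, system, sensitivity type and data set names, the BY value, and the ENDDATE format are all assumptions chosen for illustration; substitute the names used by your standard.

```carla
/* Added example (not product documentation). All names below are   */
/* assumptions for illustration: AC-3, DSN_PROT, UACC_NONE, MYSTD,  */
/* PLEX1, SYS1, SITE_SENSITIVE, the data set names, and the date    */
/* format used for ENDDATE.                                         */

/* Allocate the assertion log file under a prefix and save to it,   */
/* otherwise the assertions below are not recorded.                 */
alloc type=assert dsnpref=MYUSER.ZSECURE save

/* Assert that a specific DATASET profile satisfies the goal.       */
/* STANDARD is recorded but not used for matching; VERSION records  */
/* which goal description was current so stale assertions can be   */
/* found later. A trailing comma continues the command.            */
assert control(AC-3) rule(DSN_PROT) goal(UACC_NONE)                 ,
       standard(MYSTD) version(2)                                   ,
       complex(PLEX1) system(SYS1)                                  ,
       class(DATASET) resource(SYS1.PARMLIB)                        ,
       as(compliant) by('Security team')                            ,
       enddate(2025-12-31)                                          ,
       comment('Verified manually per internal procedure SEC-017')

/* Retract it: the object and goal identification fields must match */
/* the earlier assertion exactly, or nothing is retracted.          */
assert control(AC-3) rule(DSN_PROT) goal(UACC_NONE) version(2)      ,
       complex(PLEX1) system(SYS1)                                  ,
       class(DATASET) resource(SYS1.PARMLIB)                        ,
       as(retracted) by('Security team')                            ,
       comment('Profile changed; re-check required')

/* Configuration assertion: mark all resources matching the masks   */
/* as having sensitivity type SITE_SENSITIVE. Only CLASS and        */
/* RESOURCE identify objects here; no goal fields are allowed. A    */
/* later AS(CONFIG) for the same SENSTYPE replaces this one.        */
assert as(config) senstype(SITE_SENSITIVE) class=DATASET            ,
       resource='PROD.PAYROLL.** PROD.HR.**' version(2)             ,
       by('Security team')                                          ,
       comment('Site-specific sensitive data sets')
```

The RESOURCE masks in the configuration assertion are interpreted according to the OPTION MASKTYPE in effect when the command runs, so keep the mask style consistent with the rest of the CARLa script that defines the standard.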