Privilege Level for IBM Z/OS Security Server RACF 2.x/3.x

What tools are needed to perform authenticated compliance scans for z/OS?  

Compliance scans require that the ZOAU (IBM Z Open Automation Utilities) package be installed on the z/OS target system(s). In addition, Qualys connects to z/OS over SSH and runs its commands in the z/OS UNIX shell.

What privileges are needed for authenticated compliance scans for z/OS?  

To perform authenticated scans of z/OS, the account used for scanning must have the following privileges and attributes:

  1. The ROAUDIT attribute (this is the minimum privilege).
  2. A z/OS UNIX shell assigned to the account (for example, /bin/sh).
  3. TSO access for the account.

How can I test privileges? 

Connect to the target system using an SSH tool and the compliance scan account, then execute the following command:

tsocmd "SETROPTS LIST"

The following is displayed:

QSCANPC:/u/qscanpc: >tsocmd "SETROPTS LIST"
SETROPTS LIST
IKJ56644I NO VALID TSO USERID, DEFAULT USER ATTRIBUTES USED
ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC) NOSAUDIT NOCMDVIOL NOOPERAUDIT
STATISTICS = DATASET DASDVOL GDASDVOL GTERMINL OPERCMDS TAPEVOL TERMINAL
AUDIT CLASSES = NONE
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM AIMS APPL CBIND CDT CIMS CONSOLE
                 CSFKEYS CSFSERV DASDVOL DIGTCERT DIGTRING DIMS DSNR EJBROLE
                 FACILITY FIELD GCSFKEYS GDASDVOL GEJBROLE GIMS GSDSF
                 GXCSFKEY GXFACILI GZMFAPLA JESJOBS JESSPOOL LDAP OPERCMDS
                 PERFGRP PTKTDATA PTKTVAL RIMS SDSF SERVAUTH SERVER STARTED
                 SURROGAT TIMS TSOAUTH TSOPROC UNIXPRIV WBEM XCSFKEY XFACILIT
                 ZMFAPLA ZMFCLOUD
GENERIC PROFILE CLASSES =  DATASET ACCTNUM ACICSPCT AIMS APPL CCICSCMD
                           CONSOLE CSFKEYS CSFSERV DASDVOL DCICSDCT DSNR
                           EJBROLE FACILITY FCICSFCT FIELD FIMS GMBR JCICSJCT
                           JESJOBS JESSPOOL LDAP MCICSPPT MGMTCLAS NODES
                           NODMBR OIMS OPERCMDS PCICSPSB PERFGRP PIMS
                           PMBR PROPCNTL PTKTDATA PTKTVAL RCICSRES SCDMBR
                           SCICSTST SDSF SERVAUTH SERVER SIMS STARTED
                           STORCLAS SURROGAT TAPEVOL TCICSTRN TERMINAL
                           TIMS TSOAUTH TSOPROC VMBATCH VMBR VMCMD VMMDISK
                           VMNODE VMRDR VXMBR XCSFKEY XFACILIT ZMFAPLA

If you receive output like the listing above, the account is set up properly. If you receive an error or no output, the account is not set up properly or the TSO command tools (ZOAU) are not installed on the target.

Steps to create a scan user on the system

Log in to the z/OS system using the following command:

ssh <username>@1XX.XX.XXX.XX2 -p <port>

QSCANPC:/u/qscanpc: >tsocmd "ADDUSER SCANNER1 Password(<password>)"

Log in to the system using the newly created user ID and change the password (recommended for first-time logins to the system).

To assign the ROAUDIT attribute to the new user ID:

QSCANPC:/u/qscanpc: >tsocmd "ALTUSER SCANNER1 ROAUDIT"

The ROAUDIT attribute can be assigned only by a user who has the SPECIAL attribute, and a SPECIAL user can execute any RACF command.

Sample authentication record:

<SSH2>
    <RECORD>
        <AUTH_ID>MTQzOTkx</AUTH_ID>
        <AUTH_NAME>VGFyZ2V0X3R5cGVfSW50ZXJhY3RpdmVfYXV0aA==</AUTH_NAME>
        <IP_RANGE>IP_ADDRESS</IP_RANGE>
        <USERNAME>base64_encoded_username</USERNAME>
        <TARGET_TYPE>Wk9TX1JBQ0ZfMg==</TARGET_TYPE>
        <USERPASS>
            <PW_INFO>
                <PASSWORD>base64_encoded_password</PASSWORD>
            </PW_INFO>
        </USERPASS>
        <PASSWORD2>
            <PW_INFO>
                <PASSWORD></PASSWORD>
            </PW_INFO>
        </PASSWORD2>
    </RECORD>
</SSH2>

To access the target type, navigate to Scans > Authentication > New > Operating Systems > Unix.

CA Certificates

CIS Requirement - CIS IBM z/OS V2R5 RACF - 1.2.12.

Ensure that no expired digital certificates are used.

An account that has only the ROAUDIT attribute cannot obtain the output of the RACDCERT command used by this control (DPID: 830992/CID: 30605).

To remediate this issue, refer to the following steps:

  1. Using an administrator user (for example IBMUSER, or any user with the SPECIAL attribute), grant the scan user (for example SCANNER1) CONTROL access to the IRR.DIGTCERT.LIST resource in the FACILITY class. (Note: only read operations are performed; no UPDATE or ALTER operation is carried out.)
    tsocmd "PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(SCANNER1) ACCESS(CONTROL)"
    tsocmd "SETROPTS RACLIST(FACILITY) REFRESH"
  2. Log in as SCANNER1 and validate the command output:
    tsocmd "RACDCERT CERTAUTH LIST"

    The following is displayed:

    SCANNER1:/u: >tsocmd "RACDCERT CERTAUTH LIST"
    RACDCERT CERTAUTH LIST
    IKJ56644I NO VALID TSO USERID, DEFAULT USER ATTRIBUTES USED
     

    Digital certificate information for CERTAUTH:

    Label: Verisign Class 3 Primary CA
    Certificate ID: 2QiJmZmDhZmjgeWFmYmiiYeVQMOTgaKiQPNA15mJlIGZqEDDwUBA
    Status: NOTRUST
    Start Date: 1996/01/28 19:00:00 
    End Date:   2028/08/01 18:59:59
    Serial Number:
        >70BAE41D10D92934B638CA7B03CCBABF<
    Issuer's Name:
    >OU=Class 3 Public Primary Certification Authority.O=VeriSign, Inc..C=<
    >US<
    Subject's Name:
    >OU=Class 3 Public Primary Certification Authority.O=VeriSign, Inc..C=<
    >US<
    Signing Algorithm: md2RSA
    Key Type: RSA
    Key Size: 1024
    Private Key: NO
    Certificate Fingerprint (SHA256):
    E7:68:56:34:EF:AC:F6:9A:CE:93:9A:6B:25:5B:7B:4F:
    AB:EF:42:93:5B:50:A2:65:AC:B5:CB:60:27:E4:4E:70

    Ring Associations:
    *** No rings associated ***
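As an added example (it is not part of the original page or of the Qualys scanner), the following Python parser reads the RACDCERT CERTAUTH LIST output shown above and flags the entries that CIS 1.2.12 is concerned with: certificates whose End Date has already passed. The field names come from the listing on this page; the second certificate in the sample is constructed, and the first is the page's VeriSign entry.

```python
from datetime import datetime

# Constructed sample modelled on the RACDCERT CERTAUTH LIST output shown above:
# the page's VeriSign entry plus a made-up, already-expired CA entry.
SAMPLE_RACDCERT_OUTPUT = """\
RACDCERT CERTAUTH LIST

Label: Verisign Class 3 Primary CA
Status: NOTRUST
Start Date: 1996/01/28 19:00:00
End Date:   2028/08/01 18:59:59
Serial Number:
    >70BAE41D10D92934B638CA7B03CCBABF<
Key Size: 1024

Label: Old Root CA (constructed)
Status: TRUST
Start Date: 2005/03/01 00:00:00
End Date:   2020/03/01 23:59:59
Key Size: 2048
"""

# Only these "Name: value" fields are kept; serial numbers, DNs and fingerprints
# are skipped because they span several lines and themselves contain colons.
FIELDS = ("Label", "Status", "Start Date", "End Date", "Key Size")
DATE_FMT = "%Y/%m/%d %H:%M:%S"

def parse_racdcert_list(text):
    """Return one dict per certificate; each 'Label:' line starts a new entry."""
    certs, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key = key.strip()
        if not sep or key not in FIELDS:
            continue
        if key == "Label":
            current = {}
            certs.append(current)
        if current is not None:
            current[key] = value.strip()
    return certs

def expired_certauth(text, as_of=None):
    """CIS IBM z/OS V2R5 RACF 1.2.12 check: (label, end date, status) for every
    CERTAUTH entry whose End Date is before as_of ('YYYY/MM/DD HH:MM:SS', default now)."""
    now = datetime.strptime(as_of, DATE_FMT) if as_of else datetime.now()
    return [(c["Label"], c["End Date"], c.get("Status", ""))
            for c in parse_racdcert_list(text)
            if "End Date" in c and datetime.strptime(c["End Date"], DATE_FMT) < now]
```

Feed it the real output captured over SSH (`tsocmd "RACDCERT CERTAUTH LIST"`) to get the list of expired CERTAUTH entries; a NOTRUST status is reported alongside so that entries already marked untrusted can be told apart from ones still in use.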

Opercmd Command Prerequisites for Minimum-Privilege Users (Without System-Wide Modifications)

Create a home directory for the Scan User and give appropriate permissions to the user.

mkdir /u/SCANNER1
chown -R SCANNER1 /u/SCANNER1

Update the OMVS segment of the scan user with its home directory and shell:

tsocmd "ALTUSER SCANNER1 NAME('Scan User') OMVS(HOME('/u/SCANNER1') PROGRAM('/bin/sh'))"

To make the opercmd environment persistent, add the following variables to the scan user's ~/.profile file:

export ZOAU_HOME=/VERSYSB/usr/lpp/IBM/zoautil
export PATH=$ZOAU_HOME/bin:$PATH
export LIBPATH=$ZOAU_HOME/lib:$LIBPATH
export _BPXK_AUTOCVT=ON

To make the changes effective in the current login session, source the profile file from the user's home directory:

. ~/.profile

Grant READ access to the MVS.DISPLAY.* resource (OPERCMDS class) and the GROUP.ISFOPER.* resource (SDSF class), refreshing the RACLISTed class after each PERMIT:

tsocmd "PERMIT MVS.DISPLAY.* CLASS(OPERCMDS) ID(SCANNER1) ACCESS(READ)" && tsocmd "SETROPTS RACLIST(OPERCMDS) REFRESH"
tsocmd "PERMIT GROUP.ISFOPER.* CLASS(SDSF) ID(SCANNER1) ACCESS(READ)" && tsocmd "SETROPTS RACLIST(SDSF) REFRESH"

If the class or resource profile does not exist by default, it can be created with the following steps:

# Define the class (if not already defined)
tsocmd "RDEFINE RACF OPERCMDS UACC(NONE)"
tsocmd "RDEFINE RACF SDSF UACC(NONE)"

# Activate the class
tsocmd "SETROPTS CLASSACT(OPERCMDS)"
tsocmd "SETROPTS CLASSACT(SDSF)"

# Refresh the RACLISTed profiles (if the class is RACLISTed)
tsocmd "SETROPTS RACLIST(OPERCMDS) REFRESH"
tsocmd "SETROPTS RACLIST(SDSF) REFRESH"

# Define the resource profiles
tsocmd "RDEFINE OPERCMDS MVS.DISPLAY.* UACC(NONE)"
tsocmd "RDEFINE SDSF GROUP.ISFOPER.* UACC(NONE)"

# Grant the scan user READ access
tsocmd "PERMIT MVS.DISPLAY.* CLASS(OPERCMDS) ID(SCANNER1) ACCESS(READ)"
tsocmd "PERMIT GROUP.ISFOPER.* CLASS(SDSF) ID(SCANNER1) ACCESS(READ)"

# Refresh RACLIST
tsocmd "SETROPTS RACLIST(OPERCMDS) REFRESH"
tsocmd "SETROPTS RACLIST(SDSF) REFRESH"

# Check that the classes are active
tsocmd "SETROPTS LIST"

# Validate the profiles
tsocmd "RLIST OPERCMDS MVS.DISPLAY.* ALL"
tsocmd "RLIST SDSF GROUP.ISFOPER.* ALL"
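As an added example (not part of the original page or of the Qualys tooling), the following Python check parses the output of `tsocmd "SETROPTS LIST"`, which both the "How can I test privileges?" section and the "Check that the classes are active" step above rely on, and reports which of the classes used by this page's procedures are not active. The sample listing is constructed from the SETROPTS LIST output shown earlier on the page.

```python
import re

# Constructed excerpt of `tsocmd "SETROPTS LIST"` output, modelled on the listing
# shown earlier on this page; continuation lines are indented, as RACF prints them.
SAMPLE_SETROPTS_OUTPUT = """\
SETROPTS LIST
IKJ56644I NO VALID TSO USERID, DEFAULT USER ATTRIBUTES USED
ATTRIBUTES = INITSTATS WHEN(PROGRAM -- BASIC) NOSAUDIT NOCMDVIOL NOOPERAUDIT
STATISTICS = DATASET DASDVOL GDASDVOL GTERMINL OPERCMDS TAPEVOL TERMINAL
AUDIT CLASSES = NONE
ACTIVE CLASSES = DATASET USER GROUP ACCTNUM AIMS APPL CBIND CDT CIMS CONSOLE
                 CSFKEYS CSFSERV DASDVOL DIGTCERT DIGTRING DIMS DSNR EJBROLE
                 FACILITY FIELD GCSFKEYS GDASDVOL GEJBROLE GIMS GSDSF
                 GXCSFKEY GXFACILI GZMFAPLA JESJOBS JESSPOOL LDAP OPERCMDS
                 PERFGRP PTKTDATA PTKTVAL RIMS SDSF SERVAUTH SERVER STARTED
                 SURROGAT TIMS TSOAUTH TSOPROC UNIXPRIV WBEM XCSFKEY XFACILIT
GENERIC PROFILE CLASSES =  DATASET ACCTNUM ACICSPCT AIMS APPL CCICSCMD
                           CONSOLE CSFKEYS CSFSERV DASDVOL DCICSDCT DSNR
"""

def parse_setropts_sections(text):
    """Map each 'NAME = ...' section of SETROPTS LIST to its list of tokens,
    folding indented continuation lines into the section that precedes them."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Z][A-Z ]*?)\s*=\s*(.*)$", line)
        if m:
            current = m.group(1).strip()
            sections[current] = m.group(2).split()
        elif current and line.startswith(" "):
            sections[current].extend(line.split())
        else:
            current = None
    return sections

# Classes the procedures on this page rely on: FACILITY (IRR.DIGTCERT.LIST),
# OPERCMDS (MVS.DISPLAY.*) and SDSF (GROUP.ISFOPER.*).
REQUIRED_CLASSES = ("FACILITY", "OPERCMDS", "SDSF")

def missing_active_classes(text, required=REQUIRED_CLASSES):
    """Return the required classes absent from ACTIVE CLASSES; raise if the text
    is not a SETROPTS LIST listing (no TSO access, or ZOAU tools not installed)."""
    sections = parse_setropts_sections(text)
    if "ATTRIBUTES" not in sections:
        raise ValueError("no SETROPTS LIST output: check TSO access and the ZOAU install")
    active = set(sections.get("ACTIVE CLASSES", []))
    return [c for c in required if c not in active]
```

Run it against the listing captured from the scan account; an empty result means every class the page's PERMIT commands target is active, while a ValueError reproduces the "error or no output" condition described in the privilege test.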

If you can run the following command and get output like the sample shown, your setup is complete:

SCANNER1:/u/SCANNER1: >opercmd "D PPT"
S0W1      2025212  08:50:11.64             ISF031I CONSOLE SCANNER1 ACTIVATED
S0W1      2025212  08:50:11.64            -D PPT
S0W1      2025212  08:50:11.64             IEF386I 08.50.11 DISPLAY PPT 636
                                           Parmlib Values
                                           PgmName  NC NS PR ST ND BP Key 2P 1P NP NH CP DA PA
                                           CBROAM    .  Y  .  Y  .  .  5   .  .  .  .  .  .  .
                                           CSQXJST   .  .  .  .  .  .  8   .  .  .  .  .  .  .
....