Dive into the strengths of CARLa Audit Report Language as a powerful data extraction tool for creating reports, TSO commands, ISPF displays, XML documents, CSV files, and more. Learn about format changes, special output formats, and tricks for manipulating data lengths effectively.
The Many Faces of CARLa Data
Mark S Hahn, Level 2 Technical Support, zSecure
August 18, 2008
CARLa's strengths
• CARLa – CARLa Audit Report Language
• Powerful data extraction tool
• From selected ESM data sets, SMF, CKFREEZE and user-defined data it
• Creates reports, TSO commands, ISPF displays, XML documents, CSV files and more
(Diagram: USER, ESM, SMF and CKFREEZE inputs feed CKRCARLA, which produces XML, W7, CSV, TSO commands and reports)
Dozens of formats
• Reference: LIST family of commands
• Implicit / Explicit
• Page layouts not covered (e.g. CONDPAGE, KEY, NOMODIFY)
• Format changes do not affect the value (contents)
• Length changes can affect format
• Exploitable / tricky applications
• Special output formats useful in building TSO commands named '$xxx'
• fieldname(length,format,modifier,'header'…)
What are some fields?
• Date / Time
  • Local variations
• Text (userid, resource names, pathnames)
  • Upper / lower case?
• Binary
  • Storage addresses
  • Flags
  • IP addresses
  • Octets
  • z/OS UNIX directory entries
Tricks with length
• Length can change the data format
  • LJDATE     DD MMM YYYY
  • LJDATE(5)  DDMMM
  • LJDATE(8)  DDMMMYY

  Newlist Type=racf Outlim=10
  Select class=user ljdate>today-35
  Sortlist key(8,'user') ljdate '|' ljdate(5) '|' ,
           ljdate(8)

  user     LastUseDate   LastU   LastUseD
  AXRSTC   25 Jun 2008 | 25Jun | 25Jun08
  IBMWROB  24 Jul 2008 | 24Jul | 24Jul08
  IBMWSC2  25 Jun 2008 | 25Jun | 25Jun08
  IBMXDV1  23 Jun 2008 | 23Jun | 23Jun08
More tricks with length
• Length(1)
  • Only the first character
  • Very valuable where "real estate" is scarce: the RA.U display is used in multiple places
  • SOA: Security-Operations-Auditor
  • Used with | to prevent spaces between fields (SOA vs. S O A)

  Users like IBMX*                                        25 Jul 2008 00:46
  User     Complex Name              DfltGrp Owner RIRP SOA gC LCX Grp
  IBMXAHI  DEMO    ADAM HEWITT       IBMX    IBMX   I   S      X     2
  IBMXAH2  DEMO    ADAM HEWITT       IBMX    IBMX  RI   A      X     2
  IBMXCICS DEMO    TEST CICS         IBMX    IBMX  RI          X     2
  IBMXCV1  DEMO    CHRIS A. VAN DAM  IBMX    IBMX       O      X     2
Use of LEN(0)
• Length(0)
  • Truncate trailing spaces after the last non-blank character
  • Creating reports without excessive blanks
  • Creating commands
NonDisplay (ND)
• Hides the data
• Still a control field in SORTLIST
• Useful for, for example,
    sortlist DATE(ND) userid , TIME(ND) eventdesc
  to sort by date, userid and time … but the date and time take up no space in the display
Sort – redundant fields
  NEWLIST TYPE=SMF OUTLIM=5
  SELECT EVENT=RACINIT(SUCCESS)
  SORTLIST USER SYSTEM DATE TIME USER EVENTDESC

  S M F   R E C O R D   L I S T I N G               8Jul08 20:33 to 8Jul08 22:00
  User     Sys  Date        Time  User     Event description
  IBMWINT  EENZ  8 Jul 2008 20:33 IBMWINT  Racinit (Success:Successful initiation)
  IBMWSCH  EEND  8 Jul 2008 20:50 IBMWSCH  Racinit (Success:Successful initiation)
  IBMXHG1  EENA  8 Jul 2008 21:57 IBMXHG1  Racinit (Success:Successful initiation)
  IBMXHG1  EENA  8 Jul 2008 22:00 IBMXHG1  Racinit (Success:Successful termination)
  STRTASK  EENA  8 Jul 2008 20:33 STRTASK  Racinit (Success:Successful termination)
Sort – don't list
  NEWLIST TYPE=SMF OUTLIM=5
  SELECT EVENT=RACINIT(SUCCESS)
  SORTLIST USER(ND) SYSTEM DATE TIME USER EVENTDESC

  S M F   R E C O R D   L I S T I N G               8Jul08 20:33 to 8Jul08 22:00
  Sys  Date        Time  User     Event description
  EENZ  8 Jul 2008 20:33 IBMWINT  Racinit (Success:Successful initiation)
  EEND  8 Jul 2008 20:50 IBMWSCH  Racinit (Success:Successful initiation)
  EENA  8 Jul 2008 21:57 IBMXHG1  Racinit (Success:Successful initiation)
  EENA  8 Jul 2008 22:00 IBMXHG1  Racinit (Success:Successful termination)
  EENA  8 Jul 2008 20:33 STRTASK  Racinit (Success:Successful termination)
Repeating fields
• Some fields have repeating values: groups, subgroups, memlist*, acl*
• Use FIRSTONLY
• Use HORIZONTAL (with or without 0)
• Use WORDWRAP
Using horizontal with members
  newlist type=racf
  select class=gcicstrn
  sortlist class key(16,'trancode') memlst(horizontal(0),wrap)

  GCICSTRN CAT1             CVMI CTIN CSM5 CSM3 CSM2 CSM1 CSMI CSHR CRTE CPMI CDFS CMAC
                            XPOF XPRT XLOG XSIT XPSP XPED FILE CORE ADYN EZAC CRPM CRPC
                            CRPA CBAM CMSG CIND CSFE DSNC CDBT CDBM CDBI CWTO CAFF CAFB
                            CFSL CLSG CEST CEKL CRTP CPIR CPIQ CPIL CXRE CXCU CWXN CWBG
                            CTSD CSZI CSTP CSTE CSSY CSSX CSQC CSOL CSNE CSNC CSLG CSKP
                            CSHQ CSHA CSGX CSFU CSFR CRSY CRMF CRMD CPLT COVR CMTS CITS
                            CIRR CIOR CIOF CIOD CGRP CFTL CFQS CFQR CFOR CFCL CEX2 CESC
                            CEJR CDTS CDBQ CDBO CDBD CATD CATA
  GCICSTRN CIC410A.HANS     CEMT CEDA
Repeating fields
  newlist type=racf outlim=1
  select class=dataset segment=base mask=SYS1.**
  sortlist key(8,'user') aclcnt acl

  P R O F I L E   L I S T I N G                    23 Jul 2008 01:15
  user     Perms User     Access ACL id   When
  SYS1.ACD     5 -group-  ALTER  SYS1
                 -group-  ALTER  SYSPROG
                 -group-  READ   IBMW
                 CRMQARUN NONE   CRMQARUN
                 - any -  READ   *

  newlist type=racf outlim=1
  select class=dataset segment=base mask=SYS1.**
  sortlist key(8,'user') aclcnt acl(firstonly)

  P R O F I L E   L I S T I N G                    23 Jul 2008 01:15
  user     Perms User     Access ACL id   When
  SYS1.ACD     5 -group-  ALTER  SYS1

Note: These entries are NOT alphabetic – but chronological.
Repeating fields – SORT
  newlist type=racf outlim=1
  select class=dataset segment=base mask=SYS1.**
  sortlist key(8,'user') aclcnt acl(sort)

  P R O F I L E   L I S T I N G                    11 Aug 2008 22:59
  user     Perms User     Access ACL id   When
  SYS1.ACD     5 - any -  READ   *
                 -group-  READ   CRMA
                 -group-  ALTER  SYSPROG
                 -group-  ALTER  SYS1
                 CRMQARUN NONE   CRMQARUN
Repeating fields
  newlist type=racf
  select class=group segment=base key=sys1
  sortlist key(8,'group') SUBGRPNM(horizontal)

  P R O F I L E   L I S T I N G                    23 Jul 2008 02:37
  group    SubGroup
  SYS1     SYSCTLG VSAMDSET CR STCUSER SYSAUTH IMS

  newlist type=racf
  select class=group segment=base key=sys1
  sortlist key(8,'group') SUBGRPNM(0,horizontal)

  P R O F I L E   L I S T I N G                    23 Jul 2008 02:37
  group    SubGroup
  SYS1     SYSCTLG VSAMDSET CR STCUSER SYSAUTH IMS DB2 DB2PM QMF
Repeating fields (more)
  newlist type=racf ll=80
  select class=user segment=base
  sortlist key(8,"User") cggrpct cggrpnm(hor,62,wrap)

  COMBAT8   1 COMBTGRP
  CRMAINT  15 CRM CRMA CRMAINTG CRMAWIN CRMB CRMBEPRD CRMBTSUP CRMBZDEV
              CRMC CRMCNG CRMCXDEL CRMD CRMGRACF C2ESERVG C2RADMIN
  CRMAROB  17 CRMA CRMARACF CRMB CRMBEPRD CRMBOMVS CRMBTSUP CRMC CRMCNG
              CRMCXDEL CRMDTEST CRMGRACF CRMQAGID C2ESERVG C2RADMIN
              C2RSERVG RCOPROB1 ZTKSUPP
• In this example
  • Horizontal, maximum length 62 and wrap on blanks
Flag reporting
• Choices
  • YES/NO
  • Blank/YES
  • Blank/NO
  • Blank/String
  • Field name
  • Literal
• Matter of preference
  • Something in every row and column
  • Blank is okay / text means 'alert'
Flag reporting
• Three choices of output: Header/Blank, YES/NO, or String/Blank
• Four states of flags: yes, no, missing and in error
• BLANK$HDR – blank if true or missing; 'Hdr' if false
• HDR$BLANK – 'hdr' if true; blank otherwise
• BLANK$NO – blank if true or missing; 'NO' if false
• YESNO – 'Yes' if true; 'No' if false; blank otherwise
• BLANK$STR('string') – blank if true or missing; 'string' if false
• STR$BLANK('string') – 'string' if true; blanks otherwise
• FLAG – 'Yes' if true; blanks if false or missing; '??' if error
• FLAG2NICE – 'Yes' if true, 'No' if false, blank if missing, '?' if unintelligible
Flag formatting
  newlist type=racf outlim=100
  select class=user segment=base
  sortlist key(8,'user') special(4,blank$hdr) special(4,blank$no),
           special(4,blank$str('SAFE')) , special(4,str$blank('DANGER')) ,
           special(4,hdr$blank) , special(4,flag), special(4,yesno), special(4,flag2nice)

  P R O F I L E   L I S T I N G                    11 Aug 2008 22:00
  user     Spc  Spc  Spc  Spc  Spc  Spc  Spc  Spc
  CRMARO2  Spc  No   SAFE                No   No
  CRMASC2                 DANG Spc  YES  Yes  Yes
  CRMASC3  Spc  No   SAFE                No   No
  CRMBAH2  Spc  No   SAFE                No   No
Flag formatting – another
  newlist type=racf outlim=100
  define badguy(hb,3) boolean where class=user special
  define goodguy(blank$hdr,4) boolean where class=user special
  select class=user segment=base
  sortlist key(8,'user') badguy goodguy

  P R O F I L E   L I S T I N G                    11 Aug 2008 22:14
  user     BAD GOOD
  CRMARO2      GOOD
  CRMASC2  BAD
  CRMASC3      GOOD
  CRMATST      GOOD
  CRMBAHI      GOOD
  CRMBAH2      GOOD
  CRMBCICS     GOOD
Text formatting
• ASIS – copy without modification
• CHAR – copy without modification, trim trailing blanks
• LOWERCASE – all characters translated to lower case letters
• UPPERCASE – all characters translated to capital letters
* NOTE: trailing blanks and nulls are removed for XML output, regardless
Text formatting
  newlist type=racf outlim=5
  select class=user
  sortlist key('user',8) , key('char',8,char), key('asis',8,asis) ,
           key('upper',8,uppercase) , key('lower',8,lowercase)

  user     char     asis     upper    lower
  irrmulti irrmulti irrmulti IRRMULTI irrmulti
  irrsitec irrsitec irrsitec IRRSITEC irrsitec
  AB5200A  AB5200A  AB5200A  AB5200A  ab5200a
  AB5201A  AB5201A  AB5201A  AB5201A  ab5201a
  AB5240A  AB5240A  AB5240A  AB5240A  ab5240a
Date / time formatting
• DATETIME
  • TIME BIN (macro) format DD MMM YYYY HH:MM:SS.CC
• DATETIMEZONE
  • Similar to DATETIME (',+/-'HH:MM)
• DATE$STR('string')
  • Format DATE or emit 'string' if missing (e.g. 'NEVER')
• MONTH
  • Text string: 'January' to 'December'
• MONTHDAY
  • Numeric (leading blank) day of month ' 1' to '31'
Sort by date / time
  NEWLIST TYPE=SMF OUTLIM=5
  SELECT event=racinit(success)
  SORTLIST SYSTEM DATE TIME USER EVENTdesc

  S M F   R E C O R D   L I S T I N G               8Jul08 20:33 to 8Jul08 22:00
  Sys  Date        Time  User     Event description
  TEST  8 Jul 2008 20:33 STRTASK  Racinit (Success:Successful termination)
  TEST  8 Jul 2008 20:33 IBMWINT  Racinit (Success:Successful initiation)
  TEST  8 Jul 2008 20:50 IBMWSCH  Racinit (Success:Successful initiation)
  TEST  8 Jul 2008 21:57 IBMXHG1  Racinit (Success:Successful initiation)
  TEST  8 Jul 2008 22:00 IBMXHG1  Racinit (Success:Successful termination)
Lots of date formats
  Newlist Type=SMF Outlim=1
  Select Event=RACINIT(SUCCESS)
  Sortlist Date(5) Time(11) User Eventdesc / / ,
           'Date:' Date(date) / ,
           'DateTime:' date(datetime) / ,
           '$date:' date($date) / ,
           'JulDate:' date(juldate) / ,
           'Month:' date(month) / ,
           'MonthDay:' date(monthday) / ,
           'Year:' date(year) / ,
           'WeekDay:' date(weekday) / ,
           'USDate:' date(usdate) / ,
           'EUDate:' date(eudate) / ,
           'XSD_DateTime:' datetime(xsd_datetime)

  Date  Time        User     Event description
  8Jul  23:13:31.08 STRTASK  Racinit (Success:Successful termination)

  Date:          8 Jul 2008
  DateTime:      8 Jul 2008
  $date:         2008-07-08
  JulDate:       2008/190
  Month:         July
  MonthDay:      8
  Year:          2008
  WeekDay:       Tuesday
  USDate:        07/08/08
  EUDate:        08-07-2008
  XSD_DateTime:  2008-07-08T23:13:31.08+

Note: Date formatting will shift when the length is reduced.
Short date / long time
  NEWLIST TYPE=SMF OUTLIM=5
  SELECT EVENT=RACINIT(SUCCESS)
  SORTLIST USER(ND) SYSTEM DATE(5) TIME(11) USER EVENTDESC

  S M F   R E C O R D   L I S T I N G               8Jul08 20:33 to 8Jul08 22:00
  Sys  Date Time        User     Event description
  TEST 8Jul 20:33:40.10 IBMWINT  Racinit (Success:Successful initiation)
  TEST 8Jul 20:50:13.40 IBMWSCH  Racinit (Success:Successful initiation)
  TEST 8Jul 21:57:52.27 IBMXHG1  Racinit (Success:Successful initiation)
  TEST 8Jul 22:00:35.56 IBMXHG1  Racinit (Success:Successful termination)
  TEST 8Jul 20:33:23.25 STRTASK  Racinit (Success:Successful termination)
IP / PORT
• IP
  • 4 byte IPv4 address (xx.xx.xx.xx)
  • 16 byte IPv6 address (xx:xx:…)
• PORT
  • Format numeric IP port textually – used with DSTPORT and SRCPORT
Storage addresses / DUMP
• ADDRESS
  • 31 bit address is 8 hex characters
  • 64 bit address is two groups of 8 hex characters separated by '_'
• DUMP
  • Storage dump format
Dump, Hex and Printable
  Newlist Type=SMF Outlim=1
  Select Event=RACINIT(SUCCESS)
  Sortlist Date Time User Eventdesc / / ,
           'Date Dump:' Date(dump) / 'Date Hex:' date(hex) / ,
           'Date Printable' date(printable) / / ,
           'User Dump:' user(dump) / 'User Hex:' user(hex) / ,
           'User Printable' user(printable)

  S M F   R E C O R D   L I S T I N G               8Jul08 23:13 to 8Jul08 23:13
  Date        Time  User     Event description
  8 Jul 2008  23:13 STRTASK  Racinit (Success:Successful termination)

  Date Dump:     0000. 0108190F                    *....*
  Date Hex:      0108190F
  Date Printable ....

  User Dump:     0000. E2E3D9E3 C1E2D240           *STRTASK *
  User Hex:      E2E3D9E3 C1E2D240
  User Printable STRTASK
Another use for DUMP format
  Newlist type=smf title='SMF Dump'
  Select type=118
  Sortlist date(7) time(5) record(dump)

  S M F   R E C O R D   L I S T I N G             11Aug08 19:00 to 11Aug08 22:23
  SMF Dump
  Date    Time  Record
  11Aug08 19:00 0000. 00F80000 5E760068 5EC10108 224FC5C5 *.8..;...;A...|EE*
                0010. D5C40000 00000005 00000028 00000044 *ND..............*
                0020. 00180001 0000005C 00540001 00000000 *.......*........*
                0030. 00000000 000000B0 00380001 000000E8 *.......^.......Y*
                0040. 00100001 E3C3D7C9 D7404040 00000026 *....TCPIP   ....*
                0050. C29910B4 DCF02F06 40000000 01F47132 *Br...0.. ....4..*
                0060. 00000000 00000045 00000000 00000000 *................*
                0070. 00000000 01F0A31C 00B92AE3 00000000 *.....0t....T....*
                0080. 00000000 0000051F 000B3FAF 0003CB30 *................*
                0090. 0000051F 00000000 00000000 00000000 *................*
                00A0. 00000000 00000800 00000000 00000000 *................*
                00B0. 00000004 000001F4 0001D4C0 FFFFFFFF *.......4..M{....*
                00C0. 00016C4D 00001AF3 000115C7 00004C24 *..%(...3...G..<.*
                00D0. 00000015 010D44C7 00A8F6FF 0000A400 *.......G.y6...u.*
                00E0. 00000002 0000E7A6 00D8A4B4 00027132 *......Xw.Qu.....*
                00F0. 00000000 00D8F4DF                   *.....Q4.*
  11Aug08 19:07 0000. 005E0000 5E760069 09140108 224FC5C5 *.;..;........|EE*
$xxx Formats
• $formats are for TSO commands
• $CHAUDIT – UNIX file audit flags command format for use with the chaudit command, e.g. 'r=s,w=f,x=sf' (read successes, write failures, all executions).
• $CHMOD – UNIX file access flags command format for use with the chmod command, e.g. 'o=,u=rwx,g=rx' (user read/write/execute, group read/execute, other no access).
• $RESFLG – Format to print the RESFLG field of a general resource profile for a RDEFINE or RALTER command.
• $RETPD – Formats a two byte hexadecimal number as a RACF retention period. This is intended for the creation of commands in the DATASET class, in the RETPD field.
• Just like ISPF – use " to enclose ' and vice versa, e.g.
    LIST "LD DA('" | key(0) | "')"
$chmod / octal UNIX formats
  newlist type=unix outlim=500
  select type=-
  sortlist type(1) filename(nd) attr ,
           'chmod ' attr(4,octal) filename(15),
           'chmod ' attr($chmod,15) filename(15)

  - r-xr-xr-x chmod 0555 mknod           chmod a=rx            mknod
  - r-xr-xr-x chmod 0555 mount           chmod a=rx            mount
  - r--r--r-- chmod 0444 move_down.gif   chmod a=r             move_down.gif
  - r-xr-xr-t chmod 1555 rlogind2        chmod ug=rx,o=rxt     rlogind2

Note: formatting adjusted for ease of use
$chaudit / $extattr and more
  sortlist type(1) filename(nd) attr '(' | attr(4,octal) |, ')' attr($chmod,15) ,
           extattr extattr($extattr,9) , auditflags auditflags($chaudit,9) ,
           uid(5) gid(5) filename

  T FileMode  File   FileMode        apsl apsl     AuF AuF  User Group File...
  - r--r--r-- (0444) a=r             --s- +s -apl  fff =f      0     0 FOMO...
  - r-xr--r-- (0544) u=rx,go=r       -p-- +p -asl  fff =f      0     0 FOMR...
  - r-xr--r-- (0544) u=rx,go=r       -ps- +ps -al  fff =f      0     0 FOMR...
  - r-xr-xr-t (1555) ug=rx,o=rxt     -ps- +ps -al  fff =f      0     0 FOMR...
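The two slides above show the same file mode three ways: the ls-style ATTR string, ATTR(4,OCTAL) and ATTR($CHMOD,15). The Python below is an added example, not code from the deck or from IBM; it models those two conversions from a 9-character mode string and then shows what the "Gotcha's" slide later warns about, namely a $CHMOD string cut short by a field length that is too small. The rule that merges classes with identical permissions ("ug=rx,o=rxt", "a=rx") is inferred from the sample output on the slide and is an assumption, not IBM's documented algorithm.

```python
# Added example: OCTAL and $CHMOD-style renderings of a z/OS UNIX file mode,
# plus the effect of truncating the $CHMOD string to a fixed field length.
# Not taken from the zSecure deck or from IBM code; the merge rule below is
# an assumption that reproduces the slide's sample output.

CLASSES = ("u", "g", "o")


def parse_mode(mode):
    """Split a 9-character ls-style mode ('r-xr-xr-t') into per-class
    permission letters: {'u': 'rx', 'g': 'rx', 'o': 'rxt'}.
    's' in the u/g execute slot means set-id plus execute, 't' in the o
    slot means sticky plus execute; upper-case 'S'/'T' are the bit alone."""
    if len(mode) != 9:
        raise ValueError("mode string must be 9 characters: %r" % (mode,))
    perms = {}
    for i, cls in enumerate(CLASSES):
        r, w, x = mode[3 * i:3 * i + 3]
        letters = ""
        if r == "r":
            letters += "r"
        if w == "w":
            letters += "w"
        if x in "xst":
            letters += "x"
        if x in "sS":
            letters += "s"
        if x in "tT":
            letters += "t"
        perms[cls] = letters
    return perms


def to_octal(mode):
    """Four-digit octal as ATTR(4,OCTAL) shows it: special bits first."""
    perms = parse_mode(mode)
    special = (4 if "s" in perms["u"] else 0) \
        + (2 if "s" in perms["g"] else 0) \
        + (1 if "t" in perms["o"] else 0)
    digits = [str(special)]
    for cls in CLASSES:
        p = perms[cls]
        digits.append(str((4 if "r" in p else 0)
                          + (2 if "w" in p else 0)
                          + (1 if "x" in p else 0)))
    return "".join(digits)


def to_chmod_spec(mode):
    """Symbolic chmod argument in the style of the slide's $CHMOD column.
    Classes with identical permissions are merged in u,g,o order of first
    appearance; all three identical collapse to 'a=...' (assumed rule)."""
    perms = parse_mode(mode)
    groups = []  # [class_letters, perm_letters] in order of first appearance
    for cls in CLASSES:
        for g in groups:
            if g[1] == perms[cls]:
                g[0] += cls
                break
        else:
            groups.append([cls, perms[cls]])
    if len(groups) == 1:
        return "a=" + groups[0][1]
    return ",".join(c + "=" + p for c, p in groups)


def truncated(text, length):
    """Model a CARLa output field of fixed length: the value is cut, not
    wrapped.  A $CHMOD string cut mid-way still looks like a valid chmod
    argument, which is why the deck says $chmod needs 15 (or 0) to be safe."""
    return text[:length]


if __name__ == "__main__":
    for m in ("r-xr-xr-x", "r--r--r--", "r-xr-xr-t", "r-xr--r--", "rwsr-xr-x"):
        print("%s  %s  %s" % (m, to_octal(m), to_chmod_spec(m)))
    # Width 8 silently turns "ug=rx,o=rxt" into "ug=rx,o=": a command that
    # would remove all access from "other" instead of granting rxt.
    print(repr(truncated(to_chmod_spec("r-xr-xr-t"), 8)))
```

The last line is the point of the exercise: a truncated generated command is not a syntax error, it is a different command, so a report that feeds chmod should use length 0 (trim) or a width that fits the longest possible value.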
UNIX pathnames
• Display as much as feasible, showing the beginning and end of the pathname and omitting middle qualifiers as needed
• But don't go too small (e.g. 10)

  Pri Absolute
    9 /.../aopd
    9 /...
    9 /...
    9 /...
    9 /...
UNIX pathnames
  newlist type=unix outlim=50
  select auditpriority>5
  sortlist auditpriority type(nd) abs_pathname(25) type(1) ,
           abs_pathname(30)

  U N I X   F I L E S                              14 Jul 2008 00:07
  Pri Absolute pathname         T Absolute pathname
    9 /V1R8M0/usr/.../bin/aopd  - /V1R8M0/usr/.../bin/aopd
    9 /V1R8M0/.../bin/aopippdxp - /V1R8M0/usr/.../bin/aopippdxp
    9 /V1R8M0/.../bin/aoplpd    - /V1R8M0/usr/.../bin/aoplpd
    9 /V1R8M0/.../bin/aopnetd   - /V1R8M0/usr/.../bin/aopnetd
    9 /V1R8M0/.../bin/aopoms    - /V1R8M0/usr/.../bin/aopoms
    9 /V1R8M0/.../bin/aopoutd   - /V1R8M0/usr/.../bin/aopoutd
    9 /V1R8M0/.../bin/aopsapd   - /V1R8M0/usr/.../bin/aopsapd

  Pri Absolute pathname
    9 /V1R8M0/usr/lpp/Printsrv/bin/aopd
    9 /V1R8M0/usr/lpp/Printsrv/bin/aopippdxp
    9 /V1R8M0/usr/lpp/Printsrv/bin/aoplpd
    9 /V1R8M0/usr/lpp/Printsrv/bin/aopnetd
    9 /V1R8M0/usr/lpp/Printsrv/bin/aopoms
    9 /V1R8M0/usr/lpp/Printsrv/bin/aopoutd
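To make the two pathname slides concrete, here is an added Python model of the abbreviation that ABS_PATHNAME(25), ABS_PATHNAME(30) and the "too small" width 10 produce on the paths listed above. It is not code from the deck or from IBM: the scheme of adding qualifiers alternately from the end and the start of the path until the next one no longer fits is an assumption chosen because it reproduces every row on the slide, including the "/..." rows that a width of 10 leaves behind. The sample paths are copied from the slide's full-length column.

```python
# Added example, not from the zSecure deck or IBM code: a model of how a
# fixed-width ABS_PATHNAME(n) column keeps the start and end of a z/OS UNIX
# path and drops middle qualifiers.  The alternating head/tail rule is an
# assumption that reproduces the slide's sample output.

ELLIPSIS = "..."

# Constructed from the full-length column on the slide (priority, path).
SAMPLE_ROWS = [
    (9, "/V1R8M0/usr/lpp/Printsrv/bin/aopd"),
    (9, "/V1R8M0/usr/lpp/Printsrv/bin/aopippdxp"),
    (9, "/V1R8M0/usr/lpp/Printsrv/bin/aoplpd"),
    (9, "/V1R8M0/usr/lpp/Printsrv/bin/aopnetd"),
]


def abbreviate_path(path, width):
    """Return PATH unchanged if it fits in WIDTH characters; otherwise a
    '/head/.../tail' form built by taking qualifiers alternately from the
    end and from the start of the path, stopping at the first one that no
    longer fits.  When not even the last qualifier fits the result is
    '/...', which is the information-free row the slide warns about."""
    if len(path) <= width:
        return path
    parts = [p for p in path.split("/") if p]

    def render(head, tail):
        return "/" + "/".join(head + [ELLIPSIS] + tail)

    head, tail = [], []
    take_tail = True
    while len(head) + len(tail) < len(parts):
        if take_tail:
            cand_h = head
            cand_t = [parts[len(parts) - 1 - len(tail)]] + tail
        else:
            cand_h = head + [parts[len(head)]]
            cand_t = tail
        if len(render(cand_h, cand_t)) > width:
            break
        head, tail = cand_h, cand_t
        take_tail = not take_tail
    return render(head, tail)


def report(rows, width):
    """Render (priority, path) rows as the slide's 'Pri Absolute pathname'
    column with the pathname field fixed at WIDTH characters."""
    return ["%3d %-*s" % (pri, width, abbreviate_path(path, width))
            for pri, path in rows]


if __name__ == "__main__":
    for width in (25, 30, 10):
        print("width %d" % width)
        for line in report(SAMPLE_ROWS, width):
            print(line)
```

Running it at widths 25 and 30 gives the two columns on the slide; at width 10 only "aopd" survives and every other row degrades to "/...", which is why the deck says not to go too small.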
Gotcha's
• Watch your data length
  • Default may be too much
    • UID and GID may be over large (trim)
  • Specific format changes may require a length override: $chmod needs 15 (or 0) to be safe
  • Over-trimming works, but may not deliver the desired information
    • Dates, etc.
Summary
• CARLa allows display of diverse data
• Length can play a role in data display
• If it is there, we can display it – most likely how you want to see it
  • Binary, octet, address, dump
  • Dates, character, string
Profiles with EXECUTE access
  newlist type=racf title="Profiles with EXECUTE access"
  define acl subselect acl(access=execute)
  s acl(access=execute)
  sortlist class profile acl(aclid,8)

  P R O F I L E   L I S T I N G                    11 Aug 2008 23:04
  Profiles with EXECUTE access
  Class    Profile key              User
  DATASET  IBMTCIM.LOAD             STRTASK
                                    IBMB
                                    IBMQAP1
                                    STRCONS
  DATASET  IBMTCIM.LOAD.EXECUTE     IBMBER2
  DATASET  IBMQA.ACL1.**            IBMGRACF
  DATASET  IBMQA.ACL2.**            IBMGRACF
Profiles with IBMUSER access
  newlist type=racf title="Profiles where IBMUSER is on access list"
  define acl subselect acl(id=ibmuser)
  s acl(id=ibmuser)
  sortlist class profile acl(aclaccess,7,"Access")

  P R O F I L E   L I S T I N G                    12 Aug 2008 00:20
  Profiles where IBMUSER is on access list
  Class    Profile key              Access
  ACCTNUM  **                       ALTER
  DATASET  CBC.**                   NONE
  DATASET  CRMQARUN.ACCESS.B.**     READ
  DATASET  CRMQARUN.NOACCESS.B.**   NONE
  FACILITY $CNF.RACF                ALTER
  FACILITY CKF.RACF                 ALTER
  STARTED  BLSJPRMI.*               ALTER
  STARTED  CATALOG.*                ALTER
  STARTED  CIC410A.*                ALTER
Thank You
We hope this enhances your understanding of the power and flexibility of CKRCARLA output data formatting.