The Many Faces of CARLa Data


  1. The Many Faces of CARLa Data
     Mark S Hahn, Level 2 Technical Support, zSecure. August 18, 2008

  2. CARLa's strengths
     • CARLa – CARLa Audit Report Language
     • Powerful data extraction tool
     • From selected ESM data sets, SMF, CKFREEZE and user-defined data it creates reports, TSO commands, ISPF displays, XML documents, CSV files and more
     [Diagram: USER, ESM, SMF and FREEZE data feed CKRCARLA, which produces XML, W7, CSV, TSO and Reports]

  3. Dozens of formats
     • Reference: the LIST family of commands
     • Implicit / explicit formats
     • Page layouts not covered here (e.g. CONDPAGE, KEY, NOMODIFY)
     • Format changes do not affect the value (contents)
     • Length changes can affect the format
     • Exploitable / tricky applications
     • Special output formats named '$xxx' are useful for building TSO commands
     • Syntax: fieldname(length,format,modifier,'header'…)

  4. What are some fields?
     • Date / time, with local variations
     • Text (user IDs, resource names, pathnames): upper / lower case?
     • Binary: storage addresses, flags
     • IP addresses, octets
     • z/OS UNIX directory entries

  5. Tricks with length
     • Length can change the data format:
       LJDATE      DD MMM YYYY
       LJDATE(5)   DDMMM
       LJDATE(8)   DDMMMYY

       Newlist Type=racf Outlim=10
       Select class=user ljdate>today-35
       Sortlist key(8,'user') ljdate '|' ljdate(5) '|' ,
                ljdate(8)

       user     LastUseDate   LastU   LastUseD
       AXRSTC   25 Jun 2008 | 25Jun | 25Jun08
       IBMWROB  24 Jul 2008 | 24Jul | 24Jul08
       IBMWSC2  25 Jun 2008 | 25Jun | 25Jun08
       IBMXDV1  23 Jun 2008 | 23Jun | 23Jun08

  6. More tricks with length
     • Length(1): only the first character
     • Very valuable where "real estate" is scarce: the RA.U display is used in multiple places
     • SOA: Security-Operations-Auditor
     • Used with | to prevent spaces between fields (SOA versus S O A)

       Users like IBMX*                                    25 Jul 2008 00:46
       User     Complex Name              DfltGrp Owner RIRP SOA gC LCX Grp
       IBMXAHI  DEMO    ADAM HEWITT       IBMX    IBMX    I   S      X   2
       IBMXAH2  DEMO    ADAM HEWITT       IBMX    IBMX   RI   A      X   2
       IBMXCICS DEMO    TEST CICS         IBMX    IBMX   RI          X   2
       IBMXCV1  DEMO    CHRIS A. VAN DAM  IBMX    IBMX        O      X   2

  7. Use of LEN(0)
     • Length(0) truncates trailing spaces after the last non-blank character
     • Creating reports without excessive blanks
     • Creating commands

  8. NonDisplay (ND)
     • Hides the data
     • The field is still a control field in SORTLIST
     • Useful for, e.g., sortlist DATE(ND) userid , TIME(ND) eventdesc to sort by date, user ID and time … but without taking up space to display the date and time

  9. Sort – redundant fields
       S M F   R E C O R D   L I S T I N G   8Jul08 20:33 to 8Jul08 22:00
       User     Sys  Date        Time  User     Event description
       IBMWINT  EENZ 8 Jul 2008  20:33 IBMWINT  Racinit (Success:Successful initiation)
       IBMWSCH  EEND 8 Jul 2008  20:50 IBMWSCH  Racinit (Success:Successful initiation)
       IBMXHG1  EENA 8 Jul 2008  21:57 IBMXHG1  Racinit (Success:Successful initiation)
       IBMXHG1  EENA 8 Jul 2008  22:00 IBMXHG1  Racinit (Success:Successful termination)
       STRTASK  EENA 8 Jul 2008  20:33 STRTASK  Racinit (Success:Successful termination)

       NEWLIST TYPE=SMF OUTLIM=5
       SELECT EVENT=RACINIT(SUCCESS)
       SORTLIST USER SYSTEM DATE TIME USER EVENTDESC

  10. Sort – don't list
       S M F   R E C O R D   L I S T I N G   8Jul08 20:33 to 8Jul08 22:00
       Sys  Date        Time  User     Event description
       EENZ 8 Jul 2008  20:33 IBMWINT  Racinit (Success:Successful initiation)
       EEND 8 Jul 2008  20:50 IBMWSCH  Racinit (Success:Successful initiation)
       EENA 8 Jul 2008  21:57 IBMXHG1  Racinit (Success:Successful initiation)
       EENA 8 Jul 2008  22:00 IBMXHG1  Racinit (Success:Successful termination)
       EENA 8 Jul 2008  20:33 STRTASK  Racinit (Success:Successful termination)

       NEWLIST TYPE=SMF OUTLIM=5
       SELECT EVENT=RACINIT(SUCCESS)
       SORTLIST USER(ND) SYSTEM DATE TIME USER EVENTDESC

  11. Repeating fields
     • Some fields have repeating values: groups, subgroups, memlist*, acl*
     • Use FIRSTONLY
     • Use HORIZONTAL (with or without 0)
     • Use WORDWRAP

  12. Using horizontal with members
       newlist type=racf
       select class=gcicstrn
       sortlist class key(16,'trancode') memlst(horizontal(0),wrap)

       GCICSTRN CAT1             CVMI CTIN CSM5 CSM3 CSM2 CSM1 CSMI CSHR CRTE CPMI CDFS CMAC
                                 XPOF XPRT XLOG XSIT XPSP XPED FILE CORE ADYN EZAC CRPM CRPC
                                 CRPA CBAM CMSG CIND CSFE DSNC CDBT CDBM CDBI CWTO CAFF CAFB
                                 CFSL CLSG CEST CEKL CRTP CPIR CPIQ CPIL CXRE CXCU CWXN CWBG
                                 CTSD CSZI CSTP CSTE CSSY CSSX CSQC CSOL CSNE CSNC CSLG CSKP
                                 CSHQ CSHA CSGX CSFU CSFR CRSY CRMF CRMD CPLT COVR CMTS CITS
                                 CIRR CIOR CIOF CIOD CGRP CFTL CFQS CFQR CFOR CFCL CEX2 CESC
                                 CEJR CDTS CDBQ CDBO CDBD CATD CATA
       GCICSTRN CIC410A.HANS     CEMT CEDA

  13. Repeating fields
       newlist type=racf outlim=1
       select class=dataset segment=base mask=SYS1.**
       sortlist key(8,'user') aclcnt acl

       newlist type=racf outlim=1
       select class=dataset segment=base mask=SYS1.**
       sortlist key(8,'user') aclcnt acl(firstonly)

       P R O F I L E   L I S T I N G   23 Jul 2008 01:15
       user     Perms User     Access ACL id   When
       SYS1.ACD     5 -group-  ALTER  SYS1
                      -group-  ALTER  SYSPROG
                      -group-  READ   IBMW
                      CRMQARUN NONE   CRMQARUN
                      - any -  READ   *

       P R O F I L E   L I S T I N G   23 Jul 2008 01:15
       user     Perms User     Access ACL id   When
       SYS1.ACD     5 -group-  ALTER  SYS1

     Note: these entries are NOT alphabetic but chronological.

  14. Repeating fields – SORT
       newlist type=racf outlim=1
       select class=dataset segment=base mask=SYS1.**
       sortlist key(8,'user') aclcnt acl(sort)

       P R O F I L E   L I S T I N G   11 Aug 2008 22:59
       user     Perms User     Access ACL id   When
       SYS1.ACD     5 - any -  READ   *
                      -group-  READ   CRMA
                      -group-  ALTER  SYSPROG
                      -group-  ALTER  SYS1
                      CRMQARUN NONE   CRMQARUN

  15. Repeating fields
       newlist type=racf
       select class=group segment=base key=sys1
       sortlist key(8,'group') SUBGRPNM(horizontal)

       newlist type=racf
       select class=group segment=base key=sys1
       sortlist key(8,'group') SUBGRPNM(0,horizontal)

       P R O F I L E   L I S T I N G   23 Jul 2008 02:37
       group    SubGroup
       SYS1     SYSCTLG VSAMDSET CR STCUSER SYSAUTH IMS

       P R O F I L E   L I S T I N G   23 Jul 2008 02:37
       group    SubGroup
       SYS1     SYSCTLG VSAMDSET CR STCUSER SYSAUTH IMS DB2 DB2PM QMF

  16. Repeating fields (more)
       newlist type=racf ll=80
       select class=user segment=base
       sortlist key(8,"User") cggrpct cggrpnm(hor,62,wrap)

       COMBAT8   1 COMBTGRP
       CRMAINT  15 CRM CRMA CRMAINTG CRMAWIN CRMB CRMBEPRD CRMBTSUP CRMBZDEV
                   CRMC CRMCNG CRMCXDEL CRMD CRMGRACF C2ESERVG C2RADMIN
       CRMAROB  17 CRMA CRMARACF CRMB CRMBEPRD CRMBOMVS CRMBTSUP CRMC CRMCNG
                   CRMCXDEL CRMDTEST CRMGRACF CRMQAGID C2ESERVG C2RADMIN
                   C2RSERVG RCOPROB1 ZTKSUPP

     • In this example: horizontal, maximum length 62, and wrap on blanks

  17. Flag reporting
     • Choices: YES/NO, blank/YES, blank/NO, blank/string, field name, literal
     • A matter of preference:
       – something in every row and column, or
       – blank is okay / text means 'alert'

  18. Flag reporting
     • Three kinds of output: header/blank, YES/NO, or string/blank
     • Four states of a flag: yes, no, missing and in error

       Format            true    false   missing  error
       BLANK$HDR         blank   'Hdr'   blank
       HDR$BLANK         'Hdr'   blank   blank
       BLANK$NO          blank   'No'    blank
       YESNO             'Yes'   'No'    blank
       BLANK$STR('s')    blank   's'     blank
       STR$BLANK('s')    's'     blank   blank
       FLAG              'Yes'   blank   blank    '??'
       FLAG2NICE         'Yes'   'No'    blank    '?' (unintelligible)

       ('Hdr' is the field's column header text; 's' is the string given as the format parameter.)

  19. Flag formatting
       newlist type=racf outlim=100
       select class=user segment=base
       sortlist key(8,'user') special(4,blank$hdr) special(4,blank$no) ,
                special(4,blank$str('SAFE')) , special(4,str$blank('DANGER')) ,
                special(4,hdr$blank) , special(4,flag) , special(4,yesno) ,
                special(4,flag2nice)

       P R O F I L E   L I S T I N G   11 Aug 2008 22:00
       user     Spc  Spc  Spc  Spc  Spc  Spc  Spc  Spc
       CRMARO2  Spc  No   SAFE                No   No
       CRMASC2                 DANG Spc  YES  Yes  Yes
       CRMASC3  Spc  No   SAFE                No   No
       CRMBAH2  Spc  No   SAFE                No   No

     Note that the length of 4 cuts 'DANGER' down to 'DANG': the length applies to the formatted string, not only to the field value.

  20. Flag formatting – another
       newlist type=racf outlim=100
       define badguy(hb,3) boolean where class=user special
       define goodguy(blank$hdr,4) boolean where class=user special
       select class=user segment=base
       sortlist key(8,'user') badguy goodguy

       P R O F I L E   L I S T I N G   11 Aug 2008 22:14
       user     BAD GOOD
       CRMARO2      GOOD
       CRMASC2  BAD
       CRMASC3      GOOD
       CRMATST      GOOD
       CRMBAHI      GOOD
       CRMBAH2      GOOD
       CRMBCICS     GOOD

     The defined field's name becomes its header, so with length 3 and 4 the headers read BAD and GOOD; the hb format shows the header when the flag is true (as HDR$BLANK does) and blank$hdr shows it when the flag is false.

  21. Text formatting
     • ASIS – copy without modification
     • CHAR – copy without modification, trim trailing blanks
     • LOWERCASE – all characters translated to lower case letters
     • UPPERCASE – all characters translated to capital letters
     * NOTE: trailing blanks and nulls are removed for XML output regardless

  22. Text formatting
       newlist type=racf outlim=5
       select class=user
       sortlist key('user',8) , key('char',8,char) , key('asis',8,asis) ,
                key('upper',8,uppercase) , key('lower',8,lowercase)

       user     char     asis     upper    lower
       irrmulti irrmulti irrmulti IRRMULTI irrmulti
       irrsitec irrsitec irrsitec IRRSITEC irrsitec
       AB5200A  AB5200A  AB5200A  AB5200A  ab5200a
       AB5201A  AB5201A  AB5201A  AB5201A  ab5201a
       AB5240A  AB5240A  AB5240A  AB5240A  ab5240a

  23. Date / time formatting
     • DATETIME – TIME BIN (macro) format: DD MMM YYYY HH:MM:SS.CC
     • DATETIMEZONE – similar to DATETIME, followed by ',+/-HH:MM'
     • DATE$STR('string') – format as DATE, or emit 'string' if the date is missing (e.g. 'NEVER')
     • MONTH – text string, 'January' to 'December'
     • MONTHDAY – numeric day of month with a leading blank, ' 1' to '31'

  24. Sort by date / time
       S M F   R E C O R D   L I S T I N G   8Jul08 20:33 to 8Jul08 22:00
       Sys  Date        Time  User     Event description
       TEST 8 Jul 2008  20:33 STRTASK  Racinit (Success:Successful termination)
       TEST 8 Jul 2008  20:33 IBMWINT  Racinit (Success:Successful initiation)
       TEST 8 Jul 2008  20:50 IBMWSCH  Racinit (Success:Successful initiation)
       TEST 8 Jul 2008  21:57 IBMXHG1  Racinit (Success:Successful initiation)
       TEST 8 Jul 2008  22:00 IBMXHG1  Racinit (Success:Successful termination)

       NEWLIST TYPE=SMF OUTLIM=5
       SELECT event=racinit(success)
       SORTLIST SYSTEM DATE TIME USER EVENTdesc

  25. Lots of date formats
       Date  Time         User     Event description
       8Jul  23:13:31.08  STRTASK  Racinit (Success:Successful termination)

       Date:         8 Jul 2008
       DateTime:     8 Jul 2008
       $date:        2008-07-08
       JulDate:      2008/190
       Month:        July
       MonthDay:     8
       Year:         2008
       WeekDay:      Tuesday
       USDate:       07/08/08
       EUDate:       08-07-2008
       XSD_DateTime: 2008-07-08T23:13:31.08+

       Newlist Type=SMF Outlim=1
       Select Event=RACINIT(SUCCESS)
       Sortlist Date(5) Time(11) User Eventdesc / / ,
                'Date:' Date(date) / ,
                'DateTime:' date(datetime) / ,
                '$date:' date($date) / ,
                'JulDate:' date(juldate) / ,
                'Month:' date(month) / ,
                'MonthDay:' date(monthday) / ,
                'Year:' date(year) / ,
                'WeekDay:' date(weekday) / ,
                'USDate:' date(usdate) / ,
                'EUDate:' date(eudate) / ,
                'XSD_DateTime:' datetime(xsd_datetime)

     Note: date formatting will shift when the length is reduced.
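The formats on this slide are easier to reason about once the raw SMF fields behind them are visible. The following Python is an added illustration, not zSecure code: it decodes the packed SMF date shown on slide 29 (0108190F) and an SMF time-of-day value constructed here to match the 23:13:31.08 above, then renders them the way the Date, JulDate, WeekDay, USDate, EUDate and XSD_DateTime columns show, together with the length-dependent LJDATE/DATE layouts from slides 5 and 26. The format strings, the length cut-over points and the time-zone offset are my reading of the slide output, not the product's definitions.

```python
"""Decode SMF packed date / binary time and render CARLa-style date formats.

Added illustration, not zSecure code.  Format strings are inferred from the
slide output; treat them as assumptions, not product definitions.
"""
import datetime
import struct

# Constructed input: the SMF date from slide 29 ("Date Hex: 0108190F") and a
# time-of-day value built to match the 23:13:31.08 shown on slide 25
# (assumption: big-endian hundredths of a second since midnight, as in the
# standard SMF record header).
SMF_DATE = bytes.fromhex("0108190F")
SMF_TIME = b"\x00\x7f\x94\x94"          # 8361108 hundredths = 23:13:31.08


def decode_smf_date(raw: bytes) -> datetime.date:
    """SMF dates are packed decimal 0cyydddF: c = century (0 = 19xx,
    1 = 20xx), yy = year within the century, ddd = day of year, F = sign."""
    digits = raw.hex().upper()
    if len(digits) != 8 or digits[0] != "0" or digits[-1] not in "CF":
        raise ValueError(f"not an SMF packed date: {digits}")
    century, yy, ddd = int(digits[1]), int(digits[2:4]), int(digits[4:7])
    if not 1 <= ddd <= 366:
        raise ValueError(f"day of year out of range: {ddd}")
    first = datetime.date(1900 + 100 * century + yy, 1, 1)
    return first + datetime.timedelta(days=ddd - 1)


def decode_smf_time(raw: bytes) -> datetime.time:
    """Unsigned 32-bit big-endian hundredths of a second since midnight."""
    hundredths = struct.unpack(">I", raw)[0]
    seconds, cc = divmod(hundredths, 100)
    hh, rem = divmod(seconds, 3600)
    mm, ss = divmod(rem, 60)
    return datetime.time(hh, mm, ss, cc * 10_000)


def carla_date(d: datetime.date, length: int = 11) -> str:
    """Mimic how the output length changes the layout on slides 5 and 26:
    11 -> 'DD MMM YYYY', 7..10 -> 'DDMMMYY', 5..6 -> 'DDMMM'.  The cut-over
    points are an assumption drawn from LJDATE(8), DATE(7) and DATE(5)."""
    mon = d.strftime("%b")
    if length >= 11:
        return f"{d.day} {mon} {d.year}"
    if length >= 7:
        return f"{d.day}{mon}{d.year % 100:02d}"
    if length >= 5:
        return f"{d.day}{mon}"
    return f"{d.day}{mon}"[:length]        # over-trimmed: the "Dates, etc" gotcha


def date_formats(d: datetime.date, t: datetime.time, tz: str = "+00:00") -> dict[str, str]:
    """One entry per format name used on slide 25.  tz is an assumption: the
    slide's XSD_DateTime output ends at the '+' sign, so the offset is unknown."""
    cc = t.microsecond // 10_000
    return {
        "Date": carla_date(d),
        "$date": d.isoformat(),
        "JulDate": f"{d.year}/{d:%j}",
        "Month": d.strftime("%B"),
        "MonthDay": f"{d.day:2d}",
        "Year": str(d.year),
        "WeekDay": d.strftime("%A"),
        "USDate": d.strftime("%m/%d/%y"),
        "EUDate": d.strftime("%d-%m-%Y"),
        "Time": f"{t:%H:%M:%S}.{cc:02d}",
        "XSD_DateTime": f"{d.isoformat()}T{t:%H:%M:%S}.{cc:02d}{tz}",
    }


if __name__ == "__main__":
    d, t = decode_smf_date(SMF_DATE), decode_smf_time(SMF_TIME)
    for name, value in date_formats(d, t).items():
        print(f"{name + ':':14}{value}")
    for length in (11, 8, 5):
        print(f"LJDATE({length}): {carla_date(d, length)}")
```

The validation in decode_smf_date matters in practice: a date field that is missing or zero in a record decodes to nonsense rather than failing loudly, which is exactly the case the DATE$STR('NEVER') format on slide 23 exists for.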

  26. Short date / long time
       S M F   R E C O R D   L I S T I N G   8Jul08 20:33 to 8Jul08 22:00
       Sys  Date  Time         User     Event description
       TEST 8Jul  20:33:40.10  IBMWINT  Racinit (Success:Successful initiation)
       TEST 8Jul  20:50:13.40  IBMWSCH  Racinit (Success:Successful initiation)
       TEST 8Jul  21:57:52.27  IBMXHG1  Racinit (Success:Successful initiation)
       TEST 8Jul  22:00:35.56  IBMXHG1  Racinit (Success:Successful termination)
       TEST 8Jul  20:33:23.25  STRTASK  Racinit (Success:Successful termination)

       NEWLIST TYPE=SMF OUTLIM=5
       SELECT EVENT=RACINIT(SUCCESS)
       SORTLIST USER(ND) SYSTEM DATE(5) TIME(11) USER EVENTDESC

  27. IP / PORT
     • IP – a 4-byte IPv4 address (xx.xx.xx.xx) or a 16-byte IPv6 address (xx:xx:…)
     • PORT – formats a numeric IP port as text; used with DSTPORT and SRCPORT

  28. Storage addresses / DUMP
     • ADDRESS – a 31-bit address is 8 hex characters; a 64-bit address is two groups of 8 hex characters separated by '_'
     • DUMP – storage dump format

  29. Dump, Hex and Printable
       Newlist Type=SMF Outlim=1
       Select Event=RACINIT(SUCCESS)
       Sortlist Date Time User Eventdesc / / ,
                'Date Dump:' Date(dump) / 'Date Hex:' date(hex) / ,
                'Date Printable' date(printable) / / ,
                'User Dump:' user(dump) / 'User Hex:' user(hex) / ,
                'User Printable' user(printable)

       S M F   R E C O R D   L I S T I N G   8Jul08 23:13 to 8Jul08 23:13
       Date        Time  User     Event description
       8 Jul 2008  23:13 STRTASK  Racinit (Success:Successful termination)

       Date Dump:     0000. 0108190F                    *....*
       Date Hex:      0108190F
       Date Printable ....

       User Dump:     0000. E2E3D9E3 C1E2D240           *STRTASK *
       User Hex:      E2E3D9E3 C1E2D240
       User Printable STRTASK

  30. Another use for DUMP format
       Newlist type=smf title='SMF Dump'
       Select type=118
       Sortlist date(7) time(5) record(dump)

       S M F   R E C O R D   L I S T I N G   11Aug08 19:00 to 11Aug08 22:23
       SMF Dump
       Date    Time  Record
       11Aug08 19:00 0000. 00F80000 5E760068 5EC10108 224FC5C5 *.8..;...;A...|EE*
                     0010. D5C40000 00000005 00000028 00000044 *ND..............*
                     0020. 00180001 0000005C 00540001 00000000 *.......*........*
                     0030. 00000000 000000B0 00380001 000000E8 *.......^.......Y*
                     0040. 00100001 E3C3D7C9 D7404040 00000026 *....TCPIP   ....*
                     0050. C29910B4 DCF02F06 40000000 01F47132 *Br...0.. ....4..*
                     0060. 00000000 00000045 00000000 00000000 *................*
                     0070. 00000000 01F0A31C 00B92AE3 00000000 *.....0t....T....*
                     0080. 00000000 0000051F 000B3FAF 0003CB30 *................*
                     0090. 0000051F 00000000 00000000 00000000 *................*
                     00A0. 00000000 00000800 00000000 00000000 *................*
                     00B0. 00000004 000001F4 0001D4C0 FFFFFFFF *.......4..M{....*
                     00C0. 00016C4D 00001AF3 000115C7 00004C24 *..%(...3...G..<.*
                     00D0. 00000015 010D44C7 00A8F6FF 0000A400 *.......G.y6...u.*
                     00E0. 00000002 0000E7A6 00D8A4B4 00027132 *......Xw.Qu.....*
                     00F0. 00000000 00D8F4DF                   *.....Q4.*
       11Aug08 19:07 0000. 005E0000 5E760069 09140108 224FC5C5 *.;..;........|EE*
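The DUMP column is the same layout a storage dump uses, and the first 18 bytes of every SMF record are the common header, so the dump on this slide can be read back. The Python below is an added illustration, not zSecure code: it renders bytes in the layout shown on slides 29 and 30 (offset, four-byte hex groups, EBCDIC printable text between asterisks) and parses the standard SMF header out of the first two dump lines above, recovering the record length (0x00F8 = 248), the record type (0x76 = 118, matching the SELECT), the time, the packed date and the system ID. The set of characters treated as printable is my assumption; everything the slide shows as '.' is consistent with it.

```python
"""Render storage in the CKRCARLA DUMP layout and parse the SMF header it shows.

Added illustration, not zSecure code.  The layout (offset, 4-byte hex groups,
EBCDIC printable text between asterisks) is copied from the slide output; the
set of characters treated as printable is my assumption.
"""
import string
from typing import NamedTuple

# Constructed input: the first two 16-byte lines of the type 118 record on
# slide 30, exactly as dumped there.
SAMPLE_RECORD = bytes.fromhex(
    "00F800005E7600685EC10108224FC5C5"
    "D5C40000000000050000002800000044"
)

# Assumption: only characters that are plain ASCII after cp037 (US EBCDIC)
# decoding are shown; everything else, including control bytes, prints as '.'.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def ebcdic_printable(chunk: bytes) -> str:
    return "".join(c if c in PRINTABLE else "." for c in chunk.decode("cp037"))


def dump(data: bytes, width: int = 16) -> list[str]:
    """One line per `width` bytes: 'OOOO. XXXXXXXX XXXXXXXX ... *printable*'."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        groups = " ".join(chunk[i:i + 4].hex().upper() for i in range(0, len(chunk), 4))
        lines.append(f"{off:04X}. {groups} *{ebcdic_printable(chunk)}*")
    return lines


class SmfHeader(NamedTuple):
    length: int            # SMFxLEN: record length including the header
    record_type: int       # SMFxRTY
    time_hundredths: int   # SMFxTME: hundredths of a second past midnight
    year: int              # from SMFxDTE, packed decimal 0cyydddF
    day_of_year: int
    system_id: str         # SMFxSID, EBCDIC


def parse_smf_header(record: bytes) -> SmfHeader:
    """The 18-byte header every SMF record type shares:
    LEN(2) SEG(2) FLG(1) RTY(1) TME(4) DTE(4) SID(4)."""
    if len(record) < 18:
        raise ValueError("record shorter than the 18-byte SMF header")
    length = int.from_bytes(record[0:2], "big")
    record_type = record[5]
    time_hundredths = int.from_bytes(record[6:10], "big")
    digits = record[10:14].hex()
    year = 1900 + 100 * int(digits[1]) + int(digits[2:4])
    day_of_year = int(digits[4:7])
    system_id = record[14:18].decode("cp037")
    return SmfHeader(length, record_type, time_hundredths, year, day_of_year, system_id)


if __name__ == "__main__":
    for line in dump(SAMPLE_RECORD):
        print(line)
    print(parse_smf_header(SAMPLE_RECORD))
```

Checking the header this way is the quick sanity test when a DUMP column looks wrong: the length must match the number of bytes dumped (248 here, so the last line ends at offset 0x00F7), the type must match the SELECT, and the system ID must be readable EBCDIC.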

  31. $xxx formats
     • $formats are for building TSO commands
     • $CHAUDIT – UNIX file audit flags in the format used by the chaudit command, e.g. 'r=s,w=f,x=sf' (read successes, write failures, all executions)
     • $CHMOD – UNIX file access flags in the format used by the chmod command, e.g. 'o=,u=rwx,g=rx' (user read/write/execute, group read/execute, other no access)
     • $RESFLG – formats the RESFLG field of a general resource profile for an RDEFINE or RALTER command
     • $RETPD – formats a two-byte hexadecimal number as a RACF retention period; intended for creating commands in the DATASET class, in the RETPD field
     • Just like ISPF: use " to enclose ' and vice versa, e.g. LIST "LD DA('" | key(0) | "')"

  32. $chmod / octal UNIX formats
       newlist type=unix outlim=500
       select type=-
       sortlist type(1) filename(nd) attr ,
                'chmod ' attr(4,octal) filename(15) ,
                'chmod ' attr($chmod,15) filename(15)

       - r-xr-xr-x  chmod 0555 mknod            chmod a=rx mknod
       - r-xr-xr-x  chmod 0555 mount            chmod a=rx mount
       - r--r--r--  chmod 0444 move_down.gif    chmod a=r move_down.gif
       - r-xr-xr-t  chmod 1555 rlogind2         chmod ug=rx,o=rxt rlogind2

     Note: formatting adjusted for ease of use

  33. $chaudit / $extattr and more
       sortlist type(1) filename(nd) attr '(' | attr(4,octal) | ,
                ')' attr($chmod,15) ,
                extattr extattr($extattr,9) ,
                auditflags auditflags($chaudit,9) ,
                uid(5) gid(5) filename

       T FileMode  File   FileMode   apsl apsl     AuF AuF   User Group File...
       - r--r--r-- (0444) a=r        --s- +s -apl  fff =f       0     0 FOMO...
       - r-xr--r-- (0544) u=rx,go=r  -p-- +p -asl  fff =f       0     0 FOMR...
       - r-xr--r-- (0544) u=rx,go=r  -ps- +ps -al  fff =f       0     0 FOMR...
       - r-xr-xr-t (1555) ug=rx,o=rxt -ps- +ps -al fff =f       0     0 FOMR...
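The two previous slides show the same permission bits in three shapes (the rwx string, the OCTAL format and the $CHMOD command format), and slide 36 warns that $chmod needs a length override. The Python below is an added illustration, not zSecure code: it converts a displayed permission string to the octal value and to the symbolic chmod form, and then shows what a fixed output length does to the generated command. The grouping rule for the symbolic form (classes with identical permissions merged, 'a=' when all three agree, listed in u, g, o order) is inferred from the four example rows and is an assumption beyond them; the manual's own 'o=,u=rwx,g=rx' example on slide 31 lists the classes in a different order.

```python
"""Permission strings -> OCTAL and $CHMOD formats, with the length caveat.

Added illustration, not zSecure code.  The grouping rule for the symbolic
form (classes with identical permissions merged, 'a=' when all three agree,
listed in u, g, o order) is inferred from the rows on slides 32-33 and is an
assumption beyond those rows.
"""


def mode_to_octal(mode: str) -> int:
    """'r-xr-xr-t' -> 0o1555.  Handles s/S (setuid/setgid) and t/T (sticky);
    upper case means the special bit is set without the execute bit."""
    if len(mode) != 9:
        raise ValueError(f"expected 9 characters, got {mode!r}")
    bits = 0
    for i, ch in enumerate(mode):
        shift = 8 - i                       # bit position of this column
        if ch == "-":
            continue
        if ch == "rwx"[i % 3]:
            bits |= 1 << shift
        elif i in (2, 5) and ch in "sS":    # setuid (u) / setgid (g) column
            bits |= 0o4000 if i == 2 else 0o2000
            bits |= (1 << shift) if ch == "s" else 0
        elif i == 8 and ch in "tT":         # sticky bit in the other-x column
            bits |= 0o1000
            bits |= (1 << shift) if ch == "t" else 0
        else:
            raise ValueError(f"bad character {ch!r} at position {i} in {mode!r}")
    return bits


def class_letters(mode: str) -> list[str]:
    """chmod letters for u, g, o: 'r-xr-xr-t' -> ['rx', 'rx', 'rxt']."""
    out = []
    for cls in range(3):
        r, w, x = mode[cls * 3: cls * 3 + 3]
        letters = ("r" if r == "r" else "") + ("w" if w == "w" else "")
        if x in "xst":
            letters += "x"
        if x in "sS":
            letters += "s"
        if x in "tT":
            letters += "t"
        out.append(letters)
    return out


def mode_to_chmod(mode: str) -> str:
    """Symbolic form as on the slides: 'a=rx', 'u=rx,go=r', 'ug=rx,o=rxt'."""
    groups: list[tuple[list[str], str]] = []
    for cls, letters in zip("ugo", class_letters(mode)):
        for members, existing in groups:
            if existing == letters:
                members.append(cls)
                break
        else:
            groups.append(([cls], letters))
    if len(groups) == 1:
        return "a=" + groups[0][1]
    return ",".join("".join(members) + "=" + letters for members, letters in groups)


def fit(value: str, length: int) -> str:
    """CARLa-style output length: 0 keeps the whole value (LEN(0));
    any other length truncates silently."""
    return value if length == 0 else value[:length]


def chmod_command(mode: str, filename: str, length: int = 0) -> str:
    """Build the command the slide builds.  With a fixed length the symbolic
    string may be cut: attr($chmod,10) on 'r-xr-xr-t' yields 'ug=rx,o=rx',
    a different command (sticky bit dropped) that still parses."""
    return f"chmod {fit(mode_to_chmod(mode), length)} {filename}"


if __name__ == "__main__":
    # Constructed rows taken from slide 32.
    for mode, name in [("r-xr-xr-x", "mknod"), ("r--r--r--", "move_down.gif"),
                       ("r-xr--r--", "FOMR"), ("r-xr-xr-t", "rlogind2")]:
        print(f"- {mode}  chmod {mode_to_octal(mode):04o} {name:15} {chmod_command(mode, name)}")
    print(chmod_command("r-xr-xr-t", "rlogind2", length=10))   # truncated form
```

This is the reason for the "15 (or 0) to be safe" advice on slide 36: a too-short length does not fail, it silently produces a syntactically valid command that sets different bits. For generated commands prefer length 0 (LEN(0)) so the whole value is emitted and only trailing blanks are removed.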

  34. UNIX pathnames
     • Display as much as feasible, showing the beginning and end of the pathname and omitting middle qualifiers as needed
     • But don't go too small (e.g. length 10):
       Pri Absolute
         9 /.../aopd
         9 /...
         9 /...
         9 /...
         9 /...

  35. UNIX pathnames
       newlist type=unix outlim=50
       select auditpriority>5
       sortlist auditpriority type(nd) abs_pathname(25) type(1) ,
                abs_pathname(30)

       U N I X   F I L E S   14 Jul 2008 00:07
       Pri Absolute pathname       T Absolute pathname
         9 /V1R8M0/usr/.../bin/aopd   - /V1R8M0/usr/.../bin/aopd
         9 /V1R8M0/.../bin/aopippdxp  - /V1R8M0/usr/.../bin/aopippdxp
         9 /V1R8M0/.../bin/aoplpd     - /V1R8M0/usr/.../bin/aoplpd
         9 /V1R8M0/.../bin/aopnetd    - /V1R8M0/usr/.../bin/aopnetd
         9 /V1R8M0/.../bin/aopoms     - /V1R8M0/usr/.../bin/aopoms
         9 /V1R8M0/.../bin/aopoutd    - /V1R8M0/usr/.../bin/aopoutd
         9 /V1R8M0/.../bin/aopsapd    - /V1R8M0/usr/.../bin/aopsapd

       Pri Absolute pathname
         9 /V1R8M0/usr/lpp/Printsrv/bin/aopd
         9 /V1R8M0/usr/lpp/Printsrv/bin/aopippdxp
         9 /V1R8M0/usr/lpp/Printsrv/bin/aoplpd
         9 /V1R8M0/usr/lpp/Printsrv/bin/aopnetd
         9 /V1R8M0/usr/lpp/Printsrv/bin/aopoms
         9 /V1R8M0/usr/lpp/Printsrv/bin/aopoutd
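The abbreviated pathnames on these two slides follow a recognisable pattern: components are kept from the end and the start alternately, starting at the end, until the next one no longer fits, and the gap is shown as '...'. The Python below is an added illustration, not zSecure code, and that rule is an assumption inferred from the slide output, not the product's documented algorithm; it reproduces every abbreviation shown above. It also adds the check a practitioner wants before trusting an abbreviated path in an audit report: which distinct files become indistinguishable at a given width. The third sample path is constructed for that purpose.

```python
"""Abbreviate absolute pathnames the way the ABS_PATHNAME(n) columns above do.

Added illustration, not zSecure code.  The rule (keep components from the end
and the start alternately, starting at the end, stop at the first one that no
longer fits, show the gap as '...') is inferred from the slide-34/35 output
and is an assumption about the product's actual algorithm.
"""

GAP = "..."


def abbreviate_path(path: str, width: int) -> str:
    """Return `path` unchanged if it fits in `width`, else the alternating
    head/tail abbreviation; '/...' is the floor whatever the width."""
    if len(path) <= width:
        return path
    comps = [c for c in path.split("/") if c]
    head: list[str] = []
    tail: list[str] = []
    best = "/" + GAP
    take_tail = True
    while len(head) + len(tail) < len(comps):
        if take_tail:
            cand_head, cand_tail = head, [comps[-1 - len(tail)]] + tail
        else:
            cand_head, cand_tail = head + [comps[len(head)]], tail
        candidate = "/" + "/".join(cand_head + [GAP] + cand_tail)
        if len(candidate) > width:
            break                  # first component that does not fit ends the search
        head, tail, best = cand_head, cand_tail, candidate
        take_tail = not take_tail
    return best


def collisions(paths: list[str], width: int) -> dict[str, list[str]]:
    """Distinct files that become indistinguishable at this width: the check
    to run before trusting an abbreviated path in an audit report."""
    seen: dict[str, list[str]] = {}
    for p in paths:
        seen.setdefault(abbreviate_path(p, width), []).append(p)
    return {abbr: full for abbr, full in seen.items() if len(full) > 1}


# Constructed sample: the first two paths from slide 35 plus one extra path
# (not on the slide) that abbreviates to the same string at width 25.
SAMPLE_PATHS = [
    "/V1R8M0/usr/lpp/Printsrv/bin/aopd",
    "/V1R8M0/usr/lpp/Printsrv/bin/aopippdxp",
    "/V1R8M0/usr/local/bin/aopd",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{abbreviate_path(p, 25):25} {abbreviate_path(p, 30):30} "
              f"{abbreviate_path(p, 10):10} {p}")
    print(collisions(SAMPLE_PATHS, 25))
```

The collision check is the practical reading of "don't go too small": an abbreviated column is fine for a screen display, but anything exported for follow-up (a CSV of high-priority audit files, for instance) should carry the full pathname so two different binaries cannot share one line.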

  36. Gotchas
     • Watch your data length
     • The default may be too much: UID and GID may be over-large (trim them)
     • Specific format changes may require a length override: $chmod needs 15 (or 0) to be safe
     • Over-trimming works, but may not deliver the desired information (dates, etc.)

  37. Summary
     • CARLa allows display of diverse data
     • Length can play a role in data display
     • If it is there, we can display it, most likely how you want to see it:
       – binary, octet, address, dump
       – dates, character, string

  38. Profiles with EXECUTE access
       newlist type=racf title="Profiles with EXECUTE access"
       define acl subselect acl(access=execute)
       s acl(access=execute)
       sortlist class profile acl(aclid,8)

       P R O F I L E   L I S T I N G   11 Aug 2008 23:04
       Profiles with EXECUTE access
       Class    Profile key            User
       DATASET  IBMTCIM.LOAD           STRTASK IBMB IBMQAP1 STRCONS
       DATASET  IBMTCIM.LOAD.EXECUTE   IBMBER2
       DATASET  IBMQA.ACL1.**          IBMGRACF
       DATASET  IBMQA.ACL2.**          IBMGRACF

  39. Profiles with IBMUSER access
       newlist type=racf title="Profiles where IBMUSER is on access list"
       define acl subselect acl(id=ibmuser)
       s acl(id=ibmuser)
       sortlist class profile acl(aclaccess,7,"Access")

       P R O F I L E   L I S T I N G   12 Aug 2008 00:20
       Profiles where IBMUSER is on access list
       Class    Profile key               Access
       ACCTNUM  **                        ALTER
       DATASET  CBC.**                    NONE
       DATASET  CRMQARUN.ACCESS.B.**      READ
       DATASET  CRMQARUN.NOACCESS.B.**    NONE
       FACILITY $CNF.RACF                 ALTER
       FACILITY CKF.RACF                  ALTER
       STARTED  BLSJPRMI.*                ALTER
       STARTED  CATALOG.*                 ALTER
       STARTED  CIC410A.*                 ALTER

  40. Thank You
     We hope this enhances your understanding of the power and flexibility of CKRCARLA output data formatting.
