Top Secret

  • 1.  What is the basic intention/purpose of NOxxxCHK (NORESCHK) privileges in Top Secret ?

    Posted Sep 18, 2015 08:51 AM

    I ask this question in the context of idea Make OK+B audit records audit-adequate which reflects my current understanding and which also spawned https://communities.ca.com/ideas/235724083

     

    In Top Secret's Audit Guide they are noted in Chapter 2 as "Misuse of CA Top Secret".

     

    Would you think that the order of evaluation of these privileges (= they are evaluated first) is a waste of CPU or not?

     

    But I'm open to and interested in other points of view, so I'd be glad to read from you ...

     

     

     

     

    (added afterwards:) I'd like to know for which "group of acids" the usage of bypass privileges really makes sense, and why? Or, is there a "group of acids" for which such privileges are almost "necessary"? And why?

     

    Message edited by JOSEF THALER



  • 2.  Re: What is the basic intention/purpose of NOxxxCHK (NORESCHK) privileges in Top Secret ?

    Broadcom Employee
    Posted Sep 18, 2015 02:00 PM

    Josef,

     

    The NOxxxCHK attributes are one of the first things checked when a security check occurs. If the user has the appropriate NOxxxCHK, no further security checking occurs. Since the full security check is not done, this saves on CPU.

     

    But there is the cost of an OK+B record being written to the audit file.

     

    You could make use of the TSSINSTX exit in CA Top Secret to suppress the OK+B audit records. You would have to add your own user written code to the TSSINSTX installation exit to do this.

     

    The following sample user code for the TSS installation exit has been given to a number of clients who want to suppress OK+B records from being logged to the audit file:

                                                                             

        If Acid = *BYPASS*
        or if Pgm = IKJEFT01 and running as batch job.

    VIOLATN  DS    0H
             ICM   R5,15,TXA#FLOG     R5 = Addr Fast Logging Buffer
             USING FLOG,R5            Map Buffer
             TM    FLIND1,$FLBYPSS    Bypass Security ?
             BZ    LOGIT              no, log this event
             ICM   R3,15,TXA#ACID     R3 = Addr Acid
             CLC   0(8,R3),=CL8'*BYPASS*'  Acid *BYPASS* ?
             BE    NOLOG              Y, don't log
             CLC   FLPGM,=CL8'IKJEFT01'   TMP ?
             BNE   LOGIT              N, log this event
             CLI   FLTYPNUM,C'J'      TMP Batch ?
             BE    NOLOG              Y, don't log
             B     LOGIT              N, log it
    NOLOG    B     EXIT4              Bypass logging
    LOGIT    B     EXIT0              log this event

                                                                           

    If TXA#ACID is *BYPASS*, it is an OK+B event. This code can be modified to suppress OK+B records from whatever circumstances you choose.      

     

    This is sample code and not supported or maintained by CA. It is the user's responsibility to support, customize and maintain this sample code.

     

    Regards,

     

    Joseph Porto - CA Level 1 Support



  • 3.  Re: What is the basic intention/purpose of NOxxxCHK (NORESCHK) privileges in Top Secret ?

    Posted Sep 18, 2015 04:28 PM

    Joseph,

     

    many thanks for your reaction and for all the details.

     

    My intention in asking my question is more in-depth:

    The decision whether to make use of something or not,  is always an appreciation of values like security risk, flexibility, availability, performance etc. Therefore I'd like to know, for which "group of acids" the usage of bypass-privileges really makes sense and why? Or, is there a "group of acids", for which such privileges are almost "necessary"? And why?

    If there is something with no real sense (NOxxxCHK --> "misuse of Top Secret" !!) I would say it is a waste of CPU, although it might cost only two instructions (multiplied by trillions of security checks). Therefore ... my original question ...

     

    Regards,

    Josef.       



  • 4.  Re: What is the basic intention/purpose of NOxxxCHK (NORESCHK) privileges in Top Secret ?

    Broadcom Employee
    Posted Sep 18, 2015 05:32 PM

    Josef,

     

    When deciding where to use the NOxxxCHK-type attributes, you first need to refer to your security policies and auditors.

     

    If either does not allow the use of the security bypass attributes at your site, then there is no "group of acids" that you can give these privileges to.

     

    You are correct when you say "The decision whether to make use of something or not,  is always an appreciation of values like security risk, flexibility, availability, performance etc."

     

    The security risks, flexibility, availability, performance etc vary from site to site. I would also need extensive knowledge about your site to understand how each of those variables.

     

    We, CA, can only really give some general recommendations/suggestions. Our suggestions are not one-size-fits-all. You must ultimately decide if the suggestion/recommendation will benefit your site.

     

    1. We know that using the bypass attributes saves CPU but at the cost of I/O to the audit file.

    2. We also know that you can use TSSINSTX to suppress records being written to the audit file.

     

    From my experience with support, I have seen our clients use the bypass attributes in the following manner:

     

    1. One group of acids you could use the bypass attributes on is started tasks that you feel can be "trusted", like CICS, a scheduling application, CA LDAP, etc. I would limit the started task to the STC FACILITY and not any other FACILITY or terminal. Benefits: Started task will not be cancelled by CA Top Secret if it has the bypass attributes, reduced CPU due to less security checking, less administration of the STC acid because it's authorized for everything. Use of TSSINSTX can reduce OK+B entries for the started task acid. Drawback: Misuse of the application to defeat security.

    2. Use the bypass attribute for special acids that are used for emergency purposes and disaster recovery. Benefits: Recover a system faster without security stopping you. Drawback: If these emergency acids get in the wrong hands, they can be abused.

     

    Regards,

     

    Joseph Porto - CA Level 1 Support



  • 5.  Re: What is the basic intention/purpose of NOxxxCHK (NORESCHK) privileges in Top Secret ?

    Posted Sep 21, 2015 04:43 AM

    Joseph,

     

    ad OK+B records:

    (1) is there an estimation of cost of an i/o for the OK+B record versus the pathlength of a regular non-privileged security-check ?

    (2) In my opinion and from an auditor's point of view, the current behavior of TSS cutting OK+B records is misleading (OK+B records are written even though the acid has the regular permission to the resource) and wastes resources (OK+B records are written even if the resource is not protected by Top Secret!). But this is already addressed by "Make OK+B audit records audit-adequate" and "Order of Evaluation of Bypass Attributes" and can be commented on and voted on there.

     

    ad NOxxxCHK-privilege:

    I did not test it, but in my understanding - and to take just two examples - an acid having the NORESCHK privilege is thereby also a Unix root user (IBMFAC(BPX.SUPERUSER)) and a DB2 sysadmin (DB2SYS(SYSADM)) and so on.

    Same fact from another point of view: If your security environment is audited and you have to declare which acids are SYSADMs in DB2, the command "TSS WHOHAS DB2SYS(SYSADM)" might not be correct, because you have to include all acids having the NORESCHK privilege.

     

    So you really need to have good reasons (emergency cases excluded) to make use of these privileges in regular business, both test and production. But again, I'd like to know whether there exist good reasons for that. If you take the answers to this question as representative, so far 100% refuse these privileges and want to get rid of the rest of them....

     

    Regards,   

    Josef
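
The audit gap raised in the post above, as an added example that is not part of the original thread or of CA's code: a listing of explicit permissions has to be merged with every acid that carries the matching bypass attribute. The acid names, the CSV inventory format and the class-to-attribute mapping are constructed assumptions, and the logic follows the poster's stated (untested) understanding of NORESCHK.

```python
import csv
import io

# Constructed inventory for illustration (not real TSS output):
# one row per acid, with its bypass attributes and explicit permits.
INVENTORY = """\
acid,attributes,permits
DBA01,,DB2SYS(SYSADM)
CICSPROD,NORESCHK|NODSNCHK,
SCHED01,NOSUBCHK,
FIRECALL,NORESCHK,IBMFAC(BPX.SUPERUSER)
USER07,,IBMFAC(BPX.SUPERUSER)
"""

# Assumption: data set and volume checks have their own bypass attribute;
# every other resource class is short-circuited by NORESCHK.
BYPASS_FOR_CLASS = {"DSN": "NODSNCHK", "VOL": "NOVOLCHK"}
DEFAULT_BYPASS = "NORESCHK"


def load(text):
    """Parse the inventory into dicts with attribute and permit sets."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rows.append({
            "acid": rec["acid"],
            "attrs": {a for a in rec["attributes"].split("|") if a},
            "permits": {p for p in rec["permits"].split("|") if p},
        })
    return rows


def effective_holders(rows, resource):
    """Split the holders of `resource` into explicit and bypass-based."""
    rclass = resource.split("(", 1)[0]
    bypass = BYPASS_FOR_CLASS.get(rclass, DEFAULT_BYPASS)
    explicit = sorted(r["acid"] for r in rows if resource in r["permits"])
    via_bypass = sorted(r["acid"] for r in rows if bypass in r["attrs"])
    return {
        "bypass_attr": bypass,
        "explicit": explicit,
        "via_bypass": via_bypass,
        # Acids an explicit-permission listing alone would not show.
        "missed": sorted(set(via_bypass) - set(explicit)),
    }


if __name__ == "__main__":
    for res in ("DB2SYS(SYSADM)", "IBMFAC(BPX.SUPERUSER)", "DSN(SYS1.PARMLIB)"):
        print(res, effective_holders(load(INVENTORY), res))
```

The `missed` list is what an auditor would have to add to the explicit listing before declaring who effectively holds the resource.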



  • 6.  Re: What is the basic intention/purpose of NOxxxCHK (NORESCHK) privileges in Top Secret ?

    Broadcom Employee
    Posted Sep 22, 2015 04:15 PM

    Josef,

     

    Your questions:

     

    (1) is there an estimation of cost of an i/o for the OK+B record versus the pathlength of a regular non-privileged security-check ?

    Answer:

    Did some checking around. Didn't find anything in the doc or our problem tracking system that gives an estimate on the 'cost'. If you need an answer to this question, please open an issue with support, for it will require research into the code.

     

    Thank you for your opinion about the bypass attributes. CA Top Secret has to meet the needs of various users. The use of bypass attributes is a choice, so each site can decide for themselves if they will implement this functionality.

     

    Regards,

     

    Joseph Porto - CA Level 1 Support