I ask this question in the context of the idea "Make OK+B audit records audit-adequate", which reflects my current understanding and which also spawned https://communities.ca.com/ideas/235724083
In the Top Secret Audit Guide they are noted in Chapter 2 as "Misuse of CA Top Secret".
Would you think that the order of evaluation of these privileges (i.e. they are evaluated first) is a waste of CPU or not?
But I'm open to and interested in other points of view, so I'd be glad to hear from you ...
(added afterwards): I'd like to know for which "group of acids" the usage of bypass privileges really makes sense, and why? Or is there a "group of acids" for which such privileges are almost "necessary"? And why?
Message edited by JOSEF THALER
The NOxxxCHK attributes are among the first things checked when a security check occurs. If the user has the appropriate NOxxxCHK, no further security checking occurs. Since the full security check is not done, this saves CPU.
But there is the cost of an OK+B record being written to the audit file.
You could make use of the TSSINSTX exit in CA Top Secret to suppress the OK+B audit records. You would have to add your own user written code to the TSSINSTX installation exit to do this.
The following sample user code for the TSS installation exit has been given to a number of clients who want to suppress OK+B records from being logged to the audit file:
If Acid = *BYPASS*,
or if Pgm = IKJEFT01 and running as a batch job.
VIOLATN  DS    0H
         ICM   R5,15,TXA#FLOG          R5 = Addr Fast Logging Buffer
         USING FLOG,R5                 Map Buffer
         TM    FLIND1,$FLBYPSS         Bypass Security ?
         BZ    LOGIT                   no, log this event
         ICM   R3,15,TXA#ACID          R3 = Addr Acid
         CLC   0(8,R3),=CL8'*BYPASS*'  Acid *BYPASS* ?
         BE    NOLOG                   Y, don't log
         CLC   FLPGM,=CL8'IKJEFT01'    TMP ?
         BNE   LOGIT                   N, log this event
         CLI   FLTYPNUM,C'J'           TMP Batch ?
         BE    NOLOG                   Y, don't log (line added)
         B     LOGIT                   N, log it
NOLOG    B     EXIT4                   Bypass logging
LOGIT    B     EXIT0                   log this event
If TXA#ACID is *BYPASS*, it is an OK+B event. This code can be modified to suppress OK+B records from whatever circumstances you choose.
This is sample code and not supported or maintained by CA. It is the user's responsibility to support, customize and maintain this sample code.
Joseph Porto - CA Level 1 Support
Many thanks for your reaction and for all the details.
My intention in asking my question is more in-depth:
The decision whether to make use of something or not is always an appreciation of values like security risk, flexibility, availability, performance etc. Therefore I'd like to know for which "group of acids" the usage of bypass privileges really makes sense, and why? Or is there a "group of acids" for which such privileges are almost "necessary"? And why?
If there is something with no real sense (NOxxxCHK --> "misuse of Top Secret" !!) I would say it is a waste of CPU, although it might cost only two instructions (multiplied by trillions of security checks). Therefore ... my original question ...
When deciding where to use the NOxxxCHK type attributes, you first need to refer to your security policies and auditors.
If either does not allow the use of the security bypass attributes at your site, then there is no "group of acids" that you can give these privileges to.
You are correct when you say "The decision whether to make use of something or not, is always an appreciation of values like security risk, flexibility, availability, performance etc."
The security risks, flexibility, availability, performance etc. vary from site to site. I would also need extensive knowledge about your site to understand how each of those variables.
We, CA, can only really make some general recommendations/suggestions. Our suggestions are not one size fits all. You must ultimately decide if the suggestion/recommendation will benefit your site.
1. We know that using the bypass attributes saves CPU but at the cost of I/O to the audit file.
2. We also know that you can use TSSINSTX to suppress records being written to the audit file.
From my experience with support, I have seen our clients use the bypass attributes in the following manner:
1. One group of acids you could use the bypass attributes on are started tasks that you feel can be "trusted", like CICS, a scheduling application, CA LDAP, etc. I would limit the started task to the STC FACILITY and not any other FACILITY or terminal. Benefits: The started task will not be cancelled by CA Top Secret if it has the bypass attributes, reduced CPU due to less security checking, less administration for the STC acid because it's authorized for everything. Use of TSSINSTX can reduce OK+B entries for the started task acid. Drawback: Misuse of the application to defeat security.
2. Use the bypass attribute for special acids that are used for emergency purposes and disaster recovery. Benefits: Recover a system faster without security stopping you. Drawback: If these emergency acids get in the wrong hands, they can be abused.
Regarding OK+B records:
(1) Is there an estimation of the cost of an I/O for the OK+B record versus the path length of a regular non-privileged security check?
(2) In my opinion, and from an auditor's point of view, the current behavior of TSS cutting OK+B records is misleading (OK+B are written even though the acid has the regular permission to the resource) and wasting resources (OK+B are written even though the resource is not protected by Top Secret!). But this is already addressed by "Make OK+B audit records audit-adequate" and "Order of Evaluation of Bypass Attributes" and can be commented on and voted for there.
I did not test it, but in my understanding - and to take just two examples - an acid having the NORESCHK privilege includes being a Unix root user (IBMFAC(BPX.SUPERUSER)) and a DB2 sysadmin (DB2SYS(SYSADM)), and so on.
The same fact from another point of view: If your security environment is audited and you have to declare which acids are SYSADMs in DB2, the command "TSS WHOHAS DB2SYS(SYSADM)" might not be correct, because you have to include all acids having the NORESCHK privilege.
So you really need to have good reasons (emergency cases excluded) to make use of these privileges in regular business, both test and production. But again, I'd like to know whether there exist good reasons for that. If you take the answers to this question as representative, so far 100% refuse these privileges and want to get rid of the rest of them....
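The two audit points raised in this thread, that a NORESCHK holder passes every resource check without ever appearing in a WHOHAS listing, and that bypass attributes on a started-task acid should be confined to the STC facility, can be checked mechanically once the ACID inventory is exported. The script below is an added example, not code from the thread or from CA; the ACID names, attribute sets, facility lists and the DB2SYS(SYSADM) permit list are constructed sample data, not real TSS command output, and the set of bypass attribute names it knows about is an assumption that a site would replace with its own list.

```python
"""Reconcile CA Top Secret bypass attributes with explicit resource permits.

All ACID names, attributes, facilities and the WHOHAS result below are
CONSTRUCTED sample data for illustration, not real TSS command output.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Bypass attributes ("NOxxxCHK") this example recognises; an assumption to be
# replaced with the site's own list. NORESCHK is the one that bypasses
# resource-class checks such as DB2SYS and IBMFAC.
BYPASS_ATTRIBUTES = {"NORESCHK", "NODSNCHK", "NOVOLCHK"}


@dataclass
class Acid:
    name: str
    attributes: set[str] = field(default_factory=set)  # TSS attributes held
    facilities: set[str] = field(default_factory=set)  # facilities the ACID may use


# Constructed inventory (hypothetical ACID names).
INVENTORY = [
    Acid("CICSPROD", {"NORESCHK"}, {"STC"}),                    # started task, STC only
    Acid("SCHEDSTC", {"NORESCHK", "NODSNCHK"}, {"STC", "TSO"}),  # STC acid also usable from TSO
    Acid("EMERG01", {"NORESCHK"}, {"TSO", "BATCH"}),            # emergency acid
    Acid("DBA01", set(), {"TSO", "BATCH"}),
    Acid("DBA02", set(), {"TSO"}),
]

# Constructed result of "TSS WHOHAS DB2SYS(SYSADM)": ACIDs with an explicit permit.
EXPLICIT_SYSADM = {"DBA01", "DBA02"}


def bypass_holders(acids: list[Acid], attribute: str = "NORESCHK") -> list[str]:
    """ACIDs that hold the given bypass attribute, sorted by name."""
    return sorted(a.name for a in acids if attribute in a.attributes)


def effective_holders(explicit: set[str], acids: list[Acid]) -> list[str]:
    """Everyone who passes the resource check: explicit permits plus NORESCHK holders.

    This is the answer an auditor asking "who is SYSADM?" actually needs, since
    WHOHAS alone omits ACIDs that never reach the resource check.
    """
    return sorted(explicit | set(bypass_holders(acids, "NORESCHK")))


def hidden_holders(explicit: set[str], acids: list[Acid]) -> list[str]:
    """Effective holders that a WHOHAS listing would not show."""
    return sorted(set(effective_holders(explicit, acids)) - explicit)


def unrestricted_bypass(acids: list[Acid],
                        allowed: frozenset[str] = frozenset({"STC"})) -> list[str]:
    """Bypass-attribute holders not confined to the allowed facilities.

    Mirrors the recommendation to limit a trusted started task's bypass
    privileges to the STC facility: any holder reachable from TSO or batch
    is flagged for review.
    """
    return sorted(
        a.name
        for a in acids
        if a.attributes & BYPASS_ATTRIBUTES and not a.facilities <= allowed
    )


def report(explicit: set[str], acids: list[Acid]) -> dict[str, list[str]]:
    """Summarise the findings for review."""
    return {
        "explicit_permit": sorted(explicit),
        "effective": effective_holders(explicit, acids),
        "hidden_by_bypass": hidden_holders(explicit, acids),
        "bypass_not_stc_only": unrestricted_bypass(acids),
    }


if __name__ == "__main__":
    for key, names in report(EXPLICIT_SYSADM, INVENTORY).items():
        print(f"{key:22} {', '.join(names) or '-'}")
```

On the constructed data the report lists two explicit SYSADMs but five effective ones, and flags SCHEDSTC and EMERG01 because their bypass attributes are usable outside the STC facility; the emergency acid is expected to show up there, which is exactly why such exceptions should be documented rather than discovered during an audit.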
Did some checking around. Didn't find anything in the doc or our problem tracking system that gives an estimate on the 'cost'. If you need an answer to this question, please open an issue with support, for it will require research into the code.
Thank you for your opinion about the bypass attributes. CA Top Secret has to meet the needs of various users. The use of bypass attributes is a choice, so each site can decide for themselves if they will implement this functionality.