/* REXX */ /* CLS2REXXed by FSOX001 on 5 Jun 2017 at 11:21:52 */ /*trace ?r*/ Signal On NoValue Call On Error Signal On Failure Signal On Syntax Parse source opsys . exec_name . Address ISREDIT "MACRO" /* CARM0120 EDIT TEMP5(*) */ /*********************************************************************/ /* 09/10/2007 CL Fenton Copied from CARM0420 to evaluate resources. */ /* 11/30/2007 CL Fenton Added analysis for resource will not be */ /* defined. */ /* 01/31/2008 CL Fenton Chgd contents of 3, 4, and 5 records */ /* written to TEMP6. Record not includes fixed length */ /* RESOURCE field. Removed DUP_USERS variable. */ /* 04/29/2008 CL Fenton Changes in the evaluation of audit logging. */ /* 07/16/2009 CL Fenton Changes to bypass GENERIC testing. */ /* 05/30/2012 CL Fenton Chgs to allow use of AUACCESS for */ /* authorized users list to prevent the possible */ /* "IKJ56548I INSUFFICIENT STORAGE FOR CLIST TO */ /* CONTINUE" message from occurring when a DIALOG user */ /* group contains an excessive number of user, */ /* CSD-AR003400969. */ /* 06/06/2012 CL Fenton Corrected 852 and 932 errors on REC2TBL */ /* on resources that have special characters (+, -, *, */ /* and /), CSD-AR003419256. */ /* 09/18/2012 CL Fenton Corrected 860 errors on RESNAME in the */ /* collection of REC3TBL entries with special */ /* characters (+, -, *, and /). */ /* 04/10/2013 CL Fenton Corrected possible error on FIND */ /* &RESOURCE when cursor position is past where record */ /* is found. */ /* 03/31/2016 CL Fenton Changes to not specify empty groups in */ /* finding details, STS-013692. */ /* 04/04/2016 CL Fenton Changes to ensure UACC(NONE) is specified */ /* and testing to review GENERIC, *, access, */ /* STS-013858. */ /* 03/08/2017 CL Fenton Changes made to process all profiles */ /* identified for a specific resources, STS-016365. */ /* 05/23/2017 CL Fenton Converted script from CLIST to REXX. */ /* Also added GROUPID user list processing (CARM0005), */ /* STS-017060. */ /* 11/01/2017 CL Fenton Corrected issue with everyone (*) having */ /* access in profile and requirements specify everyones */ /* access as NONE, STS-018586. */ /* 02/16/2018 CL Fenton Streamlined and rearranged several processes */ /* and verified permissions of GENERIC where requirements */ /* specified NONE, STS-019211. */ /* 02/27/2018 CL Fenton Corrected issue with multiple resources */ /* using the same profile and identifying additional */ /* resources. */ /* 10/26/2018 CL Fenton Corrected issue when user is directly */ /* permitted and permitted through a group to ignore the */ /* group permission, STS-020788. */ /* 06/05/2019 CL Fenton Chgs to evaluate ZCIC0021 for system that */ /* are running both production and test/developement */ /* CICS regions, STS-021044. */ /* 07/19/2019 CL Fenton Chgs correct possible "Control stack full" */ /* error by changing SIGNAL statements in do loop */ /* properly leave the loop, STS-022967. */ /* 07/19/2019 CL Fenton Changes include a limit of 1000 userids */ /* being extracted until all userids are collected for */ /* groups with excessive number of userids to avoid an */ /* error on variable LIDLIST, STS-022967. */ /* 05/01/2020 CL Fenton Added additional resources to reduce time in */ /* analysis and changes to reduce the number of IOs to */ /* read the same information multiple times, STS-024509. */ /* 09/28/2020 CL Fenton Changes made to initialize a variable to */ /* prevent errors, STS-025321. */ /* 06/16/2021 CL Fenton Changes made to initialize a zerr variables */ /* to prevent errors and 013-18 abends, STS-026455. */ /* */ /* */ /* */ /*********************************************************************/ pgmname = "CARM0120 06/16/21" sysprompt = "OFF" /* CONTROL NOPROMPT */ sysflush = "OFF" /* CONTROL NOFLUSH */ sysasis = "ON" /* CONTROL ASIS - caps off */ Address ISPEXEC "CONTROL NONDISPL ENTER" Address ISPEXEC "CONTROL ERRORS RETURN" /*******************************************/ /* VARIABLES ARE PASSED TO THIS MACRO */ /*******************************************/ maxcc = 0 return_code = 0 Address ISPEXEC "VGET (CONSLIST COMLIST SYMLIST TERMMSGS", "CACM042R CACT0008 AUACCESS CNTL SENSITVE TEMP6 BTITLE ODSNAME", "RACFRPT CARM0005 LISTGRP) ASIS" rm20vget = return_code If return_code <> 0 then do Say pgmname "VGET RC =" return_code Say pgmname "CONSLIST/"conslist "COMLIST/"comlist "SYMLIST/"symlist, "TERMMSGS/"termmsgs Say pgmname "CACM042R/"cacm042r "CACT0008/"cact0008, "AUACCESS/"auaccess "CNTL/"cntl "SENSITVE/"sensitve Say pgmname "TEMP6/"temp6 "BTITLE/"btitle "ODSNAME/"odsname, "RACFRPT/"racfrpt "CARM0005/"carm0005 "LISTGRP/"listgrp return_code = return_code + 16 SIGNAL ERR_EXIT end If CONSLIST = "ON" | COMLIST = "ON" | SYMLIST = "ON" , then Trace ?r /*******************************************/ /* SET MESSAGES */ /*******************************************/ tblusr = "#" syssymlist = symlist /* CONTROL SYMLIST/NOSYMLIST */ sysconlist = conslist /* CONTROL CONLIST/NOCONLIST */ syslist = comlist /* CONTROL LIST/NOLIST */ sysmsg = termmsgs /* CONTROL MSG/NOMSG */ return_code = 0 zerrmsg = "" zerrsm = "" zerrlm = "" sortsw = "D" "(OMEMBER) = MEMBER" "(DSNAME) = DATASET" headlin2 = left(" ",130,"=") tst = listdsi("AUACCESS FILE") auaccessdsn = sysdsname /*******************************************/ /* Expand GROUPIDs */ /*******************************************/ "CURSOR = 1 0" return_code = 0 do until return_code > 0 lidrc = 0 lidline = 1 "FIND 'GROUPID(' NX" If return_code > 0 then leave "(CURLINE) = LINENUM .ZCSR" "(DATA) = LINE" curline parse var data . "GROUPID(" uzid ")" . do until lidrc > 0 Address ISPEXEC "VPUT (UZID SORTSW LIDRC LIDLINE) ASIS" Address ISPEXEC "EDIT DATAID("racfrpt") MACRO("carm0005")", "MEMBER("listgrp")" Address ISPEXEC "VGET (LIDLIST LIDRC LIDLINE) ASIS" Call Process_groupid lidline = lidline + 1 end "EXCLUDE 'GROUPID("left(uzid,8)")' ALL" end "RESET" rectype = 2 pdiname = omember resname = "" Address ISPEXEC "VPUT (RECTYPE PDINAME RESNAME) ASIS" return_code = 0 Address ISPEXEC "VIEW DATAID("cntl") MEMBER("cact0008")", "MACRO("cacm042r")" view_cact0008_rc = return_code If view_cact0008_rc > 4 then do Say pgmname "VIEW CNTL" cact0008 "RC =" view_cact0008_rc return_code = return_code + 16 SIGNAL ERR_EXIT end Address ISPEXEC "VGET (REC2TBL) ASIS" Call Process_pdimbr /*******************************************/ /* COPY REPORT */ /*******************************************/ COPY_REPORT: return_code = 0 "RESET" "CURSOR = 1 0" headline = " "omember "-" btitle ac = headline Address ISPEXEC "LMPUT DATAID("sensitve") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" ac = headlin2 /* ==== */ Address ISPEXEC "LMPUT DATAID("sensitve") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" ac = " " Address ISPEXEC "LMPUT DATAID("sensitve") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" ud1 = "" Do CURLINE = 1 to ender "(X) = XSTATUS" curline If x = "NX" then do "(AC) = LINE" curline If left(ac,10) = " " then do ac = substr(ac,52) If ud1 <> "X" then do ud1 = "X" msg = "Resource is not defined." Address ISPEXEC "LMPUT DATAID("sensitve") MODE(INVAR)", "DATALOC(MSG) DATALEN("length(msg)") MEMBER("omember")" end end Else, If ud1 = "X" then do ud1 = "" msg = " " Address ISPEXEC "LMPUT DATAID("sensitve") MODE(INVAR)", "DATALOC(MSG) DATALEN("length(msg)") MEMBER("omember")" end Address ISPEXEC "LMPUT DATAID("sensitve") MODE(INVAR)", "DATALOC(AC) DATALEN("length(ac)") MEMBER("omember")" If pos("GROUPID(",ac) > 0 & pos("USER=",ac) > 0 then do grp = substr(ac,5,25) usr = substr(ac,38,16) "EXCLUDE P'"grp"========"usr"' 5 ALL" end end End return_code = 0 Address ISPEXEC "LMMADD DATAID("sensitve") MEMBER("omember")" If return_code = 4 then do return_code = 0 Address ISPEXEC "LMMREP DATAID("sensitve") MEMBER("omember")" If return_code <> 0 then do Say pgmname "LMMREP_SENSITVE_RC =" return_code omember zerrsm end end Else do If return_code <> 0 then, Say pgmname "LMMADD_SENSITVE_RC =" return_code omember zerrsm end END_EDIT: return_code = 0 ERR_EXIT: If maxcc >= 16 | return_code > 0 then do Address ISPEXEC "VGET (ZISPFRC) SHARED" If maxcc > zispfrc then, zispfrc = maxcc Else, zispfrc = return_code Address ISPEXEC "VPUT (ZISPFRC) SHARED" Say pgmname "ZISPFRC =" zispfrc end rm420rc = return_code Address ISPEXEC "VPUT (RM20VGET RM420RC) ASIS" "CANCEL" Exit 0 Process_groupid: return_code = 0 "FIND 'GROUPID("left(uzid,8)")' LAST" If return_code > 0 then return /* Return 0 */ do until return_code <> 0 "(DATA) = LINE .ZCSR" if pos("USER=",data) > 0 then, "FIND '"left(data,38)" ' 1 PREV" data1 = left(data,38) "(CURLN) = LINENUM .ZCSR" "FIND 'UACC(' PREV 54" "(DATA) = LINE .ZCSR" parse var data profile 45 . do xx = 1 to length(lidlist) by 28 parse var lidlist . =(xx) user +8 name +20 . ac = left(data1,38) "USER="user "NAME="name profile "LINE_AFTER" curln "= (AC)" end "CURSOR =" curln 0 "FIND 'GROUPID("left(uzid,8)")' PREV NX" end "EXCLUDE ') USER=' 38 ALL" "CURSOR =" curline 50 return_code = 0 return /* Return 1 */ Process_pdimbr: auuacc_lvl = 0 auuacc = "NONE" aulog_lvl = 0 aulog = "NONE" return_code = 0 /*******************************************/ /* PUT HEADINGS OUT */ /*******************************************/ headline = " "omember "-" btitle ac = headline Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" ac = headlin2 /* ==== */ Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" ac = " " Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" headline = "SRR START AULOG =" left(aulog,10) "AUUACC =" auuacc ac = headline Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" /*****************/ /* CHECK ERRORS */ /*****************/ "CURSOR = 1 0" std_error = "N" std_notap = "N" NEXT_ERROR: return_code = 0 do until return_code > 0 return_code = 0 "FIND '"left(" ",50)"' 1" If return_code <> 0 then leave "(DATA) = LINE .ZCSR" parse var data . 54 resource . If pos("X"resource" ",rec2tbl" ") = 0 then do ac = left("SRR YES0",54)resource Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" end If pos(data,"YES") = 5 then std_error = "Y" If pos(data,"N/A") = 5 then std_notap = "Y" end END_ERROR: return_code = 0 If std_error = "Y" then do ac = "SRR STD0 DISA recommendation RDEFINE -" ac = ac" System resources will be protected." Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" end /*******************************************/ /* Authorized user checks */ /*******************************************/ Do XX = 1 to length(strip(rec2tbl,"T")) y = pos(" ",rec2tbl,xx+9) test_text = substr(rec2tbl,xx+8,1) If test_text = " " then do xx = y + 1 iterate end parse var rec2tbl . =(xx) . +9 resource . "CURSOR = 1 0" return_code = 0 "EXCLUDE '"resource" ' 3" If return_code > 0 then do xx = y + 1 iterate end "EXCLUDE 'UACC(' 54 PREV" "(DATA) = LINE .ZCSR" profile = left(data,44) If pos(resource,profile) > 0 then do ac = left("SRR YES0" profile,54)resource Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR)", "DATALOC(AC) DATALEN("length(ac)") MEMBER("omember")" end end "DELETE ALL X" "(ENDER) = LINENUM .ZLAST" Do XX = 1 to length(strip(rec2tbl,"T")) y = pos(" ",rec2tbl,xx+9) parse var rec2tbl . =(xx) . +8 test_text +1 resource . xx = y + 1 If test_text = " " then call Process_info end /********************************/ /* Check for generic RACF rules */ /********************************/ "CURSOR = 1 0" std_read = "N" return_code = 0 If std_read = "Y" then do ac2 = "ALTER" If auuacc_lvl < 5 then, ac2 = "UPDATE and/or" ac2 If auuacc_lvl < 3 then, ac2 = "READ," ac2 If auuacc_lvl = 0 then, ac2 = "EXECUTE," ac2 ac = "SRR STD29DISA recommendation - GENERIC USERID's should", "not be used for ACCESS of" ac2 Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" end /*******************************************/ /* Check Auditing */ /*******************************************/ "CURSOR = 1 0" std_audit = "N" Do X = 1 to length(rec2tbl) parse var rec2tbl . =(x) aulog +7 . +2 resource . Select When aulog = " " then aulog_lvl = 0 When aulog = "NONE " then aulog_lvl = 0 When aulog = "EXECUTE " then do aulog_lvl = 3 aulog = "READ " end When aulog = "READ " then aulog_lvl = 3 When aulog = "UPDATE " then aulog_lvl = 5 When aulog = "CONTROL " then aulog_lvl = 6 When aulog = "ALTER " then aulog_lvl = 9 Otherwise do Say pgmname "Unknown access" access "not found in list 540", omember aulog_lvl = 9 end end y = pos(" ",rec2tbl,x+9) x = y + 1 std_audit = "N" If aulog_lvl = 0 then iterate return_code = 0 "FIND '"resource "' 3 FIRST" If return_code <> 0 then iterate return_code = 0 "FIND 'UACC' 54 PREV" If return_code <> 0 then iterate "(DATA) = LINE .ZCSR" profile = left(data,44) audit = " " pauds = "ER" paudf = "ER" If substr(data,76,5) = "AUDIT" then, audit = substr(data,76,42) si = pos("SUCCESS",audit) fi = pos("FAILURES",audit) ai = pos("ALL",audit) sx = "NONE" fx = "NONE" If si > 0 then, parse var audit . "SUCCESS(" sx ")" . If fi > 0 then, parse var audit . "FAILURES(" fx ")" . If ai > 0 then do parse var audit . "ALL(" sx ")" . fx = sx end Select When fx = "NONE " then lvl = 0 When fx = "EXECUTE " then lvl = 1 When fx = "READ " then lvl = 3 When fx = "UPDATE " then lvl = 5 When fx = "CONTROL " then lvl = 6 When fx = "ALTER " then lvl = 9 Otherwise do Say pgmname "Unknown access" fx "not found in list 615" omember lvl = 0 end end If lvl <= aulog_lvl & lvl <> 0 then, paudf = "OK" Select When sx = "NONE " then lvl = 0 When sx = "EXECUTE " then lvl = 1 When sx = "READ " then lvl = 3 When sx = "UPDATE " then lvl = 5 When sx = "CONTROL " then lvl = 6 When sx = "ALTER " then lvl = 9 Otherwise do Say pgmname "Unknown access" sx "not found in list 632" omember lvl = 0 end end If lvl <= aulog_lvl & lvl <> 0 then, pauds = "OK" If pauds <> "OK" | paudf <> "OK" then do ac = "SRR YES3" profile left(resource,44) audit Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" std_audit = "Y" end end END_UACC3: return_code = 0 If std_audit = "Y" then do aulogt = aulog ac = "SRR STD39DISA recommendation - AUDIT(" ac = ac"SUCCESS("aulogt")FAILURES(READ))" Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" end /**************************/ /* Check RACF Warn option */ /**************************/ "CURSOR = 1 0" std_warn = "N" NEXT_UACC4: do until return_code > 0 return_code = 0 "FIND 'UACC' 54" If return_code <> 0 then leave "(DATA) = LINE .ZCSR" parse var data profile 44 . warn . wi = pos("(N)",warn) If wi = 0 then do ac = "SRR YES4" profile" "left(resource,44) warn Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" std_warn = "Y" end end END_UACC4: return_code = 0 If std_warn = "Y" then do ac = "SRR STD49DISA recommendation - WARN(N)" Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" end /***********************************/ /* Check RACF UACC univeral access */ /***********************************/ "CURSOR = 1 0" std_uacc = "N" NEXT_UACC5: do until return_code > 0 return_code = 0 "FIND 'UACC' 54" If return_code <> 0 then leave "(DATA) = LINE .ZCSR" parse var data profile 44 . 54 uacc . parse var data . "UACC(" uacc_txt ")" . If pos("NONE",uacc) > 0 then iterate Select When uacc_txt = "NONE " then lvl = 0 When uacc_txt = "EXECUTE " then lvl = 1 When uacc_txt = "READ " then lvl = 3 When uacc_txt = "UPDATE " then lvl = 5 When uacc_txt = "CONTROL " then lvl = 6 When uacc_txt = "ALTER " then lvl = 9 Otherwise do Say pgmname "Unknown access" uacc_txt "not found in list 747" omember lvl = 9 end end ac = "SRR YES5" profile" "left(resource,44) uacc Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" std_uacc = "Y" end END_UACC5: return_code = 0 If std_uacc = "Y" then do ac = "SRR STD59DISA recommendation - UACC(NONE)" Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" end headline = "SRR END" ac = headline Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN(" length(ac)") MEMBER("omember")" ac = headlin2 /* ==== */ Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" ac = " " Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" /*************************************/ /* Copy Update only entries for PDIs */ /*************************************/ cnt = 0 ud1 = "" Do curline = 1 to ender "(AC) = LINE" curline If left(ac,10) = " " then do ac = substr(ac,52) If ud1 <> "X" then do ud1 = "X" msg = "Resource is not defined." Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR)", "DATALOC(MSG) DATALEN("length(msg)") MEMBER("omember")" end end Else If ud1 = "X" then do ud1 = "" msg = " " Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR)", "DATALOC(MSG) DATALEN("length(msg)") MEMBER("omember")" end If left(ac,7) = "SRR N/A" then iterate If substr(ac,23,6) = "ACCESS" then do access = substr(ac,30,8) Select When access = "NONE " then lvl = 0 When access = "EXECUTE " then lvl = 1 When access = "READ " then lvl = 3 When access = "UPDATE " then lvl = 5 When access = "CONTROL " then lvl = 6 When access = "ALTER " then lvl = 9 Otherwise do Say pgmname "Unknown access" access "not found in list 828" omember lvl = 0 end end If lvl <= auuacc_lvl |, substr(ac,30,2) = " " |, (substr(ac,05,5) = "GROUP" &, substr(ac,40,5) = "USER=") then iterate end Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" cnt = cnt + 1 If cnt > 25 then leave end CLOSE_SRR: return_code = 0 ac = " " Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" ac = "For complete details see" odsname"("omember")." Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" return_code = 0 Address ISPEXEC "LMMADD DATAID("temp6") MEMBER("omember")" If return_code = 4 then do return_code = 0 Address ISPEXEC "LMMREP DATAID("temp6") MEMBER("omember")" If return_code <> 0 then do Say pgmname "LMMREP_TEMP6_RC =" return_code omember zerrsm end end Else do If return_code <> 0 then, Say pgmname "LMMADD_TEMP6_RC =" return_code omember zerrsm end return_code = 0 Return 0 /* Return 2 */ Process_info: resline = 1 dashline = 1 rectype = 3 resname = resource Address ISPEXEC "VPUT (RECTYPE PDINAME RESNAME) ASIS" return_code = 0 Address ISPEXEC "VIEW DATAID("cntl") MEMBER("cact0008")", "MACRO("cacm042r")" view_cact0008_rc = return_code If view_cact0008_rc > 4 then do Say pgmname "VIEW CNTL" cact0008 "RC =" view_cact0008_rc return /* Return 3 */ end Address ISPEXEC "VGET (REC3TBL AUACCCNT) ASIS" If auacccnt > 50 then do return_code = 0 Address ISPEXEC "LMCLOSE DATAID("auaccess")" lmclose_pdidd_rc = return_code If return_code <> 0 then do Say pgmname "LMCLOSE_AUACCESS_RC" return_code zerrsm end return_code = 0 Address ISPEXEC "LMCOMP DATAID("auaccess")" lmcomp_auaccess_rc = return_code If return_code <> 0 then do Say pgmname "LMCOMP_AUACCESS_RC" return_code zerrsm end return_code = 0 Address ISPEXEC "LMOPEN DATAID("auaccess") OPTION(INPUT)" lmopen_auaccess_rc = return_code If return_code <> 0 then do Say pgmname "LMOPEN_AUACCESS_RC" return_code zerrsm end auacccnt = 0 Address ISPEXEC "VPUT (AUACCCNT) ASIS" end Address ISPEXEC "VERASE (REC3TBL) ASIS" if sysdsn("'"auaccessdsn"("pdiname")'") = "OK" then do Address TSO "ALLOC FI(DD1) DA('"auaccessdsn"("pdiname")') SHR REUSE" Address TSO "execio * diskr DD1 (finis stem AUREC." Address TSO "FREE FI(DD1)" end else do say pgmname auaccessdsn"("pdiname") :", sysdsn("'"auaccessdsn"("pdiname")'") end REPEAT_RESOURCE: ZEDSMSG = "Start" ZEDLMSG = "Starting Repeat Resources process." Address ISPEXEC "LOG MSG(ISRZ000)" return_code = 0 do until return_code > 0 "RESET" "CURSOR =" resline 40 return_code = 0 "FIND '"resource "' 3" If return_code > 0 then iterate "(RESLINE) = CURSOR" "FIND '- - - - - ' 1 PREV" If return_code = 0 then do "(DASHLINE) = CURSOR" "CURSOR =" resline 3 end "FIND 'UACC(' 54 PREV" "(UACCLINE) = CURSOR" If dashline > uaccline then, "(DATA) = LINE" dashline + 1 Else, "(DATA) = LINE .ZCSR" res_profile = left(data,44) return_code = 0 "EXCLUDE ALL ' '" "FIND ALL '"res_profile"' 80" If return_code > 0 then iterate auuacc_lvl = 0 x = pos("* ",rec3tbl) If x > 0 then, parse var rec3tbl . =(x) . +8 auuacc_lvl +1 . std_user = "N" ds_rule = " " Call Auth_user_check END_USER: return_code = 0 If std_user = "Y" then do ac2 = "ALTER" If auuacc_lvl < 6 then, ac2 = "CONTROL and/or" ac2 If auuacc_lvl < 5 then, ac2 = "UPDATE," ac2 If auuacc_lvl < 3 then, ac2 = "READ," ac2 If auuacc_lvl = 0 then, ac2 = "EXECUTE," ac2 ac = "SRR STD19DISA recommendation USERID -" ac = ac" Users and Started tasks should be in the" ac = ac" authorized user list for ACCESS of" ac2 Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR)", "DATALOC(AC) DATALEN("length(ac)") MEMBER("omember")" end end ZEDSMSG = "Finish" ZEDLMSG = "Finished Repeat Resources process." Address ISPEXEC "LOG MSG(ISRZ000)" Return /* Return 4 */ /*******************************************/ /* Authorized user checks */ /*******************************************/ Auth_user_check: Address ISPEXEC "LMMFIND DATAID("auaccess") MEMBER("pdiname")" If return_code > 0 then do return_code = 0 "CURSOR = 1 0" scmd = "'USER=' 40" Call USERID_NOTAUTH Return 0 end std_user = "N" READ_AUACCESS: do aua = 1 to aurec.0 aurec = aurec.aua return_code = 0 If left(aurec,8) = "*" then, "FIND ALL 'GENERIC("left(aurec,8)"' 5 NX" Else, "FIND ALL 'USER="left(aurec,8)"' 40 NX" If return_code <> 0 then iterate aulid = left(aurec,8) aulvl = substr(aurec,9,1) "CURSOR = 1 0" return_code = 0 NEXT_USER: do until return_code <> 0 return_code = 0 If left(aurec,8) = "*" then, "FIND 'GENERIC("aulid"' 5 NX" Else, "FIND 'USER="aulid"' 40 NX" If return_code <> 0 then leave "(DATA) = LINE .ZCSR" parse var data . 30 access 38 . 80 profile . Select When access = "NONE " then alvl = 0 When access = "EXECUTE " then alvl = 1 When access = "READ " then alvl = 3 When access = "UPDATE " then alvl = 5 When access = "CONTROL " then alvl = 6 When access = "ALTER " then alvl = 9 Otherwise do Say pgmname "Unknown access" access "not found in list 383" omember alvl = 9 end end /*******************************************/ /* CHECK USER IN AUTH USER LIST */ /*******************************************/ If alvl <= auuacc_lvl | alvl <= aulvl then do "XSTATUS .ZCSR = X" end end end "EXCLUDE 'USER=Empty*' ALL 40" return_code = 0 "FIND '"res_profile"' 80 ALL NX" "(A) = FIND_COUNTS" "CURSOR = 1 0" scmd = "'USER=' 40" Call USERID_NOTAUTH Return /* Return 5 */ USERID_NOTAUTH: do until return_code <> 0 return_code = 0 "FIND" scmd "NX" If return_code <> 0 then do If scmd = "'USER=' 40" then do "CURSOR = 1 0" scmd = "'GENERIC(' 5" return_code = 0 end iterate end "(DATA) = LINE .ZCSR" parse var data . 30 access 38 . 80 profile +45 . parse var data . 5 info 80 . Select When access = "NONE " then alvl = 0 When access = "EXECUTE " then alvl = 1 When access = "READ " then alvl = 3 When access = "UPDATE " then alvl = 5 When access = "CONTROL " then alvl = 6 When access = "ALTER " then alvl = 9 Otherwise do Say pgmname "Unknown access" access "not found in list 422" omember alvl = 9 end end If alvl <= auuacc_lvl then iterate /* Following information added to remove users in group if permitted directly*/ If pos("GROUPID(",data) = 5 then do "(CURLN) = LINENUM .ZCSR" parse var data . 40 test parse var test "USER=" user . return_code = 0 "SEEK '"test"' 40 ALL" If return_code = 0 then do "(DATA1) = LINE .ZCSR" "CURSOR =" curln 60 If pos("USERID("left(user,8)")",data1) = 6 then, iterate end "CURSOR =" curln 60 return_code = 0 end ac = "SRR YES1" left(profile,44) left(resource,44) info Address ISPEXEC "LMPUT DATAID("temp6") MODE(INVAR) DATALOC(AC)", "DATALEN("length(ac)") MEMBER("omember")" std_user = "Y" end Return /* Return 6 */ NoValue: Failure: Syntax: say pgmname 'REXX error' rc 'in line' sigl':' strip(ERRORTEXT(rc)) say SOURCELINE(sigl) SIGNAL ERR_EXIT Error: return_code = RC if RC >= 16 then do say pgmname "LASTCC =" RC strip(zerrlm) say pgmname 'REXX error' rc 'in line' sigl':' strip(ERRORTEXT(rc)) say SOURCELINE(sigl) end if return_code > maxcc then, maxcc = return_code return /* Return 7 */