ISREDIT MACRO       /* CARM0525 View TEMP9 Setropts global */
/* 12/21/2005 JL.NELSON Copied from CARM0009
/* 12/21/2005 JL.NELSON Created for PDIs RACF0270, 310, and 320
/* 01/04/2006 JL.NELSON Added PDI RACF0510
/* 01/25/2006 JL.NELSON Changed RACF0510 to a Manual Review.
/* 03/08/2006 JL.NELSON Made changes to avoid abend 920/932.
/* 03/05/2007 CL.FENTON Added ZUSSR070 RACLIST test.
/* 07/09/2007 CL.FENTON Changed output for Manual Review
/* 08/07/2007 CL.FENTON Added additional details for RACF0510.
/* 09/19/2011 CL.FENTON Added TEMPDSN resource class for RACF0270.
/*            And minor changes in output format.
/* 03/08/2013 CL.FENTON Removed Manual Review for RACF0510,
/*            CSD-AR003417415.
/* 08/17/2016 CL.Fenton Added evaluation for RACF0540, STS-015246.
/* 04/24/2017 CL.Fenton Added evaluation for LOGOPTIONS "ALWAYS" for
/*            RACF0540, STS-016729,
/* 05/22/2018 CL.Fenton Added "Not Reviewed" to RACF0510 for vuls
/*            that require additional analysis and changed test to
/*            for INSTALLATION on either RVARYx vars, STS-019713.
/* 07/02/2021 CL Fenton Chgs to remove automation for RACF0310,
/*            RACF0320, and ZUSSR070, STS-026846.
/* --------------------------------------------------------------- */
/* Purpose: ISPF edit macro. It reads its control variables with    */
/* VGET, scans the data being viewed (per the header above, the     */
/* TEMP9 SETROPTS listing) with ISREDIT FIND, and writes the        */
/* finding-detail text with LMPUT into one member per PDI           */
/* (RACF0270, RACF0510, RACF0540) under data ID PDIID.              */
/* Status goes back to the caller in RM525VG, RM525RC and, on       */
/* error, ZISPFRC; the macro itself always ends with EXIT CODE(0).  */
/* NOTE(review): the line layout here was restored from a copy      */
/* whose line breaks and runs of blanks had been collapsed. The     */
/* number of blanks inside each STR(...) literal is as found in     */
/* that copy and matters to the scans below - confirm against the   */
/* installed member before relying on this text.                    */
/* --------------------------------------------------------------- */
SET PGMNAME = &STR(CARM0525 07/02/21)
/* Variables shared with the SYSCALL subprocedures at the bottom.   */
NGLOBAL PGMNAME RETURN_CODE PDIID PDIMBR ZERRSM RCLASS CLASSLST +
  SETROPT FINDRC LASTLINE
SET SYSPROMPT = OFF                /* CONTROL NOPROMPT          */
SET SYSFLUSH  = OFF                /* CONTROL NOFLUSH           */
SET SYSASIS   = ON                 /* CONTROL ASIS - caps off   */
/* ERROR ROUTINE */
/* Saves the failing code in RETURN_CODE so the mainline can test   */
/* it. Only codes of 16 or more are written out. None of the LMPUT  */
/* calls below is followed by a RETURN_CODE test, so a failed write */
/* with a lower code leaves a short or empty finding member without */
/* any message.                                                     */
ERROR DO
  SET RETURN_CODE = &LASTCC          /* SAVE LAST ERROR CODE */
  IF &LASTCC GE 16 THEN +
    WRITE &PGMNAME LASTCC = &LASTCC &ZERRLM
  RETURN
END
/* *************************************** */
/* THIS EDIT MACRO PROVIDES THE FINDING    */
/* DETAILS FOR RACF SETROPTS               */
/* *************************************** */
/* CLASSACT   - RACF0270                   */
/* RVARYPW    - RACF0510                   */
/* LOGOPTIONS - RACF0540                   */
/* *************************************** */
/* VARIABLES ARE PASSED TO THIS MACRO      */
/* CONSLIST                                */
/* COMLIST                                 */
/* SYMLIST                                 */
/* TERMMSGS                                */
/* (the VGET below also fetches CARM0524,  */
/*  PDIID, DSMONID and DSMONMBR)           */
/* *************************************** */
SET RETURN_CODE = 0
ISPEXEC VGET ( +
  CONSLIST     +
  COMLIST      +
  SYMLIST      +
  TERMMSGS     +
  CARM0524     +
  PDIID        +
  DSMONID      +
  DSMONMBR     +
  ) ASIS
/* RM525VG records the VGET result for the caller. */
SET RM525VG = &RETURN_CODE
IF &RETURN_CODE NE 0 THEN DO
  /* Without its inputs the macro cannot run: dump what was         */
  /* received, add 16 to the code and leave through ERR_EXIT.       */
  WRITE &PGMNAME VGET RC = &RETURN_CODE &ZERRSM
  WRITE &PGMNAME CONSLIST/&CONSLIST COMLIST/&COMLIST SYMLIST/&SYMLIST +
    TERMMSGS/&TERMMSGS
  WRITE &PGMNAME CARM0524/&CARM0524 PDIID/&PDIID DSMONID/&DSMONID +
    DSMONMBR/&DSMONMBR
  SET RETURN_CODE = &RETURN_CODE + 16
  GOTO ERR_EXIT
END
/* *************************************** */
/* TURN ON MESSAGES                        */
/* *************************************** */
SET SYSSYMLIST = &SYMLIST          /* CONTROL SYMLIST/NOSYMLIST */
SET SYSCONLIST = &CONSLIST         /* CONTROL CONLIST/NOCONLIST */
SET SYSLIST    = &COMLIST          /* CONTROL LIST/NOLIST       */
SET SYSMSG     = &TERMMSGS         /* CONTROL MSG/NOMSG         */
/* *************************************** */
/* MAIN PROCESS                            */
/* *************************************** */
/* LP and RP hold literal parentheses so the RVARYPW recommendation */
/* text can contain them.                                           */
SET LP = &STR((
SET RP = )
SET SPC = &STR( )
/* LASTLINE bounds the continuation-line scan in FIND_CLASS.        */
ISREDIT (LASTLINE) = LINENUM .ZLAST
/* ----------------------------------------------------------------- */
/* RACF0270: each class named in TABLE must appear in the ACTIVE     */
/* CLASSES list gathered by FIND_CLASS. RACF0270 counts the classes  */
/* that are missing.                                                 */
/* ----------------------------------------------------------------- */
SET PDIMBR = RACF0270
SET RACF0270 = 0
SET RCLASS = &STR(ACTIVE CLASSES)
SET SETROPT = &STR(CLASSACT(name))
SET CLASSLST = &STR(#)
SET RETURN_CODE = 0
SYSCALL FIND_CLASS
/* WRITE &PGMNAME &CLASSLST
/* FIND_CLASS has already written the "not defined" text when the    */
/* heading was not found, so only the member needs to be stored.     */
IF &FINDRC NE 0 THEN GOTO END_RACF0270
SET TABLE = &STR(DATASET USER GROUP TEMPDSN)
/* Walk TABLE one blank-delimited word at a time: X is the start of  */
/* the word, Y the blank after it. Setting X to Y lets the DO step   */
/* move past that blank. RES and CLASSLST are both padded with       */
/* blanks so that only a whole class name matches.                   */
DO X = 1 TO &LENGTH(&TABLE)
  SET Y = &SYSINDEX(&STR( ),&STR(&TABLE ),&X)
  SET RES = &SUBSTR(&X:&Y-1,&STR(&TABLE ))
  IF &SYSINDEX(&STR( &RES ),&STR(&CLASSLST )) EQ 0 THEN +
    SET RACF0270 = &RACF0270 + 1
  SET X = &Y
END
IF &RACF0270 EQ 0 THEN DO
  SET AC = &STR(Not a Finding )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(All CLASSACT required classes are active: +
    DATASET, USER, GROUP, and TEMPDSN.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
ELSE DO
  SET AC = &STR(The following SETROPTS value is improperly set:)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  /* Same walk as above, this time writing one line per missing      */
  /* class.                                                          */
  DO X = 1 TO &LENGTH(&TABLE)
    SET Y = &SYSINDEX(&STR( ),&STR(&TABLE ),&X)
    SET RES = &SUBSTR(&X:&Y-1,&STR(&TABLE ))
    IF &SYSINDEX(&STR( &RES ),&STR(&CLASSLST )) EQ 0 THEN DO
      SET AC = &STR( SETROPTS CLASSACT(&RES) is missing.)
      ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
        DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
    END
    SET X = &Y
  END
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(DISA recommendation: SETROPTS CLASSACT(name) )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
END_RACF0270: +
SET RETURN_CODE = 0
SYSCALL ADD_MEMBER
/* ----------------------------------------------------------------- */
/* RACF0510: find the listing lines that contain RVARY PASSWORD and  */
/* test each for the word INSTALLATION. Two FINDs are issued, the    */
/* second continuing from the cursor left by the first, so RVARY1    */
/* and RVARY2 hold the first two matching lines (presumably the      */
/* SWITCH and STATUS lines - confirm against the listing format).    */
/* ----------------------------------------------------------------- */
SET PDIMBR = RACF0510
SET RACF0510 = 0
SET RCLASS = &STR(RVARY PASSWORD)
SET SETROPT = &STR(RVARYPW)
SET RVARY1 =
SET RVARY2 =
ISREDIT CURSOR = 1 0
SET RETURN_CODE = 0
ISREDIT FIND ' &RCLASS '
IF &RETURN_CODE NE 0 THEN DO
  /* No RVARY PASSWORD line in the listing at all. */
  SET RACF0510 = &RETURN_CODE
  SET AC = &STR(The SETROPTS &SETROPT is not defined.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(DISA recommendation: SETROPTS RVARYPW&LP +
    SWITCH&LP.pw&RP STATUS&LP.pw&RP &RP )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  GOTO END_RACF0510
END
ELSE DO
  ISREDIT (CURLINE) = LINENUM .ZCSR
  ISREDIT (RVARY1) = LINE &CURLINE
END
SET RETURN_CODE = 0
ISREDIT FIND ' &RCLASS '
/* A failed second FIND leaves RVARY2 empty, which gives X2 = 0.     */
IF &RETURN_CODE EQ 0 THEN DO
  ISREDIT (CURLINE) = LINENUM .ZCSR
  ISREDIT (RVARY2) = LINE &CURLINE
END
SET X1 = &SYSINDEX(&STR(INSTALLATION ),&STR(&RVARY1))
SET X2 = &SYSINDEX(&STR(INSTALLATION ),&STR(&RVARY2))
/* NOTE(review): with OR, a listing where only one of the two lines  */
/* contains INSTALLATION is reported as "Not Reviewed", not through  */
/* the path further down. The 05/22/2018 changelog entry shows the   */
/* switch from AND was deliberate. Both lines are echoed into the    */
/* member, so the reviewer must read them to spot a line that lacks  */
/* INSTALLATION (presumably a default RVARY password - confirm).     */
/* No path in this section writes "Not a Finding".                   */
/* IF &X1 GT 0 AND
IF &X1 GT 0 OR +
   &X2 GT 0 THEN DO
  /*SET AC = &STR(Manual Review)
  SET AC = &STR(Not Reviewed)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR(The SETROPTS &SETROPT value is improperly set.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( &RVARY1)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( &RVARY2)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( Passwords may not be set in accordance with +
    standard password guidelines.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  GOTO END_RACF0510
END
/* ELSE */
/* Reached only when neither line contains INSTALLATION, so both of  */
/* the EQ 0 tests below are true on this path.                       */
SET AC = &STR(The SETROPTS &SETROPT value is improperly set.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
  DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
  DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
IF &X1 EQ 0 THEN DO
  SET AC = &STR( &RVARY1)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
IF &X2 EQ 0 THEN DO
  SET AC = &STR( &RVARY2)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
  DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(DISA recommendation: SETROPTS RVARYPW&LP +
  SWITCH&LP.pw&RP STATUS&LP.pw&RP &RP )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
  DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END_RACF0510: +
SET RETURN_CODE = 0
SYSCALL ADD_MEMBER
/* ----------------------------------------------------------------- */
/* RACF0540: audit logging options. Step 1 expects LOGOPTIONS        */
/* "NEVER" CLASSES to be NONE. Step 2 gathers the FAILURES and       */
/* ALWAYS class lists into one CLASSLST and hands it to the macro    */
/* named in CARM0524 through the VPUT and VIEW below.                */
/* PSTATUS starts as NF and becomes O when step 1 fails (presumably  */
/* Not a Finding / Open - confirm in CARM0524).                      */
/* ----------------------------------------------------------------- */
SET PDIMBR = RACF0540
SET RCLASS = &STR(LOGOPTIONS "NEVER" CLASSES)
SET SETROPT = &STR(LOGOPTIONS(NEVER(NONE)))
SET CLASSLST = &STR(#)
SET PSTATUS = &STR(NF)
SET RETURN_CODE = 0
SYSCALL FIND_CLASS
/* A class listed under NEVER produces no audit records, so any      */
/* value other than NONE is reported here.                           */
IF &SYSINDEX(&STR( NONE ),&CLASSLST) EQ 0 THEN DO
  SET AC = &STR(The SETROPTS LOGOPTIONS "NEVER" CLASSES = NONE +
    is not specified.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET PSTATUS = &STR(O)
END
SET RCLASS = &STR(LOGOPTIONS "FAILURES" CLASSES)
SET SETROPT = &STR(LOGOPTIONS(FAILURES(name)))
SET CLASSLST = &STR(#)
SET RETURN_CODE = 0
SYSCALL FIND_CLASS
/* Second lookup: for the ALWAYS heading FIND_CLASS appends to       */
/* CLASSLST instead of replacing it. SETROPT is not changed, so a    */
/* "not defined" message from this call names the FAILURES option.   */
SET RCLASS = &STR(LOGOPTIONS "ALWAYS" CLASSES)
SET RETURN_CODE = 0
SYSCALL FIND_CLASS
SET RCLASS = &STR(LOGOPTIONS "FAILURES" CLASSES)
IF &SYSINDEX(&STR( NONE ),&CLASSLST) GT 0 THEN DO
  SET AC = &STR(The SETROPTS LOGOPTIONS "FAILURES" CLASSES = NONE +
    is specified.)
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  SET AC = &STR( )
  ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
    DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
  GOTO END_RACF0540
END
/* NOTE(review): FIND_CLASS resets FINDRC on entry, so the value     */
/* tested here is the one left by the ALWAYS lookup. A missing       */
/* FAILURES heading does not stop the VIEW step when the ALWAYS      */
/* heading is present - confirm that is intended.                    */
IF &FINDRC NE 0 THEN GOTO END_RACF0540
ISPEXEC VPUT ( +
  PDIMBR       +
  CLASSLST     +
  SETROPT      +
  RCLASS       +
  PSTATUS      +
  ) ASIS
SET RETURN_CODE = 0
/* Run the macro named in CARM0524 against member DSMONMBR of data   */
/* ID DSMONID; a result above 4 is treated as a failure.             */
ISPEXEC VIEW DATAID(&DSMONID) MACRO(&CARM0524) MEMBER(&DSMONMBR)
IF &RETURN_CODE GT 4 THEN DO
  WRITE &PGMNAME VIEW_DSMON_RC = &RETURN_CODE +
    MEMBER &DSMONMBR for &PDIMBR &ZERRSM
  SET RETURN_CODE = &RETURN_CODE + 16
  GOTO ERR_EXIT
END
END_RACF0540: +
SET RETURN_CODE = 0
SYSCALL ADD_MEMBER
/* ----------------------------------------------------------------- */
/* Exit handling. END_EXIT clears RETURN_CODE for the normal path;   */
/* ERR_EXIT is entered directly with RETURN_CODE already raised.     */
/* When MAXCC is 16 or more, or RETURN_CODE is above 0, ZISPFRC in   */
/* the SHARED pool is set to MAXCC if that exceeds the current       */
/* ZISPFRC, otherwise to RETURN_CODE. RM525VG and RM525RC are        */
/* always put back for the caller. EXIT CODE(0) is unconditional,    */
/* so callers have to read those variables to see a failure.         */
/* ----------------------------------------------------------------- */
END_EXIT: +
SET RETURN_CODE = 0
ERR_EXIT: +
IF &MAXCC GE 16 OR +
   &RETURN_CODE GT 0 THEN DO
  ISPEXEC VGET (ZISPFRC) SHARED
  IF &MAXCC GT &ZISPFRC THEN +
    SET ZISPFRC = &MAXCC
  ELSE +
    SET ZISPFRC = &RETURN_CODE
  ISPEXEC VPUT (ZISPFRC) SHARED
  WRITE &PGMNAME ZISPFRC = &ZISPFRC
END
SET RM525RC = &RETURN_CODE
ISPEXEC VPUT ( +
  RM525VG      +
  RM525RC      +
  ) ASIS
ISREDIT END
EXIT CODE(0)
ISREDIT MEND
/* *************************************** */
/* SYSCALL SUBROUTINES                     */
/* *************************************** */
/* ADD_MEMBER: logs a "finished" message and stores the lines        */
/* written so far as member PDIMBR of data ID PDIID. LMMADD is       */
/* tried first; a result of 4 leads to LMMREP so that an existing    */
/* member is replaced. Failures are only written to the terminal;    */
/* nothing is returned to the caller.                                */
ADD_MEMBER: PROC 0
  SET ZEDSMSG = FINISHED
  SET ZEDLMSG = &STR(Finished processing &PDIMBR.)
  ISPEXEC LOG MSG(ISRZ000)
  SET RETURN_CODE = 0
  ISPEXEC LMMADD DATAID(&PDIID) MEMBER(&PDIMBR)
  IF &RETURN_CODE EQ 4 THEN DO        /* MEMBER ALREADY EXISTS */
    SET RETURN_CODE = 0
    ISPEXEC LMMREP DATAID(&PDIID) MEMBER(&PDIMBR)
    IF &RETURN_CODE NE 0 THEN DO
      WRITE &PGMNAME LMMREP_PDI_RCODE = &RETURN_CODE &PDIMBR &ZERRSM
    END
  END
  ELSE DO
    IF &RETURN_CODE NE 0 THEN +
      WRITE &PGMNAME LMMADD_PDI_RCODE = &RETURN_CODE &PDIMBR &ZERRSM
  END
END
/* *************************************** */
/* SYSCALL SUBROUTINES                     */
/* *************************************** */
/* FIND_CLASS: locates the listing line that begins with the         */
/* heading in RCLASS and collects the values after its "=" sign      */
/* into CLASSLST.                                                    */
/*   In : RCLASS (heading), SETROPT (option named in messages),      */
/*        PDIID and PDIMBR (LMPUT target), LASTLINE.                 */
/*   Out: FINDRC - 0 when the heading was found, else the FIND       */
/*                 result.                                           */
/*        CLASSLST - replaced by the values and closed with " #";    */
/*                 for the ALWAYS heading the values are appended    */
/*                 to the existing CLASSLST instead.                 */
/* When the heading is missing, the "not defined" text and the DISA  */
/* recommendation are written to the member and CLASSLST is left as  */
/* the caller set it. CLASSLST is also left unchanged when the line  */
/* has no "=", when nothing follows it, or when the ALWAYS line      */
/* contains NONE.                                                    */
FIND_CLASS: PROC 0
  SET FINDRC = 0
  SET RETURN_CODE = 0
  ISREDIT CURSOR = 1 0
  /* The trailing 1 is a column operand: the heading has to start    */
  /* in column 1.                                                    */
  ISREDIT FIND '&RCLASS ' 1
  IF &RETURN_CODE NE 0 THEN DO
    SET FINDRC = &RETURN_CODE
    SET AC = &STR(The SETROPTS &SETROPT is not defined. )
    ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
      DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
    SET AC = &STR( )
    ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
      DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
    SET AC = &STR(DISA recommendation: SETROPTS &SETROPT )
    ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
      DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
    GOTO END_FIND
  END
  ISREDIT (CURLINE) = LINENUM .ZCSR
  ISREDIT (DATA) = LINE &CURLINE
  /* X is the column of "=" on the heading line; the same X is used  */
  /* as the value column on the continuation lines below.            */
  SET X = &SYSINDEX(&STR(=),&STR(&DATA))
  IF &X EQ 0 THEN GOTO END_FIND
  IF &STR(&RCLASS) EQ &STR(LOGOPTIONS "ALWAYS" CLASSES) AND +
     &SYSINDEX(&STR( NONE ),&STR(&DATA)) GT 0 THEN +
    GOTO END_FIND
  /* Y marks the end of the values on this line.                     */
  /* NOTE(review): as found, the search string is a single blank,    */
  /* which would stop after the first class name; the installed      */
  /* member presumably uses a longer run of blanks - confirm.        */
  SET Y = &SYSINDEX(&STR( ),&STR(&DATA),&X+2)
  IF &X+1 LT &Y-1 THEN +
    IF &STR(&RCLASS) EQ &STR(LOGOPTIONS "ALWAYS" CLASSES) THEN +
      SET CLASSLST = &STR(&CLASSLST) +
        &SUBSTR(&X+2:&Y-1,&NRSTR(&DATA))
    ELSE +
      SET CLASSLST = &SUBSTR(&X+1:&Y-1,&NRSTR(&DATA))
  ELSE GOTO END_FIND
/* Continuation lines: keep reading while the next line starts with  */
/* a blank and the end of the data has not been passed, appending    */
/* the values found from column X+2 onward.                          */
NEXT_LIST: +
  SET RETURN_CODE = 0
  SET CURLINE = &CURLINE + 1
  IF &CURLINE GT &LASTLINE THEN GOTO END_LIST
  ISREDIT (DATA) = LINE &CURLINE
  IF &STR( ) NE &SUBSTR(1,&NRSTR(&DATA)) THEN +
    GOTO END_LIST
  SET Y = &SYSINDEX(&STR( ),&STR(&DATA),&X+2)
  IF &X+2 LT &Y-1 THEN +
    SET CLASSLST = &STR(&CLASSLST) +
      &SUBSTR(&X+2:&Y-1,&NRSTR(&DATA))
  GOTO NEXT_LIST
/* Close the list with " #" so that the last class name is also      */
/* followed by a blank for the whole-word tests in the mainline.     */
END_LIST: +
  SET RETURN_CODE = 0
  SET CLASSLST = &STR(&CLASSLST #)
END_FIND: +
END