ISREDIT MACRO
/* CARM0527 VIEW USERLIST report */
/* 01/23/2006 JL Nelson Created to perform USERID checks.
/* 01/24/2006 JL Nelson Ignore IBM supplied USERIDs.
/* 01/27/2006 JL Nelson RACF0580 look for TSO segments only.
/* 03/13/2006 JL Nelson Set/test RCode for critical ISREDIT commands.
/* 07/09/2007 CL Fenton Changed output from multi to single lines.
/* 09/12/2007 CL Fenton Changed RACF0710, RACF0720, and RACF0730 from
/* Manual Review to Documentable within VMS.
/* 02/28/2009 CL Fenton Added bypass of userid and tsoid when userid
/* is blank.
/* 09/02/2009 CL Fenton Chgs made on allowing passdate of 00.000 and
/* reporting name gt 9999999999 in other words hi values.
/* 04/07/2010 CL Fenton Chgs record format to all for PASS-INTERVAL.
/* 08/31/2010 CL Fenton Added Dialog data set to remove authorized
/* users from PDI member created in this process. Also
/* made changes for with positions to search.
/* 04/07/2010 CL Fenton Chgs field entry for attributes and groups.
/* 09/19/2011 CL Fenton Chgs in password interval to allow for 254 days
/* CSD-AR002561268.
/* 09/19/2011 CL Fenton Chgs processing of connect group entries on users,
/* CSD-AR003000316.
/* 06/28/2012 CL Fenton Chgs to RACF0710 and RACF0720 to bypass user
/* connected to non SYS groups per vul check specs.
/* 09/18/2012 CL Fenton Corrected multiple errors on USR containing
/* special characters (+, -, *, and /).
/* 05/22/2013 CL Fenton Added FTPUSERS for RACF0580 and removed 254 day
/* for FTP users to remove conflict between RACF0580 and
/* RACF0440, STS-000796. Also added the removal of EMERAUDT
/* for RACF0580.
/* 03/07/2014 CL Fenton Removed TSOPROC requirement from RACF0580, STS-004646.
/* 06/02/2014 CL Fenton Added exclusion of users with FTP in name for
/* RACF0580, STS-005560.
/* 09/20/2016 CL Fenton Changed all references of IAO to ISSO.
/* 05/22/2018 CL Fenton Added "Not Reviewed" to RACF0710, RACF0720,
/* and RACF0730 for vuls that require additional analysis
/* and reduced what groups are dropped for check,
/* STS-019713.
/* 02/19/2020 CL Fenton Added PHRASEDATE for evaluation, STS-023663.
/* --------------------------------------------------------------- */
/* Purpose: ISPF edit macro run against a RACF USERLIST report.    */
/* It walks the report five times and writes one PDI member per    */
/* vulnerability check (RACF0570, RACF0580, RACF0710, RACF0720,    */
/* RACF0730) via LMPUT into the data set identified by &PDIID.     */
/* Each pass is followed by SYSCALL ADD_MEMBER, which commits the  */
/* member and reloads the report into the edit session.            */
/* Input variables (ISPF VGET): CONSLIST COMLIST SYMLIST TERMMSGS  */
/* (CONTROL settings), PDIID (output data set id), DIALOG (data    */
/* set id holding authorized-user list members), TYPERUN.          */
/* Output variables (ISPF VPUT): RM527VG (VGET rc), RM527RC.       */
/* All field extraction is by fixed column (&SUBSTR ranges below); */
/* if the USERLIST report layout changes, every check silently     */
/* reads the wrong column, so the column map must be re-verified   */
/* whenever the report producer changes.                           */
/* NOTE(review): runs of blanks inside &STR( ) literals appear     */
/* collapsed in this copy of the member (e.g. &STR(NONE ) compared */
/* against an 8-character field); confirm the blank padding        */
/* against the source member before relying on these comparisons. */
/* --------------------------------------------------------------- */
SET PGMNAME = &STR(CARM0527 02/19/20)
/* Shared with the SYSCALL subroutines at the end of the member. */
NGLOBAL PGMNAME RETURN_CODE PDIID PDIMBR ZERRSM DIALOG DSNAME
SET SYSPROMPT = OFF /* CONTROL NOPROMPT */
SET SYSFLUSH = OFF /* CONTROL NOFLUSH */
SET SYSASIS = ON /* CONTROL ASIS - caps off */
ISPEXEC CONTROL ERRORS RETURN
/* ERROR ROUTINE */
/* Captures the return code of any failing command into the      */
/* global RETURN_CODE; callers test RETURN_CODE after critical    */
/* ISREDIT/ISPEXEC commands. Only codes GE 16 are echoed.         */
ERROR DO
SET RETURN_CODE = &LASTCC /* SAVE LAST ERROR CODE */
IF &LASTCC GE 16 THEN +
WRITE &PGMNAME LASTCC = &LASTCC &ZERRLM
RETURN
END
/* *************************************** */
/* VARIABLES ARE PASSED TO THIS MACRO */
/* CONSLIST */
/* COMLIST */
/* SYMLIST */
/* TERMMSGS */
/* *************************************** */
SET RETURN_CODE = 0
ISPEXEC VGET ( +
CONSLIST +
COMLIST +
SYMLIST +
TERMMSGS +
PDIID +
DIALOG +
TYPERUN +
) ASIS
/* RM527VG is returned to the caller so a failed VGET is visible */
/* even though the macro still exits with CODE(0).                */
SET RM527VG = &RETURN_CODE
IF &RETURN_CODE NE 0 THEN DO
WRITE &PGMNAME VGET RC = &RETURN_CODE &ZERRSM
WRITE &PGMNAME CONSLIST/&CONSLIST COMLIST/&COMLIST SYMLIST/&SYMLIST +
TERMMSGS/&TERMMSGS
WRITE &PGMNAME PDIID/&PDIID +
TYPERUN/&TYPERUN
SET RETURN_CODE = &RETURN_CODE + 16
GOTO ERR_EXIT
END
/* *************************************** */
/* TURN ON MESSAGES */
/* *************************************** */
SET SYSSYMLIST = &SYMLIST /* CONTROL SYMLIST/NOSYMLIST */
SET SYSCONLIST = &CONSLIST /* CONTROL CONLIST/NOCONLIST */
SET SYSLIST = &COMLIST /* CONTROL LIST/NOLIST */
SET SYSMSG = &TERMMSGS /* CONTROL MSG/NOMSG */
/* Edit-session facts used by every pass: DSNAME is re-read by    */
/* ADD_MEMBER to reload the report; LASTLINE bounds the line      */
/* loops (captured once, before any reload); DW bounds the FIND/  */
/* SEEK column range.                                             */
ISREDIT (MBRNAME) = MEMBER
ISREDIT (DSNAME) = DATASET
ISREDIT (LASTLINE) = LINENUM .ZLAST
ISREDIT (DW) = DATA_WIDTH
SET BLANK = &STR( )
/* LP/RP let literal parentheses be embedded in &STR( ) text. */
SET LP = &STR((
SET RP = )
/* CC = first column searched for attribute keywords (SPECIAL,  */
/* OPERATIONS, AUDITOR) and the lower bound of the backward      */
/* GROUP= scan.                                                   */
SET CC = 32
/* --------------------------------------------------------------- */
/* RACF0570: every userid must have NAME, OWNER, DEFAULT-GROUP and  */
/* a password (or pass phrase) change date.                         */
/* --------------------------------------------------------------- */
SET PDIMBR = RACF0570
SET RACF0570 = 0
SET CURLINE = 0
/* *************************************** */
/* READ LOOP */
/* *************************************** */
NEXT_USERID: +
SET RETURN_CODE = 0
SET CURLINE = &CURLINE + 1
IF &CURLINE GT &LASTLINE THEN GOTO END_USERID
ISREDIT (DATA) = LINE &CURLINE
SET USERID = &SUBSTR(01:08,&NRSTR(&DATA))
/* Skip the IBM-supplied certificate/multi-ID/site userids and */
/* report lines with a blank userid field.                       */
SELECT &STR(&USERID)
WHEN (irrcerta) GOTO NEXT_USERID
WHEN (irrmulti) GOTO NEXT_USERID
WHEN (irrsitec) GOTO NEXT_USERID
WHEN ( ) GOTO NEXT_USERID
END
/* Fixed-column field map of the USERLIST report line. */
/* PWPDATE (49:54) is presumably the PHRASEDATE column added by */
/* the 02/19/2020 change - confirm against the report layout.    */
SET NAME = &SUBSTR(10:31,&NRSTR(&DATA))
SET DFTGRP = &SUBSTR(94:101,&NRSTR(&DATA))
SET OWNER = &SUBSTR(33:40,&NRSTR(&DATA))
SET PASSDATE = &SUBSTR(42:47,&NRSTR(&DATA))
SET PWPDATE = &SUBSTR(49:54,&NRSTR(&DATA))
/* CNT is never initialized or reported; it is effectively unused. */
SET CNT = &CNT + 1
SET ERROR = 0
/* NAME GT 9999999999 catches a name field of high-values (EBCDIC */
/* X'FF' collates above the digits); see the 09/02/2009 entry.     */
IF &STR(&NAME) EQ &STR( ) OR +
&STR(&NAME) GT &STR(9999999999) OR +
&STR(&NAME) EQ &STR(UNKNOWN ) THEN SET ERROR = &ERROR + 1
IF &STR(&DFTGRP) EQ &STR( ) OR +
&STR(&DFTGRP) EQ &STR(NONE ) THEN SET ERROR = &ERROR + 1
IF &STR(&OWNER) EQ &STR( ) OR +
&STR(&OWNER) EQ &STR(NONE ) THEN SET ERROR = &ERROR + 1
/* PROTECTED userids have no password, so the date check below   */
/* does not apply to them; they are still reported if a field    */
/* above was already missing.                                    */
IF &SYSINDEX(&STR( APROTECTED ),&NRSTR(&DATA)) GT 90 AND +
&ERROR EQ 0 THEN GOTO NEXT_USERID
/*IF &STR(&PASSDATE) EQ &STR(N/A ) THEN +
/* SET ERROR = &ERROR + 1
/*IF &STR(&PASSDATE) EQ &STR(N/A ) OR +
/* &STR(&PASSDATE) EQ &STR(00.000 ) THEN SET ERROR = &ERROR + 1
/* A userid passes if EITHER a password date OR a phrase date is */
/* present; only both at N/A is a finding.                       */
IF &STR(&PASSDATE) EQ &STR(N/A ) AND +
&STR(&PWPDATE) EQ &STR(N/A ) THEN +
SET ERROR = &ERROR + 1
IF &ERROR EQ 0 THEN GOTO NEXT_USERID
/* First finding: write the member heading once. */
IF &RACF0570 EQ 0 THEN DO
SET AC = &STR(The following userid&LP.s&RP does &LP.do&RP not +
have the required field&LP.s&RP completed.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SET RACF0570 = &RACF0570 + 1
SET AC = &STR( &USERID NAME=&NAME OWNER=&OWNER +
DEFAULT-GROUP=&DFTGRP)
/* PASSDATE is only meaningful for non-PROTECTED userids. */
IF &SYSINDEX(&STR( APROTECTED ),&NRSTR(&DATA)) EQ 0 THEN +
SET AC = &STR(&AC PASSDATE=&PASSDATE)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
GOTO NEXT_USERID
END_USERID: +
SET RETURN_CODE = 0
IF &RACF0570 EQ 0 THEN DO
SET AC = &STR(Not a Finding )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(All userid&LP.s&RP contain the required fields.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
ELSE DO
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(DISA recommendation: All userid records must have +
the users name, the owner, a default group, and the password +
fields defined.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SYSCALL ADD_MEMBER
/* --------------------------------------------------------------- */
/* RACF0580: interactive userids must have a password interval of   */
/* 1 to 60 days and a known LAST-ACCESS value.                      */
/* Userids listed in the EMERAUDT and FTPUSERS authorized-user      */
/* members, and any userid whose name (cols 10-32) contains FTP,    */
/* are excluded from the interval check (but NOT the LAST-ACCESS    */
/* check, see the XSTAT test below).                                */
/* --------------------------------------------------------------- */
SET PDIMBR = RACF0580
SET RACF0580 = 0
SET CURLINE = 0
SET GROUP = &STR(EMERAUDT FTPUSERS)
/* Walk the blank-separated member names in GROUP and exclude the */
/* userids each member lists (DIALOG_RTN). These lists are an     */
/* allowlist that suppresses findings, so their contents need     */
/* their own review and change control.                           */
SET A = 1
DO WHILE &A LT &LENGTH(&STR(&GROUP))
SET B = &SYSINDEX(&STR( ),&STR(&GROUP ),&A) - 1
SET ATTR = &SUBSTR(&A:&B,&STR(&GROUP))
SYSCALL DIALOG_RTN &ATTR
SET A = &B + 2
END
ISREDIT EXCLUDE ALL "FTP" 10 32
ISREDIT CURSOR = 1 0
/* *************************************** */
/* READ LOOP */
/* *************************************** */
NEXT_TSOID: +
SET RETURN_CODE = 0
SET CURLINE = &CURLINE + 1
IF &CURLINE GT &LASTLINE THEN GOTO END_TSOID
ISREDIT (DATA) = LINE &CURLINE
SET USERID = &SUBSTR(01:08,&NRSTR(&DATA))
SELECT &STR(&USERID)
WHEN (irrcerta) GOTO NEXT_TSOID
WHEN (irrmulti) GOTO NEXT_TSOID
WHEN (irrsitec) GOTO NEXT_TSOID
WHEN ( ) GOTO NEXT_TSOID
END
/* XSTAT is X for lines excluded above (authorized / FTP users). */
ISREDIT (XSTAT) = XSTATUS &CURLINE
SET NAME = &SUBSTR(10:31,&NRSTR(&DATA))
/* TSOPROC is extracted but no longer tested (03/07/2014 change). */
SET TSOPROC = &SUBSTR(76:83,&NRSTR(&DATA))
SET PASSINT = &SUBSTR(56:58,&NRSTR(&DATA))
SET LASTACC = &SUBSTR(60:74,&NRSTR(&DATA))
/* NOTE(review): this pass uses &STR(&DATA) where the RACF0570   */
/* pass uses &NRSTR(&DATA); a report line containing & or .      */
/* could be rescanned differently here - confirm intent.         */
IF &SYSINDEX(&STR( APROTECTED ),&STR(&DATA)) GT 90 THEN +
GOTO NEXT_TSOID
IF &SYSINDEX(&STR( AREVOKED ),&STR(&DATA)) GT 90 THEN +
SET REV = &STR(REVOKED)
ELSE +
SET REV = &STR( )
SET ERROR = 0
/*IF &STR(&TSOPROC) EQ &STR( ) OR +
/* &STR(&TSOPROC) EQ &STR(NONE ) THEN SET ERROR = &ERROR + 1
/* Interval check applies only to non-excluded (NX) lines. The  */
/* ELSE binds to the inner IF: blank/N/A is a finding, otherwise */
/* 0 or more than 60 days is a finding.                          */
IF &STR(&XSTAT) EQ &STR(NX) THEN +
IF &STR(&PASSINT) EQ &STR( ) OR +
&STR(&PASSINT) EQ &STR(N/A) THEN SET ERROR = &ERROR + 1
ELSE +
IF &PASSINT EQ 0 OR +
&PASSINT GT 60 THEN SET ERROR = &ERROR + 1
IF &STR(&LASTACC) EQ &STR( ) OR +
&STR(&LASTACC) EQ &STR(UNKNOWN ) THEN SET ERROR = &ERROR + 1
IF &ERROR EQ 0 THEN GOTO NEXT_TSOID
IF &RACF0580 EQ 0 THEN DO
SET AC = &STR(The following interactive userid&LP.s&RP does +
&LP.do&RP not have the required field&LP.s&RP completed.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SET RACF0580 = &RACF0580 + 1
SET AC = &STR( &USERID NAME=&NAME +
LAST-ACCESS=&LASTACC +
PASS-INTERVAL=&PASSINT &REV)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
GOTO NEXT_TSOID
END_TSOID: +
SET RETURN_CODE = 0
IF &RACF0580 EQ 0 THEN DO
SET AC = &STR(Not a Finding )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(All interactive userid&LP.s&RP contain +
the required fields.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
ELSE DO
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
/* The first recommendation text below is overwritten by the     */
/* second before any LMPUT, so it never reaches the member       */
/* (presumably retired with the TSOPROC requirement).            */
SET AC = &STR(DISA recommendation: All interactive userid +
records must have the users name, TSO account number, and the +
password fields defined.)
SET AC = &STR(DISA recommendation: All interactive userid +
records must have a password interval of 1 to 60 and an +
appropriate password date.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(Note: Use "ALTUSER userid RESUME" to set the +
LAST-ACCESS to the current date and time.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SYSCALL ADD_MEMBER
/* --------------------------------------------------------------- */
/* RACF0710: userids holding the SPECIAL attribute (user- or        */
/* group-level). Reported as "Not Reviewed" because justification   */
/* must be checked manually against ISSO documentation.             */
/* --------------------------------------------------------------- */
SET PDIMBR = RACF0710
SET RACF0710 = 0
SET ATTRB = SPECIAL
/* Only the last SET GROUP is in effect; the two above it are    */
/* retained history (the 05/22/2018 change reduced the list).    */
SET GROUP = &STR(EMERAUDT SECAAUDT SECBAUDT SECDAUDT)
SET GROUP = &STR(EMERAUDT SECAAUDT SECBAUDT)
SET GROUP = &STR(SECAAUDT)
SET A = 1
DO WHILE &A LT &LENGTH(&STR(&GROUP))
SET B = &SYSINDEX(&STR( ),&STR(&GROUP ),&A) - 1
SET ATTR = &SUBSTR(&A:&B,&STR(&GROUP))
SYSCALL DIALOG_RTN &ATTR
SET A = &B + 2
END
ISREDIT CURSOR = 1 0
/* SEEK (unlike the FIND NX used by the next two passes) also    */
/* lands on excluded lines, so the exclude status is tested      */
/* explicitly via XSTATUS below.                                 */
NEXT_SPECIAL: +
SET RETURN_CODE = 0
ISREDIT SEEK '&ATTRB ' &CC &DW
IF &RETURN_CODE NE 0 THEN GOTO END_SPECIAL
ISREDIT (,POS) = CURSOR
ISREDIT (STAT) = XSTATUS .ZCSR
ISREDIT (DATA) = LINE .ZCSR
/* The character before the keyword classifies the hit: A = user */
/* attribute, G = group (connect) attribute - presumably the     */
/* report's own field prefix; anything else is a false match.    */
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(A) AND +
&SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(G) THEN GOTO NEXT_SPECIAL
/* Both tests below are subsumed by the unconditional STAT EQ X */
/* test that follows; excluded (authorized) lines are skipped.   */
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) EQ &STR(A) AND +
&NRSTR(&STAT) EQ &STR(X) THEN GOTO NEXT_SPECIAL
/* Use below to exclude all security user in GROUP */
IF &NRSTR(&STAT) EQ &STR(X) THEN GOTO NEXT_SPECIAL
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) EQ &STR( ) THEN +
GOTO NEXT_SPECIAL
SET GRPNM =
/* Group-level hit: scan backwards from the keyword to the       */
/* nearest " GROUP=" and take the group name up to the next      */
/* blank (the first GRPNM assignment is immediately replaced).   */
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) EQ &STR(G) THEN DO
DO X = &POS-3 TO &CC BY - 1 +
UNTIL &SUBSTR(&X:&X+6,&NRSTR(&DATA)) EQ &STR( GROUP=)
END
SET Y = &SYSINDEX(&STR( ),&NRSTR(&DATA),&X+1)
SET GRPNM = &SUBSTR(&X+7:&POS-3,&NRSTR(&DATA))
SET GRPNM = &SUBSTR(&X+7:&Y-1,&NRSTR(&DATA))
/* Group SPECIAL is only reported when LMDLIST succeeds for the */
/* group name used as a data set level (i.e. the group appears  */
/* to own cataloged data sets) - presumably the "connected to   */
/* non SYS groups" bypass; confirm intent.                      */
ISPEXEC LMDINIT LISTID(TSTDSN) LEVEL(&GRPNM)
SET RETURN_CODE = 0
ISPEXEC LMDLIST LISTID(&TSTDSN)
SET LMDLIST_RC = &RETURN_CODE
ISPEXEC LMDFREE LISTID(&TSTDSN)
IF &LMDLIST_RC GT 0 THEN GOTO NEXT_SPECIAL
/* Unreachable: STAT EQ X already branched above. */
IF &SYSINDEX(&STR(SYS),&NRSTR(&GRPNM)) EQ 1 AND +
&NRSTR(&STAT) EQ &STR(X) THEN GOTO NEXT_SPECIAL
/* Add below to allow SPECIAL when GRPNM not a SYStem prefix. */
IF &SYSINDEX(&STR(SYS),&NRSTR(&GRPNM)) NE 1 THEN GOTO NEXT_SPECIAL
END
SET USERID = &SUBSTR(01:08,&NRSTR(&DATA))
SET NAME = &SUBSTR(10:31,&NRSTR(&DATA))
IF &RACF0710 EQ 0 THEN DO
SET AC = &STR(Not Reviewed)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(The following authorization&LP.s&RP to the &ATTRB +
attribute is &LP.are&RP inappropriate:)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(1&RP The number of userids granted the &ATTRB +
attribute is excessive.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(2&RP Justification for authorization was not +
provided.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SET RACF0710 = &RACF0710 + 1
IF &NRSTR(&GRPNM) EQ &STR( ) THEN +
SET AC = &STR( &USERID NAME=&NAME ATTRIBUTE=&ATTRB )
ELSE +
SET AC = &STR( &USERID NAME=&NAME GROUP=&GRPNM +
CONNECT ATTRIBUTE=&ATTRB )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
GOTO NEXT_SPECIAL
END_SPECIAL: +
SET RETURN_CODE = 0
IF &RACF0710 EQ 0 THEN DO
SET AC = &STR(Not a Finding )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(No userids were found with attribute of &ATTRB.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
ELSE DO
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(DISA recommendation: Ensure documentation +
providing justification for access is maintained and filed +
with the ISSO, and that unjustified access is removed.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SYSCALL ADD_MEMBER
/* --------------------------------------------------------------- */
/* RACF0720: userids holding the OPERATIONS attribute. Same shape   */
/* as RACF0710 but uses FIND NX (excluded lines never match) and    */
/* has no LMDLIST test; group hits still require a SYS prefix.      */
/* --------------------------------------------------------------- */
SET PDIMBR = RACF0720
SET RACF0720 = 0
SET ATTRB = OPERATIONS
/* Only the last SET GROUP is in effect. */
SET GROUP = &STR(EMERAUDT DASDAUDT)
SET GROUP = &STR(DASDAUDT)
SET A = 1
DO WHILE &A LT &LENGTH(&STR(&GROUP))
SET B = &SYSINDEX(&STR( ),&STR(&GROUP ),&A) - 1
SET ATTR = &SUBSTR(&A:&B,&STR(&GROUP))
SYSCALL DIALOG_RTN &ATTR
SET A = &B + 2
END
ISREDIT CURSOR = 1 0
NEXT_OPER: +
SET RETURN_CODE = 0
ISREDIT FIND '&ATTRB ' &CC &DW NX
IF &RETURN_CODE NE 0 THEN GOTO END_OPER
ISREDIT (,POS) = CURSOR
ISREDIT (DATA) = LINE .ZCSR
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(A) AND +
&SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(G) THEN +
GOTO NEXT_OPER
SET GRPNM =
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) EQ &STR(G) THEN DO
DO X = &POS-3 TO &CC BY - 1 +
UNTIL &SUBSTR(&X:&X+6,&NRSTR(&DATA)) EQ &STR( GROUP=)
END
SET Y = &SYSINDEX(&STR( ),&NRSTR(&DATA),&X+1)
SET GRPNM = &SUBSTR(&X+7:&POS-3,&NRSTR(&DATA))
SET GRPNM = &SUBSTR(&X+7:&Y-1,&NRSTR(&DATA))
/* Add below to allow OPERATIONS when GRPNM not a SYStem prefix. */
IF &SYSINDEX(&STR(SYS),&NRSTR(&GRPNM)) NE 1 THEN GOTO NEXT_OPER
END
SET USERID = &SUBSTR(01:08,&NRSTR(&DATA))
SET NAME = &SUBSTR(10:31,&NRSTR(&DATA))
IF &RACF0720 EQ 0 THEN DO
SET AC = &STR(Not Reviewed)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(The following authorization&LP.s&RP to the &ATTRB +
attribute is &LP.are&RP inappropriate:)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(1&RP The number of userids granted the &ATTRB +
attribute is excessive.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(2&RP Justification for authorization was not +
provided.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SET RACF0720 = &RACF0720 + 1
IF &NRSTR(&GRPNM) EQ &STR( ) THEN +
SET AC = &STR( &USERID NAME=&NAME ATTRIBUTE=&ATTRB )
ELSE +
SET AC = &STR( &USERID NAME=&NAME GROUP=&GRPNM +
CONNECT ATTRIBUTE=&ATTRB )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
GOTO NEXT_OPER
END_OPER: +
SET RETURN_CODE = 0
IF &RACF0720 EQ 0 THEN DO
SET AC = &STR(Not a Finding )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(No userids were found with attribute of &ATTRB.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
ELSE DO
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(DISA recommendation: Ensure documentation +
providing justification for access is maintained and filed +
with the ISSO, and that unjustified access is removed.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SYSCALL ADD_MEMBER
/* --------------------------------------------------------------- */
/* RACF0730: userids holding the AUDITOR attribute. Unlike the two  */
/* passes above, group-level hits are reported regardless of a SYS  */
/* prefix (the 06/28/2012 bypass applied to RACF0710/0720 only).    */
/* --------------------------------------------------------------- */
SET PDIMBR = RACF0730
SET RACF0730 = 0
SET ATTRB = AUDITOR
/* Only the last SET GROUP is in effect. */
SET GROUP = &STR(AUDTAUDT EMERAUDT SECAAUDT SECBAUDT SECDAUDT)
SET GROUP = &STR(AUDTAUDT SECAAUDT)
SET A = 1
DO WHILE &A LT &LENGTH(&STR(&GROUP))
SET B = &SYSINDEX(&STR( ),&STR(&GROUP ),&A) - 1
SET ATTR = &SUBSTR(&A:&B,&STR(&GROUP))
SYSCALL DIALOG_RTN &ATTR
SET A = &B + 2
END
ISREDIT CURSOR = 1 0
NEXT_AUDIT: +
SET RETURN_CODE = 0
ISREDIT FIND '&ATTRB ' &CC &DW NX
IF &RETURN_CODE NE 0 THEN GOTO END_AUDIT
ISREDIT (,POS) = CURSOR
ISREDIT (DATA) = LINE .ZCSR
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(A) AND +
&SUBSTR(&POS-1,&NRSTR(&DATA)) NE &STR(G) THEN GOTO NEXT_AUDIT
SET GRPNM =
IF &SUBSTR(&POS-1,&NRSTR(&DATA)) EQ &STR(G) THEN DO
DO X = &POS-3 TO &CC BY - 1 +
UNTIL &SUBSTR(&X:&X+6,&NRSTR(&DATA)) EQ &STR( GROUP=)
END
SET Y = &SYSINDEX(&STR( ),&NRSTR(&DATA),&X+1)
SET GRPNM = &SUBSTR(&X+7:&POS-3,&NRSTR(&DATA))
SET GRPNM = &SUBSTR(&X+7:&Y-1,&NRSTR(&DATA))
END
SET USERID = &SUBSTR(01:08,&NRSTR(&DATA))
SET NAME = &SUBSTR(10:31,&NRSTR(&DATA))
IF &RACF0730 EQ 0 THEN DO
SET AC = &STR(Not Reviewed)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(The following authorization&LP.s&RP to the +
&ATTRB attribute is &LP.are&RP inappropriate:)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(1&RP The number of userids granted the &ATTRB +
attribute is excessive.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(2&RP Justification for authorization was not +
provided.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SET RACF0730 = &RACF0730 + 1
IF &NRSTR(&GRPNM) EQ &STR( ) THEN +
SET AC = &STR( &USERID NAME=&NAME ATTRIBUTE=&ATTRB )
ELSE +
SET AC = &STR( &USERID NAME=&NAME GROUP=&GRPNM +
CONNECT ATTRIBUTE=&ATTRB )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
GOTO NEXT_AUDIT
END_AUDIT: +
SET RETURN_CODE = 0
IF &RACF0730 EQ 0 THEN DO
SET AC = &STR(Not a Finding )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(No userids were found with attribute of &ATTRB.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
ELSE DO
SET AC = &STR( )
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
SET AC = &STR(DISA recommendation: Ensure documentation +
providing justification for access is maintained and filed +
with the ISSO, and that unjustified access is removed.)
ISPEXEC LMPUT DATAID(&PDIID) MODE(INVAR) DATALOC(AC) +
DATALEN(&LENGTH(&NRSTR(&AC))) MEMBER(&PDIMBR)
END
SYSCALL ADD_MEMBER
/* *************************************** */
/* END of program */
/* *************************************** */
END_EXIT: +
SET RETURN_CODE = 0
/* Propagate a non-zero result through the shared ZISPFRC so the  */
/* driving dialog sees it; the macro itself always EXITs with 0.  */
/* NOTE(review): the ELSE branch replaces ZISPFRC with            */
/* RETURN_CODE even when the value already in the pool is higher  */
/* - confirm that is intended.                                    */
ERR_EXIT: +
IF &MAXCC GE 16 OR +
&RETURN_CODE GT 0 THEN DO
ISPEXEC VGET (ZISPFRC) SHARED
IF &MAXCC GT &ZISPFRC THEN +
SET ZISPFRC = &MAXCC
ELSE +
SET ZISPFRC = &RETURN_CODE
ISPEXEC VPUT (ZISPFRC) SHARED
WRITE &PGMNAME ZISPFRC = &ZISPFRC
END
SET RM527RC = &RETURN_CODE
ISPEXEC VPUT ( +
RM527VG +
RM527RC +
) ASIS
/* CANCEL discards the edit session, so the deletes/copies done  */
/* by ADD_MEMBER never alter the USERLIST report itself.         */
ISREDIT CANCEL
EXIT CODE(0)
/* *************************************** */
/* SYSCALL SUBROUTINES */
/* *************************************** */
/* DIALOG_RTN AUMBR                                               */
/* Reads member &AUMBR of the DIALOG data set (one userid per     */
/* record in columns 1-8; records starting with * or blank are    */
/* ignored) and EXCLUDEs every matching line in the edit session  */
/* so those userids do not appear as findings in the current      */
/* check. A missing member is reported and otherwise ignored.     */
/* The NRSTR wrapper and quoting keep userids containing + - * /  */
/* from being misread (09/18/2012 change).                        */
DIALOG_RTN: PROC 1 AUMBR
SET RETURN_CODE = 0
ISPEXEC LMMFIND DATAID(&DIALOG) MEMBER(&AUMBR)
SET LMMFIND_DIALOG_RC = &RETURN_CODE
IF &RETURN_CODE NE 0 THEN DO
WRITE &PGMNAME Authorized user list &AUMBR not found.
RETURN
END
GET_NEXT_USR: +
SET RETURN_CODE = 0
ISPEXEC LMGET DATAID(&DIALOG) MODE(INVAR) DATALOC(URECORD) +
MAXLEN(80) DATALEN(LRECL)
SET LMGET_DIALOG_RC = &RETURN_CODE
IF &RETURN_CODE EQ 8 THEN DO /* END OF MEMBER */
SET LMGET_DIALOG_RC = 0 /* SET RETURN CODE TO 0 */
RETURN
END
/* Any other failure leaves RETURN_CODE raised by 16 for the     */
/* caller; the current check continues with partial exclusions.  */
IF &RETURN_CODE GT 4 THEN DO
WRITE &PGMNAME LMGET DIALOG RC = &RETURN_CODE &ZERRSM
SET RETURN_CODE = &RETURN_CODE + 16
RETURN
END
IF &SUBSTR(1,&NRSTR(&URECORD)) EQ &STR(*) OR +
&SUBSTR(1,&NRSTR(&URECORD)) EQ &STR( ) THEN +
GOTO GET_NEXT_USR
SET USR = &SUBSTR(1:8,&NRSTR(&URECORD))
ISREDIT EXCLUDE ALL '&NRSTR(&USR)' 1
GOTO GET_NEXT_USR
/* --------------- */
END
/* ADD_MEMBER                                                     */
/* Commits the PDI member &PDIMBR built by the preceding LMPUT     */
/* calls (LMMADD, falling back to LMMREP when rc 4 = member        */
/* already exists) and then reloads the report for the next pass:  */
/* RESET clears all excludes, DELETE ALL NX therefore removes      */
/* every line, and COPY re-reads &DSNAME after .ZF.                */
ADD_MEMBER: PROC 0
SET ZEDSMSG = FINISHED
SET ZEDLMSG = &STR(Finished processing &PDIMBR.)
ISPEXEC LOG MSG(ISRZ000)
SET RETURN_CODE = 0
ISPEXEC LMMADD DATAID(&PDIID) MEMBER(&PDIMBR)
IF &RETURN_CODE EQ 4 THEN DO /* MEMBER ALREADY EXISTS
SET RETURN_CODE = 0
ISPEXEC LMMREP DATAID(&PDIID) MEMBER(&PDIMBR)
IF &RETURN_CODE NE 0 THEN DO
WRITE &PGMNAME LMMREP_PDI_RCODE = &RETURN_CODE &PDIMBR &ZERRSM
END
END
ELSE DO
IF &RETURN_CODE NE 0 THEN +
WRITE &PGMNAME LMMADD_PDI_RCODE = &RETURN_CODE &PDIMBR &ZERRSM
END
ISREDIT RESET
ISREDIT DELETE ALL NX
SET RETURN_CODE = 0
ISREDIT COPY '&DSNAME' AFTER .ZF
END