I am getting a violation with new HFS rules, even though the TEST works.

Article ID: 40163

Products

CA ACF2, CA ACF2 - DB2 Option, CA ACF2 for zVM, CA ACF2 - z/OS, CA ACF2 - MISC, CA PanApt, CA PanAudit

Issue/Introduction

Problem:

 

I am getting a violation with new HFS rules, even though the TEST command works.  The rule looks like this:

 

$KEY(/usr) TYPE($UM) 

/lpp/mqm UID(PROD) SERVICE(READ) ALLOW 

/lpp/mqm UID(OPER) SERVICE(READ) ALLOW 

- UID(*) PREVENT

 

Cause:

CA ACF2 resource rule processing treats the period character as a delimiter. This delimiter is used when writing extended resource rules, that is, rules that provide security for resource names of greater than forty characters. Path names, however, use the slash character as a delimiter. Before a file is validated, every slash character in the path name except the first is translated into a period delimiter. Other special characters are translated into the dollar sign ($): the period, asterisk, dash, plus, blank, and quote. These include the characters used as masking characters in resource rules, which could produce undesired results if left untranslated. An exit point is provided that can further modify any character to meet special needs, with the exception of the slash character, which is always translated to a period delimiter.

 

Resolution:

So the rule should look like this:

$KEY(/usr) TYPE($UM) 

lpp.mqm UID(PROD) SERVICE(READ) ALLOW 

lpp.mqm UID(OPER) SERVICE(READ) ALLOW 

- UID(*) PREVENT
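
The translation described under Cause can be modeled to work out the rule entry a given path needs. This is an added example, not CA ACF2 code and not part of the original article; the function names are hypothetical, the apostrophe is assumed to be the "quote" character, and the key is assumed to be the leading qualifier of the translated name.

```python
# Added example, not CA ACF2 code: models the path-name translation that the
# Cause section describes. Function names are hypothetical.

# period, asterisk, dash, plus, blank, quote (apostrophe is an assumption)
SPECIALS = set(".*-+ '")

def translate_hfs_path(path):
    """Return the resource name that is validated for an absolute path name."""
    if not path.startswith("/"):
        raise ValueError("expected an absolute path name")
    out = ["/"]                      # the first slash is left as it is
    for ch in path[1:]:
        if ch == "/":
            out.append(".")          # every later slash becomes a period
        elif ch in SPECIALS:
            out.append("$")          # special characters become $
        else:
            out.append(ch)
    return "".join(out)

def rule_entry_for(path, key):
    """Return the rule-entry text to write under $KEY(key) for this path.

    Assumption: the key is the leading qualifier of the translated name.
    """
    resource = translate_hfs_path(path)
    prefix = key + "."
    if not resource.startswith(prefix):
        raise ValueError(f"{resource} is not below key {key}")
    return resource[len(prefix):]

def entry_has_raw_slash(entry):
    """Flag a rule entry that still uses slash delimiters, like /lpp/mqm."""
    return "/" in entry

if __name__ == "__main__":
    # Constructed sample paths; the first is the one from the article.
    for p in ("/usr/lpp/mqm", "/usr/lpp/mqm/V7.1/my file"):
        print(p, "->", translate_hfs_path(p), "| entry:", rule_entry_for(p, "/usr"))
    print("/lpp/mqm needs rewriting:", entry_has_raw_slash("/lpp/mqm"))
```

The second sample path shows why a period or blank inside a directory or file name appears as $ in the rule entry rather than as a delimiter.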

Environment

Release:
Component: ACF2MS