Compliance testing


The compliance testing feature of BMC AMI Security Policy Manager periodically analyzes your system and security settings for compliance with a set of rules. The feature ships with a set of rules, and you can define additional rules that reflect your organization's security policies.

You can define how often each rule is evaluated, set rules to execute automatically when specified system events occur, or run rules manually by command or from the browser interface.

The feature generates reports, which you can opt to receive, that document instances of compliance and non-compliance with the rules.


AutoStart parameter

This parameter is required if you want to submit one or more REXX execs to customize the compliance rules.

The AutoStart parameter permits the Security Policy Manager server started task to automatically start the Security Policy Manager TSO address space started task. This is required because the server address space must have visibility of the TSO address space.

Example of the AutoStart parameter

*******************
* Autostart Table *
*******************
AutoStart
Start                 * ECTSO
Start                 RSM1 ECTSO TSO2
Start                 RSM2 ECTSO TSO3
EndAutoStart

The following table describes the parameter values:

AutoStart [Start parm1 parm2 parm3]
    One or more Start commands. The following parameters are valid:
      • Parm1: LPAR name
      • Parm2: Name of the REXXTSO STC
      • Parm3: Optional step name for the REXXTSO STC

EndAutoStart
    End of AutoStart block

Examples of Start parameters

The following parameter results in an S ECTSO command on system RSM1:

START RSM1 ECTSO


The following parameter results in an S ECTSO.TSO1 command on system RSM1. It enables support of multiple STCs with the same STC name for parallel processing.

START RSM1 ECTSO TSO1


The following definition starts three ECTSO STCs on RSM1 so that three REXX execs can run simultaneously:

START RSM1 ECTSO TSO1
START RSM1 ECTSO TSO2
START RSM1 ECTSO TSO3

Security policy rule configuration

Rules are defined in a PDS or PDSE. An INDEX member defines the details of the rules available and when they should be executed. The INDEX member can also define allowlist entries, that is, certain users, jobs or system entities excluded from specific tests.

INDEX member

The INDEX member contains a table of rule definitions. The following definitions are supported:

Defaults
    Defaults to apply to all rules

Rule
    Specific rule definition

Allowlist
    Allowlist table

Default definitions

The Defaults definition specifies settings that are applied as default values to every rule. If required, you can override the default values in each individual rule definition.

You can define only one Defaults table in the INDEX member. The following keywords are supported:

Defaults
    Start of Defaults table

Startup Yes | No
    Default for whether rules are executed at Security Policy Manager startup

Frequency n Seconds | n Minutes | n Hours | n Days
    Default frequency at which rules are executed, in seconds, minutes, hours, or days

Category category
    Default category, up to 15 characters

Example of a Defaults definition

* SPM Compliance Rules Defaults
Defaults
Frequency 24 hours
Startup No
Category DEFCAT

Rule definition

A rule definition defines a specific rule. You can define multiple rule definitions in the INDEX member. The following keywords are supported:

Rule memberName
    Start of a new rule definition; memberName is the member that contains the associated SQL or REXX command

Startup Yes | No
    Determines whether this rule is executed at Security Policy Manager startup. If omitted, the value defined in the Defaults table is used.

Frequency n Seconds | n Minutes | n Hours | n Days
    Frequency at which the rule is executed, in seconds, minutes, hours, or days. If omitted, the value defined in the Defaults table is used.

Category category
    Category assigned to this rule, up to 15 characters. If omitted, the value defined in the Defaults table is used.

Reference reference
    Reference for the rule, up to 15 characters. You can use the reference as a cross-check to a standards document.

Description description
    Description of the rule, up to 127 characters

ESMType RACF | TSS | ACF2
    Specific ESM type that is required to run the rule. If the value of ESMType (RACF, TSS, or ACF2) does not match the ESM of the system, the rule is ignored. With SPE2107 applied, support for ACF2 is available.

Alias alias esm1 esm2 (SPE2201)
    Another name for a rule (usually a DISA STIG rule) that has been renamed but whose content has not changed.

    If the rule applies to only one or two ESMs, indicate which ones apply: RACF, TSS, or ACF2. If the rule applies to all ESMs, do not specify an ESM. The ESM indication is for internal purposes only and does not affect rule processing.

    Important: If a rule definition uses an Alias keyword, all other keywords (such as Startup, Frequency, and ESMType) are ignored.

    Example: If DS1000 is the new name for rule DS99, code DS99 as usual, and then add the following rule definition:

    Rule DS1000
      Alias DS99

Examples of rule definitions

* SPM Compliance Rules
Rule R0000001
Frequency 24 hours
Startup Yes
Category APFCAT
Reference 1.1a
Description Look for APF datasets with UACC(READ)
ESMType RACF

Rule R0000002
Startup Yes
Category TCPCAT
Reference 1.2a
Description TCP/IP stacks without Low Ports restricted
ESMType RACF
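To check an INDEX member before it goes into the rules PDS, the following script (an added example, not part of BMC AMI Security Policy Manager) parses the Defaults and Rule definitions described above, fills omitted keywords from the Defaults table, and reports the constraints the page states: the field lengths, the Frequency format, and that an Alias definition ignores every other keyword. It assumes keywords are case-insensitive and separated from their value by a blank; the sample INDEX text is constructed.

```python
import re  # added example, not BMC code; keyword matching is assumed to be case-insensitive

KEYWORDS = {k.upper(): k for k in ("Defaults", "Rule", "Startup", "Frequency",
                                    "Category", "Reference", "Description", "ESMType", "Alias")}
FREQ_RE = re.compile(r"^\d+ (seconds|minutes|hours|days)$", re.I)  # n Seconds|Minutes|Hours|Days
MAX_LEN = {"Category": 15, "Reference": 15, "Description": 127}      # limits stated on the page

def resolve(rule, defaults):
    name = rule["Rule"]
    if "Alias" in rule:  # with Alias, every other keyword in the definition is ignored
        errs = [f"{name}: {k} ignored because of Alias" for k in sorted(set(rule) - {"Rule", "Alias"})]
        return {"Rule": name, "Alias": rule["Alias"]}, errs
    eff = {k: v for k, v in defaults.items() if k in ("Startup", "Frequency", "Category")}
    eff.update(rule)  # keywords coded on the rule override the Defaults table
    errs = [f"{name}: {k} exceeds {n} characters" for k, n in MAX_LEN.items() if len(eff.get(k, "")) > n]
    if "Frequency" in eff and not FREQ_RE.match(eff["Frequency"]):
        errs.append(f"{name}: Frequency must be 'n Seconds|Minutes|Hours|Days'")
    return eff, errs

def lint_index(text):
    """Parse the text of an INDEX member; return (effective_rules, errors)."""
    defaults, rules, errors, cur = {}, [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("*"):  # an asterisk in column 1 marks a comment
            continue
        kw, _, val = raw.strip().partition(" ")
        kw, val = KEYWORDS.get(kw.upper()), val.strip()
        if kw == "Defaults":
            cur = defaults  # the page allows one Defaults table; a duplicate is not detected here
        elif kw == "Rule":
            rules.append(cur := {"Rule": val})
        elif kw is None or cur is None:
            errors.append(f"line {n}: unexpected {raw.strip()!r}")
        else:
            cur[kw] = val
    results = [resolve(r, defaults) for r in rules]
    return [eff for eff, _ in results], errors + [m for _, errs in results for m in errs]

SAMPLE_INDEX = """* constructed sample INDEX member (not from a real system); R0000002 breaks two constraints
Defaults
Frequency 24 hours
Category DEFCAT
Rule R0000001
Startup Yes
Rule R0000002
Frequency 30 fortnights
Category THIS_CATEGORY_IS_TOO_LONG
Rule DS1000
Alias DS99
Startup Yes"""
```

Running `lint_index(SAMPLE_INDEX)` shows R0000001 inheriting Frequency and Category from the Defaults table, two findings for R0000002, and a note that Startup on DS1000 is ignored because of its Alias.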

Rule members

The rule member can contain two types of statement:

  • An SQL SELECT string to select records from the Security Policy Manager database that do not comply with the rule being executed.
  • A REXX procedure and parameters to be executed.

You can define a rule over multiple lines. You can use an asterisk ( * ) in column 1 to add comments.

SQL rules must terminate with a semicolon ( ; ). Only one SELECT or WITH statement is permitted per rule.

You must prefix REXX procedures with the constant REXX followed by the procedure name and any arguments to be passed.

Examples of rule members

* Compliance Rule X00001
SELECT * from mvscommands WHERE userid <> OPERATOR ;
* Compliance Rule X00002
REXX RX002 DSN=SYS1,TYPE=SMF

For details about the SQL tables and columns that can be used for queries, see Database-tables-and-columns-for-RACF or Database-tables-and-columns-for-TSS.
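The following function (an added example, not BMC code) applies the rule member conventions above to the text of one member: it drops comment lines with an asterisk in column 1, joins a rule coded over several lines, recognizes the REXX prefix, and for SQL checks that exactly one SELECT or WITH statement is present and terminated by a semicolon. The sample members are constructed, modelled on the page's examples, and the statement count assumes no semicolons inside string literals.

```python
# Added example, not BMC code: classify one rule member as SQL or REXX and check
# the conventions stated on this page for that member type.

def check_rule_member(text):
    """Return (kind, errors) for the text of one rule member; kind is 'SQL', 'REXX' or None."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("*")]
    body = " ".join(lines)  # a rule may be coded over several lines
    if not body:
        return None, ["empty rule member"]
    words = body.split()
    if words[0].upper() == "REXX":  # REXX <procedure> [arguments]
        return "REXX", [] if len(words) >= 2 else ["REXX keyword without a procedure name"]
    errors = []
    if not body.endswith(";"):
        errors.append("SQL rule must terminate with a semicolon")
    # Count statements by splitting on ';' (assumes no ';' inside string literals).
    stmts = [s.strip() for s in body.rstrip(";").split(";") if s.strip()]
    if len(stmts) != 1:
        errors.append(f"{len(stmts)} statements found; only one SELECT or WITH is permitted")
    elif not stmts[0].upper().startswith(("SELECT", "WITH")):
        errors.append("SQL rule must be a single SELECT or WITH statement")
    return "SQL", errors

# Constructed rule members modelled on the page's examples; X00003 and X00004 are deliberately wrong.
SAMPLE_MEMBERS = {
    "X00001": "* Compliance Rule X00001\nSELECT * from mvscommands\n  WHERE userid <> OPERATOR ;",
    "X00002": "* Compliance Rule X00002\nREXX RX002 DSN=SYS1,TYPE=SMF",
    "X00003": "SELECT * from mvscommands",
    "X00004": "SELECT 1 ; SELECT 2 ;",
}

def check_all(members=SAMPLE_MEMBERS):
    """Return {member: (kind, errors)} for every rule member in the dictionary."""
    return {name: check_rule_member(text) for name, text in members.items()}
```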