Compliance testing


The compliance testing feature of BMC AMI Security Policy Manager periodically analyzes your system and security settings for compliance with a set of rules. The feature already contains some rules, but you can define additional ones consistent with your organization's security policies.

You can define the frequency of rule evaluation. You can also set rules to execute automatically when specified system events occur. Or, you can run rules manually by command or from the browser interface.

The feature generates reports, which you can opt to receive, that document instances of compliance and non-compliance with the rules.


Security policy rule configuration

Rules are defined in a PDS or PDSE. An INDEX member defines the details of the rules available and when they should be executed. The INDEX member can also define allowlist entries, that is, certain users, jobs, or system entities that are excluded from specific tests.

INDEX member

The INDEX member contains a table of rule definitions. The following definitions are supported:

Defaults
    Defaults to apply to all rules

Rule
    Specific rule definition

Allowlist
    Allowlist table

Default definitions

The Defaults definition defines settings that are applied as default values to all other rules. If required, you can override the default values in each individual rule definition.

You can define only one Defaults table in the INDEX member. The following keywords are supported:

Defaults
    Start of the Defaults table

Startup Yes | No
    Default for whether rules are to be executed at SPM startup

Frequency n Seconds | n Minutes | n Hours | n Days
    Default frequency at which the rule is executed, in seconds, minutes, hours, or days

Category category
    Default category, up to 15 characters

Example of a Defaults definition

* SPM Compliance Rules Defaults
Defaults
Frequency 24 hours
Startup No
Category DEFCAT

Rule definition

A rule definition defines a specific rule. You can define multiple rule definitions in the INDEX member. The following keywords are supported:

Rule memberName
    Start of a new rule definition and the member name that contains the associated SQL or REXX command

Startup Yes | No
    Determines whether this rule should be executed at SPM startup
    If omitted, the value defined in the Defaults table is used.

Frequency n Seconds | n Minutes | n Hours | n Days
    Frequency at which the rule is executed, in seconds, minutes, hours, or days
    If omitted, the value defined in the Defaults table is used.

Category category
    Category assigned to this rule, up to 15 characters
    If omitted, the value defined in the Defaults table is used.

Reference reference
    Reference for the rule, up to 15 characters
    You can use the reference as a cross-check to a standards document.

Description description
    Description of the rule, up to 127 characters

ESMType RACF | TSS | ACF2
    Specific ESM type that is required to run the rule
    If the value of ESMType (RACF, TSS, or ACF2) does not match the ESM of the system, the rule is ignored.

Version version
    (SPE2501) Version of the supported compliance rule

    Examples:
    Rule DS109
      Version Base
    Rule DS223649
      Version 9.0

Examples of rule definitions

* SPM Compliance Rules
Rule MVS00001
  Startup   Yes
  Frequency 24 hours
  Category  MVS
  Reference MVS.1
  Priority  1
  Version   Base
  ESMType   RACF
  Description Protecting z/OS Master Catalogs

Rule DS223649
  Startup   Yes
  Frequency 24 hours
  Category  DISA STIG
  Reference V-223649
  Priority  1
  Version   9.0
  ESMType   RACF
  Description Write or greater access to SYS1.NUCLEUS must be limited to system programmers only

Allowlists

(SPE2501) You can use allowlists to exclude specific entries that are authorized to access secure resources from Compliance reports, thereby reducing false positives. Allowlists are created in the Compliance rule index member as follows:

Allowlist allowlist-type
id-1    description
id-2    description
.
.
id-n    description

A compliance rule reads a specific allowlist by its allowlist-type and excludes the entries it contains from the compliance report.

For example, Compliance Rule MVS00001 reports users who have access to the Master Catalog data set. MVS00001 also uses allowlist type SYSPROG to exclude authorized users from the report.

Hence, you can exclude authorized users with access to the Master Catalog data set from the report by adding their user IDs to the SYSPROG allowlist, as illustrated in the following code block:

Allowlist SYSPROG
  X000002       SYSPROG user id
  X000003       SYSPROG user id

RacfGroup parameter

Instead of listing individual user IDs, you can specify a RACF group in the allowlist so that all user IDs connected to that group are covered. To do this, use the RacfGroup parameter in the allowlist. In the preceding example, a group SGROUP can be defined in RACF and the users X000002 and X000003 can be connected to this group. The allowlist is then defined as follows:

Allowlist SYSPROG
  RacfGroup     SGROUP  sysprogs

For information about allowlists that are used in various compliance rules, see Allowlists-and-compliance-rules.
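As an added example (not code from BMC or from this page), the following Python reads an INDEX member in the layout described under Rule definition and Allowlists above, applies the Defaults table to each rule, drops rules whose ESMType does not match the running ESM, converts Frequency to seconds, and flags Category, Reference and Description values over the stated limits. The sample member and the function names are constructed assumptions, useful as a pre-deployment lint of your own INDEX member.

```python
SAMPLE_INDEX = """\
* Constructed sample INDEX member in the layout the page describes (not a real SPM member)
Defaults
  Frequency 24 hours
  Startup No
Rule MVS00001
  Startup Yes
  ESMType RACF
Rule TSS00001
  Frequency 30 minutes
  Reference THIS-REFERENCE-IS-TOO-LONG
  ESMType TSS
Allowlist SYSPROG
  X000002       SYSPROG user id
  RacfGroup     SGROUP  sysprogs
"""
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
MAX_LEN = {"Category": 15, "Reference": 15, "Description": 127}  # field limits stated on the page

def parse_index(text):
    """Split an INDEX member into its Defaults dict, Rule dicts and Allowlist entries."""
    defaults, rules, allowlists, target = {}, [], {}, None
    for line in (l for l in text.splitlines() if l.strip() and not l.startswith("*")):
        key, value = (line.split(None, 1) + [""])[:2]      # keyword, then the rest of the line
        if key == "Defaults":
            target = defaults
        elif key == "Rule":
            rules.append({"Rule": value}); target = rules[-1]
        elif key == "Allowlist":
            allowlists[value] = []; target = allowlists[value]
        elif isinstance(target, list):                     # allowlist entry: user id or RacfGroup
            target.append(("group", value.split()[0]) if key == "RacfGroup" else ("user", key))
        elif target is not None:                           # keyword inside Defaults or a Rule
            target[key] = value
    return defaults, rules, allowlists

def frequency_seconds(spec):
    n, unit = spec.split()                                 # 'n Seconds|Minutes|Hours|Days'
    return int(n) * UNIT_SECONDS[unit.lower().rstrip("s")] # malformed values raise here

def effective_rules(text, system_esm):
    """Merge Defaults into each Rule, drop rules whose ESMType differs, flag over-length fields."""
    defaults, rules, _ = parse_index(text)
    out = []
    for merged in ({**defaults, **r} for r in rules):
        if merged.get("ESMType", system_esm).upper() == system_esm.upper():  # mismatch: ignored
            merged["interval_s"] = frequency_seconds(merged["Frequency"])
            merged["too_long"] = [k for k, n in MAX_LEN.items() if len(merged.get(k, "")) > n]
            out.append(merged)
    return out
```

Running it against the constructed member shows the rule-level Startup overriding the default, the TSS-only rule disappearing on a RACF system, and the over-length Reference being flagged.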

Rule members

The rule member can contain two types of statement:

  • An SQL SELECT string to select records from the SPM database that do not comply with the rule being executed.
  • A REXX procedure and parameters to be executed.

You can define a rule over multiple lines. You can use an asterisk ( * ) in column 1 to add comments.

SQL rules must terminate with a semicolon ( ; ). Only one SELECT or WITH statement is permitted per rule.

You must prefix REXX procedures with the constant REXX followed by the procedure name and any arguments to be passed.

Examples of rule members

* Compliance Rule X00001
SELECT * FROM mvscommands WHERE userid <> 'OPERATOR' ;
* Compliance Rule X00002
REXX RX002 DSN=SYS1,TYPE=SMF

For details about the SQL tables and columns that can be used for queries, see Database-tables-and-columns-for-RACF or Database-tables-and-columns-for-TSS.
