
Get Started Carla

This document provides examples of using CARLa, the reporting engine in IBM Security zSecure, to customize security reports. It demonstrates how to generate reports on groups, format reports and select specific user profiles. It also shows how to automate account administration tasks like identifying inactive accounts and generating RACF commands. Additional references and training are provided to help users learn CARLa reporting.

IBM Security zSecure Suite: Getting started with CARLa

White Paper
July 2011

Ori Pomerantz
orip@us.ibm.com
© Copyright IBM Corp. 2011. All Rights Reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP
Schedule Contract with IBM Corp.
IBM, the IBM logo, and ibm.com are trademarks of International Business Machines Corp.,
registered in many jurisdictions worldwide. Other product and service names might be trademarks of
IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and
trademark information” at www.ibm.com/legal/copytrade.shtml.
Trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other
countries.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications
Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon,
Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation
or its subsidiaries in the United States and other countries.
Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in
the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government
Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle
and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States,
other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM
Corp. and Quantum in the U.S. and other countries.
The information contained in this publication is provided for informational purposes only. While
efforts were made to verify the completeness and accuracy of the information contained in this
publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this
information is based on IBM’s current product plans and strategy, which are subject to change by
IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or
otherwise related to, this publication or any other materials. Nothing contained in this publication is
intended to, nor shall have the effect of, creating any warranties or representations from IBM or its
suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software.
References in this publication to IBM products, programs, or services do not imply that they will be
available in all countries in which IBM operates. Product release dates and/or capabilities referenced
in this presentation may change at any time at IBM’s sole discretion based on market opportunities
or other factors, and are not intended to be a commitment to future product or feature availability in
any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or
implying that any activities undertaken by you will result in any specific sales, revenue growth,
savings or other results.
Table of contents

Introduction
  Acknowledgements
  Audience

1 Running CARLa Reports

2 Reporting on groups
  2.1 Report
  2.2 Explanation
  2.3 Result

3 Formatting and selecting specific profiles
  3.1 Report
  3.2 Explanation
  3.3 Result

4 Reporting fields from multiple profile segments
  4.1 Report
  4.2 Explanation
  4.3 Result

5 Reporting fields from multiple profiles
  5.1 Report
  5.2 Explanation
  5.3 Result

6 Creating reports that use ISPF
  6.1 Report
  6.2 Explanation
  6.3 Result

7 Learning from system reports

8 Automating administration
  8.1 Selecting the current state as input
  8.2 Identifying inactive accounts
    8.2.1 Report
    8.2.2 Explanation
  8.3 Creating the RACF commands
    8.3.1 Report
    8.3.2 Explanation
  8.4 Running the RACF commands

References
  Guides
  Training



IV • IBM Security zSecure Suite: Getting started with CARLa ©Copyright IBM Corp. 2011


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
Introduction
CARLa is the main reporting engine that is used within IBM Security zSecure. This white
paper shows you how to customize reports within IBM Security zSecure to ease auditing
and administration for central security personnel.

For more information about this subject, see the Redbook z/OS Mainframe Security Audit
Management using IBM Tivoli zSecure, Appendix B.

Additional information is available in chapters 12 and 13 of IBM Security zSecure Admin
and Audit for RACF. If you do not have access to the IBM network to obtain a copy of this
book, send an email to tivzos@us.ibm.com.

The best method to learn CARLa is to take the class, IBM Tivoli zSecure CARLa Auditing
and Reporting Language (TK231). This white paper is intended as a stop-gap measure to
help professionals who have not had the opportunity to take the class yet.

Acknowledgements
I would like to acknowledge the help of Tom Zeehandelaar and Mark Hahn in writing this
white paper. Any remaining errors are my own.

Audience
This paper is for implementers, auditors, and administrators who use zSecure to produce
security-related reports.





IBM Tivoli White Paper

1 Running CARLa Reports


Follow these steps to run a CARLa report:
1. Start the IBM Security zSecure user interface.
2. Type CO to run CARLa commands.
3. Type C to type a command and run it immediately.
4. Type a CARLa report in the multiline text area. An example of a report is in the
next section.
5. Enter the command GO.
6. After you see the report output, press F3 twice to return to the report area.

Tip: You can see a demonstration of these steps in an IBM Education Assistant module that is
available at the following website:

http://publib.boulder.ibm.com/infocenter/ieduasst/tivv1r0/index.jsp?topic=/com.ibm.iea.zsec/zsec/1.11/audit/run_carla_report/run_carla_report_viewlet_swf.html




2 Reporting on groups
This section shows a simple report with all the entities of a particular type, in this case,
groups.

2.1 Report
To report on groups, run this CARLa report:

    newlist type=RACF
    select class=group segment=base
    sortlist key connects

2.2 Explanation
To interpret the report, look at each line in turn.

    newlist type=RACF

This line tells the CARLa interpreter to start a new report. This line also indicates that the
report is based on RACF information.

    select class=group segment=base

This line selects a group report. By default, a CARLa RACF report contains one line for
each segment of each profile of the selected type. Here, segment=base specifies that only
base segments are selected, so each group is displayed once even if it has multiple segments.

By default, reports show all the entities of a particular type.

    sortlist key connects

The list includes the following fields, in this order:

• key: The name of each profile.
• connects: The users connected to each group. This field includes the user ID, the
user authorization level to the group, any special authorizations, and additional
fields.




2.3 Result
The resulting report contains groups and the users within them, similar to Figure 1.

Figure 1: Groups and connected users report




3 Formatting and selecting specific profiles
In this section, you learn how to format reports. You also learn how to select specific
profiles instead of producing a full report on all the entities of a particular type.

3.1 Report
This CARLa report shows you how to select specific profiles and how to format the output.

    newlist type=RACF tt='top title',
            title='Second line title, which can be longer'
    select class=group segment=base mask=om*
    sortlist creadate key(8,'GroupID')

Note: Most of this report is identical to the previous one. The parts in bold are new.

3.2 Explanation
This is the explanation of the CARLa code:

    newlist type=RACF tt='top title',
            title='Second line title, which can be longer'

The comma specifies that the next value is still part of the newlist line.

    select class=group segment=base mask=om*

This line selects a group report. The mask keyword limits the groups to those groups whose
names start with OM.

    sortlist creadate key(8,'GroupID')

The list is sorted by group creation date, followed by the key. The key is displayed in eight
characters (space padded if there are fewer than eight characters), and the column is titled
GroupID.




3.3 Result
The resulting report is similar to Figure 2, if your system has any groups that start with OM.

Figure 2: Second group report




4 Reporting fields from multiple profile segments
In this section, you learn to combine fields from multiple segments of the same profile.

4.1 Report
This CARLa report shows how to combine fields from multiple segments of the same
profile:

    newlist type=RACF
    select class=user segment=omvs uid>0
    sortlist uid(5) key(8) :tcommand

4.2 Explanation
This is the explanation of the CARLa code:

    newlist type=RACF
    select class=user segment=omvs uid>0

This report displays user information. The segment=omvs specifies to the CARLa
interpreter to search for information in the OMVS segment of the user profile. This segment
contains information related to the UNIX subsystem. The uid>0 restricts the report to users
with a UNIX UID of more than zero (those users who do not have root permissions).

    sortlist uid(5) key(8) :tcommand

This line specifies the information included in the report: the UNIX user ID, the z/OS user
ID, and :tcommand. The colon (:) specifies that the field searched is in a different segment.
The tcommand field is the default TSO command, part of the TSO segment.




4.3 Result
If you have users with OMVS accounts, your result is similar to Figure 3. As you can see,
the command field is not an OMVS command, but a TSO command.

Figure 3: User report that uses multiple segments




5 Reporting fields from multiple profiles
In this section, you learn to combine fields from different profiles.

5.1 Report
This CARLa code shows how to combine fields from different profiles.

    newlist type=RACF
    select class=dataset segment=base
    sortlist key(20,'DS profile') creadate(10,'DS date'),
             owner owner:creadate(10,'Owner date')

5.2 Explanation
This is the explanation of the CARLa code:

    newlist type=RACF
    select class=dataset segment=base

This report displays information from data set profiles.

    sortlist key(20,'DS profile') creadate(10,'DS date'),

The profile name in this report is 20 characters long. Longer profile names are truncated.

             owner owner:creadate(10,'Owner date')

The owner is the user or group that owns the data set profile. This value is part of the data
set profile. The value, owner:creadate, is the creation date of that owner profile. You can
use the same syntax (owner:<field>) to specify other fields. For example, owner:uid gives
the OMVS user ID of the owner, in case it is a user with an OMVS segment.




5.3 Result
In this report, you see the data set profiles in the RACF database, their creation dates, the
names of their owners, and the creation dates of the owner profiles. An example is shown
in Figure 4.

Figure 4: Report that uses information from multiple profiles




6 Creating reports that use ISPF


In this section, you learn to create reports that use ISPF. These reports show a summary,
and users can expand lines to see additional details.

6.1 Report
This CARLa report shows how to create a report that uses ISPF.

    newlist type=RACF
    select class=dataset segment=base
    display key(20,'DS profile') creadate(10,'DS date'),
            owner(detail) owner:creadate(10,'Owner date',detail)

6.2 Explanation
This is the explanation of the CARLa code:

    newlist type=RACF
    select class=dataset segment=base
    display key(20,'DS profile') creadate(10,'DS date'),

The display command creates an ISPF report.

            owner(detail) owner:creadate(10,'Owner date',detail)

The detail display modifier in a display command specifies fields that belong in the detail
screen when the user selects a specific entry.




6.3 Result
The initial result contains only the data set profile name and the creation date, as shown in
Figure 5.

Figure 5: ISPF report

To view the details for a particular data set profile (in this case, the owner and the owner
creation date), type S beside that profile. This action gives a details report, similar to Figure
6.

Figure 6: ISPF report detail




7 Learning from system reports


One method to learn programming languages is to look at existing programs. The zSecure
user interface contains several CARLa programs. In this section, you learn how to view the
CARLa code for existing reports.

First, create a report. If the report is in print format, press F3 to view the results panel. If it
is in ISPF format, press F3 and type the command results to view the results panel. Then,
select to view the COMMANDS file. It contains the CARLa code that produced the report,
as shown in Figure 7.

Figure 7: CARLa for a system report about general resource profiles

Note: Keywords can be shortened in CARLa. For example, line 7 is equivalent to this line:

    select class=general and segment=base




8 Automating administration
In addition to producing reports, CARLa can produce commands to automate various
administrative tasks. This section shows how to automatically disable unused accounts.

8.1 Selecting the current state as input


With zSecure, you can produce reports on the current state or on historical data. To produce
commands that relate to the current state, follow these steps:
1. Type the command =SE.1 to specify the source of information for zSecure.
2. Type S beside the active backup RACF database. Type U beside any other input
files that are currently selected.

Tip: You can use the primary RACF database. However, in many installations the backup
database is preferable.




8.2 Identifying inactive accounts

8.2.1 Report
To identify inactive accounts, run this CARLa report:

    newlist type=RACF nopage
    select class=user last_connect_date<TODAY-90 not(revoked),
           segment=base
    list key

8.2.2 Explanation
This is the explanation of the CARLa code:
• nopage: This keyword instructs CARLa not to produce page titles, column titles,
page numbers, and other formatting characters.
• last_connect_date<TODAY-90: This expression restricts the user list to those
users who have not connected in the last 90 days.
• not(revoked): This expression restricts the list to users who are not currently
revoked.
• segment=base: This value is for looking only at the base segments of user
profiles. Otherwise, the report includes inactive users multiple times, one for
every segment in the profile.
• list: This command produces an unsorted list, in contrast to sortlist. Not sorting
saves the processing cost of sorting the list. The list command also suppresses the
column titles and page numbers, leaving only the report title, which is suppressed
here by nopage.




8.3 Creating the RACF commands

8.3.1 Report
The RACF command to revoke a user is:

    altuser <user ID> revoke

This report generates these commands:

    newlist type=RACF nopage file=ckrcmd
    select class=user last_connect_date<TODAY-90 not(revoked),
           segment=base
    list "altuser" key(0) "revoke"

8.3.2 Explanation
This is the explanation of the CARLa code:
• file=ckrcmd: Sends the output to CKRCMD, the default command file created by
CARLa.
• "altuser" and "revoke": These strings are displayed in the output unchanged.

• key(0): This keyword specifies the profile key, the user ID, without any padding
with spaces. Padding improves readability for human tasks, but it is not useful for
RACF commands.
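
Because the generated file is executed as written, it is worth checking its contents before running it. The following Python sketch is an added example, not part of the white paper or of zSecure: it assumes the CKRCMD contents have been copied to a text string, and the sample lines and the protected-ID list are constructed for illustration.

```python
import re

# RACF user IDs: 1-8 characters from A-Z, 0-9 and the national characters # $ @.
USERID_RE = re.compile(r"[A-Z0-9#$@]{1,8}")

# Constructed sample of CKRCMD contents; lines 4-6 are deliberately wrong.
SAMPLE_CKRCMD = """\
altuser JSMITH revoke
altuser OMVSKERN revoke
altuser BATCH01 revoke
altuser JSMITH revoke
altuser TOOLONGUSERID revoke
deluser MJONES
"""

# Hypothetical site list of IDs that must not be revoked without a human decision.
PROTECTED = frozenset({"IBMUSER", "OMVSKERN"})


def review_commands(text, protected=PROTECTED):
    """Sort generated lines into approved, held (protected) and rejected."""
    approved, held, rejected = [], [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        # Only the exact form produced by the report is accepted.
        if (len(parts) != 3 or parts[0].lower() != "altuser"
                or parts[2].lower() != "revoke"):
            rejected.append((lineno, line, "unexpected command"))
            continue
        userid = parts[1].upper()
        if not USERID_RE.fullmatch(userid):
            rejected.append((lineno, line, "invalid user ID"))
        elif userid in protected:
            held.append(userid)
        elif userid in approved:
            rejected.append((lineno, line, "duplicate"))
        else:
            approved.append(userid)
    return {"approved": approved, "held": held, "rejected": rejected}


def render(approved):
    """Rebuild the command text from the approved IDs only."""
    return "\n".join(f"altuser {userid} revoke" for userid in approved)


if __name__ == "__main__":
    result = review_commands(SAMPLE_CKRCMD)
    print("approved:", result["approved"])
    print("held for manual review:", result["held"])
    for lineno, line, reason in result["rejected"]:
        print(f"rejected line {lineno}: {line!r} ({reason})")
    print(render(result["approved"]))
```
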




8.4 Running the RACF commands


Generate and run the RACF commands using these steps:
1. Run the CARLa report. The result is a list of commands.

2. Press F3. The commands are in CKRCMD. Type R beside CKRCMD to run the
commands.




3. The commands run as if you typed them manually from the TSO command line.
The output is captured in a data set.




References

Guides
• z/OS Mainframe Security and Audit Management using IBM Tivoli zSecure,
Appendix B

http://www.redbooks.ibm.com/redbooks/SG247633/wwhelp/wwhimpl/js/html/wwhelp.htm

• IBM Security zSecure Admin and Audit for RACF, chapters 12 and 13

If you do not have access to the IBM network, email tivzos@us.ibm.com.

Training
• IBM Tivoli zSecure CARLa Auditing and Reporting Language (TK231)

http://www-304.ibm.com/jct03001c/services/learning/ites.wss/us/en?pageType=course_description&courseCode=TK231


