Re: How to determine if Enhanced HOLDDATA received?
Classification: Confidential That is the case. -Original Message- From: IBM Mainframe Discussion List On Behalf Of Seymour J Metz Sent: Thursday, January 19, 2023 8:31 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? [CAUTION: This Email is from outside the Organization. Unless you trust the sender, Don't click links or open attachments as it may be a Phishing email, which can steal your Information and compromise your Computer.] Doesn't the process for security/integrity violations include creating an APAR? If so, shouldn't any PTF with hold class SECINT also have an ERROR hold with the relevant APAR number? -- Shmuel (Seymour J.) Metz https://apc01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fmason.gmu.edu%2F~smetz3&data=05%7C01%7Callan.staller%40HCL.COM%7Cbbe8856c15974c25baf908dafa29cdce%7C189de737c93a4f5a8b686f4ca9941912%7C0%7C0%7C638097354710102895%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=gKR8MBto9LVN5k%2BtJZzYX36lJaDtrhjKarwLkap0CS4%3D&reserved=0 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Kurt J. Quackenbush [ku...@us.ibm.com] Sent: Thursday, January 19, 2023 8:54 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? > Is it possible for a PTF to have no hold except the SECINT? That is to ask, > is it likely that a PTF introducing a security issue could be applied because > there is no HOLD(ERROR) or even a HOLD(ACTION) which could inform that there > is a SECINT for the PFT? In theory, yes. In practice, I'm not sure. But I think your question reinforces the benefit of registering for the IBM Z Security Portal and regularly obtaining the HOLDDDATA. Kurt Quackenbush IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com Chuck Norris never uses CHECK when he applies PTFs. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ::DISCLAIMER:: The contents of this e-mail and any attachment(s) are confidential and intended for the named recipient(s) only. E-mail transmission is not guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or may contain viruses in transmission. The e mail and its contents (with or without referred errors) shall therefore not attach any liability on the originator or HCL or its affiliates. Views or opinions, if any, presented in this email are solely those of the author and may not necessarily reflect the views or opinions of HCL or its affiliates. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and / or publication of this message without the prior written consent of authorized representative of HCL is strictly prohibited. If you have received this email in error please delete it and notify the sender immediately. Before opening any email and/or attachments, please check them for viruses and other defects. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
I would assume that a lot of that service predates the SECINT hold class, and a source of SECINT was better than nothing. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Tom Marchant [000a2a8c2020-dmarc-requ...@listserv.ua.edu] Sent: Thursday, January 19, 2023 6:26 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? There are many ERROR holds in the Enhanced Holddata against Function SYSMODs. I believe that this is done when the error is in the function, as opposed to being introduced by a PTF. Perhaps these days it is unusual for a SECINT error to be introduced by a PTF, but if it was, I would expect the SECINT hold to be against that PTF. -- Tom Marchant On Thu, 19 Jan 2023 21:01:46 -, Patrick Loftus wrote: >The holddata for SECINT looks like below. Note the function SYSMOD, not PTF >SYSMOD ID: >++ HOLD(HSMA230) FMID(HSMA230) REASON(BHx) ERROR DATE(yyddd) > > COMMENT(SMRTDATA(FIX(UIx) SYMP(B5.9,T5.7) > > CHGDT(yyddd))) CLASS(SECINT). > >++ HOLD(HSMA240) FMID(HSMA240) REASON(CHx) ERROR DATE(yyddd) > > COMMENT(SMRTDATA(FIX(UIx) SYMP(B5.9,T5.7) > > CHGDT(yyddd))) CLASS(SECINT). > >++ HOLD(HSMA230) FMID(HSMA230) REASON(BHx) ERROR DATE(yyddd) > > COMMENT(SMRTDATA(FIX(UIx) SYMP(B7.5,T7.2) > > CHGDT(yyddd))) CLASS(SECINT). > >++ HOLD(HSMA240) FMID(HSMA240) REASON(CHx) ERROR DATE(yyddd) > > COMMENT(SMRTDATA(FIX(UIx) SYMP(B7.5,T7.2) > > CHGDT(yyddd))) CLASS(SECINT). > >++ HOLD(HSMA220) FMID(HSMA220) REASON(AHx) ERROR DATE(yyddd) > > COMMENT(SMRTDATA(FIX(UIx) SYMP(B7.5,T7.2) > > CHGDT(yyddd))) CLASS(SECINT). >Etc etc > >This is unlike the normal full holddata, which can be the PTF SYSMOD ID's: >++HOLD(UJ09068) FMID(HBB77B0) REASON(BA64026) ERROR DATE(22314) > > COMMENT(SMRTDATA(CHGDT(221110))) CLASS(PE). > > >The optional SECINT ASSIGNS file, which you don't have to download, look >like this: >++ ASSIGN SOURCEID(SECINT) TO(UIx). > >++ ASSIGN SOURCEID(SECINT) TO(UIx). > >++ ASSIGN SOURCEID(SECINT) TO(UIx). > >++ ASSIGN SOURCEID(SECINT) TO(UIx). > >++ ASSIGN SOURCEID(SECINT) TO(UJx). > >++ ASSIGN SOURCEID(SECINT) TO(UJx). > >++ ASSIGN SOURCEID(SECINT) TO(UJx). > >++ ASSIGN SOURCEID(SECINT) TO(UJx). >Etc etc >In the example from Dave Jousma, with the APPLY SOURCEID(SECINT), I believe >this would only work if you've also obtained the ASSIGN file from Resource >Link too. > >When you run the REPORT ERRSYSMODS report, for SECINT HOLD CLASS it will the >"SYSMOD NAME" as the FMID ID, which is different to a "normal" HOLD which >lists the PTF SYSMOD. >Made up example:: >HOLD SYSMOD APAR ---RESOLVING SYSMOD HOLDHOLD >FMID NAME NUMBER NAMESTATUS RECEIVED CLASS SYMPTOMS >HMJ4102 UW31189 AN80203 UW32213 GOOD YESPE >HSMA230 HSMA230 AHx UIx GOOD YESSECINT -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
There are many ERROR holds in the Enhanced Holddata against Function SYSMODs. I believe that this is done when the error is in the function, as opposed to being introduced by a PTF. Perhaps these days it is unusual for a SECINT error to be introduced by a PTF, but if it was, I would expect the SECINT hold to be against that PTF. -- Tom Marchant On Thu, 19 Jan 2023 21:01:46 -, Patrick Loftus wrote: >The holddata for SECINT looks like below. Note the function SYSMOD, not PTF >SYSMOD ID: >++ HOLD(HSMA230) FMID(HSMA230) REASON(BHx) ERROR DATE(yyddd) > > COMMENT(SMRTDATA(FIX(UIx) SYMP(B5.9,T5.7) > > CHGDT(yyddd))) CLASS(SECINT). > >++ HOLD(HSMA240) FMID(HSMA240) REASON(CHx) ERROR DATE(yyddd) > > COMMENT(SMRTDATA(FIX(UIx) SYMP(B5.9,T5.7) > > CHGDT(yyddd))) CLASS(SECINT). > >++ HOLD(HSMA230) FMID(HSMA230) REASON(BHx) ERROR DATE(yyddd) > > COMMENT(SMRTDATA(FIX(UIx) SYMP(B7.5,T7.2) > > CHGDT(yyddd))) CLASS(SECINT). > >++ HOLD(HSMA240) FMID(HSMA240) REASON(CHx) ERROR DATE(yyddd) > > COMMENT(SMRTDATA(FIX(UIx) SYMP(B7.5,T7.2) > > CHGDT(yyddd))) CLASS(SECINT). > >++ HOLD(HSMA220) FMID(HSMA220) REASON(AHx) ERROR DATE(yyddd) > > COMMENT(SMRTDATA(FIX(UIx) SYMP(B7.5,T7.2) > > CHGDT(yyddd))) CLASS(SECINT). >Etc etc > >This is unlike the normal full holddata, which can be the PTF SYSMOD ID's: >++HOLD(UJ09068) FMID(HBB77B0) REASON(BA64026) ERROR DATE(22314) > > COMMENT(SMRTDATA(CHGDT(221110))) CLASS(PE). > > >The optional SECINT ASSIGNS file, which you don't have to download, look >like this: >++ ASSIGN SOURCEID(SECINT) TO(UIx). > >++ ASSIGN SOURCEID(SECINT) TO(UIx). > >++ ASSIGN SOURCEID(SECINT) TO(UIx). > >++ ASSIGN SOURCEID(SECINT) TO(UIx). > >++ ASSIGN SOURCEID(SECINT) TO(UJx). > >++ ASSIGN SOURCEID(SECINT) TO(UJx). > >++ ASSIGN SOURCEID(SECINT) TO(UJx). > >++ ASSIGN SOURCEID(SECINT) TO(UJx). >Etc etc >In the example from Dave Jousma, with the APPLY SOURCEID(SECINT), I believe >this would only work if you've also obtained the ASSIGN file from Resource >Link too. > >When you run the REPORT ERRSYSMODS report, for SECINT HOLD CLASS it will the >"SYSMOD NAME" as the FMID ID, which is different to a "normal" HOLD which >lists the PTF SYSMOD. >Made up example:: >HOLD SYSMOD APAR ---RESOLVING SYSMOD HOLDHOLD >FMID NAME NUMBER NAMESTATUS RECEIVED CLASS SYMPTOMS >HMJ4102 UW31189 AN80203 UW32213 GOOD YESPE >HSMA230 HSMA230 AHx UIx GOOD YESSECINT -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
The holddata for SECINT looks like below. Note the function SYSMOD, not PTF SYSMOD ID: ++ HOLD(HSMA230) FMID(HSMA230) REASON(BHx) ERROR DATE(yyddd) COMMENT(SMRTDATA(FIX(UIx) SYMP(B5.9,T5.7) CHGDT(yyddd))) CLASS(SECINT). ++ HOLD(HSMA240) FMID(HSMA240) REASON(CHx) ERROR DATE(yyddd) COMMENT(SMRTDATA(FIX(UIx) SYMP(B5.9,T5.7) CHGDT(yyddd))) CLASS(SECINT). ++ HOLD(HSMA230) FMID(HSMA230) REASON(BHx) ERROR DATE(yyddd) COMMENT(SMRTDATA(FIX(UIx) SYMP(B7.5,T7.2) CHGDT(yyddd))) CLASS(SECINT). ++ HOLD(HSMA240) FMID(HSMA240) REASON(CHx) ERROR DATE(yyddd) COMMENT(SMRTDATA(FIX(UIx) SYMP(B7.5,T7.2) CHGDT(yyddd))) CLASS(SECINT). ++ HOLD(HSMA220) FMID(HSMA220) REASON(AHx) ERROR DATE(yyddd) COMMENT(SMRTDATA(FIX(UIx) SYMP(B7.5,T7.2) CHGDT(yyddd))) CLASS(SECINT). Etc etc This is unlike the normal full holddata, which can be the PTF SYSMOD ID's: ++HOLD(UJ09068) FMID(HBB77B0) REASON(BA64026) ERROR DATE(22314) COMMENT(SMRTDATA(CHGDT(221110))) CLASS(PE). The optional SECINT ASSIGNS file, which you don't have to download, look like this: ++ ASSIGN SOURCEID(SECINT) TO(UIx). ++ ASSIGN SOURCEID(SECINT) TO(UIx). ++ ASSIGN SOURCEID(SECINT) TO(UIx). ++ ASSIGN SOURCEID(SECINT) TO(UIx). ++ ASSIGN SOURCEID(SECINT) TO(UJx). ++ ASSIGN SOURCEID(SECINT) TO(UJx). ++ ASSIGN SOURCEID(SECINT) TO(UJx). ++ ASSIGN SOURCEID(SECINT) TO(UJx). Etc etc In the example from Dave Jousma, with the APPLY SOURCEID(SECINT), I believe this would only work if you've also obtained the ASSIGN file from Resource Link too. When you run the REPORT ERRSYSMODS report, for SECINT HOLD CLASS it will the "SYSMOD NAME" as the FMID ID, which is different to a "normal" HOLD which lists the PTF SYSMOD. Made up example:: HOLD SYSMOD APAR ---RESOLVING SYSMOD HOLDHOLD FMID NAME NUMBER NAMESTATUS RECEIVED CLASS SYMPTOMS HMJ4102 UW31189 AN80203 UW32213 GOOD YESPE HSMA230 HSMA230 AHx UIx GOOD YESSECINT Regards Patrick -Original Message- From: IBM Mainframe Discussion List On Behalf Of Seymour J Metz Sent: 19 January 2023 16:13 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? We may be talking at cross purposes here; I'm concerned about the hold class SECINT, not the source with the same name. The SECINT hold is on the PTF with the exposure, not the PTF correcting it. LIST HOLDDATA HOLDERROR. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Dave Jousma [01a0403c5dc1-dmarc-requ...@listserv.ua.edu] Sent: Thursday, January 19, 2023 10:55 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? On Thu, 19 Jan 2023 15:30:07 +, Seymour J Metz wrote: >I'm concerned with the SMP side of things; as long as a PTF is correctly flagged as PE, I don't care about the APAR unless there is a reason to bypass. > > >-- >Shmuel (Seymour J.) Metz >http://mason.gmu.edu/~smetz3 > I cannot say for sure if that is the case or not. When doing a maintenance cycle, I'll pull the list from RL, and run an apply check/apply specific to SECINT to satisfy audit requirements that we are applying vulnerability fixes. APPLY SOURCEID ( SECINT ) GROUPEXTEND ( NOAPARS NOUSERMODS ) BYPASS ( HOLDSYSTEM ) NOJCLINREPORT RETRY( YES ) My last time was a week ago, and I was surprised at the number that needed to go on to my pretty current V2.5 zone. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UI83571. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09625. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09744. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UO02058. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UO02059. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UI83640. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09561. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09564. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09567. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09570. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09665. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09697. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09698. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09729. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UI83424. Spot checking the first one, It was not fixing a ERR
Re: How to determine if Enhanced HOLDDATA received?
? The reason id for SECINT is the APAR number in the REASON parameter; SECINT is not a reason id. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Dave Jousma [01a0403c5dc1-dmarc-requ...@listserv.ua.edu] Sent: Thursday, January 19, 2023 12:00 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? On Thu, 19 Jan 2023 16:37:28 +, Seymour J Metz wrote: >"SECINT > The reason ID SYSMOD identifies a fix for a security or integrity error. > HOLDDATA for security > or integrity fixes is available through the z Systems Security Portal. > Information on registration > and accessing the z Systems Security Portal is available at Enterprise > security > (https://nam11.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.ibm.com%2F&data=05%7C01%7Csmetz3%40gmu.edu%7C7982809cc8d84ae0087e08dafa3ec533%7C9e857255df574c47a0c00546460380cb%7C0%7C0%7C638097444756138021%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3BHP8smFDwX1Pxjp2Gz3WNl%2FzfdmQJ4dla2gN%2BIvJhs%3D&reserved=0 > systems/z/solutions/enterprise-security.html). If you are already > registered you can link directly > to the IBM Resource Link� Security Alerts. " > > >-- Might be a SMPE doc problem? IBM is documenting a reason ID in the Class section. I see that here: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ibm.com%2Fdocs%2Fen%2Fzos%2F2.5.0%3Ftopic%3Dstatements-hold-mcs&data=05%7C01%7Csmetz3%40gmu.edu%7C7982809cc8d84ae0087e08dafa3ec533%7C9e857255df574c47a0c00546460380cb%7C0%7C0%7C638097444756138021%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=w271F5xT1xbeM8b6tr8h5ArxItYgAP6t567auKhfq3c%3D&reserved=0 which documents as your said: CLASS a 1- to 7-character string indicating an alternative reason to release an exception SYSMOD for processing. A class name is specified along with a reason ID to identify a condition when the reason ID need not be resolved. The same class name can be specified on any number of ++HOLD statements in any number of SYSMODs. These are the specific values currently used by IBM: Class Explanation ERREL The SYSMOD is held for an error reason ID but should be installed anyway. IBM has determined that the problem the SYSMOD resolves is significantly more critical than the error reflected by the holding APAR. HIPER The SYSMOD is held with a hold class of HIPER (High Impact) PE The SYSMOD is held with a hold class of “PTF in Error”. SECINT The reason ID SYSMOD identifies a fix for a security or integrity error. HOLDDATA for security or integrity fixes is available through the z Systems Security Portal. Information on registration and accessing the z Systems Security Portal is available at Enterprise security. If you are already registered you can link directly to the IBM Resource Link® Security Alerts. UCLREL UCLIN needed for the SYSMOD has been handled by IBM and no longer requires your attention. YR2000 Identifies PTFs that provide Year 2000 function, or fix a Year 2000-related problem. For additional information, see Naming conventions for HOLD reason IDs and HOLD classes. and the note at the bottom of that section takes you here: https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ibm.com%2Fdocs%2Fen%2Fzos%2F2.5.0%3Ftopic%3Dclasses-class-values&data=05%7C01%7Csmetz3%40gmu.edu%7C7982809cc8d84ae0087e08dafa3ec533%7C9e857255df574c47a0c00546460380cb%7C0%7C0%7C638097444756138021%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ux0aRAuMpHSJBkrN4NzorkXqBeRvmHsmg7MjF35BNWs%3D&reserved=0. And there is no mention of SECINT as a CLASS. Which doc is correct? I believe the latter. We are getting in the weeds here, and I'm done with the back and forth. The description above indicates SECINT is placed on the PTF that does the fix, and I believe that is incorrect as well. In prior post, i gave an example of PTF UI83571 that has SECINT SOURCEID from the RL ASSIGN download and receive. I see nothing on this PTF besides that, and I believe that is by design from IBM. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
On 1/19/2023 7:55 AM, Itschak Mugzach wrote: Another issue is that IBM does disclose such information on IBM I (AS/400). That's interesting! I had (wrongly) assumed their methodology was the same across those two platforms. What about P? -- Phoenix Software International Edward E. Jaffe 831 Parkview Drive North El Segundo, CA 90245 https://www.phoenixsoftware.com/ This e-mail message, including any attachments, appended messages and the information contained therein, is for the sole use of the intended recipient(s). If you are not an intended recipient or have otherwise received this email message in error, any use, dissemination, distribution, review, storage or copying of this e-mail message and the information contained therein is strictly prohibited. If you are not an intended recipient, please contact the sender by reply e-mail and destroy all copies of this email message and do not otherwise utilize or retain this email message or any or all of the information contained therein. Although this email message and any attachments or appended messages are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by the sender for any loss or damage arising in any way from its opening or use. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
An ASSIGN statement assigns a source-id, not a class. -- Tom Marchant On Thu, 19 Jan 2023 11:22:44 -0600, Dave Jousma wrote: >I'll correct myself. i normally just download the ASSIGN file and receive >that. I took a peek at the HOLDDATA file on RL and the sample PTF is in >there. However, that class will only assigned if you get the data from RL >which was my original point. > >++ HOLD(HSMA250) FMID(HSMA250) REASON(AH50369) ERROR DATE(22355) > > COMMENT(SMRTDATA(FIX(UI83571) SYMP(B7.5,T7.2) > > CHGDT(221221))) CLASS(SECINT). > >-- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
The CLASS is on the ++HOLD, not on the ++PTF. The reference that Shmuel included had been updated relatively recently to include SECINT. It was not there in the SMP/E V3R6 manual. Perhaps the other reference to hold classes was not updated inadvertently. Or perhaps they don't intend that a user use BYPASS HOILDCLASS(SECINT). SECINT would not be a reason-id on a HOLD ERROR. The reason-id on a HOLD ERROR is an APAR number, and a PTF is applied with another PTF that SUPs the reason-id of the hold for that PTF. I tried to find information about PTF UI83571 and wasn't able to find anything. I guess that the PTFs that resolve SECINTs are also not documented -- Tom Marchant On Thu, 19 Jan 2023 11:00:52 -0600, Dave Jousma wrote: >On Thu, 19 Jan 2023 16:37:28 +, Seymour J Metz wrote: > >>"SECINT >> The reason ID SYSMOD identifies a fix for a security or integrity error. >> HOLDDATA for security >> or integrity fixes is available through the z Systems Security Portal. >> Information on registration >> and accessing the z Systems Security Portal is available at Enterprise >> security (www.ibm.com/ >> systems/z/solutions/enterprise-security.html). If you are already >> registered you can link directly >> to the IBM Resource Link� Security Alerts. " >> >> >>-- > >Might be a SMPE doc problem? IBM is documenting a reason ID in the Class >section. I see that here: >https://www.ibm.com/docs/en/zos/2.5.0?topic=statements-hold-mcs which >documents as your said: > >CLASS >a 1- to 7-character string indicating an alternative reason to release an >exception SYSMOD for processing. A class name is specified along with a reason >ID to identify a condition when the reason ID need not be resolved. The same >class name can be specified on any number of ++HOLD statements in any number >of SYSMODs. >These are the specific values currently used by IBM: >Class >Explanation >ERREL >The SYSMOD is held for an error reason ID but should be installed anyway. IBM >has determined that the problem the SYSMOD resolves is significantly more >critical than the error reflected by the holding APAR. >HIPER >The SYSMOD is held with a hold class of HIPER (High Impact) >PE >The SYSMOD is held with a hold class of “PTF in Error”. >SECINT >The reason ID SYSMOD identifies a fix for a security or integrity error. >HOLDDATA for security or integrity fixes is available through the z Systems >Security Portal. Information on registration and accessing the z Systems >Security Portal is available at Enterprise security. If you are already >registered you can link directly to the IBM Resource Link® Security Alerts. >UCLREL >UCLIN needed for the SYSMOD has been handled by IBM and no longer requires >your attention. >YR2000 >Identifies PTFs that provide Year 2000 function, or fix a Year 2000-related >problem. >For additional information, see Naming conventions for HOLD reason IDs and >HOLD classes. > >and the note at the bottom of that section takes you here: >https://www.ibm.com/docs/en/zos/2.5.0?topic=classes-class-values. And there >is no mention of SECINT as a CLASS. Which doc is correct? I believe the >latter. > >We are getting in the weeds here, and I'm done with the back and forth. The >description above indicates SECINT is placed on the PTF that does the fix, and >I believe that is incorrect as well. In prior post, i gave an example of PTF >UI83571 that has SECINT SOURCEID from the RL ASSIGN download and receive. I >see nothing on this PTF besides that, and I believe that is by design from >IBM. > >-- >For IBM-MAIN subscribe / signoff / archive access instructions, >send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
On Thu, 19 Jan 2023 11:00:52 -0600, Dave Jousma wrote: > >Might be a SMPE doc problem? IBM is documenting a reason ID in the Class >section. I see that here: >https://www.ibm.com/docs/en/zos/2.5.0?topic=statements-hold-mcs which >documents as your said: > >CLASS >a 1- to 7-character string indicating an alternative reason to release an >exception SYSMOD for processing. A class name is specified along with a reason >ID to identify a condition when the reason ID need not be resolved. The same >class name can be specified on any number of ++HOLD statements in any number >of SYSMODs. >These are the specific values currently used by IBM: >Class >Explanation >ERREL >The SYSMOD is held for an error reason ID but should be installed anyway. IBM >has determined that the problem the SYSMOD resolves is significantly more >critical than the error reflected by the holding APAR. >HIPER >The SYSMOD is held with a hold class of HIPER (High Impact) >PE >The SYSMOD is held with a hold class of “PTF in Error”. >SECINT >The reason ID SYSMOD identifies a fix for a security or integrity error. >HOLDDATA for security or integrity fixes is available through the z Systems >Security Portal. Information on registration and accessing the z Systems >Security Portal is available at Enterprise security. If you are already >registered you can link directly to the IBM Resource Link® Security Alerts. >UCLREL >UCLIN needed for the SYSMOD has been handled by IBM and no longer requires >your attention. >YR2000 >Identifies PTFs that provide Year 2000 function, or fix a Year 2000-related >problem. >For additional information, see Naming conventions for HOLD reason IDs and >HOLD classes. > >and the note at the bottom of that section takes you here: >https://www.ibm.com/docs/en/zos/2.5.0?topic=classes-class-values. And there >is no mention of SECINT as a CLASS. Which doc is correct? I believe the >latter. > >We are getting in the weeds here, and I'm done with the back and forth. The >description above indicates SECINT is placed on the PTF that does the fix, and >I believe that is incorrect as well. In prior post, i gave an example of PTF >UI83571 that has SECINT SOURCEID from the RL ASSIGN download and receive. I >see nothing on this PTF besides that, and I believe that is by design from >IBM. I'll correct myself. i normally just download the ASSIGN file and receive that. I took a peek at the HOLDDATA file on RL and the sample PTF is in there. However, that class will only assigned if you get the data from RL which was my original point. ++ HOLD(HSMA250) FMID(HSMA250) REASON(AH50369) ERROR DATE(22355) COMMENT(SMRTDATA(FIX(UI83571) SYMP(B7.5,T7.2) CHGDT(221221))) CLASS(SECINT). -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
On Thu, 19 Jan 2023 16:37:28 +, Seymour J Metz wrote: >"SECINT > The reason ID SYSMOD identifies a fix for a security or integrity error. > HOLDDATA for security > or integrity fixes is available through the z Systems Security Portal. > Information on registration > and accessing the z Systems Security Portal is available at Enterprise > security (www.ibm.com/ > systems/z/solutions/enterprise-security.html). If you are already > registered you can link directly > to the IBM Resource Link� Security Alerts. " > > >-- Might be a SMPE doc problem? IBM is documenting a reason ID in the Class section. I see that here: https://www.ibm.com/docs/en/zos/2.5.0?topic=statements-hold-mcs which documents as your said: CLASS a 1- to 7-character string indicating an alternative reason to release an exception SYSMOD for processing. A class name is specified along with a reason ID to identify a condition when the reason ID need not be resolved. The same class name can be specified on any number of ++HOLD statements in any number of SYSMODs. These are the specific values currently used by IBM: Class Explanation ERREL The SYSMOD is held for an error reason ID but should be installed anyway. IBM has determined that the problem the SYSMOD resolves is significantly more critical than the error reflected by the holding APAR. HIPER The SYSMOD is held with a hold class of HIPER (High Impact) PE The SYSMOD is held with a hold class of “PTF in Error”. SECINT The reason ID SYSMOD identifies a fix for a security or integrity error. HOLDDATA for security or integrity fixes is available through the z Systems Security Portal. Information on registration and accessing the z Systems Security Portal is available at Enterprise security. If you are already registered you can link directly to the IBM Resource Link® Security Alerts. UCLREL UCLIN needed for the SYSMOD has been handled by IBM and no longer requires your attention. YR2000 Identifies PTFs that provide Year 2000 function, or fix a Year 2000-related problem. For additional information, see Naming conventions for HOLD reason IDs and HOLD classes. and the note at the bottom of that section takes you here: https://www.ibm.com/docs/en/zos/2.5.0?topic=classes-class-values. And there is no mention of SECINT as a CLASS. Which doc is correct? I believe the latter. We are getting in the weeds here, and I'm done with the back and forth. The description above indicates SECINT is placed on the PTF that does the fix, and I believe that is incorrect as well. In prior post, i gave an example of PTF UI83571 that has SECINT SOURCEID from the RL ASSIGN download and receive. I see nothing on this PTF besides that, and I believe that is by design from IBM. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
"SECINT The reason ID SYSMOD identifies a fix for a security or integrity error. HOLDDATA for security or integrity fixes is available through the z Systems Security Portal. Information on registration and accessing the z Systems Security Portal is available at Enterprise security (www.ibm.com/ systems/z/solutions/enterprise-security.html). If you are already registered you can link directly to the IBM Resource Link® Security Alerts. " -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Dave Jousma [01a0403c5dc1-dmarc-requ...@listserv.ua.edu] Sent: Thursday, January 19, 2023 11:27 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? On Thu, 19 Jan 2023 16:13:06 +, Seymour J Metz wrote: >We may be talking at cross purposes here; I'm concerned about the hold class >SECINT, not the source with the same name. The SECINT hold is on the PTF with >the exposure, not the PTF correcting it. > > LIST HOLDDATA HOLDERROR. > > Maybe. I just ran this report on my global zone for V2.4 and V2.5 and there are no SECINT references. I dont believe SECINT is a valid Hold CLASS -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
On Thu, 19 Jan 2023 16:13:06 +, Seymour J Metz wrote: >We may be talking at cross purposes here; I'm concerned about the hold class >SECINT, not the source with the same name. The SECINT hold is on the PTF with >the exposure, not the PTF correcting it. > > LIST HOLDDATA HOLDERROR. > > Maybe. I just ran this report on my global zone for V2.4 and V2.5 and there are no SECINT references. I dont believe SECINT is a valid Hold CLASS -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
We may be talking at cross purposes here; I'm concerned about the hold class SECINT, not the source with the same name. The SECINT hold is on the PTF with the exposure, not the PTF correcting it. LIST HOLDDATA HOLDERROR. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Dave Jousma [01a0403c5dc1-dmarc-requ...@listserv.ua.edu] Sent: Thursday, January 19, 2023 10:55 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? On Thu, 19 Jan 2023 15:30:07 +, Seymour J Metz wrote: >I'm concerned with the SMP side of things; as long as a PTF is correctly >flagged as PE, I don't care about the APAR unless there is a reason to bypass. > > >-- >Shmuel (Seymour J.) Metz >http://mason.gmu.edu/~smetz3 > I cannot say for sure if that is the case or not. When doing a maintenance cycle, I'll pull the list from RL, and run an apply check/apply specific to SECINT to satisfy audit requirements that we are applying vulnerability fixes. APPLY SOURCEID ( SECINT ) GROUPEXTEND ( NOAPARS NOUSERMODS ) BYPASS ( HOLDSYSTEM ) NOJCLINREPORT RETRY( YES ) My last time was a week ago, and I was surprised at the number that needed to go on to my pretty current V2.5 zone. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UI83571. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09625. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09744. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UO02058. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UO02059. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UI83640. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09561. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09564. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09567. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09570. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09665. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09697. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09698. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09729. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UI83424. Spot checking the first one, It was not fixing a ERROR PTF. Entry Type: SYSMOD Zone Name: GLOBAL Entry Name: UI83571 Zone Type: GLOBAL Description: Type:PTF Status: FMID: Date/Time: 23.003 08:42:37 REC - SREL Z038 FMID HSMA250 PRE UI83116 SUP AH50369 DH50369 SOURCEID ORD00052 PUT2212 SECINT -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
The funny thing is that IBM only hides the reason. I am able to identify ptfs that are SECINT programmatically, but I would like to get the CVE factors. Another issue is that IBM does disclose such information on IBM I (AS/400). ITschak *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* On Thu, Jan 19, 2023 at 5:47 PM Seymour J Metz wrote: > ideally there would be holds for both PE and SECINT classes, each with the > APAR number in the REASON. That way even if you don't have access to SECENT > you can tell that there is an error. My question was whether the public > HOLDDATA included PE for any PTF with SECINT. > > > -- > Shmuel (Seymour J.) Metz > http://mason.gmu.edu/~smetz3 > > > From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf > of Tom Marchant [000a2a8c2020-dmarc-requ...@listserv.ua.edu] > Sent: Thursday, January 19, 2023 10:34 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: How to determine if Enhanced HOLDDATA received? > > Wouldn't a hold with CLASS(SECINT) be an ERROR hold? > > -- > Tom Marchant > > On Thu, 19 Jan 2023 14:30:38 +, Seymour J Metz wrote: > > >Doesn't the process for security/integrity violations include creating an > APAR? If so, shouldn't any PTF with hold class SECINT also have an ERROR > hold with the relevant APAR number? > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
On Thu, 19 Jan 2023 15:30:07 +, Seymour J Metz wrote: >I'm concerned with the SMP side of things; as long as a PTF is correctly >flagged as PE, I don't care about the APAR unless there is a reason to bypass. > > >-- >Shmuel (Seymour J.) Metz >http://mason.gmu.edu/~smetz3 > I cannot say for sure if that is the case or not. When doing a maintenance cycle, I'll pull the list from RL, and run an apply check/apply specific to SECINT to satisfy audit requirements that we are applying vulnerability fixes. APPLY SOURCEID ( SECINT ) GROUPEXTEND ( NOAPARS NOUSERMODS ) BYPASS ( HOLDSYSTEM ) NOJCLINREPORT RETRY( YES ) My last time was a week ago, and I was surprised at the number that needed to go on to my pretty current V2.5 zone. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UI83571. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09625. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09744. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UO02058. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UO02059. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UI83640. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09561. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09564. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09567. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09570. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09665. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09697. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09698. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UJ09729. GIM22701IAPPLY PROCESSING WAS SUCCESSFUL FOR SYSMOD UI83424. Spot checking the first one, It was not fixing a ERROR PTF. Entry Type: SYSMOD Zone Name: GLOBAL Entry Name: UI83571 Zone Type: GLOBAL Description: Type:PTF Status: FMID: Date/Time: 23.003 08:42:37 REC - SREL Z038 FMID HSMA250 PRE UI83116 SUP AH50369 DH50369 SOURCEID ORD00052 PUT2212 SECINT -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
ideally there would be holds for both PE and SECINT classes, each with the APAR number in the REASON. That way even if you don't have access to SECENT you can tell that there is an error. My question was whether the public HOLDDATA included PE for any PTF with SECINT. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Tom Marchant [000a2a8c2020-dmarc-requ...@listserv.ua.edu] Sent: Thursday, January 19, 2023 10:34 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? Wouldn't a hold with CLASS(SECINT) be an ERROR hold? -- Tom Marchant On Thu, 19 Jan 2023 14:30:38 +, Seymour J Metz wrote: >Doesn't the process for security/integrity violations include creating an >APAR? If so, shouldn't any PTF with hold class SECINT also have an ERROR hold >with the relevant APAR number? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Wouldn't a hold with CLASS(SECINT) be an ERROR hold? -- Tom Marchant On Thu, 19 Jan 2023 14:30:38 +, Seymour J Metz wrote: >Doesn't the process for security/integrity violations include creating an >APAR? If so, shouldn't any PTF with hold class SECINT also have an ERROR hold >with the relevant APAR number? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
I'm concerned with the SMP side of things; as long as a PTF is correctly flagged as PE, I don't care about the APAR unless there is a reason to bypass. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Dave Jousma [01a0403c5dc1-dmarc-requ...@listserv.ua.edu] Sent: Thursday, January 19, 2023 9:51 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? On Thu, 19 Jan 2023 14:30:38 +, Seymour J Metz wrote: >Doesn't the process for security/integrity violations include creating an >APAR? If so, shouldn't any PTF with hold class SECINT also have an ERROR hold >with the relevant APAR number? > > >-- >Shmuel (Seymour J.) Metz >http://mason.gmu.edu/~smetz3 > APARS are created, but for customers, APARS associated with a SECINT flagged PTF result in “Document not found” when following the links. IBM doesn’t publish the APAR’s associated with SECINT fixes. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
On Thu, 19 Jan 2023 14:30:38 +, Seymour J Metz wrote: >Doesn't the process for security/integrity violations include creating an >APAR? If so, shouldn't any PTF with hold class SECINT also have an ERROR hold >with the relevant APAR number? > > >-- >Shmuel (Seymour J.) Metz >http://mason.gmu.edu/~smetz3 > APARS are created, but for customers, APARS associated with a SECINT flagged PTF result in “Document not found” when following the links. IBM doesn’t publish the APAR’s associated with SECINT fixes. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Doesn't the process for security/integrity violations include creating an APAR? If so, shouldn't any PTF with hold class SECINT also have an ERROR hold with the relevant APAR number? -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of Kurt J. Quackenbush [ku...@us.ibm.com] Sent: Thursday, January 19, 2023 8:54 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? > Is it possible for a PTF to have no hold except the SECINT? That is to ask, > is it likely that a PTF introducing a security issue could be applied because > there is no HOLD(ERROR) or even a HOLD(ACTION) which could inform that there > is a SECINT for the PFT? In theory, yes. In practice, I'm not sure. But I think your question reinforces the benefit of registering for the IBM Z Security Portal and regularly obtaining the HOLDDDATA. Kurt Quackenbush IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com Chuck Norris never uses CHECK when he applies PTFs. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
> Is it possible for a PTF to have no hold except the SECINT? That is to ask, > is it likely that a PTF introducing a security issue could be applied because > there is no HOLD(ERROR) or even a HOLD(ACTION) which could inform that there > is a SECINT for the PFT? In theory, yes. In practice, I'm not sure. But I think your question reinforces the benefit of registering for the IBM Z Security Portal and regularly obtaining the HOLDDDATA. Kurt Quackenbush IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com Chuck Norris never uses CHECK when he applies PTFs. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
> how can I determine if such holddata was receive or not? Using just SMP/E I suppose the only way is to list all of the HOLDDATA in the global zone and search for any with CLASS(SECINT). You can use LIST HOLDDATA HOLDERROR then search the output. This won't show you when HOLDDATA was received or from where, just what was received into the global zone at some time in the past. Using z/OSMF Software Management you can use the Software Instance -> Maintenance Report -> Missing Critical Service action. This is very much like the SMP/E REPORT ERRSYSMODS command and will tell you if there are any uninstalled HIPER, PE, and SECINT fixes based on the HOLDDATA received into the global zone. It will also show you the last date and time when any HOLDDATA was received. The last date is information not accessible through SMP/E direct interfaces. Kurt Quackenbush IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com Chuck Norris never uses CHECK when he applies PTFs. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
If you do a cross zone query against the SYSMOD name of the FMID (e.g. HRF77B0), then select the GLOBAL zone, then "L" for HOLDDATA, you will see all the SECINT class holds if they are there. If they've also received the SECINT assign statements, there will also be SYSMODs with a SOURCEID of SECINT. Regards -Original Message- From: IBM Mainframe Discussion List On Behalf Of Itschak Mugzach Sent: 18 January 2023 20:00 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? Kurt, As one the do not run apply check, how can I determine if such holddata was receive or not? I believe that second holddata is relatively rare so if one receives holddata, how can we determine the source for it? I respect the decision who can access the data, but I need to understand if the client received such holddata or not during security assessment ITschk בתאריך יום ד׳, 18 בינו׳ 2023 ב-21:34 מאת Kurt J. Quackenbush < ku...@us.ibm.com>: > HOLDDATA with CLASS(SECINT) is only available on the IBM Z Security Portal. > > Who can and cannot obtain access to the IBM Z Security Portal is > documented in this FAQ: https://ibm.biz/security-portal-faq. > > In short, from the FAQ, "the Security Portal is for IBM clients that > have a licensed IBM Z or LinuxONE mainframe. It is not intended for > users of emulators, such as zPDT, zRD&T, etc. using the z/OS ADCD or z/VM > ADCD." > So, a vendor that also has a license can obtain access. No license? > No access. And I am only a messenger on this topic. > > Kurt Quackenbush > IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com > > Chuck Norris never uses CHECK when he applies PTFs. > > >> Do you have access to security portal? the information I am looking > >> for are only available there. I was told by IBM that as a vendor, I > >> can't get access to it. See below for details about the cvss info: > >> The HOLDDATA available from the IBM Z and LinuxONE Security Portal > >> adds a new HOLD CLASS, SECINT, and the HOLD SYMPTOMS contains the > >> CVSS Base and Temporal scores. > > > I am surprised to hear IBM would take a position like that. It seems > almost inconceivable that large vendors like BMC and Broadcom are > locked out of the Secure Portal. > > > My experience has been that an individual working for an IBM Z > > customer, > with a manager or CISO that will vouch for them, can get access. > > > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, send > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
I think that if there is a problem with a ptf then a holddata item be present. List some sort of error, like an abend or even just 'incorrect results in obscure cases'. On Wed, Jan 18, 2023 at 2:11 PM Gibney, Dave <03b5261cfd78-dmarc-requ...@listserv.ua.edu> wrote: > > Is it possible for a PTF to have no hold except the SECINT? That is to ask, > is it likely that a PTF introducing a security issue could be applied because > there is no HOLD(ERROR) or even a HOLD(ACTION) which could inform that there > is a SECINT for the PFT? > > > -Original Message- > > From: IBM Mainframe Discussion List On > > Behalf Of Kurt J. Quackenbush > > Sent: Wednesday, January 18, 2023 11:34 AM > > To: IBM-MAIN@LISTSERV.UA.EDU > > Subject: Re: How to determine if Enhanced HOLDDATA received? > > > > [EXTERNAL EMAIL] > > > > HOLDDATA with CLASS(SECINT) is only available on the IBM Z Security Portal. > > > > Who can and cannot obtain access to the IBM Z Security Portal is > > documented in this FAQ: > > https://urldefense.com/v3/__https://ibm.biz/security-portal- > > faq__;!!JmPEgBY0HMszNaDT!udnBZoAidHBU- > > nmJaQ0x_rAqjr3sKY3itcxgjYC4xq2ba2WcWInaZ1FXSydmPoc_MhkB6e- > > IHCxU$ . > > > > In short, from the FAQ, "the Security Portal is for IBM clients that have a > > licensed IBM Z or LinuxONE mainframe. It is not intended for users of > > emulators, such as zPDT, zRD&T, etc. using the z/OS ADCD or z/VM ADCD." > > So, a vendor that also has a license can obtain access. No license? No > > access. > > And I am only a messenger on this topic. > > > > Kurt Quackenbush > > IBM | z/OS SMP/E and z/OSMF Software Management > > | ku...@us.ibm.com > > > > Chuck Norris never uses CHECK when he applies PTFs. > > > > >> Do you have access to security portal? the information I am looking > > >> for are only available there. I was told by IBM that as a vendor, I > > >> can't get access to it. See below for details about the cvss info: > > >> The HOLDDATA available from the IBM Z and LinuxONE Security Portal > > >> adds a new HOLD CLASS, SECINT, and the HOLD SYMPTOMS contains the > > CVSS > > >> Base and Temporal scores. > > > > > I am surprised to hear IBM would take a position like that. It seems > > > almost > > inconceivable that large vendors like BMC and Broadcom are locked out of > > the Secure Portal. > > > > > My experience has been that an individual working for an IBM Z customer, > > with a manager or CISO that will vouch for them, can get access. > > > > > > > > -- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- Mike A Schwab, Springfield IL USA Where do Forest Rangers go to get away from it all? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Is it possible for a PTF to have no hold except the SECINT? That is to ask, is it likely that a PTF introducing a security issue could be applied because there is no HOLD(ERROR) or even a HOLD(ACTION) which could inform that there is a SECINT for the PFT? > -Original Message- > From: IBM Mainframe Discussion List On > Behalf Of Kurt J. Quackenbush > Sent: Wednesday, January 18, 2023 11:34 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: How to determine if Enhanced HOLDDATA received? > > [EXTERNAL EMAIL] > > HOLDDATA with CLASS(SECINT) is only available on the IBM Z Security Portal. > > Who can and cannot obtain access to the IBM Z Security Portal is > documented in this FAQ: > https://urldefense.com/v3/__https://ibm.biz/security-portal- > faq__;!!JmPEgBY0HMszNaDT!udnBZoAidHBU- > nmJaQ0x_rAqjr3sKY3itcxgjYC4xq2ba2WcWInaZ1FXSydmPoc_MhkB6e- > IHCxU$ . > > In short, from the FAQ, "the Security Portal is for IBM clients that have a > licensed IBM Z or LinuxONE mainframe. It is not intended for users of > emulators, such as zPDT, zRD&T, etc. using the z/OS ADCD or z/VM ADCD." > So, a vendor that also has a license can obtain access. No license? No > access. > And I am only a messenger on this topic. > > Kurt Quackenbush > IBM | z/OS SMP/E and z/OSMF Software Management > | ku...@us.ibm.com > > Chuck Norris never uses CHECK when he applies PTFs. > > >> Do you have access to security portal? the information I am looking > >> for are only available there. I was told by IBM that as a vendor, I > >> can't get access to it. See below for details about the cvss info: > >> The HOLDDATA available from the IBM Z and LinuxONE Security Portal > >> adds a new HOLD CLASS, SECINT, and the HOLD SYMPTOMS contains the > CVSS > >> Base and Temporal scores. > > > I am surprised to hear IBM would take a position like that. It seems almost > inconceivable that large vendors like BMC and Broadcom are locked out of > the Secure Portal. > > > My experience has been that an individual working for an IBM Z customer, > with a manager or CISO that will vouch for them, can get access. > > > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Kurt, As one the do not run apply check, how can I determine if such holddata was receive or not? I believe that second holddata is relatively rare so if one receives holddata, how can we determine the source for it? I respect the decision who can access the data, but I need to understand if the client received such holddata or not during security assessment ITschk בתאריך יום ד׳, 18 בינו׳ 2023 ב-21:34 מאת Kurt J. Quackenbush < ku...@us.ibm.com>: > HOLDDATA with CLASS(SECINT) is only available on the IBM Z Security Portal. > > Who can and cannot obtain access to the IBM Z Security Portal is > documented in this FAQ: https://ibm.biz/security-portal-faq. > > In short, from the FAQ, "the Security Portal is for IBM clients that have > a licensed IBM Z or LinuxONE mainframe. It is not intended for users of > emulators, such as zPDT, zRD&T, etc. using the z/OS ADCD or z/VM ADCD." > So, a vendor that also has a license can obtain access. No license? No > access. And I am only a messenger on this topic. > > Kurt Quackenbush > IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com > > Chuck Norris never uses CHECK when he applies PTFs. > > >> Do you have access to security portal? the information I am looking > >> for are only available there. I was told by IBM that as a vendor, I > >> can't get access to it. See below for details about the cvss info: > >> The HOLDDATA available from the IBM Z and LinuxONE Security Portal > >> adds a new HOLD CLASS, SECINT, and the HOLD SYMPTOMS contains the CVSS > >> Base and Temporal scores. > > > I am surprised to hear IBM would take a position like that. It seems > almost inconceivable that large vendors like BMC and Broadcom are locked > out of the Secure Portal. > > > My experience has been that an individual working for an IBM Z customer, > with a manager or CISO that will vouch for them, can get access. > > > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
HOLDDATA with CLASS(SECINT) is only available on the IBM Z Security Portal. Who can and cannot obtain access to the IBM Z Security Portal is documented in this FAQ: https://ibm.biz/security-portal-faq. In short, from the FAQ, "the Security Portal is for IBM clients that have a licensed IBM Z or LinuxONE mainframe. It is not intended for users of emulators, such as zPDT, zRD&T, etc. using the z/OS ADCD or z/VM ADCD." So, a vendor that also has a license can obtain access. No license? No access. And I am only a messenger on this topic. Kurt Quackenbush IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com Chuck Norris never uses CHECK when he applies PTFs. >> Do you have access to security portal? the information I am looking >> for are only available there. I was told by IBM that as a vendor, I >> can't get access to it. See below for details about the cvss info: >> The HOLDDATA available from the IBM Z and LinuxONE Security Portal >> adds a new HOLD CLASS, SECINT, and the HOLD SYMPTOMS contains the CVSS >> Base and Temporal scores. > I am surprised to hear IBM would take a position like that. It seems almost > inconceivable that large vendors like BMC and Broadcom are locked out of the > Secure Portal. > My experience has been that an individual working for an IBM Z customer, with > a manager or CISO that will vouch for them, can get access. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Enhanced hold data does not include secint source id's as far as I know. I have to logon to resourcelink to download the list and receive that, and then apply by source ID. I guess I don't understand why isv do jot have access. Dave Jousma Vice President | Director, Technology Engineering Fifth Third Bank | 1830 East Paris Ave, SE | MD RSCB2H | Grand Rapids, MI 49546 616.653.8429 From: IBM Mainframe Discussion List on behalf of Itschak Mugzach <0305158ad67d-dmarc-requ...@listserv.ua.edu> Sent: Tuesday, January 17, 2023 6:04:25 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: Re: How to determine if Enhanced HOLDDATA received? **CAUTION EXTERNAL EMAIL** **DO NOT open attachments or click on links from unknown senders or unexpected emails** We are not at that size... and our interest is not at a specific client by a bit wider. בתאריך יום ד׳, 18 בינו׳ 2023 ב-0:33 מאת Ed Jaffe < edja...@phoenixsoftware.com>: > On 1/17/2023 1:15 PM, Itschak Mugzach wrote: > > Ed, > > Do you have access to security portal? the information I am looking for > are > > only available there. I was told by IBM that as a vendor, I can't get > > access to it. See below for details about the cvss info: > > The HOLDDATA available from the IBM Z and LinuxONE Security Portal adds a > > new HOLD CLASS, SECINT, and the HOLD SYMPTOMS contains the CVSS Base and > > Temporal scores. > > I am surprised to hear IBM would take a position like that. It seems > almost inconceivable that large vendors like BMC and Broadcom are locked > out of the Secure Portal. > > My experience has been that an individual working for an IBM Z customer, > with a manager or CISO that will vouch for them, can get access. > > > -- > Phoenix Software International > Edward E. Jaffe > 831 Parkview Drive North > El Segundo, CA 90245 > https://urldefense.com/v3/__https://www.phoenixsoftware.com/__;!!MwwqYLOC6b6whF7V!k4vwRZZ0uzFo3N-MQCi39myqS8-EbrySIm9YeIH_HcPQ-zClDsXaAgkYDgeBvlRiUX_c3uXjyLMxA9eSXg4RMAApf9RMG-iMvL8$ > > > > > This e-mail message, including any attachments, appended messages and the > information contained therein, is for the sole use of the intended > recipient(s). If you are not an intended recipient or have otherwise > received this email message in error, any use, dissemination, distribution, > review, storage or copying of this e-mail message and the information > contained therein is strictly prohibited. If you are not an intended > recipient, please contact the sender by reply e-mail and destroy all copies > of this email message and do not otherwise utilize or retain this email > message or any or all of the information contained therein. Although this > email message and any attachments or appended messages are believed to be > free of any virus or other defect that might affect any computer system > into > which it is received and opened, it is the responsibility of the recipient > to ensure that it is virus free and no responsibility is accepted by the > sender for any loss or damage arising in any way from its opening or use. > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: https://urldefense.com/v3/__http://www.Securiteam.co.il__;!!MwwqYLOC6b6whF7V!k4vwRZZ0uzFo3N-MQCi39myqS8-EbrySIm9YeIH_HcPQ-zClDsXaAgkYDgeBvlRiUX_c3uXjyLMxA9eSXg4RMAApf9RMj0WR2Lo$ **|* -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN **CAUTION EXTERNAL EMAIL** **DO NOT open attachments or click on links from unknown senders or unexpected emails** This e-mail transmission contains information that is confidential and may be privileged. It is intended only for the addressee(s) named above. If you receive this e-mail in error, please do not read, copy or disseminate it in any manner. If you are not the intended recipient, any disclosure, copying, distribution or use of the contents of this information is prohibited. Please reply to the message immediately by informing the sender that the message was misdirected. After replying, please erase it from your computer system. Your assistance in correcting this error is appreciated. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
We are not at that size... and our interest is not at a specific client by a bit wider. בתאריך יום ד׳, 18 בינו׳ 2023 ב-0:33 מאת Ed Jaffe < edja...@phoenixsoftware.com>: > On 1/17/2023 1:15 PM, Itschak Mugzach wrote: > > Ed, > > Do you have access to security portal? the information I am looking for > are > > only available there. I was told by IBM that as a vendor, I can't get > > access to it. See below for details about the cvss info: > > The HOLDDATA available from the IBM Z and LinuxONE Security Portal adds a > > new HOLD CLASS, SECINT, and the HOLD SYMPTOMS contains the CVSS Base and > > Temporal scores. > > I am surprised to hear IBM would take a position like that. It seems > almost inconceivable that large vendors like BMC and Broadcom are locked > out of the Secure Portal. > > My experience has been that an individual working for an IBM Z customer, > with a manager or CISO that will vouch for them, can get access. > > > -- > Phoenix Software International > Edward E. Jaffe > 831 Parkview Drive North > El Segundo, CA 90245 > https://www.phoenixsoftware.com/ > > > > > This e-mail message, including any attachments, appended messages and the > information contained therein, is for the sole use of the intended > recipient(s). If you are not an intended recipient or have otherwise > received this email message in error, any use, dissemination, distribution, > review, storage or copying of this e-mail message and the information > contained therein is strictly prohibited. If you are not an intended > recipient, please contact the sender by reply e-mail and destroy all copies > of this email message and do not otherwise utilize or retain this email > message or any or all of the information contained therein. Although this > email message and any attachments or appended messages are believed to be > free of any virus or other defect that might affect any computer system > into > which it is received and opened, it is the responsibility of the recipient > to ensure that it is virus free and no responsibility is accepted by the > sender for any loss or damage arising in any way from its opening or use. > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
On 1/17/2023 1:15 PM, Itschak Mugzach wrote: Ed, Do you have access to security portal? the information I am looking for are only available there. I was told by IBM that as a vendor, I can't get access to it. See below for details about the cvss info: The HOLDDATA available from the IBM Z and LinuxONE Security Portal adds a new HOLD CLASS, SECINT, and the HOLD SYMPTOMS contains the CVSS Base and Temporal scores. I am surprised to hear IBM would take a position like that. It seems almost inconceivable that large vendors like BMC and Broadcom are locked out of the Secure Portal. My experience has been that an individual working for an IBM Z customer, with a manager or CISO that will vouch for them, can get access. -- Phoenix Software International Edward E. Jaffe 831 Parkview Drive North El Segundo, CA 90245 https://www.phoenixsoftware.com/ This e-mail message, including any attachments, appended messages and the information contained therein, is for the sole use of the intended recipient(s). If you are not an intended recipient or have otherwise received this email message in error, any use, dissemination, distribution, review, storage or copying of this e-mail message and the information contained therein is strictly prohibited. If you are not an intended recipient, please contact the sender by reply e-mail and destroy all copies of this email message and do not otherwise utilize or retain this email message or any or all of the information contained therein. Although this email message and any attachments or appended messages are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by the sender for any loss or damage arising in any way from its opening or use. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Ed, Do you have access to security portal? the information I am looking for are only available there. I was told by IBM that as a vendor, I can't get access to it. See below for details about the cvss info: The HOLDDATA available from the IBM Z and LinuxONE Security Portal adds a new HOLD CLASS, SECINT, and the HOLD SYMPTOMS contains the CVSS Base and Temporal scores. *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* On Tue, Jan 17, 2023 at 10:47 PM Ed Jaffe wrote: > On 1/17/2023 11:43 AM, Gibney, Dave wrote: > > Is there still such a thing as not-enhanced holddata? > > The month.txt and year.txt HOLDDATA files do not have FIXCATs. > > Only full.txt has FIXCATs. > > -- > Phoenix Software International > Edward E. Jaffe > 831 Parkview Drive North > El Segundo, CA 90245 > https://www.phoenixsoftware.com/ > > > > > This e-mail message, including any attachments, appended messages and the > information contained therein, is for the sole use of the intended > recipient(s). If you are not an intended recipient or have otherwise > received this email message in error, any use, dissemination, distribution, > review, storage or copying of this e-mail message and the information > contained therein is strictly prohibited. If you are not an intended > recipient, please contact the sender by reply e-mail and destroy all copies > of this email message and do not otherwise utilize or retain this email > message or any or all of the information contained therein. Although this > email message and any attachments or appended messages are believed to be > free of any virus or other defect that might affect any computer system > into > which it is received and opened, it is the responsibility of the recipient > to ensure that it is virus free and no responsibility is accepted by the > sender for any loss or damage arising in any way from its opening or use. > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Rex, I investigated this issue, and there is a way to identify PTF as being SECINT. However, it does not include the CVSS metrics which I want to access. I do not understand why IBM hides this information, while it is disclosed to everybody when it comes to IBM I. *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* On Tue, Jan 17, 2023 at 10:44 PM Pommier, Rex wrote: > Kurt, > > Your response brings up a related question. I understand the SECINT > HOLDDATA is only available from the security portal. Are PTFs that get a > SECINT hold on them also flagged in the normal holddata with some other > hold reason? Asking another way, am I missing PTFs that have holddata on > them if I don't get the SECINT holddata from the portal? > > Thanks, > Rex > > -Original Message- > From: IBM Mainframe Discussion List On Behalf > Of Kurt J. Quackenbush > Sent: Tuesday, January 17, 2023 1:57 PM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: [EXTERNAL] Re: How to determine if Enhanced HOLDDATA received? > > > Is there still such a thing as not-enhanced holddata? > > No, the old not-enhanced HOLDDATA no longer exists (for many years). I do > not use the descriptor "enhanced" because IBM only provides the one flavor > of general use HOLDDATA. Everybody, including vendors, have access to > IBM's general use HOLDDATA. You can get the file here > https://urldefense.com/v3/__https://public.dhe.ibm.com/eserver/zseries/holddata/full.txt__;!!KjMRP1Ixj6eLE0Fj!pBdnXZ6I9JuqGglNFX8erL2uzWFHOOpQ31Qeg5lB-GgoxsEeZHY0mSYI5TALPLRXRxaTrjiIZ8_fjEAP$ > or with FTP as previously posted, or with Shopz or with SMP/E RECEIVE > ORDER. This HOLDDATA identifies PE, HIPER, and Fix Category fixes. The > HOLDDATA from the IBM Security Portal which identifies SECINT fixes is > separate. > > Kurt Quackenbush > IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com > > Chuck Norris never uses CHECK when he applies PTFs. > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, send email > to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > > -- > The information contained in this message is confidential, protected from > disclosure and may be legally privileged. If the reader of this message is > not the intended recipient or an employee or agent responsible for > delivering this message to the intended recipient, you are hereby notified > that any disclosure, distribution, copying, or any action taken or action > omitted in reliance on it, is strictly prohibited and may be unlawful. If > you have received this communication in error, please notify us immediately > by replying to this message and destroy the material in its entirety, > whether in electronic or hard copy format. Thank you. > > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
On 1/17/2023 11:43 AM, Gibney, Dave wrote: Is there still such a thing as not-enhanced holddata? The month.txt and year.txt HOLDDATA files do not have FIXCATs. Only full.txt has FIXCATs. -- Phoenix Software International Edward E. Jaffe 831 Parkview Drive North El Segundo, CA 90245 https://www.phoenixsoftware.com/ This e-mail message, including any attachments, appended messages and the information contained therein, is for the sole use of the intended recipient(s). If you are not an intended recipient or have otherwise received this email message in error, any use, dissemination, distribution, review, storage or copying of this e-mail message and the information contained therein is strictly prohibited. If you are not an intended recipient, please contact the sender by reply e-mail and destroy all copies of this email message and do not otherwise utilize or retain this email message or any or all of the information contained therein. Although this email message and any attachments or appended messages are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by the sender for any loss or damage arising in any way from its opening or use. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Kurt, Your response brings up a related question. I understand the SECINT HOLDDATA is only available from the security portal. Are PTFs that get a SECINT hold on them also flagged in the normal holddata with some other hold reason? Asking another way, am I missing PTFs that have holddata on them if I don't get the SECINT holddata from the portal? Thanks, Rex -Original Message- From: IBM Mainframe Discussion List On Behalf Of Kurt J. Quackenbush Sent: Tuesday, January 17, 2023 1:57 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [EXTERNAL] Re: How to determine if Enhanced HOLDDATA received? > Is there still such a thing as not-enhanced holddata? No, the old not-enhanced HOLDDATA no longer exists (for many years). I do not use the descriptor "enhanced" because IBM only provides the one flavor of general use HOLDDATA. Everybody, including vendors, have access to IBM's general use HOLDDATA. You can get the file here https://urldefense.com/v3/__https://public.dhe.ibm.com/eserver/zseries/holddata/full.txt__;!!KjMRP1Ixj6eLE0Fj!pBdnXZ6I9JuqGglNFX8erL2uzWFHOOpQ31Qeg5lB-GgoxsEeZHY0mSYI5TALPLRXRxaTrjiIZ8_fjEAP$ or with FTP as previously posted, or with Shopz or with SMP/E RECEIVE ORDER. This HOLDDATA identifies PE, HIPER, and Fix Category fixes. The HOLDDATA from the IBM Security Portal which identifies SECINT fixes is separate. Kurt Quackenbush IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com Chuck Norris never uses CHECK when he applies PTFs. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- The information contained in this message is confidential, protected from disclosure and may be legally privileged. If the reader of this message is not the intended recipient or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any disclosure, distribution, copying, or any action taken or action omitted in reliance on it, is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to this message and destroy the material in its entirety, whether in electronic or hard copy format. Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Tx Kurt. There are 66,601 ++HOLD statements, none of which is of reason SECINT. Back to my question. Is the reason(secint) reported by the standard HOLDDATA? ITschak *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* On Tue, Jan 17, 2023 at 9:57 PM Kurt J. Quackenbush wrote: > > Is there still such a thing as not-enhanced holddata? > > No, the old not-enhanced HOLDDATA no longer exists (for many years). I do > not use the descriptor "enhanced" because IBM only provides the one flavor > of general use HOLDDATA. Everybody, including vendors, have access to > IBM's general use HOLDDATA. You can get the file here > https://public.dhe.ibm.com/eserver/zseries/holddata/full.txt or with FTP > as previously posted, or with Shopz or with SMP/E RECEIVE ORDER. This > HOLDDATA identifies PE, HIPER, and Fix Category fixes. The HOLDDATA from > the IBM Security Portal which identifies SECINT fixes is separate. > > Kurt Quackenbush > IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com > > Chuck Norris never uses CHECK when he applies PTFs. > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
> Is there still such a thing as not-enhanced holddata? No, the old not-enhanced HOLDDATA no longer exists (for many years). I do not use the descriptor "enhanced" because IBM only provides the one flavor of general use HOLDDATA. Everybody, including vendors, have access to IBM's general use HOLDDATA. You can get the file here https://public.dhe.ibm.com/eserver/zseries/holddata/full.txt or with FTP as previously posted, or with Shopz or with SMP/E RECEIVE ORDER. This HOLDDATA identifies PE, HIPER, and Fix Category fixes. The HOLDDATA from the IBM Security Portal which identifies SECINT fixes is separate. Kurt Quackenbush IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com Chuck Norris never uses CHECK when he applies PTFs. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Is there still such a thing as not-enhanced holddata? > -Original Message- > From: IBM Mainframe Discussion List On > Behalf Of Ed Jaffe > Sent: Tuesday, January 17, 2023 11:41 AM > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: How to determine if Enhanced HOLDDATA received? > > [EXTERNAL EMAIL] > > On 1/17/2023 11:12 AM, Itschak Mugzach wrote: > > I am not confused. As a vendor, we don;t have access to enhanced > holddata. > > Everyone has access to enhanced HOLDDATA. Just download it using FTP. > For example: > > //GETHOLDD JOB 1,JAFFE,CLASS=A,MSGCLASS=T,NOTIFY=&SYSUID > // EXEC PGM=FTP,REGION=64M > //SYSPRINT DD SYSOUT=* > //SYSINDD * > service.boulder.ibm.com > anonymous > edja...@phoenixsoftware.com > cd s390/holddata > locsite recfm=fb lrecl=80 > locsite primary=1 secondary=1 cylinders > get full.txt holddata.full.txt (REPLACE > quit > // > > > -- > Phoenix Software International > Edward E. Jaffe > 831 Parkview Drive North > El Segundo, CA 90245 > https://urldefense.com/v3/__https://www.phoenixsoftware.com/__;!!JmP > EgBY0HMszNaDT!qSpVphFjV91HcWaf1rh2eLmIh7dOpJnrf_77wlB8IvJSH9nEI3 > p_IEdX1JyCgQbJX3wX4tI76uD1aXmkHOrqSA$ > > > > This e-mail message, including any attachments, appended messages and > the > information contained therein, is for the sole use of the intended > recipient(s). If you are not an intended recipient or have otherwise > received this email message in error, any use, dissemination, distribution, > review, storage or copying of this e-mail message and the information > contained therein is strictly prohibited. If you are not an intended > recipient, please contact the sender by reply e-mail and destroy all copies > of this email message and do not otherwise utilize or retain this email > message or any or all of the information contained therein. Although this > email message and any attachments or appended messages are believed to > be > free of any virus or other defect that might affect any computer system into > which it is received and opened, it is the responsibility of the recipient > to ensure that it is virus free and no responsibility is accepted by the > sender for any loss or damage arising in any way from its opening or use. > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
On 1/17/2023 11:12 AM, Itschak Mugzach wrote: I am not confused. As a vendor, we don;t have access to enhanced holddata. Everyone has access to enhanced HOLDDATA. Just download it using FTP. For example: //GETHOLDD JOB 1,JAFFE,CLASS=A,MSGCLASS=T,NOTIFY=&SYSUID // EXEC PGM=FTP,REGION=64M //SYSPRINT DD SYSOUT=* //SYSIN DD * service.boulder.ibm.com anonymous edja...@phoenixsoftware.com cd s390/holddata locsite recfm=fb lrecl=80 locsite primary=1 secondary=1 cylinders get full.txt holddata.full.txt (REPLACE quit // -- Phoenix Software International Edward E. Jaffe 831 Parkview Drive North El Segundo, CA 90245 https://www.phoenixsoftware.com/ This e-mail message, including any attachments, appended messages and the information contained therein, is for the sole use of the intended recipient(s). If you are not an intended recipient or have otherwise received this email message in error, any use, dissemination, distribution, review, storage or copying of this e-mail message and the information contained therein is strictly prohibited. If you are not an intended recipient, please contact the sender by reply e-mail and destroy all copies of this email message and do not otherwise utilize or retain this email message or any or all of the information contained therein. Although this email message and any attachments or appended messages are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by the sender for any loss or damage arising in any way from its opening or use. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
Kurt, I am not confused. As a vendor, we don;t have access to enhanced holddata. I wonder how one can determine if enhanced hold data was received. In other words, how can I differentiate hold data from enhanced hold data. I can determine if the PTF is related to SECINT hold data, but I don't have the CVSS coefficients. ITschak *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* On Tue, Jan 17, 2023 at 8:42 PM Kurt J. Quackenbush wrote: > > Since I don't have access to the (IBM) Security Portal (vendors doesn't > have access to it, so I was told), I never installed such holddata. I > wonder if there is a way to identify that a specific RSU of Enhanced > HOLDDATA was received. > > Don't confuse the IBM Security Portal and SECINT HOLDDATA with the general > use HOLDDATA. Anybody, including vendors, can get the HOLDDATA that > identifies HIPER and PE fixes and Fix Categories. For example, here: > https://public.dhe.ibm.com/eserver/zseries/holddata/full.txt > > IBM's HOLDDATA is updated every day as PEs and HIPERs are discovered and > fixed, so there is no particular level like RSU or PUT or otherwise that > pertains to HOLDDATA. If in doubt when the HOLDDATA was last obtained, > just get the latest for that day. Or automate getting HOLDDATA everyday, > then you never have to ask yourself that question. > > Kurt Quackenbush > IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com > > Chuck Norris never uses CHECK when he applies PTFs. > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
> Since I don't have access to the (IBM) Security Portal (vendors doesn't have > access to it, so I was told), I never installed such holddata. I wonder if > there is a way to identify that a specific RSU of Enhanced HOLDDATA was > received. Don't confuse the IBM Security Portal and SECINT HOLDDATA with the general use HOLDDATA. Anybody, including vendors, can get the HOLDDATA that identifies HIPER and PE fixes and Fix Categories. For example, here: https://public.dhe.ibm.com/eserver/zseries/holddata/full.txt IBM's HOLDDATA is updated every day as PEs and HIPERs are discovered and fixed, so there is no particular level like RSU or PUT or otherwise that pertains to HOLDDATA. If in doubt when the HOLDDATA was last obtained, just get the latest for that day. Or automate getting HOLDDATA everyday, then you never have to ask yourself that question. Kurt Quackenbush IBM | z/OS SMP/E and z/OSMF Software Management | ku...@us.ibm.com Chuck Norris never uses CHECK when he applies PTFs. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to determine if Enhanced HOLDDATA received?
My first thought was LIST HODDATA SOURCEID(...), but it looks like the source id is only available for sysmods. I would advise just receiving the most recent hold data. -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 From: IBM Mainframe Discussion List [IBM-MAIN@LISTSERV.UA.EDU] on behalf of ITschak Mugzach [imugz...@gmail.com] Sent: Monday, January 16, 2023 12:13 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: How to determine if Enhanced HOLDDATA received? Since I don't have access to the (IBM) Security Portal (vendors doesn't have access to it, so I was told), I never installed such holddata. I wonder if there is a way to identify that a specific RSU of Enhanced HOLDDATA was received. BTW, I registered to the IBM I and Z notification service and I get a lot of emails telling me that IBM I service need to be installed, including SECINT type. Why does IBM publish SECINT to all in IBM I but not for Z? ITschak BTW, Enhanced HOLDDATA ITschak Mugzach *|** IronSphere Platform* *|* *Information Security Continuous Monitoring for z/OS, x/Linux & IBM I **| z/VM coming soon * -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
How to determine if Enhanced HOLDDATA received?
Since I don't have access to the (IBM) Security Portal (vendors doesn't have access to it, so I was told), I never installed such holddata. I wonder if there is a way to identify that a specific RSU of Enhanced HOLDDATA was received. BTW, I registered to the IBM I and Z notification service and I get a lot of emails telling me that IBM I service need to be installed, including SECINT type. Why does IBM publish SECINT to all in IBM I but not for Z? ITschak BTW, Enhanced HOLDDATA ITschak Mugzach *|** IronSphere Platform* *|* *Information Security Continuous Monitoring for z/OS, x/Linux & IBM I **| z/VM coming soon * -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN