IBM Z Software


This portal is to open public enhancement requests against IBM Z Software products. To view all of your ideas submitted to IBM, create and manage groups of Ideas, or create an idea explicitly set to be either visible by all (public) or visible only to you and IBM (private), use the IBM Unified Ideas Portal (https://ideas.ibm.com).


Shape the future of IBM!

We invite you to shape the future of IBM, including product roadmaps, by submitting ideas that matter to you the most. Here's how it works:

Search existing ideas

Start by searching and reviewing ideas and requests to enhance a product or service. Take a look at ideas others have posted, and add a comment, vote, or subscribe to updates on them if they matter to you. If you can't find what you are looking for,

Post your ideas

  1. Post an idea.

  2. Get feedback from the IBM team and other customers to refine your idea.

  3. Follow the idea through the IBM Ideas process.


Specific links you will want to bookmark for future use

Welcome to the IBM Ideas Portal (https://www.ibm.com/ideas) - Use this site to find out additional information and details about the IBM Ideas process and statuses.

IBM Unified Ideas Portal (https://ideas.ibm.com) - Use this site to view all of your ideas, create new ideas for any IBM product, or search for ideas across all of IBM.

ideasibm@us.ibm.com - Use this email to suggest enhancements to the Ideas process or request help from IBM for submitting your Ideas.

Add a new idea Subscribe
Status Under review
Workspace zSecure
Categories zSecure Audit
Created by Guest
Created on Sep 18, 2025

RELATED IDEAS

zSecure - CIS-OS-6.3.3 USS Banner support for multi freeze file input

I have two Systems a) CH01MSYS (M1) and b) CH02MSYS (M2) part of the same complex MAINT.

Running the validation for each system individually works as expected. However, in the zOS Sysplex/USS environment the setup is a bit special and the validation with multiple freeze files requires more focus on the system to be analyzed.

In CKACUST(C2RH@IDF) member I have the following definition:
ALLOC TYPE=INPUT DD=BANNER PATH='/etc/ssh/banner'
OPTION SITE_BANNER=BANNER                        

And that works as expected. However, the path /etc/ssh is in reality the path /CH01MSYS/etc/ssh and /CH02MSYS/etc/ssh.
As each system uses the /$SYSNAME mountpoint as a symbolic link. If one accesses path /etc/ssh it resolves differently depending on which system one is logged in as /etc is a symbolic link resolving to /$SYSNAME/etc. More details can be found in the IBM doc here: https://www.ibm.com/docs/en/zos/3.1.0?topic=sysplex-creating-root-file-system

Each /etc/ssh/banner file has the system name in it to inform the user not only about the legal disclaimer but as well to which system the user has connected.

Hence obviously the 'compare' or audit run fails for the other system.

So when I run the Audit validation on System M1 with both freeze files in it, then M1 is compliant as the freeze file content matches what is found in /etc/ssh/banner. However M2 is not compliant even the content on M2 freeze file and 'real' path /CH02MSYS/etc/ssh/banner matches.

My suggestion is that there is either to support in the include member CKACUST(C2RH@IDF) either a way like (not preferred):
ALLOC TYPE=INPUT DD=BANNER SYSTEM=M1 PATH='/CH01MSYS/etc/ssh/banner'
OPTION SITE_BANNER=BANNER 

ALLOC TYPE=INPUT DD=BANNER SYSTEM=M2 PATH='/CH02MSYS/etc/ssh/banner'
OPTION SITE_BANNER=BANNER  

However, the above is not flexible or dynamic when using the 'real' path for the validation.

I would somehow expect that the audit report follows the 'real' path when doing the validation as when I have to define all manually as above it is not flexible and dynamic.

Dynamic version (preferred):
Hence I would assume there is a more 'intelligence' in the validation code to take into account a sysplex environment
and 'follow' the correct path. Then even when the validation is running on M1 system, it can access the path /CH02MSYS/etc/ssh/banner and compare with the M2 freeze file. As the information about the complex member is known so is the full path in the freeze files.

Idea priority High

By clicking the "Post Comment" or "Submit Idea" button, you are agreeing to the IBM Ideas Portal Terms of Use.
Do not place IBM confidential, company confidential, or personal information into any field.