Auditing Racf

Copyright 2000, 2006 EKC Inc.
Eberhard Klemens Co.

Experts in Computer
Systems - Software - Security
Auditing the
Auditing the
RACF
RACF
Environment
Environment
Topic 1: Auditing RACF
Auditing 2
www.ekcinc.com
Experts in Computer
Topic 1 Objectives
Topic 1 Objectives
The Audit Environment
Sample Audit Points
Audit Controls
Audit Data
Audit Reporting
Auditing 3
www.ekcinc.com
Experts in Computer
Separation of Powers
Separation of Powers
SPECIAL AUDITOR
Auditing 4
www.ekcinc.com
Experts in Computer
Conducting the Audit
Judge how effectively RACF has been
implemented to handle security at the
installation.
Identify any security exposures.
Recommend ways to improve the system.
Auditing 5
www.ekcinc.com
Experts in Computer
The Audit Cycle
The Audit Cycle
Establish Benchmark
Check loggings regularly
Re-examine security implementation and
compare against last benchmark
Establish new benchmark
Auditing 6
www.ekcinc.com
Experts in Computer
Twelve Point Approach
Point 1 - System Controls - Level of Implementation
Point 2 - Change Control Over Options and Software
Point 3 - Protection for Database and SMF Files
Point 4 - Enforcement of Security Policy
Point 5 - Password Administration
Point 6 - Approach to Access Profiles
Auditing 7
www.ekcinc.com
Experts in Computer
Point 7 - Ability to Bypass Controls
Point 8 - Control of Non-Owned Ids
Point 9 - Controls Over Production Ids
Point 10 - Controls for Key System Components
Point 11 - Ability to Gain Unauthorized Access
Point 12 - Security Reporting and Follow-Up
Auditing 8
www.ekcinc.com
Experts in Computer
1 1 - - System Implementation System Implementation
Limit / Control / Review
Where to Look
RACF Release level
System Release level
DSMON
System Report
shows zOS and RACF
Release / FMID levels
SETROPTS LIST
shows module names and
lengths of installed exits
shows PROTECTALL
level and options
RACF Exits
DSMON System
Exits Report
PROTECTALL settings
Auditing 9
www.ekcinc.com
Experts in Computer
2 2 Administration / Change Control Administration / Change Control
Where to Look
assignment of
system-SPECIAL
DSMON Selected
User Attribute
Report
shows number of users
and user IDs given
system-SPECIAL
use of RVARY command SETROPTS LIST
shows if there is an
RVARY password specified
use of SETROPTS
REFRESH command
DSMON SUAR
and user IDs with SPECIAL
and AUDITOR
Auditing 10
www.ekcinc.com
Experts in Computer
3 3 Securing access to RACF & SMF Securing access to RACF & SMF
Where to Look
Access to RACF
database carefully
controlled
LISTDSD
shows access lists for
primary and backup
RACF databases
LISTDSD
Site specific
Access to SMF
files limited
shows access lists for
primary and backup
RACF databases
Review procedures and
schedule for backup
of RACF database(s)
Regularly scheduled
backups of RACF
database files
Auditing 11
www.ekcinc.com
Experts in Computer
4 4 Security Policy Review Security Policy Review
Where to Look
Determine existence
of security policy
Interviews with Security management staff.
Procedures in place
for PASSWORD
changes, makeup.
Review site specific procedures,
SETROPTS LIST
Handeling of deleted
userids
Review site specific procedures
Auditing 12
www.ekcinc.com
Experts in Computer
5 5 Password Policy Review Password Policy Review
Where to Look
Periodic required
password change
Review change interval.
PASSWORD
length
Review site specific
procedures,
Review unsuccessful
password attempts
SETROPTS LIST
SETROPTS LIST
PASSWORD
hacking
SETROPTS LIST
Auditing 13
www.ekcinc.com
Experts in Computer
6 6 Access Hierarchy Access Hierarchy
Where to Look
Verify access lists
for individuals and
groups
Review groups to determine
definition and use of
functional groups.
Verify appropriate
UACC access
Review dataset profiles for
apropriate UACC access.
DSMON
GROUP TREE
LISTDSD
Verify OWNER data
for profiles and
groups
LISTDSD
DSMON
GROUP TREE
Review owner data to
determine inheritance of
data / application ownership
Auditing 14
www.ekcinc.com
Experts in Computer
7 7 Ability to Bypass Controls Ability to Bypass Controls
Where to Look
Verify SETROPTS
PROTECTALL active
in FAILURE mode
shows if
PROTECTALL FAILURE
is in effect
SETROPTS LIST
shows if profile creator is
automatically added with
ALTER to access list
DSMON
with OPERATIONS
SETROPTS LIST
Ensure SETROPTS
NOADDCREATOR
is applied
Minimize use of
OPERATIONS
attribute
Auditing 15
www.ekcinc.com
Experts in Computer
8 8 Non Non- -Owned Owned Userids Userids
Where to Look
Use of region IDs for
batch jobs submitted
on behalf of users
SEARCH CLASS(PROPCNTL)
NOMASK
Search for
PROPCNTL
profiles
Review use of
surrogate profiles
Search for
SURROGAT
profiles
SEARCH CLASS(SURROGAT)
NOMASK
Auditing 16
www.ekcinc.com
Experts in Computer
9 9 Controls over Production IDs Controls over Production IDs
Where to Look
Review rationale used
to associate production
IDs with jobs
Site specific
Verify controls
over production
JCL libraries
Dataset
profiles
Review profiles to ensure
appropriate access
Review SURROGAT
use to ensure only
authorized use
SURROGAT
profiles
RL userid.SUBMIT
CL(SURROGAT) AU
Auditing 17
www.ekcinc.com
Experts in Computer
10 10 Key System Components Key System Components
Where to Look
Review inventory of
products requiring
security interface
Site specific-
List of installed products
Verify adequacy of
access controls
in place
Review general resource profiles
for vendor products.
Assure adequate use
of SAF-based
controls
DSMON Authorized
Caller Report
Auditing 18
www.ekcinc.com
Experts in Computer
11 11 Ability to gain unauthorized access Ability to gain unauthorized access
Where to Look
User IDs which have
never been used or not
used for an extended
period of time
SEARCH CLASS(USER) AGE(120)
Default userids
(IBMUSER)
LU IBMUSER
RACF default
password
Review procedures for changing passwords
Auditing 19
www.ekcinc.com
Experts in Computer
12 12 Security Reporting and Follow Security Reporting and Follow- -up up
Where to Look
Review types and
frequency of
reports
Review report
distribution
Determine actions
from violation
attempts
Site specific procedures
Auditing 20
www.ekcinc.com
Experts in Computer
Auditor Controls
Auditor Controls
General Controls
SETROPTS Commands SETR AUDIT(*)
Specific Controls
User activity ALU
Dataset activity ALTDSD
Resource activity RALTER
Auditing 21
www.ekcinc.com
Experts in Computer
Audit Controls
Audit Controls
-
-
SETROPTS
SETROPTS
APPLAUDIT and NOAPPLAUDIT
AUDIT and NOAUDIT
CMDVIOL and NOCMDVIOL
LIST
LOGOPTIONS
OPERAUDIT and NOOPERAUDIT
REFRESH GENERIC
REFRESH RACLIST
SAUDIT and NOSAUDIT
SECLABELAUDIT and NOSECLABELAUDIT
SECLEVELAUDIT and NOSECLEVELAUDIT
Auditing 22
www.ekcinc.com
Experts in Computer
Controlling Logging
Controlling Logging
Application
Owner
SYS1.MANx
Auditor
Auditing 23
www.ekcinc.com
Experts in Computer
Owner
Owner
-
-
Controlled Logging
Controlled Logging
ALTDSD 'PAYROLL.MASTER.*'
AUDIT(FAILURES(READ))
PAYROLL.MASTER.* . . . FAILURES(READ)
Profile Name AUDIT GLOBALAUDIT
Auditing 24
www.ekcinc.com
Experts in Computer
Auditor Controls
Auditor Controls

Logging
Logging
ALTDSD 'PAYROLL.MASTER.*'
GLOBALAUDIT(SUCCESS(UPDATE))
SETR LOGOPTIONS(ALWAYS(DASDVOL))
SETR LOGOPTIONS(FAILURES(TERMINAL))
PAYROLL.MASTER.* . . . FAILURES(READ) SUCCESS(UPDATE)
Profile Name AUDIT GLOBALAUDIT
ALU STAN UAUDIT
Auditing 25
www.ekcinc.com
Experts in Computer
Two Types of Audit Data
Two Types of Audit Data
Snapshot Data The Implementation
RACF Commands L, SETR LIST
Data Security Monitor DSMON
RACF Database Unload IRRDBU00
Event Data Wazhappnin???
RACF Commands LOGOPTIONS, GLOBALAUDIT
SMF Data Unload Utility IFASMFDP
Reporting Tools SAMPLIB
RICE reports ICEMAN statements for DB & SMF unloaded data
DB2 queries RACDBUxx, IRRADUxx
Auditing 26
www.ekcinc.com
Experts in Computer
Running the DSMON Program
Running the DSMON Program
I
C
H
D
S
M
0
0
//stepname EXEC PGM=ICHDSM00
//SYSPRINT DD SYSOUT=A
//SYSUT2 DD SYSOUT=A
//SYSIN DD *
LINECOUNT 55
FUNCTION ALL
USEROPT USRDSN PAY.MASTER.FILE
Hardware
Software
D
S
M
O
N
R
e
p
o
r
ts
Auditing 27
www.ekcinc.com
Experts in Computer
DSMON Reports
DSMON Reports
Selected Data Sets Report
Group Tree Report
RACF Global Access Table Report
RACF Class Descriptor Table Report
RACF Started Procedures Table Report
Selected User Attribute Summary Report
Selected User Attribute Report
RACF Authorized Caller Table Report
Program Properties Table Report
System Report
CPU-ID
CPU MODEL
OPERATING SYSTEM/LEVEL z/OS . . .
SYSTEM RESIDENCE VOLUME
RACF FMID HRF7709 IS ACTIVE
D
S
M
O
N
R
e
p
o
r
t s
RACF Exits Report
Auditing 28
www.ekcinc.com
Experts in Computer
System Report
System Report
CPU-ID 111606
CPU MODEL 2064
OPERATING SYSTEM/LEVEL z/OS 1.6.0
SYSTEM RESIDENCE VOLUME DR250B
SMF-ID ZOSR
RACF FMID HRF7709 IS ACTIVE
Auditing 29
www.ekcinc.com
Experts in Computer
Program Properties Table Report Program Properties Table Report
PROGRAM BYPASS PASSWORD SYSTEM
NAME PROTECTION KEY
---------------------------------------------------------------------------------
IEDQTCAM NO YES
ISTINM01 YES YES
IKTCAS00 NO YES
AHLGTF NO YES
HHLGTF NO YES
IHLGTF NO YES
IEFIIC NO YES
IEEMB860 YES YES
IEEVMNT2 NO YES
IASXWR00 NO YES
CSVVFCRE NO YES
HASJES20 YES YES
DFSMVRC0 NO YES
IATINTK YES YES
DXRRLM00 NO YES
Auditing 30
www.ekcinc.com
Experts in Computer
RACF Authorized Caller Table Report RACF Authorized Caller Table Report
MODULE RACINIT RACLIST
NAME AUTHORIZED AUTHORIZED
---------------------------------------------------------------------------
DFHSIP NO YES
Auditing 31
www.ekcinc.com
Experts in Computer
RACF Exit Report
RACF Exit Report
EXIT MODULE MODULE
NAME LENGTH
----------------------------------------------------------
ICHPWX01 1354
ICHDEX01 224
Auditing 32
www.ekcinc.com
Experts in Computer
USERID ---------------- ATTRIBUTE TYPE ----------------------------------------- ASSOCIATIONS ----------------------
SPECIAL OPERATIONS AUDITOR REVOKE NODE.USERID PASSWORD ASSOCIATION
SYNC TYPE
---------------------------------------------------------------------------------------------------------------------------------------------------
BIGBIRD SYSTEM SYSTEM
BERT SYSTEM
ELMO GROUP GROUP
ERNIE SYSTEM SYSTEM
GROVER SYSTEM SYSTEM
GROUCH GROUP
IBMUSER SYSTEM SYSTEM SYSTEM
SNUFFY GROUP
ZOE GROUP
Auditing 33
www.ekcinc.com
Experts in Computer
Selected User Attribute Summary Selected User Attribute Summary
--------------------------------------------------------------------------------------------------------------
TOTAL DEFINED USERS: 563
TOTAL SELECTED ATTRIBUTE USERS:
ATTRIBUTE BASIS SPECIAL OPERATIONS AUDITOR REVOKE
-------------------------- ------------- -------------------- -------------- -------------
SYSTEM 4 3 1 2
GROUP 1 2 1 1
Auditing 34
www.ekcinc.com
Experts in Computer
Started Procedures Table Report Started Procedures Table Report
FROM THE STARTED PROCEDURES TABLE (ICHRIN03):
FROM PROFILES IN THE STARTED CLASS:
------------------------------------------------------------------------------------------------------------------------------------------------
PROFILE ASSOCIATED ASSOCIATED
NAME USER GROUP PRIVILEGED TRUSTED TRACE
------------------------------------------------------------------------------------------------------------------------------------------------
CICS.REGIONA CICSA NO NO NO
CICS.REGIONB CICSB NO NO NO
DCEKERN.* (G) DCEKERN DCEGRP NO NO NO
EZAFTPAP.* (G) TCPIP OMVSGRP NO YES NO
FTPD.* (G) OMVSKERN OMVSGRP NO NO NO
MVSNFS.* (G) TCPIP OMVSGRP NO NO NO
OMVS.* (G) OMVSKERN OMVSGRP NO NO NO
PORTMAP.* (G) TCPIP OMVSGRP NO YES YES
FTPSERVE.* (G) TCPIP OMVSGRP NO YES NO
INETD.* (G) INETD SYS1 NO NO NO
SMF.* (G) STCUSR SYS1 NO YES NO
IRRDPTAB.* (G) STCUSR SYS1 NO YES NO
JES2.* (G) STCUSR SYS1 NO YES NO
LLA.* (G) STCUSR SYS1 NO YES NO
TSO.* (G) TSO TSOGRP NO NO NO
VTAM.* (G) VTAM VTAMGRP NO YES NO
LOGREC.* (G) LOGREC SYS1 NO NO NO
** (G) =MEMBER STCGRP NO NO YES
Auditing 35
www.ekcinc.com
Experts in Computer
Class Descriptor Table Report
Class Descriptor Table Report
CLASS DEFAULT OPERATIONS
NAME STATUS AUDITING STATISTICS UACC ALLOWED
----------------------------------------------------------------------------------------------------------------------------
RACFVARS ACTIVE NO NO NONE NO
SECLABEL INACTIVE NO NO NONE NO
DASDVOL ACTIVE NO NO ACEE YES
GDASDVOL ACTIVE NO NO ACEE YES
TAPEVOL ACTIVE NO NO ACEE YES
TERMINAL INACTIVE NO NO ACEE NO
GTERMINL INACTIVE NO NO ACEE NO
APPL ACTIVE NO NO NONE NO
TIMS INACTIVE NO NO NONE NO
GIMS INACTIVE NO NO NONE NO
AIMS INACTIVE NO NO NONE NO
TCICSTRN ACTIVE NO NO NONE NO
GCICSTRN ACTIVE NO NO NONE NO
PCICSPSB INACTIVE NO NO NONE NO
GLOBAL ACTIVE NO NO NONE NO
GMBR INACTIVE NO NO NONE NO
DSNR INACTIVE NO NO ACEE NO
FACILITY ACTIVE NO NO NONE NO
Auditing 36
www.ekcinc.com
Experts in Computer
Global Access Checking Table Report Global Access Checking Table Report
CLASS ACCESS ENTRY
NAME LEVEL NAME
----------------------------------------------------------------------------------------
DATASET ALTER &RACUID.*
READ ISPF.*
UPDATE SYS1.BRODCAST
RVARSMBR -- NO ENTRIES --
SECLABEL -- NO ENTRIES --
DASDVOL -- NO ENTRIES --
TAPEVOL -- NO ENTRIES --
TERMINAL -- NO ENTRIES --
APPL -- NO ENTRIES --
TIMS -- NO ENTRIES --
AIMS -- NO ENTRIES --
TCICSTRN -- NO ENTRIES --
PCICSPSB -- NO ENTRIES --
Auditing 37
www.ekcinc.com
Experts in Computer
Group Tree Report
Group Tree Report
LEVEL GROUP (OWNER)
---------------------------------------------------------
1 SYS1 (IBMUSER)
|
2 | DATASETG (TOMC)
| |
3 | | ABA
| |
3 | | ARP
| | |
4 | | | ARPLST
|
2 | CICSADM
| |
3 | | TRANA
| |
3 | | TRANB
|
2 | DATACTRL
Auditing 38
www.ekcinc.com
Experts in Computer
VOLUME SELECTION
DATA SET NAME SERIAL CRITERION
-------------------------------------------------------------------------------------------
PAY.MASTER.FILE USER23 USERDSN
PAY.SALARY.FILE USER23 USERDSN
ISP.PPLIB.ISPLLIB M80LIB LNKLST - APF
ISP.V3R1M0.ISPLOAD M80LIB APF
ISP.V3R2M0.ISPLOAD M80LIB APF
LNKLST - APF
JES2311.STEPLIB SMS036 APF
SYS1.CMDLIB JS2RES APF
LNKLST - APF
SYSTEM
SYS1.COBLIB M80LIB LNKLST - APF
SYS1.LINKLIB MVSRES LNKLST - APF
SYSTEM
SYS1.NCATLG M80PGE MASTER CATALOG
SYS1.NUCLEUS MVSRES SYSTEM
SYS1.PROCLIB M80PGE SYSTEM
SYS1.RACF.BACKUP SMS124 RACF BACKUP
SYS1.RACF.PRIMARY SMS073 RACF PRIMARY
SYS1.UADS M80PGE SYSTEM
RACF RACF
INDICATED PROTECTED UACC
-------------------------------------------------------
NO YES NONE
NO YES NONE
NO YES READ
N.F YES READ
NO YES READ
N.C YES READ
NO YES READ
NO YES READ
NO YES READ
NO YES READ
NO YES READ
N.F YES NONE
NO YES READ
NO YES NONE
NO YES NONE
NO YES NONE
NO YES NONE
NO YES NONE
Auditing 39
www.ekcinc.com
Experts in Computer
Reporting on the Unloaded Database Reporting on the Unloaded Database
Valid users
IRRDBU00
Output Data
R
e
p
o
r
ts
Selected groups
Connections
MVS Open Edition
SQL Queries
or ICETOOLs
Auditing 40
www.ekcinc.com
Experts in Computer
SMF Data Unload Utility
SMF Data Unload Utility
DB2 or
Other
RDMS
IFASMFDP
ICETOOL
or Utilities
Installation
Written
Programs
Browse
SMF Data
Unloaded
SMF Data
USER2(IRRADU00)
USER3(IRRADU86)
Auditing 41
www.ekcinc.com
Experts in Computer
SMF Unload JCL Example
SMF Unload JCL Example
//SMFUNLD JOB ,'SMF DATA UNLOAD',
// MSGLEVEL=(1,1),TYPRUN=HOLD
//SMFDUMP EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=A
//ADUPRINT DD SYSOUT=A
//OUTDD DD DISP=SHR,DSN=USER01.RACF.IRRADU00
//SMFDATA DD DISP=SHR,DSN=USER01.RACF.SMFDATA
//SMFOUT DD DUMMY
//SYSIN DD *
INDD(SMFDATA,OPTIONS(DUMP))
OUTDD(SMFOUT,TYPE(000:255))
ABEND(NORETRY)
USER2(IRRADU00)
USER3(IRRADU86)
/*
Auditing 42
www.ekcinc.com
Experts in Computer
Samplib
Samplib
Tools Available
Tools Available
IRRICE Collection
Uses DFSORT and ICETOOL to produce reports
based on Unloaded Database data and SMF data.
IRRADULD, ..QR, ..TB
Uses SQL to define (TB), Load (LD), and Query
(QR) auditing (unloaded SMF) data.
RACDBULD, ..QR, ..TB
Uses SQL to define (TB), Load (LD), and Query
(QR) security definition data.
Auditing 43
www.ekcinc.com
Experts in Computer
Sample IRRDBU00 Report
Sample IRRDBU00 Report
- 1 - UAGR: GR Profiles with a UACC Other Than None 06/09/28
Class General Resource Profile Name Generic Owner UACC
-------- ----------------------------- ------- -------- --------
DSNR DSN.WLM_REFRESH.DB8GENV1 NO 0 P390A READ
DSNR SYSPROC.WLM_REFRESH.DB8GRFSH NO 0 P390A READ
DSNR SYSPROC.WLM_REFRESH.WLMENV1 NO 0 IBMUSER READ
DSNR SYSPROC.WLM_REFRESH.WLMENV2 NO 0 IBMUSER READ
FIRECALL FIRECALL NO 0 SYS1 READ
FACILITY DITTO.* YES 0 IBMUSER READ
FACILITY MVSADMIN.WLM.POLICY NO 0 IBMUSER READ
Auditing 44
www.ekcinc.com
Experts in Computer
Sample IRRADU00 Report
Sample IRRADU00 Report
- 1 - CADU: Number of IRRADU00 Events
06/09/28 09:57:32 am
Type Count
-------- ---------------
ACCESS 1842
ALTUSER 6
CONNECT 3
DACCESS 1
DEFINE 4
DIRSRCH 15
JOBINIT 2951
PERMIT 1
RDEFINE 2
REMOVE 3
SETROPTS 1
Auditing 45
www.ekcinc.com
Experts in Computer
Weve checked the RACF implementation
for appropriate security controls.
Identified security exposures.
Made our recommendations.
Whats this 18 hour Special?
Experts in Computer
Part 2: Emergency Access
Auditing 47
www.ekcinc.com
Experts in Computer
What is Emergency Access?
What is Emergency Access?
Non-standard access
Storage fixes
General Error fixes
System upgrades
Testing the Recovery Plan
Auditing 48
www.ekcinc.com
Experts in Computer
Typical Methods
Typical Methods
May I have the envelope please?
Temporary connect
Scheduled connect
Always on, just in case security
Secondary accounts
Auditing 49
www.ekcinc.com
Experts in Computer
The Pre
The Pre
-
-
loaded Account
loaded Account
All the access in the world
Keeping it relevant
Turning it off / Re-loading
Not tied to an individual
Accounting for use
Auditing 50
www.ekcinc.com
Experts in Computer
Temporary Connection
Connect at 5pm
Disconnect at 9am
Is it enough?
Less difficult to audit
Request/approval trace
Auditing 51
www.ekcinc.com
Experts in Computer
Scheduled connect at 3am
Disconnect at 9am
Is it enough?
Request/approval trace
Auditing 52
www.ekcinc.com
Experts in Computer
The Trusted Professional
The Trusted Professional
Extra access for the normal fixer
Enough access for typical emergencies
May not be enough
Difficult to audit
What paper trail?
Auditing 53
www.ekcinc.com
Experts in Computer
Dual Accounts
Dual Accounts
Secondary account for the normal fixer
Enough access for typical emergencies
May not be enough
After the fact request/approval
Auditing 54
www.ekcinc.com
Experts in Computer
The Business Recovery Plan
The Business Recovery Plan
Most companies use test data, right?
DRP accounts do everything
Minimum alteration risk
Maximum disclosure risk
Auditing the Recovery Test
Auditing 55
www.ekcinc.com
Experts in Computer
The BRP Reality
The BRP Reality
> -----Original Message-----
> From: RACF Discussion List On Behalf Of XXXX XXXXXXXX
>
> We want to give users testing programs in a D/R LPAR the
> authority to run production jobs. The production jobs run
> under the USERID of SYSMANT. What's the RACF command to allow
> this to happen.
PERMIT SYSMANT.SUBMIT CLASS(SURROGAT) ACCESS(READ) ID(userID) .
Auditing 56
www.ekcinc.com
Experts in Computer
Emergency Access Recommendations Emergency Access Recommendations
Keep a good trail of request & authorization.
For periodical needs, use 2 accounts, log
access used by second account. (UAUDIT)
Rip up the envelope, get rid of the pre-loaded
account.
Collect and examine SMF data from DRP
Restrict or remove software capable of
editing raw SMF data.
Experts in Computer
Audit Reporting & Emergency Access

Auditing Racf

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Auditing Racf

Încărcat de

Drepturi de autor:

Formate disponibile

Copyright 2000, 2006 EKC Inc.

Eberhard Klemens Co.

S-ar putea să vă placă și