Logging

ALTDSD 'PAYROLL.MASTER.*' GLOBALAUDIT(SUCCESS(UPDATE))
SETR LOGOPTIONS(ALWAYS(DASDVOL))
SETR LOGOPTIONS(FAILURES(TERMINAL))

Profile Name             AUDIT           GLOBALAUDIT
PAYROLL.MASTER.* . . .   FAILURES(READ)  SUCCESS(UPDATE)

ALU STAN UAUDIT
Auditing 25
Copyright 2000, 2006 EKC Inc.
www.ekcinc.com
Eberhard Klemens Co.
Experts in Computer
Systems - Software - Security
Two Types of Audit Data

Snapshot Data: The Implementation
  RACF Commands            L, SETR LIST
  Data Security Monitor    DSMON
  RACF Database Unload     IRRDBU00

Event Data: Wazhappnin???
  RACF Commands            LOGOPTIONS, GLOBALAUDIT
  SMF Data Unload Utility  IFASMFDP

Reporting Tools: SAMPLIB
  RICE reports   ICEMAN statements for DB & SMF unloaded data
  DB2 queries    RACDBUxx, IRRADUxx
Running the DSMON Program

Diagram: Hardware and Software -> ICHDSM00 (driven by the SYSIN control statements) -> DSMON Reports

//stepname EXEC PGM=ICHDSM00
//SYSPRINT DD SYSOUT=A
//SYSUT2   DD SYSOUT=A
//SYSIN    DD *
  LINECOUNT 55
  FUNCTION ALL
  USEROPT USRDSN PAY.MASTER.FILE
/*
DSMON Reports

  Selected Data Sets Report
  Group Tree Report
  RACF Global Access Table Report
  RACF Class Descriptor Table Report
  RACF Started Procedures Table Report
  Selected User Attribute Summary Report
  Selected User Attribute Report
  RACF Authorized Caller Table Report
  Program Properties Table Report
  System Report
  RACF Exits Report

System Report (excerpt):
  CPU-ID
  CPU MODEL
  OPERATING SYSTEM/LEVEL   z/OS . . .
  SYSTEM RESIDENCE VOLUME
  RACF FMID HRF7709 IS ACTIVE
System Report

CPU-ID                   111606
CPU MODEL                2064
OPERATING SYSTEM/LEVEL   z/OS 1.6.0
SYSTEM RESIDENCE VOLUME  DR250B
SMF-ID                   ZOSR
RACF FMID HRF7709 IS ACTIVE
Program Properties Table Report

PROGRAM    BYPASS PASSWORD   SYSTEM
NAME       PROTECTION        KEY
---------  ----------------  ------
IEDQTCAM   NO                YES
ISTINM01   YES               YES
IKTCAS00   NO                YES
AHLGTF     NO                YES
HHLGTF     NO                YES
IHLGTF     NO                YES
IEFIIC     NO                YES
IEEMB860   YES               YES
IEEVMNT2   NO                YES
IASXWR00   NO                YES
CSVVFCRE   NO                YES
HASJES20   YES               YES
DFSMVRC0   NO                YES
IATINTK    YES               YES
DXRRLM00   NO                YES
RACF Authorized Caller Table Report

MODULE    RACINIT     RACLIST
NAME      AUTHORIZED  AUTHORIZED
--------  ----------  ----------
DFHSIP    NO          YES
RACF Exit Report

EXIT MODULE   MODULE
NAME          LENGTH
-----------   ------
ICHPWX01      1354
ICHDEX01      224
Selected User Attribute Report

USERID    ------------ ATTRIBUTE TYPE ------------   ------------ ASSOCIATIONS ------------
          SPECIAL  OPERATIONS  AUDITOR  REVOKE       NODE.USERID  PASSWORD SYNC  ASSOCIATION TYPE
--------------------------------------------------------------------------------------------------
BIGBIRD   SYSTEM   SYSTEM
BERT      SYSTEM
ELMO      GROUP    GROUP
ERNIE     SYSTEM   SYSTEM
GROVER    SYSTEM   SYSTEM
GROUCH    GROUP
IBMUSER   SYSTEM   SYSTEM      SYSTEM
SNUFFY    GROUP
ZOE       GROUP
Selected User Attribute Summary

TOTAL DEFINED USERS: 563
TOTAL SELECTED ATTRIBUTE USERS:

ATTRIBUTE BASIS   SPECIAL   OPERATIONS   AUDITOR   REVOKE
---------------   -------   ----------   -------   ------
SYSTEM            4         3            1         2
GROUP             1         2            1         1
Started Procedures Table Report

FROM THE STARTED PROCEDURES TABLE (ICHRIN03):

FROM PROFILES IN THE STARTED CLASS:

PROFILE           ASSOCIATED  ASSOCIATED
NAME              USER        GROUP       PRIVILEGED  TRUSTED  TRACE
----------------  ----------  ----------  ----------  -------  -----
CICS.REGIONA      CICSA                   NO          NO       NO
CICS.REGIONB      CICSB                   NO          NO       NO
DCEKERN.* (G)     DCEKERN     DCEGRP      NO          NO       NO
EZAFTPAP.* (G)    TCPIP       OMVSGRP     NO          YES      NO
FTPD.* (G)        OMVSKERN    OMVSGRP     NO          NO       NO
MVSNFS.* (G)      TCPIP       OMVSGRP     NO          NO       NO
OMVS.* (G)        OMVSKERN    OMVSGRP     NO          NO       NO
PORTMAP.* (G)     TCPIP       OMVSGRP     NO          YES      YES
FTPSERVE.* (G)    TCPIP       OMVSGRP     NO          YES      NO
INETD.* (G)       INETD       SYS1        NO          NO       NO
SMF.* (G)         STCUSR      SYS1        NO          YES      NO
IRRDPTAB.* (G)    STCUSR      SYS1        NO          YES      NO
JES2.* (G)        STCUSR      SYS1        NO          YES      NO
LLA.* (G)         STCUSR      SYS1        NO          YES      NO
TSO.* (G)         TSO         TSOGRP      NO          NO       NO
VTAM.* (G)        VTAM        VTAMGRP     NO          YES      NO
LOGREC.* (G)      LOGREC      SYS1        NO          NO       NO
** (G)            =MEMBER     STCGRP      NO          NO       YES
Class Descriptor Table Report

CLASS                                     DEFAULT  OPERATIONS
NAME       STATUS    AUDITING  STATISTICS  UACC    ALLOWED
---------  --------  --------  ----------  -------  ----------
RACFVARS   ACTIVE    NO        NO          NONE     NO
SECLABEL   INACTIVE  NO        NO          NONE     NO
DASDVOL    ACTIVE    NO        NO          ACEE     YES
GDASDVOL   ACTIVE    NO        NO          ACEE     YES
TAPEVOL    ACTIVE    NO        NO          ACEE     YES
TERMINAL   INACTIVE  NO        NO          ACEE     NO
GTERMINL   INACTIVE  NO        NO          ACEE     NO
APPL       ACTIVE    NO        NO          NONE     NO
TIMS       INACTIVE  NO        NO          NONE     NO
GIMS       INACTIVE  NO        NO          NONE     NO
AIMS       INACTIVE  NO        NO          NONE     NO
TCICSTRN   ACTIVE    NO        NO          NONE     NO
GCICSTRN   ACTIVE    NO        NO          NONE     NO
PCICSPSB   INACTIVE  NO        NO          NONE     NO
GLOBAL     ACTIVE    NO        NO          NONE     NO
GMBR       INACTIVE  NO        NO          NONE     NO
DSNR       INACTIVE  NO        NO          ACEE     NO
FACILITY   ACTIVE    NO        NO          NONE     NO
Global Access Checking Table Report

CLASS      ACCESS   ENTRY
NAME       LEVEL    NAME
---------  -------  ----------------
DATASET    ALTER    &RACUID.*
           READ     ISPF.*
           UPDATE   SYS1.BRODCAST
RVARSMBR   -- NO ENTRIES --
SECLABEL   -- NO ENTRIES --
DASDVOL    -- NO ENTRIES --
TAPEVOL    -- NO ENTRIES --
TERMINAL   -- NO ENTRIES --
APPL       -- NO ENTRIES --
TIMS       -- NO ENTRIES --
AIMS       -- NO ENTRIES --
TCICSTRN   -- NO ENTRIES --
PCICSPSB   -- NO ENTRIES --
Group Tree Report
LEVEL GROUP (OWNER)
---------------------------------------------------------
1 SYS1 (IBMUSER)
|
2 | DATASETG (TOMC)
| |
3 | | ABA
| |
3 | | ARP
| | |
4 | | | ARPLST
|
2 | CICSADM
| |
3 | | TRANA
| |
3 | | TRANB
|
2 | DATACTRL
Selected Data Sets Report

                     VOLUME  SELECTION        RACF       RACF
DATA SET NAME        SERIAL  CRITERION        INDICATED  PROTECTED  UACC
-------------------  ------  ---------------  ---------  ---------  ----
PAY.MASTER.FILE      USER23  USERDSN          NO         YES        NONE
PAY.SALARY.FILE      USER23  USERDSN          NO         YES        NONE
ISP.PPLIB.ISPLLIB    M80LIB  LNKLST - APF     NO         YES        READ
ISP.V3R1M0.ISPLOAD   M80LIB  APF              N.F        YES        READ
ISP.V3R2M0.ISPLOAD   M80LIB  APF              NO         YES        READ
                             LNKLST - APF
JES2311.STEPLIB      SMS036  APF              N.C        YES        READ
JES2313.STEPLIB      SMS036  APF              NO         YES        READ
JES2410.STEPLIB      SMS036  APF              NO         YES        READ
JES2420.STEPLIB      SMS036  APF              NO         YES        READ
SYS1.CMDLIB          JS2RES  APF              NO         YES        READ
                             LNKLST - APF
                             SYSTEM
SYS1.COBLIB          M80LIB  LNKLST - APF     NO         YES        READ
SYS1.LINKLIB         MVSRES  LNKLST - APF     N.F        YES        NONE
                             SYSTEM
SYS1.NCATLG          M80PGE  MASTER CATALOG   NO         YES        READ
SYS1.NUCLEUS         MVSRES  SYSTEM           NO         YES        NONE
SYS1.PROCLIB         M80PGE  SYSTEM           NO         YES        NONE
SYS1.RACF.BACKUP     SMS124  RACF BACKUP      NO         YES        NONE
SYS1.RACF.PRIMARY    SMS073  RACF PRIMARY     NO         YES        NONE
SYS1.UADS            M80PGE  SYSTEM           NO         YES        NONE
Reporting on the Unloaded Database

Diagram: IRRDBU00 -> Output Data -> SQL Queries or ICETOOLs -> Reports
  (valid users, selected groups, connections, MVS Open Edition)
SMF Data Unload Utility

Diagram: SMF Data -> IFASMFDP with USER2(IRRADU00) and USER3(IRRADU86) -> Unloaded SMF Data
  -> DB2 or other RDMS, ICETOOL or utilities, installation-written programs, or browse
SMF Unload JCL Example

//SMFUNLD  JOB ,'SMF DATA UNLOAD',
//         MSGLEVEL=(1,1),TYPRUN=HOLD
//SMFDUMP  EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=A
//ADUPRINT DD SYSOUT=A
//OUTDD    DD DISP=SHR,DSN=USER01.RACF.IRRADU00
//SMFDATA  DD DISP=SHR,DSN=USER01.RACF.SMFDATA
//SMFOUT   DD DUMMY
//SYSIN    DD *
  INDD(SMFDATA,OPTIONS(DUMP))
  OUTDD(SMFOUT,TYPE(000:255))
  ABEND(NORETRY)
  USER2(IRRADU00)
  USER3(IRRADU86)
/*
Samplib: Tools Available

IRRICE Collection
  Uses DFSORT and ICETOOL to produce reports based on Unloaded Database data and SMF data.

IRRADULD, ..QR, ..TB
  Uses SQL to define (TB), Load (LD), and Query (QR) auditing (unloaded SMF) data.

RACDBULD, ..QR, ..TB
  Uses SQL to define (TB), Load (LD), and Query (QR) security definition data.
Sample IRRDBU00 Report

- 1 - UAGR: GR Profiles with a UACC Other Than None                06/09/28

Class     General Resource Profile Name   Generic     Owner     UACC
--------  ------------------------------  -------     --------  --------
DSNR      DSN.WLM_REFRESH.DB8GENV1        NO       0  P390A     READ
DSNR      SYSPROC.WLM_REFRESH.DB8GRFSH    NO       0  P390A     READ
DSNR      SYSPROC.WLM_REFRESH.WLMENV1     NO       0  IBMUSER   READ
DSNR      SYSPROC.WLM_REFRESH.WLMENV2     NO       0  IBMUSER   READ
FIRECALL  FIRECALL                        NO       0  SYS1      READ
FACILITY  DITTO.*                         YES      0  IBMUSER   READ
FACILITY  MVSADMIN.WLM.POLICY             NO       0  IBMUSER   READ
Sample IRRADU00 Report

- 1 - CADU: Number of IRRADU00 Events                06/09/28 09:57:32 am

Type      Count
--------  ---------------
ACCESS    1842
ALTUSER   6
CONNECT   3
DACCESS   1
DEFINE    4
DIRSRCH   15
JOBINIT   2951
PERMIT    1
RDEFINE   2
REMOVE    3
SETROPTS  1
Conducting the Audit

We've checked the RACF implementation for appropriate security controls.
Identified security exposures.
Made our recommendations.
What's this 18-hour Special?
Part 2: Emergency Access
What is Emergency Access?

Non-standard access
Storage fixes
General Error fixes
System upgrades
Testing the Recovery Plan
Typical Methods

May I have the envelope please?
Temporary connect
Scheduled connect
Always on, just in case security
Secondary accounts
The Pre-loaded Account

All the access in the world
Keeping it relevant
Turning it off / Re-loading
Not tied to an individual
Accounting for use
Temporary Connection

Connect at 5pm
Disconnect at 9am
Is it enough?
Less difficult to audit
Request/approval trace
Temporary Connection

Scheduled connect at 3am
Disconnect at 9am
Is it enough?
Less difficult to audit
Request/approval trace
The Trusted Professional

Extra access for the normal fixer
Enough access for typical emergencies
May not be enough
Difficult to audit
What paper trail?
Dual Accounts

Secondary account for the normal fixer
Enough access for typical emergencies
May not be enough
Less difficult to audit
After the fact request/approval
The Business Recovery Plan

Most companies use test data, right?
DRP accounts do everything
Minimum alteration risk
Maximum disclosure risk
Auditing the Recovery Test
The BRP Reality

> -----Original Message-----
> From: RACF Discussion List On Behalf Of XXXX XXXXXXXX
>
> We want to give users testing programs in a D/R LPAR the
> authority to run production jobs. The production jobs run
> under the USERID of SYSMANT. What's the RACF command to allow
> this to happen?

PERMIT SYSMANT.SUBMIT CLASS(SURROGAT) ACCESS(READ) ID(userID)
Emergency Access Recommendations

Keep a good trail of request & authorization.
For periodic needs, use 2 accounts; log access used by the second account (UAUDIT).
Rip up the envelope, get rid of the pre-loaded account.
Collect and examine SMF data from DRP.
Restrict or remove software capable of editing raw SMF data.
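As an added example (not from the EKC deck), a small Python review in the spirit of these recommendations: it produces a CADU-style count of events per type from unloaded SMF records and flags activity by a secondary (emergency) account that falls outside its approved connect window, or any non-SUCCESS event by that account. The record layout, the account name FIXER2 and the 5pm-to-9am window are constructed for the example; real IRRADU00 output uses IBM's fixed-column layout, so parse() would need adapting.

```python
"""Added example (not from the EKC deck): flag IRRADU00-style unloaded SMF records
of a secondary (emergency) account outside its approved window. Layout is constructed."""
from collections import Counter
from datetime import datetime, time

# Constructed sample records: type, qualifier, date, time, userid, resource.
RECORDS = """\
JOBINIT  SUCCESS 2006-09-28 17:05:11 FIXER2  TSO
ACCESS   SUCCESS 2006-09-28 17:09:40 FIXER2  PAY.MASTER.FILE
ACCESS   INSAUTH 2006-09-29 02:14:02 FIXER2  PAY.MASTER.FILE
JOBINIT  SUCCESS 2006-09-28 08:30:00 BERT    TSO
ACCESS   SUCCESS 2006-09-28 12:15:27 FIXER2  SYS1.PARMLIB
SETROPTS SUCCESS 2006-09-28 11:00:00 IBMUSER -
""".splitlines()

# Approved connect windows (constructed): FIXER2 is the "connect at 5pm,
# disconnect at 9am" case, so its window wraps past midnight.
WINDOWS = {"FIXER2": (time(17, 0), time(9, 0))}

def parse(line):
    typ, qual, date, clock, user, res = line.split()
    return {"type": typ, "qual": qual, "user": user, "res": res,
            "when": datetime.fromisoformat(f"{date} {clock}")}

def in_window(t, window):
    """True if clock time t lies in [start, end); handles a wrapping window."""
    start, end = window
    if start > end:
        return start <= t or t < end
    return start <= t < end

def event_counts(records):
    """CADU-style report: number of events per event type."""
    return Counter(r["type"] for r in map(parse, records))

def out_of_window(records, windows=WINDOWS):
    """Events by a monitored account outside its window, or not SUCCESS at any time."""
    hits = []
    for r in map(parse, records):
        window = windows.get(r["user"])
        if window is None:
            continue
        if not in_window(r["when"].time(), window) or r["qual"] != "SUCCESS":
            hits.append((r["user"], r["when"].isoformat(sep=" "),
                         r["type"], r["qual"], r["res"]))
    return hits

if __name__ == "__main__":
    print(dict(event_counts(RECORDS)))
    print(*out_of_window(RECORDS), sep="\n")
```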
Audit Reporting & Emergency Access