RACF Tips - RSH Consulting

RSH RACF TIPS
Volume 7, Issue 2, April 2013
For Administrators, Auditors, and Technicians

RACF is a Trademark of the International Business Machines Corporation
© 2013 RSH Consulting, Inc. www.rshconsulting.com ■ 617-969-9050

Improved RACF Googling

How often does your Google search on a RACF topic return page after page of irrelevant links? Would you like to tell Google to search only those sites where you expect to find answers to your RACF questions? You can simply by appending:

site:ibm.com OR site:rshconsulting.com

Thank you Joel Tilton of Publix for this tip.

DEFINE RECATALOG Check

There is now a FACILITY class resource check for the IDCAMS command DEFINE RECATALOG. The check was introduced via APAR OA33013 and has since been incorporated into z/OS 1.13. The resource is STGADMIN.IGG.DEFINE.RECAT. READ access allows DEFINE RECATALOG for a dataset without having access to the dataset. The original implementation of this check actually granted too much authority and required a corrective fix. See APAR OA38273 for details.

SURROGAT Contest Winner

Mike Booher of Secura was the winner of our SURROGAT resource naming contest. Here is a list of the resources and their related products.

userid.DFHINSTL   CICS
userid.DFHSTART   CICS
userid.DFHEXCI    CICS
userid.DSITSOSV   Tivoli NetView
userid.SUBMIT     JES
ATBALLC.userid    MVS/APPC
BBO.SYNC.userid   WebSphere
BPX.SRV.userid    z/OS Unix
LOGONBY.userid    z/VM
SYSREXX.userid    System REXX

Protecting Program EDGINERS

It is standard practice to protect the z/OS tape initialization program IEHINITT with a profile in the PROGRAM class and to limit access to tape librarians and others responsible for initializing and erasing tapes. But should you do the same for EDGINERS, IEHINITT's equivalent provided with DFSMS's Removable Media Manager (RMM)?

Use of EDGINERS can be controlled by a profile in the FACILITY class that guards resource STGADMIN.EDG.OPERATOR. UPDATE is needed to use it, but if no guarding profile is defined, anyone can use EDGINERS. Just to be safe, protect it with a PROGRAM profile as well.

IRRUT200 ACTIVATE Hang

When you specify PARM=ACTIVATE with IRRUT200, it copies the Primary database to the Backup and then activates the Backup. IRRUT200 has been using the RACF subsystem to execute an RVARY to activate the Backup. If the RVARY is placed in the RACF subsystem queue behind other work needing serialization, IRRUT200 will hang. APAR OA35325 has a fix for this problem.

Auditors: Check the PPT

The Program Properties Table (PPT) is a z/OS configuration feature used to assign certain high-level privileges to specific programs. z/OS comes with a PPT preloaded with entries for IBM programs. They are documented in the MVS Initialization and Tuning Reference manual.

An installation can define its own PPT entries via PARMLIB member SCHEDxx. These entries require close scrutiny, especially if they are assigned the privileges KEY(n) or NOPASS.

KEY can be used to assign a Storage Protection Key to a program in the range of 0 to 7. Keys in this range are considered to be 'SYSTEM' keys
and allow the program to execute privileged Supervisor Calls (SVCs) that it could use to elevate its authority and circumvent security.

NOPASS originally meant Bypass Password Protection and harks back to when datasets were protected by MVS passwords. It also bypasses RACF. Programs with NOPASS will not be subject to authorization checks when accessing datasets.

DSMON's Program Properties Table Report lists all PPT entries and indicates if they have been assigned KEY(0-7) or NOPASS. Require clear and convincing justification as to why either of these privileges has been assigned to any installation-defined entry. One to watch for is the CICS program DFHSIP, which is often needlessly and inappropriately assigned NOPASS. Review the code of any PPT program that was written in-house to confirm it does not compromise security.

It requires more than just a matching name for a program to acquire PPT privileges. The program must also be executed from an Authorized Program Facility (APF) library. Ensure update access to all your APF libraries is very restricted.

The IBM-supplied PPT will always contain a few entries that are not applicable to a particular system. A system's Job Entry Subsystem will be either JES2 or JES3, so either the HASJES20 or IATINTK entry will be extraneous. There is no harm in leaving such entries intact and nothing to be gained by having them removed or altered.

RACF Health Checker Issues

The RACF_SENSITIVE_RESOURCES check flags a dataset with a high-severity exception 'V' for not being found on its designated volume when, in fact, it actually does exist but is under exclusive control of some other address space. No fix is yet available. See APAR OA41458.

RSH discovered that OPERCMDS resources MVS.SET.PROG and MVS.SETPROG are flagged with a high-severity exception 'E' if they are protected by a profile with UACC of READ. These resources, however, require a minimum of UPDATE permission to use them. IBM has been notified and will eventually fix this error.

Group GID VLF Cache Problem

If you happen to connect a user to a group with a GID at the same instant the user is dubbing into Unix for the first time, the VLF cache entry for the user's User Security Packet (USP) may not pick up the additional group GID. The only way to correct this is to recycle VLF, which requires recycling LLA. See APAR OA41056 for details.
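The review described under "Auditors: Check the PPT" above can be scripted against a copy of the installation's SCHEDxx member. What follows is an added example, not code from the newsletter or from RSH Consulting: a small Python parser for PPT statements that flags installation-defined entries carrying KEY(0-7) or NOPASS, the two privileges the article singles out. The SCHEDxx text is constructed for the example; the statement keywords (PGMNAME, KEY, NOPASS, NOSWAP, PRIV, SYST, CANCEL) and the /* */ comment syntax follow the SCHEDxx format, while the program names other than DFHSIP are invented.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed SCHEDxx text for this example (not taken from any real system).
# Comments inside /* */ are ignored by the parser, so the word NOPASS in the
# last entry's comment must not produce a finding.
SAMPLE_SCHEDXX = """\
/* Installation PPT entries - constructed example                    */
PPT PGMNAME(DFHSIP)    /* CICS; NOPASS is needless here               */
    KEY(8)
    NOSWAP
    NOPASS
PPT PGMNAME(MYAUTHPG)  /* hypothetical in-house program               */
    KEY(4) NOSWAP PRIV SYST
PPT PGMNAME(MYBATCH)   /* hypothetical; reviewed, no NOPASS needed    */
    KEY(8) CANCEL
"""


@dataclass
class PptEntry:
    pgmname: str
    key: Optional[int] = None          # KEY(n); None when the statement omits KEY
    nopass: bool = False               # True when NOPASS is coded
    other: List[str] = field(default_factory=list)  # remaining keywords, for reporting

    def risky_privileges(self) -> List[str]:
        """Reasons this entry deserves scrutiny: a system key (0-7) or NOPASS."""
        reasons = []
        if self.key is not None and 0 <= self.key <= 7:
            reasons.append(f"KEY({self.key}) is a system key")
        if self.nopass:
            reasons.append("NOPASS bypasses RACF dataset authorization checks")
        return reasons


def parse_schedxx(text: str) -> List[PptEntry]:
    """Parse the PPT statements in SCHEDxx text into PptEntry objects."""
    # Drop /* ... */ comments first (they may span lines) so that keywords
    # mentioned inside comments are never mistaken for privileges.
    body = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    entries: List[PptEntry] = []
    # Each statement starts with PPT at the beginning of a line; continuation
    # lines are simply indented, so splitting on that anchor isolates statements.
    for stmt in re.split(r"(?m)^\s*PPT\b", body)[1:]:
        entry = PptEntry(pgmname="")
        for tok in stmt.split():
            m = re.fullmatch(r"([A-Z]+)(?:\(([\w@#$]+)\))?", tok.upper())
            if not m:
                raise ValueError(f"unrecognised PPT token: {tok!r}")
            kw, val = m.group(1), m.group(2)
            if kw == "PGMNAME":
                entry.pgmname = val
            elif kw == "KEY":
                entry.key = int(val)
            elif kw == "NOPASS":
                entry.nopass = True
            elif kw == "PASS":
                entry.nopass = False
            else:
                entry.other.append(tok.upper())
        if not entry.pgmname:
            raise ValueError("PPT statement without PGMNAME")
        entries.append(entry)
    return entries


def audit_ppt(text: str) -> Dict[str, List[str]]:
    """Map each program name carrying KEY(0-7) or NOPASS to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for entry in parse_schedxx(text):
        reasons = entry.risky_privileges()
        if reasons:
            findings[entry.pgmname] = reasons
    return findings


if __name__ == "__main__":
    # Each flagged program needs the written justification the article calls for.
    for pgm, reasons in audit_ppt(SAMPLE_SCHEDXX).items():
        print(f"{pgm:<8} {'; '.join(reasons)}")
```

Parsing SCHEDxx covers only the installation-defined entries, which are the ones the article says must be justified; DSMON's Program Properties Table Report remains the place to see the table actually in effect, IBM-supplied entries included.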

RACF FMID Reference

Ever come across a reference to RACF by its 4-digit Function Modification Identifier (FMID) code and wondered what release of RACF it meant? The RACF FMIDs are listed in the chapter on SMF records in the RACF Macros and Interfaces manual. See the description for the type-80 record field SMF80VRM. Here are three RACF FMIDs.

7760  z/OS Security Server (RACF) V1 R11
7770  z/OS Security Server (RACF) V1 R12
7780  z/OS Security Server (RACF) V1 R13

RSH News

Many thanks to all who have responded to our queries seeking to confirm you are receiving the newsletter and helping us update the mailing list.

Upcoming RSH RACF Training:
- RACF - Audit & Compliance Roadmap, April 23-25, 2013 - Boston, MA
- RACF - Intro and Basic Administration, May 21-23, 2013 - Boston, MA
- RACF and z/OS Unix, July 23-25, 2013 - WebEx

RSH CONSULTING, INC. - RACF PROFESSIONAL SERVICES
29 Caroline Park, Newton, Massachusetts 02468
www.rshconsulting.com ■ 617-969-9050