acf2 bestpractices db2 enu
8/13/2019 ACF2 BestPractices DB2 ENU
1/29
This documentation and any related computer software help programs (hereinafter referred to as the
"Documentation") are for your informational purposes only and are subject to change or withdrawal by CA at any time.
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part,
without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may
not be used or disclosed by you except as may be permitted in a separate confidentiality agreement between you and
CA.
Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation,
you may print a reasonable number of copies of the Documentation for internal use by you and your employees in
connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print copies of the Documentation is limited to the period during which the applicable license for such
software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify
in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER
OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION,
INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR
LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and
is not modified in any way by the terms of this notice.
The manufacturer of this Documentation is CA.
Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the
restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section
252.227-7014(b)(3), as applicable, or their successors.
Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein
belong to their respective companies.
CA Product References
This document references the following CA products:
CA ACF2 for z/OS (CA ACF2 for z/OS)
CA Common Services for z/OS (CCS)
CA Cleanup for ACF2 (CA Cleanup)
Contact CA
Contact Technical Support
For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA
products. At http://ca.com/support, you can access the following:
Online and telephone contact information for technical assistance and customer services
Information about user communities and forums
Product and documentation downloads
CA Support policies and guidelines
Other helpful resources appropriate for your product
Provide Feedback
If you have comments or questions about CA product documentation, you can
send a message to [email protected].
If you would like to provide feedback about CA product documentation, complete
our short customer survey, which is also available on the CA Support website,
found at http://ca.com/docs.
Best Practices Guide Process
These best practices represent years of product experience, much of which is
based on customer experience reported through interviews with development,
technical support, and technical services. Therefore, many of these best practices are truly a collaborative effort stemming from customer feedback.
To continue and build on this process, we encourage users to share common
themes of product use that might benefit other users. Please consider sharing
your best practices with us.
To share your best practices, contact us at [email protected] and preface your
email subject line with "Best Practices for product name" so that we can easily
identify and categorize them.
Contents
Chapter 1: Introduction 7
    Purpose of this Guide 7
    Audience 7
    Documentation Set Overview 7
    Mainframe 2.0 Overview 8
    Mainframe 2.0 Features 9
Chapter 2: Installation Best Practices 11
    Installation Considerations 11
    CA Mainframe Software Manager 11
    DB2 Subsystems Protection 12
    CAIENF DB2 Component of CA Common Services 12
Chapter 3: Configuration Best Practices 15
    CA ACF2 Option for DB2 Configuration 15
        The OPTIONS Record 15
        The EXITS Record 16
    CA ACF2 for z/OS Configuration 17
        CA ACF2 for z/OS OPTS Record 17
        CA ACF2 for z/OS Exit Considerations 17
        CA ACF2 for z/OS INFODIR Record 18
    Removal of Obsolete Security 19
        Obsolete User Definitions and Entitlements 20
        Obsolete Configuration Options 20
        Expired and Unused User IDs and Entitlements 20
    Convert Native DB2 Security Information 21
Chapter 4: Auditability Best Practices 23
    Auditability Considerations 23
        Global Logging Controls 23
        User-Based Controls 24
        Entitlement-Based Controls 25
    Compliance Auditing 26
    Regular and Audit Regimen Using CA Auditor 27
Index 29
Chapter 1: Introduction
This section contains the following topics:
Purpose of this Guide (see page 7)
Audience (see page 7)
Documentation Set Overview (see page 7)
Mainframe 2.0 Overview (see page 8)
Mainframe 2.0 Features (see page 9)
Purpose of this Guide
The guide provides a brief introduction to CA's Mainframe 2.0 strategy and
features, and describes the best practices for installing and configuring CA ACF2 Option for DB2.
Audience
The intended audience of this guide is systems programmers and administrators
who install, configure, deploy, and maintain the product.
Documentation Set Overview
This list offers a basic description of each guide in the CA ACF2 Option for DB2
documentation set:
Administrator Guide
Describes how to secure the IBM Database 2 (DB2) product using CA ACF2
Option for DB2.
Getting Started Guide
Details the steps to install CA ACF2 Option for DB2.
Messages Guide
Lists the messages that CA ACF2 Option for DB2 issues, explains why the
message appears, and details how you should respond.
Mainframe 2.0 Overview
Mainframe 2.0 is our strategy for providing leadership in the mainframe
operating environment. We intend to lead the mainframe marketplace for
customer experience, Out-Tasking solutions, and solution innovation. After
listening to customer needs and requirements to keep the mainframe operating
environment viable and cost-effective, we are providing new tools to simplify
usage and to energize this operating environment for years to come.
CA Mainframe Software Manager (CA MSM) is an important step in realizing the
Mainframe 2.0 strategy. CA MSM simplifies and standardizes the delivery,
installation, and maintenance of mainframe products on z/OS systems. CA MSM
has a browser-based user interface (UI) with a modern look and feel for
managing those solutions. As products adopt Mainframe 2.0 features and CA
MSM services, you can acquire, install, and manage your software in a common
way.
CA MSM provides software acquisition and installation that make it easier for you
to obtain and install CA mainframe products, and apply the recommended
maintenance. The services within CA MSM enable you to manage your software
easily based on industry accepted best practices. The common browser-based UI
makes the look and feel of the environment friendly and familiar.
We follow the IBM z/OS packaging standards using SMP/E, with some additional
CA qualities of service added, to make installation simple and consistent.
Additionally, through the synchronization of product releases and the use of
common test environments, we will declare a yearly mainframe software stack
that includes many new releases with enhanced functionality. This stack is
certified for interoperability across the CA mainframe product portfolio and the
base IBM z/OS product stack.
Mainframe 2.0 Features
Mainframe 2.0 has the following main features:
CA Mainframe Software Manager (CA MSM)
Delivers simplified acquisition, installation, and deployment capabilities
using a common z/OS-based web application delivered through a
browser-based UI. CA MSM includes the following services:
Product Acquisition Service (PAS)
Facilitates the acquisition of our mainframe products and services,
including product base installation packages and program temporary
fixes (PTFs). This service integrates the inventory of products available
on your system with CA Support, providing a seamless environment for
managing and downloading software and fixes onto your system.
Software Installation Service (SIS)
Facilitates the installation and maintenance of our mainframe products
in the software inventory of the driving system. This service enables you
to browse and manage the software inventory using a web interface, and
automates tasks for products that use SMP/E to manage installation. You
can browse downloaded software packages, and browse and manage
one or more consolidated software inventories (CSIs) on the driving
system.
Software Deployment Service (SDS)
Facilitates the deployment of our mainframe products from the software
inventory of the driving system. This service enables you to deploy
installed products that are policy driven with a set of appropriate
transport mechanisms across a known topology. The enterprise system topology can include shared DASD environments, networked
environments, and z/OS systems. Policies represent a combination of CA
metadata input that identifies the component parts of a product and
user-supplied input that identifies the deployment criteria, such as
where it will go and what it will be called.
Electronic Software Delivery (ESD)
Enables you to get our products from an FTP server. We have improved this
process so that you no longer need to build a tape to install the product.
Best Practices Management
Integrates with IBM Health Checker for z/OS to verify that deployed software
follows our best practices. The health checks continually monitor the system
and software to provide feedback on whether the software continues to be
configured optimally.
Best Practices Guide
Provides best practices for product installation and configuration.
Note: For additional information about the CA Mainframe 2.0 initiative, see
http://ca.com/mainframe2.
Chapter 2: Installation Best Practices
This section contains the following topics:
Installation Considerations (see page 11)
CA Mainframe Software Manager (see page 11)
DB2 Subsystems Protection (see page 12)
CAIENF DB2 Component of CA Common Services (see page 12)
Installation Considerations
We recommend an installation process using a standardized set of libraries and
procedures.
Business Value:
This process simplifies and standardizes the installation process so it is reliable
and repeatable. These standardized libraries typically begin with the CAI
high-level qualifier. We have optimized installation and maintenance procedures
to support these standard data set names. CA ACF2 Option for DB2 is installed
and maintained using SMP/E.
Additional Considerations:
We now offer an easy-to-install Electronic Software Delivery (ESD) program. You
can download product and maintenance releases over the Internet directly to
your system from http://ca.com/support. When you order the product, you
receive the authorizations and instructions to access, download, and prepare the
installation files without the need for a physical tape.
CA Mainframe Software Manager
We recommend that you use CA MSM to acquire, install, and maintain your
product.
Business Value:
CA MSM provides a web interface, which works with Electronic Software Delivery
(ESD) and standardized installation, to provide a common way to manage CA
mainframe products. You can use it to download and install CA ACF2 Option for
DB2.
CA MSM lets you download product and maintenance releases over the Internet
directly to your system from http://ca.com/support. After you use CA MSM to
download your product or maintenance, you use the same interface to install the
downloaded software packages using SMP/E.
Additional Considerations:
After you install the product, use the CA ACF2 Option for DB2 documentation set
at http://ca.com/support to configure your product. CA MSM can continue to
help you maintain your product.
More Information:
For more information about CA MSM, see the CA Mainframe Software Manager
Guide. For more information about product setup, see the CA ACF2 Option for
DB2 Getting Started Guide. Both documents are available at
http://ca.com/support.
DB2 Subsystems Protection
We recommend that you use the CA ACF2 Option for DB2 sample CADB2XAC
exit, which you can install into your DB2 SDSNEXIT data set as the DB2
DSNX@XAC resource authorization exit. This sample exit causes the DB2
subsystem to terminate if the subsystem initializes and executes without CA
ACF2 Option for DB2.
Business Value:
This practice lets you protect against a DB2 subsystem executing without using
CA ACF2 Option for DB2 security.
More Information:
To install this sample exit, see the CA ACF2 Option for DB2 Getting Started
Guide.
CAIENF DB2 Component of CA Common Services
We recommend installing and initializing the CAIENF DB2 component of CCS to
implement CA ACF2 Option for DB2.
Business Value:
If the CAIENF DB2 component is not initialized, CA ACF2 Option for DB2 will not
initialize in any DB2 subsystem, and DB2 will revert to using whatever native
DB2 security controls are still intact.
Chapter 3: Configuration Best Practices
This section contains the following topics:
CA ACF2 Option for DB2 Configuration (see page 15)
CA ACF2 for z/OS Configuration (see page 17)
Removal of Obsolete Security (see page 19)
Convert Native DB2 Security Information (see page 21)
CA ACF2 Option for DB2 Configuration
CA ACF2 Option for DB2 security processing is controlled by DB2 control records
defined in the CA ACF2 for z/OS Infostorage database. These records are critical
because they can control how CA ACF2 for z/OS operates and what it secures in servicing the resource security requests from CA ACF2 Option for DB2. DB2
control records are also critical from a compliance point of view, because each
standing control might need to be examined for appropriateness and validated.
This section discusses the best practices for configuring CA ACF2 Option for DB2.
The OPTIONS Record
Because implementation of CA ACF2 Option for DB2 in a DB2 subsystem and the
DB2 resources secured in the subsystem are controlled by the configuration
options specified in the DB2 Control OPTIONS record, we recommend that you
do not specify a MODE other than ABORT for any DB2 resource in the OPTIONS
record.
Business Value:
When a DB2 resource is accessed, CA ACF2 Option for DB2 parallels native DB2
security processing in checking several different resources and privileges for
access. For example, when a DB2 table is read, CA ACF2 Option for DB2 checks
for SELECT access to the table, ownership of the table, the DBADM privilege on
the DB2 database that contains the table, and the SYSADM system privilege. If
any of these different authorization checks returns an allow condition, the
original resource access (reading the table) is allowed. This means that the
MODE specified for one resource class can affect access authorizations to a
different resource class.
The EXITS Record
Proper exit usage can customize CA ACF2 Option for DB2 processing to
accommodate installation specific needs and considerations. We recommend
writing one or more exits.
Business Value:
Writing exits provides additional value to your installation, using them to better
customize CA ACF2 for z/OS security functionality with your business
processes and applications.
Exit Code Review
You should examine each CA ACF2 Option for DB2 exit line by line to identify
specifically what it does. We recommend using the freezer function of CA Auditor
as a method of helping to automatically monitor these critical data sets.
Business Value:
Proper exit usage can customize CA ACF2 for z/OS processing to accommodate
site-specific needs and considerations. Strict security and change management
controls ensure that only properly certified changes are allowed to occur.
Additional Considerations:
CA ACF2 Option for DB2 exit code and the libraries used to hold the source and
executable code should be carefully controlled and subjected to stringent change
control restrictions to ensure that all changes are properly tracked and audited.
The pre- and post-validation exits specified in the CA ACF2 for z/OS GSO EXITS record can affect the access decision returned by CA ACF2 for z/OS to any DB2
access authorization request. CA ACF2 for z/OS exit code and the libraries used
to hold the source and executable code should be carefully controlled and
subjected to stringent change control restrictions to ensure that all changes are
properly tracked and audited. You should put strict security and change
management controls in place to ensure that only properly certified changes are
allowed to occur.
CA ACF2 for z/OS Configuration
CA ACF2 Option for DB2 leverages the security controls of CA ACF2 for z/OS to
allow you to control access to DB2 resources, identify usage activity, violation
activity, administrative activity, and more. Because CA ACF2 for z/OS performs
the actual resource authorization checks, the integrity and performance of the
CA ACF2 Option for DB2 is dramatically affected by the installation and
configuration of CA ACF2 for z/OS. This section discusses best practices for
configuring security controls in CA ACF2 for z/OS that CA ACF2 Option for DB2
leverages.
More Information:
In addition to reading this guide, you should also familiarize yourself with the CA
ACF2 for z/OS Best Practices Guide. Also see the CA ACF2 for
z/OS Administrator Guide for more information about the CA ACF2 for z/OS
options discussed in this section.
CA ACF2 for z/OS OPTS Record
CA ACF2 Option for DB2 leverages the security controls of CA ACF2 for z/OS. We
recommend using the MODE value in the GSO OPTS record, which determines
the access decisions returned by CA ACF2 for z/OS to any DB2 access
authorization request.
Business Value:
The MODE field in the CA ACF2 for z/OS GSO OPTS record determines the access
decision returned by CA ACF2 for z/OS to any DB2 access authorization request.
Additional Considerations:
A MODE value other than ABORT or RULE in the OPTS record will cause CA ACF2
for z/OS to return an allow or allow with log response to any CA ACF2 Option for
DB2 authorization request. If the MODE value in the OPTS record is RULE, the
access decision will be determined by the CA ACF2 Option for DB2 resource rule,
and the rules must be written accordingly.
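As an added illustration (not CA code, and not the real record or rule syntax), the following Python model follows the decision logic this guide describes for the DB2 OPTIONS record MODE (see The OPTIONS Record above) and the GSO OPTS MODE: the parallel checks for a table read, where one allow is enough, and how a MODE other than ABORT on one resource class, or a non-enforcing OPTS MODE, overrides the resource rules. The resource classes, names, logonids and the dictionary rule representation are constructed assumptions.

```python
"""Constructed model of how CA ACF2 Option for DB2 arrives at an access
decision, following the description in this guide.  Added illustration only:
not CA code; record syntax and rule representation are invented.

Semantics taken from the guide:
  * GSO OPTS MODE is consulted first.  A value other than ABORT or RULE makes
    CA ACF2 for z/OS return allow (or allow-with-log) to every DB2 request;
    RULE leaves the decision to the resource rule.
  * Otherwise each resource class is governed by its own MODE in the DB2
    OPTIONS record.  Only ABORT lets the rule deny; anything else is
    allow-with-log.
  * Reading a table triggers parallel checks (SELECT on the table, ownership
    of the table, DBADM on the database, SYSADM); one allow is enough.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ENFORCING_OPTS_MODES = {"ABORT", "RULE"}

# Rules keyed by (resource class, resource name, privilege) -> permitted logonids.
RuleSet = Dict[Tuple[str, str, str], Set[str]]


@dataclass
class Check:
    resource_class: str
    resource: str
    privilege: str
    allowed: bool
    reason: str


def evaluate_check(opts_mode: str, options_modes: Dict[str, str], rules: RuleSet,
                   logonid: str, resource_class: str, resource: str,
                   privilege: str) -> Check:
    """Decide one of the parallel authorization checks."""
    if opts_mode not in ENFORCING_OPTS_MODES:
        # Global LOG/WARN/QUIET: CA ACF2 for z/OS answers allow; rule never consulted.
        return Check(resource_class, resource, privilege, True,
                     f"GSO OPTS MODE({opts_mode}) returns allow for all DB2 requests")
    class_mode = options_modes.get(resource_class, "ABORT")
    if class_mode != "ABORT":
        # Per-class non-ABORT MODE in the DB2 OPTIONS record: allow-with-log.
        return Check(resource_class, resource, privilege, True,
                     f"OPTIONS MODE({class_mode}) for class {resource_class} "
                     "returns allow-with-log")
    permitted = rules.get((resource_class, resource, privilege), set())
    if logonid in permitted:
        return Check(resource_class, resource, privilege, True, "resource rule permits")
    return Check(resource_class, resource, privilege, False, "resource rule denies")


def table_read_decision(opts_mode: str, options_modes: Dict[str, str], rules: RuleSet,
                        logonid: str, table: str, database: str) -> Tuple[bool, List[Check]]:
    """Run the parallel checks the guide lists for reading a table.
    Access is allowed when ANY check allows, so a lax MODE on the DATABASE or
    SYSTEM class grants table reads that the TABLE rule would deny."""
    checks = [
        ("TABLE", table, "SELECT"),
        ("TABLE", table, "OWNER"),
        ("DATABASE", database, "DBADM"),
        ("SYSTEM", "SYSTEM", "SYSADM"),
    ]
    results = [evaluate_check(opts_mode, options_modes, rules, logonid, *c)
               for c in checks]
    return any(r.allowed for r in results), results


def review_modes(opts_mode: str, options_modes: Dict[str, str]) -> List[str]:
    """Configuration review: list every MODE setting that bypasses rule enforcement."""
    findings = []
    if opts_mode not in ENFORCING_OPTS_MODES:
        findings.append(f"GSO OPTS MODE({opts_mode}) bypasses all DB2 resource rules")
    for cls, mode in sorted(options_modes.items()):
        if mode != "ABORT":
            findings.append(f"DB2 OPTIONS class {cls} runs in MODE({mode})")
    return findings


# Constructed sample rules and resource names.
SAMPLE_RULES: RuleSet = {
    ("TABLE", "PAYROLL.SALARY", "SELECT"): {"HRUSER"},
    ("TABLE", "PAYROLL.SALARY", "OWNER"): {"DBA01"},
    ("DATABASE", "PAYROLLDB", "DBADM"): {"DBA01"},
    ("SYSTEM", "SYSTEM", "SYSADM"): {"SYSADM1"},
}
STRICT = {"TABLE": "ABORT", "DATABASE": "ABORT", "SYSTEM": "ABORT"}
LAX_DATABASE = {"TABLE": "ABORT", "DATABASE": "LOG", "SYSTEM": "ABORT"}

if __name__ == "__main__":
    for label, opts, modes in [("all ABORT", "ABORT", STRICT),
                               ("DATABASE class LOG", "ABORT", LAX_DATABASE),
                               ("GSO OPTS LOG", "LOG", STRICT)]:
        allowed, checks = table_read_decision(opts, modes, SAMPLE_RULES, "CLERK",
                                              "PAYROLL.SALARY", "PAYROLLDB")
        print(f"[{label}] CLERK reads PAYROLL.SALARY -> {'ALLOW' if allowed else 'DENY'}")
        for c in checks:
            print(f"    {c.privilege:6} on {c.resource}: {c.reason}")
        for finding in review_modes(opts, modes):
            print("    finding:", finding)
```

With every class in ABORT, CLERK is denied; switching only the DATABASE class to LOG lets the DBADM check return allow-with-log and CLERK reads the table, which is the cross-class effect the guide warns about.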
CA ACF2 for z/OS Exit Considerations
We recommend that you periodically review each exit to recertify its applicability
and usefulness. If the exit provides a function that CA ACF2 for z/OS now
provides, you can migrate from that exit point to the native product
functionality.
Business Value:
As CA ACF2 for z/OS has evolved, we have added exit functionality to the base
product, typically using new options, security records, privileges, and so on.
Because CA ACF2 Option for DB2 leverages the security controls of CA ACF2 for z/OS, any exits specified in the CA ACF2 for z/OS base product can affect the
access decision CA ACF2 for z/OS returns to any DB2 access authorization
request; therefore, examine any CA ACF2 for z/OS exit line by line to identify
specifically the role of each exit.
Additional Considerations:
We also suggest that you consider the following:
Carefully control CA ACF2 for z/OS exit code and the libraries used to hold the source and executable code, and implement stringent change control
restrictions to ensure that all changes are properly tracked and audited.
Implement strict security and change management controls to ensure that only properly certified changes are allowed to occur.
The freezer function of CA Auditor is an excellent method of helping to
automatically monitor these critical data sets.
CA ACF2 for z/OS INFODIR Record
Minimize DASD utilization by eliminating the need to retrieve the rules from the
security databases on DASD. We recommend using the CA ACF2 for z/OS
controls which enable memory-based sharing of the CA ACF2 Option for DB2
resource rules.
Business Value:
The performance of the authorization process in CA ACF2 for z/OS strongly
impacts the performance of the CA ACF2 Option for DB2 resource security
processing. One of the biggest performance-related items concerns
DASD-related overhead and contention for the CA ACF2 for z/OS security
databases. In particular, during the CA ACF2 for z/OS processing of a CA ACF2
Option for DB2 authorization request, CA ACF2 for z/OS locates and checks the
CA ACF2 Option for DB2 resource rule.
Additional Considerations:
Generally speaking, activation of these options involves a trade-off that must be
weighed carefully. These options generally control sharing of security objects in
common memory storage, a relatively scarce commodity even on the largest of
today's IBM mainframes. The cost of the storage must be weighed against the
benefit gained, namely the saving of DASD I/O operations.
Removal of Obsolete Security
Obsolete User Definitions and Entitlements
It is common for an installation to have obsolete logonids and security
entitlements in the form of data set access rules and resource rules. We
recommend that your site implement CA Cleanup.
Business Value:
CA Cleanup provides automated, continuous cleanup of CA ACF2 for z/OS
security databases.
Obsolete Configuration Options
Implement CA Cleanup to identify obsolete GSO control options that should be
targeted for removal.
Business Value:
Frequently, an installation implements a security policy using particular GSO
options and then that policy will remain defined permanently, even though the
underlying business case reason behind the policy has been modified or perhaps
deleted.
Additional Considerations:
An audit of a security control may require that some substantiation for the need
of that control be performed. This process is easier to address if a change control
mechanism exists that tracks security policy changes that result in changes to
GSO records, configuration options, pertinent logonids, rules, and so on.
Otherwise, the process of substantiating change becomes difficult and one
probable outcome is the orphaning of security options and controls.
Expired and Unused User IDs and Entitlements
We recommend that you implement an automated credential and entitlement
monitoring system, such as CA Cleanup.
Business Value:
CA Cleanup provides a viable, cost-effective means of automatic identification and de-administration of unused, obsolete, expired user credentials or security
entitlements.
Additional Considerations:
Expired, obsolete, and unused credentials and entitlements pose a large security
risk and, for this reason are the target of many contemporary compliance laws,
requirements, and regulations. The PCI-DSS standard contains very specific language concerning processing of expired or obsolete user credentials and
entitlements. The v1.2 specification states that inactive accounts must be
removed or disabled after 90 days.
Convert Native DB2 Security Information
If you use native DB2 security, you can simplify rule writing by using a
conversion utility to create rule sets. We recommend that you run a conversion
utility to create your first set of rules.
Business Value:
The conversion effort turns existing native DB2 security information and the
security controls into corresponding security controls in CA ACF2.
Additional Considerations:
The conversion utility job CP12CNVT is located in the CAI.ACF2DB2.CACPJCL
data set. This utility provides a basis from which to start writing rules.
Chapter 4: Auditability Best Practices
This section contains the following topics:
Auditability Considerations (see page 23)
Compliance Auditing (see page 26)
Regular and Audit Regimen Using CA Auditor (see page 27)
Auditability Considerations
We recommend that you log data to fit your business needs, but we caution you
to devise your logging plans with auditability and resource usage in mind.
Business Value:
The security administrator, through entitlement-based controls and general
security configuration options, controls the amount of logging on a system. The
options that are set must reflect the business needs of the installation.
Logging does affect performance; logging does cost in terms of processing path
length, data repository size, and more. Consider this potential for overhead
when deciding what logging controls to activate.
More Information:
The following sections detail several logging controls and our recommendations
on how to use them.
Global Logging Controls
We recommend that you use global control options to customize how you
capture data to logs.
Business Value:
By capturing system-wide data to logs, you can secure data for an audit,
troubleshooting, and potential error recovery.
Additional Considerations:
Examine the following GSO controls that affect logging at a global level:
BLPPGM record
CLASMAP record
DELRSRC record
LOGPGM record
MLSOPTS record
OPTS record
PPGM record
SECVOLS record
User-Based Controls
We recommend that you implement user-based controls for logging to generate
log entries when CA ACF2 for z/OS uses the controls to determine what
resources a user has accessed.
Business Value:
This practice lets you track user and logonid activity.
Additional Considerations:
You can log all system entry (logon, job) activity by using one of the following
logonid record privileges:
MON-LOG
MONITOR
PP-TRC
P-TRCV
TRACE
TSO-TRC
LOGSHIFT
Consider the role that special privileges play on an individual user level and their
impact on logging. CA ACF2 for z/OS generates special log entries based on the following logonid privileges:
SECURITY
NON-CNCL
PRIV-CTL (if this causes special privileges to be granted)
READALL
RULEVLD
Entitlement-Based Controls
When a CA ACF2 Option for DB2 resource rule is written, the security
administrator has control over the specific circumstances in which logging
records will be written. By default, CA ACF2 for z/OS logs failed access attempts
or access attempts made under special circumstance such as under security
authority. We recommend detailed examination of the rule sets.
Business Value:
Examination may reveal that some generated loggings are superfluous and can
be eliminated without impacting system security or auditability.
Compliance Auditing
We recommend using CA Compliance Manager, which provides a single source for
real-time, compliance-related information and events occurring within the
mainframe environment.
Business Value:
CA Compliance Manager lets you easily manage and audit your mainframe
environment. It accomplishes this with continuous, real-time monitoring and
collection of compliance and security-related information, policy alerting, and an
intuitive reporting interface for compliance and security event reporting. It also
gives you the comprehensive auditing tools that you need to prove your
compliance to IT and risk-management auditors.
Additional Considerations:
CA Compliance Manager consists of several components:
The Change Monitor detects and records changes to external security manager (ESM) configurations, operating system security configuration, and
selected PDS/PDSE data sets.
The Data Warehouse stores information about mainframe security events in a relational repository that is accessible for compliance reporting, allowing
complex reporting processes to be initiated. It also provides real-time access
to current and historical security information for forensic analysis, going
beyond current reporting capabilities of security products.
The Alert component provides real-time notification of potential security breaches indicated by changes in the security configuration and specific security events. Stakeholders can receive immediate notification of pertinent
violations, user activity, and access or change activity to critical resources
using email notification, Write To Operator (WTO), or help desk ticket
creation.
Regular and Audit Regimen Using CA Auditor
Additional Considerations:
As you devise your auditing regimen, consider the following points:
The z/OS system is the foundation for the applications and data that run your business; therefore, if the z/OS system has integrity exposures, the
associated applications have the same exposures.
A sound security policy bolsters z/OS integrity. Similarly, a proper z/OS implementation supports your overall security because a user could exploit
any weakness to circumvent critical security controls and damage your
applications.
Sound system integrity is the result of careful planning, well-defined procedures,
proper security and change control mechanisms, and regular auditing to verify
that users are following these procedures.
Index
A
access decisions 17
auditing your system 27
C
CA Auditor
    freezer function 16, 17
CA Cleanup 20
CA Common Services (CCS) 12
    CAIENF DB2 component 12
CA Compliance Manager 26
conversion utility 21
credential monitoring 20
D
DASD-related overhead 18
E
entitlement monitoring 20
exits 16
    considerations 17
G
GSO records
    ABORT 17
    EXITS 16
    identify obsolete 20
    INFODIR 18
    MODE value 17
    OPTS record 17
    RULE 17
    RULEOPTS 18
I
Infostorage database 15, 16
L
logging data 23, 24, 25
M
Mainframe 2.0
    CA Mainframe Software Manager 11
    Electronic Software Delivery 11
    features 9
    Overview 8
O
obsolete logonids 20
P
privileges
    DBADM privilege 15
    SYSADM 15
S
security controls 17
security entitlements 20
security processing 15, 16
SELECT access 15
subsystem protection 12