May 2016 RACF Options Survey Responses
Presented by Richard K. Faulhaber
[email protected] twitter: @faulhaber_rk



Page 2: April 2016 RACF Password Environment Survey Responses

http://www.newera-info.com/eBooks.html

Page 3: ADSP (Automatic Dataset Protection)

Is the Automatic Dataset Protection option active (ADSP) or inactive (NOADSP)?

• Specifies that datasets created by users who have the ADSP attribute are RACF-protected automatically.

• Best Practice: ADSP should be turned OFF.

• The Point: Much less efficient than using generic profiles, which can be used to protect more than one dataset.

• Per IBM: "Because ADSP forces the creation of a discrete profile for each dataset created by users who have the ADSP attribute, you should normally specify NOADSP if you specify GENERIC."

[Chart: ADSP (Automatic Dataset Protection), Active vs Inactive. Responses: Active 6, Inactive 28. Bars annotated Default and Best Practice.]

Page 4: EGN (Enhanced Generic Naming)

Is the Enhanced Generic Naming option active (EGN) or inactive (NOEGN)?

• EGN allows the use of the generic character ** (as well as * and %) when defining dataset profile names and entries in the global access checking table.

• Best Practice: Should be turned on (and never turned off).

• The Point: "EGN should be enabled in order to take advantage of the more granular implementation of dataset protection available in RACF."

• Per IBM: "Guideline: Do not deactivate enhanced generic naming after dataset profiles have been created while enhanced generic naming was active."

(Source: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/icha700_Activating_enhanced_generic_naming_for_the_DATASET_class__EGN_option_.htm )

[Chart: EGN (Enhanced Generic Naming), Active vs Inactive. Responses: Active 27, Inactive 7. Bars annotated Default and Best Practice.]

Page 5: EGN (Enhanced Generic Naming), continued

Important: If you protect datasets with generic profiles while EGN is active and then deactivate this option, your resources can no longer be protected. Table 1 and Table 2 show examples of generic profiles created with enhanced generic naming active. (Tables found on this page: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/ich2a40030.htm#ich2a400-gen31__egn1 )

Some of these profiles do not provide RACF protection when the option is deactivated. If a dataset is unprotected when EGN is deactivated, you can protect the dataset with a discrete profile - as described in "Naming considerations for resource profiles", z/OS Security Server RACF Command Language Reference (Link: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/names.htm#names ) - either before or after the option is deactivated, or with a generic profile after the option is deactivated.

Source: (https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/setropts.htm )

Page 6: REALDSN (Real Data Set Names)

Is the Real Data Set Names option active (REALDSN) or inactive (NOREALDSN)?

• REALDSN causes the REAL dataset name to appear in both logs and messages even if the dataset resource name is changed.

• Best Practice: "REALDSN should be ACTIVE to make it easier to monitor who is doing what to which resources."

• The Point: Enabling REALDSN makes it easier to monitor and audit what is actually taking place on your system(s).

[Chart: REALDSN (Real Data Set Names), Active vs Inactive. Responses: Active 13, Inactive 21. Bars annotated Default and Best Practice.]

Page 7: BATCHALLRACF

Is the JES-BATCHALLRACF option active (BATCHALLRACF) or inactive (NOBATCHALLRACF)?

• BATCHALLRACF causes JES to test for a user ID and password on the job statement, or for propagated RACF identification info, for all batch jobs. If the test fails, JES fails the job.

• Best Practice: BATCHALLRACF should be enabled.

• The Point: It is important to turn this on so that batch jobs are controlled by RACF. Not doing so represents a security risk, allowing the activities of a would-be hacker to be "invisible" to RACF.

[Chart: BATCHALLRACF, Active vs Inactive. Responses: Active 29, Inactive 5. Bars annotated Best Practice and Default.]

Page 8: XBMALLRACF

Is the JES-XBMALLRACF option active (XBMALLRACF) or inactive (NOXBMALLRACF)?

• XBMALLRACF causes JES to test for user ID and password on the JOB statement, or JES-propagated RACF ID info, for all jobs run with an XBM. Only valid for XBM (eXecution Batch Monitor) jobs through JES2.

• Best Practice: Should be switched on.

• The Point: Should be turned on as it could potentially be exploited by a hacker. Even though it is only used by JES2 for XBM jobs, it should probably be turned on anyway in case the issue is raised in an audit.

[Chart: XBMALLRACF, Active vs Inactive. Responses: Active 14, Inactive 20. Bars annotated Default and Best Practice.]

Page 9: JES-EARLYVERIFY

Is the JES-EARLYVERIFY option active (EARLYVERIFY) or inactive (NOEARLYVERIFY)?

• This setting is ignored. Of historical significance only.

• Best Practice: Should be turned on purely to avoid confusion during audits.

• The Point: Per IBM's own documentation, this setting is ignored. Though that is the case, it should be switched on to avoid confusion during audits.

• Per IBM: "Early verification is always done, even if the SETROPTS command has been issued with JES(NOEARLYVERIFY) specified."

Source: (https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/early.htm )

[Chart: JES-EARLYVERIFY, Active vs Inactive. Responses: Active 20, Inactive 14. Bars annotated Best Practice and Default.]

Page 10: PROTECTALL

Is the PROTECTALL option active (PROTECTALL) or inactive (NOPROTECTALL)? If it is active, is the sub-parm set for FAILURES or WARNING?

• PROTECTALL causes the system to automatically reject requests to create or access datasets that are not RACF-protected.

• Best Practice: Should be active and set to FAIL.

• The Point: PROTECTALL(FAILURES) should be active. When it is disabled, all users, groups, etc. would have unrestricted access to all datasets, unless they are specifically denied.

[Chart: PROTECTALL, Active (FAILURES) vs Active (WARNING) vs Inactive. Responses: Active (FAILURES) 28, Active (WARNING) 2, Inactive 4. Bars annotated Default and Best Practice.]

Page 11: TAPEDSN

Is the Tape Dataset Protection option active (TAPEDSN) or inactive (NOTAPEDSN)?

• TAPEDSN causes RACF to protect individual tape datasets as well as tape volumes.

• Best Practice: TAPEDSN should be active.

• The Point: TAPEDSN should be set active so as to close a potential security weakness that a hacker could exploit.

• Per IBM: "Guideline: If you use a tape management system, such as DFSMSrmm, do not enable TAPEDSN. For more information, see Using DFSMSrmm with RACF." https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/usermm.htm

[Chart: TAPEDSN, Active vs Inactive. Responses: Active 23, Inactive 11. Bars annotated Default and Best Practice.]

Page 12: RETPD

Is the Security Retention Period option set? If so, what is its numeric value?

• RETPD with its value establishes the number of days RACF protection remains in effect for a tape dataset. Value may be 0 through 65533, or 99999 for never expire.

• Best Practice: RETPD(0) is OK if a tape management system is being used. Never expire (99999) is common as it is the DISA STIG requirement.

• The Point: If this value is set to the default, 0, the function is turned off so that it can be managed by a tape management system. TAPEDSN must be activated, otherwise the value of RETPD is meaningless.

[Chart: RETPD, Active vs Inactive. Responses: Active 19, Inactive 15. Values reported: 5 -> 9999, 3 -> 99999 [never expire], 4 -> 0 [inactive]. Bars annotated Default, Best Practice, and Best Practice (if using tape management system).]

Page 13: ERASE

Is the Erase On Scratch option set to active (ERASE) or inactive (NOERASE)? If it is active, which sub-operand is set? ALL, SECLEVEL, or NOSECLEVEL?

• Determines how data management is to erase contents of deleted datasets, and scratched or released DASD extents, by overwriting contents with zeroes.

• Best Practice: Should be set to ERASE(ALL) unless this causes performance issues. In that case, it can be applied at a more granular level.

• The Point: It is important to have this enabled so that confidential datasets cannot be read by unauthorized users even after they have been deleted.

[Chart: ERASE, Active (ALL) vs Active (SECLEVEL) vs Active (NOSECLEVEL) vs Inactive. Responses: Active (ALL) 3, Active (SECLEVEL) 2, Active (NOSECLEVEL) 10, Inactive 19. Bars annotated Default and Best Practice.]

Page 14: PREFIX

Is the Single Level Name option set to active (PREFIX) or inactive (NOPREFIX)?

• Activates RACF protection for datasets with single-qualifier names. Specifies the prefix (1-8 characters) to be used as the HLQ in the internal form of the names.

• Best Practice: Should be turned off (NOPREFIX).

• The Point: Though AE2 may suggest that it "represents extremely bad practice" to create single level dataset names, some site standards may prefer it, in some cases.

[Chart: PREFIX, Active vs Inactive. Responses: Active 25, Inactive 9. Bar annotated Default & Best Practice.]

Page 15: GRPLIST

Is the List of Groups Access Checking option set to active (GRPLIST) or inactive (NOGRPLIST)?

• If list-of-groups checking is active, then regardless of which group the user is logged on to, RACF recognizes the user's group-related authorities in other connect groups. If a user is in more than one group and tries to access a resource, RACF uses the highest authority allowed by the user's list of groups and the resource's access list.

• Best Practice: Should be active.

• The Point: The GRPLIST option makes managing a user's access to resources much simpler.

[Chart: GRPLIST, Active vs Inactive. Responses: Active 34, Inactive 0. Bars annotated Default and Best Practice.]

Page 16: INACTIVE

Is the Inactive User IDs Automatically Revoked option set with INACTIVE or NOINACTIVE? If it is set with INACTIVE, for how many days is the unused-userid-interval set?

• Specifies the number of days (1-255) a user ID can remain unused and still be considered valid.

• Best Practice: INACTIVE should be enabled. A value of 1-35 is acceptable. 30 days is common.

• The Point: INACTIVE may not guarantee that unused USERIDs cannot be used. It does ensure that manual intervention by an Admin is required before that is allowed.

[Chart: INACTIVE, Active vs Inactive. Responses: Active 26, Inactive 8. Values reported: 3 -> 120 days, 4 -> 60 days, 1 -> 100 days, 3 -> 45 days, 8 -> 90 days. Bars annotated Default and Best Practice.]

Page 17: MODEL

Is the Dataset Modeling option set to active (MODEL) or inactive (NOMODEL)? If active, please specify in the comments how the sub-operands are set.

• Allows for the creation of new dataset profiles based on existing (model) profiles.

• Best Practice: Modelling should not be in effect.

• The Point: Dataset modeling is considered out of date and is not recommended. Because it allows for copying info from an existing (model) profile, it is not as rigorous a method of security as is having to make individual decisions each time a DATASET resource definition is created in the RACF database.

[Chart: MODEL, Active vs Inactive. Responses: Active 8, Inactive 26. Bars annotated Default and Best Practice.]
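The best-practice bullets on pages 3 through 17 amount to a checklist, and several of them depend on each other (RETPD means nothing without TAPEDSN, TAPEDSN should stay off when a tape management system such as DFSMSrmm is in use, EGN must never be turned off once generic profiles exist under it, EARLYVERIFY is ignored by RACF and matters only for audits). As an added example, not code from the deck, New Era or IBM, the following Python script encodes that checklist with those dependencies. It assumes an administrator has transcribed the option states from SETROPTS LIST into the dict shape shown; the keys `egn_profiles_exist` and `tape_management_system`, the dict layout and the sample site are all assumptions of this example, and the script does not parse SETROPTS LIST output itself.

```python
"""Best-practice review of RACF SETROPTS data set options.

Added example following the guidance in the May 2016 survey deck; it is
not code from New Era or IBM.  Assumption: the option states have been
transcribed from SETROPTS LIST into the dict shape used below (this
script does not parse SETROPTS LIST output itself)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    option: str
    severity: str  # "FAIL" = deviates from the deck's best practice, "WARN" = advisory
    message: str


def check_setropts(opts: dict) -> list[Finding]:
    """Return the findings for one site's option states."""
    findings: list[Finding] = []

    def fail(option: str, msg: str) -> None:
        findings.append(Finding(option, "FAIL", msg))

    def warn(option: str, msg: str) -> None:
        findings.append(Finding(option, "WARN", msg))

    # ADSP forces a discrete profile per data set; generic profiles are preferred.
    if opts.get("ADSP"):
        fail("ADSP", "active; use generic profiles and specify NOADSP")

    # EGN should be on, and must never be turned off once generic profiles
    # were created under it (those profiles then stop protecting anything).
    if not opts.get("EGN"):
        if opts.get("egn_profiles_exist"):  # assumed site-supplied flag
            fail("EGN", "inactive although profiles were created with EGN active; "
                        "those generic profiles no longer protect their data sets")
        else:
            fail("EGN", "inactive; enable EGN to use ** in data set profile names")

    # Options the deck simply wants active.
    for name in ("REALDSN", "BATCHALLRACF", "XBMALLRACF", "GRPLIST"):
        if not opts.get(name):
            fail(name, "inactive; best practice is active")

    # RACF ignores EARLYVERIFY, so this is audit hygiene only.
    if not opts.get("EARLYVERIFY"):
        warn("EARLYVERIFY", "inactive; RACF ignores it, but activate it to avoid audit confusion")

    # PROTECTALL: None (inactive), "WARNING" or "FAILURES".
    protectall = opts.get("PROTECTALL")
    if protectall is None:
        fail("PROTECTALL", "inactive; data sets without a profile are open to everyone")
    elif protectall == "WARNING":
        warn("PROTECTALL", "WARNING mode only logs; best practice is FAILURES")

    # TAPEDSN: active unless a tape management system (e.g. DFSMSrmm) is used.
    tapedsn = bool(opts.get("TAPEDSN"))
    tms = bool(opts.get("tape_management_system"))  # assumed site-supplied flag
    if tapedsn and tms:
        warn("TAPEDSN", "active while a tape management system is in use; IBM guideline is NOTAPEDSN")
    elif not tapedsn and not tms:
        fail("TAPEDSN", "inactive and no tape management system; tape data sets are unprotected")

    # RETPD only means something when TAPEDSN is active.
    retpd = opts.get("RETPD", 0)
    if retpd and not tapedsn:
        warn("RETPD", f"set to {retpd} but TAPEDSN is inactive, so the value has no effect")
    elif tapedsn and retpd == 0 and not tms:
        warn("RETPD", "0 (off) with no tape management system; 99999 (never expire) is the common STIG value")

    # Erase-on-scratch: None (inactive), "ALL", "SECLEVEL" or "NOSECLEVEL".
    erase = opts.get("ERASE")
    if erase is None:
        fail("ERASE", "inactive; deleted data set contents remain readable on DASD")
    elif erase != "ALL":
        warn("ERASE", f"{erase}; use ERASE(ALL) unless it causes performance problems")

    # PREFIX (single-level names) and MODEL should both be off.
    if opts.get("PREFIX"):
        fail("PREFIX", "active; best practice is NOPREFIX")
    if opts.get("MODEL"):
        fail("MODEL", "active; data set modelling is out of date and not recommended")

    # INACTIVE: days before an unused user ID is revoked; 1-35 acceptable.
    inactive = opts.get("INACTIVE")
    if inactive is None:
        fail("INACTIVE", "not set; unused user IDs are never revoked automatically")
    elif not 1 <= inactive <= 35:
        warn("INACTIVE", f"{inactive} days; 1-35 is acceptable, 30 is common")

    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"FAIL": 0, "WARN": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample site for this example (not a real survey response).
SAMPLE_SITE = {
    "ADSP": False, "EGN": True, "egn_profiles_exist": True,
    "REALDSN": False, "BATCHALLRACF": True, "XBMALLRACF": False,
    "EARLYVERIFY": False, "PROTECTALL": "WARNING",
    "TAPEDSN": True, "tape_management_system": True, "RETPD": 99999,
    "ERASE": "NOSECLEVEL", "PREFIX": False, "GRPLIST": True,
    "INACTIVE": 90, "MODEL": False,
}

if __name__ == "__main__":
    for finding in check_setropts(SAMPLE_SITE):
        print(f"{finding.severity:4} {finding.option:13} {finding.message}")
    print(summarize(check_setropts(SAMPLE_SITE)))
```

Run against the constructed sample site, the checker reports two FAIL findings (REALDSN and XBMALLRACF inactive) and five WARN findings (EARLYVERIFY, PROTECTALL in WARNING mode, TAPEDSN active alongside a tape management system, ERASE(NOSECLEVEL), and a 90-day INACTIVE interval). The split between FAIL and WARN follows the deck: options it says "should" be a certain way fail outright, while the conditional or audit-only points are advisory.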

Page 18: April 2016 RACF Password Environment Survey Responses

RACF Survey for June 2016 … RACF Data Processing Options:

• PASSWORD_IS_IN_EFFECT_FOR_THE_SWITCH
• PASSWORD_IS_IN_EFFECT_FOR_THE_STATUS
• SECLEVELAUDIT
• SECLABEL_AUDIT
• SECLABEL_CONTROL
• GENERIC_OWNER_ONLY
• COMPATIBILITY_MODE
• MULTI-LEVEL_QUIET
• MULTI-LEVEL_STABLE
• NO_WRITE-DOWN
• MULTI-LEVEL_ACTIVE
• CATALOGUED_DATA_SETS_ONLY
• USER-ID_FOR_JES_NJEUSERID
• USER-ID_FOR_JES_UNDEFINEDUSER
• PARTNER_LU-VERIFICATION_SESSIONKEY
• APPLAUDIT
• ADDCREATOR
• KERBLVL
• MULTI-LEVEL_FILE_SYSTEM
• MULTI-LEVEL_INTERPROCESS_COMMUNICATIONS
• MULTI-LEVEL_NAME_HIDING
• SECURITY_LABEL_BY_SYSTEM
• PRIMARY_LANGUAGE_DEFAULT
• SECONDARY_LANGUAGE_DEFAULT

Page 19

[email protected] twitter: @faulhaber_rk