May 2016 RACF Options Survey Responses
Presented by [email protected]  twitter: @faulhaber_rk
See also: April 2016 RACF Password Environment Survey Responses, http://www.newera-info.com/eBooks.html
Is the Automatic Dataset Protection option active (ADSP) or inactive (NOADSP)?
• Specifies that data sets created by users who have the ADSP attribute are RACF-protected automatically.
• Best Practice: ADSP should be turned OFF.
• The Point: Much less efficient than using generic profiles, which can be used to protect more than one data set.
[Chart: ADSP (Automatic Dataset Protection). Responses: Active 6, Inactive 28. Bar annotations: Default, Best Practice.]
• Per IBM: “Because ADSP forces the creation of a discrete profile for each data set created by users who have the ADSP attribute, you should normally specify NOADSP if you specify GENERIC.”
Is the Enhanced Generic Naming option active (EGN) or inactive (NOEGN)?
• EGN allows the use of the generic character ** (as well as * and %) when defining data set profile names and entries in the global access checking table.
• Best Practice: Should be turned on (and never turned off).
• The Point: “EGN should be enabled in order to take advantage of the more granular implementation of data set protection available in RACF.”
[Chart: EGN (Enhanced Generic Naming). Responses: Active 27, Inactive 7. Bar annotations: Default, Best Practice.]
• Per IBM: “Guideline: Do not deactivate enhanced generic naming after data set profiles have been created while enhanced generic naming was active.”
(Source: https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/icha700_Activating_enhanced_generic_naming_for_the_DATASET_class__EGN_option_.htm)
EGN (Enhanced Generic Naming), continued
Important: If you protect data sets with generic profiles while EGN is active and then deactivate this option, your resources can no longer be protected. Table 1 and Table 2 show examples of generic profiles created with enhanced generic naming active. (Tables found on this page: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/ich2a40030.htm#ich2a400-gen31__egn1)
Some of these profiles do not provide RACF protection when the option is deactivated. If a data set is unprotected when EGN is deactivated, you can protect the data set with a discrete profile - as described in Naming considerations for resource profiles, z/OS Security Server RACF Command Language Reference (Link: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/names.htm#names) - either before or after the option is deactivated, or with a generic profile after the option is deactivated.
Source: (https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha400/setropts.htm)
Is the Real Data Set Names option active (REALDSN) or inactive (NOREALDSN)?
• REALDSN causes the REAL data set name to appear in both logs and messages even if the data set resource name is changed.
• Best Practice: “REALDSN should be ACTIVE to make it easier to monitor who is doing what to which resources.”
• The Point: Enabling REALDSN makes it easier to monitor and audit what is actually taking place on your system(s).
[Chart: REALDSN (Real Data Set Names). Responses: Active 13, Inactive 21. Bar annotations: Default, Best Practice.]
Is the JES-BATCHALLRACF option active (BATCHALLRACF) or inactive (NOBATCHALLRACF)?
• BATCHALLRACF causes JES to test for a user ID and password on the job statement, or for propagated RACF identification info, for all batch jobs. If the test fails, JES fails the job.
• Best Practice: BATCHALLRACF should be enabled.
• The Point: It is important to turn this on so that batch jobs are controlled by RACF. Not doing so represents a security risk, allowing the activities of a would-be hacker to be “invisible” to RACF.
[Chart: BATCHALLRACF. Responses: Active 29, Inactive 5. Bar annotations: Best Practice, Default.]
Is the JES-XBMALLRACF option active (XBMALLRACF) or inactive (NOXBMALLRACF)?
• XBMALLRACF causes JES to test for a user ID and password on the JOB statement, or JES-propagated RACF ID info, for all jobs run with an XBM. Only valid for XBM (eXecution Batch Monitor) jobs through JES2.
• Best Practice: Should be switched on.
• The Point: Should be turned on as it could potentially be exploited by a hacker. Even though it is only used by JES2 for XBM jobs, it should probably be turned on anyway in case the issue is raised in an audit.
[Chart: XBMALLRACF. Responses: Active 14, Inactive 20. Bar annotations: Default, Best Practice.]
Is the JES-EARLYVERIFY option active (EARLYVERIFY) or inactive (NOEARLYVERIFY)?
• This setting is ignored. Of historical significance only.
• Best Practice: Should be turned on purely to avoid confusion during audits.
• The Point: Per IBM’s own documentation, this setting is ignored. Though that is the case, it should be switched on to avoid confusion during audits.
[Chart: JES-EARLYVERIFY. Responses: Active 20, Inactive 14. Bar annotations: Best Practice, Default.]
• Per IBM: “Early verification is always done, even if the SETROPTS command has been issued with JES(NOEARLYVERIFY) specified.”
Source: (https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/early.htm)
Is the PROTECTALL option active (PROTECTALL) or inactive (NOPROTECTALL)? If it is active, is the sub-parm set for FAILURES or WARNING?
• PROTECTALL causes the system to automatically reject requests to create or access data sets that are not RACF-protected.
• Best Practice: Should be active and set to FAIL.
• The Point: PROTECTALL(FAILURES) should be active. When it is disabled, all users, groups, etc… would have unrestricted access to all data sets, unless they are specifically denied.
[Chart: PROTECTALL. Bars: Active (FAILURES), Active (WARNING), Inactive. Response counts as extracted: 28, 24; the other charts total 34 respondents, so the second figure is presumably the WARNING and Inactive bars (2 and 4) run together. Bar annotations: Default, Best Practice.]
Is the Tape Dataset Protection option active (TAPEDSN) or inactive (NOTAPEDSN)?
• TAPEDSN causes RACF to protect individual tape data sets as well as tape volumes.
• Best Practice: TAPEDSN should be active.
• The Point: TAPEDSN should be set active so as to close a potential security weakness that a hacker could exploit.
[Chart: TAPEDSN. Responses: Active 23, Inactive 11. Bar annotations: Default, Best Practice.]
• Per IBM: “Guideline: If you use a tape management system, such as DFSMSrmm, do not enable TAPEDSN. For more information, see Using DFSMSrmm with RACF.” https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/usermm.htm
Is the Security Retention Period option set? If so, what is its numeric value?
• RETPD, with its value, establishes the number of days RACF protection remains in effect for a tape data set. The value may be 0 through 65533, or 99999 for never expire.
• Best Practice: RETPD(0) is OK if a tape management system is being used. Never expire (99999) is common as it is the DISA STIG requirement.
• The Point: If this value is set to the default, 0, the function is turned off so that it can be managed by a tape management system. TAPEDSN must be activated, otherwise the value of RETPD is meaningless.
[Chart: RETPD. Responses: Active 19, Inactive 15. Values reported: 5 -> 9999; 3 -> 99999 [never expire]; 4 -> 0 [inactive]. Bar annotations: Default; Best Practice; Best Practice (if using tape management system).]
Is the Erase On Scratch option set to active (ERASE) or inactive (NOERASE)? If it is active, which sub-operand is set? ALL, SECLEVEL, or NOSECLEVEL?
• Determines how data management is to erase the contents of deleted data sets, and scratched or released DASD extents, by overwriting the contents with zeroes.
• Best Practice: Should be set to ERASE(ALL) unless this causes performance issues. In that case, it can be applied at a more granular level.
• The Point: It is important to have this enabled so that confidential data sets cannot be read by unauthorized users even after they have been deleted.
[Chart: ERASE. Bars: Active (ALL), Active (SECLEVEL), Active (NOSECLEVEL), Inactive. Response counts as extracted: 32, 10, 19; the other charts total 34 respondents, so the first figure is presumably the ALL and SECLEVEL bars (3 and 2) run together, giving 3, 2, 10, 19. Bar annotations: Default, Best Practice.]
Is the Single Level Name option set to active (PREFIX) or inactive (NOPREFIX)?
• Activates RACF protection for data sets with single-qualifier names. Specifies the prefix (1-8 characters) to be used as the HLQ in the internal form of the names.
• Best Practice: Should be turned off (NOPREFIX).
• The Point: Though AE2 may suggest that it “represents extremely bad practice” to create single-level data set names, some site standards may prefer it, in some cases.
[Chart: PREFIX. Responses: Active 25, Inactive 9. Bar annotation: Default & Best Practice.]
Is the List of Groups Access Checking option set to active (GRPLIST) or inactive (NOGRPLIST)?
• If list-of-groups checking is active, then regardless of which group the user is logged on to, RACF recognizes the user's group-related authorities in other connect groups. If a user is in more than one group and tries to access a resource, RACF uses the highest authority allowed by the user's list of groups and the resource's access list.
• Best Practice: Should be active.
• The Point: The GRPLIST option makes managing a user’s access to resources much simpler.
[Chart: GRPLIST. Responses: Active 34, Inactive 0. Bar annotations: Default, Best Practice.]
Is the Inactive User IDs Automatically Revoked option set with INACTIVE or NOINACTIVE? If it is set with INACTIVE, for how many days is the unused-userid-interval set?
• Specifies the number of days (1-255) a user ID can remain unused and still be considered valid.
• Best Practice: INACTIVE should be enabled. A value of 1-35 is acceptable. 30 days is common.
• The Point: INACTIVE may not guarantee that an unused USERID cannot be used. It does ensure that manual intervention by an Admin is required before that is allowed.
[Chart: INACTIVE. Responses: Active 26, Inactive 8. Values reported: 3 -> 120 days; 4 -> 60 days; 1 -> 100 days; 3 -> 45 days; 8 -> 90 days. Bar annotations: Default, Best Practice.]
Is the Dataset Modeling option set to active (MODEL) or inactive (NOMODEL)? If active, please specify in the comments how the sub-operands are set.
• Allows for the creation of new data set profiles based on existing (model) profiles.
• Best Practice: Modelling should not be in effect.
• The Point: Data set modeling is considered out of date and is not recommended. Because it allows for copying info from an existing (model) profile, it is not as rigorous a method of security as is having to make individual decisions each time a DATASET resource definition is created in the RACF database.
[Chart: MODEL. Responses: Active 8, Inactive 26. Bar annotations: Default, Best Practice.]
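The best-practice positions the deck takes on ADSP through MODEL can be turned into an automated check. The following is an added example in Python, not code from the deck or from New Era: it scans a SETROPTS LIST-style report for the option names the survey questions use and reports every deviation from the deck's recommendations, including the sub-option points the deck makes (PROTECTALL FAILURES rather than WARNING, ERASE(ALL), an INACTIVE interval of 1-35 days, and RETPD having no effect while TAPEDSN is inactive). The sample report lines are constructed for the example and their exact wording is an assumption; check the patterns against your own SETROPTS LIST output before relying on them.

```python
"""Audit a SETROPTS LIST report against the best-practice positions in the
May 2016 survey deck. Added example; not code from the deck or from New Era.
The report wordings are assumptions modelled on the survey's option names."""
import re

# (label to find in the report, state the deck recommends, the deck's reason)
RULES = [
    ("AUTOMATIC DATASET PROTECTION", "inactive", "ADSP forces a discrete profile per data set; generic profiles scale better"),
    ("ENHANCED GENERIC NAMING", "active", "EGN enables ** generics and must stay on once profiles exist"),
    ("REAL DATA SET NAMES", "active", "REALDSN puts the real name in logs and messages for auditing"),
    ("JES-BATCHALLRACF", "active", "batch jobs without a RACF identity are invisible to RACF"),
    ("JES-XBMALLRACF", "active", "XBM jobs should carry a verified RACF identity too"),
    ("JES-EARLYVERIFY", "active", "ignored by RACF, but ON avoids questions during audits"),
    ("PROTECT-ALL", "active", "otherwise unprotected data sets are open to every user"),
    ("TAPE DATA SET PROTECTION", "active", "protects individual tape data sets, not only volumes"),
    ("ERASE-ON-SCRATCH", "active", "deleted data sets must not be readable from released extents"),
    ("SINGLE LEVEL NAME", "inactive", "single-qualifier data set names are discouraged"),
    ("LIST OF GROUPS ACCESS CHECKING", "active", "GRPLIST simplifies managing a user's access"),
    ("INACTIVE USERIDS", "active", "unused user IDs should need an admin to reactivate"),
    ("DATA SET MODELLING", "inactive", "copying a model profile is weaker than deciding per profile"),
]
NEGATIVE = re.compile(r"\b(NOT IN EFFECT|NOT BEING|NOT ACTIVE|INACTIVE)\b")
POSITIVE = re.compile(r"\b(IN EFFECT|BEING|ACTIVE)\b")


def state_after(label, line):
    """Classify the text that follows the label as 'active', 'inactive' or None.
    The label is stripped first: 'INACTIVE USERIDS ARE BEING AUTOMATICALLY
    REVOKED' must be judged on 'ARE BEING ...', not on the word INACTIVE."""
    rest = line.upper().split(label, 1)[1]
    if NEGATIVE.search(rest):
        return "inactive"
    if POSITIVE.search(rest):
        return "active"
    return None


def audit(report):
    """Return one finding per deviation from the deck's guidance (empty = clean)."""
    lines = [ln.strip() for ln in report.upper().splitlines() if ln.strip()]
    findings, observed = [], {}
    for label, wanted, why in RULES:
        hits = [ln for ln in lines if label in ln]
        if not hits:
            findings.append(f"{label}: not found in report")
            continue
        # Multi-line options (modelling, erase) count as active if any line is.
        states = {state_after(label, ln) for ln in hits}
        state = "active" if "active" in states else "inactive"
        observed[label] = (state, hits)
        if state != wanted:
            findings.append(f"{label}: is {state}, deck recommends {wanted} ({why})")
    # Sub-option points the deck makes beyond plain on/off.
    pa = observed.get("PROTECT-ALL")
    if pa and pa[0] == "active" and any("WARNING" in ln for ln in pa[1]):
        findings.append("PROTECT-ALL: WARNING mode, deck recommends FAILURES")
    eos = observed.get("ERASE-ON-SCRATCH")
    if eos and eos[0] == "active":
        all_ds = [ln for ln in eos[1] if "ALL DATA SETS" in ln]
        if not all_ds or state_after("ERASE-ON-SCRATCH", all_ds[0]) != "active":
            findings.append("ERASE-ON-SCRATCH: active but not ERASE(ALL)")
    rev = observed.get("INACTIVE USERIDS")
    if rev and rev[0] == "active":
        m = re.search(r"AFTER (\d+) DAYS", rev[1][0])
        if m and not 1 <= int(m.group(1)) <= 35:
            findings.append(f"INACTIVE USERIDS: {m.group(1)} days, deck accepts 1-35")
    retpd = next((ln for ln in lines if "SECURITY RETENTION PERIOD" in ln), "")
    m = re.search(r"IS (\d+) DAYS", retpd)
    tapedsn = observed.get("TAPE DATA SET PROTECTION", ("inactive", []))[0]
    if m and int(m.group(1)) > 0 and tapedsn != "active":
        findings.append(f"SECURITY RETENTION PERIOD: RETPD({m.group(1)}) has no effect while TAPEDSN is inactive")
    return findings


# Constructed sample report with several weak settings (not real z/OS output).
SAMPLE_REPORT = """
AUTOMATIC DATASET PROTECTION IS IN EFFECT
ENHANCED GENERIC NAMING IS IN EFFECT
REAL DATA SET NAMES OPTION IS INACTIVE
JES-BATCHALLRACF OPTION IS ACTIVE
JES-XBMALLRACF OPTION IS INACTIVE
JES-EARLYVERIFY OPTION IS INACTIVE
PROTECT-ALL WARNING OPTION IS IN EFFECT
TAPE DATA SET PROTECTION IS INACTIVE
SECURITY RETENTION PERIOD IN EFFECT IS 99999 DAYS.
ERASE-ON-SCRATCH IS ACTIVE, CURRENT OPTIONS:
  ERASE-ON-SCRATCH BY SECURITY LEVEL IS INACTIVE
  ERASE-ON-SCRATCH FOR ALL DATA SETS IS INACTIVE
SINGLE LEVEL NAME PREFIX IS NOT IN EFFECT
LIST OF GROUPS ACCESS CHECKING IS ACTIVE.
INACTIVE USERIDS ARE BEING AUTOMATICALLY REVOKED AFTER 90 DAYS.
DATA SET MODELLING NOT BEING DONE FOR GDGS.
DATA SET MODELLING BEING DONE FOR USERS.
DATA SET MODELLING NOT BEING DONE FOR GROUPS.
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT):
        print(finding)
```

Run as a script it lists ten findings for the constructed sample; pass the captured text of a real SETROPTS LIST report to `audit()` to get the same kind of list for a live system. The label is stripped before the ACTIVE/INACTIVE words are examined because the INACTIVE option's own name would otherwise be read as a negative, and the negative patterns are tested before the positive ones because INACTIVE and NOT IN EFFECT contain the positive words.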
RACF Survey for June 2016… RACF Data Processing Options:
• PASSWORD_IS_IN_EFFECT_FOR_THE_SWITCH
• PASSWORD_IS_IN_EFFECT_FOR_THE_STATUS
• SECLEVELAUDIT
• SECLABEL_AUDIT
• SECLABEL_CONTROL
• GENERIC_OWNER_ONLY
• COMPATIBILITY_MODE
• MULTI-LEVEL_QUIET
• MULTI-LEVEL_STABLE
• NO_WRITE-DOWN
• MULTI-LEVEL_ACTIVE
• CATALOGUED_DATA_SETS_ONLY
• USER-ID_FOR_JES_NJEUSERID
• USER-ID_FOR_JES_UNDEFINEDUSER
• PARTNER_LU-VERIFICATION_SESSIONKEY
• APPLAUDIT
• ADDCREATOR
• KERBLVL
• MULTI-LEVEL_FILE_SYSTEM
• MULTI-LEVEL_INTERPROCESS_COMMUNICATIONS
• MULTI-LEVEL_NAME_HIDING
• SECURITY_LABEL_BY_SYSTEM
• PRIMARY_LANGUAGE_DEFAULT
• SECONDARY_LANGUAGE_DEFAULT
[email protected]  twitter: @faulhaber_rk