RACF Users' News # 63

Dec., 2003 Newsletter

Issue No. 63


RACF (part of z/OS Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.

NEW YORK RUG Meeting Dates
The NYRUG will likely meet April 28th, 2004 in downtown Manhattan. This will be another totally educational meeting. Details will be in the March issue of this newsletter.

BALTIMORE/WASHINGTON RUG
The BWRUG will likely meet April 7, 2004 near Baltimore. This will be a totally educational meeting. Details will be in the March issue of this newsletter.

To Learn About New Seminar Dates
Email to stu@stuhenderson.com with Seminars in the Subject and your name and company in the body. We will then send you brief announcements of our new seminar dates and locations, perhaps three or four times per year. Of course, you can always check our website http://www.stuhenderson.com for current information.

To Get a Free Subscription to the RACF User News
Phone Stu at (301) 229-7187 with your request, leaving your name, postal address (sorry, only US postal addresses; others will need to read issues online), and phone. For back issues and articles on topics like the SERVAUTH resource class, check his website: http://www.stuhenderson.com 

SPECIAL YEAR-END ISSUE: FIND OUT WHERE YOU STAND

Several readers have requested a survey of what other sites do with RACF. Some survey attempts in the past have not been successful because people were not comfortable sharing detailed information. In this issue, we offer a way to get comparative statistics without sharing the details of your RACF implementation.
This is a simple self-assessment you can fill out for yourself to see how your RACF implementation rates. This is completely confidential: you keep it to yourself. However, if enough people send their section totals in, we will print average, minimum and maximum values for each section (while keeping individual company names confidential), so you can compare.
Give yourself one point in the left-hand column for each item which is true in your shop. Then add up your section total scores. Yes, we know that these are arbitrary, and the point weighting is too. You don't get judged on them; they just provide a means for comparison, and perhaps a discussion starter within your department. Auditors may feel free to use this as a guide in RACF audits.
Section A - SETR Options (one point each; maximum possible points= 9)

1._____ INITSTATS AND CMDVIOL ARE ACTIVE
2._____ SAUDIT AND OPERAUDIT ARE ACTIVE
3._____ WHEN(PROGRAM) IS IN EFFECT (This is how the PROGRAM class is made active)
4._____ JES-BATCHALLRACF and JES-XBMALLRACF are both active
5._____ PROTECT-ALL IS ACTIVE (not in WARNING)
6._____ TAPE DATA SET PROTECTION IS ACTIVE
7._____ ERASE-ON-SCRATCH IS ACTIVE (at least for some datasets). (SETR LIST reports this as ERASE ON SCRATCH IS ACTIVE; ERASE ON SCRATCH BY SECLEVEL IS INACTIVE, one of the silliest status messages ever made.) (Yes, we know that EOS used to cause a serious performance problem. Current disk drives and controllers have essentially eliminated it, but still roll it out gradually, and only for sensitive datasets.)
8._____ PASSWORD RULES HAVE A MINIMUM LENGTH OF AT LEAST 5 AND REQUIRE ALPHANUMERICS (which requires at least one number and at least one letter)
9._____ ADDCREATOR IS NOT IN EFFECT
________ TOTAL points for Section A
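The commands that turn on each of the nine Section A options, as an added example that is not part of the newsletter: a TSO batch job (IKJEFT01) issuing SETROPTS from a userid with SPECIAL. The JOB card, the password rule number RULE1, the maximum password length of 8, and the dataset profile PAYROLL.MASTER.** (used to show erase-on-scratch being switched on for one sensitive dataset) are assumptions.

```jcl
//SETRA    JOB (ACCT),'SECTION A SETR OPTIONS',CLASS=A,MSGCLASS=X
//* Added example, not from the newsletter: sets the nine Section A
//* options from one TSO batch step. Run it from a SPECIAL userid.
//* Command to item: INITSTATS CMDVIOL = A1, SAUDIT OPERAUDIT = A2,
//* WHEN(PROGRAM) = A3, JES(...) = A4, PROTECTALL(FAILURES) = A5,
//* TAPEDSN = A6, ERASE(NOSECLEVEL) plus ALTDSD ... ERASE = A7,
//* PASSWORD(RULE1(...)) = A8, NOADDCREATOR = A9.
//* Assumptions: the JOB card, rule number RULE1, a maximum password
//* length of 8, and the profile name PAYROLL.MASTER.** used to show
//* erase-on-scratch being switched on for one sensitive dataset.
//TSO      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS INITSTATS CMDVIOL
  SETROPTS SAUDIT OPERAUDIT
  SETROPTS WHEN(PROGRAM)
  SETROPTS JES(BATCHALLRACF XBMALLRACF)
  SETROPTS PROTECTALL(FAILURES)
  SETROPTS TAPEDSN
  SETROPTS ERASE(NOSECLEVEL)
  ALTDSD 'PAYROLL.MASTER.**' ERASE
  SETROPTS PASSWORD(RULE1(LENGTH(5:8) ALPHANUM(1:8)))
  SETROPTS NOADDCREATOR
  SETROPTS LIST
/*
```

Two cautions before running this on a production system. PROTECTALL(FAILURES) fails every job that touches a dataset with no profile, so a shop coming from no PROTECT-ALL should first run with PROTECTALL(WARNING), work the warnings out of the SMF data, and only then switch to FAILURES. ERASE(NOSECLEVEL) erases only datasets whose profile carries the ERASE attribute, which is what lets you roll EOS out one sensitive profile at a time; ERASE(ALL) would erase everything. The final SETROPTS LIST prints the status lines the checklist items are worded after.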


Section B - DSMON Options (one point each; maximum possible points = 9)

1._____ PROGRAM PROPERTIES TABLE: RACF ADMINISTRATOR KNOWS WHICH ENTRIES WERE SUPPLIED BY IBM AND HAS DOCUMENTATION SUPPORTING OTHERS
2._____ AUTHORIZED CALLER TABLE HAS NO ENTRIES
3._____ RACF EXITS REPORT IS EMPTY OR RACF ADMINISTRATOR HAS DOCUMENTATION SUPPORTING EACH EXIT
4._____ RACF ADMINISTRATOR HAS DOCUMENTATION AUTHORIZING EACH USER WITH SYSTEM SPECIAL OR SYSTEM OPERATIONS
5._____ RACF ADMINISTRATOR HAS DOCUMENTATION EXPLAINING EFFECT OF EACH USER HAVING GROUP SPECIAL OR GROUP OPERATIONS
6._____ IBMUSER IS REVOKED (IT IS SHIPPED WITH SYSTEM SPECIAL AND SYSTEM OPERATIONS)
7._____ STARTED PROCEDURES TABLE HAS AN * AS LAST ENTRY, ENSURING THAT EVERY STARTED TASK IS DEFINED TO RACF
8._____ STARTED PROCEDURES TABLE: RACF ADMINISTRATOR HAS DOCUMENTATION SUPPORTING EVERY "YES" UNDER TRUSTED OR PRIVILEGED
9._____ SELECTED DATASETS REPORT SHOWS: NO APF LIBRARIES WITH A UACC OF UPDATE OR HIGHER; RACF DATASETS WITH A UACC OF NONE; SYS1.UADS WITH A UACC OF NONE; AND THE RACF PRIMARY DATASET ON A DIFFERENT DISK PACK FROM ITS CORRESPONDING BACKUP DATASET
________ TOTAL points for Section B
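The DSMON job that produces the reports Section B is scored against, as an added example that is not part of the newsletter. It runs ICHDSM00 with one FUNCTION statement per report; the submitting userid needs the AUDITOR attribute. The JOB card is an assumption.

```jcl
//DSMON    JOB (ACCT),'SECTION B DSMON',CLASS=A,MSGCLASS=X
//* Added example, not from the newsletter: runs the RACF Data
//* Security Monitor (ICHDSM00) for the reports Section B is scored
//* against. The submitting userid needs the AUDITOR attribute.
//* Report to item: SYSPPT = B1, RACAUT = B2, RACEXT = B3,
//* RACUSR = B4 to B6, RACSPT = B7 and B8, SYSSDS and SYSAPF = B9.
//* The JOB card is an assumption.
//DSMON    EXEC PGM=ICHDSM00
//SYSPRINT DD SYSOUT=*
//SYSUT2   DD SYSOUT=*
//SYSIN    DD *
  FUNCTION SYSPPT
  FUNCTION RACAUT
  FUNCTION RACEXT
  FUNCTION RACUSR
  FUNCTION RACSPT
  FUNCTION SYSSDS
  FUNCTION SYSAPF
/*
```

SYSPRINT carries DSMON's own messages and SYSUT2 carries the reports. For B9, read the UACC column of the selected datasets and APF libraries reports; the volume serial column is where you confirm that the primary and backup RACF datasets are on different packs. For SYS1.UADS, a LISTDSD of its profile from TSO gives the UACC if it is not among the datasets DSMON selected.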


Section C - Userids (one point each; maximum possible points = 6)
1._____ ALL STARTED TASK USERIDS ARE PROTECTED, THAT IS, THEY HAVE NOPASSWORD AND NOOIDCARD
2._____ RACF ADMINISTRATOR IS CERTAIN THAT NO ONE CAN GET SOMEONE ELSE'S PASSWORD RESET BY CALLING THE HELP DESK AND PRETENDING TO BE THAT PERSON
3._____ HELP DESK IS PERMITTED TO RESET PASSWORDS BY MEANS OF FACILITY CLASS RULES WHOSE NAMES BEGIN IRR... (and not by means of Group-SPECIAL)
4._____ RACF ADMINISTRATOR HAS EXECUTED A RACF PASSWORD CRACKER PROGRAM TO DETERMINE WHETHER USERS NEED TRAINING IN HOW TO MAKE PASSWORDS EASY TO REMEMBER BUT DIFFICULT TO GUESS
5._____ RACF ADMINISTRATOR HAS EVALUATED WHETHER ANY USERIDS SHOULD BE RESTRICTED AND HAS MADE APPROPRIATE CHANGES
6._____ PRODUCTION BATCH JOBS HAVE DISTINCT USERIDS, ONE USERID PER APPLICATION, BY MEANS OF SURROGAT RESOURCE CLASS AND JOB SCHEDULING SOFTWARE
________ TOTAL points for Section C


Section D - RESOURCE CLASSES (one point each; maximum possible points = 9)
1._____ THE FOLLOWING RESOURCE CLASSES ARE ACTIVE: RACFVARS AND DASDVOL, BOTH WITH RULES DEFINED
2._____ THE TAPEVOL CLASS IS ACTIVE AND THE FACILITY CLASS IS ACTIVE AND THE FACILITY CLASS RULE NAMED ICHBLP IS DEFINED WITH A UACC OF NONE
3._____ JESSPOOL RESOURCE CLASS IS ACTIVE AND HAS RULES DEFINED
4._____ APPL AND VTAMAPPL RESOURCE CLASSES ARE ACTIVE AND HAVE RULES DEFINED
5._____ EACH RESOURCE CLASS HAS ONE PERSON IDENTIFIED AS ITS OWNER (JUST AS FOR EXAMPLE THE HEAD OF THE PAYROLL DEPARTMENT IS THE OWNER OF THE PAYROLL APPLICATION)
6._____ TSOAUTH RESOURCE CLASS IS ACTIVE AND HAS RULES DEFINED
7._____ OPERCMDS RESOURCE CLASS IS ACTIVE AND HAS RULES DEFINED
8._____ NODES RESOURCE CLASS IS ACTIVE AND HAS RULES DEFINED
9._____ GENERICS IS TURNED ON FOR EVERY CLASS WHICH ACCEPTS IT
________ TOTAL points for Section D


Section E - RACF DATASET MAINTENANCE AND USS (one point each; maximum possible points = 9)
1._____ THE RACF DATABASE IS BACKED UP EVERY NIGHT USING THE PROGRAM IRRUT200
2._____ DURING DISASTER RECOVERY PLAN TESTS, THE RACF DATABASE IS RESTORED SEPARATELY USING IEBGENER OR SIMILAR PROGRAM AFTER THE FULL PACK RESTORES ARE COMPLETED
3._____ EITHER THE RACF DATABASE HAS COMPLETED ALL 3 STAGES OF THE IRRIRA00 (APPLICATION IDENTITY MAPPING) CONVERSION OR THE SYSTEM PROGRAMMER HAS COMMITTED TO MAKING THIS HAPPEN IN THE NEXT 12 MONTHS
4._____ AT LEAST EVERY 6 MONTHS THE RACF ADMINISTRATOR USES THE IRRUT200 PROGRAM TO GET STATISTICS FOR THE RACF DATABASE ON: PERCENT FULL, CORRECTNESS OF SPACE ALLOCATION, AND BAD POINTERS
5._____ RACF ADMINISTRATION IS RESPONSIBLE FOR ASSIGNING ALL UIDS AND GIDS FOR USS
6._____ RACF ADMINISTRATION IS RESPONSIBLE FOR ALL USS FILE SECURITY
7._____ RACF ADMINISTRATION IS RESPONSIBLE FOR ALL UNIXPRIV RESOURCE CLASS RULES
8._____ RACF ADMINISTRATION IS RESPONSIBLE FOR ALL FACILITY CLASS RULES FOR USS (WHOSE NAMES BEGIN BPX....)
9._____ RACF ADMINISTRATION IS RESPONSIBLE FOR ALL SURROGAT CLASS RULES FOR USS (WHOSE NAMES BEGIN BPX....)
________ TOTAL points for Section E
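One IRRUT200 run that covers both E1 and E4, as an added example that is not part of the newsletter: it copies the primary RACF database to a backup copy and, through SYSIN, verifies the index for bad pointers and prints the block availability map from which percent full is read. Dataset names and the JOB card are assumptions.

```jcl
//RACFCOPY JOB (ACCT),'SECTION E IRRUT200',CLASS=A,MSGCLASS=X
//* Added example, not from the newsletter: one IRRUT200 run that
//* copies the primary RACF database to a backup copy (E1) and, via
//* SYSIN, verifies the index for bad pointers (INDEX FORMAT) and
//* prints the block availability map from which percent full is
//* read (MAP) for E4. SYSUT1 must be pre-allocated the same size as
//* SYSRACF and, to satisfy B9, on a different volume. SYSUT2 is the
//* utility's work file. Data set names and the JOB card are assumed.
//COPY     EXEC PGM=IRRUT200
//SYSRACF  DD DSN=SYS1.RACFPRIM,DISP=SHR
//SYSUT1   DD DSN=SYS1.RACFCOPY,DISP=OLD
//SYSUT2   DD UNIT=SYSDA,SPACE=(CYL,(10,2))
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  INDEX FORMAT
  MAP
  END
/*
```

For the nightly backup (E1) the SYSIN statements can be omitted and only the copy is made. For the six-monthly check (E4), read the free and used block counts from the MAP output to get percent full, confirm that the allocated size of SYSUT1 matches SYSRACF, and treat any inconsistency reported by INDEX as a bad pointer to be raised with the system programmer before it is copied into the backup. This copy is the one E2 expects to be restored separately with IEBGENER after the full-pack restores during a disaster recovery test.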


SUMMARY SHEET

If you would like to see how your RACF implementation compares to others, please send this page with your summary counts filled out to Stu. Please talk to other people in your organization to make sure that only one person per organization sends this in. You may fill in your name and phone number, or leave them blank if you wish. If you are willing, check the category that best describes your organization.
We will publish summary statistics, without mentioning any organization or person, for any section where we have five or more entries.
My organization's summary counts are:
Section A: _____ Section B: _____ Section C: _____
Section D: ______ Section E: _____ TOTAL ALL SECTIONS: _____


The following information is optional and will not be shared with anyone:
My Name is : __________________________________ My phone is: _______________________

My organization is (please check one):

_____Government _____Financial _____Retail _____Manufacturing _____Other
Please send this page to Stu, by faxing without coversheet to (301) 229-3958 OR by email to stu@stuhenderson.com OR by postal mail to : Stu Henderson, 5702 Newington Road, Bethesda, MD 20816



HG How to Audit Training Schedule:
The Henderson Group now offers its series of "How to Audit.." seminars for IT auditors. These describe clearly how the associated software works, where the control points are, how to collect and interpret data, and how to conduct the audit. The workbooks include complete audit programs. More information is available at our website: www.stuhenderson.com. If you have a class you would like to have added to this series, please let us know. (See info on "RACF and Security" classes below.)

  A)      HG64 How to Audit MVS, RACF, ACF2, CICS, and DB2 ($1450)  
                   Nov. 1-3,          2004 in Clearwater, FL 

  B)      HG70 How to Audit Cross-Platform Applications ($820)  
                   Apr. 1-2,          2004 in Bethesda, MD (near Washington, DC)

  C)      HG71 How to Audit Mainframe/Internet Connections ($820)  
                   Mar. 1-2,          2004 in Clearwater, FL 

  D)      HG73 How to Audit CICS ($410)  
                   Mar. 3,            2004 in Clearwater, FL 

  E)      HG74 How to Audit RACF ($820)  
                   Apr. 15-16,        2004 in Bethesda, MD (near Washington, DC)

  F)      HG75 How to Audit MVS ($410)  
                   Apr. 14,           2004 in Bethesda, MD (near Washington, DC)

  G)      HG76 How to Audit UNIX (incl. LINUX, AIX, and USS) ($410)  
                   Nov. 4,            2004 in Clearwater, FL 



HG RACF and Security Training Schedule:
The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog. For more info or to see what students say about these classes, please go to www.stuhenderson.com. (See info on "How to Audit ..." classes above.)

  1)      HG04 Effective RACF Administration ($1895)  
                   Mar. 9-12,         2004 in Clearwater, FL 
                   May 18-21,         2004 in Des Moines, IA 
                   Sept. 14-17,       2004 in NYC 
                   Oct. 18-21,        2004 in Cape Cod, MA 

  2)      HG05 Advanced RACF Administration ($1890)  
                   Feb. 17-20,        2004 in Clearwater, FL 
                   Oct. 4-7,          2004 in Bethesda, MD 

  3)      HG06 UNIX (USS) for RACF Administrators ($410)  
                   Mar. 8,            2004 in Clearwater, FL 
                   May 17,            2004 in Des Moines, IA 
                   Sept. 23,          2004 in NYC 

  4)      HG17 Comprehensive z/OS Security (covers CICS, VTAM, DB2, and JES security along with MVS security, SAF, OS/390, and z/OS) ($1190)  
                   Sept. 20-22,       2004 in NYC 

Permanently Interesting Products Column
This column has been permanently moved from this newsletter to Stu's website. You can find it at: www.stuhenderson.com/XINFOTXT.HTM 

RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)

RACF List Server on the Internet
To join, send E-mail to the list server's administrative address, not to the list address itself (mail sent to the list address is routed to every subscriber). For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary. You will want to set up a filter for incoming emails to direct mail from the list server to a dedicated folder or directory.

New Free Email Newsletter for Mainframe Auditors
To learn more about the Mainframe Audit News (MA News), check Stu's website at: http://www.stuhenderson.com 

The RACF User News
is published three times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.

Other Internet places:

Stuart Henderson
(301) 229-7187
5702 Newington Road Bethesda, MD 20816-1282
stu@stuhenderson.com


Copyright ©: 2004, Stuart C. Henderson