RACF Users' News # 64

March, 2004 Newsletter

Issue No. 64


RACF (part of z/OS Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.

Another Neat RACF Web Site with Great Tools

It's from Steve Neeland, and we've just learned that it's being moved. Keep an eye on the RACF-L server or Stu's website to learn the new location. (We've just discovered that the new site is:
http://www.geocities.com/steveneeland/Sort_Reports.html )
You'll find a variety of tools for producing useful RACF reports.

Thierry Falissard's Great Website Has Moved Too

It's at
http://www.os390-mvs.freesurf.fr/ 

Yet Another Great RACF Website

It's from IBM, and it's their security planning wizard at: http://www.ibm.com/servers/security/planner 

You Can Now Control Access to USS

by means of the APPL resource class with a rule named OMVSAPPL. This adds to the "non-standard" uses of the APPL, the other one being use of APPL to control access to FTP (using the first seven letters of the FTP started task name as the name of the rule in the APPL class).
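As an added example of the two "non-standard" uses of the APPL class just described (this is not code from the newsletter or from IBM; it is a REXX exec that issues the RACF commands through ADDRESS TSO), the exec below defines OMVSAPPL and an FTP rule, permits groups to them, and then activates the class. The group names OMVSUSRS and FTPUSERS, the owner SYS1, and the FTP started task name FTPD (so that the APPL rule name is FTPD) are assumptions chosen for illustration; substitute your own. The caller needs SPECIAL (or CLAUTH for APPL plus ownership) to run it.

```rexx
/* REXX */
/* Added example, not from the newsletter: fence USS and FTP behind  */
/* the APPL class.  OMVSUSRS, FTPUSERS, SYS1 and the task name FTPD  */
/* are assumed names, not anything the newsletter specifies.         */

/* 1. The rule z/OS UNIX checks.  UACC(NONE): nobody gets in unless */
/*    explicitly permitted.  Log the refusals so you can see who is  */
/*    being kept out during the rollout.                             */
call racf "RDEFINE APPL OMVSAPPL UACC(NONE) OWNER(SYS1)",
          "AUDIT(FAILURES(READ))"

/* 2. Grant READ to the people who are supposed to use USS.  Do this */
/*    BEFORE activating the class, or you lock out everyone,         */
/*    including yourself.                                            */
call racf "PERMIT OMVSAPPL CLASS(APPL) ID(OMVSUSRS) ACCESS(READ)"

/* 3. Same idea for FTP.  Per the article the rule name is the first */
/*    seven characters of the FTP started task name; with an assumed */
/*    task name of FTPD that is simply FTPD.                         */
call racf "RDEFINE APPL FTPD UACC(NONE) OWNER(SYS1)",
          "AUDIT(FAILURES(READ))"
call racf "PERMIT FTPD CLASS(APPL) ID(FTPUSERS) ACCESS(READ)"

/* 4. Activate and RACLIST the class, then refresh so the in-storage */
/*    copy of the profiles reflects what was just defined.           */
call racf "SETROPTS CLASSACT(APPL) RACLIST(APPL)"
call racf "SETROPTS RACLIST(APPL) REFRESH"

/* 5. Show what was built, including the access lists, so it can be  */
/*    eyeballed before a non-privileged userid tries OMVS and FTP.   */
call racf "RLIST APPL OMVSAPPL AUTHUSER"
call racf "RLIST APPL FTPD AUTHUSER"
exit 0

/* Issue one RACF command and stop at the first failure: a PERMIT    */
/* that silently failed, followed by the SETROPTS, is exactly how    */
/* you lock people out.                                              */
racf: procedure
  parse arg cmd
  say '>> 'cmd
  address tso cmd
  if rc <> 0 then do
    say '   command failed, rc='rc' - fix it before going on'
    exit rc
  end
  return
```

Test it from a userid that is not in OMVSUSRS and not SPECIAL: after the refresh, the OMVS command should be refused and ICH408I messages for OMVSAPPL should appear, which is also the evidence an auditor will ask for.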

NEW YORK RUG Meeting Dates

Wednesday, April 28th, 2004 from 10AM to 4PM. PLEASE NOTE THIS IS A SPECIAL MEETING WITH DIFFERENT TIMES AND REGISTRATION REQUIRED. THIS IS A LOT OF TRAINING AVAILABLE IN ONE DAY. You will not be allowed to attend without pre-registering (it's free), as described inside. Mark your calendars now. See inside for details. The meeting after that will be in October, probably on a Tuesday from 1 to 5PM. Please note the NYRUG will meet twice a year from now on.

BALTIMORE/WASHINGTON RUG Meeting Dates

The BWRUG will meet at Johns Hopkins University in Baltimore April 12, 2004 from 9AM to noon. PLEASE NOTE THIS IS A SPECIAL MEETING WITH DIFFERENT TIMES AND REGISTRATION REQUIRED. THIS IS A LOT OF TRAINING AVAILABLE IN ONE HALF DAY. You will not be allowed to attend without pre-registering (it's free), as described inside. Our next meeting will be in October, likely on a Monday from 1 to 5PM. Mark your calendars now. See inside for details. Please note the BWRUG will meet twice a year from now on. -------------------------------------------

To Get a Free Subscription to the RACF User News

Phone Stu at (301) 229-7187 with your request, leaving your name, postal address (sorry, only US postal addresses; others will need to read issues online), and phone. For back issues and articles on topics like the SERVAUTH resource class, check his website: www.stuhenderson.com. -------------------------------------------

To Learn About New Seminar Dates
Email to stu@stuhenderson.com with Seminars in the Subject and your name and company in the body. We will then send you brief announcements of our new seminar dates and locations, perhaps three or four times per year. Of course, you can always check our website http://www.stuhenderson.com  for current information.

RACF for z/OS 1.5 Available

The new release has several features including:

Once again, IBM has laid this all out for us in a neat book called RACF Migration which can be downloaded from IBM's website.

What is MLS and Why Should I Care?

MLS (Multi-Level Security) is an extra layer of security, beyond that provided by UACCs and permit lists in dataset and resource rules. If you activate MLS, then user profiles, dataset profiles, and resource profiles can all have security labels (SECLABELs). A user may be permitted to several security labels, but can be logged on under only one of them at a time. If SECLABEL checking is active, each user can only access datasets and resources whose SECLABEL is equal to (or, in some cases, dominated by) the user's current SECLABEL. (See issue 62 of this newsletter [available at Stu's website] for more background on SECLABELs.) You activate SECLABEL checking by activating the SECLABEL class (SETR CLASSACT(SECLABEL)). You can set different levels of rigor for SECLABEL checking by issuing SETR commands with options whose names begin with ML, such as MLACTIVE, MLS, MLQUIET, and MLSTABLE. With RACF for z/OS 1.5, SECLABEL checking is extended to DB2 tables (health insurance companies seem to love this) and to USS files.
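To make the "equal to or dominated by" rule concrete, here is an added example (again a REXX exec issuing RACF commands through ADDRESS TSO; it is not from the newsletter or from IBM) that builds two security labels, permits one user to both, labels two dataset profiles, and switches SECLABEL checking on in WARNING mode so that nothing fails yet. The level names PUBLIC and CONFID, the category HEALTH, the labels PUB and HCONF, the userid JSMITH, and the dataset prefixes HR.CLAIMS and HR.PUBLIC are all assumptions for illustration. Generic profile checking for DATASET is assumed to be on already.

```rexx
/* REXX */
/* Added example, not from the newsletter: security labels and       */
/* SECLABEL checking in warning mode.  PUBLIC, CONFID, HEALTH, PUB,  */
/* HCONF, JSMITH, HR.CLAIMS and HR.PUBLIC are assumed names.         */

/* 1. A label is a level plus zero or more categories.  Levels are   */
/*    ordered by their number; categories are a set.  Label A        */
/*    dominates label B when A's level number >= B's AND A's         */
/*    categories include all of B's.                                 */
call racf "RDEFINE SECDATA SECLEVEL UACC(NONE) ADDMEM(PUBLIC/10 CONFID/50)"
call racf "RDEFINE SECDATA CATEGORY UACC(NONE) ADDMEM(HEALTH)"

/* 2. Two labels.  HCONF (50, {HEALTH}) dominates PUB (10, {}).      */
/*    PUB does not dominate HCONF, so a user logged on as PUB can    */
/*    never read HCONF data, whatever the permit list says.          */
call racf "RDEFINE SECLABEL PUB   SECLEVEL(PUBLIC) UACC(NONE)"
call racf "RDEFINE SECLABEL HCONF SECLEVEL(CONFID) ADDCATEGORY(HEALTH)",
          "UACC(NONE)"

/* 3. The user is permitted to BOTH labels but gets HCONF as the     */
/*    default; at logon she may pick PUB instead.  Only one label    */
/*    is in effect for a given session.                              */
call racf "PERMIT PUB   CLASS(SECLABEL) ID(JSMITH) ACCESS(READ)"
call racf "PERMIT HCONF CLASS(SECLABEL) ID(JSMITH) ACCESS(READ)"
call racf "ALTUSER JSMITH SECLABEL(HCONF)"

/* 4. Label the data.  A READ of HR.PUBLIC.* from an HCONF session   */
/*    passes (HCONF dominates PUB).  With MLS active, an UPDATE to   */
/*    HR.PUBLIC.* from an HCONF session is a write-down and is       */
/*    refused (or, in WARNING mode, allowed and logged).             */
call racf "ALTDSD 'HR.CLAIMS.**' SECLABEL(HCONF)"
call racf "ALTDSD 'HR.PUBLIC.**' SECLABEL(PUB)"

/* 5. Turn checking on.  SECLABEL must be RACLISTed, and every       */
/*    change to a SECLABEL profile needs a REFRESH to take effect.   */
call racf "SETROPTS CLASSACT(SECLABEL) RACLIST(SECLABEL)"
call racf "SETROPTS RACLIST(SECLABEL) REFRESH"

/* 6. Rigor, in WARNING mode first.  MLACTIVE: resources in classes  */
/*    that support labels must have one.  MLS: no write-down.        */
/*    Read the ICH408I warnings for a while, then switch to          */
/*    FAILURES when the log is quiet.                                */
call racf "SETROPTS MLACTIVE(WARNING)"
call racf "SETROPTS MLS(WARNING)"

/* 7. Look at the result.                                            */
call racf "RLIST SECLABEL HCONF AUTHUSER"
call racf "LISTUSER JSMITH"
exit 0

/* Issue one RACF command, stop on the first failure.                */
racf: procedure
  parse arg cmd
  say '>> 'cmd
  address tso cmd
  if rc <> 0 then do
    say '   command failed, rc='rc' - fix it before going on'
    exit rc
  end
  return
```

The point of WARNING mode is that a label mistake on one heavily used profile shows up as log entries rather than as a production outage; do not go to FAILURES until the warnings have stopped appearing.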

Who's Got the Best UNIX Around?

Have we mentioned that USS is the most secure, most standard, most flexible, and most scalable UNIX you'll find anywhere? Consider that USS:

Who can match that?

Survey Results

Two issues ago, we invited RACF installations to share information about which RACF options they use. We have now analyzed the survey results. We begged a statistician to tell us that we could draw conclusions about the general population of RACF shops from the survey forms people sent in. "From a sample size of six! Where only people with good numbers will be motivated to share! You've got to be kidding.", he laughed and walked away. So here are some results from the survey, with the warning that you shouldn't draw any conclusions from them:

How to Get Training When Your Training Budget's Been Slashed

Attend a local RACF user group where there's often great training for free!

The Pace of RACF Releases seems to be slowing down.

We now see a release more like once a year than twice a year. Along with this comes the feeling that much (but not all) of the major work on RACF has been accomplished: the basic functionality is there; many of the early design mistakes have been corrected; performance is seldom a problem; new releases consist mostly of extensions to interconnect with other platforms and software.

How to Minimize Problems with Auditors

Go to IBM's security planner ( http://www.ibm.com/servers/security/planner  ) and select options that fit your situation. The planner will give you a set of SETR options and other RACF specifications that they suggest (subject to your own review and evaluation of course) for shops like yours. Review it, get comfortable with it, re-run it with different options if need be, and then adopt it as your security standard ("based on suggestions provided by IBM"). Then make sure you meet it. When the auditors come around, give them a copy of your standard ("based on suggestions provided by IBM") and invite them to compare what you actually have to your organization's security standard. Thanks, IBM.

An Often Overlooked Aspect of Mainframe Security

A VTAM session is a connection between two LUs (logical units). A terminal can be an LU, as well as a program like CICS that you sign onto from a terminal. So is a remote printer, an NJE connection, or an APPN connection between your network and another organization's network. Each session can have certain security options set to determine how the two LUs are identified. If these settings are not properly made, there is the risk of someone spoofing VTAM, and using a false identity to abuse the system. Unless the Data Security Officer and the VTAM system programmer communicate regularly, the people responsible for security often do not know what settings are possible for these connections, nor how they are set. To learn more, you might check out net-q's website listed below under "Interesting Products".

Question and Answer

Q)

What is the importance of the group tree and the GROUP TREE REPORT in DSMON?

A)

The group tree has no effect at all unless some user has group privileges (such as group-SPECIAL, group-OPERATIONS, or group-AUDITOR) in some group. In that case, the user has certain privileges in that group, in groups OWNED by that group (not supgrouped but owned), in groups owned by those groups, and so on (extending also to other profiles owned by those groups and to dataset rules with such groups and userids as the high level qualifier). So if you look in the DSMON report and see no users with group privileges, you may safely ignore the group tree report. If there are such users, then do an LU command on each of them to see what group or groups they have the privilege in, and then turn to the GROUP TREE REPORT to see the scope of their group privileges.

Interesting Products

(Please note that it is your responsibility to evaluate any product for yourself. We do not evaluate nor recommend products here; we just tell you about ones we think you might find interesting.)

New Free Email Newsletter for Mainframe Auditors
To learn more about the Mainframe Audit News (MA News), check Stu's website: http://www.stuhenderson.com 

NYRUG (New York RACF Users Group) and BWRUG (Baltimore/Washington RUG) NEWS
NYRUG: Our Next Meeting
The New York RACF Users' Group will meet April 28th, 2004 from 10:00AM to 4PM at DTCC, 55 Water Street in downtown Manhattan. You will not be allowed to attend without pre-registering (it's free), as described below. This will be another educational meeting, similar to our last one, with speakers on these topics:

You must pre-register by 6PM April 26th by emailing to "Paul De Graaff" a message with NYRUG as the subject and your name and organization in the body. On the day of the meeting, go directly to the guard desk in the lobby of 55 Water Street and ask for the NYRUG. You will NOT be allowed into the meeting unless you have pre-registered in advance. If you're not sure whether you'll be attending, better to register and not show than to not register and be refused admission.

==============================================================

BWRUG (Baltimore/Washington RUG):
The BWRUG will meet at Johns Hopkins University at Eastern in Baltimore April 12, 2004 from 9AM to noon. The location will be:
Johns Hopkins at Eastern
1101 East 33rd Street, Room B-102
Baltimore, MD 21218
You will need to pre-register by emailing to stu@stuhenderson.com with BWRUG as the subject and your name and organization in the body.
Attendees must sign in at the Guard Desk as described in Directions below.
This will be an educational meeting, with presentations on:


DIRECTIONS to BWRUG:

By car from the north on I-95

Take the Baltimore Beltway (I-695) toward Towson to exit 25 (Charles Street). Continue on Charles Street south for about 7 miles. Make a left onto University Parkway, which crosses Charles at an angle. Stay on University Parkway until it meets 33rd Street. Turn left at 33rd. Johns Hopkins at Eastern will be on your right directly across from the former site of Memorial Stadium (now a construction site). The visitor entrance is past the building on the right. Visitor parking is on the right of the main entrance on the lower lot (before you pass the building).

Attendees must sign in at the Guard Desk (Main Entrance, where the flags are).

By car from the south on I-95

Take I-95 N to exit 53 (I-395). Stay in the right lane. As I-395 ends you will see Oriole Park at Camden Yards in front of you on your left. Turn right onto Pratt Street; go 10 blocks (stay in left lane). Turn left onto President Street and follow the signs for I-83 N. Take exit 9A East (Cold Spring Lane). Take the third right from Cold Spring Lane onto Roland Avenue (at the light). Stay to the left; Roland turns into University Parkway after it splits. Follow University Parkway to 33rd Street. Turn left at 33rd. Johns Hopkins at Eastern will be on your right directly across from the former site of Memorial Stadium (now a construction site). The visitor entrance is past the building on the right. Visitor parking is on the right of the main entrance on the lower lot (before you pass the building). Attendees must sign in at the Guard Desk (Main Entrance, where the flags are).

By car from the west (I-70)

Go toward Baltimore; take the exit for I-695/Glen Burnie (exit 91A). Continue to I-95 North. Take I-95 N to exit 53 (I-395). Stay in the right lane. As I-395 ends you will see Oriole Park at Camden Yards in front of you on your left. Turn right onto Pratt Street; go 10 blocks (stay in left lane). Turn left onto President Street and follow the signs for I-83 N. Take exit 9A East (Cold Spring Lane). Take the third right from Cold Spring Lane onto Roland Avenue (at the light). Stay to the left; Roland turns into University Parkway after it splits. Follow University Parkway to 33rd Street. Turn left at 33rd. Johns Hopkins at Eastern will be on your right directly across from the former site of Memorial Stadium (now a construction site). The visitor entrance is past the building on the right. Visitor parking is on the right of the main entrance on the lower lot (before you pass the building). Attendees must sign in at the Guard Desk (Main Entrance, where the flags are).



HG How to Audit Training Schedule:
The Henderson Group now offers its series of "How to Audit ..." seminars for IT auditors. These describe clearly how the associated software works, where the control points are, how to collect and interpret data, and how to conduct the audit. The workbooks include complete audit programs. More information is available at our website: www.stuhenderson.com. If you have a class you would like to have added to this series, please let us know. (See info on "RACF and Security" classes below.)

  A)      HG64 How to Audit MVS, RACF, ACF2, CICS, and DB2 ($1450)  
                   Nov. 1-3,          2004 in Clearwater, FL

  B)      HG70 How to Audit Cross-Platform Applications ($820)  
                   Apr. 1-2,          2004 in Bethesda, MD (near Washington, DC)

  C)      HG71 How to Audit Mainframe/Internet Connections ($820)  
                   Mar. 1-2,          2004 in Clearwater, FL 

  D)      HG72 How to Audit TCP/IP ($410)  
                   Mar. 4,            2004 in Clearwater, FL

  E)      HG73 How to Audit CICS ($410)  
                   Mar. 3,            2004 in Clearwater, FL 

  F)      HG74 How to Audit RACF ($820)  
                   Apr. 15-16,        2004 in Bethesda, MD (near Washington, DC)

  G)      HG75 How to Audit MVS ($410)  
                   Apr. 14,           2004 in Bethesda, MD (near Washington, DC)

  H)      HG75 How to Audit UNIX (incl. LINUX, AIX, and USS) ($410)  
                   Nov. 4,            2004 in Clearwater, FL 



HG RACF and Security Training Schedule:
The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog. For more info or to see what students say about these classes, please go to www.stuhenderson.com. (See info on "How to Audit ..." classes above.)

  1)      HG04 Effective RACF Administration ($1895)
                   May 18-21,         2004 in Des Moines, IA
                   Sept. 14-17,       2004 in New York City
                   Oct. 18-21,        2004 in Cape Cod, MA

  2)      HG05 Advanced RACF Administration ($1890)
                   Oct. 4-7,          2004 in Bethesda, MD

  3)      HG06 UNIX (USS) for RACF Administrators ($410)
                   May 17,            2004 in Des Moines, IA

  4)      HG17 Comprehensive z/OS Security (formerly How to Be an Effective z/OS or OS/390 (MVS) Data Security Officer) (covers CICS, VTAM, DB2, and JES security along with MVS security, SAF, OS/390, and z/OS) ($1190)
                   Sept. 20-22,       2004 in New York City

Permanently Interesting Products Column
This column has been permanently moved from this newsletter to Stu's website. You can find it at: www.stuhenderson.com/XINFOTXT.HTM 

RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)

RACF List Server on the Internet
To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary. You will want to set up a filter for incoming emails to direct mail from the list server to a dedicated folder or directory.

The RACF User News
is published two times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.

Other Internet places:

Stuart Henderson
(301) 229-7187
5702 Newington Road Bethesda, MD 20816-1282
stu@stuhenderson.com


Copyright ©: 2004, Stuart C. Henderson