Free Training for You on Hot Topics

The topics include:

• RACF Performance Tuning
• Real Life Experience with AIM (and the IRA Re-Structure)
• The Future of z/OS (Presented by its Senior Architect)
• How to Use Sarbanes-Oxley to Your Advantage
• Crypto for RACFers

Today's Proverbs

(Source Unknown) "A Password is like a toothbrush.... it's used daily, must be changed regularly, and you don't share it with others"

AND

"Passwords should be easy to remember, but difficult to guess."

NEW YORK RUG Meeting Dates

Wednesday, April 27, 2005 from 10AM to around 5PM. PLEASE NOTE THIS IS A SPECIAL MEETING WITH DIFFERENT TIMES AND REGISTRATION REQUIRED. THIS IS A LOT OF TRAINING AVAILABLE IN ONE DAY. You will not be allowed to attend without pre-registering (it's free), as described inside. Mark your calendars now. See inside for details. The meeting after that will be in October, probably on a Tuesday. Please note the NYRUG will meet twice a year from now on.

-------------------------------------------

Vanguard Conference on East Coast This Time

It's scheduled for May 8-12, 2005 in Orlando, FL.

From the RACF-L List Server

RACF is bypassed when programs in supervisor state or with protect key zero open VSAM datasets. Such programs can bypass RACF in other ways if they wish. This applies only to VSAM datasets. Not everyone agrees with the design decision (see the thread on the RACF-L), but we think everyone should be aware of it in any case.

To Get a Free Subscription to the RACF User News

Phone Stu at (301) 229-7187 with your request, leaving your name, postal address (sorry, only US postal addresses; others will need to read issues online), and phone. For back issues and articles on topics like the SERVAUTH resource class, check his website: www.stuhenderson.com 

The find Command in USS, Almost as Sexy as SEARCH

If you think the SEARCH command is the sexiest command in all RACF, you're right. And you'll probably want to know about the find command in USS. (The find command is the second sexiest command in USS. The sexiest is named grep, but this is a family publication.) If you are responsible for dataset security in RACF, you should also be responsible for file security in USS. So here are some examples of the find command, followed by a little bit of syntax rules. If you are an auditor, this command will make your audit much easier.

• Suppose you want to find every file whose owning UID doesn't exist (sort of like running IRRRID00 to find every entry in a permit list that doesn't exist). In USS, you would issue:

  find / -nouser

• To limit the scan to just 3 levels of the directory tree (to see how long it takes: if it doesn't take long, you can increase the number of levels):

  find / -nouser -level 3

• To find all the files whose owning GID doesn't exist, and to put the information in a disk file named nonodata, you would issue:

  find / -nogroup > nonodata

• To find all such files, and then to list their permissions, (using the ls -l command to list them):

  find / -nogroup -exec ls -l {} ; (Note the terminating semicolon, surrounded by spaces. The curly braces are replaced with the filename, sort of like using SEARCH CLIST).

• To find all files modified after the file /u/stu/mydata was last modified, issue:

  find / -newer /u/stu/mydata

• To find all files whose owning group is GROUPA, issue:

  find / -group GROUPA

• To find all files whose owning group is NOT GROUPA, issue:

  find / ! -group GROUPA

• To find all files whose owning user is STU, issue:

  find / -user stu

• To find all the files with an access control list specifying a group which doesn't exist, issue:

  find / -acl_nogroup

• To do the same for users which don't exist:

  find / -acl_nouser

• To find all files with extended attributes (such as APF-authorized, Load from the shared library region, program is program controlled, or program can run in a shared address space), use the -o flag to say or and issue:

  find / -ext a -o -ext l -o -ext p -o -ext s

  (This is useful in finding programs which could undermine your security.)

• To find all files with the SETUID bit set and whose owning UID is 0 (a common tool used in hacking into UNIX systems), issue:

  find / -user 0 -a -perm -4000

• To find all the files whose names start with stu and end in .txt, issue:

  find / -name "stu*.txt"

Some Syntax Rules

The find command is followed by a pathname and then some flags. The pathname identifies the starting point for the operation in the USS file directory tree. (This is similar to the directory tree on your Windows computer. Or think of the RACF group tree structure, with a directory named / replacing SYS1 at the top.)

You can recognize the flags because they are preceded by dashes. The flags let you specify one or more conditions to be met for a file to selected by find. To have more than one condition, separate the flags with -a or -o. The -a flag connects the conditions with a logical and. The -o connects them with a logical or. The ! exclamation point means not.

Other conditions include:

• -atime xxx to find files accessed xxx days ago

• -mtime xxx to find files modified xxx days ago

• -ctime xxx to find files whose attributes were changed nnn days ago

• -aaudit xxx to find files whose auditor audit bits match xxx

• -audit xxx to find files whose user audit bits match xxx

Note to Auditors

Which of these would you use in your audit program?

Fantastic Contest

The Henderson Group will award a beautiful prize (a handsome black canvas Henderson Group briefcase) to the winner of this contest. The winner will be the person who submits the coolest example of a way to use the find command in USS. All entries must be received by the Henderson Group by May 31, 2005. Opinion of the judge is final.

Interesting Products

(Please note that it is your responsibility to evaluate any product for yourself. We do not recommend products; we just tell you about ones we think you might find interesting.)

• IntellinX helps large organizations to comply with regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and HIPAA. IntellinX provides non- intrusive recording of all the end-user interaction (displayed screens and user keystrokes) with the host systems. These recordings are analyzed in real- time, triggering instant alerts, allowing the auditor to zoom-in on specific suspects and replay specific sessions that contain suspicious acts or behavior patterns. All recorded user sessions are stored in case after-the-fact replay and analysis is required. IntellinX features zero-footprint non-invasive network sniffing of screen communications, context-sensitive pattern recognition of application flows, event handling based on pre-defined business rules, point-and-click administration and composing tools, and comprehensive reporting and alerting facilities. Generating a "full audit trail and trace" of all end-users and all online applications, IntellinX is ideal for compliance with Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA and other privacy protection regulation. For more info contact Tom Tilley at (910) 371-2166 or at thomast@sabratec.com.

• ReACT v2.1.2 is a unique application designed to automate the password reset and synchronization process across the entire enterprise. Unlike other tools, ReACT eliminates the need to reset a password to a temporary value. ReACT allows the end user to reset their own password at any time without the need to change their password again at sign-on. ReACT virtually eliminates password reset related calls to the Help Desk, which accounts for up to 35% of their total calls. At up to $38 per call, the savings is evident. For More Information or a free 30-day evaluation, contact: Phone:(800)662-6090 or Email: aspgsales@aspg.com or Website: www.aspg.com.

Get Others Comments on Seminars Before You Take Them, Share Your Comments

There is a new website www.trainingreviews.com  that lets people share their comments and evaluations about various training they have taken. We have no association with this site, and pass it along to you for you to evaluate yourself. If you find it useful, please let us know. If you have taken a course and want to share your opinions, let trainingreviews know.

NYRUG (New York RACF Users Group):

Our next meeting is at IBM, 590 Madison Avenue, Room (room 1219). Attendees must present a government issued photo ID to enter the building. Admission is free to hear these great speakers, but you must pre-register by emailing NO LATER THAN NOON APRIL 26, 2005 to Mark Nelson (markan@us.ibm.com) with "NYRUG MEET" in the subject line and your name and company in the body. Pre-registration is highly recommended. Once again, we have some of the best speakers possible on topics you need to learn about. All speakers are from IBM unless otherwise noted. Starting at 10AM: Ending a Little Before 5PM

Starting at 10:00 AM

• An Introduction to zSeries Cryptography (Eleanor Chan Trimboli and Mike Kelly; ICSF Design and Development)
• RACF Performance Tips (Russ Hardgrove; RACF Level 2 Support)
• Lunch around noon to 1PM
• AIM (Application Identity Mapping) (Jeff Benson of Guardian Life Insurance)
• The Enduring Value of z (Jim Porell; senior IBM Architect)
• Break around 3PM
• Leveraging Urgent Regulatory Imperatives such as SOX to Batten Down your z/OS Ship (Bob Kennedy)

(Please note that times are approximate and that speakers and topics are subject to revision.)

Time: Wednesday, April 27, 2005 from 10AM to around 5PM.

Place: IBM, 590 Madison Avenue in Room 1219. Attendees must present a photo ID to enter the building and must pre-register in advance.

==============================================================

BWRUG (Baltimore/Washington RUG): Next Meeting

The BWRUG is looking for someone to volunteer a to host a meeting. This should not be a software vendor or a consultant, but someone in an organization that uses RACF and would like to support information sharing. You'll need to provide a meeting room during normal business hours, and perhaps coffee and cookies. We will provide speakers and publicity. Contact Stu if you'd like to make this happen. Sorry, but vendors are not invited to host meetings.

New Free Email Newsletter for Mainframe Auditors
To learn more about the Mainframe Audit News (MA News), check Stu's website: http://www.stuhenderson.com 

HG How to Audit Training Schedule:
The Henderson Group now offers its series of "How to Audit.." seminars for IT auditors. These describe clearly how the associated software works, where the control points are, how to collect and interpret data, and how to conduct the audit. More information is available at our website: www.stuhenderson.com  If you have a class you would like to have added to this series, please let us know. (See info on "RACF and Security" classes below.)

  A)    HG64 How to Audit MVS, RACF, ACF2, CICS, and DB2 ($1450)      
                Nov. 2-4,        2005 in Washington, DC
 

  B)    HG73 How to Audit CICS ($410)  
                Apl. 28,         2005 in Washington, DC 


  C)    HG74 How to Audit RACF ($820)  
                Apl.  7-8,       2005 in Washington, DC


  D)    HG75 How to Audit MVS ($410)  
                Apl.  29,        2005 in Washington, DC

HG RACF and Security Training Schedule: (Avoid the Price Increase by Attending Before 2006)
The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog. For more info or to see what students say about these classes, please go to www.stuhenderson.com . (See info on "How to Audit ..." classes above.)

  1)    HG04 Effective RACF Administration    ($1895 in 2005, $1995 in 2006)  
                May    3-6,              2005 in Washington, DC
                Sept 12-15.,             2005 in New York City
                Feb. 27-Mar. 2,          2006 in Clearwater, FL


  2)    HG05 Advanced RACF Administration  ($1890 in 2005, $1990 in 2006)
                May   24-27,             2005 in Washington, DC
                Sept. 19-22,             2005 in New York City
                Mar.  6-9,               2006 in Clearwater, FL


  3)    HG06 UNIX (USS) for RACF Administrators  ($410 in 2005, $460 in 2006)
                
                Apl     15,              2005 in Washington, DC
                Sept.   16,              2005 in New York City
                March    3,              2006 in Clearwater, FL


  4)    HG17 Comprehensive z/OS Security (Formerly: How to Be an Effective 
        z/OS or OS/390 (MVS) Data Security Officer) (covers CICS, VTAM, DB2, 
        and JES security along with MVS security, SAF, OS/390, and z/OS)  ($1190)             
                May 18-20,               2005 in Washington, DC

Permanently Interesting Products Column
This column has been permanently moved from this newsletter to Stu's website. You can find it at: www.stuhenderson.com/XINFOTXT.HTM 

RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)

• Technical support hotline, Meetings, Free Newsletter subscription, Seminar Catalogs: Stu Henderson - (301) 229-7187 5702 Newington Rd, Bethesda, MD 20816
• For Back Issues of this newsletter and Links to Several Useful Web Sites: check the Henderson Group website at the Henderson Group: www.stuhenderson.com 

RACF List Server on the Internet
To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary. You will want to set up a filter for incoming emails to direct mail from the list server to a dedicated folder or directory.

New Free Email Newsletter for Mainframe Auditors
To learn more about the Mainframe Audit News (MA News), check Stu's website at: http://www.stuhenderson.com 

The RACF User News
is published two times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.

Other Internet places:

• RACF Password Cracker Program. Email Peter Goldis at pete@goldisconsulting.com or look at http://www.goldisconsulting.com 
  
• Steve Neeland's RACF page is http://www.geocities.com/steveneeland/ 
• Thierry Falissard's RACF page is http://www.os390-mvs.freesurf.fr/ 
• Nigel Pentland's security page http://www.nigelpentland.co.uk 
• IBM security planner: http://www.ibm.com/servers/security/planner 
• IBM RACF home page: http://www-1.ibm.com/servers/eserver/zos/racf 
• IBM z/OS home page, including RACF: http://www-1.ibm.com/servers/eserver/zos/racf 
• IBM RACF Goodies Site: http://www-1.ibm.com/servers/eserver/zseries/zos/racf/goodies.html 
• IBM Redbooks: http://www.ibm.com/redbooks 
• IBM z/OS 1.6 Manuals: http://www-1.ibm.com/servers/eserver/zseries/zos/bkserv/r6pdf/ 
• Other vendors contact info listed earlier under "Permanently Interesting Products" on stu's website at: www.stuhenderson.com/XINFOTXT.HTM 
• the Henderson Group at: http://www.stuhenderson.com