Computer Security Policy Sharing Library Continues

Terry Shoback of Alliance Capital has volunteered again to manage the library of real life policies. She will make copies available to anyone who asks her. You are of course invited to share your company's policy with the library by sending her a copy. See how to contact her on page 8.

New Phone for Tampa RUG

Jim Cuddy still runs the Tampa RACF Users Group. His new number is: (800) 237-0738x34233.

Win a Henderson Group Golf Shirt

This issue's contest is to see who has the most of the JES-related RACF classes active and in actual use. The winner will be the person who sends us the first SETR LIST printout with the most classes active from the following list. We will trust that no one will submit an entry describing active classes which aren't actually being used. The list of eligible classes is: JESSPOOL, JESINPUT, JESJOBS, NODES, WRITER, and SURROGAT. NEW YORK RUG Meeting Dates

On Wednesdays, from 1 to 5 PM: on January 13, 1999, and then April 14, 1999. Mark your calendars now. See inside for details.

BALTIMORE/WASHINGTON RUG Meeting Dates

On Thurdays, from 9AM to Noon: No meeting in January, and then April 15, 1999. Mark your calendars now. See inside for details.

-------------------------------------------

A Change in RACFVARS with RACF 2.6

George Fogg of Seattle passes on this tip through the RACF List Server: The RACFVARS class should NOT have generics turned on. In RACF 2.6, if you try to create a new RACFVARS rule when generics is active for RACFVARS, you will get message ICH51003I NAME NOT FOUND IN RACF DATASET and message ICH10301I &... AND REMAINING ENTITIES NOT DEFINED TO RACF. The new rule will not be created.

What should you do? Issue:

SETR NOGENERIC(RACFVARS) NOGENCMD(RACFVARS) LIST.

Then update your written standard of how you want each of your SETR options set to reflect the change. You can do this now, before you get to RACF 2.6. Thanks, George.

New Way to Let Your Helpdesk Reset Passwords Without Group Special

RACF release 2.6 gives us a new way to delegate the authority to reset passwords, without giving away the SPECIAL or Group-Special privileges. It makes use of a new FACILITY class rule named: IRR.PASSWORD.RESET. Users who are permitted to this rule with READ permission can reset passwords for all userids EXCEPT userids which have SPECIAL, OPERATIONS, or AUDITOR. This is a great way to let your Helpdesk reset passwords, without letting them fool around with passwords of RACF administrators and auditors. Here are the commands:

RDEF FACILITY IRR.PASSWORD.RESET UACC(NONE) OWNER(OWNERGRP)... PE IRR.PASSWORD.RESET CLASS(FACILITY) ACC(READ) ID(HELPDESK) + RESET

(Note that the reset is to be used only on the first PERMIT command to this rule, since it clears the entire permit list of the rule before adding the new entry. This is to clear out the entry that permits the userid which created the rule to have ALTER access to it. You don't need this if you have specified SETR NOADDCREATOR.)

New Operand for ALTUSER to Specify That A Userid's Password Doesn't Need to Be Changed at the Next Logon

RACF release 2.6 lets you specify:

ALU userid NOEXPIRED PASSWORD(password)

so that the next time the user logs on, he or she doesn't have to change the password. (The opposite of NOEXPIRED is of course EXPIRED.) This is useful for userids which don't represent current users, for example userids predefined for CICS terminals, RJE and NJE userids, and userids which have just been converted from ACF2 or TopSecret.

Note that NOEXPIRED is different from NOINTERVAL. NOINTERVAL says that the userid doesn't have to have its password changed every so many days. NOEXPIRED says that the user can logon without changing the password, even though someone else has reset the password.

You can use the FACILITY class rule described next to permit someone to use the NOEXPIRED operand without giving him or her SPECIAL or Group SPECIAL.

New Way to Let Your Helpdesk LISTUSER and ALU NOEXPIRED

Again as of RACF release 2.6, you can delegate these abilities by permitting someone to a FACILITY class rule named: IRR.LISTUSER. A user or group with READ or higher permission to this rule can issue the LISTUSER command for all userids EXCEPT those userids with SPECIAL, OPERATIONS, or AUDITOR. A user with UPDATE or higher permission to this rule can issue ALTUSER .. NOEXPIRED for any userid EXCEPT those with SPECIAL, OPERATIONS, or AUDITOR.

Here are the RACF commands to let the Helpdesk issue LU and ALU...NOEXPIRED for any userid without SPECIAL, OPERATIONS, or AUDITOR, and to let a userid GEORGE list any such userid:

RDEF FACILITY IRR.LISTUSER UACC(NONE) OWNER(OWNERGRP)... PE IRR.LISTUSER CLASS(FACILITY) ACC(UPDATE) ID(HELPDESK) +
RESET
PE IRR.LISTUSER CLASS(FACILITY) ACC(READ) ID(GEORGE)

(Note that the RESET is to be used only on the first PERMIT command to this rule, since it clears the entire permit list of the rule before adding the new entry. This is to clear out the entry that permits the userid which created the rule to have ALTER access to it. You don't need this if you have specified SETR NOADDCREATOR.)

A Tip on How to Handle Lower Case Characters for the OMVS Segment

Roy McCollough passes this one on through the RACF list server: If you need to enter lower case characters in RACF commands (for example, to specify info for the OMVS segment), you can put single quotes around the data. The single quotes tell TSO not to translate the characters to upper case. For example: 'keep this in lower case'. (To include a single quote in the information, enter three single quotes. For example: 'don'''t make this upper case'. Check your TSO guides for more info. Thanks, Roy.

ITSS Adds Features to RACF Password Cracker Program

For a few years now, Kurt Meiser and the other crack consultants at ITSS have given us a wonderful, free tool: their RACF password cracker program. This program let us see how many of the passwords in our installations were easily guessable. Using this program let us evaluate the quality of passwords in our shop. It also helped us to build a case to our management on the need for a training program to teach users how to make passwords "easy to remember, but difficult to guess". Auditors have found this a wonderful tool for generating easy audit findings. (Talk about a tool you should run yourself before the auditors do it to you!) This program was well designed to prevent abuse by unauthorized users.

ITSS is about to upgrade this tool, adding these features:

• Removal of the restriction of a maximum of 1,000 dictionary elements
• Selectivity of execution, for example, privileged userids, specific groups
• Additional report fields and a summary report
• An exhaustive guessing mechanism (brute force approach)
• Unhashing of hashed passwords if found
• Retrieval of clear text passwords from the TSB if found.

The new version of the cracker program should be available 1Q1999. (We understand that it will be Y2K compliant.) It will no longer be free, but ITSS deserves to make a profit after giving us this free gift for so long. See "Permanently Interesting Products" later in this issue to contact ITSS.

More Re-Structuring of RACF Software Industry

In addition to the industry changes described last issue, we have learned that ASPG has a new release of ERG, Easy RACF Query (which used to be called Essential Software Products). ASPG is also developing a multi-platform security administration and reporting tool. ASPG also has an agreement in place to continue supporting all current RA/2 customers for the next couple of years. See "Permanently Interesting Products" for contact info.

See also other products under "Interesting Product" below.

Fifteen Minute Project to Improve Your RACF Ask your JES system programmer for a list of all the NJE and RJE connections into your computer, and the physical location of each. Each of these represents a path into your system through which four things can enter: batch jobs to be executed, operator commands, printouts to be printed, and punched decks to be punched. Conduct your own risk assessment (for example, would we have a problem if someone at another site submitted a batch job or an operator command to execute on our system? What do we have to protect against it (for example BATCHALLRACF)? How much can we trust the other site? Is it connected by a leased or dial-up line?) Where needed, use resource classes such as those described in the Golf Shirt contest described on page 1, and consider using FACILITY class rules to force the sites to log on through RACF.

Questions and Answers

• Q I want to find out all the dataset rules to which USER02 has any permissions at all. How can I do this in RACF?
• A This is easy. Use the SEARCH command:

  SR USER(USER02) NOMASK CLASS(DATASET)

  (Yes, we know that the default for CLASS is DATASET, but we show it here, so that readers will be ready for the next question, which we have invented, just to make a point.) Please note that this command could affect system performance, since it results in a call to RACF for every dataset rule in the RACF database.

• Q I want to find out all the FACILITY class rules to which USER02 has any permissions at all. How can I do this in RACF?
• A This is easy. Use the SEARCH command:

  SR USER(USER02) NOMASK CLASS(FACILITY)

• Q I want to find out the dataset rules to which USER02 has any permissions at all. However I only want to do this for dataset rules whose names start PROD.PAY and which contain the characters JANFEB anywhere else in the name. Don't I need to put quote marks around the the PROD.PAYROLL, since in contains a period? By the way, I only want to list the names of such dataset rules if they have WARNING turned on.
• A This is easy; and you must NOT put quote marks there. Use the SEARCH command: >P> SR USER(USER02) MASK(PROD.PAY JANFEB) WARNING

NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS

NYRUG: At Our Next Meeting

Mark Nelson of IBM will speak on a topic which will be something like "Secrets of the RACF Wizards: or How to Take Advantage of Under-Used and Under-Appreciated RACF Facilities to Make Your Life as an Administrator Easier". If you want to learn tricks with the SEARCH command, and other ways to be cleverly lazy, then don't miss this goldmine of little known secret techniques. If time permits, Stu Henderson may describe how to prepare to use the Mainframe Firewall tool, a follow-on to his recent "What Mainframers Need to Know and Do About TCP/IP". As always, we will have a question and answer session with some of the keenest RACF minds in the State to answer questions

Time: Wednesday, January 13, 1999 from 1PM until it's too late to go back to the office.

Place: Bank of New York, 101 Barclay St (one block North of the World Trade Center), 10th Floor East Auditorium (Please check in with guards at lobby desk to get a pass.)

==============================================================

BWRUG (Baltimore/Washington RUG):

The BWRUG will not meet this quarter. Please mark your calenders for April 15, 1999. We expect to have a presentation then on the new features of the latest release of RACF.

Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them.

• MegaSolve Security Server Administrator provides these functions: super generic searches, CICS and TSO direct administration functions to support decentralization (for example to let a CICS user reset passwords), an access simulator, extensive resource monitor, customizable reports and command generation, and a fully automated scheduler. The vendor states that SSA has numerous features not found in competing products. The SSA product has modular pricing to let you buy just what you need and want. For info, call toll-free (888) 798-4388.
• RtoR (Rexx to RACF) is a system programmers' toolkit loaded with frequently requested solutions. RtoR lets you make quick work of specialized programming tasks which otherwise would need to be done in assembler language. RtoR can eliminate the need to code your own ICHEINTY macros. It also provides many TSO/ISF command extensions and displays. RtoR provides built-in levels of authority (scoping), limiting capabilities for example to a given department. For info, call Rosalie Eckhaus at (407) 788- 6389.

Permanently Interesting Products Column

We have not evaluated these, but think every RACF shop should know about them.

• ASPG's ERG (Easy RACF Query). Call Cathy Thompson at (800) 662-6090 or cathyt@aspg.com for more info.
• MegaSolve's Security Server Administrator. Phone Bill Tomlinson at (818) 887-4994 for more info.
• CONSUL/RACF Call Brent Phillips at (800) 323-0880 for information. On the Internet: http://www.consul.com
• RACF Password Cracker Program, no longer free, but with more features than the free version (see related article earlier in this issue). Email Kurt Meiser at kmeiser@ibm.net or mail request to ITSS, 11 Phillips Road, Poughkeepsie, NY 12603 USA.
• RA/2. Call Mario Labita at Software Engineering of America at (516) 328-7000.
• ICU MVS Penetration Analysis Tool from Janus Associates. Phone Rick Peterson at (301) 605-0507 for more info.
• RtoR from Open Software Technologies. Call Rosalie Eckhaus at (407) 788-6389 or http://www.open-softech.com/rtor.htm for info.
• TOOLKIT. Call Palace Guard Software (562) 491-4600 for more info.
• Beta System's software for RACF administration. Call (800) 777-9864 for more info.
• Vanguard's Administrator and Sysdata' RIOVISION. Call (714) 939-0377 for more info.
• SecurePass from Proginet to link RACF with Windows NT security. Call (516) 248-3366 for more info.

HG RACF and Security Training 1998 Schedule:

The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog.

  1)        HG04 Effective RACF Administration (formerly called How to Implement and Administer RACF
            Effectively)   ($1695)  
                        Feb. 22-26, 1999 in Clearwater, FL
                        May  17-21, 1999 in Atlanta, GA
                        Sept.27-Oct. 1, 1999 in New York City
                        Nov. 15-19, 1999 in Washington, DC
                        Feb. 21-25, 2000 in Clearwater, FL

  2)        HG05 Advanced RACF Administration  ($850)     
                        June 21-22, 1999 in Denver, CO
                        Sept. 21-22, 1999 in Washington, DC

  3)        HG17 How to Be an Effective OS/390 (MVS) Data Security Officer) (covers CICS, VTAM, DB2, JES, and
            other security along with MVS security, SAF, and OS/390)
            ($1150)
                        Mar. 1-3, 1999 in Clearwater, FL
                        June 16-18, 1999 in Atlanta, GA
                        Oct. 18-20, 1999 in Washington, DC

  4)        HG40 Mastering Windows NT Security ($850)  
                        June 23-24, 1999 in Denver, CO
            [This course will expand to 3 days in the second half of 1999.]                   RACF User Services (Key Phone Numbers / Addresses)

RACF User Services (Key Phone Numbers / Addresses)

• Technical support hotline, Meetings, Free Newsletter subscription, Seminar Catalogs: Stu Henderson - (301) 229-7187 5702 Newington Rd, Bethesda, MD 20816
• NYRUG Computer Security Policy Sharing Libary. Ms. Terry Shoback of Alliance Capital, 1345 Avenue of the Americas, New York, NY 10105, phone (212) 969-6461. (Call to get copies of other companies' policies for your review. Contribute your own company's policy for others to share.)

RACF List Server on the Internet

To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: LISTSERV@uga.cc.uga.edu or LISTSERV@UGA.BITNET

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.

Other Internet places:

• Georgia RUG home page on the Internet http://www.mindspring.com/~ajc10/garug.html
• IBM RACF home page: http://www.s390.ibm.com/products/racf/racfh.html
• IBM S/390 home page, including RACF: http://www.s390.ibm.com
• IBM FTP site, including RACF stuff: lscftp.kgn.ibm.com
• IBM Secureway site: http://www.ibm.com/security
• IBMLink at: http://www.ibmlink.com
• Beta Systems: http://www.betasystems.com
• MegaSolve: http://www.megasolve.com
• Proginet: http://www.proginet.com
• Consul: http://www.consul.com
• Vanguard (and SysData): http://www.viplink.com
• the Henderson Group: http://www.stuhenderson.com/index.html