SECURITY & COMPLIANCE CONFERENCE 2016
Ernie Englehart
Senior QA Analyst
VSS15
“Spring Cleaning” your RACF Database with
Vanguard Cleanup
-
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license
to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
©2016 Vanguard Integrity Professionals, Inc. 2
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
-
Trademarks
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
-
Vanguard Cleanup
Why use Vanguard Cleanup™?
Performance: Smaller RACF® DB, faster authorization checking
Fewer Audit Findings: Clean access lists, fewer profiles to review
RACF Administration Productivity: Smaller RACF database eases and shortens maintenance tasks, reduces errors
Security: Unused profiles are removed, eliminating security exposures
-
AGENDA
Technical Overview
Maintenance Tasks and Status
Reports and Command Generation
Summary and Questions
-
TECHNICAL OVERVIEW
-
What is Vanguard Cleanup
Vanguard Cleanup provides reports and generates commands to clean up and restore “unreferenced”:
User Profiles
Group Profiles
Data Set Profiles
General Resource Profiles
Standard Access List Permissions
Conditional Access List Permissions
-
To use Vanguard Cleanup, you must have authorization to FACILITY class profiles:
IRR.RADMIN.** – to access the Manage Exclusions and Manage User Correlation features
VCL$.REPORTS – to create Vanguard Cleanup reports
VCL$.VCLCMND – to generate RACF commands
VRA$.VRAEXTR – to create VRA extract files
-
Vanguard Cleanup Process Flow
-
Vanguard Cleanup Components
The Capture Component: Exits
Standard RACF Post-Processing Exits are used to capture authorization requests:
ICHRCX02 (AUTH)
ICHRFX02 (FASTAUTH)
ICHRFX04 (FASTAUTH)
ICHRIX02 (VERIFY(x))
Dynamically installed when the Vanguard Cleanup Started Task initializes and remain active until the next IPL.
Deactivated when the Vanguard Cleanup Started task terminates.
Existing exits are front-ended and remain active in the system.
-
Vanguard Cleanup Components
The Started Task:
Gathers data in real time, which is buffered into a common data space and passed to a Vanguard Cleanup History Master File by an asynchronous collection process.
Moves the data collected in the Vanguard Cleanup data space to the Vanguard Cleanup History Master File. This automated process is called the Offload Process.
Updates the Vanguard Offline History Master File if Vanguard Offline is activated.
Filters data through use of VCLFILTR member in VANOPTS.
-
Vanguard Cleanup Started Task Operator Commands
-
Vanguard Cleanup Started Task Current Status Report
-
Vanguard Cleanup Started Task Current Totals Report
-
Vanguard Cleanup Components: VCLFILTR member of VANOPTS
-
Vanguard Cleanup Components: VCLFILTR member of VANOPTS (cont.)
-
Vanguard Cleanup Components: History Master File
The Vanguard Cleanup History Master File:
Contains all normalized profile authorization requests.
Normalization allows Vanguard Cleanup to reduce the amount of duplicated data.
For example, if Vanguard Cleanup identified 20 authorization requests for a profile by a particular User ID and access intent level, it reduces that amount down to 1 record for the most recent access.
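The normalization step described above, worked through as an added example (this is illustrative code written for this transcript, not Vanguard's product code). The record layout, the sample requests and the field names are assumptions made for the example; the only rule taken from the slide is that all requests for one profile by one user at one access intent collapse to a single record for the most recent access.

```python
"""Normalize captured RACF authorization requests the way the History Master
File is described as doing: many requests for the same profile by the same
user ID at the same access intent collapse to one record, the most recent.
Added example; not Vanguard's code. Record layout is assumed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthRequest:
    """One captured authorization request (layout assumed for this example)."""
    racf_class: str      # e.g. DATASET, FACILITY
    profile: str         # the profile that answered the request
    userid: str          # requesting user ID
    access: str          # access intent, e.g. READ, UPDATE
    timestamp: datetime  # when the exit captured the request


def normalize(requests):
    """Collapse requests to one record per (class, profile, userid, access),
    keeping the record with the most recent timestamp.
    Returns a dict keyed by that tuple."""
    latest = {}
    for r in requests:
        key = (r.racf_class, r.profile, r.userid, r.access.upper())
        if key not in latest or r.timestamp > latest[key].timestamp:
            latest[key] = r
    return latest


def last_reference(normalized, racf_class, profile):
    """Most recent reference to a profile across all users and access
    intents, or None if the history holds no reference to it. This is the
    value an 'unreferenced' report would compare against its cut-off date."""
    hits = [r.timestamp for (c, p, _, _), r in normalized.items()
            if c == racf_class and p == profile]
    return max(hits) if hits else None


# Constructed sample mirroring the slide: 20 READ requests by USER01 against
# one data set profile, plus a few other references to show they are kept apart.
_base = datetime(2016, 3, 1, 8, 0)
SAMPLE = [AuthRequest("DATASET", "PROD.PAYROLL.**", "USER01", "READ",
                      _base.replace(minute=i)) for i in range(20)]
SAMPLE += [
    AuthRequest("DATASET", "PROD.PAYROLL.**", "USER01", "UPDATE",
                datetime(2016, 3, 2, 9, 30)),
    AuthRequest("DATASET", "PROD.PAYROLL.**", "USER02", "READ",
                datetime(2016, 2, 28, 17, 45)),
    AuthRequest("FACILITY", "BPX.SUPERUSER", "USER01", "READ",
                datetime(2016, 3, 1, 12, 0)),
]

if __name__ == "__main__":
    history = normalize(SAMPLE)
    print(len(SAMPLE), "captured requests ->", len(history), "history records")
    for key, rec in sorted(history.items()):
        print(key, rec.timestamp.isoformat())
    print("last reference to PROD.PAYROLL.**:",
          last_reference(history, "DATASET", "PROD.PAYROLL.**"))
```

The 23 constructed requests reduce to 4 history records; the 20 READ requests by USER01 survive as a single record carrying the latest of their timestamps, while the UPDATE request and USER02's request stay separate because access intent and user ID are part of the key.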
-
Vanguard Cleanup Report Component
The Report Component: Interfaces with a Vanguard Administrator Extract File to generate usage reports.
Reports:
History Collection Detail
Unreferenced Datasets
Unreferenced Resources
Unreferenced Groups
Unreferenced Userids
Unreferenced Access Permissions
Unreferenced Connects
History Collection Verify(x) Access
Can generate: Cleanup Commands, Restore Commands
-
Invoking Vanguard Cleanup
-
Vanguard Cleanup Available Options Members
-
Vanguard Cleanup Main Menu
-
Initialize Cleanup Options
-
Batch Job Defaults
-
Batch Job Parameter Defaults
-
MAINTENANCE TASKS AND STATUS
-
Status and Counters
-
Vanguard Cleanup Status and Counters Panel
-
Maintenance Tasks
-
Manage Exclusions
-
Manage Exclusion Criteria – Users
-
Manage User Exclusion Criteria
-
Manage Exclusion Criteria – Groups
-
Manage Group Exclusion Criteria
-
Manage Exclusion Criteria – Dataset Profiles
-
Manage Dataset Exclusion Criteria
-
Manage Exclusion Criteria – Classes
-
Manage Class Exclusion Criteria
-
Manage Exclusion Criteria – General Resource Profiles
-
Manage Profile Exclusion Criteria
-
Manage User Correlations
-
List User IDs By Correlation Sets
-
Excluded Classes
The following classes are excluded from Vanguard Cleanup reporting:
• CDT
• CFIELD
• DIGTCERT
• DIGTCRIT
• DIGTNMAP
• DIGTRING
• GLOBAL
• KERBLINK
• KEYSMATR
• PROGRAM
• PTKTDATA
• REALM
• STARTED
• VMSEGMT
• All Grouping classes
-
Excluded General Resource Profiles
Excluded Resource Profiles
• FACILITY: BPX.DEFAULT.USER, BPX.NEXT.USER, BPX.UNIQUE.USER, BPX.MAINCHECK, BPX.SAFFASTPATH, BPX.SMF
• UNIXPRIV: CHOWN.RESTRICTED, FILE.GROUPOWNER.SETGID, RESTRICTED.FILESYS.ACCESS, SHARED.IDS
• (ALL): * and **
Excluded Resource Profiles by HLQ
• OPERCMDS: VCL$
• FACILITY: All Vanguard (VRA$, VRC$, VSR$, …)
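The two exclusion slides above describe a filter that decides which general resource profiles may appear on an unreferenced-resources report at all. The following is an added example of such a filter, written for this transcript and not taken from Vanguard's product: the class, profile and high-level-qualifier exclusions are the ones listed on the slides, while the extract and history shapes, the `GROUPING_CLASSES` stand-in set and every profile name in the constructed sample are assumptions.

```python
"""Select general resource profiles that are reportable as unreferenced,
applying exclusion rules like those on the slides: whole classes, grouping
classes, specific profiles, catch-all profiles, and Vanguard's own HLQs.
Added example, not Vanguard's code; input shapes are assumed."""

# Classes never reported (from the slide).
EXCLUDED_CLASSES = {
    "CDT", "CFIELD", "DIGTCERT", "DIGTCRIT", "DIGTNMAP", "DIGTRING", "GLOBAL",
    "KERBLINK", "KEYSMATR", "PROGRAM", "PTKTDATA", "REALM", "STARTED", "VMSEGMT",
}
# The slide excludes all grouping classes; a real tool would read them from the
# class descriptor table. This small set is a constructed stand-in.
GROUPING_CLASSES = {"GCICSTRN", "GDASDVOL", "GTERMINL"}

# Specific profiles never reported, per class (from the slide).
EXCLUDED_PROFILES = {
    "FACILITY": {"BPX.DEFAULT.USER", "BPX.NEXT.USER", "BPX.UNIQUE.USER",
                 "BPX.MAINCHECK", "BPX.SAFFASTPATH", "BPX.SMF"},
    "UNIXPRIV": {"CHOWN.RESTRICTED", "FILE.GROUPOWNER.SETGID",
                 "RESTRICTED.FILESYS.ACCESS", "SHARED.IDS"},
}
# High-level qualifiers that mark Vanguard's own profiles (from the slide).
EXCLUDED_HLQ = {"OPERCMDS": {"VCL$"}, "FACILITY": {"VRA$", "VRC$", "VSR$"}}


def is_excluded(racf_class, profile):
    """True if the exclusion rules say this profile must never be reported."""
    if racf_class in EXCLUDED_CLASSES or racf_class in GROUPING_CLASSES:
        return True
    if profile in ("*", "**"):            # catch-all profiles, any class
        return True
    if profile in EXCLUDED_PROFILES.get(racf_class, set()):
        return True
    hlq = profile.split(".", 1)[0]        # text before the first period
    return hlq in EXCLUDED_HLQ.get(racf_class, set())


def unreferenced_resources(extract, history):
    """extract: iterable of (class, profile) pairs from the administrator
    extract file; history: set of (class, profile) pairs that appear in the
    normalized history file. Returns the sorted list of reportable profiles
    that have no recorded reference."""
    return sorted(cp for cp in extract
                  if cp not in history and not is_excluded(*cp))


# Constructed sample extract; the comments give the expected outcome.
EXTRACT = [
    ("FACILITY", "BPX.SUPERUSER"),      # referenced -> not reported
    ("FACILITY", "BPX.DEFAULT.USER"),   # excluded by name
    ("FACILITY", "VRA$.VRAEXTR"),       # excluded by HLQ (Vanguard's own)
    ("FACILITY", "APP.OLDFEATURE"),     # never referenced -> reported
    ("OPERCMDS", "VCL$.START"),         # excluded by HLQ (constructed name)
    ("OPERCMDS", "MVS.DISPLAY.JOB"),    # referenced -> not reported
    ("DIGTCERT", "SOMECERT"),           # excluded class
    ("GCICSTRN", "PAYTRANS"),           # grouping class
    ("SURROGAT", "*"),                  # catch-all profile
    ("SURROGAT", "USER99.SUBMIT"),      # never referenced -> reported
]
HISTORY = {("FACILITY", "BPX.SUPERUSER"), ("OPERCMDS", "MVS.DISPLAY.JOB")}

if __name__ == "__main__":
    for cls, prof in unreferenced_resources(EXTRACT, HISTORY):
        print(f"unreferenced: {cls} {prof}")
```

Only `FACILITY APP.OLDFEATURE` and `SURROGAT USER99.SUBMIT` come out as reportable; everything else is either referenced in the history or caught by one of the exclusion rules. Keeping the exclusion logic separate from the "not in history" test makes it easy to see why a profile that is genuinely never used (such as a `BPX.*` setup profile) still stays off the delete list.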
-
REPORTS AND COMMAND GENERATION
-
Report & Command Generation
-
History Collection Detail
-
JCL Submit Processing Panel
-
History Collection Detail Report
-
History Collection Verify(x) Access
-
History Collection Verify(x) Access Report
-
Unreferenced Datasets
-
Unreferenced Datasets Report – Page 1
-
Unreferenced Datasets Report – Page 2
-
Unreferenced Datasets Report – Page 3
-
Unreferenced Datasets Report – Command Datasets
-
Unreferenced Datasets Report – RACF Delete Commands
-
Unreferenced Datasets Report – RACF Recovery Commands
-
Unreferenced Datasets Report – Enhanced Masking
-
Unreferenced Datasets Report – Enhanced Masking Fields
-
Unreferenced Datasets Report – Enhanced Masking Fields (cont.)
-
Unreferenced Resources
-
Unreferenced Resources Report
-
Unreferenced Resources Report – Enhanced Masking
-
Unreferenced Groups
-
Unreferenced Groups Report
-
Unreferenced Groups Report – Enhanced Masking
-
Unreferenced Userids
-
Unreferenced Userids Report
-
Unreferenced Userids Report – Enhanced Masking
-
Unreferenced Userids Report – Enhanced Masking (cont.)
-
Unreferenced Userids Report – Additional Parameter
OWNER_NOTIFY
Specifies the ID to be used in OWNER and NOTIFY keywords if the obsolete user ID is the owner of any resources or is defined to be notified of anything. If not specified, the old user ID is used with question marks.
NOTE: RACF commands with question marks in user or group IDs will fail.
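What OWNER_NOTIFY changes in the generated command deck, and why the NOTE matters, as an added example written for this transcript (not Vanguard's code): resources owned by, or set to notify, an obsolete user ID get a new OWNER or NOTIFY value before the user is deleted, and a check run over the deck catches any command still carrying a question-mark placeholder. The command text (ALTDSD for data set profiles, RALTER for other classes, then DELUSER), the exact placeholder format, and the constructed sample IDs and profiles are assumptions.

```python
"""Build the owner/notify reassignment and delete commands for obsolete user
IDs, with and without an OWNER_NOTIFY value, and flag commands that would
fail because an ID still contains question marks.
Added example, not Vanguard's code; command layout and placeholder assumed."""


def owner_placeholder(old_userid):
    """Placeholder used when no OWNER_NOTIFY is given: the old ID marked
    with question marks. The slide only says question marks are used; the
    exact format here is an assumption."""
    return f"?{old_userid}?"


def alter_cmd(racf_class, profile, keyword):
    """One RACF command that changes OWNER or NOTIFY on a profile."""
    if racf_class == "DATASET":
        return f"ALTDSD '{profile}' {keyword}"
    return f"RALTER {racf_class} {profile} {keyword}"


def build_commands(obsolete_users, owned, notified, owner_notify=None):
    """obsolete_users: user IDs reported unreferenced.
    owned: {userid: [(class, profile), ...]} resources the user owns.
    notified: {userid: [(class, profile), ...]} resources whose NOTIFY names
    the user. owner_notify: the OWNER_NOTIFY parameter, or None.
    Returns the command lines: reassign ownership and notification for each
    user, then delete the user."""
    cmds = []
    for uid in obsolete_users:
        new_id = owner_notify or owner_placeholder(uid)
        for cls, prof in owned.get(uid, []):
            cmds.append(alter_cmd(cls, prof, f"OWNER({new_id})"))
        for cls, prof in notified.get(uid, []):
            cmds.append(alter_cmd(cls, prof, f"NOTIFY({new_id})"))
        cmds.append(f"DELUSER {uid}")
    return cmds


def invalid_commands(cmds):
    """Commands that would fail as submitted because a user or group ID still
    holds question marks (the NOTE on the slide). Run this over a generated
    deck before submitting it."""
    return [c for c in cmds if "?" in c]


# Constructed sample: two obsolete IDs, one owning profiles, one named in NOTIFY.
OBSOLETE = ["OLDUSR1", "OLDUSR2"]
OWNED = {"OLDUSR1": [("DATASET", "PROD.OLDAPP.**"), ("FACILITY", "APP.OLDFEATURE")]}
NOTIFIED = {"OLDUSR2": [("DATASET", "PROD.BACKUP.**")]}

if __name__ == "__main__":
    print("-- with OWNER_NOTIFY(SECADM) --")
    for c in build_commands(OBSOLETE, OWNED, NOTIFIED, owner_notify="SECADM"):
        print(c)
    print("-- without OWNER_NOTIFY --")
    deck = build_commands(OBSOLETE, OWNED, NOTIFIED)
    for c in deck:
        print(c)
    print("commands that would fail:", len(invalid_commands(deck)))
```

With OWNER_NOTIFY set to a real ID the deck contains five commands and none of them would fail; without it, the three reassignment commands carry the placeholder and the check lists all three, which is the situation the NOTE describes.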
-
Unreferenced Access Permissions
-
Unreferenced Group Access Permissions Report
-
Unreferenced User Access Permissions Report
-
Obsolete IDs Access Report
-
Unreferenced Access Permissions Report – Enhanced Masking
-
Unreferenced Access Permissions Report – Redesigned (Q416)
-
Unreferenced Connects
-
Unreferenced Connects Report
-
Unreferenced Connects Report – Enhanced Masking
-
SUMMARY AND QUESTIONS
-
Vanguard Cleanup Summary
What’s the Value?
Performance: Smaller RACF database, fewer profiles loaded into main storage, faster authorization checking
Fewer Audit Findings: Clean access lists, fewer profiles to review
RACF Administration Productivity: Smaller RACF database eases and shortens maintenance tasks, reduces errors
Security: Unused profiles are removed, security exposures are reduced
-
Conclusion
Questions?
-
Thank you!
Ernie Englehart
(702) 794-0014