RACF Overview · 2016-11-07 · Vanguard Security & Compliance 2016


SECURITY & COMPLIANCE CONFERENCE 2016

RACF Overview

John Hilman

Vanguard Professional Services

BAS1


VANGUARD SECURITY & COMPLIANCE 2016

Legal Notice

Copyright

©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.

Trademarks

The following are trademarks of Vanguard Integrity Professionals – Nevada:


Vanguard Administrator

Vanguard Advisor

Vanguard Analyzer

Vanguard SecurityCenter

Vanguard Offline

Vanguard Cleanup

Vanguard PasswordReset

Vanguard Authenticator

Vanguard inCompliance

Vanguard IAM

Vanguard GRC

Vanguard QuickGen

Vanguard Active Alerts

Vanguard Configuration Manager

Vanguard Configuration Manager Enterprise Edition

Vanguard Policy Manager

Vanguard Enforcer

Vanguard ez/Token

Vanguard Tokenless Authenticator

Vanguard ez/PIV Card Authenticator

Vanguard ez/Integrator

Vanguard ez/SignOn

Vanguard ez/Password Synchronization

Vanguard Security Solutions

Vanguard Security & Compliance

Vanguard zSecurity University


Trademarks

Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.

Other company, product, and service names may be trademarks or service marks of others.

The following are trademarks or registered trademarks of the International Business Machines Corporation:

CICS

CICSPlex

DB2

eServer

IBM

IBM z

IBM z Systems

IBM z13

S/390

System z

System z9

System z10

System/390

VTAM

WebSphere

z Systems

z9

z10

z13

z/Architecture

z/OS

z/VM

zEnterprise

IMS

MQSeries

MVS

NetView

OS/390

Parallel Sysplex

RACF

RMF


Session Topics

• What is RACF®?

• Components of RACF

• How we Interface with RACF

• Functions of RACF


What Makes a Mainframe?

[Diagram: a mainframe as hardware and software. Labels: z/OS®, TSO, DB2®, JES, IMS™, CICS®, UNIX®, Applications, Storage, DASD (VOL123, VOL987)]


Security on the Mainframe

[Diagram labels: Top Secret, ACF2, RACF]


What is RACF?

RESOURCE ACCESS CONTROL FACILITY

• A Security Program

• A component of the Security Server for z/OS

• Controls what can be done on z/OS

• Protects the resources

• Provides security by:

– Identifying and verifying users

– Authorizing users to access protected resources

– Recording and reporting access attempts


Passive System

• RACF is a PASSIVE SYSTEM when shipped; by default, RACF protects NOTHING

• USERS and RESOURCES must be defined to RACF

• RACF must be CALLED by RESOURCE MANAGERS

• RACF can be implemented in phases

• RACF provides for CENTRALIZED and DECENTRALIZED administration


RACF Release History

Significant RACF Releases

• RACF Version 1.1 SEP 1976

– First release of RACF

– User identification/verification

– Data set authorization checking

• RACF Version 1.3 JUL 1978

– General resources

• RACF Version 1.5 SEP 1983

– Generic profiles

– Global Access Check table


RACF Release History

Significant RACF Releases

• RACF Version 1.9 SEP 1990

– MLS Support

– Data Base Unload

• RACF Version 2.1 JUN 1994

– OpenEdition MVS™

– STARTED class profiles

– SMF data unload

• RACF Version 2.2 SEP 1995

– RACF Remote Sharing (RRSF)

– Remove ID Utility


RACF Release History

MVS Evolution to OS/390®

• OS/390 Security Server

– RACF and other OS/390 security related software components

• Version 1.1 MAR 1996

– Same functions as RACF 2.2

• Version 2.8 SEP 1999

– UNIXPRIV class profiles

– PROTECTED user IDs

• Version 2.10 SEP 2000

– AIM


RACF Release History

OS/390 Version 2 Evolution to z/OS Version 1

• z/OS V1Rn.0 SecureWay Security Server

– RACF and other security related components

• Version 1.1 MAR 2001

• Version 1.2 SEP 2001

– UNIVERSAL Groups

• z/OS V1Rn.0 Security Server

• Version 1.3 MAR 2002

– ACLs

• Version 1.4 SEP 2002

– Unique UNIX Identity


RACF Release History

Evolution of z/OS Version 1

• z/OS V1Rn.0 Security Server

• Version 1.5 SEP 2003

– DB2 Version 8 Support

• Version 1.6 SEP 2004

– Dynamic CDT

• Version 1.7 SEP 2005

– Mixed-Case Passwords

– NORESUME and NOREVOKE on ALTUSER


RACF Release History

Evolution of z/OS Version 1

• z/OS V1Rn.0 Security Server

• Version 1.8 SEP 2006

– Support for Password Phrases from 14 to 100 characters

• Version 1.9 SEP 2007

– Support for Password Phrases from 9 to 100 characters


RACF Release History

Evolution of z/OS Version 1

• z/OS V1Rn.0 Security Server

• Version 1.10 SEP 2008

– Password Phrase Exploitation – TSO, UNIX, LDAP

– Granular Password Resets

– Custom User and Group Fields

• Version 1.11 SEP 2009

– Automatically assign unique UIDs and GIDs through UNIX applications

– REXX interface to extract RACF profile and SETROPTS information


RACF Release History

Evolution of z/OS Version 1

• z/OS V1Rn.0 Security Server

• Version 1.12 SEP 2010

– Generic profile load performance improvements

– "Ghost" generic profile avoidance

• Version 1.13 SEP 2011

– TCP/IP support for the RACF Remote Sharing Facility (RRSF)


RACF Release History

Evolution of z/OS Version 2

• z/OS V2Rn.0 Security Server

• Version 2.1 SEP 2013

– New health checks

– RACDCERT enhancements

– Support for &RACUID in BPX.UNIQUE.USER

• Version 2.2 SEP 2015

– ROAUDIT attribute for listing profiles

– Additional special characters for passwords

– KDFAES algorithm for password encryption


Components of RACF

A Series of Programs

A Database

Log Records

A Series of Commands

A Set of Tables


A Series of Programs

Processing Programs

• Executable Load Modules

– ICHnnnnn

– IRRnnnnn

• Macros

– RACROUTE

– ICHEINTY

– Other Macros

• Exits


A Series of Programs

Utilities

• Database Utilities

• Audit Utilities


A Series of Programs

TSO Command Processors

• Executable Load Modules

• RACF Commands

• Main Module and Alias

– ADDUSER – AU


Control of System Resources

• RACF needs to know:

– what protection is appropriate for a resource

– user access requirements

• Where does RACF keep the information?

– kept in RACF Profiles

• Where does RACF keep the Profiles?

– kept in the RACF Data Base


RACF Database

RACF DATA SETS

• One or more

• Primary and Backup

• Physical Sequential Internally Structured


RVARY LIST

ICH15013I RACF DATABASE STATUS:
ACTIVE  USE   NUMBER  VOLUME  DATASET
------  ----  ------  ------  -------
YES     PRIM  1       VIPPS1  SYS1.VAN.RACFPRIM
YES     BACK  1       VIPPS2  SYS1.VAN.RACFBACK


RACF Profile Types

RACF DATABASE

• GROUP PROFILES

• DATASET PROFILES

• USER PROFILES

• GENERAL RESOURCE PROFILES


Summary of RACF Profile Types

[Diagram relating the profile types. Labels: USER, GROUP, CONNECT, DATASET(s) and GENERAL RESOURCES, PERMIT'ed]


What is Logging?

• Logging is the recording of data about specific events.

• It is the key to auditing the use of RACF at your installation.

• RACF uses the system management facilities (SMF) to log data.


Log Records

What are Log Records?

• RACF Security Event Records

• Written to z/OS System Management Facility (SMF) Data Sets

• SMF Record types 80, 81, and 83

What determines which security events are recorded?

• RACF System-wide Options settings (LOGOPTIONS)

• RACF User Profile attribute (UAUDIT)

• RACF Resource Profile auditing options (AUDIT/GLOBALAUDIT)


RACF Data Base and Commands

ALU userid PA(pass) RESUME

[Diagram: RACF DATA BASE containing USER, GROUP, DATA SET and GENERAL RESOURCE profiles]


Interacting With RACF

• From the READY prompt

• Using RACF Panels

• Submitting Batch jobs

• Executing a CLIST

• Using Vanguard


Types of Commands


• ADD

• MODIFY

• LIST

• DELETE

• OTHER


Command Names & Aliases

COMMAND TYPES   PROFILE TYPES
                GROUPS          USERS          DATASETS      GENERAL RESOURCES
ADD             ADDGROUP (AG)   ADDUSER (AU)   ADDSD (AD)    RDEFINE (RDEF)
MODIFY          ALTGROUP (ALG)  ALTUSER (ALU)  ALTDSD (ALD)  RALTER (RALT)
LIST            LISTGRP (LG)    LISTUSER (LU)  LISTDSD (LD)  RLIST (RL)
DELETE          DELGROUP (DG)   DELUSER (DU)   DELDSD (DD)   RDELETE (RDEL)

OTHER

• PASSWORD (PW)

• CONNECT (CO)

• REMOVE (RE)

• RVARY (Deactivate/Activate RACF Database(s))

• PERMIT (PE)

• SEARCH (SR)

• SETROPTS (SETR) (System-wide RACF Options)


Command Components

Command name

• Must be spelled correctly

• Full name or alias only

– ADDUSER or AU

– CONNECT or CO

– RDEFINE or RDEF

– PERMIT or PE


Command Components

Positional Parameter(s)

• Always the first parameter(s)

– au JIM

– ag PAYROLL

– ad 'PAYROLL.MASTER.**'

• Special case for datasets - use quotes around profile name

• If you don’t, TSO PROFILE PREFIX applies

– rdef FACILITY VRA$.SCOPE


Command Components

Keyword Parameters

• Must be spelled correctly

• Can be entered anywhere after positional parameters in any order

• TSO parse rules apply

• Shortest spelling that is unique can be used

– alu bobs RESUME

– alu bobs RESTRICTED

– alu bobs RES

• will cause an error, because RES matches both RESUME and RESTRICTED

• alu bobs RESU

• alu bobs REST


Command Components

Keyword Parameter Values, cont

• Special cases

– imbedded blanks in value fields

– imbedded quotes in value fields

– alu bobs NAME(BOB SMITH)

• will truncate to just BOB

• SMITH will be an invalid keyword

– alu bobs NAME('BOB SMITH')

– alu jim DATA('100 So. Anita DR, Orange CA 92868')

– alu sean NAME('SEAN O''BRIEN')

• results – SEAN O'BRIEN
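The abbreviation and quoting rules from the two Command Components slides above, as a simplified Python model. This is an added example, not part of the original presentation and not TSO's actual parser. The keyword tuple is an assumed subset of ALTUSER keywords taken from this deck, and all function names are hypothetical.

```python
# Simplified model of the slide rules; not TSO's actual command parser.
# Assumed subset of ALTUSER keywords, limited to ones that appear in this deck.
ALTUSER_KEYWORDS = ("DATA", "NAME", "NORESUME", "NOREVOKE",
                    "PASSWORD", "RESTRICTED", "RESUME")


class ParseError(ValueError):
    """Raised for an invalid or ambiguous keyword or a malformed value."""


def resolve_keyword(abbrev, keywords=ALTUSER_KEYWORDS):
    """Expand an abbreviation to the one keyword it identifies."""
    word = abbrev.upper()
    if word in keywords:
        return word
    matches = [k for k in keywords if word and k.startswith(word)]
    if len(matches) == 1:
        return matches[0]
    if matches:
        raise ParseError(f"ambiguous keyword {abbrev}: {' or '.join(matches)}")
    raise ParseError(f"invalid keyword: {abbrev}")


def read_value(text, pos):
    """Read '(value)' at text[pos]; return (value, stray_words, next_pos)."""
    pos += 1
    if text[pos:pos + 1] != "'":
        # Unquoted: the value ends at the first blank, the rest are stray words.
        end = text.find(")", pos)
        if end < 0:
            raise ParseError("missing ')'")
        words = text[pos:end].split()
        return (words[0] if words else ""), words[1:], end + 1
    out, pos = [], pos + 1
    while pos < len(text):
        if text[pos] != "'":
            out.append(text[pos])
            pos += 1
        elif text[pos + 1:pos + 2] == "'":
            out.append("'")          # '' inside quotes is one literal quote
            pos += 2
        else:
            break                    # closing quote
    else:
        raise ParseError("unterminated quoted value")
    if text[pos + 1:pos + 2] != ")":
        raise ParseError("expected ')' after quoted value")
    return "".join(out), [], pos + 2


def parse_altuser(command):
    """Parse 'alu userid keywords...' into (userid, {keyword: value})."""
    parts = command.strip().split(None, 2)
    if len(parts) < 2 or parts[0].upper() not in ("ALU", "ALTUSER"):
        raise ParseError("expected ALTUSER or ALU followed by a user ID")
    rest = parts[2] if len(parts) > 2 else ""
    options, pos = {}, 0
    while pos < len(rest):
        if rest[pos].isspace():
            pos += 1
            continue
        start = pos
        while pos < len(rest) and not rest[pos].isspace() and rest[pos] != "(":
            pos += 1
        keyword, value, stray = resolve_keyword(rest[start:pos]), None, []
        if rest[pos:pos + 1] == "(":
            value, stray, pos = read_value(rest, pos)
        options[keyword] = value
        for word in stray:           # e.g. SMITH in NAME(BOB SMITH)
            options[resolve_keyword(word)] = None
    return parts[1].upper(), options


def explain(command):
    """Return the parsed result, or the error text for a rejected command."""
    try:
        return parse_altuser(command)
    except ParseError as err:
        return f"ERROR: {err}"
```

Calling `explain("alu bobs RES")` returns the ambiguity error, which is why command scripts and batch jobs are safer with full keyword spellings than with abbreviations.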


From the READY Prompt

“I forgot my password, can you help me?”


RACF Panels – User Profiles


RACF Panels


Commands From Batch Jobs


Command List (CLIST)


Executing a CLIST


Using Vanguard Administrator™


Using Vanguard SecurityCenter™


Click Help Desk button

Enter User ID


Help Desk Administration

Enter New Password and Verify, uncheck Revoked, then press OK


RACF Tables

• Database Name Table

• Range Table

• Started Procedures Table

• Global Access Table

• Class Descriptor Table

• Router Table

• Authorized Caller Table

• Naming Convention Table


RACF Providing Security


User ID Authorization

[Diagram: Function #1, User Identification and Verification. Labels: users Tom, Mary and Joe; MVS; LOGON; user IDs TOM, MARY, JOE; RACF Data Base; ACEE for TOM]


Resource Authorization Checking

[Diagram: Function #2, Resource Authorization Checking. Labels: users Tom, Mary and Joe; MVS; user IDs TOM, MARY, JOE; RACF Data Base; Resource Profiles; CICS Transactions; Data Sets; Tape Processing; IMS Transactions]


Security Administration

[Diagram: Function #3, Security Administration. Labels: MVS; SPECIAL; RACF Commands; RACF Data Base; User Profiles; Group Profiles; Data Set Profiles; Resource Profiles]


Surveillance - Logging and Reporting

[Diagram: Function #4, Surveillance (logging and reporting). Labels: MVS; Access Attempts; Resource Profiles; CICS Transactions; Data Sets; Tape Processing; IMS Transactions; RACF Data Base; SMF Records; AUDITOR]