RACF Overview, Vanguard Security & Compliance 2016, 2016-11-07
TRANSCRIPT
SECURITY & COMPLIANCE CONFERENCE 2016
RACF Overview
John Hilman
Vanguard Professional Services
BAS1
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license
to view these materials for your organization’s internal purposes. Any unauthorized
reproduction, distribution, exhibition or use of these copyrighted materials is expressly
prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
©2016 Vanguard Integrity Professionals, Inc. 2
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
The following are trademarks or registered trademarks of the International Business Machines Corporation:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries.
Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation.
Other company, product, and service names may be trademarks or service marks of others.
Session Topics
• What is RACF®?
• Components of RACF
• How we Interface with RACF
• Functions of RACF
What Makes a Mainframe?
(Diagram: the mainframe as hardware plus software. Hardware: processor and storage, with DASD volumes such as VOL123 and VOL987. Software: z/OS® with its subsystems TSO, JES, UNIX®, DB2®, IMS™ and CICS®, and the applications that run on them.)
Security on the Mainframe
The three external security managers (ESMs) available for z/OS:
• Top Secret (CA)
• ACF2 (CA)
• RACF (IBM)
What is RACF?
RESOURCE ACCESS CONTROL FACILITY
• A Security Program
• A component of the Security Server for z/OS
• Controls what can be done on z/OS
• Protects the resources
• Provides security by:
– Identifying and verifying users
– Authorizing users to access protected resources
– Recording and reporting access attempts
Passive System
• RACF is a PASSIVE SYSTEM when shipped; by default, RACF protects NOTHING
• USERS and RESOURCES must be defined to RACF
• RACF must be CALLED by RESOURCE MANAGERS (through the RACROUTE macro; RACF does not intercept anything on its own)
• RACF can be implemented in phases
• RACF provides for CENTRALIZED and DECENTRALIZED administration
RACF Release History
Significant RACF Releases
• RACF Version 1.1 SEP 1976
  – First release of RACF
  – User identification/verification
  – Data set authorization checking
• RACF Version 1.3 JUL 1978
  – General resources
• RACF Version 1.5 SEP 1983
  – Generic profiles
  – Global Access Check table
• RACF Version 1.9 SEP 1990
  – MLS (multilevel security) support
  – Data Base Unload (IRRDBU00)
• RACF Version 2.1 JUN 1994
  – OpenEdition MVS™
  – STARTED class profiles
  – SMF data unload (IRRADU00)
• RACF Version 2.2 SEP 1995
  – RACF Remote Sharing Facility (RRSF)
  – Remove ID Utility (IRRRID00)

MVS Evolution to OS/390®
• OS/390 Security Server: RACF and other OS/390 security related software components
• Version 1.1 MAR 1996
  – Same functions as RACF 2.2
• Version 2.8 SEP 1999
  – UNIXPRIV class profiles
  – PROTECTED user IDs
• Version 2.10 SEP 2000
  – AIM (Application Identity Mapping)

OS/390 Version 2 Evolution to z/OS Version 1
• z/OS V1Rn.0 SecureWay Security Server: RACF and other security related components
  • Version 1.1 MAR 2001
  • Version 1.2 SEP 2001
    – UNIVERSAL groups
• z/OS V1Rn.0 Security Server
  • Version 1.3 MAR 2002
    – ACLs (z/OS UNIX access control lists)
  • Version 1.4 SEP 2002
    – Unique UNIX identity

Evolution of z/OS Version 1 (z/OS V1Rn.0 Security Server)
• Version 1.5 SEP 2003
  – DB2 Version 8 support
• Version 1.6 SEP 2004
  – Dynamic CDT (class descriptor table entries defined as CDT class profiles)
• Version 1.7 SEP 2005
  – Mixed-case passwords
  – NORESUME and NOREVOKE on ALTUSER
• Version 1.8 SEP 2006
  – Support for password phrases from 14 to 100 characters
• Version 1.9 SEP 2007
  – Support for password phrases from 9 to 100 characters (9 to 13 only when the ICHPWX11 exit allows it)
• Version 1.10 SEP 2008
  – Password phrase exploitation: TSO, UNIX, LDAP
  – Granular password resets
  – Custom user and group fields
• Version 1.11 SEP 2009
  – Automatically assign unique UIDs and GIDs through UNIX applications
  – REXX interface (IRRXUTIL) to extract RACF profile and SETROPTS information
• Version 1.12 SEP 2010
  – Generic profile load performance improvements
  – "Ghost" generic profile avoidance
• Version 1.13 SEP 2011
  – TCP/IP support for the RACF Remote Sharing Facility (RRSF)

Evolution of z/OS Version 2 (z/OS V2Rn.0 Security Server)
• Version 2.1 SEP 2013
  – New health checks
  – RACDCERT enhancements
  – Support for &RACUID in BPX.UNIQUE.USER
• Version 2.2 SEP 2015
  – ROAUDIT attribute for listing profiles
  – Additional special characters for passwords
  – KDFAES algorithm for password encryption
VANGUARD SECURITY & COMPLIANCE 2016
Components of RACF
A Series of Programs
A Database
Log Records
A Series of Commands
A Set of Tables
A Series of Programs
Processing Programs
• Executable Load Modules
  – ICHnnnnn
  – IRRnnnnn
• Macros
  – RACROUTE
  – ICHEINTY
  – Other Macros
• Exits
A Series of Programs
Utilities
• Database Utilities (IRRUT100 cross-reference, IRRUT200 verify/copy, IRRUT400 split/merge/extend, IRRDBU00 database unload)
• Audit Utilities (IRRADU00 SMF data unload, the RACF Report Writer RACFRW, the Data Security Monitor DSMON, program ICHDSM00)
A Series of Programs
TSO Command Processors
• Executable Load Modules
• RACF Commands
• Main Module and Alias
  – ADDUSER (alias AU)
Control of System Resources
• RACF needs to know:
– what protection is appropriate for resource
– user access requirements
• Where does RACF keep the information?
– kept in RACF Profiles
• Where does RACF keep the Profiles?
– kept in the RACF Data Base
RACF Database
RACF Data Sets
• One or more
• Primary and Backup
• Physical Sequential, Internally Structured

Example output of RVARY LIST:
RVARY LIST
ICH15013I RACF DATABASE STATUS:
ACTIVE USE NUMBER VOLUME DATASET
---------- ------ ------------- ------------- --------------
YES PRIM 1 VIPPS1 SYS1.VAN.RACFPRIM
YES BACK 1 VIPPS2 SYS1.VAN.RACFBACK
RACF Profile Types
The RACF database holds four kinds of profiles:
• GROUP profiles
• USER profiles
• DATASET profiles
• GENERAL RESOURCE profiles
Summary of RACF Profile Types
(Diagram: a USER is CONNECTed to one or more GROUPs; DATASET and GENERAL RESOURCE profiles are PERMIT'ed to users and to groups.)
Components of RACF
A Series of Programs
A Database
Log Records
A Series of Commands
A Set of Tables
What is Logging?
• Logging is the recording of data about specific
events.
• It is the key to auditing the use of RACF at your
installation.
• RACF uses the system management facilities (SMF)
to log data.
Log Records
What are Log Records?
• RACF Security Event Records
• Written to z/OS System Management Facility (SMF) Data Sets
• SMF Record types 80, 81, and 83
What determines which security events are recorded?
• RACF System-wide Options settings (LOGOPTIONS)
• RACF User Profile attribute (UAUDIT)
• RACF Resource Profile auditing options (AUDIT/GLOBALAUDIT)
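A worked example of the three auditing controls listed above, followed by the unload of the SMF records they produce. This is an added example, not part of the Vanguard presentation or an IBM sample: the job card, user BOBS, data set profile PAYROLL.MASTER.**, the SMF data set SYS1.MAN1 and the output data set RACF.SMF.UNLOAD are assumed names.

```jcl
//RACFAUD  JOB (ACCT),'RACF AUDIT',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Step 1: the three levers that decide which events become SMF
//* type 80 records. Authority is split on purpose: SETROPTS
//* LOGOPTIONS/AUDIT/SAUDIT/CMDVIOL, ALTUSER UAUDIT and GLOBALAUDIT
//* need the AUDITOR attribute; the AUDIT operand on a profile is set
//* by the profile owner or a SPECIAL user.
//*
//* LOGOPTIONS ALWAYS/NEVER override whatever the profiles say;
//* SUCCESSES and FAILURES are logged in addition to the profile
//* settings. Here every failed DATASET or FACILITY access is logged
//* system-wide. AUDIT(class) logs profile changes in those classes,
//* SAUDIT logs every command issued by SPECIAL users, CMDVIOL logs
//* rejected commands. UAUDIT logs everything user BOBS does. The
//* owner asks for all READ-or-higher accesses to the payroll master;
//* the auditor independently asks for failed UPDATE-or-higher
//* accesses, and the owner cannot undo that GLOBALAUDIT setting.
//SETAUD   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS LOGOPTIONS(FAILURES(DATASET FACILITY))
  SETROPTS AUDIT(USER GROUP DATASET FACILITY) SAUDIT CMDVIOL
  ALTUSER  BOBS UAUDIT
  ALTDSD   'PAYROLL.MASTER.**' AUDIT(ALL(READ))
  ALTDSD   'PAYROLL.MASTER.**' GLOBALAUDIT(FAILURES(UPDATE))
  LISTDSD  DATASET('PAYROLL.MASTER.**') ALL
  SETROPTS LIST
/*
//* Step 2: turn the SMF records into a flat file for review.
//* IFASMFDP selects record types 80 to 83 and the RACF exits
//* IRRADU00/IRRADU86 reformat each record onto OUTDD, one event per
//* line. SYS1.MAN1 and RACF.SMF.UNLOAD are assumed names; in
//* practice the daily dumped SMF data set is used, not the live one.
//SMFUNLD  EXEC PGM=IFASMFDP
//SMFIN    DD DISP=SHR,DSN=SYS1.MAN1
//SMFOUT   DD DUMMY
//ADUPRINT DD SYSOUT=*
//OUTDD    DD DSN=RACF.SMF.UNLOAD,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(50,10)),
//            DCB=(RECFM=VB,LRECL=12288,BLKSIZE=12292)
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  INDD(SMFIN,OPTIONS(DUMP))
  OUTDD(SMFOUT,TYPE(80:83))
  ABEND(NORETRY)
  USER2(IRRADU00)
  USER3(IRRADU86)
/*
```

After step 1, LISTDSD shows both the AUDITING (owner) and GLOBALAUDIT (auditor) settings, and SETROPTS LIST shows the LOGOPTIONS and AUDIT classes, which is the check that the intended events will actually be recorded. The IRRADU00 output is what the later "Surveillance" function consumes: it can be searched directly or loaded into DB2 for reporting.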
RACF Data Base and Commands
(Diagram: a command such as ALU userid PA(pass) RESUME updates the RACF DATA BASE, which holds the USER, GROUP, DATA SET and GENERAL RESOURCE profiles.)
Interacting With RACF
• From the READY prompt
• Using RACF Panels
• Submitting Batch jobs
• Executing a CLIST
• Using Vanguard
Types of Commands
• ADD
• MODIFY
• LIST
• DELETE
• OTHER
Command Names & Aliases
Rows are command types, columns are profile types; the alias is in parentheses.

COMMAND TYPE   GROUPS           USERS            DATASETS         GENERAL RESOURCES
ADD            ADDGROUP (AG)    ADDUSER (AU)     ADDSD (AD)       RDEFINE (RDEF)
MODIFY         ALTGROUP (ALG)   ALTUSER (ALU)    ALTDSD (ALD)     RALTER (RALT)
LIST           LISTGRP (LG)     LISTUSER (LU)    LISTDSD (LD)     RLIST (RL)
DELETE         DELGROUP (DG)    DELUSER (DU)     DELDSD (DD)      RDELETE (RDEL)
OTHER          PASSWORD (PW), CONNECT (CO), REMOVE (RE), PERMIT (PE), SEARCH (SR),
               RVARY (deactivate/activate RACF database(s)),
               SETROPTS (SETR) (system-wide RACF options)
Command Components
Command name
• Must be spelled correctly
• Full name or alias only
– ADDUSER or AU
– CONNECT or CO
– RDEFINE or RDEF
– PERMIT or PE
Command Components
Positional Parameter(s)
• Always the first parameter(s)
  – au JIM
  – ag PAYROLL
  – ad 'PAYROLL.MASTER.**'
  – rdef FACILITY VRA$.SCOPE
• Special case for data sets: put quotes around the profile name
  • If you don't, the TSO PROFILE PREFIX is prepended to the name
Command Components
Keyword Parameters
• Must be spelled correctly
• Can be entered anywhere after the positional parameters, in any order
• TSO parse rules apply: the shortest spelling that is unique can be used
  – alu bobs RESUME
  – alu bobs RESTRICTED
  – alu bobs RES
    • will cause an error (RES is ambiguous between RESUME and RESTRICTED)
  – alu bobs RESU
  – alu bobs REST
    • both are accepted
Command Components
Keyword Parameter Values, cont.
• Special cases
  – embedded blanks in value fields
  – embedded quotes in value fields
  – alu bobs NAME(BOB SMITH)
    • will truncate to just BOB
    • SMITH will be an invalid keyword
  – alu bobs NAME('BOB SMITH')
  – alu jim DATA('100 So. Anita DR, Orange CA 92868')
  – alu sean NAME('SEAN O''BRIEN')
    • results in SEAN O'BRIEN (a single quote inside a quoted value is written as two quotes)
From the READY Prompt
"I forgot my password, can you help me?"
RACF Panels – User Profiles
(Screenshots of the RACF ISPF panels for user profiles.)
Commands From Batch Jobs
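A batch job that exercises the ADD, MODIFY, LIST and DELETE commands from the Command Names & Aliases table, and makes the point of the Passive System slide concrete: nothing is protected until a profile exists and its class is active. It is an added example, not from the presentation. Group PAYROLL, users JIM and BOBS, data set profile PAYROLL.MASTER.** and FACILITY resource VRA$.SCOPE are the names used on the slides; SYS1 as the superior group, the job accounting information and the temporary password are assumptions.

```jcl
//RACFADM  JOB (ACCT),'RACF ADMIN',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* The SYSTSIN lines are exactly what would be typed at READY. The
//* submitter needs SPECIAL (or group-SPECIAL over PAYROLL plus CLAUTH
//* for FACILITY). Assumed names: SYS1, PAYROLL, JIM, BOBS (assumed
//* to exist already), PAYROLL.MASTER.**, VRA$.SCOPE.
//*
//* ADD: nothing is protected until these profiles exist. The data
//* set name is quoted so the TSO prefix is not prepended. UACC(NONE)
//* makes the default answer "no". A FACILITY profile is only checked
//* once the class is active; on most systems it already is.
//ADD      EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDGROUP PAYROLL OWNER(SYS1) SUPGROUP(SYS1) DATA('PAYROLL DEPT')
  ADDUSER  JIM NAME('JIM SMITH') OWNER(PAYROLL) DFLTGRP(PAYROLL) +
           PASSWORD(TMP#2016)
  ADDSD    'PAYROLL.MASTER.**' OWNER(PAYROLL) UACC(NONE) +
           AUDIT(FAILURES(READ))
  RDEFINE  FACILITY VRA$.SCOPE OWNER(PAYROLL) UACC(NONE)
  SETROPTS CLASSACT(FACILITY) RACLIST(FACILITY)
/*
//* MODIFY: access lists and attributes. Embedded blanks and quotes
//* in values need the outer quotes and a doubled inner quote.
//* In-storage copies (the RACLISTed FACILITY class, generic DATASET
//* profiles) do not see a change until they are refreshed.
//MODIFY   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  CONNECT  BOBS GROUP(PAYROLL) AUTHORITY(USE)
  ALTUSER  BOBS NAME('BOB SMITH') DATA('BACKUP FOR SEAN O''BRIEN')
  PERMIT   'PAYROLL.MASTER.**' ID(PAYROLL) ACCESS(UPDATE)
  PERMIT   VRA$.SCOPE CLASS(FACILITY) ID(JIM) ACCESS(READ)
  ALTDSD   'PAYROLL.MASTER.**' AUDIT(ALL(READ))
  SETROPTS GENERIC(DATASET) REFRESH
  SETROPTS RACLIST(FACILITY) REFRESH
/*
//* LIST: AUTHUSER shows the access list, not just the base segment.
//LIST     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTGRP  PAYROLL
  LISTUSER JIM
  LISTDSD  DATASET('PAYROLL.MASTER.**') AUTHUSER
  RLIST    FACILITY VRA$.SCOPE AUTHUSER
  SEARCH   CLASS(DATASET) MASK(PAYROLL)
/*
//* DELETE (cleanup, in reverse order). DELUSER does not remove the
//* deleted ID from other profiles' access lists; that is the job of
//* the Remove ID utility IRRRID00 introduced with RACF 2.2.
//DELETE   EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  PERMIT   VRA$.SCOPE CLASS(FACILITY) ID(JIM) DELETE
  RDELETE  FACILITY VRA$.SCOPE
  DELDSD   'PAYROLL.MASTER.**'
  REMOVE   BOBS GROUP(PAYROLL)
  DELUSER  JIM
  DELGROUP PAYROLL
  SETROPTS GENERIC(DATASET) REFRESH
  SETROPTS RACLIST(FACILITY) REFRESH
/*
```

Each step is an IKJEFT01 (TSO in batch) step, so the command syntax, the positional-then-keyword order and the quoting rules are identical to the READY prompt; the only difference is that IKJEFT01 echoes SYSTSIN to SYSTSPRT, so anything in the input, including the temporary password on ADDUSER, ends up on the JES spool.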
Command List (CLIST)
Executing a CLIST
Using Vanguard Administrator™
Using Vanguard SecurityCenter™
• Click the Help Desk button
• Enter the User ID
Help Desk Administration
• Enter the new password and verify it, uncheck Revoked, then press OK
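The same "I forgot my password" reset done with RACF commands, with the checks a practitioner wants around it. This is an added example, not Vanguard's or IBM's code; user BOBS, group HELPDESK, the job accounting information and the one-time password are assumed names.

```jcl
//PWRESET  JOB (ACCT),'HELP DESK',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Step 1: look before resetting. LISTUSER shows whether the ID is
//* REVOKED and what could keep it that way: a REVOKE DATE still in
//* the future, PROTECTED (no password can be assigned at all),
//* PASSDATE and the PASSWORD INTERVAL.
//LOOK     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  LISTUSER BOBS
/*
//* Step 2: the reset itself. A password set by ALTUSER is EXPIRED,
//* so BOBS must change it at the next logon; NOEXPIRED is
//* deliberately not used, because the help desk would then know a
//* live password. RESUME with no date clears the revoke now.
//* IKJEFT01 echoes SYSTSIN to SYSTSPRT, so the one-time password
//* lands on the JES spool; at a terminal, type the command instead.
//RESET    EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ALTUSER  BOBS PASSWORD(ONE#TIME) RESUME
  LISTUSER BOBS
/*
//* Step 3 (done once, by a SPECIAL user): let the help desk perform
//* steps 1 and 2 without holding SPECIAL. READ on the FACILITY
//* resource IRR.PASSWORD.RESET permits PASSWORD, PHRASE and RESUME
//* against users that are not PROTECTED and hold none of SPECIAL,
//* OPERATIONS or AUDITOR; UPDATE would also allow NOEXPIRED and is
//* withheld on purpose.
//GRANT    EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE  FACILITY IRR.PASSWORD.RESET OWNER(SYS1) UACC(NONE)
  PERMIT   IRR.PASSWORD.RESET CLASS(FACILITY) ID(HELPDESK) ACCESS(READ)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
```

Step 3 is the least-privilege version of the help desk: a group that can reset ordinary users' passwords but cannot touch privileged IDs or hand out non-expiring passwords. LISTUSER on another user's profile is controlled separately; IRR.LISTUSER in the FACILITY class grants it without SPECIAL. The "Granular Password Resets" item in the z/OS 1.10 release notes above refers to the IRR.PWRESET.OWNER.owner, IRR.PWRESET.TREE.group and IRR.PWRESET.EXCLUDE.userid resources, which scope the same ability to part of the user population.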
RACF Tables
• Database Name Table (ICHRDSNT): names the primary and backup RACF data sets
• Range Table (ICHRRNG): maps profile-name ranges to data sets when the database is split
• Started Procedures Table (ICHRIN03): assigns a user ID and group to each started task; consulted only when no STARTED class profile matches
• Global Access Table: GLOBAL class entries that grant access without a profile check; such accesses are not logged, so keep the table small
• Class Descriptor Table (ICHRRCDX supplied by IBM, ICHRRCDE installation-defined, plus dynamic CDT class profiles)
• Router Table (ICHRFR01)
• Authorized Caller Table (ICHAUTAB)
• Naming Convention Table (ICHNCV00)
RACF Providing Security
User ID Authorization
Function # 1: User Identification and Verification
(Diagram: Tom, Mary and Joe each LOGON to MVS with their user IDs TOM, MARY and JOE; RACF verifies each against the user profiles in the RACF Data Base and builds an ACEE, the accessor environment element that represents the verified user for the rest of the session.)
Resource Authorization Checking
Function # 2: Resource Authorization Checking
(Diagram: the resource managers for CICS transactions, data sets, tape processing and IMS transactions ask RACF whether TOM, MARY or JOE may access a resource; RACF answers from the resource profiles in the RACF Data Base.)
Security Administration
Function # 3: Security Administration
(Diagram: a user with the SPECIAL attribute issues RACF commands that maintain the user, group, data set and resource profiles in the RACF Data Base.)
Surveillance - Logging and Reporting
Function # 4: Surveillance, Logging and Reporting
(Diagram: access attempts against CICS transactions, data sets, tape processing and IMS transactions are recorded as SMF records; a user with the AUDITOR attribute reviews them.)