Copyright 2000, 2006 EKC Inc.
Eberhard Klemens Co. - Experts in Computer Systems - Software - Security
www.ekcinc.com

Auditing the RACF Environment
Topic 1: Auditing RACF

Topic 1 Objectives
The Audit Environment
Sample Audit Points
Audit Controls
Audit Data
Audit Reporting

Separation of Powers
Diagram: the SPECIAL attribute and the AUDITOR attribute are shown side by side as separate powers.

Conducting the Audit
Judge how effectively RACF has been implemented to handle security at the installation.
Identify any security exposures.
Recommend ways to improve the system.

The Audit Cycle
Establish a benchmark.
Check logging regularly.
Re-examine the security implementation and compare it against the last benchmark.
Establish a new benchmark.

Twelve Point Approach
Point 1 - System Controls - Level of Implementation
Point 2 - Change Control Over Options and Software
Point 3 - Protection for Database and SMF Files
Point 4 - Enforcement of Security Policy
Point 5 - Password Administration
Point 6 - Approach to Access Profiles

Twelve Point Approach (continued)
Point 7 - Ability to Bypass Controls
Point 8 - Control of Non-Owned Ids
Point 9 - Controls Over Production Ids
Point 10 - Controls for Key System Components
Point 11 - Ability to Gain Unauthorized Access
Point 12 - Security Reporting and Follow-Up

1 - System Implementation

Limit / Control / Review                    Where to Look
RACF release level, system release level    DSMON System Report: shows z/OS and RACF release / FMID levels
RACF exits                                  DSMON System Exits Report: shows module names and lengths of installed exits
PROTECTALL settings                         SETROPTS LIST: shows PROTECTALL level and options

2 - Administration / Change Control

Limit / Control / Review                    Where to Look
Assignment of system-SPECIAL                DSMON Selected User Attribute Report: shows number of users and user IDs given system-SPECIAL
Use of RVARY command                        SETROPTS LIST: shows if there is an RVARY password specified
Use of SETROPTS REFRESH command             DSMON SUAR: shows number of users and user IDs with SPECIAL and AUDITOR

3 - Securing access to RACF & SMF

Limit / Control / Review                        Where to Look
Access to RACF database carefully controlled    LISTDSD: shows access lists for primary and backup RACF databases
Access to SMF files limited                     LISTDSD: shows access lists
Regularly scheduled backups of RACF             Site specific: review procedures and schedule for backup of RACF database(s)
database files

4 - Security Policy Review

Limit / Control / Review                            Where to Look
Determine existence of security policy              Interviews with security management staff
Procedures in place for PASSWORD changes, makeup    Review site-specific procedures, SETROPTS LIST
Handling of deleted userids                         Review site-specific procedures

5 - Password Policy Review

Limit / Control / Review             Where to Look
Periodic required password change    Review change interval, SETROPTS LIST
PASSWORD length                      Review site-specific procedures, SETROPTS LIST
PASSWORD "hacking"                   Review unsuccessful password attempts, SETROPTS LIST

6 - Access Hierarchy

Limit / Control / Review                           Where to Look
Verify access lists for individuals and groups     DSMON Group Tree, LISTDSD: review groups to determine definition and use of functional groups
Verify appropriate UACC access                     LISTDSD: review dataset profiles for appropriate UACC access
Verify OWNER data for profiles and groups          LISTDSD, DSMON Group Tree: review owner data to determine inheritance of data / application ownership

7 - Ability to Bypass Controls

Limit / Control / Review                               Where to Look
Verify SETROPTS PROTECTALL active in FAILURE mode      SETROPTS LIST: shows if PROTECTALL FAILURE is in effect
Ensure SETROPTS NOADDCREATOR is applied                SETROPTS LIST: shows if profile creator is automatically added with ALTER to access list
Minimize use of OPERATIONS attribute                   DSMON: shows number of users with OPERATIONS

8 - Non-Owned Userids

Limit / Control / Review                                             Where to Look
Use of region IDs for batch jobs submitted on behalf of users        Search for PROPCNTL profiles: SEARCH CLASS(PROPCNTL) NOMASK
Review use of surrogate profiles                                     Search for SURROGAT profiles: SEARCH CLASS(SURROGAT) NOMASK

9 - Controls over Production IDs

Limit / Control / Review                                        Where to Look
Review rationale used to associate production IDs with jobs     Site specific
Verify controls over production JCL libraries                   Dataset profiles: review profiles to ensure appropriate access
Review SURROGAT use to ensure only authorized use               SURROGAT profiles: RL userid.SUBMIT CL(SURROGAT) AU

10 - Key System Components

Limit / Control / Review                                      Where to Look
Review inventory of products requiring security interface     Site specific: list of installed products
Verify adequacy of access controls in place                   Review general resource profiles for vendor products
Assure adequate use of SAF-based controls                     DSMON Authorized Caller Report

11 - Ability to gain unauthorized access

Limit / Control / Review                                                        Where to Look
User IDs which have never been used or not used for an extended period of time  SEARCH CLASS(USER) AGE(120)
Default userids (IBMUSER)                                                       LU IBMUSER
RACF default password                                                           Review procedures for changing passwords

12 - Security Reporting and Follow-up

Limit / Control / Review                   Where to Look
Review types and frequency of reports      Site specific procedures
Review report distribution                 Site specific procedures
Determine actions from violation attempts  Site specific procedures

Auditor Controls
General controls: SETROPTS commands - SETR AUDIT(*)
Specific controls:
  User activity - ALU …
  Dataset activity - ALTDSD
  Resource activity - RALTER

Audit Controls - SETROPTS
APPLAUDIT and NOAPPLAUDIT
AUDIT and NOAUDIT
CMDVIOL and NOCMDVIOL
LIST
LOGOPTIONS
OPERAUDIT and NOOPERAUDIT
REFRESH GENERIC
REFRESH RACLIST
SAUDIT and NOSAUDIT
SECLABELAUDIT and NOSECLABELAUDIT
SECLEVELAUDIT and NOSECLEVELAUDIT

Controlling Logging
Diagram: both the Application Owner and the Auditor control what is logged to the SMF data sets (SYS1.MANx).

Owner-Controlled Logging

ALTDSD 'PAYROLL.MASTER.*' AUDIT(FAILURES(READ))

Profile Name        AUDIT             GLOBALAUDIT
PAYROLL.MASTER.*    FAILURES(READ)

Auditor Controls - Logging

ALTDSD 'PAYROLL.MASTER.*' GLOBALAUDIT(SUCCESS(UPDATE))
SETR LOGOPTIONS(ALWAYS(DASDVOL))
SETR LOGOPTIONS(FAILURES(TERMINAL))
ALU STAN UAUDIT

Profile Name        AUDIT             GLOBALAUDIT
PAYROLL.MASTER.*    FAILURES(READ)    SUCCESS(UPDATE)
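As an added example (not part of the EKC deck and not RACF's own code), the following Python models which access attempts on PAYROLL.MASTER.* end up logged once the owner's AUDIT(FAILURES(READ)), the auditor's GLOBALAUDIT(SUCCESS(UPDATE)), SETROPTS LOGOPTIONS and ALU STAN UAUDIT from these two slides are combined. The profile dictionary, the access attempts and the precedence of UAUDIT over LOGOPTIONS are constructed assumptions of this example; OPERAUDIT, SAUDIT and the other SETROPTS audit options are not modelled.

```python
"""Model of the RACF logging decision for one access check on a profile.

Constructed example, not EKC's or IBM's code.  It combines the four
controls the slides show: the owner's AUDIT, the auditor's GLOBALAUDIT,
SETROPTS LOGOPTIONS for the class, and UAUDIT on the user.  OPERAUDIT,
SAUDIT, SECLABELAUDIT and other SETROPTS audit options are not modelled.
"""

# Access levels in ascending order; an audit threshold such as
# FAILURES(READ) covers attempts at that level or higher.
ACCESS_LEVELS = ("NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER")


def at_least(level: str, threshold: str) -> bool:
    return ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index(threshold)


def expand_all(spec: dict) -> dict:
    """AUDIT(ALL(level)) means both SUCCESS(level) and FAILURES(level)."""
    if "ALL" in spec:
        return {"SUCCESS": spec["ALL"], "FAILURES": spec["ALL"]}
    return spec


def spec_matches(spec: dict, outcome: str, level: str) -> bool:
    """spec is {"FAILURES": "READ"} for AUDIT(FAILURES(READ)) or
    {"SUCCESS": "UPDATE"} for GLOBALAUDIT(SUCCESS(UPDATE));
    outcome is "SUCCESS" or "FAILURES"."""
    threshold = expand_all(spec).get(outcome)
    return threshold is not None and at_least(level, threshold)


def should_log(profile: dict, outcome: str, level: str,
               logoptions: str = "DEFAULT", uaudit: bool = False):
    """Return (logged?, reason) for one access attempt.

    Assumption of this model: UAUDIT is evaluated before LOGOPTIONS; how
    RACF orders LOGOPTIONS(NEVER) against UAUDIT is not asserted here.
    """
    if uaudit:                                   # ALU userid UAUDIT
        return True, "UAUDIT"
    if logoptions == "ALWAYS":                   # SETR LOGOPTIONS(ALWAYS(class))
        return True, "LOGOPTIONS(ALWAYS)"
    if logoptions == "NEVER":                    # suppresses profile auditing
        return False, "LOGOPTIONS(NEVER)"
    if logoptions == "SUCCESSES" and outcome == "SUCCESS":
        return True, "LOGOPTIONS(SUCCESSES)"
    if logoptions == "FAILURES" and outcome == "FAILURES":
        return True, "LOGOPTIONS(FAILURES)"
    # DEFAULT (or the half of SUCCESSES/FAILURES that did not match): the
    # profile decides, and the owner's AUDIT and the auditor's GLOBALAUDIT
    # are combined, so either one is enough to cause logging.
    if spec_matches(profile.get("AUDIT", {}), outcome, level):
        return True, "AUDIT"
    if spec_matches(profile.get("GLOBALAUDIT", {}), outcome, level):
        return True, "GLOBALAUDIT"
    return False, "not logged"


# The profile from the slides, after the owner issued
# ALTDSD 'PAYROLL.MASTER.*' AUDIT(FAILURES(READ)) and the auditor
# ALTDSD 'PAYROLL.MASTER.*' GLOBALAUDIT(SUCCESS(UPDATE)).
PAYROLL_MASTER = {
    "AUDIT": {"FAILURES": "READ"},
    "GLOBALAUDIT": {"SUCCESS": "UPDATE"},
}

# Constructed access attempts: (userid, access level, outcome).
ATTEMPTS = [
    ("STAN", "READ", "SUCCESS"),
    ("STAN", "UPDATE", "SUCCESS"),
    ("BERT", "READ", "FAILURES"),
    ("BERT", "READ", "SUCCESS"),
    ("ELMO", "ALTER", "SUCCESS"),
    ("ELMO", "CONTROL", "FAILURES"),
]


def logged_attempts(profile, attempts, uaudit_users=frozenset(),
                    logoptions="DEFAULT"):
    """Return [(userid, level, outcome, reason)] for the attempts RACF would log."""
    out = []
    for user, level, outcome in attempts:
        logged, reason = should_log(profile, outcome, level, logoptions,
                                    uaudit=user in uaudit_users)
        if logged:
            out.append((user, level, outcome, reason))
    return out


if __name__ == "__main__":
    # With ALU STAN UAUDIT in effect, STAN's successful READ is logged too.
    for entry in logged_attempts(PAYROLL_MASTER, ATTEMPTS, uaudit_users={"STAN"}):
        print(*entry)
```

The ordering of the checks is the point: once the auditor has set GLOBALAUDIT, the owner cannot switch that logging off by changing AUDIT, and UAUDIT on a user records what that user does regardless of the profile settings, which is what makes it useful for the emergency-access accounts discussed in Part 2.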

Two Types of Audit Data
Snapshot data - the implementation
  RACF commands - L…, SETR LIST
  Data Security Monitor - DSMON
  RACF Database Unload - IRRDBU00
Event data - Wazhappnin???
  RACF commands - LOGOPTIONS, GLOBALAUDIT…
  SMF Data Unload Utility - IFASMFDP
Reporting tools - SAMPLIB
  RICE reports - ICEMAN statements for DB & SMF unloaded data
  DB2 queries - RACDBUxx, IRRADUxx

Running the DSMON Program (ICHDSM00)

//stepname EXEC PGM=ICHDSM00
//SYSPRINT DD SYSOUT=A
//SYSUT2   DD SYSOUT=A
//SYSIN    DD *
  LINECOUNT 55
  FUNCTION ALL
  USEROPT USRDSN PAY.MASTER.FILE
/*

Diagram: DSMON reads the hardware and software state and produces the DSMON reports.

DSMON Reports
System Report
Group Tree Report
Program Properties Table Report
RACF Authorized Caller Table Report
RACF Class Descriptor Table Report
RACF Exits Report
RACF Global Access Table Report
RACF Started Procedures Table Report
Selected User Attribute Report
Selected User Attribute Summary Report
Selected Data Sets Report

System Report

CPU-ID                    111606
CPU MODEL                 2064
OPERATING SYSTEM/LEVEL    z/OS 1.6.0
SYSTEM RESIDENCE VOLUME   DR250B
SMF-ID                    ZOSR
RACF FMID HRF7709 IS ACTIVE

Program Properties Table Report

PROGRAM    BYPASS PASSWORD   SYSTEM
NAME       PROTECTION        KEY
--------------------------------------
IEDQTCAM   NO                YES
ISTINM01   YES               YES
IKTCAS00   NO                YES
AHLGTF     NO                YES
HHLGTF     NO                YES
IHLGTF     NO                YES
IEFIIC     NO                YES
IEEMB860   YES               YES
IEEVMNT2   NO                YES
IASXWR00   NO                YES
CSVVFCRE   NO                YES
HASJES20   YES               YES
DFSMVRC0   NO                YES
IATINTK    YES               YES
DXRRLM00   NO                YES

RACF Authorized Caller Table Report

MODULE     RACINIT      RACLIST
NAME       AUTHORIZED   AUTHORIZED
-----------------------------------
DFHSIP     NO           YES

RACF Exit Report

EXIT MODULE   MODULE
NAME          LENGTH
---------------------
ICHPWX01      1354
ICHDEX01      224

Selected User Attribute Report

USERID     ------------- ATTRIBUTE TYPE -------------   ------------- ASSOCIATIONS -------------
           SPECIAL   OPERATIONS   AUDITOR   REVOKE      NODE.USERID   PASSWORD SYNC   ASSOCIATION TYPE
----------------------------------------------------------------------------------------------------
BIGBIRD    SYSTEM    SYSTEM
BERT       SYSTEM
ELMO       GROUP     GROUP
ERNIE      SYSTEM    SYSTEM
GROVER     SYSTEM    SYSTEM
GROUCH     GROUP
IBMUSER    SYSTEM    SYSTEM       SYSTEM
SNUFFY     GROUP
ZOE        GROUP

Selected User Attribute Summary

TOTAL DEFINED USERS: 563
TOTAL SELECTED ATTRIBUTE USERS:

ATTRIBUTE BASIS   SPECIAL   OPERATIONS   AUDITOR   REVOKE
---------------   -------   ----------   -------   ------
SYSTEM            4         3            1         2
GROUP             1         2            1         1
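The audit cycle earlier in the deck (establish a benchmark, re-examine, compare) and the Selected User Attribute Report and Summary on these two slides come together in the following added Python example, which is not EKC's or IBM's code: it parses a report laid out like the one above, reproduces the summary counts, applies the checks from points 2, 7 and 11 of the twelve-point approach, and diffs a benchmark snapshot against a later one. The two snapshots and the 11-character column layout are constructed for this example and are not the exact DSMON print layout.

```python
"""Parse DSMON Selected User Attribute Report text, reproduce the
Selected User Attribute Summary counts, flag audit findings, and diff
two snapshots as the audit-cycle benchmark comparison.

Constructed example; the 11-character column layout is an assumption of
this example, not the exact DSMON print layout."""

ATTRIBUTES = ("SPECIAL", "OPERATIONS", "AUDITOR", "REVOKE")
COL = 11


def row(*cells: str) -> str:
    """Lay out one report line in fixed columns (used only to build the samples)."""
    return "".join(c.ljust(COL) for c in cells).rstrip()


def report(rows) -> str:
    header = row("USERID", *ATTRIBUTES)
    rule = row(*["-" * (COL - 1)] * (len(ATTRIBUTES) + 1))
    return "\n".join([header, rule] + [row(*r) for r in rows]) + "\n"


# Benchmark snapshot, modelled on the userids in the slide's report.
BENCHMARK = report([
    ("BIGBIRD", "SYSTEM", "SYSTEM"),
    ("BERT", "SYSTEM"),
    ("ELMO", "GROUP", "GROUP"),
    ("ERNIE", "SYSTEM", "SYSTEM"),
    ("IBMUSER", "SYSTEM", "SYSTEM", "SYSTEM"),
    ("ZOE", "", "", "", "GROUP"),
])

# Later snapshot: a new group-AUDITOR, IBMUSER revoked, ZOE given system-SPECIAL.
CURRENT = report([
    ("BIGBIRD", "SYSTEM", "SYSTEM"),
    ("BERT", "SYSTEM"),
    ("ELMO", "GROUP", "GROUP"),
    ("ERNIE", "SYSTEM", "SYSTEM"),
    ("GROUCH", "", "", "GROUP"),
    ("IBMUSER", "SYSTEM", "SYSTEM", "SYSTEM", "SYSTEM"),
    ("ZOE", "SYSTEM", "", "", "GROUP"),
])


def parse_suar(text: str) -> dict:
    """Map userid -> {attribute: basis}.  Columns are located from the
    header line, because a whitespace split cannot tell a group-AUDITOR
    from a system-SPECIAL when the earlier columns are blank."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0]
    starts = [header.index("USERID")] + [header.index(a) for a in ATTRIBUTES]
    bounds = list(zip(starts, starts[1:] + [None]))
    users = {}
    for line in lines[1:]:
        if line.lstrip().startswith("-"):
            continue                                  # separator rule
        cells = [line[a:b].strip() for a, b in bounds]
        userid, bases = cells[0], cells[1:]
        users[userid] = {attr: basis for attr, basis in zip(ATTRIBUTES, bases) if basis}
    return users


def summarize(users: dict) -> dict:
    """Count users per (attribute, basis), the figures the Summary report prints."""
    counts = {}
    for attrs in users.values():
        for attr, basis in attrs.items():
            counts[(attr, basis)] = counts.get((attr, basis), 0) + 1
    return counts


def findings(users: dict) -> list:
    """Checks from audit points 2, 7 and 11: who holds system-SPECIAL,
    who holds OPERATIONS, and whether IBMUSER is still usable."""
    out = []
    special = sorted(u for u, a in users.items() if a.get("SPECIAL") == "SYSTEM")
    out.append(f"system-SPECIAL held by {len(special)}: {', '.join(special)}")
    for user, attrs in sorted(users.items()):
        if "OPERATIONS" in attrs:
            out.append(f"OPERATIONS ({attrs['OPERATIONS']}): {user}")
    if "IBMUSER" in users and "REVOKE" not in users["IBMUSER"]:
        out.append("IBMUSER is defined and not revoked")
    return out


def diff_snapshots(benchmark: dict, current: dict):
    """(granted, removed) privileges since the benchmark as (userid, attribute, basis)."""
    def grants(users):
        return {(u, a, b) for u, attrs in users.items() for a, b in attrs.items()}
    old, new = grants(benchmark), grants(current)
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    before, after = parse_suar(BENCHMARK), parse_suar(CURRENT)
    granted, removed = diff_snapshots(before, after)
    print("granted since benchmark:", granted)
    print("removed since benchmark:", removed)
    print("\n".join(findings(after)))
```

Each privilege granted since the benchmark is something the auditor should be able to match to a change-control record; anything that cannot be matched is a finding under point 2, and the OPERATIONS list is the input to the "minimize use" check under point 7.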

Started Procedures Table Report

FROM THE STARTED PROCEDURES TABLE (ICHRIN03):

FROM PROFILES IN THE STARTED CLASS:

PROFILE            ASSOCIATED   ASSOCIATED
NAME               USER         GROUP       PRIVILEGED   TRUSTED   TRACE
------------------------------------------------------------------------
CICS.REGIONA       CICSA                    NO           NO        NO
CICS.REGIONB       CICSB                    NO           NO        NO
DCEKERN.* (G)      DCEKERN      DCEGRP      NO           NO        NO
EZAFTPAP.* (G)     TCPIP        OMVSGRP     NO           YES       NO
FTPD.* (G)         OMVSKERN     OMVSGRP     NO           NO        NO
MVSNFS.* (G)       TCPIP        OMVSGRP     NO           NO        NO
OMVS.* (G)         OMVSKERN     OMVSGRP     NO           NO        NO
PORTMAP.* (G)      TCPIP        OMVSGRP     NO           YES       YES
FTPSERVE.* (G)     TCPIP        OMVSGRP     NO           YES       NO
INETD.* (G)        INETD        SYS1        NO           NO        NO
SMF.* (G)          STCUSR       SYS1        NO           YES       NO
IRRDPTAB.* (G)     STCUSR       SYS1        NO           YES       NO
JES2.* (G)         STCUSR       SYS1        NO           YES       NO
LLA.* (G)          STCUSR       SYS1        NO           YES       NO
TSO.* (G)          TSO          TSOGRP      NO           NO        NO
VTAM.* (G)         VTAM         VTAMGRP     NO           YES       NO
LOGREC.* (G)       LOGREC       SYS1        NO           NO        NO
** (G)             =MEMBER      STCGRP      NO           NO        YES

Class Descriptor Table Report

CLASS                                            DEFAULT   OPERATIONS
NAME       STATUS     AUDITING   STATISTICS      UACC      ALLOWED
---------------------------------------------------------------------
RACFVARS   ACTIVE     NO         NO              NONE      NO
SECLABEL   INACTIVE   NO         NO              NONE      NO
DASDVOL    ACTIVE     NO         NO              ACEE      YES
GDASDVOL   ACTIVE     NO         NO              ACEE      YES
TAPEVOL    ACTIVE     NO         NO              ACEE      YES
TERMINAL   INACTIVE   NO         NO              ACEE      NO
GTERMINL   INACTIVE   NO         NO              ACEE      NO
APPL       ACTIVE     NO         NO              NONE      NO
TIMS       INACTIVE   NO         NO              NONE      NO
GIMS       INACTIVE   NO         NO              NONE      NO
AIMS       INACTIVE   NO         NO              NONE      NO
TCICSTRN   ACTIVE     NO         NO              NONE      NO
GCICSTRN   ACTIVE     NO         NO              NONE      NO
PCICSPSB   INACTIVE   NO         NO              NONE      NO
GLOBAL     ACTIVE     NO         NO              NONE      NO
GMBR       INACTIVE   NO         NO              NONE      NO
DSNR       INACTIVE   NO         NO              ACEE      NO
FACILITY   ACTIVE     NO         NO              NONE      NO

Global Access Checking Table Report

CLASS      ACCESS   ENTRY
NAME       LEVEL    NAME
-----------------------------------
DATASET    ALTER    &RACUID.*
           READ     ISPF.*
           UPDATE   SYS1.BRODCAST
RVARSMBR   -- NO ENTRIES --
SECLABEL   -- NO ENTRIES --
DASDVOL    -- NO ENTRIES --
TAPEVOL    -- NO ENTRIES --
TERMINAL   -- NO ENTRIES --
APPL       -- NO ENTRIES --
TIMS       -- NO ENTRIES --
AIMS       -- NO ENTRIES --
TCICSTRN   -- NO ENTRIES --
PCICSPSB   -- NO ENTRIES --

Group Tree Report

LEVEL   GROUP (OWNER)
-------------------------------
  1     SYS1 (IBMUSER)
  2     | DATASETG (TOMC)
  3     | | ABA
  3     | | ARP
  4     | | | ARPLST
  2     | CICSADM
  3     | | TRANA
  3     | | TRANB
  2     | DATACTRL

Selected Data Sets Report

                      VOLUME   SELECTION          RACF        RACF
DATA SET NAME         SERIAL   CRITERION          INDICATED   PROTECTED   UACC
------------------------------------------------------------------------------
PAY.MASTER.FILE       USER23   USERDSN            NO          YES         NONE
PAY.SALARY.FILE       USER23   USERDSN            NO          YES         NONE
ISP.PPLIB.ISPLLIB     M80LIB   LNKLST - APF       NO          YES         READ
ISP.V3R1M0.ISPLOAD    M80LIB   APF                N.F         YES         READ
ISP.V3R2M0.ISPLOAD    M80LIB   APF                NO          YES         READ
                               LNKLST - APF
JES2311.STEPLIB       SMS036   APF                N.C         YES         READ
JES2313.STEPLIB       SMS036   APF                NO          YES         READ
JES2410.STEPLIB       SMS036   APF                NO          YES         READ
JES2420.STEPLIB       SMS036   APF                NO          YES         READ
SYS1.CMDLIB           JS2RES   APF                NO          YES         READ
                               LNKLST - APF
                               SYSTEM
SYS1.COBLIB           M80LIB   LNKLST - APF       NO          YES         READ
SYS1.LINKLIB          MVSRES   LNKLST - APF       N.F         YES         NONE
                               SYSTEM
SYS1.NCATLG           M80PGE   MASTER CATALOG     NO          YES         READ
SYS1.NUCLEUS          MVSRES   SYSTEM             NO          YES         NONE
SYS1.PROCLIB          M80PGE   SYSTEM             NO          YES         NONE
SYS1.RACF.BACKUP      SMS124   RACF BACKUP        NO          YES         NONE
SYS1.RACF.PRIMARY     SMS073   RACF PRIMARY       NO          YES         NONE
SYS1.UADS             M80PGE   SYSTEM             NO          YES         NONE

Reporting on the Unloaded Database
Diagram: IRRDBU00 output data is fed to SQL queries or ICETOOL, which produce reports on valid users, selected groups, connections and MVS Open Edition.

SMF Data Unload Utility
Diagram: SMF data is read by IFASMFDP with USER2(IRRADU00) and USER3(IRRADU86); the unloaded SMF data then goes to DB2 or another RDMS, ICETOOL or utilities, installation-written programs, or is simply browsed.

SMF Unload JCL Example

//SMFUNLD  JOB ,'SMF DATA UNLOAD',
//         MSGLEVEL=(1,1),TYPRUN=HOLD
//SMFDUMP  EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=A
//ADUPRINT DD SYSOUT=A
//OUTDD    DD DISP=SHR,DSN=USER01.RACF.IRRADU00
//SMFDATA  DD DISP=SHR,DSN=USER01.RACF.SMFDATA
//SMFOUT   DD DUMMY
//SYSIN    DD *
  INDD(SMFDATA,OPTIONS(DUMP))
  OUTDD(SMFOUT,TYPE(000:255))
  ABEND(NORETRY)
  USER2(IRRADU00)
  USER3(IRRADU86)
/*

Samplib Tools Available
IRRICE collection - uses DFSORT and ICETOOL to produce reports based on unloaded database data and SMF data.
IRRADULD, ..QR, ..TB - uses SQL to define (TB), load (LD), and query (QR) auditing (unloaded SMF) data.
RACDBULD, ..QR, ..TB - uses SQL to define (TB), load (LD), and query (QR) security definition data.

Sample IRRDBU00 Report

- 1 - UAGR: GR Profiles with a UACC Other Than None                06/09/28

Class      General Resource Profile Name   Generic       Owner      UACC
--------   -----------------------------   -------   -   --------   --------
DSNR       DSN.WLM_REFRESH.DB8GENV1        NO        0   P390A      READ
DSNR       SYSPROC.WLM_REFRESH.DB8GRFSH    NO        0   P390A      READ
DSNR       SYSPROC.WLM_REFRESH.WLMENV1     NO        0   IBMUSER    READ
DSNR       SYSPROC.WLM_REFRESH.WLMENV2     NO        0   IBMUSER    READ
FIRECALL   FIRECALL                        NO        0   SYS1       READ
FACILITY   DITTO.*                         YES       0   IBMUSER    READ
FACILITY   MVSADMIN.WLM.POLICY             NO        0   IBMUSER    READ

Sample IRRADU00 Report

- 1 - CADU: Number of IRRADU00 Events            06/09/28 09:57:32 am

Type       Count
--------   ---------------
ACCESS     1842
ALTUSER    6
CONNECT    3
DACCESS    1
DEFINE     4
DIRSRCH    15
JOBINIT    2951
PERMIT     1
RDEFINE    2
REMOVE     3
SETROPTS   1

Conducting the Audit
We've checked the RACF implementation for appropriate security controls.
Identified security exposures.
Made our recommendations.
What's this 18 hour "Special"?

Part 2: Emergency Access

What is Emergency Access?
Non-standard access
Storage fixes
General error fixes
System upgrades
Testing the recovery plan

Typical Methods
May I have the envelope please?
Temporary connect
Scheduled connect
Always on, just-in-case security
Secondary accounts

The Pre-loaded Account
All the access in the world
Keeping it relevant
Turning it off / re-loading
Not tied to an individual
Accounting for use

Temporary Connection
Connect at 5pm
Disconnect at 9am
Is it enough?
Less difficult to audit
Request/approval trace

Temporary Connection
Scheduled connect at 3am
Disconnect at 9am
Is it enough?
Less difficult to audit
Request/approval trace

The Trusted Professional
Extra access for the normal fixer
Enough access for typical emergencies
May not be enough
Difficult to audit
What paper trail?

Dual Accounts
Secondary account for the normal fixer
Enough access for typical emergencies
May not be enough
Less difficult to audit
After-the-fact request/approval

The Business Recovery Plan
Most companies use "test" data, right?
DRP accounts do everything
Minimum alteration risk
Maximum disclosure risk
Auditing the recovery test

The BRP Reality

> -----Original Message-----
> From: RACF Discussion List On Behalf Of XXXX XXXXXXXX
>
> We want to give users testing programs in a D/R LPAR the
> authority to run production jobs. The production jobs run
> under the USERID of SYSMANT. What's the RACF command to allow
> this to happen.

PERMIT SYSMANT.SUBMIT CLASS(SURROGAT) ACCESS(READ) ID(userID) .

Emergency Access Recommendations
Keep a good trail of request and authorization.
For periodic needs, use 2 accounts; log access used by the second account (UAUDIT).
Rip up the envelope; get rid of the pre-loaded account.
Collect and examine SMF data from DRP.
Restrict or remove software capable of editing raw SMF data.

Audit Reporting & Emergency Access