auditing The Racf Environment - Ekc · Selected Data Sets ReportSelected Data Sets Report-----

Copyright 2000, 2006 EKC Inc.

Eberhard Klemens Co.Experts in Computer

Systems - Software - Security

Auditing theAuditing theRACFRACF

EnvironmentEnvironmentTopic 1: Auditing RACF

Auditing 2Copyright 2000, 2006 EKC Inc.

www.ekcinc.com



Topic 1 ObjectivesTopic 1 Objectives

The Audit Environment

Sample Audit Points

Audit Controls

Audit Data

Audit Reporting


www.ekcinc.com



Separation of PowersSeparation of Powers

SPECIAL AUDITOR


www.ekcinc.com



Conducting the AuditConducting the Audit

Judge how effectively RACF has beenimplemented to handle security at theinstallation.

Identify any security exposures.

Recommend ways to improve the system.


www.ekcinc.com



The Audit CycleThe Audit Cycle

Establish Benchmark

Check loggings regularly

Re-examine security implementation andcompare against last benchmark

Establish new benchmark


www.ekcinc.com



Twelve Point ApproachTwelve Point Approach Point 1 - System Controls - Level of Implementation

Point 2 - Change Control Over Options and Software

Point 3 - Protection for Database and SMF Files

Point 4 - Enforcement of Security Policy

Point 5 - Password Administration

Point 6 - Approach to Access Profiles


www.ekcinc.com



Twelve Point ApproachTwelve Point Approach Point 7 - Ability to Bypass Controls

Point 8 - Control of Non-Owned Ids

Point 9 - Controls Over Production Ids

Point 10 - Controls for Key System Components

Point 11 - Ability to Gain Unauthorized Access

Point 12 - Security Reporting and Follow-Up


www.ekcinc.com



11 -- System ImplementationSystem Implementation

Limit / Control / Review Where to Look

RACF Release level

System Release levelDSMONSystem Report

shows zOS and RACFRelease / FMID levels

SETROPTS LIST

shows module names andlengths of installed exits

shows PROTECTALLlevel and options

RACF Exits DSMON SystemExits Report

PROTECTALL settings


www.ekcinc.com



22 –– Administration / Change ControlAdministration / Change Control


assignment ofsystem-SPECIAL

DSMON SelectedUser AttributeReport

shows number of usersand user IDs givensystem-SPECIAL

use of RVARY command SETROPTS LISTshows if there is anRVARY password specified

use of SETROPTSREFRESH command DSMON SUAR

shows number of usersand user IDs with SPECIALand AUDITOR


www.ekcinc.com



33 –– Securing access to RACF & SMFSecuring access to RACF & SMF


Access to RACFdatabase carefullycontrolled

LISTDSD

shows access lists forprimary and backupRACF databases

LISTDSD

Site specific

Access to SMFfiles limited

shows access lists forprimary and backupRACF databases

Review procedures andschedule for backupof RACF database(s)

Regularly scheduledbackups of RACFdatabase files


www.ekcinc.com



44 –– Security Policy ReviewSecurity Policy Review


Determine existenceof security policy Interviews with Security management staff.

Procedures in placefor PASSWORDchanges, makeup.

Review site specific procedures,SETROPTS LIST

Handeling of deleteduserids Review site specific procedures


www.ekcinc.com



55 –– Password Policy ReviewPassword Policy Review


Periodic requiredpassword change Review change interval.

PASSWORDlength

Review site specificprocedures,

Review unsuccessfulpassword attempts

SETROPTS LIST

SETROPTS LIST

PASSWORD“hacking” SETROPTS LIST


www.ekcinc.com



66 –– Access HierarchyAccess Hierarchy


Verify access listsfor individuals andgroups

Review groups to determinedefinition and use offunctional groups.

Verify appropriateUACC access

Review dataset profiles forapropriate UACC access.

DSMONGROUP TREE

LISTDSD

Verify OWNER datafor profiles andgroups

LISTDSD

DSMONGROUP TREE

Review owner data todetermine inheritance ofdata / application ownership


www.ekcinc.com



77 –– Ability to Bypass ControlsAbility to Bypass Controls


Verify SETROPTSPROTECTALL activein FAILURE mode

shows ifPROTECTALL FAILUREis in effect

SETROPTS LISTshows if profile creator isautomatically added withALTER to access list

DSMONshows number of userswith OPERATIONS

SETROPTS LIST

Ensure SETROPTSNOADDCREATORis applied

Minimize use ofOPERATIONSattribute


www.ekcinc.com



88 –– NonNon--OwnedOwned UseridsUserids


Use of region IDs forbatch jobs submittedon behalf of users

SEARCH CLASS(PROPCNTL)NOMASK

Search forPROPCNTLprofiles

Review use ofsurrogate profiles

Search forSURROGATprofiles

SEARCH CLASS(SURROGAT)NOMASK


www.ekcinc.com



99 –– Controls over Production IDsControls over Production IDs


Review rationale usedto associate productionIDs with jobs

Site specific

Verify controlsover productionJCL libraries

Datasetprofiles

Review profiles to ensureappropriate access

Review SURROGATuse to ensure onlyauthorized use

SURROGATprofiles

RL userid.SUBMITCL(SURROGAT) AU


www.ekcinc.com



1010 –– Key System ComponentsKey System Components


Review inventory ofproducts requiringsecurity interface

Site specific-List of installed products

Verify adequacy ofaccess controlsin place

Review general resource profilesfor vendor products.

Assure adequate useof SAF-basedcontrols

DSMON AuthorizedCaller Report


www.ekcinc.com



1111 –– Ability to gain unauthorized accessAbility to gain unauthorized access


User IDs which havenever been used or notused for an extendedperiod of time

SEARCH CLASS(USER) AGE(120)

Default userids(IBMUSER)

LU IBMUSER

RACF defaultpassword

Review procedures for changing passwords


www.ekcinc.com



1212 –– Security Reporting and FollowSecurity Reporting and Follow--upup


Review types andfrequency ofreports

Review reportdistribution

Determine actionsfrom violationattempts

Site specific procedures




www.ekcinc.com



Auditor ControlsAuditor Controls

General ControlsSETROPTS Commands – SETR AUDIT(*)

Specific ControlsUser activity – ALU …

Dataset activity – ALTDSD

Resource activity – RALTER


www.ekcinc.com



Audit ControlsAudit Controls --SETROPTSSETROPTS

APPLAUDIT and NOAPPLAUDIT AUDIT and NOAUDIT CMDVIOL and NOCMDVIOL LIST LOGOPTIONS OPERAUDIT and NOOPERAUDIT REFRESH GENERIC REFRESH RACLIST SAUDIT and NOSAUDIT SECLABELAUDIT and NOSECLABELAUDIT SECLEVELAUDIT and NOSECLEVELAUDIT


www.ekcinc.com



Controlling LoggingControlling Logging

ApplicationOwner

SYS1.MANx

Auditor


www.ekcinc.com



OwnerOwner--Controlled LoggingControlled Logging

ALTDSD 'PAYROLL.MASTER.*'AUDIT(FAILURES(READ))

PAYROLL.MASTER.* . . . FAILURES(READ)

Profile Name AUDIT GLOBALAUDIT


www.ekcinc.com



Auditor ControlsAuditor Controls –– LoggingLogging

ALTDSD 'PAYROLL.MASTER.*'GLOBALAUDIT(SUCCESS(UPDATE))

SETR LOGOPTIONS(ALWAYS(DASDVOL))SETR LOGOPTIONS(FAILURES(TERMINAL))

PAYROLL.MASTER.* . . . FAILURES(READ) SUCCESS(UPDATE)

Profile Name AUDIT GLOBALAUDIT

ALU STAN UAUDIT


www.ekcinc.com



Two Types of Audit DataTwo Types of Audit Data

Snapshot Data – The ImplementationRACF Commands – L…, SETR LIST

Data Security Monitor – DSMON

RACF Database Unload – IRRDBU00

Event Data – Wazhappnin???RACF Commands – LOGOPTIONS, GLOBALAUDIT…

SMF Data Unload Utility – IFASMFDP

Reporting Tools – SAMPLIB

RICE reports – ICEMAN statements for DB & SMF unloaded data

DB2 queries – RACDBUxx, IRRADUxx


www.ekcinc.com



Running the DSMON ProgramRunning the DSMON Program

ICHDSM00

//stepname EXEC PGM=ICHDSM00//SYSPRINT DD SYSOUT=A//SYSUT2 DD SYSOUT=A//SYSIN DD *LINECOUNT 55FUNCTION ALLUSEROPT USRDSN PAY.MASTER.FILE

Hardware

Software

DSMONReports


www.ekcinc.com



DSMON ReportsDSMON Reports

Selected Data Sets Report

Group Tree Report

RACF Global Access Table Report

RACF Class Descriptor Table Report

RACF Started Procedures Table Report

Selected User Attribute Summary Report

Selected User Attribute Report

RACF Authorized Caller Table Report

Program Properties Table Report

System Report

CPU-IDCPU MODELOPERATING SYSTEM/LEVEL z/OS . . .SYSTEM RESIDENCE VOLUMERACF FMID HRF7709 IS ACTIVE

DSMON

Reports

RACF Exits Report


www.ekcinc.com



System ReportSystem Report

CPU-ID 111606CPU MODEL 2064OPERATING SYSTEM/LEVEL z/OS 1.6.0SYSTEM RESIDENCE VOLUME DR250BSMF-ID ZOSRRACF FMID HRF7709 IS ACTIVE


www.ekcinc.com



Program Properties Table ReportProgram Properties Table ReportPROGRAM BYPASS PASSWORD SYSTEMNAME PROTECTION KEY---------------------------------------------------------------------------------IEDQTCAM NO YESISTINM01 YES YESIKTCAS00 NO YESAHLGTF NO YESHHLGTF NO YESIHLGTF NO YESIEFIIC NO YESIEEMB860 YES YESIEEVMNT2 NO YESIASXWR00 NO YESCSVVFCRE NO YESHASJES20 YES YESDFSMVRC0 NO YESIATINTK YES YESDXRRLM00 NO YES


www.ekcinc.com



RACF Authorized Caller Table ReportRACF Authorized Caller Table Report

MODULE RACINIT RACLISTNAME AUTHORIZED AUTHORIZED---------------------------------------------------------------------------DFHSIP NO YES


www.ekcinc.com



RACF Exit ReportRACF Exit Report

EXIT MODULE MODULENAME LENGTH----------------------------------------------------------ICHPWX01 1354ICHDEX01 224


www.ekcinc.com



Selected User Attribute ReportSelected User Attribute Report

USERID ---------------- ATTRIBUTE TYPE ----------------------------------------- ASSOCIATIONS ----------------------SPECIAL OPERATIONS AUDITOR REVOKE NODE.USERID PASSWORD ASSOCIATION

SYNC TYPE---------------------------------------------------------------------------------------------------------------------------------------------------BIGBIRD SYSTEM SYSTEMBERT SYSTEMELMO GROUP GROUPERNIE SYSTEM SYSTEMGROVER SYSTEM SYSTEMGROUCH GROUPIBMUSER SYSTEM SYSTEM SYSTEMSNUFFY GROUPZOE GROUP


www.ekcinc.com



Selected User Attribute SummarySelected User Attribute Summary

--------------------------------------------------------------------------------------------------------------TOTAL DEFINED USERS: 563TOTAL SELECTED ATTRIBUTE USERS:ATTRIBUTE BASIS SPECIAL OPERATIONS AUDITOR REVOKE-------------------------- ------------- -------------------- -------------- -------------SYSTEM 4 3 1 2GROUP 1 2 1 1


www.ekcinc.com



Started Procedures Table ReportStarted Procedures Table Report

FROM THE STARTED PROCEDURES TABLE (ICHRIN03):FROM PROFILES IN THE STARTED CLASS:------------------------------------------------------------------------------------------------------------------------------------------------PROFILE ASSOCIATED ASSOCIATEDNAME USER GROUP PRIVILEGED TRUSTED TRACE------------------------------------------------------------------------------------------------------------------------------------------------CICS.REGIONA CICSA NO NO NOCICS.REGIONB CICSB NO NO NODCEKERN.* (G) DCEKERN DCEGRP NO NO NOEZAFTPAP.* (G) TCPIP OMVSGRP NO YES NOFTPD.* (G) OMVSKERN OMVSGRP NO NO NOMVSNFS.* (G) TCPIP OMVSGRP NO NO NOOMVS.* (G) OMVSKERN OMVSGRP NO NO NOPORTMAP.* (G) TCPIP OMVSGRP NO YES YESFTPSERVE.* (G) TCPIP OMVSGRP NO YES NOINETD.* (G) INETD SYS1 NO NO NOSMF.* (G) STCUSR SYS1 NO YES NOIRRDPTAB.* (G) STCUSR SYS1 NO YES NOJES2.* (G) STCUSR SYS1 NO YES NOLLA.* (G) STCUSR SYS1 NO YES NOTSO.* (G) TSO TSOGRP NO NO NOVTAM.* (G) VTAM VTAMGRP NO YES NOLOGREC.* (G) LOGREC SYS1 NO NO NO** (G) =MEMBER STCGRP NO NO YES


www.ekcinc.com



Class Descriptor Table ReportClass Descriptor Table ReportCLASS DEFAULT OPERATIONSNAME STATUS AUDITING STATISTICS UACC ALLOWED----------------------------------------------------------------------------------------------------------------------------RACFVARS ACTIVE NO NO NONE NOSECLABEL INACTIVE NO NO NONE NODASDVOL ACTIVE NO NO ACEE YESGDASDVOL ACTIVE NO NO ACEE YESTAPEVOL ACTIVE NO NO ACEE YESTERMINAL INACTIVE NO NO ACEE NOGTERMINL INACTIVE NO NO ACEE NOAPPL ACTIVE NO NO NONE NOTIMS INACTIVE NO NO NONE NOGIMS INACTIVE NO NO NONE NOAIMS INACTIVE NO NO NONE NOTCICSTRN ACTIVE NO NO NONE NOGCICSTRN ACTIVE NO NO NONE NOPCICSPSB INACTIVE NO NO NONE NOGLOBAL ACTIVE NO NO NONE NOGMBR INACTIVE NO NO NONE NODSNR INACTIVE NO NO ACEE NOFACILITY ACTIVE NO NO NONE NO


www.ekcinc.com



Global Access Checking Table ReportGlobal Access Checking Table Report

CLASS ACCESS ENTRYNAME LEVEL NAME----------------------------------------------------------------------------------------DATASET ALTER &RACUID.*

READ ISPF.*UPDATE SYS1.BRODCAST

RVARSMBR -- NO ENTRIES --SECLABEL -- NO ENTRIES --DASDVOL -- NO ENTRIES --TAPEVOL -- NO ENTRIES --TERMINAL -- NO ENTRIES --APPL -- NO ENTRIES --TIMS -- NO ENTRIES --AIMS -- NO ENTRIES --TCICSTRN -- NO ENTRIES --PCICSPSB -- NO ENTRIES --


www.ekcinc.com



Group Tree ReportGroup Tree Report

LEVEL GROUP (OWNER)---------------------------------------------------------

1 SYS1 (IBMUSER)|

2 | DATASETG (TOMC)| |

3 | | ABA| |

3 | | ARP| | |

4 | | | ARPLST|

2 | CICSADM| |

3 | | TRANA| |

3 | | TRANB|

2 | DATACTRL


www.ekcinc.com



Selected Data Sets ReportSelected Data Sets Report

VOLUME SELECTIONDATA SET NAME SERIAL CRITERION-------------------------------------------------------------------------------------------PAY.MASTER.FILE USER23 USERDSNPAY.SALARY.FILE USER23 USERDSNISP.PPLIB.ISPLLIB M80LIB LNKLST - APFISP.V3R1M0.ISPLOAD M80LIB APFISP.V3R2M0.ISPLOAD M80LIB APF

LNKLST - APFJES2311.STEPLIB SMS036 APFJES2313.STEPLIB SMS036 APFJES2410.STEPLIB SMS036 APFJES2420.STEPLIB SMS036 APFSYS1.CMDLIB JS2RES APF

LNKLST - APFSYSTEM

SYS1.COBLIB M80LIB LNKLST - APFSYS1.LINKLIB MVSRES LNKLST - APF

SYSTEMSYS1.NCATLG M80PGE MASTER CATALOGSYS1.NUCLEUS MVSRES SYSTEMSYS1.PROCLIB M80PGE SYSTEMSYS1.RACF.BACKUP SMS124 RACF BACKUPSYS1.RACF.PRIMARY SMS073 RACF PRIMARYSYS1.UADS M80PGE SYSTEM

RACF RACFINDICATED PROTECTED UACC-------------------------------------------------------NO YES NONENO YES NONENO YES READN.F YES READNO YES READ

N.C YES READNO YES READNO YES READNO YES READNO YES READ

NO YES READN.F YES NONE

NO YES READNO YES NONENO YES NONENO YES NONENO YES NONENO YES NONE


www.ekcinc.com



Reporting on the Unloaded DatabaseReporting on the Unloaded Database

Valid users

IRRDBU00Output Data

Reports

Selected groupsConnections

MVS Open Edition

SQL Queriesor ICETOOLs


www.ekcinc.com



SMF Data Unload UtilitySMF Data Unload UtilityDB2 orOtherRDMS

IFASMFDP

ICETOOLor Utilities

InstallationWritten

Programs

Browse

SMF Data UnloadedSMF DataUSER2(IRRADU00)

USER3(IRRADU86)


www.ekcinc.com



SMF Unload JCL ExampleSMF Unload JCL Example

//SMFUNLD JOB ,'SMF DATA UNLOAD',// MSGLEVEL=(1,1),TYPRUN=HOLD//SMFDUMP EXEC PGM=IFASMFDP//SYSPRINT DD SYSOUT=A//ADUPRINT DD SYSOUT=A//OUTDD DD DISP=SHR,DSN=USER01.RACF.IRRADU00//SMFDATA DD DISP=SHR,DSN=USER01.RACF.SMFDATA//SMFOUT DD DUMMY//SYSIN DD *

INDD(SMFDATA,OPTIONS(DUMP))OUTDD(SMFOUT,TYPE(000:255))ABEND(NORETRY)USER2(IRRADU00)USER3(IRRADU86)

/*


www.ekcinc.com



SamplibSamplib Tools AvailableTools Available

IRRICE Collection– Uses DFSORT and ICETOOL to produce reports

based on Unloaded Database data and SMF data.

IRRADULD, ..QR, ..TB– Uses SQL to define (TB), Load (LD), and Query

(QR) auditing (unloaded SMF) data.

RACDBULD, ..QR, ..TB– Uses SQL to define (TB), Load (LD), and Query

(QR) security definition data.


www.ekcinc.com



Sample IRRDBU00 ReportSample IRRDBU00 Report

- 1 - UAGR: GR Profiles with a UACC Other Than None 06/09/28

Class General Resource Profile Name Generic Owner UACC-------- ----------------------------- ------- -------- --------

DSNR DSN.WLM_REFRESH.DB8GENV1 NO 0 P390A READDSNR SYSPROC.WLM_REFRESH.DB8GRFSH NO 0 P390A READDSNR SYSPROC.WLM_REFRESH.WLMENV1 NO 0 IBMUSER READDSNR SYSPROC.WLM_REFRESH.WLMENV2 NO 0 IBMUSER READFIRECALL FIRECALL NO 0 SYS1 READFACILITY DITTO.* YES 0 IBMUSER READFACILITY MVSADMIN.WLM.POLICY NO 0 IBMUSER READ


www.ekcinc.com



Sample IRRADU00 ReportSample IRRADU00 Report

- 1 - CADU: Number of IRRADU00 Events06/09/28 09:57:32 am

Type Count-------- ---------------ACCESS 1842ALTUSER 6CONNECT 3DACCESS 1DEFINE 4DIRSRCH 15JOBINIT 2951PERMIT 1RDEFINE 2REMOVE 3SETROPTS 1


www.ekcinc.com



Conducting the AuditConducting the AuditWe’ve checked the RACF implementation

for appropriate security controls.

Identified security exposures.

Made our recommendations.

What’s this 18 hour “Special”?




Part 2: Emergency Access


www.ekcinc.com



What is Emergency Access?What is Emergency Access?Non-standard access

Storage fixes

General Error fixes

System upgrades

Testing the Recovery Plan


www.ekcinc.com



Typical MethodsTypical MethodsMay I have the envelope please?

Temporary connect

Scheduled connect

Always on, just in case security

Secondary accounts


www.ekcinc.com



The PreThe Pre--loaded Accountloaded AccountAll the access in the world

Keeping it relevant

Turning it off / Re-loading

Not tied to an individual

Accounting for use


www.ekcinc.com



Temporary ConnectionTemporary ConnectionConnect at 5pm

Disconnect at 9am

Is it enough?

Less difficult to audit

Request/approval trace


www.ekcinc.com



Temporary ConnectionTemporary ConnectionScheduled connect at 3am

Disconnect at 9am

Is it enough?


Request/approval trace


www.ekcinc.com



The Trusted ProfessionalThe Trusted ProfessionalExtra access for the normal fixer

Enough access for typical emergencies

May not be enough

Difficult to audit

What paper trail?


www.ekcinc.com



Dual AccountsDual AccountsSecondary account for the normal fixer

Enough access for typical emergencies

May not be enough


After the fact request/approval


www.ekcinc.com



The Business Recovery PlanThe Business Recovery PlanMost companies use “test” data, right?

DRP accounts do everything

Minimum alteration risk

Maximum disclosure risk

Auditing the Recovery Test


www.ekcinc.com



The BRP RealityThe BRP Reality

> -----Original Message-----> From: RACF Discussion List On Behalf Of XXXX XXXXXXXX>> We want to give users testing programs in a D/R LPAR the> authority to run production jobs. The production jobs run> under the USERID of SYSMANT. What's the RACF command to allow> this to happen.

PERMIT SYSMANT.SUBMIT CLASS(SURROGAT) ACCESS(READ) ID(userID) .


www.ekcinc.com



Emergency Access RecommendationsEmergency Access Recommendations

Keep a good trail of request & authorization.For periodical needs, use 2 accounts, log

access used by second account. (UAUDIT)

Rip up the envelope, get rid of the pre-loadedaccount.

Collect and examine SMF data from DRPRestrict or remove software capable of

editing raw SMF data.




Audit Reporting & Emergency Access

Documents

auditing The Racf Environment - Ekc · Selected Data Sets ReportSelected Data Sets Report-----