SECURITY & COMPLIANCE CONFERENCE 2016
Protecting JES Resources with RACF
Tony Nix
Professional Services Consultant, Vanguard Integrity Professionals
BTB-5
VANGUARD SECURITY & COMPLIANCE 2016
Legal Notice
©2016 Vanguard Integrity Professionals, Inc. 2
Copyright
©2016 Vanguard Integrity Professionals, Inc. All Rights Reserved. You have a limited license to view these materials for your organization’s internal purposes. Any unauthorized reproduction, distribution, exhibition or use of these copyrighted materials is expressly prohibited.
Trademarks
The following are trademarks of Vanguard Integrity Professionals – Nevada:
Vanguard Administrator
Vanguard Advisor
Vanguard Analyzer
Vanguard SecurityCenter
Vanguard Offline
Vanguard Cleanup
Vanguard PasswordReset
Vanguard Authenticator
Vanguard inCompliance
Vanguard IAM
Vanguard GRC
Vanguard QuickGen
Vanguard Active Alerts
Vanguard Configuration Manager
Vanguard Configuration Manager Enterprise Edition
Vanguard Policy Manager
Vanguard Enforcer
Vanguard ez/Token
Vanguard Tokenless Authenticator
Vanguard ez/PIV Card Authenticator
Vanguard ez/Integrator
Vanguard ez/SignOn
Vanguard ez/Password Synchronization
Vanguard Security Solutions
Vanguard Security & Compliance
Vanguard zSecurity University
The following are trademarks or registered trademarks of the International Business Machines Corporation in the United States, other countries, or both:
CICS
CICSPlex
DB2
eServer
IBM
IBM z
IBM z Systems
IBM z13
S/390
System z
System z9
System z10
System/390
VTAM
WebSphere
z Systems
z9
z10
z13
z/Architecture
z/OS
z/VM
zEnterprise
IMS
MQSeries
MVS
NetView
OS/390
Parallel Sysplex
RACF
RMF
Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation. Other company, product, and service names may be trademarks or service marks of others.
Session Topics
• Job Control Overview
• Security Tokens
• Controlling Task Input
• Controlling Task Output
• Controlling Access to JES SPOOL Data
• Controlling NJE Security
• Working with the “node” qualifier value
RACF® Related Classes
Diagram: RACF classes related to MVS™/JES, grouped by function.
• INPUT (batch SUBMIT, RJE/RJP, NJE, TSO): JESJOBS, JESINPUT, NODES, SURROGAT, PROPCNTL, FACILITY
• COMMANDS: OPERCMDS, CONSOLE, JESINPUT, SDSF
• OUTPUT (RJE/RJP, NJE, line and PSF printers): WRITER; SPOOL/SYSOUT – JESSPOOL
Scope of JES Security
• JES Input Processing
• SETR JES(EARLYVERIFY)
• JES Conversion Processing
• JES Execution Processing
• JES Output Processing
• JES Purge Processing
Input and Output Controls
• Input Controls
– Allow control of job names (JESJOBS)
– Allow control of who can use which job classes
– Allow control of who can enter jobs from where (JESINPUT/NODES)
– Allow control of Surrogate submission (SURROGAT)
– Allow control of propagating a userid (PROPCNTL)
• Output Controls
– Allow control of who can send SYSOUT where (WRITER)
– Allow control of who can access SYSOUT on the spool (JESSPOOL)
Security Tokens
• Associated with the task during input services
– Identifies the Submitter of the task
– Identifies the Owner of the task
– Identifies the Owner of all resources associated with the task
• SYSIN
• SYSOUT
• Transportable - not associated with a particular address space
Security Tokens
Diagram: the three tokens follow a job through JES. The STOKEN (Job Submitter) is attached on the JES input queue, the UTOKEN (Job Owner) governs processing, and the RTOKEN (Resource Owner) accompanies the data on the JES output queue.
Token Format
Diagram: token layout.
OWNER:      USERID  GROUP  EX-NODE  POE
SUBMITTER:  USERID  GROUP  SUB-NODE
FLAGS ETC.: Surrogate, Privileged, Trusted, Internal/External, Session Type
Who is the Submitter?
Diagram: the SUBMITTER's STOKEN is the UTOKEN of the submitting job or user: the UTOKEN of the submitting job, or of the TSO user issuing SUBMIT; ???????? for an unknown NJE user; ++++++++ for an unknown local user. For NJE jobs a NODES translation may be applied first.
Who is the Job Owner?
Diagram: the owner's userid comes from USER= on the JOBCARD, from the USER propagated via the INTRDR, or is an undefined user. JES input services issue RACROUTE VERIFY/X to build the ACEE, whose UTOKEN carries the userid and groupid. SETR JES(BATCHALLRACF) applies here (every batch job must run under a RACF-defined userid).
Determining the Job's Owner
                                         Internal Reader                  Local Devices   RJE / RJP Devices
USER / PASSWORD coded on Job Statement   Coded Value                      Coded Value     Coded Value
USER / PASSWORD not coded on Job         Submitting User ID is propagated ++++++++        ????????
Statement
Preventing JES Propagation
Diagram: the CICSPRD region submits job TRNA to JES.
//TRNA JOB acctnum,USER=CICSPRD
With USER=CICSPRD coded, the job runs as CICSPRD.
//TRNA JOB acctnum,
With no USER= coded, the submitting userid CICSPRD would be propagated to TRNA; a PROPCNTL class profile for CICSPRD in the RACF database (CICSPRD UA(NONE)) prevents that propagation.
SETR CLASSACT(PROPCNTL)
RDEF PROPCNTL CICSPRD UA(NONE)
SETR RACLIST(PROPCNTL)
Control of Job Submission
Diagram: for each //Jobname JOB . . . statement that reaches JES, the questions are which jobs, from whom, and from where.
Steps to Protect Job Input
• Decide job name standards
• Decide what jobs are to be restricted
• Decide who is allowed to submit each job and from where
• Define profiles: JESJOBS, JESINPUT, FACILITY, SURROGAT
• Activate classes and test
Controlling Job Names – JESJOBS
Job name control based on "who" and "from where".
Diagram: a //VANPAY1 JOB . . . statement arriving at JES is checked against the JESJOBS profiles in the RACF database, SUBMIT.node.job.owner and CANCEL.node.owner.job, each with a UACC and access list. JESJOBS is a ‘Nasty Class’ (RC=8): once the class is active, a job with no covering profile fails.
Issue SETR GENERIC(JESJOBS) GENCMD(JESJOBS) before defining any profiles.
Defining JESJOBS Class Profiles
• To allow only the PAYROLL group to submit any VANPAY job from node LVPROD:
RDEF JESJOBS SUBMIT.LVPROD.VANPAY*.* UACC(NONE)
PERMIT SUBMIT.LVPROD.VANPAY*.* CL(JESJOBS) ID(PAYROLL) AC(READ)
• To allow only KAREN to cancel any VANPAY job from LVPROD:
RDEF JESJOBS CANCEL.LVPROD.*.VANPAY* UACC(NONE)
PERMIT CANCEL.LVPROD.*.VANPAY* CL(JESJOBS) ID(KAREN) AC(ALTER)
• To allow anyone to submit and cancel all other jobs:
RDEF JESJOBS ** UACC(READ)
Controlling Job Class – JESJOBS
JESJOBS profiles determine who can use a certain JOB class.
FACILITY profiles determine who is checked – Submitter, Owner, or no check made.
Diagram: a //VANPAY1 JOB . . . statement with // CLASS=X arriving at JES is checked against the JESJOBS profile JOBCLASS.node.jobclass.jobname (UACC and access list) in the RACF database; the FACILITY profiles JES.JOBCLASS.OWNER and JES.JOBCLASS.SUBMITTER (UACC not applicable) select whose access is checked. ‘Nasty Class’ RC=8.
Defining JESJOBS JOB Class Profiles
User PETERR submits a CLASS=X job named PETERRA with USER=BOB in the JOBCARD. The local node is VANLV. Of course the SURROGAT profile is checked as well. If there is a JES.JOBCLASS.OWNER profile in the FACILITY class, a check is made whether user BOB has READ access to the JESJOBS profile:
RDEF JESJOBS JOBCLASS.VANLV.X.PETERRA OWNER(SECADMN) UACC(NONE)
PE JOBCLASS.VANLV.X.PETERRA CLASS(JESJOBS) ID(BOB) ACC(R)
If there is a JES.JOBCLASS.SUBMITTER profile in the FACILITY class, a check is made whether user PETERR has READ access to the JESJOBS profile:
RDEF JESJOBS JOBCLASS.VANLV.X.PETERRA OWNER(SECADMN) UACC(NONE)
PE JOBCLASS.VANLV.X.PETERRA CLASS(JESJOBS) ID(PETERR) ACC(R)
If both FACILITY class profiles exist, then PETERR and BOB must both have READ access to the JESJOBS class profile.
Note: The FACILITY class profiles are basically ON/OFF switches.
Defining JESJOBS JOB Class Profiles
• You probably want to define a backstop profile to allow all users access to all job classes.
• Then define profiles to limit certain classes.
• If JESJOBS was not previously active, be sure to define SUBMIT.** and/or CANCEL.** before activating the class. Remember JESJOBS is a “nasty” class.
• Create the FACILITY class profiles after the JESJOBS profiles.
RDEF JESJOBS JOBCLASS.** OWNER(SECADMN) UACC(READ)
RDEF JESJOBS JOBCLASS.*.P.* OWNER(SECADMN) UACC(NONE)
PE JOBCLASS.*.P.* CLASS(JESJOBS) ID(PRODJOBS) ACC(R)
Defining GLOBAL JESJOBS Profile
• Optional: define a GLOBAL JESJOBS profile to allow users to submit and cancel their own jobs without creating specific SMF records:
RDEF GLOBAL JESJOBS ADDMEM( +
  CANCEL.*.&RACUID.*/ALTER +
  SUBMIT.*.*.&RACUID/READ +
  SUBMIT.*.&RACUID.&RACUID/READ)
Port-of-Entry Control – JESINPUT Class
DEVICE            JES2 POE NAME       JES3 POE NAME
JES reader        RDRnn               Jname of reader
Disk reader       n/a                 DR member name
RJE/RJP reader    Rnnnn.RDn           Workstation name
NJE reader        Adjacent Nodename   NJERDR
Dump Job          n/a                 DUMPJOB
Spool Offload     OFFn.JR             n/a
Internal Reader   INTRDR              INTRDR
TSO SUBMIT        INTRDR              INTRDR
Started tasks     STCINRDR            STCINRDR
TSO logons        TSUINRDR            TSO terminal name
Example: allow only the PAYROLL group to enter jobs through RJE reader R124.RD1, with a backstop for every other port of entry (JESINPUT is a ‘Nasty Class’, RC=8):
RDEF JESINPUT R124.RD1 UACC(NONE)
PE R124.RD1 CL(JESINPUT) ID(PAYROLL) AC(READ)
RDEF JESINPUT ** UA(READ)
Surrogate Job Submission
Diagram: user JACK submits //jobname JOB USER=JILL; JES checks the SURROGAT class profile JILL.SUBMIT in the RACF database, on which JACK has READ access.
RDEF SURROGAT JILL.SUBMIT OWNER(SECADMN) UACC(NONE)
PE JILL.SUBMIT CLASS(SURROGAT) ID(JACK) AC(READ)
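Taken together, the owner table (Determining the Job's Owner), the PROPCNTL example and the SURROGAT example above describe one admission decision that JES input services make for every job: settle the owner, verify a password or a surrogate permission, and reject undefined users when BATCHALLRACF is set. The Python below is an added illustration of that decision written for this page; it is not Vanguard's or IBM's code. CICSPRD, TRNA, JILL and JACK are the slides' names; the port-of-entry labels INTRDR/LOCAL/RJE, the PASSWORDS table, the userid TSOUSR1 and the choice to treat a blocked propagation as an undefined user (++++++++) are this model's assumptions.

```python
"""Added model of how JES input services settle a job's owner, how a
PROPCNTL profile stops userid propagation, and when a SURROGAT profile is
consulted. Illustrative code for this page, not Vanguard's or IBM's.
CICSPRD, JILL and JACK come from the slides; the other names, the password
table and the handling of blocked propagation are this model's assumptions."""

UNDEFINED_LOCAL = "++++++++"   # unknown local user
UNDEFINED_NJE = "????????"     # unknown NJE/RJE user

# RDEF PROPCNTL CICSPRD UA(NONE): jobs CICSPRD submits do not inherit its userid
PROPCNTL = {"CICSPRD"}
# RDEF SURROGAT JILL.SUBMIT ... / PE JILL.SUBMIT CLASS(SURROGAT) ID(JACK) AC(READ)
SURROGAT = {"JILL.SUBMIT": {"JACK": "READ"}}
# Passwords for the model's verification step (constructed, not real data)
PASSWORDS = {"JILL": "secret1", "CICSPRD": "secret2"}


def default_owner(poe, submitter):
    """Owner when USER= is not coded, by port of entry (table on the slide)."""
    if poe == "INTRDR":                      # internal reader: submitter propagated
        # Assumption: with propagation blocked by PROPCNTL the job has no userid
        return UNDEFINED_LOCAL if submitter in PROPCNTL else submitter
    if poe == "LOCAL":                       # local devices
        return UNDEFINED_LOCAL
    return UNDEFINED_NJE                     # RJE/RJP devices


def surrogate_allowed(submitter, owner):
    """READ on SURROGAT profile owner.SUBMIT lets submitter run owner's jobs."""
    acl = SURROGAT.get(f"{owner}.SUBMIT", {})
    return acl.get(submitter) in ("READ", "UPDATE", "CONTROL", "ALTER")


def admit_job(poe, submitter, user_coded=None, password=None, batchallracf=True):
    """Return (accepted, owner, reason) for one job statement.
    batchallracf models SETR JES(BATCHALLRACF): every batch job needs a
    RACF-defined userid, so undefined owners are rejected."""
    if user_coded is None:
        owner = default_owner(poe, submitter)
    else:
        owner = user_coded
        if password is not None:             # USER= with PASSWORD=: verify it
            if PASSWORDS.get(owner) != password:
                return False, owner, "password verification failed"
        elif owner != submitter and not surrogate_allowed(submitter, owner):
            return False, owner, f"{submitter} lacks READ on SURROGAT {owner}.SUBMIT"
    if batchallracf and owner in (UNDEFINED_LOCAL, UNDEFINED_NJE):
        return False, owner, "undefined user rejected by BATCHALLRACF"
    return True, owner, "ok"


if __name__ == "__main__":
    print(admit_job("INTRDR", "CICSPRD"))                 # blocked by PROPCNTL, then BATCHALLRACF
    print(admit_job("INTRDR", "CICSPRD", "CICSPRD"))      # USER=CICSPRD coded: accepted
    print(admit_job("INTRDR", "JACK", "JILL"))            # surrogate submission: accepted
```

The three calls in the main block reproduce the PROPCNTL slide's two job cards and the SURROGAT slide; the same function also shows why a job entered at a local device without USER= ends up as ++++++++.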
Steps to Protect Job Output
• Decide printers to protect
• Decide who can use which printers
• Decide who can view or purge other users’ spool data
• Define profiles: WRITER, JESSPOOL
• Activate classes and test
Printer Access – WRITER Class
Diagram: WRITER profiles in the RACF database are named jesx.LOCAL.devn and jesx.RJE/RJP.devn, each with a UACC and access list; the device names come from the JES2 PRT(n) . . . initialization parameters or the JES3 DEVICE JNAME= parameters. ‘Nasty Class’ RC=8.
Defining WRITER Class Profiles
• To allow only the PAYROLL group to use local printer PRT45:
RDEF WRITER JES%.LOCAL.PRT45 UACC(NONE)
PE JES%.LOCAL.PRT45 CL(WRITER) ID(PAYROLL) AC(READ)
• To allow only the PAYROLL group to use the remote printer R5:
RDEF WRITER JES%.RJE.R5 UACC(NONE)
PE JES%.RJE.R5 CL(WRITER) ID(PAYROLL) AC(READ)
• To allow all users to use all other printers:
RDEF WRITER JES%.*.** UACC(READ)
Access Control to SYSOUT – JESSPOOL
Diagram: SYSOUT on the JES SPOOL is protected by JESSPOOL profiles in the RACF database named node.user.jobname.job#.Dsid.dsname, each with a UACC and access list. ‘Nasty Class’ RC=8.
Access to SYSOUT
• Allow viewing of CAROL's data for the ACCOUNT job on LVPROD: READ on JESSPOOL profile LVPROD.CAROL.ACCOUNT.**
• Allow deletion of all spool data for the BACKUP job on LVPROD: ALTER on JESSPOOL profile LVPROD.*.BACKUP.**
• Allow only FRANK to use the TSO RECEIVE command for the BLKMAIL job, MAILDATA data set on LVPROD: ALTER on JESSPOOL profile LVPROD.FRANK.BLKMAIL.*.*.MAILDATA
Steps to Protect NJE
• Control jobs and/or SYSOUT?
• Control inbound and/or outbound work?
• Control whose work is sent and received?
• Define profiles: WRITER, NODES
• Activate classes, RACLIST, and test
NJE – WRITER and NODES Class
To control sending, use the WRITER class (the profile names the target node); to control receipt, use the NODES class (the profile names the sending node).
         WRITER Class (sending)   NODES Class (receiving)
JOBS     JES%.NJE.node            node.USERJ.userid, node.GROUPJ.groupid
SYSOUT   JES%.NJE.node            node.USERS.userid, node.GROUPS.groupid
Controlling Outgoing Jobs and SYSOUT
Diagram: NANCY submits // ..... JOB USER=NANCY at ORANGE (submitting node) for execution at VEGAS (XEQ on Vegas), with the output printed at DALLAS (PRT on Dallas). Each node's RACF database holds a USER profile for NANCY. WRITER class profiles are checked along the way: at Orange, JES%.NJE.VEGAS with NANCY(READ); at Vegas, JES%.NJE.DALLAS with NANCY(READ); at Dallas, JES%.LOCAL.PRT1 with NANCY(READ) for Nancy's output.
Controlling Entry of Jobs – NODES Class
Diagram: the same job (// ..... JOB USER=NANCY submitted at ORANGE, XEQ on Vegas, PRT on Dallas), now checked by the receiving nodes. At Vegas the NODES class profile ORANGE.USERJ.NANCY governs the inbound job; at Dallas the NODES class profile VEGAS.USERS.NANCY governs the inbound SYSOUT (Nancy's output). Each node's RACF database holds a USER profile for NANCY.
NODES Class Profile – UACC
Requirement                                                          Regard for Sending Node/User ID   UACC Needed
No need to re-verify password on incoming jobs (no password needed)  TRUSTED                           CONTROL / UPDATE
Re-verify user ID and password on incoming jobs (password needed)    SEMI-TRUSTED                      READ
No jobs accepted from node/user/group                                UNTRUSTED                         NONE
USERID Translation
Diagram: a // ..... JOB submitted in Orange (submitting node) by RICKY carries USERID=RICKY and SUSER=RICKY. At VEGAS (execution node, user ID translation) the NODES profile translates userid RICKY to LUCY, so the job runs as USERID=LUCY with SUSER=RICKY (User Profile LUCY in the Vegas RACF DB). At the output node (PRT on Orange) the NODES profile translates the userid back to the submitting user, USERID=&SUSER = RICKY with SUSER=RICKY, so Ricky's output belongs to RICKY (User Profile RICKY in the Orange RACF DB).
RDEF NODES ORANGE.USERJ.RICKY UA(UPDATE) ADDMEM(LUCY)      Translate userid RICKY to LUCY
RDEF NODES VEGAS.USERS.* UA(UPDATE) ADDMEM(&SUSER)         Translate userid to the submitting user
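The UACC table (NODES Class Profile – UACC) and the two RDEF NODES commands above combine into a single decision for each piece of inbound NJE work: find the NODES profile for the sending node and userid, read the trust level off its UACC, and apply any ADDMEM translation. The Python below is an added model of that decision written for this page, not Vanguard's or IBM's code, and its profile matching is a deliberately minimal stand-in for RACF's generic rules. ORANGE, VEGAS, RICKY and LUCY are the slides' names; the extra profiles ORANGE.USERJ.* and *.USERJ.*, the users FRED and ANY, the node TOKYO, the password_supplied flag and the rejection of work with no matching profile are constructed for the example.

```python
"""Added model of the NODES-class decisions for inbound NJE work: trust level
from the profile's UACC and userid translation via ADDMEM (including &SUSER).
Illustrative code for this page, not Vanguard's or IBM's. ORANGE/VEGAS/RICKY/
LUCY come from the slides; the other profiles and users, and the handling of
a missing profile, are constructed assumptions."""

ACCESS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# NODES profiles at a receiving node: name -> (UACC, ADDMEM value or None).
# node.USERJ.userid governs inbound jobs, node.USERS.userid inbound SYSOUT.
NODES_AT_VEGAS = {                      # execution node, receives jobs from ORANGE
    "ORANGE.USERJ.RICKY": ("UPDATE", "LUCY"),   # RDEF NODES ORANGE.USERJ.RICKY UA(UPDATE) ADDMEM(LUCY)
    "ORANGE.USERJ.*": ("READ", None),           # constructed: other ORANGE users are semi-trusted
    "*.USERJ.*": ("NONE", None),                # constructed: any other node is untrusted
}
NODES_AT_OUTPUT_NODE = {                # output node, receives SYSOUT from VEGAS
    "VEGAS.USERS.*": ("UPDATE", "&SUSER"),      # RDEF NODES VEGAS.USERS.* UA(UPDATE) ADDMEM(&SUSER)
}


def find_profile(profiles, resource):
    """Most specific profile whose qualifiers equal the resource's or are '*'.
    (RACF's generic matching is richer; this is enough for these names.)"""
    rq = resource.split(".")
    hits = [p for p in profiles
            if len(p.split(".")) == len(rq)
            and all(q in ("*", r) for q, r in zip(p.split("."), rq))]
    return min(hits, key=lambda p: p.count("*")) if hits else None


def trust_level(uacc):
    """UACC of the matching NODES profile -> regard for the sending node/user."""
    if ACCESS[uacc] >= ACCESS["UPDATE"]:
        return "TRUSTED"        # CONTROL/UPDATE: no password re-verification
    if ACCESS[uacc] == ACCESS["READ"]:
        return "SEMI-TRUSTED"   # READ: userid and password are re-verified
    return "UNTRUSTED"          # NONE: the work is not accepted


def translate_userid(addmem, incoming_userid, submitting_userid):
    """ADDMEM names the userid to run as; &SUSER means the submitting user."""
    if addmem is None:
        return incoming_userid
    return submitting_userid if addmem == "&SUSER" else addmem


def receive(profiles, kind, sending_node, incoming_userid, submitting_userid,
            password_supplied):
    """Decide one inbound job (kind 'USERJ') or SYSOUT (kind 'USERS').
    Returns (accepted, userid the work runs under, trust level)."""
    profile = find_profile(profiles, f"{sending_node}.{kind}.{incoming_userid}")
    if profile is None:
        # The slides do not cover a missing profile; this model rejects (assumption).
        return False, None, "NO PROFILE"
    uacc, addmem = profiles[profile]
    trust = trust_level(uacc)
    if trust == "UNTRUSTED":
        return False, None, trust
    if trust == "SEMI-TRUSTED" and not password_supplied:
        return False, None, trust
    return True, translate_userid(addmem, incoming_userid, submitting_userid), trust


if __name__ == "__main__":
    # RICKY's job from ORANGE is accepted at VEGAS and runs as LUCY ...
    print(receive(NODES_AT_VEGAS, "USERJ", "ORANGE", "RICKY", "RICKY", False))
    # ... and LUCY's SYSOUT from VEGAS is translated back to the submitter RICKY
    print(receive(NODES_AT_OUTPUT_NODE, "USERS", "VEGAS", "LUCY", "RICKY", False))
```

The two calls in the main block follow the job on the slide around the network: the first applies ORANGE.USERJ.RICKY at the execution node, the second applies VEGAS.USERS.* with &SUSER at the output node, which is what puts Ricky's output back under RICKY.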
Identifying the node name
• Defined in JES initialization parameters
• A node is a specific location in a network
• JES JOB Log can identify the node name
Using RACF Variables
• Used like generic characters in profile names
• Must be defined in the RACFVARS Class
• Only applicable to General Resource Classes, not Dataset profiles
• Profile names must be 1 to 8 characters and must start with an ampersand (&)
• See RACF Security Administrator’s Guide, Chapter 7 for complete details
Using RACF Variables
• &RACLNDE is a RACF reserved profile name
• Use the &RACLNDE profile name to represent multiple node names in the RACFVARS Class
• RACFVARS is a Group Class, not a Member Class
• Allows use of a single profile to represent multiple nodes in a network where the resource protection is the same for all nodes
– E.g. ORANGE, VEGAS, DALLAS
• Useful for NODES, JESJOBS, JESSPOOL
Using RACF Variables
RDEF RACFVARS &RACLNDE UA(N) OW(SECADMN)
RALT RACFVARS &RACLNDE ADDMEM(ORANGE, VEGAS, DALLAS)
RDEF JESSPOOL &RACLNDE.*.PAY*.** UA(N) OW(SECADMN)
PE &RACLNDE.*.PAY*.** CL(JESSPOOL) AC(A) ID(PAYGROUP)
RDEF NODES &RACLNDE.USERJ.ARTM UA(C) OW(SECADMN)
SETR RACLIST(RACFVARS JESSPOOL NODES) [REFRESH]
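The JESJOBS checks from the Defining JESJOBS Class Profiles slides (SUBMIT.node.job.owner, CANCEL.node.owner.job, JOBCLASS.node.jobclass.jobname with the FACILITY on/off switches, and the backstop ** that a ‘nasty’ class needs), the JESSPOOL profiles from the Access to SYSOUT slide, and the &RACLNDE variable defined on this slide all rest on the same mechanism: find the most specific profile whose generic name covers the resource, then compare the access it grants with what the request needs. The Python below is an added model of that mechanism written for this page; it is not Vanguard's or IBM's code and not RACF's actual algorithm. The profile names are the slides' own; the generic-matching and most-specific-profile rules are simplified, and the users and groups DAVE, OPERS, ALICE, PAT, ANN and GINA, the NO_BACKSTOP dictionary and the function names (check, can_submit, can_cancel, jobclass_allowed) are constructed for the demonstration.

```python
"""Added model of RACF profile checking for the JESJOBS and JESSPOOL classes,
including a RACFVARS variable (&RACLNDE) inside a profile name.
Illustrative code for this page, not Vanguard's or IBM's: the profile names
are the slides', the generic-matching and best-profile rules are a
simplification of RACF's, and the users/groups in the checks are constructed."""
import re

ACCESS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}

# RACFVARS: &RACLNDE lists the local node names (RDEF/RALT on the slide)
RACFVARS = {"&RACLNDE": {"ORANGE", "VEGAS", "DALLAS"}}

# Profiles from the slides: name -> (UACC, {userid or group: access})
JESJOBS = {
    "SUBMIT.LVPROD.VANPAY*.*": ("NONE", {"PAYROLL": "READ"}),
    "CANCEL.LVPROD.*.VANPAY*": ("NONE", {"KAREN": "ALTER"}),
    "JOBCLASS.**": ("READ", {}),
    "JOBCLASS.*.P.*": ("NONE", {"PRODJOBS": "READ"}),
    "**": ("READ", {}),  # backstop: anyone may submit/cancel other jobs
}
NO_BACKSTOP = {k: v for k, v in JESJOBS.items() if k != "**"}  # the class without **
JESSPOOL = {
    "LVPROD.CAROL.ACCOUNT.**": ("NONE", {"DAVE": "READ"}),   # DAVE: constructed
    "LVPROD.*.BACKUP.**": ("NONE", {"OPERS": "ALTER"}),      # OPERS: constructed
    "LVPROD.FRANK.BLKMAIL.*.*.MAILDATA": ("NONE", {"FRANK": "ALTER"}),
    "&RACLNDE.*.PAY*.**": ("NONE", {"PAYGROUP": "ALTER"}),
}
FACILITY = {"JES.JOBCLASS.OWNER", "JES.JOBCLASS.SUBMITTER"}  # present = switch on

def qualifier_matches(pat, qual):
    """One qualifier: % = any single character, * = zero or more characters,
    &VAR = any member of the RACFVARS profile of that name."""
    if pat.startswith("&"):
        return qual in RACFVARS.get(pat, set())
    rx = "".join(".*" if c == "*" else "." if c == "%" else re.escape(c) for c in pat)
    return re.fullmatch(rx, qual) is not None

def profile_matches(profile, resource):
    """Qualifier-by-qualifier match; a lone ** spans zero or more qualifiers."""
    pq, rq = profile.split("."), resource.split(".")

    def rec(i, j):
        if i == len(pq):
            return j == len(rq)
        if pq[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(rq) + 1))
        return j < len(rq) and qualifier_matches(pq[i], rq[j]) and rec(i + 1, j + 1)

    return rec(0, 0)

def specificity(profile):
    """Sort key approximating RACF's choice of the most specific matching
    profile: at the first difference a plain character beats %, % beats *,
    and * beats **."""
    key = []
    for q in profile.split("."):
        key.extend([3] if q == "**" else [2 if c == "*" else 1 if c == "%" else 0 for c in q])
        key.append(0)
    return key

def check(profiles, resource, user, groups, needed):
    """Return (allowed, profile used). With the class active and no profile
    covering the resource, a 'nasty' class fails the request (RC=8)."""
    hits = [p for p in profiles if profile_matches(p, resource)]
    if not hits:
        return False, None
    best = min(hits, key=specificity)
    uacc, acl = profiles[best]
    if user in acl:                      # an explicit user entry wins ...
        granted = acl[user]
    else:                                # ... else the best group entry, else UACC
        granted = max((acl[g] for g in groups if g in acl), key=ACCESS.get, default=uacc)
    return ACCESS[granted] >= ACCESS[needed], best

def can_submit(node, jobname, owner, submitter, groups, profiles=JESJOBS):
    """JESJOBS SUBMIT.node.jobname.owner: the submitter needs READ."""
    return check(profiles, f"SUBMIT.{node}.{jobname}.{owner}", submitter, groups, "READ")[0]

def can_cancel(node, jobname, owner, user, groups, profiles=JESJOBS):
    """JESJOBS CANCEL.node.owner.jobname: the cancelling user needs ALTER."""
    return check(profiles, f"CANCEL.{node}.{owner}.{jobname}", user, groups, "ALTER")[0]

def jobclass_allowed(node, jobclass, jobname, owner, owner_groups,
                     submitter, submitter_groups, facility=FACILITY):
    """JES.JOBCLASS.OWNER / JES.JOBCLASS.SUBMITTER in FACILITY are on/off
    switches selecting whose READ access to JOBCLASS.node.class.jobname counts."""
    res = f"JOBCLASS.{node}.{jobclass}.{jobname}"
    if "JES.JOBCLASS.OWNER" in facility and not check(JESJOBS, res, owner, owner_groups, "READ")[0]:
        return False
    if "JES.JOBCLASS.SUBMITTER" in facility and not check(JESJOBS, res, submitter, submitter_groups, "READ")[0]:
        return False
    return True

if __name__ == "__main__":
    print(can_submit("LVPROD", "VANPAY1", "BOB", "ALICE", {"PAYROLL"}))   # PAYROLL member: True
    print(can_submit("LVPROD", "TESTJOB", "ALICE", "ALICE", set(), NO_BACKSTOP))  # no profile: False
    print(check(JESSPOOL, "VEGAS.ANN.PAYRUN.JOB01234.D0000102.SYSPRINT", "PAT", {"PAYGROUP"}, "READ"))
```

The second call in the main block is the ‘nasty class’ point from the JESJOBS slides: with no ** backstop, an ordinary job that no profile covers is refused. The third shows &RACLNDE at work: VEGAS is a member of the variable, so &RACLNDE.*.PAY*.** covers the PAYRUN job's SYSOUT there, while the same resource name on a node outside the variable matches nothing.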
That’s all for JES Folks!