> Eric Bielefeld pisze:
>> I had a problem once with an APF library not being RACF protected.  I
>> set up a library for something, I can't even remember what, and put it
>> in the APF list.  Unfortunately, it was the only APF library that had
>> RACF protection allowing update by anyone.  We had an audit about 2
>> years or so before the datacenter closed for good,  and the audit tool
>> that was used pointed out that problem.  Of course, it was fixed within
>> minutes of finding it.  I can't remember the name of the tool, but I
>> know it was very good, and expensive, although we finally bought it only
>> after my boss negotiated a really good deal.
>
> Radoslaw Skorupka said:
> DSMON.
> *Free* (part of z/OS with RACF).
> Shows several reports including protection of "important" datasets.
>
>
>
> BTW: DSMON and possibly other tools only show partial security
> information about datasets.
> In case of DSMON you will know whether a dataset is RACF protected (*) and
> what the UACC of the profile is.
> THAT'S NOT ENOUGH!
> I remember I found an APF library with UACC(NONE), but on the access
> list there was a group "everyone" with ACCESS(ALTER).
> In other words you have to assess whether the protection is right - what
> teams (groups) have access to it. IMHO no tool can do it.
>

The other free tool to check APF RACF access is the Health Checker routine
"RACF_SENSITIVE_RESOURCES". However, as Radoslaw said about DSMON, it only
looks at UACC, (*), or warn mode. It will also tell you if the APF library
doesn't have a profile, unless you have "protectall(fail)" invoked. It does not
check the access list for standard access entries > READ, and it doesn't check
the Global Access Table.

It will, via the Modify command, check whether a userid has access greater than
READ to any one of the APF libraries listed by Health Checker.
For example, to see if userid "USR001" has access to any APF library greater
than READ then use the console command:
 f hzsproc,update,check=(ibmracf,RACF_SENSITIVE_RESOURCES),parm(USR001)

If the user USR001 has > READ in any standard access list in any APF library
profile then it will show ">READ" in the USER column of the report.

George Fogg
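Added example, not code from the thread or from IBM: a small model of the gap both replies describe, where a report that looks only at UACC and warn mode passes an APF library whose access list grants a catch-all group ALTER, and what the ">READ" access-list check for a given userid has to compute instead. The dataset names, group names, Global Access Table entry and the simplified checking order are constructed assumptions, not RACF's own logic.

```python
"""Model of why a UACC-only report misses access-list exposure on an
APF library. Sample data and checking order are constructed (assumption)."""
from dataclasses import dataclass, field

# RACF access levels, least to most privileged.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def rank(level):
    return LEVELS.index(level.upper())

@dataclass
class Profile:
    name: str
    uacc: str = "NONE"
    acl: dict = field(default_factory=dict)  # user or group id -> access
    warning: bool = False                    # profile in WARNING mode

# Constructed sample data: one sane profile, and the case Radoslaw describes
# (UACC(NONE) but a catch-all group holding ALTER). Names are made up.
GLOBAL_ACCESS_TABLE = {"SYS1.SAMPLE.HELP": "READ"}   # constructed GAT entry
PROFILES = [
    Profile("SYS1.SAMPLE.LINKLIB", uacc="READ", acl={"SYSPROG": "ALTER"}),
    Profile("SYS1.SAMPLE.APFLOAD", uacc="NONE", acl={"EVERYONE": "ALTER"}),
]

def uacc_only_check(p):
    """What a UACC / warn-mode-only report flags. True means 'looks exposed'."""
    return p.warning or rank(p.uacc) > rank("READ")

def exposed_ids(p):
    """The check George describes: every access-list entry above READ."""
    return sorted(i for i, a in p.acl.items() if rank(a) > rank("READ"))

def effective_access(p, user, groups):
    """Simplified checking order (assumption): a Global Access Table entry
    grants at least its level; otherwise the user's own entry wins, then
    the highest of the user's group entries, then ID(*), then UACC."""
    candidates = [GLOBAL_ACCESS_TABLE.get(p.name, "NONE")]
    if user in p.acl:
        candidates.append(p.acl[user])
    else:
        group_levels = [p.acl[g] for g in groups if g in p.acl]
        if group_levels:
            candidates.append(max(group_levels, key=rank))
        else:
            candidates.append(p.acl.get("*", p.uacc))
    return max(candidates, key=rank)

def audit(profiles, user, groups):
    """Per profile: what a UACC-only tool sees next to the real exposure."""
    return {p.name: {"uacc_only_flag": uacc_only_check(p),
                     "ids_over_read": exposed_ids(p),
                     "access_for_user": effective_access(p, user, groups)}
            for p in profiles}
```

Whether SYSPROG holding ALTER on a linklist library is right is the judgement call Radoslaw says no tool can make; the model only surfaces the entries a UACC-only view hides.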

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
