Mark Zelden wrote:
On Fri, 8 May 2009 16:26:02 +0200, R.S. <r.skoru...@bremultibank.com.pl> wrote:

Eric Bielefeld wrote:
I had a problem once with an APF library not being RACF protected.  I
set up a library for something, I can't even remember what, and put it
in the APF list.  Unfortunately, it was the only APF library that had
RACF protection allowing update by anyone.  We had an audit about 2
years or so before the datacenter closed for good, and the audit tool
that was used pointed out that problem.  Of course, it was fixed within
minutes of finding it.  I can't remember the name of the tool, but I
know it was very good, and expensive, although we finally bought it only
after my boss negotiated a really good deal.
DSMON.
*Free* (part of z/OS with RACF).
Shows several reports including protection of "important" datasets.




Hopefully DSMON (ICHDSM00) is program protected since it does show
security related information.  I'm not even allowed to run it in some
of our environments.

This is a tool for auditors. You can run it under one of these circumstances:
a) you are AUDITOR
OR
b) ICHDSM00 is program-controlled and you have READ to it.

It is important to mention that an unprotected ICHDSM00 is not dangerous: it requires the AUDITOR attr.




BTW: DSMON and possibly other tools only show partial security
information about datasets.
In the case of DSMON you will know whether the dataset is RACF protected (*) and
what the UACC of the profile is.
THAT'S NOT ENOUGH!
I remember I found an APF library with UACC(NONE), but on the access
list there was a group "everyone" with ACCESS(ALTER).
In other words you have to assess whether the protection is right - what
teams (groups) have access to it. IMHO no tool can do it.


Health Checker RACF_SENSITIVE_RESOURCES check helps.

Unfortunately not. The same problem as with DSMON. You have to assess whether group ABC on the access list is a good idea or not.
However, Health Checker shows many more resources, which is good.


Regards
--
Radoslaw Skorupka
Lodz, Poland
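
Added example (not part of the original thread or any poster's code): the UACC(NONE) profile with ALTER on the access list described above, checked in Python over constructed profile data next to a UACC-only view. The profile names, the data layout and the APPROVED_UPDATERS list are assumptions; deciding which groups belong on that list remains the reviewer's judgment.

```python
# Added example: constructed data, not real RACF or DSMON output.
# RACF data set access levels, lowest to highest.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed APF library profiles: UACC plus access list (ID -> access).
SAMPLE_PROFILES = [
    {"profile": "SYS1.LINKLIB", "uacc": "READ", "acl": {"SYSPROG": "ALTER"}},
    {"profile": "APPL.APF.LOADLIB", "uacc": "NONE",
     "acl": {"SYSPROG": "ALTER", "EVERYONE": "ALTER"}},
    {"profile": "VENDOR.APF.LOAD", "uacc": "UPDATE", "acl": {"SYSPROG": "ALTER"}},
    {"profile": "TEST.APF.LOAD", "uacc": "NONE",
     "acl": {"*": "UPDATE", "AUDITGRP": "READ"}},
]

# Assumption: the reviewer's own decision about who may update APF libraries.
APPROVED_UPDATERS = {"SYSPROG"}


def can_update(level):
    """True if the access level allows changing the library's contents."""
    return LEVELS.index(level) >= LEVELS.index("UPDATE")


def uacc_only_findings(profiles):
    """What a report limited to UACC would flag."""
    return [p["profile"] for p in profiles if can_update(p["uacc"])]


def access_list_findings(profiles, approved):
    """Flag every access list entry with UPDATE or higher that is not approved.

    ID(*) covers all RACF-defined users, so it is flagged unconditionally.
    """
    findings = []
    for p in profiles:
        for ident, level in sorted(p["acl"].items()):
            if can_update(level) and (ident == "*" or ident not in approved):
                findings.append((p["profile"], ident, level))
    return findings


if __name__ == "__main__":
    print("UACC-only view:", uacc_only_findings(SAMPLE_PROFILES))
    for profile, ident, level in access_list_findings(SAMPLE_PROFILES, APPROVED_UPDATERS):
        print(f"{profile}: {ident} has {level}, not on the approved list")
```
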