It isn't just UACC(READ) or UID(*).  Why does ~anyone~ have read access to the 
database?  (To say nothing of update.)

At a client I served a while back, I pointed out that a lot of people had read 
access, and quite a few had update.  They argued that it was necessary so that 
their admins could do their jobs.  Apparently they believed that the admin 
needed update access to change permissions, create profiles etc.

Now, it happened that this was a TSS shop.  But surely the answer is the same in 
RACF?  I don't need update (or even read) access to the RACF database; when I 
issue a RACF command, RACF determines whether I have the authority and then 
executes the command under the authority of its own ID, whichever one runs the 
STC.

My own rule (when I'm allowed my way) is that NO ONE has access to the 
database, except a system programmer doing migrations to a new version; for 
that purpose I'll grant the necessary access for a defined period, say two 
months, extendible upon request, but expiring automatically.

The Logica break-in, as I understand it, started with the theft of the password 
of an ID that had read access to the RACF database.  The bad guys then 
downloaded it and applied CRACF to it.  Forensic investigators afterward tested 
the same utility and were able to get 10 or 20 thousand passwords from it in 
the first day of running on an ordinary PC.  (Going by memory, but I think it's 
about right.)

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* We must picture Hell as a state where everyone is perpetually concerned 
about his own dignity and advancement, where everyone has a grievance, and 
where everyone lives the deadly serious passions of envy, self-importance, and 
resentment.  -C S Lewis, preface to _The Screwtape Letters_ */

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Charles Mills
Sent: Monday, January 11, 2021 11:44

https://en.wikipedia.org/wiki/John_the_Ripper 

There is a downloadable plugin for RACF -- old RACF hashing only, I *think*.

No one "gives" their RACF DB to anyone (I would hope). The problem -- and 
everyone reading this who is not sure about their RACF DB should go check right 
now -- is UACC or USERID(*) READ access to the RACF DB *or its backup*. If I 
can download your RACF DB and attack it off-platform I can defeat any "revoke 
the userid after 'n' tries" that you have in place.
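A defender's check for the "go check right now" point above, which is also the exposure Bob's rule at the top of this thread is meant to close: an added REXX exec, not code from either poster, that lists which data sets make up the RACF database and then displays the UACC and access list of the profiles protecting the primary and its backup. The data set names SYS1.RACF.PRIMARY and SYS1.RACF.BACKUP are placeholders; take the real names from the RVARY LIST output. The remediation commands are left commented out so the exec is read-only as written.

```rexx
/* REXX: audit the data set profiles that protect the RACF database     */
/* Added example, not code from the thread. The data set names below    */
/* are placeholders; substitute the names that RVARY LIST reports.      */
address tso

/* 1. Which data sets are the primary and backup RACF databases?        */
"RVARY LIST"

/* 2. For each of them, show the covering profile: UACC, WARNING mode   */
/*    and the full access list. UACC(READ) or an ID(*) READ entry on    */
/*    any of these is the exposure described above: the file can be     */
/*    copied off-platform, where a revoke-after-n-tries rule is moot.   */
dsn.1 = 'SYS1.RACF.PRIMARY'      /* placeholder: primary database       */
dsn.2 = 'SYS1.RACF.BACKUP'       /* placeholder: backup database        */
do i = 1 to 2
  "LISTDSD DATASET('"dsn.i"') ALL"          /* discrete profile, if any */
  "LISTDSD DATASET('"dsn.i"') GENERIC ALL"  /* covering generic profile */
end

/* 3. Remediation, run only after reviewing the listing above:          */
/*   "ALTDSD 'SYS1.RACF.PRIMARY' UACC(NONE)"                             */
/*   "PERMIT 'SYS1.RACF.PRIMARY' ID(*) DELETE"                           */
/*   Then, as Bob describes, grant a single named system programmer     */
/*   access only for the duration of a migration and remove it after.   */
exit 0
```

Repeat the LISTDSD pair for every data set RVARY LIST shows, including any copies produced by backup jobs, since a readable backup is as good to an attacker as the live database.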

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of R.S.
Sent: Monday, January 11, 2021 10:07

That's what we call a brute force attack.
There is no way to protect against it ...or maybe there are some things to help.
1. Do not give your RACF db to hackers. Never....

--- On 11.01.2021 at 15:39, Tom Brennan wrote:
> Isn't there a program someone wrote (talked about here many years ago) 
> that can try various passwords until something matches the hashed 
> value?  If that's the case, hashing doesn't really do as much good as 
> people think it does, once someone gets hold of the RACF dataset of 
> course.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN