Re: APF Libraries (Was ADRDSSU protection)

2009-05-09 Thread Peter Relson
The RACF checks that are part of IBM Health Checker for z/OS might provide
more information than its DSMON report. In particular, but not necessarily
limited to, look at the RACF_SENSITIVE_RESOURCES check.

Peter Relson
z/OS Core Technology Design

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html


Re: APF Libraries (Was ADRDSSU protection)

2009-05-08 Thread Eric Bielefeld
I had a problem once with an APF library not being RACF protected.  I set up 
a library for something, I can't even remember what, and put it in the APF 
list.  Unfortunately, it was the only APF library that had RACF protection 
allowing update by anyone.  We had an audit about 2 years or so before the 
datacenter closed for good,  and the audit tool that was used pointed out 
that problem.  Of course, it was fixed within minutes of finding it.  I 
can't remember the name of the tool, but I know it was very good, and 
expensive, although we finally bought it only after my boss negotiated a 
really good deal.


It really seemed funny that about 2 years before the datacenter was closed, 
we started doing things that should have been done all along.  We had our 
first disaster recovery test, and our first real audit of z/OS.  Of course, 
that was the time that Sarbanes Oxley really hit the fan.


On another note, the job front is looking up.  I've got several 
possibilities for jobs now, although none of them may pan out.


Eric

Eric Bielefeld
Sr. Systems Programmer
Milwaukee, Wisconsin
414-475-7434


- Original Message - 
From: Ed Gould ps2...@yahoo.com

Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@bama.ua.edu
Sent: Friday, May 08, 2009 12:50 AM
Subject: Re: ADRDSSU protection



Rick,

I think I am going to disagree a little with you on this. Where the 
disagreement comes in is where companies hand out APF libraries like 
candy.


I actually had a programmer that was smart enough to copy amaspzap into an 
authorized library and figure out where AMASPZAP was issuing the resource 
(right term? calls to RACF) and essentially no-oping it, and the same for 
the place in amaspzap where it asks the operator to reply U and one or two 
other places.


Companies need to control APF libraries at all costs, IMO. In this case 
the person could have called it something else and no one would have been 
any wiser. They also need to go through the libraries every so often and 
delete anything un-identifiable.


Ed 




Re: APF Libraries (Was ADRDSSU protection)

2009-05-08 Thread R.S.

Eric Bielefeld pisze:
I had a problem once with an APF library not being RACF protected.  I 
set up a library for something, I can't even remember what, and put it 
in the APF list.  Unfortunately, it was the only APF library that had 
RACF protection allowing update by anyone.  We had an audit about 2 
years or so before the datacenter closed for good,  and the audit tool 
that was used pointed out that problem.  Of course, it was fixed within 
minutes of finding it.  I can't remember the name of the tool, but I 
know it was very good, and expensive, although we finally bought it only 
after my boss negotiated a really good deal.


DSMON.
*Free* (part of z/OS with RACF).
Shows several reports including protection of important datasets.



BTW: DSMON and possibly other tools only show partial security 
information about datasets.
In case of DSMON you will know whether dataset is RACF protected (*) and 
what is UACC of the profile.

THAT'S NOT ENOUGH!
I remember I found an APF library with UACC(NONE), but on the access 
list there was a group everyone with ACCESS(ALTER).
In other words you have to assess whether the protection is right - what 
teams (groups) have access to it. IMHO no tool can do it.



--
Radoslaw Skorupka
Lodz, Poland


--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

District Court for the Capital City of Warsaw, 
XII Commercial Division of the National Court Register, 
company register number KRS 025237

NIP: 526-021-50-88
As of 01.01.2009, the share capital of BRE Bank SA (fully paid up) amounts to 
118,763,528 zlotys. In connection with the conditional increase of the share 
capital, pursuant to the resolution of the XXI General Meeting of 16 March 
2008 and the resolution of the XVI Extraordinary General Meeting of 27 October 
2008, it may be increased to 123,763,528 zlotys. Shares in the increased share 
capital of BRE Bank SA will be fully paid up.



Re: APF Libraries (Was ADRDSSU protection)

2009-05-08 Thread Mark Zelden
On Fri, 8 May 2009 16:26:02 +0200, R.S. r.skoru...@bremultibank.com.pl wrote:

Eric Bielefeld pisze:
 I had a problem once with an APF library not being RACF protected.  I
 set up a library for something, I can't even remember what, and put it
 in the APF list.  Unfortunately, it was the only APF library that had
 RACF protection allowing update by anyone.  We had an audit about 2
 years or so before the datacenter closed for good,  and the audit tool
 that was used pointed out that problem.  Of course, it was fixed within
 minutes of finding it.  I can't remember the name of the tool, but I
 know it was very good, and expensive, although we finally bought it only
 after my boss negotiated a really good deal.

DSMON.
*Free* (part of z/OS with RACF).
Shows several reports including protection of important datasets.




Hopefully DSMON (ICHDSM00) is program protected since it does show
security related information.  I'm not even allowed to run it in some
of our environments.


BTW: DSMON and possibly other tools only show partial security
information about datasets.
In case of DSMON you will know whether dataset is RACF protected (*) and
what is UACC of the profile.
THAT'S NOT ENOUGH!
I remember I found an APF library with UACC(NONE), but on the access
list there was a group everyone with ACCESS(ALTER).
In other words you have to assess whether the protection is right - what
teams (groups) have access to it. IMHO no tool can do it.


Health Checker RACF_SENSITIVE_RESOURCES check helps.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:mark.zel...@zurichna.com
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html



Re: APF Libraries (Was ADRDSSU protection)

2009-05-08 Thread George Fogg
 Eric Bielefeld pisze:
 I had a problem once with an APF library not being RACF protected.  I
 set up a library for something, I can't even remember what, and put it
 in the APF list.  Unfortunately, it was the only APF library that had
 RACF protection allowing update by anyone.  We had an audit about 2
 years or so before the datacenter closed for good,  and the audit tool
 that was used pointed out that problem.  Of course, it was fixed within
 minutes of finding it.  I can't remember the name of the tool, but I
 know it was very good, and expensive, although we finally bought it only
 after my boss negotiated a really good deal.

 Radoslaw Skorupka said:
 DSMON.
 *Free* (part of z/OS with RACF).
 Shows several reports including protection of important datasets.



 BTW: DSMON and possibly other tools only show partial security
 information about datasets.
 In case of DSMON you will know whether dataset is RACF protected (*) and
 what is UACC of the profile.
 THAT'S NOT ENOUGH!
 I remember I found an APF library with UACC(NONE), but on the access
 list there was a group everyone with ACCESS(ALTER).
 In other words you have to assess whether the protection is right - what
 teams (groups) have access to it. IMHO no tool can do it.


The other free tool to check APF RACF access is the Health Checker routine
RACF_SENSITIVE_RESOURCES; however, as Radoslaw said about DSMON, it only
looks at UACC, (*), or warn mode. It will also tell you if the APF library
doesn't have a profile unless you have PROTECTALL(FAIL) invoked. It does not
check the access list for standard access entries greater than READ, and it
doesn't check the Global Access Table.

It will, via the Modify command, check whether a userid has access greater
than READ to any one of the APF libraries listed by Health Checker.
For example, to see if userid USR001 has access to any APF library greater
than READ then use the console command:
 f hzsproc,update,check=(ibmracf,RACF_SENSITIVE_RESOURCES),parm(USR001)

If the user USR001 has greater than READ in any standard access list in any APF library
profile then it will show READ in the USER column of the report.

George Fogg

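The audit this thread circles around, as an added example (Python, not code from the thread, and not IBM's DSMON or the Health Checker RACF_SENSITIVE_RESOURCES check): it takes an APF list and the RACF DATASET profiles covering it and flags what Radoslaw and George say the stock reports miss, namely a profile with UACC(NONE) whose standard access list hands ALTER to a catch-all group, WARNING mode, a global access table entry, a missing profile, and, as George's PARM(userid) form does, the libraries a given user can change. Every dataset name, profile, group and table entry below is constructed for the demonstration; RACF's generic-profile matching and access-check order are simplified as the comments note.

```python
# Added example (not code from the thread, not IBM's DSMON or the Health Checker
# RACF_SENSITIVE_RESOURCES check): a policy check over APF libraries that looks
# past UACC at what the thread says the stock reports miss. All dataset names,
# profiles, groups and the global access table below are constructed.
from dataclasses import dataclass

# RACF DATASET access levels, least to most privileged.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {level: i for i, level in enumerate(ACCESS_ORDER)}


@dataclass
class Profile:
    name: str        # DATASET profile name, discrete or generic ("HLQ.*")
    uacc: str        # UNIVERSAL ACCESS
    warning: bool    # WARNING mode: violations are logged, not denied
    acl: dict        # standard access list: user or group -> access


# Constructed APF list and the profiles that cover it.
APF_LIST = ["SYS1.LINKLIB", "SYS1.LPALIB", "USER.APFLIB", "SYSP.TOOLS", "TEST.NOPROF"]
PROFILES = [
    Profile("SYS1.LINKLIB", "READ", False, {"SYSPROG": "ALTER", "STCGRP": "READ"}),
    Profile("SYS1.LPALIB", "READ", False, {"SYSPROG": "ALTER"}),
    # Radoslaw's case: UACC(NONE) looks fine, but a catch-all group has ALTER.
    Profile("USER.*", "NONE", False, {"EVERYONE": "ALTER", "SYSPROG": "ALTER"}),
    # Eric's case: UACC above READ, made worse by WARNING mode.
    Profile("SYSP.TOOLS", "UPDATE", True, {"SYSPROG": "ALTER"}),
    # TEST.NOPROF deliberately has no profile.
]
# Global access table: dataset name -> access granted to everyone before the
# profile is consulted (exact-name entries only, a simplification).
GLOBAL_ACCESS_TABLE = {"SYSP.TOOLS": "UPDATE"}
BROAD_GROUPS = {"EVERYONE", "USERS"}   # site policy: groups that mean "anyone"
PROTECTALL_FAIL = True                 # SETROPTS PROTECTALL(FAIL) in effect


def covering_profile(dsn, profiles=PROFILES):
    """Discrete profile if one exists, else a matching "HLQ.*" generic. Real
    RACF generic matching is richer than this (assumption for the example)."""
    for p in profiles:
        if p.name == dsn:
            return p
    hlq = dsn.split(".", 1)[0]
    return next((p for p in profiles if p.name == hlq + ".*"), None)


def audit_apf_library(dsn, profiles=PROFILES, gat=GLOBAL_ACCESS_TABLE,
                      broad_groups=BROAD_GROUPS, protectall_fail=PROTECTALL_FAIL):
    """Findings for one APF library: anything that lets more than READ reach it."""
    findings = []
    gat_access = gat.get(dsn, "NONE")
    if RANK[gat_access] > RANK["READ"]:
        findings.append(f"GLOBAL ACCESS TABLE grants {gat_access}")
    prof = covering_profile(dsn, profiles)
    if prof is None:
        if protectall_fail:
            findings.append("NO PROFILE (denied by PROTECTALL(FAIL), but unmanaged)")
        else:
            findings.append("NO PROFILE: any user can update")
        return findings
    if RANK[prof.uacc] > RANK["READ"]:
        findings.append(f"UACC({prof.uacc}) on {prof.name}")
    if prof.warning:
        findings.append(f"WARNING mode on {prof.name}: violations logged, not denied")
    for who, access in prof.acl.items():
        if who in broad_groups and RANK[access] > RANK["READ"]:
            findings.append(f"broad group {who} has {access} on {prof.name}")
    return findings


def effective_access(dsn, user, groups, profiles=PROFILES, gat=GLOBAL_ACCESS_TABLE,
                     protectall_fail=PROTECTALL_FAIL):
    """Highest access USER (connected to GROUPS) gets to DSN, following a
    simplified RACF order: global access table, the user's own access-list
    entry, the best of the user's group entries, then UACC. WARNING mode grants
    everything. Assumes list-of-groups checking (SETROPTS GRPLIST)."""
    prof = covering_profile(dsn, profiles)
    if prof is None:
        return "NONE" if protectall_fail else "ALTER"
    if prof.warning:
        return "ALTER"
    if user in prof.acl:
        base = prof.acl[user]
    else:
        via_groups = [prof.acl[g] for g in groups if g in prof.acl]
        base = max(via_groups, key=RANK.get) if via_groups else prof.uacc
    return max(base, gat.get(dsn, "NONE"), key=RANK.get)


def apf_libraries_above_read(user, groups, apf_list=APF_LIST):
    """The question George's PARM(userid) form answers: which APF libraries
    can this user change?"""
    return [dsn for dsn in apf_list
            if RANK[effective_access(dsn, user, groups)] > RANK["READ"]]


if __name__ == "__main__":
    for dsn in APF_LIST:
        for finding in audit_apf_library(dsn) or ["ok"]:
            print(f"{dsn:<14} {finding}")
    print("USR001 can change:", apf_libraries_above_read("USR001", ["EVERYONE"]))
```

Run as a script it prints one line per finding. The assessment Radoslaw insists no tool can make (is group ABC on this access list a good idea?) is reduced here to a site-maintained list of groups that mean "anyone"; deciding which groups belong on that list is the part a human still has to do.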


Re: APF Libraries (Was ADRDSSU protection)

2009-05-08 Thread Eric Bielefeld
I couldn't remember what DSMON was, so I looked it up on ASK.COM.  I keep 
seeing ads for ASK.COM whenever I watch Nascar races, as one of the cars has 
ASK.COM as a sponsor.  The first hit had a good explanation, and now I 
remember just what it was.


I don't know if DSMON (ICHDSM00) was protected or not; however, it doesn't 
matter anymore, as the datacenter has been gone for over 3 years now.  I'm 
sure the guy that did the audit would have had me protect DSMON if it wasn't 
under RACF control, as he was very good.  I was going to say I still can't 
think of the tool that I used to audit RACF, but then I decided to do a 
search.  Neither Google nor Ask.com came up with the company, but I saw 
Vanguard in the explanation of one of the hits, and I remembered the name of 
the product.  (Getting old is hell.)  The tool was Vanguard Administrator.


Eric Bielefeld
Sr. Systems Programmer
Milwaukee, Wisconsin
414-475-7434


- Original Message - 
From: Mark Zelden mark.zel...@zurichna.com

Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@bama.ua.edu

DSMON.
*Free* (part of z/OS with RACF).
Shows several reports including protection of important datasets.



Hopefully DSMON (ICHDSM00) is program protected since it does show
security related information.  I'm not even allowed to run it in some
of our environments.


Health Checker RACF_SENSITIVE_RESOURCES check helps.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:mark.zel...@zurichna.com
z/OS Systems Programming expert at 
http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html 




Re: APF Libraries (Was ADRDSSU protection)

2009-05-08 Thread R.S.

Mark Zelden pisze:

On Fri, 8 May 2009 16:26:02 +0200, R.S. r.skoru...@bremultibank.com.pl wrote:


Eric Bielefeld pisze:

I had a problem once with an APF library not being RACF protected.  I
set up a library for something, I can't even remember what, and put it
in the APF list.  Unfortunately, it was the only APF library that had
RACF protection allowing update by anyone.  We had an audit about 2
years or so before the datacenter closed for good,  and the audit tool
that was used pointed out that problem.  Of course, it was fixed within
minutes of finding it.  I can't remember the name of the tool, but I
know it was very good, and expensive, although we finally bought it only
after my boss negotiated a really good deal.

DSMON.
*Free* (part of z/OS with RACF).
Shows several reports including protection of important datasets.





Hopefully DSMON (ICHDSM00) is program protected since it does show
security related information.  I'm not even allowed to run it in some
of our environments.


This is a tool for auditors. You can run it under one of these circumstances:
a) you are AUDITOR
OR
b) ICHDSM00 is program-controlled and you have READ to it.

It is important to mention that an unprotected ICHDSM00 is not dangerous: 
it requires the AUDITOR attribute.






BTW: DSMON and possibly other tools only show partial security
information about datasets.
In case of DSMON you will know whether dataset is RACF protected (*) and
what is UACC of the profile.
THAT'S NOT ENOUGH!
I remember I found an APF library with UACC(NONE), but on the access
list there was a group everyone with ACCESS(ALTER).
In other words you have to assess whether the protection is right - what
teams (groups) have access to it. IMHO no tool can do it.



Health Checker RACF_SENSITIVE_RESOURCES check helps.


Unfortunately not. The same problem as with DSMON. You have to assess 
whether group ABC on the access list is a good idea or not.

However, Health Checker shows many more resources, which is good.


Regards
--
Radoslaw Skorupka
Lodz, Poland


