Re: APF Libraries (Was ADRDSSU protection)
The RACF checks that are part of IBM Health Checker for z/OS might provide more information than its DSMON report. In particular, but not necessarily limited to, look at the RACF_SENSITIVE_RESOURCES check.

Peter Relson
z/OS Core Technology Design

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: APF Libraries (Was ADRDSSU protection)
I had a problem once with an APF library not being RACF protected. I set up a library for something, I can't even remember what, and put it in the APF list. Unfortunately, it was the only APF library that had RACF protection allowing update by anyone. We had an audit about 2 years or so before the datacenter closed for good, and the audit tool that was used pointed out that problem. Of course, it was fixed within minutes of finding it. I can't remember the name of the tool, but I know it was very good, and expensive, although we finally bought it only after my boss negotiated a really good deal.

It really seemed funny that about 2 years before the datacenter was closed, we started doing things that should have been done all along. We had our first disaster recovery test, and our first real audit of z/OS. Of course, that was the time that Sarbanes Oxley really hit the fan.

On another note, the job front is looking up. I've got several possibilities for jobs now, although none of them may pan out.

Eric

Eric Bielefeld
Sr. Systems Programmer
Milwaukee, Wisconsin
414-475-7434

----- Original Message -----
From: Ed Gould ps2...@yahoo.com
Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@bama.ua.edu
Sent: Friday, May 08, 2009 12:50 AM
Subject: Re: ADRDSSU protection

Rick,

I think I am going to disagree a little with you on this. Where the disagreement comes in is where companies hand out APF libraries like candy. I actually had a programmer that was smart enough to copy amaspzap into an authorized library and figure out where AMASPZAP was issuing the resource (right term? calls to RACF) and essentially no-oping it and the same for the place in amaspzap where it asks the operator to reply U and one or two other places. Companies need to control APF libraries at all costs, IMO. In this case the person could have called it something else and no one would have been any wiser. They also need to go through the libraries every so often and delete anything un-identifiable.

Ed

Re: APF Libraries (Was ADRDSSU protection)
Eric Bielefeld wrote:
> I had a problem once with an APF library not being RACF protected. I set up a library for something, I can't even remember what, and put it in the APF list. Unfortunately, it was the only APF library that had RACF protection allowing update by anyone. We had an audit about 2 years or so before the datacenter closed for good, and the audit tool that was used pointed out that problem. Of course, it was fixed within minutes of finding it. I can't remember the name of the tool, but I know it was very good, and expensive, although we finally bought it only after my boss negotiated a really good deal.

DSMON. *Free* (part of z/OS with RACF). Shows several reports including protection of important datasets.

BTW: DSMON and possibly other tools only show partial security information about datasets. In case of DSMON you will know whether dataset is RACF protected (*) and what is UACC of the profile. THAT'S NOT ENOUGH! I remember I found an APF library with UACC(NONE), but on the access list there was a group everyone with ACCESS(ALTER). In other words you have to assess whether the protection is right - what teams (groups) have access to it. IMHO no tool can do it.

--
Radoslaw Skorupka
Lodz, Poland

--
BRE Bank SA
ul. Senatorska 18
00-950 Warszawa
www.brebank.pl

District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, register of entrepreneurs no. KRS 025237
NIP: 526-021-50-88
As of 01.01.2009 the share capital of BRE Bank SA (fully paid up) amounts to 118.763.528 zlotys. In connection with the conditional increase of the share capital, on the basis of a resolution of the XXI General Meeting of 16 March 2008 and a resolution of the XVI Extraordinary General Meeting of 27 October 2008, it may be increased to the amount of 123.763.528 zlotys. The shares in the increased share capital of BRE Bank SA will be fully paid up.

Re: APF Libraries (Was ADRDSSU protection)
On Fri, 8 May 2009 16:26:02 +0200, R.S. r.skoru...@bremultibank.com.pl wrote:
> Eric Bielefeld wrote:
>> I had a problem once with an APF library not being RACF protected. I set up a library for something, I can't even remember what, and put it in the APF list. Unfortunately, it was the only APF library that had RACF protection allowing update by anyone. We had an audit about 2 years or so before the datacenter closed for good, and the audit tool that was used pointed out that problem. Of course, it was fixed within minutes of finding it. I can't remember the name of the tool, but I know it was very good, and expensive, although we finally bought it only after my boss negotiated a really good deal.
>
> DSMON. *Free* (part of z/OS with RACF). Shows several reports including protection of important datasets.

Hopefully DSMON (ICHDSM00) is program protected since it does show security related information. I'm not even allowed to run it in some of our environments.

> BTW: DSMON and possibly other tools only show partial security information about datasets. In case of DSMON you will know whether dataset is RACF protected (*) and what is UACC of the profile. THAT'S NOT ENOUGH! I remember I found an APF library with UACC(NONE), but on the access list there was a group everyone with ACCESS(ALTER). In other words you have to assess whether the protection is right - what teams (groups) have access to it. IMHO no tool can do it.

Health Checker RACF_SENSITIVE_RESOURCES check helps.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:mark.zel...@zurichna.com
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

Re: APF Libraries (Was ADRDSSU protection)
Eric Bielefeld wrote:
> I had a problem once with an APF library not being RACF protected. I set up a library for something, I can't even remember what, and put it in the APF list. Unfortunately, it was the only APF library that had RACF protection allowing update by anyone. We had an audit about 2 years or so before the datacenter closed for good, and the audit tool that was used pointed out that problem. Of course, it was fixed within minutes of finding it. I can't remember the name of the tool, but I know it was very good, and expensive, although we finally bought it only after my boss negotiated a really good deal.

Radoslaw Skorupka said:
> DSMON. *Free* (part of z/OS with RACF). Shows several reports including protection of important datasets.
>
> BTW: DSMON and possibly other tools only show partial security information about datasets. In case of DSMON you will know whether dataset is RACF protected (*) and what is UACC of the profile. THAT'S NOT ENOUGH! I remember I found an APF library with UACC(NONE), but on the access list there was a group everyone with ACCESS(ALTER). In other words you have to assess whether the protection is right - what teams (groups) have access to it. IMHO no tool can do it.

The other free tool to check APF RACF access is the Health Checker routine RACF_SENSITIVE_RESOURCES; however, as Radoslaw said about DSMON, it only looks at UACC, (*), or warn mode. It will also tell you if the APF library doesn't have a profile unless you have protectall(fail) invoked. It does not check the access list for standard access entries READ and it doesn't check the Global Access Table. It will, via the Modify command, check whether a userid has access to any one of the APF libraries listed by Health Checker that is greater than READ.

For example, to see if userid USR001 has access to any APF library greater than READ then use the console command:

    f hzsproc,update,check=(ibmracf,RACF_SENSITIVE_RESOURCES),parm(USR001)

If the user USR001 has READ in any standard access list in any APF library profile then it will show READ in the USER column of the report.

George Fogg

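Added example, not part of any post in this thread: a sketch of the review that Radoslaw's and George's messages describe, where UACC alone looks fine and the findings come from the standard access list and the Global Access Table. All dataset names, groups, the approved-updater policy and the data layout are constructed for illustration; profiles are matched by exact name only, and generic profiles are not modelled.

```python
# Access levels in ascending order of authority.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample data (not DSMON, Health Checker or IRRDBU00 output).
PROFILES = {
    "SYS1.LINKLIB": {"uacc": "READ", "warning": False,
                     "acl": {"SYSPROG": "ALTER"}},
    "APPL.AUTHLIB": {"uacc": "NONE", "warning": False,
                     "acl": {"SYSPROG": "ALTER", "EVERYONE": "ALTER"}},
    "VENDOR.AUTHLIB": {"uacc": "NONE", "warning": False,
                       "acl": {"SYSPROG": "ALTER", "*": "READ"}},
}
GLOBAL_ACCESS = {"VENDOR.AUTHLIB": "UPDATE"}  # constructed Global Access Table entry
APF_LIST = ["SYS1.LINKLIB", "APPL.AUTHLIB", "VENDOR.AUTHLIB", "TEST.AUTHLIB"]
APPROVED_UPDATERS = {"SYSPROG"}  # hypothetical site policy: who may exceed READ


def audit_apf(apf_list, profiles, gat, approved):
    """Return {dataset: [findings]} for each APF library that has a finding."""
    report = {}
    for dsn in apf_list:
        findings = []
        prof = profiles.get(dsn)
        if prof is None:
            findings.append("no profile")
        else:
            # What a UACC-only report already shows.
            if RANK[prof["uacc"]] > RANK["READ"]:
                findings.append(f"UACC({prof['uacc']})")
            if prof["warning"]:
                findings.append("WARNING mode")
            # What it misses: access-list entries above READ for ids outside policy.
            for ident, level in sorted(prof["acl"].items()):
                if RANK[level] > RANK["READ"] and ident not in approved:
                    findings.append(f"{ident} has {level}")
        # Global Access Table entries can grant access regardless of the profile.
        if RANK[gat.get(dsn, "NONE")] > RANK["READ"]:
            findings.append(f"global access table grants {gat[dsn]}")
        if findings:
            report[dsn] = findings
    return report


if __name__ == "__main__":
    for dsn, findings in audit_apf(APF_LIST, PROFILES, GLOBAL_ACCESS,
                                   APPROVED_UPDATERS).items():
        print(f"{dsn}: {'; '.join(findings)}")
```

The approved-updater set is where the human judgement raised in the thread enters: the script only compares the access list against a policy someone has to write.
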
Re: APF Libraries (Was ADRDSSU protection)
I couldn't remember what DSMON was, so I looked it up on ASK.COM. I keep seeing ads for ASK.COM whenever I watch Nascar races, as one of the cars has ASK.COM as a sponsor. The first hit had a good explanation, and now I remember just what it was.

I don't know if DSMON(ICHDSM00) was protected or not, however it don't matter no more, as the datacenter has been gone for over 3 years now. I'm sure the guy that did the audit would have had me protect DSMON if it wasn't under RACF control, as he was very good.

I was going to say I still can't think of the tool that I used to audit RACF, but then I decided to do a search. Neither Google nor Ask.com came up with the company, but I saw Vanguard in the explanation of one of the hits, and I remembered the name of the product. (Getting old is hell). The tool was Vanguard Administrator.

Eric Bielefeld
Sr. Systems Programmer
Milwaukee, Wisconsin
414-475-7434

----- Original Message -----
From: Mark Zelden mark.zel...@zurichna.com
Newsgroups: bit.listserv.ibm-main
To: IBM-MAIN@bama.ua.edu

> DSMON. *Free* (part of z/OS with RACF). Shows several reports including protection of important datasets.

Hopefully DSMON (ICHDSM00) is program protected since it does show security related information. I'm not even allowed to run it in some of our environments.

Health Checker RACF_SENSITIVE_RESOURCES check helps.

Mark
--
Mark Zelden
Sr. Software and Systems Architect - z/OS Team Lead
Zurich North America / Farmers Insurance Group - ZFUS G-ITO
mailto:mark.zel...@zurichna.com
z/OS Systems Programming expert at http://expertanswercenter.techtarget.com/
Mark's MVS Utilities: http://home.flash.net/~mzelden/mvsutil.html

Re: APF Libraries (Was ADRDSSU protection)
Mark Zelden wrote:
> On Fri, 8 May 2009 16:26:02 +0200, R.S. r.skoru...@bremultibank.com.pl wrote:
>> Eric Bielefeld wrote:
>>> I had a problem once with an APF library not being RACF protected. I set up a library for something, I can't even remember what, and put it in the APF list. Unfortunately, it was the only APF library that had RACF protection allowing update by anyone. We had an audit about 2 years or so before the datacenter closed for good, and the audit tool that was used pointed out that problem. Of course, it was fixed within minutes of finding it. I can't remember the name of the tool, but I know it was very good, and expensive, although we finally bought it only after my boss negotiated a really good deal.
>>
>> DSMON. *Free* (part of z/OS with RACF). Shows several reports including protection of important datasets.
>
> Hopefully DSMON (ICHDSM00) is program protected since it does show security related information. I'm not even allowed to run it in some of our environments.

This is tool for auditors. You can run it under one of circumstances:
a) you are AUDITOR
OR
b) ICHDSM00 is program-controlled and you have READ to it.
It is important to mention that unprotected ICHDSM00 is not dangerous: it requires AUDITOR attr.

>> BTW: DSMON and possibly other tools only show partial security information about datasets. In case of DSMON you will know whether dataset is RACF protected (*) and what is UACC of the profile. THAT'S NOT ENOUGH! I remember I found an APF library with UACC(NONE), but on the access list there was a group everyone with ACCESS(ALTER). In other words you have to assess whether the protection is right - what teams (groups) have access to it. IMHO no tool can do it.
>
> Health Checker RACF_SENSITIVE_RESOURCES check helps.

Unfortunately not. The same problem as with DSMON. You have to assess whether group ABC on access list is good idea or not. However Health Checker shows much more resources, which is good.

Regards
--
Radoslaw Skorupka
Lodz, Poland