Re: help with REXX code reading RACF LU function
Hi Lizette,

Why not use the RACF database unload IRRDBU00 output instead?

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Sun, 8 Sep 2024 12:53:31 -0700
From: Lizette Koehler
Subject: help with REXX code reading RACF LU function

I am coding a REXX to read the output from LU userid. I am working on learning IRRXUTIL, but that will be a bit later.

I need to capture the name and installation date. The Installation date can be long:

INSTALLATION-DATA=*** ** ** ** *

My challenge is creating a one-line entry for my results. It may go into Excel later. Output keeps wrapping when I run REXX in batch with SAY commands.

Output will be USERID dlm NAME dlm Owner dlm Create Date dlm Last Logon dlm Installation-data

Since the Installation-data can vary in length, the long lines wrap.

What is a good solution to create a 200 LRECL output using SAY using the ISPF/REXX process?

Lizette

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: AOPSTOP
Hi David,

As shown below, an operator group and administrator group are specified with aopsetup when executed. The group names shown are the samples specified in the documentation. Alternative group names can be used instead. Both groups must have GIDs.

aopsetup AOPOPER AOPADMIN

Had aopsetup been run, the group in the File Security Packet for aopstop would have been set to whatever group was specified for AOPOPER. Assuming ID AOPSTC has been assigned to the AOPSTOP Started Task and is connected to whatever group was specified for AOPOPER, AOPSTC would then have r-x access to aopstop via this group.

I recommend aopsetup be rerun with the proper groups specified.

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Wed, 24 Jul 2024 13:26:54 -0400
From: David Spiegel
Subject: Re: [External] : Re: AOPSTOP

Hi Richard,
I asked the person who customized on V2.5. He could not remember if he ran AOPSETUP or not. My guess is that he didn't, because the script CHMODs aopstop to 4754, but the file has Permission Bits 750.
Regards,
David

On 2024-07-23 11:02, Richard McIntosh wrote:
> Have you run the AOPSETUP to set the permissions for all the AOP files?
>
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of David Spiegel
> Sent: Tuesday, July 23, 2024 9:55 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [External] : Re: AOPSTOP
>
> Hi Michael,
> No, it does not.
>
> Thanks and regards,
> David
>
> On 2024-07-23 10:09, Michael Babcock wrote:
>> Does AOPSTC have access to BPX.SUPERUSER on the 2.5 system?
>>
>> On Tue, Jul 23, 2024 at 8:43 AM David Spiegel <0468385049d1-dmarc-requ...@listserv.ua.edu> wrote:
>>
>>> Hi John,
>>> Thank you for the suggestion.
>>> Unfortunately, the only thing displayed was the Permission Bits.
>>>
>>> $ getfacl /usr/lpp/Printsrv/bin/aopstop
>>> #file: /usr/lpp/Printsrv/bin/aopstop
>>> #owner: OMVSKERN
>>> #group: OMVSGRP
>>> user::rwx
>>> group::r-x
>>> other::---
>>>
>>> Thanks and regards,
>>> David
>>>
>>> On 2024-07-23 07:18, John S. Giltner, Jr. wrote:
>>>> If you have not, you may want to see if somebody set a file ACL:
>>>>
>>>> getfacl /usr/lpp/Printsrv/bin/aopstop
>>>>
>>>> On both systems, and see if they are the same.
>>>>
>>>> On Mon, 22 Jul 2024 09:23:32 -0400, David Spiegel <dspiegel...@hotmail.com> wrote:
>>>>> Hi,
>>>>> In z/OS V3.1, I issued (via SDSF) S AOPSTOP and it failed because AOPSTC (taken from STDATA) has UID(1) and GID(24), and /usr/lpp/Printsrv/bin/aopstop has its Permission Bits set to 750. The file is owned by UID(0) GID(1). This is expected.
>>>>>
>>>>> On z/OS V2.5, however, AOPSTOP works (with the same STARTED Class Profile and Permission Bits.) Can someone explain why it works on 2.5? (Based upon UID/GID and Permission Bits, it seems like it shouldn't.) I looked at the DBSYNC output comparing the 2.5 and 3.1 RACF Databases and did not notice anything that would explain this behaviour.
>>>>>
>>>>> Thank you in advance.
>>>>>
>>>>> Regards,
>>>>> David
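The permission arithmetic behind this thread, as an added example (not code from the thread or from the Infoprint Server aopsetup script): it applies the ordinary POSIX mode-bit check that z/OS UNIX performs when a file has no ACL, which is the case the getfacl output above shows. The numeric GID for the AOPOPER group is an assumption; the UIDs, GIDs and mode 750 are the values David posted.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Added example. Models the mode-bit check z/OS UNIX applies when no file ACL
# is present. AOPOPER_GID is an assumption; the other numbers come from the thread.

@dataclass(frozen=True)
class FileSecurity:
    owner_uid: int
    owner_gid: int
    mode: int                      # permission bits, e.g. 0o750

@dataclass(frozen=True)
class Caller:
    uid: int
    gid: int                       # GID of the default group in the OMVS segment
    supplementary: FrozenSet[int] = frozenset()   # GIDs of other connected groups (list of groups)

def mode_from_symbolic(text):
    """'rwxr-x---' -> 0o750, the form shown by ls -l and by the getfacl user/group/other lines."""
    bits = 0
    for ch in text:
        bits = (bits << 1) | (ch != "-")
    return bits

def has_access(f, who, want):
    """want is 'r', 'w' or 'x'. The class is chosen once (owner, else group, else other);
    there is no fall-through, so a group member without the bit is denied even if 'other' has it."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if who.uid == 0:
        # superuser (UID 0, or a successful BPX.SUPERUSER switch) bypasses read/write
        # bits; execute still needs at least one x bit somewhere in the mode
        return want != "x" or bool(f.mode & 0o111)
    if who.uid == f.owner_uid:
        cls = (f.mode >> 6) & 7
    elif who.gid == f.owner_gid or f.owner_gid in who.supplementary:
        cls = (f.mode >> 3) & 7
    else:
        cls = f.mode & 7
    return bool(cls & bit)

def can_run(f, who):
    """The r-x access Bob refers to: read and execute on the file."""
    return has_access(f, who, "r") and has_access(f, who, "x")

# Constructed scenario from the thread: aopstop owned by UID 0 / GID 1 with mode 750,
# AOPSTC running with UID 1 / GID 24.
AOPSTOP = FileSecurity(owner_uid=0, owner_gid=1, mode=mode_from_symbolic("rwxr-x---"))
AOPSTC_NOW = Caller(uid=1, gid=24)

AOPOPER_GID = 501   # assumption: whatever GID the AOPOPER group was given
AOPSTOP_AFTER_SETUP = FileSecurity(owner_uid=0, owner_gid=AOPOPER_GID, mode=0o750)
AOPSTC_CONNECTED = Caller(uid=1, gid=24, supplementary=frozenset({AOPOPER_GID}))

def explain():
    """Why 3.1 fails, why rerunning aopsetup and connecting AOPSTC fixes it, and why a
    UID 0 (or BPX.SUPERUSER) AOPSTC would mask the problem, as Michael asked about."""
    return {
        "3.1 as found": can_run(AOPSTOP, AOPSTC_NOW),
        "after aopsetup and connect to AOPOPER": can_run(AOPSTOP_AFTER_SETUP, AOPSTC_CONNECTED),
        "if AOPSTC were superuser": can_run(AOPSTOP, Caller(uid=0, gid=24)),
    }

if __name__ == "__main__":
    for case, allowed in explain().items():
        print(f"{case:40s} {'allowed' if allowed else 'denied'}")
```

The third case is the one to rule out on the 2.5 system: if AOPSTC there is effectively UID 0 at the time of the exec, the 750 bits are never consulted, which would explain the difference David sees without any RACF database change showing up in DBSYNC.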
Re: TSO PREFIX change
Hi Juan,

I've typically seen this done in TSO logon PROCs that execute a CLIST or REXX program that executes the PROFILE command to automatically reset the PREFIX for the user during each logon.

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Tue, 25 Jun 2024 16:38:37 +0000
From: "jgmauta...@yahoo.com.ar"
Subject: TSO PREFIX change

Hi! Is there a way for an administrator to change the TSO PREFIX of another RACF userid?

Reason for asking: When a new TSO userid is created, we need to set its TSO PREFIX to a value different from "USERID" (the default). Basically, as we generally don't allow USER datasets, we need to set the TSO PREFIX of any TSO userid to their "default group". In order to achieve this, just after running the ADDUSER RACF command, the administrator enters TSO for the first time using the just-created userid credentials and runs the "PROF PREFIX()" command. Not a very clean solution, indeed...

Thanks in advance for your help,
Juan Mautalen
Re: Data Set Commander Monitor (DSCMON) Access Authority
Hi Mike,

We occasionally come across undefined-users, and they are usually the result of errors in setting up STARTED profiles. On rare occasions, we encounter installations that have not activated SETROPTS JES(BATCHALLRACF), which, as you point out, if not activated, can allow undefined-user batch jobs to execute. Most installations do not generate daily/weekly reports on undefined users, so they go unnoticed unless the lack of an ID causes a security violation.

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Tue, 25 Jun 2024 11:22:17 -0500
From: Mike Cairns
Subject: Re: Data Set Commander Monitor (DSCMON) Access Authority

Hi Peter,

Radoslaw and I probably spend more time over on the RACF_L list than here on IBM-MAIN, but I still like to keep an eye open here.

The use of ID(*) ACCESS(READ) is well known among the RACF community as the 'preferred' option to UACC nowadays, and the reason you cite is indeed mentioned in the literature. Though I'm not sure about the NJE port of entry still being able to actually get a batch job running under the JES UNDEFINEDUSER, I have a recollection that the RACF SETROPTS setting BATCHALLRACF(YES) should prevent a batch job from initiating with the UNDEFINEDUSER value, though I have a vague recollection that BATCHALLRACF itself has been redundant also for many years now as well.

I'm intrigued generally to ask of this community, just how often does anyone observe work executing on their system *without* a valid RACF (or ACF2 or TopSecret) identity associated with it?

I think there might still be one or two started tasks, probably running as TRUSTED or PRIVILEGED, that are initiated in nucleus initialisation that may still run with traditionally either the 8 plusses or the 8 question marks as their ID; we can see them in SDSF, but realistically I don't believe that we have seen work running under the UNDEFINEDUSER in modern systems for a long time now. I'd be keen to hear otherwise if there is, though.

Cheers - Mike
Re: Data Set Commander Monitor (DSCMON) Access Authority
Hi Mike, (replying on both RACF-L and IBM-MAIN)

I misunderstood what you were proposing in your initial reply on IBM-MAIN. I thought you were advocating setting default access of NONE on all Linklist libraries. I now understand you are advocating setting default access to READ, which I generally agree with. "Default access", as I use the term, can either be UACC(READ) or ID(*) READ. I generally favor the latter.

That said, this does need to be evaluated on a case-by-case basis as there can be exceptions. Consider ISMF. It does not run APF-authorized. If you want all users to use ISMF but also want to lock down certain functions, which can only be done with PROGRAM profiles, you put the ISMF libraries in the Linklist but set default access on the libraries to NONE. If default access is READ, users can copy the programs to their own libraries and execute them, thus bypassing PROGRAM profile protection, which is tied to specific libraries.

Radoslaw also mentioned blocking JOBLIB/STEPLIB to the libraries, as allowing this may not always be desirable for certain libraries; although in most cases, it's fine.

Regards, Bob

-----Original Message-----
Date: Sun, 23 Jun 2024 14:15:53 +0200
From: Radoslaw Skorupka
Subject: Re: Data Set Commander Monitor (DSCMON) Access Authority

W dniu 23.06.2024 o 10:51, Mike Cairns pisze:
> No Bob - I meant UACC(READ) or its equivalent. I just don't see what gate is being closed by insisting that LinkList or LPA libraries must have UACC(NONE), when, as you confirm, they cannot be fetch protected and therefore the content is available to anyone on the system anyway.

I met the following justification: when you have UACC(NONE) for a linklisted library then you enforce use of LNKLST instead of STEPLIB/JOBLIB. While I understand the above, I don't agree with the goal as being worth such configuration.

And there is another approach: UACC above NONE should not be used at all. Just because mama (auditor) said so.

--
Radoslaw Skorupka
Lodz, Poland
Re: Data Set Commander Monitor (DSCMON) Access Authority
Hi Mike,

Did you mean to say UACC(NONE) at the end of your second sentence? This isn't a 'best practice' I've heard of or necessarily agree with. At best, it would be a low priority and evaluated on a case-by-case basis. As you no doubt know, all the programs in the Linklist are available to everyone subject to fetch sequence, and all locking them down does is merely stop users from copying them or JOB/STEPLIBing to them.

Regards, Bob

-----Original Message-----
From: Mike Cairns
Sent: Saturday, June 22, 2024 6:37 AM
To: IBM-MAIN@LISTSERV.UA.EDU; Robert Hansel
Cc: Mike Cairns
Subject: Re: Data Set Commander Monitor (DSCMON) Access Authority

Hi Rob - is it now considered less than best practice to allow Linklist and LLA etc. to fall under UACC(READ) or ID(*) READ profiles? My recollection is that these libraries are not fetch protected, and therefore there is little common sense in having them anything other than UACC(READ)...

Cheers - Mike
Re: Data Set Commander Monitor (DSCMON) Access Authority
Steve,

I just checked the latest z/OS and RACF STIGs v6r60 and can find no mention of DSCMON. Where precisely in the STIGs did you find a reference to it?

Regards, Bob

-----Original Message-----
Date: Fri, 21 Jun 2024 20:23:09 -0500
From: Steve Beaver
Subject: Re: Data Set Commander Monitor (DSCMON) Access Authority

Use of DSCMON is a STIG violation

Sent from my iPhone
No one said I could type with one thumb

> On Jun 21, 2024, at 19:59, Mark Schuffenhauer wrote:
>
> Hello Bob,
>
> I would not make it trusted, but that is mainly up to the security standards of the company.
>
> It depends on the shop and how their datasets are. I have always advocated that LLA, LPA, and APF datasets should rarely change and have a standard nomenclature so that someone doesn't try to shove in SYS$KA2.NONSTAND.WEIRD.MYLOADLIB
>
> It really depends on how LLA looks. If the names in there look random and the member(s) is(are) updated frequently, then it is painful. If there are a lot of SETPROG LNKLST commands, it's painful. If there is no change control process required for updates, nor a PARMLIB monitor process to catch any changes, I would encourage standards and advise them.
>
> I would let the customer decide about trusted, versus horribly generic dataset read access, or having to update the STCID security dataset access. I am working from horribly generic to standards.
>
> ____________
> From: IBM Mainframe Discussion List on behalf of Robert S. Hansel
> Sent: Friday, June 21, 2024 7:50 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Data Set Commander Monitor (DSCMON) Access Authority
>
> Greetings all,
>
> I posted this on RACF-L a week ago. There were no replies, so I thought I would try this list.
>
> I am implementing RACF control for DSCMON for the first time and wondering how others have implemented it. Below is some background information, my thoughts, and some questions.
>
> DSCMON is a Started Task that can dynamically and, in some cases, automatically refresh the in-memory copies of Linklist library directories maintained by LLA (Library Lookaside Facility). To perform this function, DSCMON needs READ access to all the Linklist libraries. It also needs access in OPERCMDS to modify LLA.
>
> Ensuring DSCMON is permitted READ access to all Linklist libraries will be an ongoing administrative burden. It will require constant review of the list of Linklist libraries to confirm DSCMON has READ access and, if necessary, permitting DSCMON READ access to any new libraries that are added to the Linklist. Failure to provide READ access to a Linklist library will prevent DSCMON from updating the LLA directory for that library. Most likely, the process of maintaining these permissions could be partially automated, and maybe an alert could be set for any Linklist library changes, but it will still require ongoing RACF changes. Note that a computer operator could still perform a refresh using an operator command, but less conveniently and not automatically as when done by DSCMON.
>
> The technician installing DSCMON proposed giving it TRUSTED authority and claims most organizations implement it this way. TRUSTED would certainly eliminate the need to maintain its access permissions. I suspect its access activity is likely to be low, so I would be inclined to give its ID UAUDIT to track its access activity if it were made TRUSTED. Nonetheless, I have mixed feelings about giving it TRUSTED. This is not a product on IBM's sanctioned TRUSTED list, and I am loath to give any task TRUSTED that is not sanctioned.
>
> To any of you who currently have DSCMON on your system or previously worked with it, how have you implemented RACF controls? Has it been given TRUSTED authority? If so, was its ID also given UAUDIT? If not TRUSTED, how have its READ permissions to all the Linklist libraries been maintained? Is there an alert for the addition of libraries to Linklist? Has a RACF exit been implemented to grant it access?
>
> I look forward to reading your replies.
>
> Regards, Bob
>
> Robert S. Hansel 2024 IBM Champion
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> www.linkedin.com/in/roberthansel
Data Set Commander Monitor (DSCMON) Access Authority
Greetings all,

I posted this on RACF-L a week ago. There were no replies, so I thought I would try this list.

I am implementing RACF control for DSCMON for the first time and wondering how others have implemented it. Below is some background information, my thoughts, and some questions.

DSCMON is a Started Task that can dynamically and, in some cases, automatically refresh the in-memory copies of Linklist library directories maintained by LLA (Library Lookaside Facility). To perform this function, DSCMON needs READ access to all the Linklist libraries. It also needs access in OPERCMDS to modify LLA.

Ensuring DSCMON is permitted READ access to all Linklist libraries will be an ongoing administrative burden. It will require constant review of the list of Linklist libraries to confirm DSCMON has READ access and, if necessary, permitting DSCMON READ access to any new libraries that are added to the Linklist. Failure to provide READ access to a Linklist library will prevent DSCMON from updating the LLA directory for that library. Most likely, the process of maintaining these permissions could be partially automated, and maybe an alert could be set for any Linklist library changes, but it will still require ongoing RACF changes. Note that a computer operator could still perform a refresh using an operator command, but less conveniently and not automatically as when done by DSCMON.

The technician installing DSCMON proposed giving it TRUSTED authority and claims most organizations implement it this way. TRUSTED would certainly eliminate the need to maintain its access permissions. I suspect its access activity is likely to be low, so I would be inclined to give its ID UAUDIT to track its access activity if it were made TRUSTED. Nonetheless, I have mixed feelings about giving it TRUSTED. This is not a product on IBM's sanctioned TRUSTED list, and I am loath to give any task TRUSTED that is not sanctioned.

To any of you who currently have DSCMON on your system or previously worked with it, how have you implemented RACF controls? Has it been given TRUSTED authority? If so, was its ID also given UAUDIT? If not TRUSTED, how have its READ permissions to all the Linklist libraries been maintained? Is there an alert for the addition of libraries to Linklist? Has a RACF exit been implemented to grant it access?

I look forward to reading your replies.

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

--
Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - OCT 7-11, 2024
- RACF Level II Administration - NOV 4-8, 2024
- RACF Level III Admin, Audit, & Compliance - DEC 9-13, 2024
- RACF - Securing z/OS UNIX - SEPT 23-27, 2024
- zSecure Admin - Basic Administration - NOV 19-22, 2024
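The "constant review of the list of Linklist libraries" Bob describes is a job that can be scripted: take the active Linklist, resolve each library to the DATASET profile that would protect it, and work out what access DSCMON's ID would get. The following is an added example, not anything from the thread or from the DSCMON product. The Linklist and profile definitions are constructed; the generic-name matching follows RACF's enhanced generic naming rules, while the choice of "most specific" profile is an approximation (fewer '**', then fewer '*', then fewer '%', then the longer name) that is adequate for a coverage report but not for an audit finding.

```python
import re

# Added example, not DSCMON's or RACF's code. Input data is constructed.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

def profile_to_regex(profile):
    """DATASET-class generic matching with enhanced generic naming (EGN):
    '**' alone = zero or more qualifiers, '*' alone = exactly one qualifier,
    '*' inside a qualifier = zero or more characters, '%' = exactly one character."""
    pieces = []
    for q in profile.split("."):
        if q == "**":
            pieces.append(r"(?:\.[^.]+)*")
        elif q == "*":
            pieces.append(r"\.[^.]+")
        else:
            pieces.append(r"\." + "".join(
                "[^.]*" if c == "*" else "[^.]" if c == "%" else re.escape(c) for c in q))
    return re.compile("^" + "".join(pieces) + "$")

def covers(profile, dsn):
    return profile_to_regex(profile).match("." + dsn) is not None

def most_specific(profiles, dsn):
    """Approximation of RACF's best-match selection; see the lead-in."""
    hits = [p for p in profiles if covers(p, dsn)]
    if not hits:
        return None
    return min(hits, key=lambda p: (p.count("**"), p.replace("**", "").count("*"),
                                    p.count("%"), -len(p)))

def effective_access(prof, userid, groups):
    """Order RACF applies: the user's own entry, else the highest of the user's group
    entries (list-of-groups checking), else ID(*), else UACC. OPERATIONS and TRUSTED
    are deliberately not modelled: the point is what DSCMON gets without them."""
    acl = prof["acl"]
    if userid in acl:
        return acl[userid]
    via_groups = [acl[g] for g in groups if g in acl]
    if via_groups:
        return max(via_groups, key=ACCESS_ORDER.index)
    return acl.get("*", prof["uacc"])

def linklist_coverage(linklist, profiles, userid, groups, want="READ"):
    report = {"ok": [], "denied": [], "unprotected": []}
    for dsn in linklist:
        best = most_specific(profiles, dsn)
        if best is None:
            report["unprotected"].append(dsn)      # would fail under PROTECTALL(FAILURES)
            continue
        level = effective_access(profiles[best], userid, groups)
        bucket = "ok" if ACCESS_ORDER.index(level) >= ACCESS_ORDER.index(want) else "denied"
        report[bucket].append((dsn, best, level))
    return report

# Constructed input: the Linklist as you would take it from D PROG,LNKLST, and the
# DATASET profiles with UACC and access lists as you would take them from LISTDSD
# or the IRRDBU00 0400/0404 records. Group STCGRP for DSCMON is an assumption.
LINKLIST = ["SYS1.LINKLIB", "SYS1.CMDLIB", "ISV.PROD.LOADLIB",
            "APP.NEW.LINKLIB", "APP.OLD.LINKLIB", "SYS$KA2.NONSTAND.WEIRD.MYLOADLIB"]
PROFILES = {
    "SYS1.**":         {"uacc": "NONE", "acl": {"*": "READ", "SYSPROG": "ALTER"}},
    "ISV.PROD.*":      {"uacc": "READ", "acl": {}},
    "APP.**":          {"uacc": "NONE", "acl": {"APPTEAM": "UPDATE"}},
    "APP.NEW.LINKLIB": {"uacc": "NONE", "acl": {"DSCMON": "READ"}},
}

def dscmon_report():
    return linklist_coverage(LINKLIST, PROFILES, "DSCMON", ["STCGRP"])

if __name__ == "__main__":
    for bucket, items in dscmon_report().items():
        print(bucket, items)
```

Run after every SETPROG LNKLST change or on a schedule, the "denied" bucket is the PERMIT list an administrator has to act on, and the "unprotected" bucket is the set of Linklist libraries with no DATASET profile at all, which is a finding in its own right regardless of DSCMON.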
Re: SDSF and z/OS V2.5
Hi Lizette,

In z/OS 2.5, the security settings in ISFPRMxx are ignored and RACF alone governs security. You still need ISFPRMxx for display settings.

What we have found in our ISFPRMxx-to-RACF migration work is that, once you strip out the security parameters from all the ISFPRMxx groups, the remaining display parameters for all the SDSF groups are almost always nearly identical. Unless you have a requirement to give different sets of users different sets of ISFPRMxx display settings, which would necessitate defining multiple SDSF groups and corresponding RACF SDSF GROUP.groupid profiles, you could create a single SDSF group with a common, shared set of display parameters and give everyone access to it.

Also see our presentation on this topic.

https://www.rshconsulting.com/RSHpres/RSH_Consulting__SDSF_and_RACF__November_2023.pdf

P.S. Pay special attention to CONNECT statement parameter AUXSAF. See the presentation above for details.

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

--
Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - OCT 7-11, 2024
- RACF Level II Administration - NOV 4-8, 2024
- RACF Level III Admin, Audit, & Compliance - DEC 9-13, 2024
- RACF - Securing z/OS UNIX - SEPT 23-27, 2024
- zSecure Admin - Basic Administration - NOV 19-22, 2024

-----Original Message-----
Date: Mon, 17 Jun 2024 10:55:51 -0700
From: Lizette Koehler
Subject: SDSF and z/OS V2.5

Dearest List

I am trying to understand the changes to SDSF in z/OS 2.5.

I want RACF to control all access to functions in SDSF. And I do not want to have to code ISFPRMxx.

Is there a way to have a minimal ISFPRMxx, or do I have to add all GROUP statements and RACF SDSF GROUP.** to make this work?

Thanks
Lizette
Re: RACF permission to INETD OTELNET port?
Binyamin,

Along these same lines, see if PORT statements for these reserved ports assign SAF values, and then check the profiles protecting them in the SERVAUTH class. The format of the SAF resource name is EZB.PORTACCESS.sysname.tcpname.resname, where 'resname' is the SAF value assigned by the PORT statement. That said, I would have expected you to have seen ICH408I violation messages if this were the case.

Our presentation on SERVAUTH might also be of help in troubleshooting this.

https://www.rshconsulting.com/RSHpres/RSH_Consulting__SERVAUTH_Class__June_2021.pdf

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Mon, 17 Jun 2024 15:28:13 -0500
From: Stuart Holland
Subject: Re: RACF permission to INETD OTELNET port?

Check the PROFILE.TCPIP data set. PORT statements in there reserve ports to specific job names. Anything else trying to use that port will be rejected.

On 6/17/24 1:30 PM, Tom Brennan wrote:
> Well that destroys my theory that the problem was caused by a non-root id :) Like you say, there must be something else involved. Sounds like you're making progress though.
>
> Just curious, what made you choose port 323?
>
> On 6/17/2024 9:26 AM, Binyamin Dissen wrote:
>> Changed it to 323 and it works.
>>
>> I cannot figure out which BPX* resource would control this (23) and how.
>>
>> On Mon, 17 Jun 2024 06:01:03 -0700 Tom Brennan wrote:
>>
>> :>I'm not sure if Attila was saying to try this, but if you can change the port to something higher than 1024 and the bind works, that would indicate you're not really root at the time of the bind. Then if the userid starting the task is root, maybe somebody is doing a setuid() or similar before the bind.
>> :>
>> :>On 6/17/2024 1:26 AM, Attila Fogarasi wrote:
>> :>> Is INETD configured correctly? Your config is in etc/inetd/conf*. *TELNET is delivered specifying an ID of OMVSKERN and must be defined with both superuser and daemon authority. Guessing you are using OMVSKERN based on uid(0). Your port 722 is presumably defined in the /etc/services file.
>> :>>
>> :>> On Mon, Jun 17, 2024 at 6:10 PM Attila Fogarasi wrote:
>> :>>
>> :>>> Brave man running uid(0) for other than the OMVS kernel ... usually uid(0) does give superuser authority, but you may need to be in group(SYS1) and have a GID. Another possibility is having root as HOME('/'). Good luck, it's frustrating that simple things like getting a reason code for "permission denied" are not so easy.
>> :>>>
>> :>>> On Mon, Jun 17, 2024 at 5:19 PM Binyamin Dissen <0662573e2c3a-dmarc-requ...@listserv.ua.edu> wrote:
>> :>>>
>> :>>>> Took a dump of the address space, and the associated userid has UID(0).
>> :>>>>
>> :>>>> What else would be required for root access?
>> :>>>>
>> :>>>> On Mon, 17 Jun 2024 06:29:01 +1000 Attila Fogarasi <05b6fee9abb7-dmarc-requ...@listserv.ua.edu> wrote:
>> :>>>>
>> :>>>> :>Port 722 is a privileged port, which usually means your program needs root access; all of that is configured outside of RACF.
>> :>>>> :>
>> :>>>> :>On Mon, Jun 17, 2024 at 6:16 AM Binyamin Dissen <0662573e2c3a-dmarc-requ...@listserv.ua.edu> wrote:
>> :>>>> :>
>> :>>>> :>> On Sun, 16 Jun 2024 09:47:20 -0500 Walt Farrell <05bd6dbb44aa-dmarc-requ...@listserv.ua.edu> wrote:
>> :>>>> :>>
>> :>>>> :>> :>On Sun, 16 Jun 2024 17:20:34 +0300, Binyamin Dissen <bdis...@dissensoftware.com> wrote:
>> :>>>> :>>
>> :>>>> :>> :>>Getting
>> :>>>> :>>
>> :>>>> :>> :>>BPXF024I (TCPIP) Jun 16 06:38:15 inetd 65583 : FOMN0091 *:otelnet/tcp: 722 bind: EDC5111I Permission denied., rsn=744C7246
>> :>>>> :>>
>> :>>>> :>> :>>Not sure where it got 722 - looked in all the /etc places.
>> :>>>> :>>
>> :>>>> :>> :>>Also, what permission would be required to allow access to 722? Don't see anything obvious.
>> :>>>> :>>
>> :>>>> :>> :>What evidence do you have that it's a RACF issue?
>> :>>>> :>>
>> :>>>> :>> I am guessing from "permission denied"
>> :>>>>
>> :>>>> --
>> :>>>> Binyamin Dissen
>> :>>>> http://www.dissensoftware.com
>> :>>>>
>> :>>>> Director, Dissen Software, Bar & Grill - Israel
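The two checks the thread converges on, port reservation in PROFILE.TCPIP and the SERVAUTH resource name Bob gives, can be worked through offline against a copy of the profile. This is an added example, not code from the thread or from z/OS Communications Server. The PROFILE.TCPIP fragment is constructed, and the PORT/PORTRANGE syntax it assumes (port, protocol, job name, optional SAF resname; '*' for any job, 'OMVS' for any z/OS UNIX process, 'RESERVED' for nobody; RESTRICTLOWPORTS requiring either a reservation or superuser for ports below 1024) should be verified against the IP Configuration Reference. The decision logic is simplified to the first matching statement and treats a SAF keyword as an additional SERVAUTH check layered on the job-name reservation.

```python
import re
from fnmatch import fnmatchcase

# Added example; constructed PROFILE.TCPIP fragment, not from the thread.
SAMPLE_PROFILE = """\
TCPCONFIG RESTRICTLOWPORTS
PORT
    21 TCP FTPD1                 ; FTP control
    23 TCP INETD1 SAF OTELNET    ; telnet via inetd, also SERVAUTH protected
    25 TCP SMTP
   722 TCP RESERVED              ; nobody may bind here
PORTRANGE 10000 100 TCP OMVS
"""

ENTRY = re.compile(r"^\s*(?:PORT\s+)?(\d+)\s+(TCP|UDP)\s+(\S+)(.*)$", re.I)
RANGE = re.compile(r"^\s*PORTRANGE\s+(\d+)\s+(\d+)\s+(TCP|UDP)\s+(\S+)(.*)$", re.I)

def _entry(lo, hi, proto, job, opts):
    saf = re.search(r"\bSAF\s+(\S+)", opts, re.I)
    return {"low": lo, "high": hi, "proto": proto.upper(), "job": job.upper(),
            "saf": saf.group(1).upper() if saf else None}

def parse_profile(text):
    """Return (restrictlowports, entries); each entry is dict(low, high, proto, job, saf).
    Handles both 'PORT 23 TCP ...' on one line and a PORT keyword followed by a block."""
    restrict, entries, in_block = False, [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # ';' starts a comment
        if not line.strip():
            continue
        up = line.strip().upper()
        if up.startswith("TCPCONFIG") and "RESTRICTLOWPORTS" in up:
            restrict = "UNRESTRICTLOWPORTS" not in up
            continue
        m = RANGE.match(line)
        if m:
            lo, n, proto, job, opts = m.groups()
            entries.append(_entry(int(lo), int(lo) + int(n) - 1, proto, job, opts))
            in_block = False
            continue
        if up == "PORT":
            in_block = True
            continue
        m = ENTRY.match(line)
        if m and (in_block or up.startswith("PORT ")):
            port, proto, job, opts = m.groups()
            entries.append(_entry(int(port), int(port), proto, job, opts))
            continue
        in_block = False
    return restrict, entries

def servauth_resource(sysname, tcpname, resname):
    """The SERVAUTH profile checked for a SAF-protected port."""
    return f"EZB.PORTACCESS.{sysname}.{tcpname}.{resname}"

def bind_check(text, port, proto, jobname, unix_process=True, superuser=False,
               sysname="SYS1", tcpname="TCPIP"):
    """(allowed, reason, servauth_resource_or_None) for a bind attempt.
    sysname/tcpname default to assumed values; substitute the real ones."""
    restrict, entries = parse_profile(text)
    for e in entries:
        if e["proto"] != proto.upper() or not (e["low"] <= port <= e["high"]):
            continue
        res = servauth_resource(sysname, tcpname, e["saf"]) if e["saf"] else None
        if e["job"] == "RESERVED":
            return False, f"port {port} is RESERVED", res
        if e["job"] == "*":
            return True, "reserved for any job", res
        if e["job"] == "OMVS":
            return unix_process, "reserved for z/OS UNIX processes", res
        if fnmatchcase(jobname.upper(), e["job"]):
            return True, f"reserved for job {e['job']}", res
        return False, f"reserved for job {e['job']}, not {jobname.upper()}", res
    if port < 1024 and restrict and not superuser:
        return False, "RESTRICTLOWPORTS: an unreserved low port needs superuser", None
    return True, "unreserved port", None
```

With this profile the inetd bind to 722 fails even for a UID 0 process because the port is RESERVED, which is a different failure from the one Tom was testing for (a low port refused to a non-superuser), and port 23 requires both the INETD1 job name and READ on EZB.PORTACCESS.SYS1.TCPIP.OTELNET, the profile Bob says to look for.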
Re: RACF/DB2 Search Question?
Hi Terri,

Temporarily add the UAUDIT attribute to the ID to generate SMF records for everything it touches, and use this information to help remediate its authority. For DB2-related activity, look in the LOGSTR field of the SMF record, as this will often tell you what resource it was originally trying to use for which it needed a high-level authority to access. Permitting the ID access to the resources it is using could eliminate the need for high-level authorities and for the DBA group connection.

BTW, you might get more responses to questions like this by posting them on RACF-L.

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - APR 22-26, 2024
- RACF Level II Administration - NOV 4-8, 2024
- RACF Level III Admin, Audit, & Compliance - DEC 9-13, 2024
- RACF - Securing z/OS UNIX - SEPT 23-27, 2024
- zSecure Admin - Basic Administration - May 7-10, 2024

-----Original Message-----
Date: Wed, 3 Apr 2024 12:22:15 +0000
From: "Shaffer, Terri"
Subject: RACF/DB2 Search Question?

Hi,

One wondering if the RACF experts could answer something?

We are in the process of upgrading our DB2 from V8 to V13.1, which is actually working great, but they have a PC application that uses JDBC drivers to talk to DB2. Everything works, except a create tablespace command.

So in looking at things I found, I made sure the userid being passed has access to .sysadm rule, which is all it had before, but still failed with SQL -551.

Anyhow, what I did to fix it was add the DBA group to that userid and everything started to work.

However, because that is more authority than I would like to give out, is there a way thru a RACF search or some other command I can find all the rules that have this specific GROUP specified?

So maybe I can narrow down what Rule or MDSNxx or DSNADM Class that group has access to, so I can narrow down that userid access to just what it needs?

We are a development shop, and it's developers' DB2, but I still don't like giving more access than what's actually required.

Thanks.

Ms Terri E Shaffer
Senior Systems Engineer, z/OS Support: ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com
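Terri's "find all the rules that have this specific GROUP specified" is not something SEARCH does, but it is a flat scan of the IRRDBU00 unload, whose access-list entries are one record each: type 0404 for DATASET profiles and type 0505 for general resource classes such as DSNADM and the MDSNxx classes. The following is an added example, not Terri's or Bob's code. The records are constructed, and the column positions in LAYOUTS are an assumption to be verified against the record layouts in the RACF Macros and Interfaces manual before running this on real unload data.

```python
# Added example; constructed IRRDBU00 records, assumed column positions (1-based, inclusive).
LAYOUTS = {
    "0404": {"name": (6, 49), "volume": (51, 56), "auth_id": (58, 65), "access": (67, 74)},
    "0505": {"name": (6, 251), "class": (253, 260), "auth_id": (262, 269), "access": (271, 278)},
}
RECORD_LENGTH = 300   # long enough for the fields above; real unload records are longer

def build_record(rtype, fields):
    """Lay the fields out at their column positions so the sample looks like unload data."""
    buf = [" "] * RECORD_LENGTH
    buf[0:4] = list(rtype)
    for fld, value in fields.items():
        start, end = LAYOUTS[rtype][fld]
        for i, ch in enumerate(value[: end - start + 1]):
            buf[start - 1 + i] = ch
    return "".join(buf)

SAMPLE_UNLOAD = [
    "0200 DBUSER01   24.001   SECADM  " + " " * 260,     # a user basic record; ignored here
    build_record("0505", {"name": "DSNP.DSNDB04.CREATETS", "class": "MDSNDB",
                          "auth_id": "DBA", "access": "READ"}),
    build_record("0505", {"name": "DSNP.SYSADM", "class": "DSNADM",
                          "auth_id": "DBA", "access": "READ"}),
    build_record("0505", {"name": "DSNP.SYSADM", "class": "DSNADM",
                          "auth_id": "SYSPROG", "access": "READ"}),
    build_record("0505", {"name": "DSNP.*.*.SELECT", "class": "MDSNTB",
                          "auth_id": "DEVS", "access": "READ"}),
    build_record("0404", {"name": "DSNP.DSNDBC.**", "volume": "",
                          "auth_id": "DBA", "access": "UPDATE"}),
]

def parse_unload(lines):
    """Yield one dict per access-list record; other record types are skipped."""
    for line in lines:
        layout = LAYOUTS.get(line[0:4])
        if layout is None:
            continue
        rec = {fld: line[s - 1:e].strip() for fld, (s, e) in layout.items()}
        rec.setdefault("class", "DATASET")        # 0404 records carry no class field
        yield rec

def permits_for(auth_id, lines, classes=None):
    """Every (class, profile, access) whose access list names auth_id (user or group)."""
    hits = {(r["class"], r["name"], r["access"])
            for r in parse_unload(lines)
            if r["auth_id"] == auth_id.upper() and (classes is None or r["class"] in classes)}
    return sorted(hits)

def db2_permits_for(group, lines, subsystem):
    """Narrow to the DB2 RACF access control classes (DSNADM and MDSNxx) for one
    subsystem; the leading subsystem qualifier is the DB2 profile naming convention."""
    return [p for p in permits_for(group, lines)
            if (p[0] == "DSNADM" or p[0].startswith("MDSN")) and p[1].startswith(subsystem + ".")]

if __name__ == "__main__":
    for cls, name, access in db2_permits_for("DBA", SAMPLE_UNLOAD, "DSNP"):
        print(f"{cls:8s} {access:7s} {name}")
```

In this constructed data the DBA connection brings the CREATETS privilege on the database via the MDSNDB profile, which is the sort of single entry a CREATE TABLESPACE needs, so the narrower fix is one PERMIT to the application ID rather than the group connect. Real unload files are large; the same scan works line by line over the unload data set without loading it into memory.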
Re: RACF, external password management
Hi Linda,

The short-term solution is to implement the RACF password change exit ICHPWX01 and its companion System REXX module IRRPWREX. It is relatively simple to implement and governs all password changes. IRRPWREX has numerous options you can activate, such as disallowing repeating characters and specific character strings, that can address the common-password prohibition requirement. The IBM-provided exit code is available on GitHub:

https://github.com/IBM/IBM-Z-zOS/tree/main/zOS-RACF/Downloads/RexxPwExit

Also, implement KDFAES password encryption if you have not already done so. And I recommend a single SETROPTS PASSWORD RULE of LENGTH(8) MIXEDALL(1:8), which requires a password to be 8 characters in length and have at least one letter, one number, and one special character (e.g., National Characters). This rule alone will block many of the common passwords. Be sure all your resource managers processing logons can handle special characters.

The longer-term solution is MFA.

I recommend you contact the authors of this regulation and ask them to provide you with the list of common passwords they expect you to disallow.

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Thu, 29 Feb 2024 14:53:36 -0600
From: Linda Hagedorn
Subject: Re: RACF, external password management

The regulations are from NY state, NYDFS.
https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf

500.7 Access privileges and management.
500.7(c) Each class A company shall monitor privileged access activity and shall implement: (1) a privileged access management solution; and (2) an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the class A company and wherever feasible for all other accounts.

To automatically block commonly used passwords, a corpus is necessary. For example, the Cybernews Investigation team was able to collect 15m passwords.* If they can do it, software vendors will see the opportunity here.

It's one option to force all RACF password changes through a single point. However, there are a lot of ways to reach the password change process in MVS, and writing blocks for all of them isn't reasonable.

The ZMFA holds promise, if I can find a software company that has bought/collected the same 15m passwords that Cybernews did. I can route all RACF password changes to the software company for validation.

*https://cybernews.com/best-password-managers/most-common-passwords/
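What a new-password check of the kind Bob describes actually has to do, as an added example: this is not IBM's IRRPWREX (that is REXX, and lives at the GitHub link above), but a Python model of the same decision: the SETROPTS rule LENGTH(8) MIXEDALL(1:8), an IRRPWREX-style ban on repeated characters and forbidden strings, and a denylist lookup of the sort the NYDFS requirement calls for. The denylist and forbidden strings are constructed; the set of special characters accepted beyond the national characters @, #, $ is an assumption tied to SETROPTS PASSWORD(SPECIALCHARS).

```python
import re

# Added example, not IRRPWREX. Denylist and forbidden strings are constructed.
NATIONAL = set("@#$")                 # national characters, always valid in RACF passwords
EXTENDED = set(".<+|&!*-%_>?:=")      # assumption: only valid with SETROPTS PASSWORD(SPECIALCHARS)
FORBIDDEN_STRINGS = ("PASS", "RACF", "1234")          # constructed, as IRRPWREX lets you list
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon",
                    "football", "iloveyou", "sunshine", "princess"}   # constructed, tiny
LEET = str.maketrans("0134@$!", "oieaasi")            # 0->o 1->i 3->e 4->a @->a $->s !->i

def normalise(pw):
    """Undo the obvious tricks before the denylist lookup: case, trailing digits or
    symbols ('Welcome1'), and leet substitutions ('W3lcome$', 'P@ssw0rd')."""
    return re.sub(r"[^a-z]+$", "", pw.lower()).translate(LEET)

def check_password(pw, userid, specialchars=True):
    """Return the list of rule violations; an empty list means the password is acceptable."""
    problems = []
    specials = NATIONAL | (EXTENDED if specialchars else set())
    if len(pw) != 8:                                   # LENGTH(8)
        problems.append("LENGTH(8)")
    if any(not (c.isalnum() or c in specials) for c in pw):
        problems.append("INVALID-CHARACTER")
    alpha = any(c.isalpha() for c in pw)
    digit = any(c.isdigit() for c in pw)
    special = any(c in specials for c in pw)
    if not (alpha and digit and special):              # MIXEDALL as described above
        problems.append("MIXEDALL")
    if re.search(r"(.)\1\1", pw):                      # three of the same character in a row
        problems.append("REPEATED-CHARACTER")
    up = pw.upper()
    if userid.upper() in up:
        problems.append("CONTAINS-USERID")
    if any(s in up for s in FORBIDDEN_STRINGS):
        problems.append("FORBIDDEN-STRING")
    if normalise(pw) in COMMON_PASSWORDS:              # the corpus check the regulation wants
        problems.append("COMMON-PASSWORD")
    return problems

if __name__ == "__main__":
    for candidate in ("Tr7$kq9M", "P@ssw0rd", "W3lcome$", "AAA1@bcd", "Linda1@x", "abcdefg1"):
        print(f"{candidate:10s} {check_password(candidate, 'LINDA') or 'OK'}")
```

The point the last two samples make is the one Bob makes: "P@ssw0rd" and "W3lcome$" both satisfy LENGTH(8) MIXEDALL(1:8), so the SETROPTS rule narrows the field but does not replace the corpus lookup, which is what the exit is for. With a real corpus the set would be read from a file, and, since RACF folds passwords to upper case unless MIXEDCASE is active, the normalisation would run on the folded value.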
Re: RACF, external password management
Hi Linda,

How do you define "common password"?

Regards, Bob

Robert S. Hansel
2024 IBM Champion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Wed, 28 Feb 2024 15:35:54 -0600
From: Linda Hagedorn
Subject: RACF, external password management

My company wants an external password manager to substitute for RACF. I need to know if anyone has experience with this, or common password matching in RACF.

Background
Regulations NYDFS require preventing common passwords from being used. Vendor tools (Courion, CyberArk, etc.) have a corpus to match password changes against to prevent the use of common passwords.

RACF passwords can be changed from TSO, the internal reader, JCL, Candle Session Manager, etc., so trying to block password changing through RACF and forcing everyone through one of these 3rd party tools may be near impossible.

Any input is appreciated.
Thanks!
Linda
ISVs - Statements of z/OS System Integrity
z/OS Independent Software Vendors (ISVs):

I am preparing a presentation on z/OS system integrity protection that will discuss IBM's z/OS System Integrity Statement, available at the following URL:
https://www.ibm.com/downloads/cas/OWGOKG40

Does your firm offer a similar integrity statement and can you provide its URL?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
Re: Racf Userid
Hi Shelia,

First off, in the output of the LISTUSER command, find the most recent LAST-CONNECT date/time in the group connect information for all the ID's groups. Most likely it will be associated with the ID's default group. If it is the same as the LAST-ACCESS date/time, then the latter was updated due to a logon. If the LAST-ACCESS date/time is later, then someone did an ALTUSER RESUME on the ID, in which case you'll want to examine SMF type 80 records for ALTUSER events.

If it appears to be a logon, you will want to examine SMF type 80 records for event JOBINIT (logon) and INITOEDP (Unix dub) as well as type 30 subtype 1 records (TSO, Batch, and Started Task logons). Note that successful logons are often not logged. It all depends on how the resource manager processing the logon is designed and configured.

The SMF event names I'm referring to appear in the output of RACF's SMF unload utility. This utility converts raw SMF 80 and 30 records into text or XML output. If you have a RACF administration add-on product such as zSecure, it will provide its own mechanisms for reporting from SMF data.

If the above doesn't yield any useful information, try adding the UAUDIT attribute to the ID to record all its access activity. This activity might provide some clues as to how and from where the ID is being used. If you have zSecure Access Monitor, it can also provide helpful access activity information.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Wed, 10 Jan 2024 21:37:46 +
From: "Chalk, Shelia"
Subject: Racf Userid

Hello,

I have a userid abc that was last accessed in RACF on 1/7/24 at 5:06 a.m. Is there a report or something that will tell me who (batch job, script, etc..) is using this userid?

Thanks
Shelia Chalk
Mainframe System Programmer
sch...@ssfcu.org
Re: zOSMF install - SDSF ISFPRMxx
Hi Peter,

You might also find my presentation on SDSF and RACF helpful, which I just posted on my website.
https://www.rshconsulting.com/RSHpres/RSH_Consulting__SDSF_and_RACF__November_2023.pdf

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - DEC 4-8, 2023
- RACF Level II Administration - MAR 18-22, 2024
- RACF Level III Admin, Audit, & Compliance - APR 8-12, 2024
- RACF - Securing z/OS UNIX - FEB 26 - MAR 1, 2024

-----Original Message-----
Date: Sun, 3 Dec 2023 08:39:08 +0400
From: Peter
Subject: Re: zOSMF install - SDSF ISFPRMxx

Hello Rob

Thank you so much for your response

Could you please point to your presentation on migrating off from ISFPRMXX to RACF?

Fortunately our shop is very small and we don't have any archiving tool or any automation tool.

Peter

On Sat, Dec 2, 2023, 9:55 PM Rob Scott wrote:

> Peter,
>
> Can I strongly suggest you instigate a project to activate OPERCMDS (and JESSPOOL if not already active).
>
> ISFPRMx just controls actions within SDSF and does not preclude any semi-capable programmer from writing code to issue operator commands (or access SYSOUT using the JES SSI).
>
> Starting with z/OS 2.5, SDSF no longer uses ISFPRMxx to control security as everything now only goes through SAF authority. We use the SDSF class for product controls, and also make OPERCMDS and JESSPOOL checks on the user's behalf when processing actions taken within the product.
>
> Please be aware that converting your systems to correctly use OPERCMDS and JESSPOOL can be a lengthy process, and you should allow many weeks for testing and validation.
>
> The OPERCMDS and JESSPOOL classes being activated can affect a broad range of other products including sysout archiving and automated operations.
>
> I do have some presentations about SDSF security and can point you in the right direction if you want.
>
> As a further note, the old ISFACR tool that was written 25+ years ago to aid in SAF security migration is showing its age a bit. We have some more recent (and much simpler) tools and processes now.
>
> Rob Scott
> Rocket Software
>
> From: IBM Mainframe Discussion List on behalf of Peter
> Sent: Saturday, December 2, 2023 9:31:26 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: zOSMF install - SDSF ISFPRMxx
>
> Hello All
>
> Good morning
>
> I have planned to install zOSMF in our test LPAR. Our SDSF uses its own security features using ISFPRMXX and I can see zOSMF has its own IZUSEC jobs where it activates OPERCMDS class. We never activated OPERCMDS; instead we manage using ISFPRMXX PARMLIB member.
>
> Is there anyone who has installed zOSMF with the above scenario?
>
> Peter
Re: RACROUTE REQUEST=AUTH problem
John,

Are they defining generic profiles to protect resources in this class? If yes, did they remember to activate SETROPTS GENCMD and GENERIC for the class, especially _before_ creating such profiles. Have them execute SEARCH CLASS(class) and examine the resulting profile list to verify all profiles containing generic characters show a '(G)' to the right of the profile. Also look at SETROPTS LIST to confirm the class is listed under both GENERIC PROFILE CLASSES and GENERIC COMMAND CLASSES. Assuming GENERIC is active, have them create a ** catch-all profile in the class to see if this results in a profile being found.

Have they RACLISTed the class? If yes, are they remembering to RACLIST REFRESH the class every time they make a profile change? The REFRESH needs to be performed on each system sharing the RACF database, especially on the system where this CICS environment is running.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Wed, 29 Nov 2023 16:18:49 +
From: Rob Scott
Subject: Re: RACROUTE REQUEST=AUTH problem

Yes - so you have a "4,4,0" set of SAF_RC, RACF_RC and RACF_RSN

From the RACROUTE macro docs, the RACF-RC/RSN means:

04 The specified resource is not protected by RACF. If PROTECTALL is active, no profile is found, and the user ID whose authority was checked does not have the SPECIAL attribute, RACF returns a return code X'08' instead of a return code X'04' and denies access.

Reason code - Meaning
00 One of the following has occurred:
• There is no RACF profile protecting the resource.
• RACF is not active.
• Specified class is not in the RACF class descriptor table.
• Specified class (other than DSNR) is not active.
• Specified class requires SETROPTS RACLIST option to be active and it is not.
• CLASS TEMPDSN was active and the data set is a temporary data set.
• A userid of *BYPASS* has been passed on the authorization check. No profile checking will occur.

You have at least one of the above conditions

Rob

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of John Blythe Reid
Sent: Wednesday, November 29, 2023 4:14 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: RACROUTE REQUEST=AUTH problem

Rob,

I'm looking at SAFPRRET and SAFPRREA in a test on our LPAR. After checking a non-existent resource SAFPRRET contains X'0004' and SAFPRREA contains binary zeros. Is the value in SAFPRRET the RACF RC? The RACROUTE macro return code in R15 is also X'04'.

Regards,
John.
Re: RACF ICH408I messages
Hi Shelia,

Assuming your RACF monitoring options have been set correctly, the ICH408I messages will likely have corresponding SMF records. You can use RACF's SMF Unload utility to generate text or XML output from these records for research and reporting. If you have an adjunct RACF SMF reporting product (e.g., zSecure Audit or Vanguard Advisor), it will provide ISPF menus for generating reports.

For more on setting up RACF monitoring options and using the SMF Unload, see our presentation on this topic.
https://www.rshconsulting.com/RSHpres/RSH_Consulting__RACF_Monitoring_&_Reporting__May_2019.pdf

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - DEC 4-8, 2023
- RACF Level II Administration - NOV 13-17, 2023
- RACF Level III Admin, Audit, & Compliance - OCT 30 - NOV 3, 2023 ***Date Change***
- RACF - Securing z/OS UNIX - FEB 26 - MAR 1, 2024

-----Original Message-----
Date: Wed, 4 Oct 2023 17:38:18 +
From: "Chalk, Shelia"
Subject: RACF ICH408I messages

Hello,

Is there a report that I can run to list all the ICH408I messages within a time period?

Thanks
Shelia Chalk
Re: XCFAS and TRUSTED
To add to this discussion, it is my understanding that when IBM tests a new version of z/OS, they do so with the tasks named in the documentation having TRUSTED authority. Since they have TRUSTED, IBM does not determine or document what access authorization the tasks require. If you choose to run z/OS with any of these tasks without TRUSTED, you are doing so in a state IBM has not tested nor provided access authorization guidance for; hence, you do so at your own risk and may encounter access authorization issues that could be detrimental to the system.

I used to advocate for not using PRIVILEGED or TRUSTED for any tasks but relented once I learned of this for the sake of system availability. I now warn clients whenever I discover any of these tasks running without TRUSTED.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Mon, 21 Aug 2023 09:40:20 +1000
From: Andrew Rowley
Subject: Re: XCFAS and TRUSTED

On 21/08/2023 9:28 am, Lennie Dymoke-Bradshaw wrote:
> Secondly, when IBM states that a task should be given the attribute of Trusted, then I take it to mean that IBM is saying that the task can be trusted that this attribute cannot be the source of an exposure for that task.

I think when IBM says a task should be given trusted, it's a stronger statement than that. I take it to mean that the task should never be denied access by the security system, and any denial of access risks the stability or operation of the system.

--
Andrew Rowley
Black Hill Software
Re: XCFAS and TRUSTED
Hi Radoslaw,

1. Here is where the requirement is documented.
IBM Manual: MVS Initialization and Tuning Reference (System Tailoring - Assigning the RACF TRUSTED Attribute)
https://www.ibm.com/docs/en/zos/2.5.0?topic=tailoring-assigning-racf-trusted-attribute

2. XCFAS will need to be restarted. I do not know if this requires an IPL.

3. Here is mention of a reason why TRUSTED is required. I don't know if this is the only reason.
IBM Manual: MVS Setting Up a Sysplex (Planning sysplex availability and recovery - Requirements for participating in automatic restart management)
https://www.ibm.com/docs/en/zos/2.5.0?topic=management-requirements-participating-in-automatic-restart

What healthcheck reported the issue?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Sat, 19 Aug 2023 23:53:55 +0200
From: Radoslaw Skorupka
Subject: XCFAS and TRUSTED

I'm setting up some sysplex and found some healthcheck is not OK; the reason was XCFAS was not TRUSTED.

Questions:
1. Is the requirement of the TRUSTED status documented anywhere? That's good to know before an auditor asks.
2. Is there any way to fix it without reIPL?
3. Somehow related to 2. - IMHO actually it is not a matter of the attribute, but a matter of access to some resources. Are the resources needed for XCFAS documented/known?

--
Radoslaw Skorupka
Lodz, Poland
Re: eliminate use of id(0)
Hi Colin,

What is the product? If you share this, perhaps someone who is familiar with the product and may have already addressed this issue can respond.

Ask the vendor if access to FACILITY BPX or UNIXPRIV resources could be used in lieu of Superuser authority.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
*** Celebrating our 30th Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Tue, 11 Apr 2023 20:06:02 +0100
From: Colin Paice
Subject: eliminate use of id(0)

I've been reviewing someone's (ftp like) product documentation, and they say that the userid that runs their product needs id(0) to be able to run. This feels like giving too much authority to the userid.

Is there a better way of defining the userid and its access to resources to be able to eliminate the need for id(0)?

Colin
Re: RACF - SDSF question
Hi Terri,

Here are a couple of thoughts to add to what others have mentioned.

Since SDSF is issuing a JES2 cancel job $CJ command, the name of the OPERCMDS resource being checked is JES2.CANCEL.BAT. Profile JES2.CANCEL.BAT.C30TCI* is superfluous since the resource name never includes the jobname, so you can delete it. Profile JES2.CANCEL.BAT.** is guarding JES2.CANCEL.BAT because the .** generic suffix applies to zero or more qualifiers, and in this case it is zero qualifiers. The suggestions to lock down MVS cancel job commands won't help in this situation because SDSF is issuing JES2 commands instead of MVS commands, so the OPERCMDS MVS.CANCEL.JOB.jobname resources won't be checked.

As was mentioned, to cancel a job typically also requires ALTER access to the JESSPOOL resource guarding the job. Look into setting up appropriate JESSPOOL profiles to isolate and restrict ALTER access to these jobs. Also consider whether users have been (inadvertently) set up as Destination Operators. If they have READ access to SDSF resource ISFOPER.DEST.JES2 and ALTER access to SDSF resources prefixed ISFAUTH.DEST., they can cancel jobs while bypassing JESSPOOL profile checks.

If the CONSOLE class is active, you can permit ID(*) UPDATE access to JES2.CANCEL.BAT.** conditionally by adding operand WHEN(CONSOLE(SDSF)) to the PERMIT command so that users can only issue JES2 cancel job commands from within SDSF panels. This would prevent them from cancelling jobs outside of SDSF, to include when using the SDSF / command. You would need to remove UACC(UPDATE) or ID(*) UPDATE permission, whichever applies, for the conditional permission to take effect. Operations and Tech Support staff will need 'regular' UPDATE access permission. (CONSOLE is a Default Return Code 8 class, so don't activate it without first creating a ** profile with UACC(READ).)

To see exactly what resource names are being checked that are allowing the unwanted job cancellations, issue the SDSF command SET SECTRACE ON, cancel the job, and then issue the SDSF command ULOG. ULOG will show you all the access checks SDSF is making along with the results of each of these checks. SECTRACE is a phenomenal diagnostic tool that we use often.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
*** Celebrating our 30th Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Tue, 7 Feb 2023 13:31:41 +
From: "Shaffer, Terri"
Subject: RACF - SDSF question

Hi,

I know there is a RACF group, but hopefully this is simple and I am just missing something I have done 100 times over with no issues.

We run our CICS regions as batch jobs, and I just found out a user, instead of issuing a CEMT PERF SHUT command, is canceling it. Which then causes 100 VSAM messages on startup with all the verifies, and if something goes wrong they call me...

So I tried to stop this habit. I know they are putting a C beside the CICS and a $CJ(x) command.

So I have 2 rules in RACF under OPERCMDS
JES2.CANCEL.BAT.C30TCI* (G)
JES2.CANCEL.BAT.** (G)

If I restrict the BAT.** then they can't cancel even their own batch jobs. So I always thought more specific is looked at first?

One of my previous co-workers implemented SDSF-RACF rules converted from ISFPARMS.

Lastly, I understand this doesn't stop them from canceling any other jobs, but since this is a development shop we allow more access than most. But I don't want users canceling a CICS or DB2 etc.

Any ideas how they are getting the access and not stopped with the more specific rule??

Ms Terri E Shaffer
Senior Systems Engineer, z/OS Support: ACIWorldwide - Telecommuter
H(412-766-2697) C(412-519-2592)
terri.shaf...@aciworldwide.com
Re: RACF - SDSF question
Ed,

What you suggest only applies to DATASET profiles. With General Resource profiles such as those for OPERCMDS, the profile is always Discrete if fully spelled out and Generic only if it has masking characters.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
*** Celebrating our 30th Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

-----Original Message-----
Date: Tue, 7 Feb 2023 18:31:46 -0800
From: Ed Jaffe
Subject: Re: RACF - SDSF question

On 2/7/2023 5:14 PM, Seymour J Metz wrote:
> Generic is usually more useful, but you can certainly use specific profiles.

Even discrete profiles can be made generic by specifying GENERIC when created. That's what we do here. We have NO discrete profiles, but we do have generic profiles with no wildcard characters in them.

--
Phoenix Software International
Edward E. Jaffe
831 Parkview Drive North
El Segundo, CA 90245
https://www.phoenixsoftware.com/
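A worked model of the profile selection Bob describes in his two replies above (JES2.CANCEL.BAT.** covering the resource JES2.CANCEL.BAT because .** matches zero qualifiers, the jobname-suffixed profile never matching it, and a fully spelled-out general resource name being a discrete profile), as an added Python example that is not from the list or from RACF itself. The matching rules for % and * inside a qualifier, * alone as one qualifier, ** as zero or more qualifiers, and the most-specific-wins ordering are this example's assumptions about general resource generic matching; only the two points Bob states are taken from the posts.

```python
import re
from typing import List, Optional

# Masking characters in general resource profile names (RACF variables '&' not modelled).
GENERIC_CHARS = "*%"


def is_generic(profile: str) -> bool:
    """General resource profile: generic only if it contains a masking character,
    otherwise it is a discrete profile (Bob's reply to Ed)."""
    return any(c in GENERIC_CHARS for c in profile)


def profile_to_regex(profile: str) -> "re.Pattern[str]":
    """Translate a generic profile name into a regular expression.

    Assumed rules:
      %      one character within a qualifier
      ABC*   zero or more characters within that qualifier
      *      (alone) exactly one qualifier
      **     zero or more qualifiers, so A.B.** also covers the resource A.B
    """
    quals = profile.split(".")
    parts = []
    need_sep = False          # does the next qualifier need a leading dot?
    for i, qual in enumerate(quals):
        if qual == "**":
            if len(quals) == 1:
                parts.append(r"(?:[^.]+(?:\.[^.]+)*)?")   # anything, even empty
            elif i == 0:
                parts.append(r"(?:[^.]+\.)*")             # leading qualifiers + dots
                need_sep = False
                continue
            else:
                parts.append(r"(?:\.[^.]+)*")             # zero or more trailing qualifiers
            need_sep = True
            continue
        sep = r"\." if need_sep else ""
        if qual == "*":
            body = r"[^.]+"                               # exactly one qualifier
        else:
            body = "".join(
                r"[^.]" if c == "%" else r"[^.]*" if c == "*" else re.escape(c)
                for c in qual
            )
        parts.append(sep + body)
        need_sep = True
    return re.compile("".join(parts))


def matches(profile: str, resource: str) -> bool:
    """Does this profile cover this resource name?"""
    if not is_generic(profile):
        return profile == resource
    return profile_to_regex(profile).fullmatch(resource) is not None


def _specificity_key(profile: str) -> List[int]:
    """Rank each position literal(0) < %(1) < *(2) < **(3); comparing keys left to
    right picks the profile whose first masking character is latest and least generic."""
    key: List[int] = []
    i = 0
    while i < len(profile):
        if profile.startswith("**", i):
            key.append(3)
            i += 2
        else:
            key.append({"*": 2, "%": 1}.get(profile[i], 0))
            i += 1
    return key


def best_profile(resource: str, profiles: List[str]) -> Optional[str]:
    """Profile selected for an access check: a discrete match first, otherwise
    the most specific matching generic profile, or None if nothing covers it."""
    candidates = [p for p in profiles if matches(p, resource)]
    if not candidates:
        return None
    discrete = [p for p in candidates if not is_generic(p)]
    if discrete:
        return discrete[0]
    return min(candidates, key=_specificity_key)


if __name__ == "__main__":
    # Terri's two OPERCMDS profiles and the resource SDSF checks for a $CJ command.
    terri = ["JES2.CANCEL.BAT.C30TCI*", "JES2.CANCEL.BAT.**"]
    print(best_profile("JES2.CANCEL.BAT", terri))           # JES2.CANCEL.BAT.**
    print(best_profile("JES2.CANCEL.BAT.C30TCI01", terri))  # JES2.CANCEL.BAT.C30TCI*
    print(best_profile("MVS.CANCEL.JOB.C30TCI01", terri))   # None
```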
Re: rexx and IDCAMS functions
Hi Lizette,

What, if any, ICH408I messages do you see in SYSLOG? Do you have the necessary FACILITY STGADMIN profile permissions to perform these functions?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
*** Celebrating our 30th Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Tue, 16 Aug 2022 14:18:54 -0700
From: Lizette Koehler
Subject: rexx and IDCAMS functions

I am going to write a process in REXX using things like DCOLLECT LISTC etc.

I am running into S913-70

I am trying to figure out what I need to do to resolve it

Something in RACF? Pads IKJTSOxx??

Any guidance appreciated

Lizette
Re: Superuser (su) in batch
Hi William,

Here are examples of several different ways I found for doing this.

//RSHBPXSU JOB (1),RSH,CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID
//STEP0010 EXEC PGM=BPXBATCH,PARM='SH'
//STDERR   DD SYSOUT=*
//STDOUT   DD SYSOUT=*
//STDIN    DD PATH='/u/RSH/commands',PATHOPTS=(ORDONLY)   << su in stdin file

//RSHBPXSU JOB (1),RSH,CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID
//STEP0010 EXEC PGM=BPXBATCH,PARM='SH su'
//STDERR   DD SYSOUT=*
//STDOUT   DD SYSOUT=*
//STDIN    DD PATH='/u/RSH/commands2',PATHOPTS=(ORDONLY)

//RSHBPXSU JOB (1),RSH,CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID
//STEP0010 EXEC PGM=BPXBATCH,PARM='SH su < /u/RSH/commands2'
//STDERR   DD SYSOUT=*
//STDOUT   DD SYSOUT=*

//RSHBPXSU JOB (1),RSH,CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID
//STEP0010 EXEC PGM=BPXBATCH
//STDERR   DD SYSOUT=*
//STDOUT   DD SYSOUT=*
//STDPARM  DD *
SH su < /u/RSH/commands3

//RSHSUTST JOB (1),RSH,CLASS=A,MSGCLASS=H,NOTIFY=&SYSUID
//STEP0001 EXEC PGM=IKJEFT1B
//SYSPROC  DD DISP=SHR,DSN=SYS1.SBPXEXEC
//SYSOUT   DD SYSOUT=*
//SYSIN    DD DUMMY
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
PROF MSGID WTPMSG
OSHELL echo id | su
OSHELL print 'id' | su

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
*** Celebrating our 30th Anniversary ***
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Thu, 11 Aug 2022 12:50:49 +
From: "Boyer, William"
Subject: Superuser (su) in batch

My userid on z/OS is not a superuser but I have RACF READ access to BPX.SUPERUSER. Occasionally as a Systems Programmer, I need to perform something in USS that requires UID=0. In TSO I can switch to EUID=0 by going to 3.17 (Utilities/Udlist) and typing su, which seems to stay set for the entire length of the TSO session.

Is there a way to do a su in batch and then copy files or adjust permits/owner etc.?

For example interactively, I can set my euid=0 with su in 3.17, then go to =6 and type in OPUT to copy files into USS directories that my normal uid does not have permission for, but the OPUT works because I am still euid=0.

I am looking for a way to do this in batch.

Thanks
William Boyer
System Engineer Sr Advisor
T 410-842-1706
william.bo...@gdit.com
One W. Pennsylvania Ave
Towson, MD 21204
www.gdit.com
Re: SDSF & TSS (RACF)
Hi Mark,

The option prevents all the violations when you 's' select the entire job. It won't help when you select the job with ? and then select individual SYSOUTs. For the latter, it is WAD.

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
From: Steely.Mark [mailto:steely.m...@aaa-texas.com]
Sent: Wednesday, May 25, 2022 12:04 PM
To: IBM Mainframe Discussion List
Cc: Robert S. Hansel (RSH)
Subject: RE: SDSF & TSS (RACF)
Importance: High

Thanks for the update - yes I did forget the custom parameter. It may work for what I need. When I select the complete report it comes back as unauthorized. If I expand the report with a ? and select a report it still gets the violation, and after several attempts it suspends the ID. Is there anything for that?

Thank You

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Robert S. Hansel (RSH)
Sent: Wednesday, May 25, 2022 5:53 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: FW: SDSF & TSS (RACF)

Mark,

I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in _all_ your GROUP statements that points to the PROPLIST NAME(proplist) statement with the PROPERTY parameter? And did you refresh the ISFPARMS in all the SDSF servers?

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Tue, 24 May 2022 15:02:50 +
From: "Steely.Mark"
Subject: Re: SDSF & TSS (RACF)

Thanks for the link for the output violations - it doesn't appear to work for TSS (Top Secret).

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Robert S. Hansel (RSH)
Sent: Tuesday, May 24, 2022 8:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SDSF & TSS (RACF)

Hi Mark,

When a user attempts to select a job, SDSF does an authorization check for each individual SYSOUT DDNAME associated with the job and can generate multiple violations like this. To address this issue, see article "Avoiding Output Browse Violation Messages in SDSF" in the July 2008 issue of our RACF Tips newsletter.
https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
https://n
FW: SDSF & TSS (RACF)
Mark,

I'm surprised it didn't work. Did you code a CUSTOM(proplist) parameter in _all_ your GROUP statements that points to the PROPLIST NAME(proplist) statement with the PROPERTY parameter? And did you refresh the ISFPARMS in all the SDSF servers?

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Tue, 24 May 2022 15:02:50 +
From: "Steely.Mark"
Subject: Re: SDSF & TSS (RACF)

Thanks for the link for the output violations - it doesn't appear to work for TSS (Top Secret).

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Robert S. Hansel (RSH)
Sent: Tuesday, May 24, 2022 8:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: SDSF & TSS (RACF)

Hi Mark,

When a user attempts to select a job, SDSF does an authorization check for each individual SYSOUT DDNAME associated with the job and can generate multiple violations like this. To address this issue, see article "Avoiding Output Browse Violation Messages in SDSF" in the July 2008 issue of our RACF Tips newsletter.
https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Mon, 23 May 2022 20:55:48 +
From: "Steely.Mark"
Subject: SDSF & TSS (RACF)

I am trying to convert our SDSF from using ISFPARMS to TSS for security. I need some direction on how to provide security for reports. Currently I am trying to use JESSPOOL to control access. The customer is allowed to view all currently active and held output jobs but may only look at certain JOBS & REPORTS.

During testing I have this occurring:

The customer is trying to view this job (which the customer is not authorized)

COMMAND INPUT ===>                 PREFIX=* DEST=(ALL) OWNER=* SYSNAME=
NP   DDNAME   StepName ProcStep DSID Owner  C Dest
     JESMSGLG JES2                2 TS0242 R LOCAL
     JESJCL   JES2                3 TS0242 R LOCAL
     JESYSMSG JES2                4 TS0242 R LOCAL

The above is displayed when I put a ? in the Held output screen. This is just to show you the report has 3 different reports.

Then the customer goes back to the screen which shows the job name:

SDSF HELD OUTPUT DISPLAY ALL CLASSES   LINES 55   LINE 1
COMMAND INPUT ===>   PREFIX=B1* DEST=(ALL) OWNER=* SORT=JOBNAME/A SYSNAME=
NP   JOBNAME  JobID    Owner    Prty C ODisp Dest
     B100042B JOB09087 TS0242    144 R HOLD  LOCAL

Then selects the job and receives the following messages:

TSS7257E Unauthorized Access Level for JESSPOOL
TSS7257E Unauthorized Access Level for JESSPOOL
TSS7257E Unauthorized Access Level for JESSPOOL
TSS7141E Use of Accessor ID Suspended
TSS7191E Job/Session Cancelled - Excessive Violations
TSS7192E Session Locked - Excessive Violations: Signoff
CS0042 LOGGED OFF TSO AT 14:57:54 ON MAY 23, 2022
IKJ56453I SESSION CANCELLE
Re: SDSF & TSS (RACF)
Hi Mark,

When a user attempts to select a job, SDSF does an authorization check for each individual SYSOUT DDNAME associated with the job and can generate multiple violations like this. To address this issue, see article "Avoiding Output Browse Violation Messages in SDSF" in the July 2008 issue of our RACF Tips newsletter.
https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2008.pdf

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Mon, 23 May 2022 20:55:48 +
From: "Steely.Mark"
Subject: SDSF & TSS (RACF)

I am trying to convert our SDSF from using ISFPARMS to TSS for security. I need some direction on how to provide security for reports. Currently I am trying to use JESSPOOL to control access. The customer is allowed to view all currently active and held output jobs but may only look at certain JOBS & REPORTS.

During testing I have this occurring:

The customer is trying to view this job (which the customer is not authorized)

COMMAND INPUT ===>                 PREFIX=* DEST=(ALL) OWNER=* SYSNAME=
NP   DDNAME   StepName ProcStep DSID Owner  C Dest
     JESMSGLG JES2                2 TS0242 R LOCAL
     JESJCL   JES2                3 TS0242 R LOCAL
     JESYSMSG JES2                4 TS0242 R LOCAL

The above is displayed when I put a ? in the Held output screen. This is just to show you the report has 3 different reports.

Then the customer goes back to the screen which shows the job name:

SDSF HELD OUTPUT DISPLAY ALL CLASSES   LINES 55   LINE 1
COMMAND INPUT ===>   PREFIX=B1* DEST=(ALL) OWNER=* SORT=JOBNAME/A SYSNAME=
NP   JOBNAME  JobID    Owner    Prty C ODisp Dest
     B100042B JOB09087 TS0242    144 R HOLD  LOCAL

Then selects the job and receives the following messages:

TSS7257E Unauthorized Access Level for JESSPOOL
TSS7257E Unauthorized Access Level for JESSPOOL
TSS7257E Unauthorized Access Level for JESSPOOL
TSS7141E Use of Accessor ID Suspended
TSS7191E Job/Session Cancelled - Excessive Violations
TSS7192E Session Locked - Excessive Violations: Signoff
CS0042 LOGGED OFF TSO AT 14:57:54 ON MAY 23, 2022
IKJ56453I SESSION CANCELLED

** I would hate to think someone would accidentally try to look at an output they are not authorized to view and get their ID suspended.

Maybe I am going at this all wrong. Is there a different way I should be doing this?

Any help would be appreciated. We are currently at z/OS v2.4.

Thank You
Re: SAF without an ESM
@zMan: SAF, itself, has exits that could be used to make security decisions and even overrule those made by the ESM.

@coasthermit: You experienced what is known as Failsoft processing. RACF itself wasn't disabled but its databases were, so it turns to the operator for approval of every access authorization check. I've only come across one installation that had an exit to do just what you suggest.

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Thu, 5 May 2022 05:45:53 +0800
From: coasthermit
Subject: Re: SAF without an ESM

Many years back I IPLed my onepak system with RACF disabled to see what happened. Every access of a resource sent a reply prompt to the console for YES/NO. It took a while but I eventually got enough of MVS up that I could logon to TSO/E. I considered writing my own RACF exit that returned OK for every access request, but in the end I just built a default RACF data base for that system to use. Maybe SAF still works the same way.

-Original Message-
Date: Wed, 4 May 2022 12:50:49 -0400
From: zMan
Subject: SAF without an ESM

On https://www.ibm.com/docs/en/zos-basic-skills?topic=zos-what-is-saf , IBM says:

> System authorization facility or SAF is an interface defined by MVS™ that
> enables programs to use system authorization services to control access to
> resources, such as data sets and MVS commands. SAF either processes
> security authorization requests directly or works with RACF®, or other
> security product, to process them.

Someone on r/mainframe asks what SAF does without an ESM. I'm thinking "not much", but the last sentence above sort of suggests otherwise--unless "SAF either processes security authorization requests directly" means "returns RC=0 in all cases", in which case it would be accurate but IMHO overly vague. Thoughts?
Re: What is the audit basis to prevent read access to z/OS PARMLIB's?
The IBM guidelines for protecting PARMLIB in the RACF Security Administrator's Guide indicate that default access of READ is acceptable; however, they qualify this as follows: "UACC should be NONE if any members contain passwords, or other sensitive information, such as the ACBPW password in the TSOKEYxx member." How often does someone review PARMLIB looking for passwords and the like? Most likely never. If you lock it down, there are no worries you've missed something.

Whereas most of the configuration information in PARMLIB is in storage for anyone to view (e.g., current list of APF libraries), there are a few things in fetch-protected storage that require authorization to see, one being the PPT. READ access to PARMLIB would let me see what additions and modifications an installation has made to the PPT, in particular whether Bypass Password Protection or a System Key have been assigned to any program that could be exploited. This is a reason for also protecting RACF's DSMON program ICHDSM00 as it provides PPT information.

I tend to agree with those advocating for least necessary privilege. If access isn't explicitly needed, don't provide it, or at least monitor activity to discover who is checking you out. Why make it easy for someone to probe your system undetected?

The STIG and the RACF SAG should both be amended to indicate the PARMLIB concatenation, not just SYS1.PARMLIB.

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
2021 #IBMChampion
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
Re: Having some challenges with a SORT Utility
Hi Cameron,

Generating and processing RACF LISTUSER data is extremely inefficient and is not a sanctioned application programming interface. I recommend you look into processing a RACF database unload file generated by the IRRDBU00 utility, with which you could probably use SORT's JOINKEY to do much of what you are trying to do with less code. Most installations generate an IRRDBU00 unload every day, so there is apt to be one readily available for you to use.

Better still, I believe your firm has IBM's RACF add-on product zSecure. It might very well be able to generate the report you are looking for without having to write a single line of code.

I suggest you contact your RACF Admin team to ask them about the availability of an IRRDBU00 unload and zSecure.

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
2021 #IBMChampion
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

---
Upcoming RSH RACF Training - WebEx
- RACF Level I Administration - APR 4-8, 2022
- RACF Level II Administration - MAR 7-11, 2022
- RACF Level III Admin, Audit, & Compliance - FEB 14-18, 2022
- RACF - Securing z/OS UNIX - JAN 24-28, 2022
---

-Original Message-
Date: Wed, 19 Jan 2022 22:23:51 +
From: Cameron Conacher
Subject: Having some challenges with a SORT Utility

Hello folks,

Hopefully someone can point me in a correct direction. I can do this in a different manner, but I am stubborn.

I have crafted a little sort utility to read a file and then to grab data from a couple of records and include the data with subsequent records. So, I have a record identifying a dataset name. (One record) Then some number of records later, I will have a record identifying an Owner group. (One record) And then after a few records I will have some other record with names. (A number of records - hundreds or perhaps only one)

    DataSet Name Record
    Noise records
    Owner Group record
    Noise records
    Name Record
    Name Record
    . . . .
    Noise records
    DataSet Name Record
    And so on.

My sort eliminates the noise records, and then I try to carry the dataset name and the owner group forward to add it to the name records for final output. When I run my utility, I get the very first name record (with the dataset and owner information). The subsequent name records do not have the additional data on output because somehow I have messed up. Could someone have a peek at my sort control statement and suggest either a fix or tell me DON'T DO IT. Thanks.

And here are my sort control statements.

    *************************************************************
    * SCAN THROUGH THE INPUT FILE AND GENERATE AN OUTPUT DETAIL *
    * FILE COMBINING DATA FROM MULTIPLE RECORDS.                *
    *                                                           *
    * WE ONLY WANT THE RECORDS CONTAINING ONE OF:               *
    *   'LISTDSD DATASET(' IN POSITION 002                      *
    *   ' 00'              IN POSITION 002                      *
    *   ' ALTER '          IN POSITION 011                      *
    *   'CONTROL'          IN POSITION 011                      *
    *   ' READ '           IN POSITION 011                      *
    *   'UPDATE '          IN POSITION 011                      *
    *************************************************************
    INCLUDE COND=(01,20,SS,EQ,C'LISTDSD DATASET',       * ONLY LISTDSD RECS
                  OR,01,20,SS,EQ,C' 00',                * OWNER RECORDS
                  OR,10,20,SS,EQ,C' ALTER ',            * ALTER ACCESS
                  OR,10,20,SS,EQ,C'CONTROL ',           * CONTROL ACCESS
                  OR,10,20,SS,EQ,C' READ ',             * READ ACCESS
                  OR,10,20,SS,EQ,C'UPDATE ')            * UPDATE ACCESS
    *************************************************************
    * PARSE THE INPUT RECORDS LOOKING FOR THE LITERALS REPRESENTING
    * THE LISTDSD, OWNER AND RACF ID/ACCESS (DIFFERENT RECORDS)
    * USING A GROUP OF THREE RECORDS (1=LISTDSD 2=OWNER 3=RACF ID)
    * OVERLAY THE WORK AREA DATA IN 101-132 WITH:
    *   101-104 = 'RACF'
    *   105-150 = 45 CHARACTERS FOR LISTDSD NAME
    *   151-158 = OWNER NAME
    *
Re: Change password
Gadi,

Use of the operand REVOKE(date) requires SPECIAL. It might work if the user executing the ALTUSER command is the owner of the user profile (e.g., ).

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
2021 #IBMChampion
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Wed, 12 Jan 2022 10:28:30 +
From: Gadi Ben-Avi
Subject: Change password

Hi,

I would like to allow a user that does not have the special or group special attribute to issue the following command successfully:

    alu password() resume noexpire revoke ( 01/13/22 )

Is this possible? Right now the command fails with

    ICH408I USER(OP01) GROUP(OPER) NAME(OPER-01 )
      PARTIAL VIOLATION ON COMMAND ALTUSER

We are running z/OS v2.4.

Gadi
Re: LDAP confusion with security settings
Hi Rex,

Very strange indeed. This does not seem like a native LDAP issue.

Have you looked at the source code of the software that is processing logons to see if this ID is embedded in the code?

Is this ID coded as the USERID on any CICS terminal definitions or started transaction EXEC CICS START commands related to this logon process?

If you have SETROPTS SAUDIT or AUDIT(USER) active, have you looked at SMF data to see if it is issuing any RACF commands, in particular ALTUSER PASSWORD NOEXPIRE?

Have you tried adding UAUDIT to the ID to see what else it might be doing?

If you have a product like zSecure Access Monitor, what activity does it show for this ID?

What happens if you swap ROAUDIT for SPECIAL?

If you define profiles LISTUSER and LU in the PROGRAM class with ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(READ) AUDIT(ALL), does SMF data show this ID using these programs?

My extreme SWAG is that it is being used to handle password expiration and password changes.

Regards, Bob

Robert S. Hansel
2021 #IBMChampion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Fri, 9 Jul 2021 17:10:22 +
From: "Pommier, Rex"
Subject: LDAP confusion with security settings

Hi list,

I don't know if this belongs in the TCP/IP list, RACF list or here so I'm starting here. Here's the situation as best I understand it.

First off, LDAP is a black hole as far as I'm concerned. It was set up here long before my time. We're using it to communicate and authenticate to RACF for users coming in from a browser into our CICS regions. The LDAP server runs under a user ID of LDAPSRV. Users coming in from the browser are given a logon screen where they enter their own ID and password which LDAP validates against RACF. LDAP provides the appropriate ICH408I message if they fat-finger a password etc. That part is all OK.

The RACF group that LDAPSRV is a member of is LDAPGRP and some of the attributes assigned to LDAPSRV are actually given through the group. The LDAP server is defined within RACF in the APPL class and anybody that tries to log on through LDAP needs to have READ access to this APPL.

Here's where I'm getting confused. There is another ID on the system, we'll call LDAPU, that has no special privileges except this ID is RACF SPECIAL. The group this ID belongs to (LDAP) also has no special privileges. The ID is not UID0 and the only connection LDAPU has is to the LDAP group, the only permission it has is to the LDAPSRV APPL. The LDAP group actually has no permissions given to it. The only thing strange is that the ID has SPECIAL.

Since the ID isn't anything special (or so I thought) I removed SPECIAL from it. As soon as I removed SPECIAL, anybody coming in through the browser started getting invalid userid or password errors on their browser logon page. They were getting NO RACF ICH408I messages being logged either in the SYSLOG or in the LDAPSRV address space. As soon as I gave SPECIAL back to LDAPU everything started working again.

I can find nowhere within the LDAP config file that defines LDAPU as any kind of special ID that has magical powers over people trying to log in thru the LDAP. If anybody has any idea where I could go look for what LDAP is using this ID for or where it is defined to use this ID for something, I'd appreciate it. I really don't like the idea of having a RACF SPECIAL user floating around that nobody knows why it has SPECIAL.

Apologies if this sounds as confusing to you reading it as it does to me writing it.

Thanks,

Rex
Re: Unix Permissions Display Question
Hi Fred,

ACLs are kept in the File Security Packet (FSP) for each individual file in the Unix file system. They are not stored in RACF.

The ACL you show would allow these two users to write (w) to the file but not read (r) or execute (x) it. You might need to add read (r) authority if they are having difficulty accessing the file. Check for ICH408I violation messages as they will show INTENT and ALLOWED.

The file ACL should not affect your ability to rename the file. Rename is controlled by access to the parent directory, and write (w) is required to rename it. Check your permissions to the directory. It, too, might have an ACL. Again, check for ICH408I messages.

BTW, the owner appears as a UID and not a RACF ID. Either there is no RACF ID with this UID, or the default group for the RACF ID with this UID doesn't have a GID. I recommend you remediate this.

Regards, Bob

Robert S. Hansel
2021 #IBMChampion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Fri, 2 Jul 2021 14:10:32 +
From: fred glenlake
Subject: Re: Unix Permissions Display Question

Hi List,

Amazing response by so many members, very much appreciated. Just to close the loop, I don't have Vista so that's out. The Unix display that I re-typed was with the + in front of the 755. From the follow-on copy and pastes below of your suggested commands it shows I have 2 USER ACL's defined somewhere in RACF that are likely the cause of my access issues when I try to rename this file in a simulated DR test scenario. I issued the GETFACL command as suggested and that display is copied and pasted below.

    $ getfacl SYSTEM/etc/pagent_TTLS.conf
    #file: SYSTEM/etc/pagent_TTLS.conf
    #owner: 30456
    #group: SYS1
    user::rwx
    group::r-x
    other::r-x
    user:DRTSTCPY:-w-
    user:DREVTCPY:-w-
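Added example, not from Fred's post or Bob's reply: a small Python check that parses the getfacl output above and computes a user's effective access in the z/OS UNIX order of evaluation (owner first, then a matching named-user entry, then the owning group plus any matching named-group entries combined, otherwise "other"). The UIDs and group memberships fed to it are constructed; UID 0 and RACF-level overrides such as UNIXPRIV are not modelled.

```python
# Added example (not from the original post or RSH Consulting): parse getfacl
# output and work out the access a user gets under the z/OS UNIX order of
# evaluation. Superuser (UID 0) and RACF overrides such as UNIXPRIV are out of
# scope. The getfacl text is the one shown in the post; the UIDs and group
# lists passed in below are constructed.

GETFACL_OUTPUT = """\
$ getfacl SYSTEM/etc/pagent_TTLS.conf
#file: SYSTEM/etc/pagent_TTLS.conf
#owner: 30456
#group: SYS1
user::rwx
group::r-x
other::r-x
user:DRTSTCPY:-w-
user:DREVTCPY:-w-
"""


def parse_getfacl(text):
    """Split getfacl output into base permissions and extended (named) entries."""
    acl = {"owner": None, "group": None, "base": {}, "users": {}, "groups": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("$"):          # shell prompt / blank lines
            continue
        if line.startswith("#owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("#group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line.startswith("#"):                    # "#file:" header
            continue
        else:
            kind, name, perms = line.split(":")
            if name == "":                            # user::, group::, other::
                acl["base"][kind] = perms
            else:
                acl[kind + "s"][name] = perms         # named user / group entries
    return acl


def _union(perm_strings):
    """Combine r/w/x permission strings into one (a bit is on if any entry has it)."""
    return "".join(c if any(p[i] == c for p in perm_strings) else "-"
                   for i, c in enumerate("rwx"))


def effective_perms(acl, user, uid, groups):
    """Permission string (e.g. '-w-') that applies to this user."""
    if str(uid) == acl["owner"] or user == acl["owner"]:
        return acl["base"]["user"]                    # owner bits, nothing else
    if user in acl["users"]:
        return acl["users"][user]                     # named user entry wins next
    matched = []
    if acl["group"] in groups:
        matched.append(acl["base"]["group"])          # owning group bits
    matched += [p for g, p in acl["groups"].items() if g in groups]
    if matched:
        return _union(matched)                        # all matching groups combined
    return acl["base"]["other"]


def access_report(acl, user, uid, groups):
    """What this user may do to the file itself; rename is decided elsewhere."""
    perms = effective_perms(acl, user, uid, groups)
    return {
        "perms": perms,
        "read": perms[0] == "r",
        "write": perms[1] == "w",
        "execute": perms[2] == "x",
        # Renaming is governed by the parent directory's permissions (write and
        # search there), not by the file's own ACL.
        "rename_governed_by": "parent directory",
    }


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    print(access_report(acl, "DRTSTCPY", 501, ["DRGRP"]))   # -w-: write, no read
    print(access_report(acl, "SYSPROG", 777, ["SYS1"]))     # r-x via owning group
```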
Re: z14 HMC log information
Hi Rex,

You might want to protect QUIESCE and a few other similar commands so that they can only be done at a system console and not through SDSF and the like. See article "Protect Shutdown Commands" in our RSH RACF Newsletter:

https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__January_2013.pdf

Regards, Bob

Robert S. Hansel
2021 #IBMChampion
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Wed, 24 Mar 2021 17:50:07 +
From: "Pommier, Rex"
Subject: Re: [External] Re: z14 HMC log information

Hi Radoslaw,

I knew you meant it as a joke and I took it as such. Hence my smiley face. The OPERCMDS class has several entries in it but somehow QUIESCE was missed from way back when for a specific lock down so it was allowed by a more generic profile. I checked the type 80 records and there was nothing immediately before the quiesce command was entered. O well, we figured out what happened and put security in place to minimize the possibility of it happening again, and we now know what to do if it does happen so we can get the system back up without issue and be able to find and train the guilty party.

Rex

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Radoslaw Skorupka
Sent: Wednesday, March 24, 2021 10:26 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: z14 HMC log information

Obviously the part about killing was only a poor joke, but there is some sense hidden in it. I mean it is a good idea to talk to the person who did it. Not to punish, but talk and explain and hear his/her explanations.

For a RACF admin it is quite obvious the security model should be somehow checked. Again the person can have a good explanation of the current state of protection.

Regarding traces - It is a little bit hard to test, especially without access to a mainframe ;-) but I guess SMF80 can be written just before the system freeze. Note it is a RACF security check - it happens BEFORE the command is interpreted by the system. Simpler example: when you issue CANCEL CICSABC and you don't have such a started task, you first will be checked by RACF (and maybe rejected) and then the command is really issued, and you will get an answer like "there is no such started task to cancel".

BTW: I imagined what would happen after such a case on production...

--
Radoslaw Skorupka
(looking for new job)
Lodz, Poland

On 24.03.2021 at 14:58, Pommier, Rex wrote:
> I'm going to agree with *most* of it. I don't like the part about killing
> the RACF admin. I'm not the one who initially set up the OPERCMDS security
> but I missed the fact the QUIESCE command wasn't set as "don't let anybody
> use". Hari-kari is not on my bucket list. :-)
>
> On to Radoslaw's comment about logging - it is logged, after the fact.
> QUIESCE does exactly that - it stops the LPAR in its tracks. Do not pass Go,
> do not collect $200. No z/OS logging at the time it happens. IBM hardware
> support found and reported the wait state back to us from some hardware logs
> that were forwarded to them from our CE. The z/OS logging takes place after
> the PSW restart from the HMC occurs and yes, it shows the console or user
> that executed the command. However in our case since the LPAR stopped in the
> middle of the day and we had managers breathing down our necks to get the
> system back up we didn't have time to properly diagnose until after the fact
> - which included an IPL which in turn did not allow the logging of the
> quiesce command to take place.
>
> Rex
>
> -Original Message-
> From: IBM Mainframe Discussion List On Behalf Of Carmen Vitullo
> Sent: Wednesday, March 24, 2021 8:07 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: [External] Re: z14 HMC log information
>
> agree 100%, when I tested the command on my sandbox system I see my ID in the
> syslog as the culprit :) if done from a console, then the console name is
> shown.
>
> Carmen Vitullo
>
> -Original Message-
> From: Radoslaw
> To: IBM-MAIN
> Date: Wednesday, 24 March 2021 8:01 AM CDT
> Subject: Re: z14 HMC log information
>
> IMHO there should be a trace in a syslog. Maybe that part of syslog is
>
Re: SMF Type65 - Determine who Deleted the Dataset
Hi Jasi,

You would most likely only see a RACF SMF DELRES event record for the deletion if the DATASET class is included in the SETROPTS AUDIT set of classes. If DATASET is set for AUDIT, be sure your RACFRW command specifies EVENT ALLSVC.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Thu, 31 Dec 2020 20:32:02 -0600
From: Jasi Grewal
Subject: SMF Type65 - Determine who Deleted the Dataset

Hi,

I have a situation where a user is requesting information on how his datasets got deleted. We tried using SMF and then using RACFRW to generate a report, but it is not reporting on Dataset delete although it has all other information. Is there a Tool available that one can use to read SMF type 65 and generate reports on dataset deletes? Any information would be appreciated.

Thank you in advance,

Regards,
Jasi Grewal.
Re: RACF and ICHDEX01 Exit
Hi Andy,

(cross-posted to IBM-MAIN and RACF-L)

I would strongly advise against implementing ICHDEX01 and retaining the masked passwords. If at some point you want to implement KDFAES encryption, which I recommend be your goal, having masked passwords will prevent you from doing so. You'll have to convert them to DES before you can go to KDFAES.

Rather than implementing ICHDEX01, I suggest you convert the masked passwords to DES now and be done with it. You can do so either by resetting the passwords as you have done in a few cases or converting the existing masked passwords to DES using PWDCOPY.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Mon, 10 Aug 2020 15:08:18 +
From: "Pesce, Andy"
Subject: RACF and ICHDEX01 Exit

Good morning everyone! I am going to post this over in the RACF Listserv as well.

So, I am trying to go to z/OS 2.2 and I found this APAR OA49109. I have a ton of accounts that were created many years ago that are not able to login to z/OS 2.2. Of course once I go and change the password on the account it works fine. These accounts have not had their passwords changed since the late 90's. Anyone have a sample "ICHDEX01" or can point me to a sample of that exit. I want to be able to allow these old passwords that are still using the old encryption.

Thanks in advance.
Re: SMF record
Hi Peter,

Try looking at the SMF 30, type 1, records, which you can process with RACF's SMF unload and which zSecure should also be able to report on. There might be other events shown in SYSLOG immediately before and after the ICH408I message that give some clue as to its origins. If JESINPUT and JESJOBS are active, look at associated Access Monitor records as they may provide further details.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Mon, 13 Jul 2020 22:27:53 +
From: "TenEyck, Peter"
Subject: SMF record

What SMF record and report/tool could I use to determine the point of origin for this attempted logon?

    M 008 ABCD 20180 07:40:36.85 JOB03275 0090 ICH408I USER(RACFID ) GROUP() NAME(??? ) 395
    E 395 0090 LOGON/JOB INITIATION - USER AT TERMINAL NOT RACF-DEFINED

//* Peter Ten Eyck
//* Senior Systems Programmer
//* American National
//
Re: Confirm or deny existence of old masking password?
Hi Dave,

This is most likely a masked password. If you know the password, simply reset the password for the ID to the same value. This will DES-encrypt it. Alternatively, make the ID PROTECTED, remove the password from the JOB card, and permit the Started Task SURROGAT access to the ID to submit it without a password.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Fri, 10 Jul 2020 20:33:53 +
From: "Gibney, Dave"
Subject: Confirm or deny existence of old masking password?

I believed that all our passwords were at least DES. Recently upgraded sandbox z/OS 2.1 to z/OS 2.3. Now getting:

    IRR013I VERIFICATION FAILED. INVALID PASSWORD GIVEN.

For a job submitted via an STC with userid and password on the JOB card. Works fine in z/OS 2.1.

Is there some way I can confirm that z/OS 2.3 is failing this because the password is still a "masking" password?

Cross-posted RACF-L and IBM-MAIN

Dave Gibney
Information Technology Services
Washington State University
Re: JESSPOOL
Hi Bill,

In general, users automatically get full ALTER access to their own output, so I doubt JESSPOOL is the issue. If they are attempting to delete output from within SDSF, they also need access to SDSF panels and operator commands. These are controlled by RACF profiles in the SDSF, GSDSF, and OPERCMDS classes, or if they are not protected by RACF, then by SDSF's ISFPARMS.

You can use SDSF's SECTRACE to help debug the problem. Have a user execute SET SECTRACE ON or WTP at the SDSF command line (ON sends the results to ULOG; WTP to SYSLOG). Have the user attempt to delete output. Then, assuming they specified ON, have the user execute the ULOG command to see the RACF calls and their results. This assumes the user has authority to use ULOG - SDSF class resource ISFCMD.ODSP.ULOG.jesname or the ISFPARMS equivalent.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Thu, 12 Mar 2020 20:09:24 +
From: Bill Johnson
Subject: JESSPOOL

I’m not a RACF expert and need help giving a user the ability to delete their own SDSF output. Not really sure why they don’t have it. Not my setup. Is it an easy 1 command fix or more complex?

Thanks
Re: Restrict users to Purge Jobs in TSO
Hi Gilson,

If the CONSOLE class is active, you can use conditional access permissions to limit users to cancelling jobs but only from within SDSF. This works in combination with JESSPOOL profiles, and a user requires ALTER access to the JESSPOOL profile for a job to cancel it.

    PERMIT JES2.CANCEL.BAT CLASS(OPERCMDS) ID(*) ACCESS(UPDATE) WHEN(CONSOLE(SDSF))

Users will always be allowed full ALTER access to their own output regardless of what the JESSPOOL profiles allow. You can use the Global Access Table to grant this access more efficiently.

    RDEFINE GLOBAL JESSPOOL ADDMEM(*.&RACUID.**/ALTER)
    SETROPTS GLOBAL(JESSPOOL)

If the CONSOLE class is not active and you want to activate it to use this capability, you must activate it with care as it is a default return code 8 class (no profile = no access). You could do the following.

    SETROPTS GENERIC(CONSOLE)
    RDEFINE CONSOLE ** UACC(READ)   <- Optionally add AUDIT(ALL) for future remediation
    SETROPTS CLASSACT(CONSOLE)
    SETROPTS RACLIST(CONSOLE)       <- Optional, but recommended for performance

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Tue, 18 Feb 2020 06:56:22 -0600
From: Gilson Cesar de Oliveira
Subject: Restrict users to Purge Jobs in TSO

Hello:

Does anyone know how to restrict the option to purge sysouts in JES2 Spool through TSO (SDSF) but only the jobs which the user is the owner of? We have profiles in OPERCMDS class like JES2.CANCEL.BAT and we would like to restrict the purge option only for sysouts generated by userA. UserB should not have the permission to purge jobs from UserA.
Thanks in advance for any help.

Regards,
Gilson Cesar
Re: Rexx or similar to clone a RACF user?
Ituriel,

Very clever. However, I recommend using the 0203 record for group connections instead of the 0102 record. If the user is connected to a UNIVERSAL group, there won't be a 0102 record unless the user has an authority greater than USE.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAR 23-27, 2020
- RACF Level I Administration - APR 27 - MAY 1, 2020
- RACF Level II Administration - APR 6-10, 2020
- RACF Level III Admin, Audit, & Compliance - MAR 9-13, 2020
- RACF - Securing z/OS UNIX - FEB 10-14, 2020

-Original Message-
Date: Mon, 27 Jan 2020 17:39:29 +
From: ITURIEL DO NASCIMENTO NETO
Subject: RES: Rexx or similar to clone a RACF user?

Hi,

In the past I've developed a small ICETOOL that uses output from IRRDBU00 to clone a USERID. Here follows the JCL:

//TSL1USER JOB (),CLASS=S,MSGCLASS=T,MSGLEVEL=(1,1),
//         COND=(0,NE),
//         REGION=0M,NOTIFY=&SYSUID
//*
//* CLONE RACF USERID
//*
//* CHANGE "USERID" TO YOUR USERID TO BE COPIED
//*
//         EXEC RACFCLON,DBU=AT.UNLOAD.RACF
//SEPARA.SYSIN DD *
  OPTION COPY,VLSHRT,SPANINC=RC0
* SELECT THE UNLOAD RECORDS FOR THE USER; POSITIONS INCLUDE THE 4-BYTE RDW
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0200',AND,
                  010,8,CH,EQ,C'USERID'),FILES=1,
         CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0220',AND,
                  010,8,CH,EQ,C'USERID'),FILES=2,
         CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0270',AND,
                  010,8,CH,EQ,C'USERID'),FILES=3,
         CONVERT,OUTREC=(5,1100),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0102',AND,
                  019,8,CH,EQ,C'USERID'),FILES=4,
         CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0404',AND,
                  062,8,CH,EQ,C'USERID'),FILES=5,
         CONVERT,OUTREC=(5,300),VLFILL=C' '
  OUTFIL INCLUDE=(005,4,CH,EQ,C'0505',AND,
                  266,8,CH,EQ,C'USERID'),FILES=6,
         CONVERT,OUTREC=(5,300),VLFILL=C' '
//*
//* PROCEDURE RACFCLON (CATALOGED, OR PLACED IN-STREAM AHEAD OF THE EXEC ABOVE)
//*
//RACFCLON PROC DBU=
//*
//* FILTER RECORDS
//*
//SEPARA   EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&DBU,DISP=SHR
//SORTOF1  DD DSN=&&REG200,DISP=(,PASS),
//         UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF2  DD DSN=&&REG220,DISP=(,PASS),
//         UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF3  DD DSN=&&REG270,DISP=(,PASS),
//         UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF4  DD DSN=&&REG102,DISP=(,PASS),
//         UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF5  DD DSN=&&REG404,DISP=(,PASS),
//         UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//SORTOF6  DD DSN=&&REG505,DISP=(,PASS),
//         UNIT=(3390),SPACE=(CYL,(1,10),RLSE)
//*
//* BUILD ADDUSER FROM THE 0200 (USER BASIC DATA) RECORD
//*
//ADDUSER  EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&&REG200,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTFIL OUTREC=(C' ADDUSER ',
         06,8,C' OWNER(',26,8,C') DFLTGRP(',096,8,C') + ',/,
         C' PASSWORD(',06,8,C') ',
         C'NAME(''',75,20,C''')')
  END
//*
//* BUILD ALTUSER TSO(...) FROM THE 0220 (USER TSO DATA) RECORD
//*
//ALTUTSO  EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&&REG220,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTFIL OUTREC=(C' ALTUSER ',
         06,8,C' TSO(PROC(',150,8,C') ',
         C' ACCTNUM(',15,8,C') + ',/,
         C' SIZE(',159,8,C') ',
         C' MAXSIZE(',172,10,C') ',
         C' UNIT(',205,8,C'))')
  END
//*
//* BUILD ALTUSER OMVS(...) FROM THE 0270 (USER OMVS DATA) RECORD
//*
//ALTUOMVS EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&&REG270,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTREC FIELDS=(C' ALTUSER ',
         06,8,C' OMVS(UID(',15,10,C') ',
         C' HOME(',26,10,C') ',
         C' PROGRAM(',1050,8,C') )')
  END
//*
//* BUILD CONNECT FROM THE 0102 (GROUP MEMBER) RECORDS
//*
//CONNECT  EXEC PGM=SORT
//SYSOUT   DD DUMMY
//SORTIN   DD DSN=&&REG102,DISP=SHR
//SORTOUT  DD SYSOUT=*
//SYSIN    DD *
  SORT FIELDS=COPY
  OUTREC FIELDS=(C' CONNECT ',
         15,8,C'GROUP(',06,8,C') ',
         C'OWNER(',06,8,C') ',
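The record-selection logic above, reworked as an added example in Python (not code from the thread or from IBM): it builds the ADDUSER and CONNECT commands from constructed IRRDBU00-style records and shows why Bob's advice to take connections from the 0203 record matters. The 0200 and 0102 column positions are the ones the ICETOOL uses; the 0203 positions (user at column 6, group at column 15) are assumed from the IRRDBU00 record layout and should be checked against your release's documentation.

```python
"""Clone a RACF user from IRRDBU00 unload records (added example, not the
thread's ICETOOL or any IBM code)."""
from typing import Iterable, List


def field(rec: str, col: int, length: int) -> str:
    """Return the blank-stripped field starting at 1-based column `col`."""
    return rec[col - 1:col - 1 + length].strip()


def make_record(*fields) -> str:
    """Build a fixed-column record from (column, value) pairs (test data only)."""
    rec = ""
    for col, val in fields:
        rec = rec.ljust(col - 1) + val
    return rec


def clone_commands(records: Iterable[str], source: str, target: str,
                   connects_from: str = "0203") -> List[str]:
    """Emit the ADDUSER and CONNECT commands that recreate `source` as `target`.

    connects_from chooses which unload record supplies the group list:
      "0203" user connect data: one record per connection the user holds
      "0102" group member data: what the thread's ICETOOL selects; a USE
             connection to a UNIVERSAL group has no 0102 record, so it is missed
    The initial password is deliberately not copied from the source ID.
    """
    if connects_from not in ("0102", "0203"):
        raise ValueError("connects_from must be '0102' or '0203'")
    adduser = None
    dfltgrp = ""
    groups: List[str] = []
    for rec in records:
        rtype = field(rec, 1, 4)
        if rtype == "0200" and field(rec, 6, 8) == source:
            owner = field(rec, 26, 8)        # USBD_OWNER_ID
            name = field(rec, 75, 20)        # USBD_PROGRAMMER
            dfltgrp = field(rec, 96, 8)      # USBD_DEFGRP_ID
            adduser = (f"ADDUSER {target} OWNER({owner}) "
                       f"DFLTGRP({dfltgrp}) NAME('{name}')")
        elif (connects_from == "0102" and rtype == "0102"
              and field(rec, 15, 8) == source):
            groups.append(field(rec, 6, 8))   # GPMEM_NAME
        elif (connects_from == "0203" and rtype == "0203"
              and field(rec, 6, 8) == source):
            groups.append(field(rec, 15, 8))  # USCON_GRP_ID (assumed column)
    if adduser is None:
        raise ValueError(f"no 0200 record for {source}")
    # ADDUSER already connects the new user to DFLTGRP; CONNECT the rest.
    cmds = [adduser]
    for grp in groups:
        if grp != dfltgrp:
            cmds.append(f"CONNECT {target} GROUP({grp}) OWNER({grp})")
    return cmds


# Constructed sample unload: USERID is in DEPTGRP (its default group) and in
# UNIVGRP, a UNIVERSAL group, with USE authority, so UNIVGRP has no 0102 record.
SAMPLE_UNLOAD = [
    make_record((1, "0200"), (6, "USERID"), (15, "2020-01-27"), (26, "SECADM"),
                (75, "JANE DOE"), (96, "DEPTGRP")),
    make_record((1, "0200"), (6, "OTHERID"), (26, "SECADM"),
                (75, "SOMEONE ELSE"), (96, "DEPTGRP")),
    make_record((1, "0102"), (6, "DEPTGRP"), (15, "USERID"), (24, "USE")),
    make_record((1, "0102"), (6, "DEPTGRP"), (15, "OTHERID"), (24, "USE")),
    make_record((1, "0203"), (6, "USERID"), (15, "DEPTGRP")),
    make_record((1, "0203"), (6, "USERID"), (15, "UNIVGRP")),
    make_record((1, "0203"), (6, "OTHERID"), (15, "DEPTGRP")),
]

if __name__ == "__main__":
    for source_type in ("0102", "0203"):
        print(f"--- connections taken from {source_type} records")
        for cmd in clone_commands(SAMPLE_UNLOAD, "USERID", "NEWID", source_type):
            print(cmd)
```

Run it against a real unload only after confirming the 0203 offsets; the 0102 path reproduces the thread's ICETOOL and silently drops the UNIVGRP connection.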
Re: RACEOUTE REQUEST=RESUME ?
Paul,

Is there a reason this has to be done in Assembler? Using TSO batch, you could simply execute the command:

ALTUSER userid RESUME

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - MAR 23-27, 2020
- RACF Level I Administration - APR 27 - MAY 1, 2020
- RACF Level II Administration - APR 6-10, 2020
- RACF Level III Admin, Audit, & Compliance - MAR 9-13, 2020
- RACF - Securing z/OS UNIX - FEB 10-14, 2020

-Original Message-
Date: Tue, 17 Dec 2019 21:39:01 GMT
From: "esst...@juno.com"
Subject: RACEOUTE REQUEST=RESUME ?

Hello. I'm not a RACF person.

I am looking at the RACROUTE macro, and don't see a RACROUTE REQUEST=RESUME option.

I would like to resume an end user's password by submitting a job. Can this be accomplished by using RACROUTE macros or another Assembler interface?

Any examples would be appreciated.

Paul D'Angelo

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Tracing RACF?
Sean,

Deleting datasets from non-SMS managed volumes without dataset access authority (assuming the datasets are protected by DATASET profiles to which the users do not have ALTER access) may be DASDVOL authorization. See if your users have ALTER access to DASDVOL profiles corresponding to your DASD volsers. DASDVOL also honors OPERATIONS authority, so ensure the non-admin users don't have this authority.

See article "RACF SMF Tidbits" in the July 2016 edition of our RACF Tip newsletter.
https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__July_2016.pdf

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Tue, 1 Oct 2019 11:10:21 +0100
From: Sean Gleann
Subject: Re: Tracing RACF?

Joao: yes, I have tried that, but it really doesn't give the information that I want - I can see the monitored user creating and deleting files, but I don't see anything about the RACF profiles that were used.

Having said that, I have managed to move things along. The situation I now have is that an 'ordinary' user of my system(s) - as opposed to an 'administrator' user (there are three of us at this site) - cannot update the MCAT, so creating files that do not have the user's id as the first qualifier is now impossible. 'Administrators', on the other hand, can create and delete files at will. All of which is OK as far as I'm concerned.

But (there's always a 'but'...) If an admin user creates a file named 'TEST' (for instance), the file is not covered by my SMS rules, and so it gets placed on one of the 5 non-SMS-controlled disks that my PARMLIB(VATLSTxx) member identifies as being mounted 'PRIVATE'. I'd rather that didn't happen, but we're talking about an 'admin'-type user here, and they're supposed to know what they're doing, so things are OK up to this point.

But now it appears that a non-admin user can delete the file, but not uncatalog it. The file disappears from the selected disk's VTOC, but the MCAT entry remains since the user is not allowed to update the MCAT. If this is allowed to continue I'll end up with an MCAT full of orphan entries.

As I say, I've managed to move things along a bit, so my original query about 'Tracing RACF' is no longer an issue. Right now, I'm trying to improve my system's security so that users can create/delete their own files, but cannot do that to anyone else's, nor to files that are not covered by SMS.

Regards
Sean

On Tue, 1 Oct 2019 at 04:24, Jon Perryman wrote:
> On Wednesday, September 25, 2019, 07:34:05 AM PDT, Allan Staller <allan.stal...@hcl.com> wrote:
>
> > That is not considered a good practice in RACF circles. The best practice would be:
> > MCAT - UACC(NONE) READ(*) ALTER(sysprogs) (note: No update access except via sysprogs)
>
> Any system where the master catalog is not tightly controlled is at great risk and could become unusable. Any user can delete any alias in this environment. Potentially DB2, CICS, IMS or any number of important aliases could be lost.
>
> It's been many years since I've done anything with security. I believe at that time, IDCAMS DELETE NOSCRATCH for non-sms datasets was not controlled because it was only catalog services and no actual I/O was occurring. Has this problem been fixed? If not, then anyone can uncatalog sys1.linklib or sys1.lpalib thus causing the IPL to fail.
>
> Why aren't aliases created at the same time as the User? Additionally, data is out of control on your system. The RACF admin has not reviewed the security implication for aliases.
>
> Jon.
Re: Tracing RACF?
Allan,

Replacing UACC with ID(*) access is not best practice in every case. If, as Tom suggested, you put entries in the Global Access Table (GAT) for the catalogs, as I too would recommend, such entries allow the equivalent of UACC access. To ensure consistency, I prefer to set profile UACCs to match the access granted by corresponding GAT entries.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Wed, 25 Sep 2019 14:33:40 +
From: Allan Staller
Subject: Re: Tracing RACF?

That is not considered a good practice in RACF circles. The best practice would be:

MCAT - UACC(NONE) READ(*) ALTER(sysprogs) (note: No update access except via sysprogs)
UCAT - UACC(NONE) UPDATE(*) ALTER(sysprogs)

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Tom Conley
Sent: Wednesday, September 25, 2019 9:29 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Tracing RACF?

On 9/25/2019 9:57 AM, Joao Bentes wrote:
> Hi,
>
> If memory serves me right, as long as you have ALTER to the dataset, you need update to the catalog in order to create it, but you do not need any access to the catalog in order to delete it.
>
> Best Regards
>
> "Do the difficult things while they are easy and do the great things while they are small. A journey of a thousand miles must begin with a single step."
> Laozi
>
> From: Sean Gleann
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 2019-09-25 12:06
> Subject: [EXTERNAL] Tracing RACF?
> Sent by: IBM Mainframe Discussion List
>
> Following a set of somewhat distressing events here, I discovered - the hard way - that our master catalog was poorly protected, and so I now have to fix it. The situation is that all users of my system can create, read, write, update, delete files that are cataloged in the MasterCat.
>
> The original intention was that each user-id is defined in the MCat as an alias that points to one of several User Catalogs, depending on the user's 'department' within the company. That way, user id 'X1' creates 'X1.TEST', and it gets cataloged in a UCAT.
>
> So far, so good.
>
> Now I've found that if 'X1' creates file 'TEST1', it gets cataloged in the MCAT. In order to prevent this, I've used existing information to act as a model for permit 'MASTERV.CATALOG' generic id(X1) access(read) and specified that.
>
> Now, if user X1 tries to create 'X1.TEST', the result is a RACF authorisation failure.
>
> Again, so far, so good
>
> Taking the test a bit further though, I've now found that user X1 is allowed to delete file 'TEST1' from the MCat!
>
> My conclusion so far is that X1 must be getting the required access rights from another user id/group/etc, but I can't see anything apposite in any examination I do of the RACF rules (I use output from the DBSYNC Rexx procedure for this).
>
> So... Can anyone spot my error and suggest a different 'permit' command, please?
> Alternatively, I looked at the idea of tracing RACF activity on behalf of a specific user with SET TRACE(USERID(X1)) - but I can't see where generated output goes to nor how to interrogate it. I *have* seen mention of using GTF for this purpose, along with IPCS, but my experience with both those tools is so limited that I didn't look much further in those references - skipped on past them, looking for other possibilities but not finding any.
>
> Any help gratefully appreciated
> Sean
>

If you're the owner of the dataset, you will get the authority to delete the catalog entry. You should have your master cat set up with UACC(READ) and all your usercats with UACC(UPDATE). Put them in the global access table for a nice performance boost. Only allow update and alter to the master cat and alter for usercats to your catalog administrators. Good luck.

Regards,
Tom Conley
RSH Consulting - RACF Survey - June 2019 - Performance - ERV
Greetings all,

Those of you who do not participate in RACF-L and are not familiar with RSH's monthly RACF surveys might be interested in the results of our most recent survey on PARMLIB(IEAOPTxx) ERV Enqueue Residency parameter settings, since it affects more than just RACF. The results of our survey have been posted to our website. Go to the "RACF Center" webpage, click on "RSH RACF Surveys", and then click on the survey link itself. Many thanks to the 39 individuals who participated.

www.rshconsulting.com

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
Re: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?
Clark,

The answer to your original question is 'yes'. With regard to FDR, see the following article in our RACF Tips newsletter.
https://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__January_2008.pdf

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 23-27, 2019
- RACF Level I Administration - DEC 9-13, 2019
- RACF Level II Administration - NOV 18-22, 2019
- RACF Level III Admin, Audit, & Compliance - NOV 4-8, 2019
- RACF - Securing z/OS UNIX - SEPT 9-13, 2019

-Original Message-
Date: Tue, 7 May 2019 09:26:58 -0300
From: Clark Morris
Subject: Can backup mechanisms be used to steal RACF database? was Re: mainframe hacking "success stories"?

[Default] On 6 May 2019 20:10:27 -0700, in bit.listserv.ibm-main 0047540adefe-dmarc-requ...@listserv.ua.edu (Bill Johnson) wrote:

> In most shops only 2 people have the required access to the RACF database.
>
Could someone use DF/DSS, DF/HSM, FDR or FDR/ABR to copy the database and then download the dump of the database?

Clark Morris
(snip)
Re: Dancing around RMM
Skip,

Rather than trying to read the tapes, since you are discarding them, use EDGINERS to erase them.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Thu, 20 Dec 2018 19:36:13 +
From: Jesse 1 Robinson
Subject: Re: Dancing around RMM

By way of update, after studying everyone's suggestions, I ran the job with this DD:

//TAPEIN DD UNIT=(TAPECR,,DEFER),
// LABEL=(EXPDT=98000),
// VOL=SER=(nn),
// DISP=(OLD,KEEP)

and got pretty much the same result:

IEF403I TAPEANAL - STARTED - TIME=14.37.42
IEC501A M , nn,BLP,,TAPEANAL,FATAR
EDG4020I VOLUME nn REJECTED BY INSTALLATION REJECT DEFINITIONS
EDG4006E VOLUME nn ON REJECTED FOR USE BY TAPEANAL, FATAR, TAPEIN, OPEN REQUEST FAILED BY DFSMSrmm
IEC502E R ,, ,,TAPEANAL,FATAR
IEC145I 413-08,IFG0194K,TAPEANAL,FATAR,TAPEIN,,, 015
SYS18353.T143742.RA000.TAPEANAL.R0161338
IEA995I SYMPTOM DUMP OUTPUT 016
SYSTEM COMPLETION CODE=413 REASON CODE=0008

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office ⇐=== NEW
robin...@sce.com

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Allan Staller
Sent: Thursday, December 20, 2018 5:48 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Dancing around RMM

IIRC, there is some RACF work needed to support BLP.

-Original Message-
From: IBM Mainframe Discussion List On Behalf Of Jesse 1 Robinson
Sent: Wednesday, December 19, 2018 3:54 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Dancing around RMM

We want to discard some very old tapes after making sure there's nothing of value on them. When we run Innovation FATAR to analyze them, the jobs fail with messages like those below using JCL like this:

//TAPEIN DD UNIT=TAPECR,LABEL=(,BLP),
// DISP=OLD,VOL=SER=(nn)

There's a whole slew of STGADMIN profiles in FACILITY class that allow the user to get around 'irregularities', but we can't seem to find one that would allow this usage. The tapes are not defined to RMM. We just want to know what's on the tapes before the trash truck pulls out of the loading dock.

EDG4025I VOLUME nn REJECTED. READING OF SCRATCH VOLUMES OR VOLUMES OBTAINED WITH GETVOLUME IS NOT PERMITTED
EDG4006E VOLUME nn ON REJECTED FOR USE BY FATARAN1, FATAR, TAPEIN, OPEN REQUEST FAILED BY DFSMSrmm
IEC502E R ,, ,,FATARAN1,FATAR
IEC145I 413-08,IFG0194K,FATARAN1,FATAR,TAPEIN,,,
SYS18352.T164910.RA000.FATARAN1.R0140502

.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-543-6132 Office <= NEW
robin...@sce.com
Re: Strange JES2 SPOOL Offload issue
Todd,

In RACF, if the WRITER class is active, is the UACC set to READ for the profile protecting resource jesname.LOCAL.OFF2.ST, where 'jesname' is the name of your JES subsystem?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
- RACF Level I Administration - DEC 4-7, 2018
- RACF Level II Administration - NOV 5-9, 2018
- RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
- RACF - Securing z/OS UNIX - OCT 22-26, 2018

-Original Message-
Date: Thu, 13 Sep 2018 09:05:40 -0500
From: Todd Burrell
Subject: Strange JES2 SPOOL Offload issue

I'm playing around with JES2 SPOOL OFFLOAD on our test system and I want to be able to try and offload everything from the spool to test out timing. I have changed both of my transmitters to have DISP=KEEP to make the offload non-destructive. However, once I start the offload it does not select anything, and when I try and do $TOFF2.ST,WS=(/), JES2 just ignores this and keeps the same selection criteria I had before I did the command? I have everything else pretty much blanked out for selection criteria, but for some reason JES2 ignores my $TOFF command to change the WS settings? Has anyone else ever seen this just get ignored? I don't see any automation grabbing this, nor do I see any RACF error messages. The command just simply is being ignored by JES2? We are on z/OS 2.2 around RSU1802.

Here's the $DOFF2.ST command output:

OFF2.ST STATUS=INACTIVE,CREATOR=,DISP=KEEP,
        OUTDISP=(WRITE,HOLD,KEEP),HOLD=,
        JOBNAME=,NOTIFY=NO,RANGE=(J1,99),
        ROUTECDE=(),START=YES,VOLUME=(,,,),
        WS=(OUTD,Q/),BURST=,FCB=,FLASH=,
        FORMS=(,,,),LIMIT=(0,*),PLIM=(0,
        *),PRMODE=(),QUEUE=,UCS=,WRITER=

Here's the attempt at the $TOFF2.ST,WS=(/) command:

$TOFF2.ST,WS=(/)
$HASP886 OFF2.ST 694
$HASP886 OFF2.ST STATUS=INACTIVE,CREATOR=,DISP=KEEP,
$HASP886         OUTDISP=(WRITE,HOLD,KEEP),HOLD=,
$HASP886         JOBNAME=,NOTIFY=NO,RANGE=(J1,99),
$HASP886         ROUTECDE=(),START=YES,VOLUME=(,,,),
$HASP886         WS=(OUTD,Q/),BURST=,FCB=,FLASH=,
$HASP886         FORMS=(,,,),LIMIT=(0,*),PLIM=(0,
$HASP886         *),PRMODE=(),QUEUE=,UCS=,WRITER=

Anyone have any ideas? This one is puzzling to me?

Thanks
Re: Yet Another Mainframe z10 Bites the Dust!
Todd,

Unfortunately, ERASE only works on DASD datasets. It doesn't do tapes, even virtual ones. Clever idea nonetheless.

George,

Does your tape management product or VTL hardware vendor provide utilities for this task?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
- RACF Level I Administration - DEC 4-7, 2018
- RACF Level II Administration - NOV 5-9, 2018
- RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
- RACF - Securing z/OS UNIX - OCT 22-26, 2018

-Original Message-
Date: Thu, 13 Sep 2018 15:32:31 +
From: "Burrell, Todd"
Subject: Re: Yet Another Mainframe z10 Bites the Dust!

Not sure if turning on ERASE on SCRATCH in RACF - and then deleting the datasets would work? Just a thought?

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of George Rodriguez
Sent: Thursday, September 13, 2018 11:16 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Yet Another Mainframe z10 Bites the Dust!

The School District of Palm Beach County is finally shutting down the IBM z10 and all its components. I was wondering if any member of the listserv can help me with "wiping out" our VTL. Any help will be greatly appreciated. Thanks!

George Rodriguez
Specialist II - IT Security
PX - 47652
(561) 357-7652 (office)
(954) 415-7586 (mobile)
School District of Palm Beach County
3348 Forest Hill Blvd.
Room B-332
West Palm Beach, FL. 33406-5869
Florida's Only A-Rated Urban District
Re: Filemanager and security
Hi Rex,

It is beginning to appear as if it is WAD. You might try putting UAUDIT on your ID and accessing a tape using FM to see if any other profiles are being checked that could provide a control point. Do you have a full set of CA-1 profiles with external security turned on?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
*** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Mon, 16 Apr 2018 18:22:32 +
From: "Pommier, Rex"
Subject: Re: [External] Re: Filemanager and security

Hi Bob,

Sorry for the delay. RACF is showing "TAPE DATA SET PROTECTION IS ACTIVE". CA-1 won't allow me to browse the tape using FM if I shrink the DSN or change it to something other than what is recorded in TMS. ICHBLP is defined with UACC(NONE) and no users in the access list.

Thanks,
Rex

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Robert S. Hansel (RSH)
Sent: Friday, April 13, 2018 5:30 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: Filemanager and security

Hi Rex,

How have you activated tape protection in your environment - SETROPTS, PARMLIB(DEVSUPxx), or a Tape Management product option? What Tape Management product do you have? Not that this may matter, but does your ID have READ access to FACILITY ICHBLP or your Tape Management product's equivalent? If it does, have you tried the function with an ID that does not have this access?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
*** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Thu, 12 Apr 2018 13:08:16 +
From: "Pommier, Rex"
Subject: Re: [External] Re: Filemanager and security

Hi Kolusu,

Unfortunately that doesn't do it. According to the FileManager documentation - which I verified on my system - granting any kind of access (read, update, alter, it doesn't matter) either grants you access to the function or denies it (access=none). For example, if I grant READ access to FILEM.TAPE.OUTPUT, I have access to update tapes. Likewise if I grant ALTER access to FILEM.TAPE.INPUT, all that gives me access to is tape browse type functions like tape browse and tape label display. These are just toggles to the function within FileManager.

The problem that I am running into is that, for example, if I have 2 production datasets on tape, one with GL information and the other with the payroll information on it, and I need to grant an accountant access to the GL information but not the payroll, it appears that I can't. It looks like FileManager doesn't check dataset level access. Once I grant access to FILEM.TAPE.INPUT, a user can browse data on any tape on the system, regardless of whether they have access at a dataset level or not. I'm hoping I just have something set wrong, but I can't seem to get FileManager to look at dataset level RACF protection on tapes.

As I mentioned earlier, I have a mixed GDG, with some generations on disk and others on tape. If I grant an ID access to the TB function, whether through FILEM.FUNCTION.TB or through the grouping profile FILEM.TAPE.INPUT, I can look at the data on the tape, even though I can't look at the other generation that's on disk through FileManager.

Test I just reran this morning. GDG with 5 generations, 4 on disk, 1 on tape.

ISPF edit on one of the disk based generations: I got RACF security violation, ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Filemanager option 2 edit on the same generation as ISPF: ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Filemanager option 4.1, Tape Browse: FILEM.FUNCTION.TB CL(FACILITY) ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

Change FILEM.FUNCTION.TB to give me READ access to the FACILITY profile.

Filemanager option 4.1: I got access to browse the data.
Filemanager option 2 with the tape generation: I got access.

Looks like it's time for a question to IBM FM folks to see if this is WAD. In my mind, this is a security hole.

Rex

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Sri h Kolusu
Sent: Monday, April 09, 2018 4:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: Filemanager and security

Pommier Rex,

I believe you need to update the following functions

FILEM.TAPE.INPUT     Tape input functions
FILEM.TAPE.OUTPUT    Tape output functions
FILEM.TAPE.DUPLICATE Tape copy functions
FILEM.TAPE.UPDATE    Tape update functions

If you are only allowing browse function of the tape dataset then you need to do something like this

PERMIT FILEM.TAPE.INTPUT CLASS(
Re: Filemanager and security
Hi Rex,

How have you activated tape protection in your environment - SETROPTS, PARMLIB(DEVSUPxx), or a Tape Management product option? What Tape Management product do you have? Not that this may matter, but does your ID have READ access to FACILITY ICHBLP or your Tape Management product's equivalent? If it does, have you tried the function with an ID that does not have this access?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
*** Celebrating our 25th Year ***
617-969-8211
www.linkedin.com/in/roberthansel
https://twitter.com/RSH_RACF
www.rshconsulting.com

-Original Message-
Date: Thu, 12 Apr 2018 13:08:16 +
From: "Pommier, Rex"
Subject: Re: [External] Re: Filemanager and security

Hi Kolusu,

Unfortunately that doesn't do it. According to the FileManager documentation - which I verified on my system - granting any kind of access (read, update, alter, it doesn't matter) either grants you access to the function or denies it (access=none). For example, if I grant READ access to FILEM.TAPE.OUTPUT, I have access to update tapes. Likewise if I grant ALTER access to FILEM.TAPE.INPUT, all that gives me access to is tape browse type functions like tape browse and tape label display. These are just toggles to the function within FileManager.

The problem that I am running into is that, for example, if I have 2 production datasets on tape, one with GL information and the other with the payroll information on it, and I need to grant an accountant access to the GL information but not the payroll, it appears that I can't. It looks like FileManager doesn't check dataset level access. Once I grant access to FILEM.TAPE.INPUT, a user can browse data on any tape on the system, regardless of whether they have access at a dataset level or not. I'm hoping I just have something set wrong, but I can't seem to get FileManager to look at dataset level RACF protection on tapes.

As I mentioned earlier, I have a mixed GDG, with some generations on disk and others on tape. If I grant an ID access to the TB function, whether through FILEM.FUNCTION.TB or through the grouping profile FILEM.TAPE.INPUT, I can look at the data on the tape, even though I can't look at the other generation that's on disk through FileManager.

Test I just reran this morning. GDG with 5 generations, 4 on disk, 1 on tape.

ISPF edit on one of the disk based generations: I got RACF security violation, ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Filemanager option 2 edit on the same generation as ISPF: ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
Filemanager option 4.1, Tape Browse: FILEM.FUNCTION.TB CL(FACILITY) ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

Change FILEM.FUNCTION.TB to give me READ access to the FACILITY profile.

Filemanager option 4.1: I got access to browse the data.
Filemanager option 2 with the tape generation: I got access.

Looks like it's time for a question to IBM FM folks to see if this is WAD. In my mind, this is a security hole.

Rex

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Sri h Kolusu
Sent: Monday, April 09, 2018 4:21 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: [External] Re: Filemanager and security

Pommier Rex,

I believe you need to update the following functions

FILEM.TAPE.INPUT     Tape input functions
FILEM.TAPE.OUTPUT    Tape output functions
FILEM.TAPE.DUPLICATE Tape copy functions
FILEM.TAPE.UPDATE    Tape update functions

If you are only allowing browse function of the tape dataset then you need to do something like this

PERMIT FILEM.TAPE.INTPUT CLASS(FACILITY) ID(userid) ACCESS(READ)

Check this link which explains in detail about the function
https://www.ibm.com/support/knowledgecenter/en/SSXJAV_13.1.0/com.ibm.filemanager.doc_13.1/cust/secracf.html

Thanks,
Kolusu

IBM Mainframe Discussion List wrote on 04/09/2018 12:10:19 PM:

> From: " SH19-8163-00, Rex"
> To: IBM-MAIN@LISTSERV.UA.EDU
> Date: 04/09/2018 12:11 PM
> Subject: Filemanager and security
> Sent by: IBM Mainframe Discussion List
>
> Hello list,
>
> I've been poring through the FileManager manuals and either am missing something or it doesn't exist regarding security. We're running FM 13.1 under ISPF so non-APF authorized. I needed to grant the capability for browsing tape datasets to a developer. I did this granting READ access to FILEM.FUNCTION.TB. This granted the access to the tape browse function. However, it appears that FileManager bypasses dataset name SAF checking if the user has access to the TB function. To wit: a particular GDG has a mix of tape and disk generations. I specifically denied access to this GDG to my ID. I get a RACF violation when trying to browse the disk based gen
Re: Problem with dataset authorization
Hi Keith,

No REFRESH should be necessary. The developers are running batch jobs, and every job will get a fresh copy of the Generic dataset profiles.

Others raised the issue of Enhanced Generic Naming (EGN). It appears Ron's system has NOEGN. I don't believe this is a factor in this case as it has no effect on the behavior of a fully-qualified Generic dataset profile.

Regards, Bob

-Original Message-
Date: Thu, 15 Mar 2018 07:00:31 -0400
From: Keith Smith
Subject: Re: Problem with dataset authorization

Replies are, of course, assuming that a REFRESH was done. If you are new to RACF some changes require the "in memory" copy to be refreshed before the change takes effect.

On Thu, Mar 15, 2018 at 6:05 AM, Robert S. Hansel (RSH) <r.han...@rshconsulting.com> wrote:

> Hi Ron,
>
> Here are a couple of thoughts.
>
> When you created the profile MAC.JSF40.TEMP.JOBHIST, did you define it as a Discrete profile (protects a single dataset by this name on a specific VOLSER) or as a fully-qualified Generic profile (protects any dataset by this name on any VOLSER)? If the latter, a (G) will appear next to the profile when you list it. If it's a Discrete, try deleting and recreating it as a Generic. To do so, you'll need to add the keyword GENERIC to the ADDSD command.
>
> Are the developers attempting to access the dataset via a z/OS system that has a different RACF database than the one where you created the profile?
>
> Regards, Bob
>
> Robert S. Hansel
> Lead RACF Specialist
> RSH Consulting, Inc.
> *** Celebrating our 25th Year ***
> 617-969-8211
> www.linkedin.com/in/roberthansel
> https://twitter.com/RSH_RACF
> www.rshconsulting.com
>
> Upcoming RSH RACF Training - WebEx
> - RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
> - RACF Level I Administration - APR 10-13, 2018 ** Date Change **
> - RACF Level II Administration - JUN 4-8, 2018
> - RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
> - RACF - Securing z/OS UNIX - APR 23-27, 2018
>
> -Original Message-
> Date: Wed, 14 Mar 2018 23:32:49 +
> From: "McCabe, Ron"
> Subject: Problem with dataset authorization
>
> Hello List,
>
> I'm having a problem where one of my developers is getting "INSUFFICIENT ACCESS AUTHORITY" on a dataset that I have defined in RACF and the issue is that it is reporting on the generic definition.
>
> I have defined in RACF a generic dataset definition of MAC.* (this definition has a UACC of READ and only a couple of groups have update access), I also have defined a complete dataset name of MAC.JSF40.TEMP.JOBHIST (this definition has a UACC of READ and allows update access for my developers). When my developers run a job that wants to update the MAC.JSF40.TEMP.JOBHIST dataset they get the "INSUFFICIENT ACCESS AUTHORITY" FROM MAC.* (G).
>
> Why isn't the system checking for the complete dataset which is the way I thought RACF was supposed to work?
>
> Thanks,
> Ron McCabe
> Mutual of Enumclaw
>

--
Keith Smith
Engineer-Enterprise Sys Sr.-IT Capacity & Performance
Shaw Industries Inc.
Subsidiary of Berkshire Hathaway
616 E Walnut Ave
Mail Drop 072-04
Dalton, GA 30721
Email: keith.sm...@shawinc.com
Office: 706.532.3244
Please consider the environment before printing.
Re: Problem with dataset authorization
Hi Ron,

Here are a couple of thoughts.

When you created the profile MAC.JSF40.TEMP.JOBHIST, did you define it as a Discrete profile (protects a single dataset by this name on a specific VOLSER) or as a fully-qualified Generic profile (protects any dataset by this name on any VOLSER)? If the latter, a (G) will appear next to the profile when you list it. If it's a Discrete, try deleting and recreating it as a Generic. To do so, you'll need to add the keyword GENERIC to the ADDSD command.

Are the developers attempting to access the dataset via a z/OS system that has a different RACF database than the one where you created the profile?

Regards, Bob

Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. *** Celebrating our 25th Year *** 617-969-8211 www.linkedin.com/in/roberthansel https://twitter.com/RSH_RACF www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
- RACF Level I Administration - APR 10-13, 2018 ** Date Change **
- RACF Level II Administration - JUN 4-8, 2018
- RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
- RACF - Securing z/OS UNIX - APR 23-27, 2018

-Original Message-
Date:Wed, 14 Mar 2018 23:32:49 + From:"McCabe, Ron" Subject: Problem with dataset authorization

Hello List,

I'm having a problem where one of my developers is getting "INSUFFICIENT ACCESS AUTHORITY" on a dataset that I have defined in RACF and the issue is that it is reporting on the generic definition.

I have defined in RACF a generic dataset definition of MAC.* (this definition has a UACC of READ and only a couple of groups have update access), I also have defined a complete dataset name of MAC.JSF40.TEMP.JOBHIST (this definition has a UACC of READ and allows update access for my developers). When my developers run a job that wants to update the MAC.JSF40.TEMP.JOBHIST dataset they get the "INSUFFICIENT ACCESS AUTHORITY" FROM MAC.* (G).

Why isn't the system checking for the complete dataset which is the way I thought RACF was supposed to work?

Thanks, Ron McCabe Mutual of Enumclaw

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
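To make the discrete-versus-generic distinction in the reply above concrete, here is an added toy model of how RACF picks a DATASET profile and then checks access. It is editor-supplied example code, not anything from RACF, IBM or the posters, and it is deliberately simplified; every simplification is marked ASSUMPTION in the comments. It models that a discrete profile is located only when both the name and the VOLSER match, that a generic matches on the name alone, that a trailing `*` covers one or more further qualifiers (the NOEGN behaviour by which MAC.* covered MAC.JSF40.TEMP.JOBHIST in this thread), that the most specific matching generic wins, and that access is resolved userid entry first, then the best access of a connected group, then UACC. The profile names are the ones from the thread; the volume serials PROD01 and WORK01, the userid DEV01 and the groups DEVGRP and MACUPD are made up for the example.

```python
"""Toy model of RACF DATASET profile selection and access checking.

Added example, not RACF code. Simplifications are marked ASSUMPTION.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RACF access levels in increasing order of authority.
ACCESS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


@dataclass
class Profile:
    name: str
    generic: bool                                        # True -> listed with "(G)"
    uacc: str = "NONE"
    acl: Dict[str, str] = field(default_factory=dict)    # userid or group -> access
    volser: Optional[str] = None                         # discrete profiles only


def generic_matches(profile: str, dsn: str) -> bool:
    """Does a generic profile name cover this data set name?

    ASSUMPTION: only two shapes are modelled: a fully-qualified generic
    (exact name) and a name ending in '.*', where the trailing '*' stands
    for one or more further qualifiers (the NOEGN behaviour that let MAC.*
    cover MAC.JSF40.TEMP.JOBHIST). '%' and the EGN '**' are not modelled.
    """
    pq, dq = profile.split("."), dsn.split(".")
    if pq[-1] == "*":
        head = pq[:-1]
        return len(dq) > len(head) and dq[:len(head)] == head
    return pq == dq


def select_profile(profiles: List[Profile], dsn: str, volser: str) -> Optional[Profile]:
    """Locate the profile that would be used for dsn residing on volser."""
    # A discrete profile protects one data set on one volume: both must match.
    for p in profiles:
        if not p.generic and p.name == dsn and p.volser == volser:
            return p
    # No discrete hit: fall back to the best-matching generic.
    # ASSUMPTION: "most specific" is approximated by the longest literal text.
    candidates = [p for p in profiles if p.generic and generic_matches(p.name, dsn)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: len(p.name.replace("*", "")))


def effective_access(p: Profile, userid: str, groups: List[str]) -> str:
    """Userid entry wins; else the highest access of any connected group
    (ASSUMPTION: list-of-groups checking is active); else UACC."""
    if userid in p.acl:
        return p.acl[userid]
    via_groups = [p.acl[g] for g in groups if g in p.acl]
    if via_groups:
        return max(via_groups, key=ACCESS.index)
    return p.uacc


def check_access(profiles: List[Profile], dsn: str, volser: str, userid: str,
                 groups: List[str], requested: str) -> Tuple[str, bool]:
    """Return (profile name as a listing would show it, access granted?)."""
    p = select_profile(profiles, dsn, volser)
    if p is None:
        return ("<no profile>", False)
    granted = ACCESS.index(effective_access(p, userid, groups)) >= ACCESS.index(requested)
    return (p.name + (" (G)" if p.generic else ""), granted)


def scenario(fully_qualified_generic: bool, volser: str) -> Tuple[str, bool]:
    """Ron's setup: MAC.* with UACC(READ), plus a profile for the full name that
    gives the developers UPDATE. That second profile is either a discrete one
    tied to volume PROD01 or a fully-qualified generic. The developer's job
    (userid DEV01, group DEVGRP, both invented) writes the copy of the data
    set that lives on 'volser'."""
    profiles = [
        Profile("MAC.*", generic=True, uacc="READ", acl={"MACUPD": "UPDATE"}),
        Profile("MAC.JSF40.TEMP.JOBHIST", generic=fully_qualified_generic, uacc="READ",
                acl={"DEVGRP": "UPDATE"},
                volser=None if fully_qualified_generic else "PROD01"),
    ]
    return check_access(profiles, "MAC.JSF40.TEMP.JOBHIST", volser,
                        "DEV01", ["DEVGRP"], "UPDATE")


if __name__ == "__main__":
    # Discrete profile, data set on another volume: falls through to MAC.* (G), denied.
    print(scenario(False, "WORK01"))
    # Discrete profile, data set on the volume named in the profile: allowed.
    print(scenario(False, "PROD01"))
    # Fully-qualified generic: the volume no longer matters, allowed.
    print(scenario(True, "WORK01"))
```

The first call reproduces the symptom in the thread: the discrete profile is never found because the lookup is by name plus volume, so the request lands on MAC.* (G) and fails with only READ. Converting the profile to a fully-qualified generic removes the volume from the lookup.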
Re: Health Check JES_NJE_SECURITY
Hi Skip,

If you define &RACLNDE and add the name of a node to it, JES will 'trust' and accept any job coming from that node and propagate the submitter's ID and group as is. Adding a node to &RACLNDE is the equivalent of creating NODES profiles of node.USERJ.* UACC(UPDATE), node.GROUPJ.* UACC(READ), and node.SECLJ.* UACC(READ). Note that NODES profiles are ignored for nodes listed in &RACLNDE, so you can't do any submitting user or group translations using NODES profiles. &RACLNDE is very powerful, and nodes should only be defined to it that are under your control.

If a job is received from an &RACLNDE trusted node, and on the receiving system (a) the submitting user isn't defined, (b) the submitter's group isn't defined, or (c) the submitting user isn't connected to the group, the submitter is treated as an undefined user and the job may fail. This is why, as Walt indicated, you should only define nodes to &RACLNDE whose RACF databases are aligned for users, groups, and connects. For systems that aren't so aligned, don't include their nodes in &RACLNDE and use NODES profiles instead.

I recommend you define &RACLNDE in each of your RACF databases and in each such profile include only the nodes for the systems sharing that particular database. Do so even on standalone systems or Multi-Access Spool configurations. This will facilitate spool reloads.

Regards, Bob

Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. *** Celebrating our 25th Year *** 617-969-8211 www.linkedin.com/in/roberthansel https://twitter.com/RSH_RACF www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 10-14, 2018
- RACF Level I Administration - APR 10-13, 2018 ** Date Change **
- RACF Level II Administration - JUN 4-8, 2018
- RACF Level III Admin, Audit, & Compliance - OCT 1-5, 2018
- RACF - Securing z/OS UNIX - APR 23-27, 2018

-Original Message-
Date:Wed, 28 Feb 2018 19:38:33 + From:Jesse 1 Robinson Subject: Health Check JES_NJE_SECURITY

APAR OA49171 introduces a new health check called

Date:Thu, 1 Mar 2018 03:14:36 + From:Jesse 1 Robinson Subject: Re: Health Check JES_NJE_SECURITY

Ouch. I never saw Walt's proviso mentioned in the doc. Yes, these nodes are all totally under our control. However each node (sysplex) constitutes a different business environment supported by a different RACF data base. A person may have the same userid on sandbox and on production, but they do not necessarily have the same authority on both. Both represent the same person but not necessarily the same role. We need to reassess our goal here.

. . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Walt Farrell Sent: Wednesday, February 28, 2018 5:21 PM To: IBM-MAIN@LISTSERV.UA.EDU Subject: (External):Re: Health Check JES_NJE_SECURITY

On Wed, 28 Feb 2018 18:21:03 -0500, Tom Conley wrote:
>I ran these on 1/5/18 to fix this check:
>
>RDEFINE RACFVARS &RACLNDE UACC(NONE) OWNER()
>RALTER RACFVARS &RACLNDE ADDMEM() (add one for each node)
>SETROPTS CLASSACT(RACFVARS) RACLIST(RACFVARS)

You should be careful with that, Tom. &RACLNDE should only contain the names of nodes whose RACF databases are identical to each other, at least with respect to the users, groups, and user-group connections that are defined. Having a node listed in &RACLNDE will have a strong effect on security processing (mainly the propagation of submitter identity) for jobs submitted from that node to other nodes in your JES2 network.

-- Walt

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to find what performed an OMVS unmount?
Peter, There are multiple RACF audit options that might come into play as discussed in our presentation on this topic. See (beware the line wrap): http://www.rshconsulting.com/RSHpres/RSH_Consulting__RACF_Monitoring_&_Reporting__August_2017.pdf Event Code 55 (UMNTFSYS) comes under Unix audit class FSOBJ. Use caution in auditing Unix events because of the potential high volume of SMF records. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. *** Celebrating our 25th Year *** 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com -Original Message- Date:Thu, 28 Dec 2017 09:37:17 -0600 From:Peter Ten Eyck Subject: Re: How to find what performed an OMVS unmount? Thanks for setting me straight on the difference between sub type and event code in the context of RACF. I will look into if there is a RACF unload for that time period and perhaps check with MXG about the handling of event codes as opposed to sub types. You mentioned RACF auditing options that would control which RACF event codes are cut? Where is that controlled? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to find what performed an OMVS unmount?
Peter, The type 80 record doesn't have subtypes. 55 is an event code, and event code is a field in the 80 record. I do not know if MXG is aware of and can select records based on type 80 event codes. If your RACF team converts SMF 80 records to text format using RACF's SMF unload utility, you can try searching the unload file for UMNTFSYS events - the text equivalent of event code 55. Various RACF auditing options determine whether such an event would be logged, and such options may not have been in effect when the event occurred, hence no record. Since the NOTYPE ranges do not exclude 80 records, you are correct that they are being collected. Also look for SUBSYS settings that might be excluding them for certain subsystems. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. *** Celebrating our 25th Year *** 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com -Original Message- Date:Wed, 27 Dec 2017 13:03:41 -0600 From:Peter Ten Eyck Subject: Re: How to find what performed an OMVS unmount? Thanks for the suggestion on this topic. I have discovered that the LPAR that this un-mount occurred on does not cut type 92 (USS) records so I will be unable to use them to figure what un-mounted my file. Setting: SYS(NOTYPE(16:19,62:69,92) With the help of MXG staff, I was able to run a MXG report looking for type 80 (RACF) sub type 55 records, I did not find any. To me this means that either there were no un-mounts during the time period of the input or no sub type 55 records are cut. Is the above setting what controls the sub type records cut? Type 80 is not excluded so it’s being cut, is the default all 80 sub types? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: How to find what performed an OMVS unmount?
Peter, (Resending with a proper Subject)

If this is a RACF protected system and depending on what audit settings were in effect, you might see an SMF 80 record for the unmount. The event code is 55. If you have SMF unload records available, look for event UMNTFSYS.

Regards, Bob

Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. *** Celebrating our 25th Year *** 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com

-Original Message-
Date:Tue, 19 Dec 2017 18:10:10 -0600 From:Peter Ten Eyck Subject: How to find what performed an OMVS unmount?

I have an OMVS dataset that was mounted via a batch job on a z/OS 2.2 LPAR:

//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 PROF MSGID WTPMSG
 MOUNT FILESYSTEM('CICSTS53.CICS.ESA1.HFS.FF') +
   MODE(RDWR) TYPE(ZFS) NOAUTOMOVE +
   MOUNTPOINT('/usr/lpp/cicsts53')

This job was run after the CICS region was already up and is used for CICS TS 5.3 web services. The web services were dynamically installed from this successfully mounted dataset and worked fine. Sometime over night the dataset (file) became un-mounted. How can I determine what un-mounted the file? I do not see anything in the syslog or the CICS log. Can I use SMF to determine this, what record type would be used?

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
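The three replies above turn on one point: a type 80 record has no subtype, and the thing numbered 55 is the RACF event code, a one-byte field inside the record. As an added example (editor-supplied code, not anything IBM or the posters provided) here is a minimal parser for the fixed part of an SMF type 80 record that reads that event code and reports UMNTFSYS for 55. The field offsets follow the SMF80 record mapping as I recall it (SMF80RTY at 5, SMF80TME at 6, SMF80DTE at 10, SMF80SID at 14, SMF80DES at 18, SMF80EVT at 20, SMF80EVQ at 21, SMF80USR at 22, SMF80GRP at 30); check them against the RACF Macros and Interfaces manual for your release before building a report on this. Only the part before the relocate sections is modelled, the event-name table holds just the three codes I am sure of, and the records it parses are constructed inline (userid OMVSADM, group OMVSGRP, system SYSA and the timestamps are invented). Whether such a record exists at all still depends on the audit options in effect, as Bob says.

```python
"""Pick RACF UMNTFSYS (event code 55) events out of raw SMF type 80 records.

Added example; record layout per the SMF80 mapping as recalled (see lead-in).
"""
import struct
from datetime import date, timedelta
from typing import Dict, List

# Event code -> IRRADU00 event name. 55 is UMNTFSYS (confirmed in the thread);
# 1 and 2 are the everyday JOBINIT/ACCESS events. Others are left out, not guessed.
EVENT_NAMES: Dict[int, str] = {1: "JOBINIT", 2: "ACCESS", 55: "UMNTFSYS"}

# Fixed part of the record, 38 bytes (ASSUMED offsets, see lead-in):
# LEN(0) SEG(2) FLG(4) RTY(5) TME(6) DTE(10) SID(14) DES(18) EVT(20) EVQ(21) USR(22) GRP(30)
SMF80_FIXED = struct.Struct(">HHBBI4s4sHBB8s8s")


def decode_smf_date(packed: bytes) -> date:
    """SMF dates are packed decimal 0cyydddF (c=0 for 19xx, c=1 for 20xx)."""
    digits = packed.hex()                       # e.g. '0117361f'
    year = 1900 + 100 * int(digits[1]) + int(digits[2:4])
    return date(year, 1, 1) + timedelta(days=int(digits[4:7]) - 1)


def encode_smf_date(d: date) -> bytes:
    """Inverse of decode_smf_date; used only to build the constructed records."""
    century = (d.year - 1900) // 100
    return bytes.fromhex(f"0{century}{d.year % 100:02d}{d.timetuple().tm_yday:03d}f")


def format_smf_time(hundredths: int) -> str:
    """SMF times are hundredths of a second since midnight."""
    seconds, hs = divmod(hundredths, 100)
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    return f"{h:02d}:{m:02d}:{s:02d}.{hs:02d}"


def parse_smf80(rec: bytes) -> Dict[str, object]:
    """Decode the fixed part of one SMF type 80 record (EBCDIC text fields)."""
    (_len, _seg, _flg, rty, tme, dte, sid, _des, evt, evq,
     usr, grp) = SMF80_FIXED.unpack(rec[:SMF80_FIXED.size])
    if rty != 80:
        raise ValueError(f"not a type 80 record: type {rty}")
    return {
        "date": decode_smf_date(dte),
        "time": format_smf_time(tme),
        "system": sid.decode("cp037").strip(),
        "event_code": evt,                      # SMF80EVT: the record has no subtype
        "event": EVENT_NAMES.get(evt, f"EVENT{evt}"),
        "qualifier": evq,                       # SMF80EVQ, 0 = success for most events
        "user": usr.decode("cp037").strip(),
        "group": grp.decode("cp037").strip(),
    }


def find_events(records: List[bytes], code: int = 55) -> List[Dict[str, object]]:
    """Return the parsed records whose event code equals 'code'."""
    return [r for r in map(parse_smf80, records) if r["event_code"] == code]


def build_smf80(event: int, qual: int, user: str, group: str, when: date,
                hundredths: int, system: str = "SYSA") -> bytes:
    """Build a constructed type 80 record with no relocate sections."""
    def ebcdic(text: str, width: int) -> bytes:
        return text.ljust(width).encode("cp037")
    return SMF80_FIXED.pack(SMF80_FIXED.size, 0, 0, 80, hundredths, encode_smf_date(when),
                            ebcdic(system, 4), 0, event, qual,
                            ebcdic(user, 8), ebcdic(group, 8))


# Constructed sample: one ordinary successful access, then the unmount being hunted.
SAMPLE_RECORDS: List[bytes] = [
    build_smf80(2, 0, "CICSUSR", "CICSGRP", date(2017, 12, 27), 2 * 360000 + 15 * 6000),
    build_smf80(55, 0, "OMVSADM", "OMVSGRP", date(2017, 12, 27), 3 * 360000 + 7 * 6000 + 4200),
]

if __name__ == "__main__":
    for hit in find_events(SAMPLE_RECORDS):
        print(hit)
```

Run against real data you would feed it the records of a dumped SMF data set (variable-length records with the RDW stripped) and filter on `event_code == 55`; the point the parser makes is that the filter is on SMF80EVT, and a tool configured to select on an SMF "subtype" will never find anything for type 80.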
Re: DFSORT: RACFICE query - how to extract all commands containing some text value
Kolusu, I would not recommend the use of RACFRW. It was stabilized in 1992 and won't report on the use of newer command operands such as NOEXPIRE. Bruce is better off using ICETOOL.

Bruce, Our presentation on DFSORT and ICETOOL and its use with RACF might be of help. You'll find it on our "RACF Center" webpage along with other useful RACF information. http://www.rshconsulting.com/racfres.htm

Regards, Bob

Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. *** Celebrating our 25th Year *** 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - FEB 5-9, 2018
- RACF Level I Administration - APR 3-6, 2018
- RACF Level II Administration - JUN 4-8, 2018
- RACF Level III Admin, Audit, & Compliance - FEB 26-MAR 2, 2018
- RACF - Securing z/OS UNIX - APR 23-27, 2018

-Original Message-
Date:Wed, 13 Dec 2017 10:20:41 -0700 From:Sri h Kolusu Subject: Re: DFSORT: RACFICE query - how to extract all commands containing some text value

Bruce, You extract the SMF80 records and process them through DFSORT. You can also use RACFRW to report https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha800/racfrw.htm

Example: This file produces a report of failed logons for user Smith.

RACFRW TITLE('REPORT ON FAILED LOGONS FOR USER SMITH')
SELECT PROCESS USER(DUMMY)
EVENT LOGON
SUMMARY USER NEWPAGE
END

You can use EVENT to list all of your events and generate a report https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha800/racfrw.htm#racfrw__eventsub

If you still need help please feel free to send your questions to the DFSORT hotline (dfs...@us.ibm.com) along with a sample input file and desired output report. Thank you Lizette for directing the users to our hotline.

Thanks, Kolusu DFSORT Development IBM Corporation

From: Bruce Hewson To: IBM-MAIN@LISTSERV.UA.EDU Date: 12/13/2017 02:50 AM Subject:DFSORT: RACFICE query - how to extract all commands containing some text value Sent by:IBM Mainframe Discussion List

A query for the ICETOOL/RACFICE experts, I have been asked to extract all RACF commands issued relating to a specific USERID. I am not knowledgeable enough with ICETOOLS to code this myself quickly. The current RACFICE examples do not provide a sample for this.

Example: Extract and report all commands, ADDUSER/ALTUSER/PASSWORD/PERMIT that reference USER(xyzzy)

Hopefully someone can help. Thanks Bruce Hewson

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Finding OMVS Files with Owner IDs for Deleted Owners?
Hi Lionel, (cross-posted IBM-MAIN and MVS-OE)

Here are a couple of things to keep in mind.

1) I've found it necessary to specify the path as /* with the find command.

2) Check the extended ACLs too if there are any.
find path -acl_nouser
find path -acl_nogroup

3) As an alternative to the find command, consider using IBM's IRRHFSU utility for this task. Our presentation on this utility, which includes a sample ICETOOL job for this very task, is available on our website. http://www.rshconsulting.com/racfres.htm

4) If there is a USERID assigned an Owner or ACL UID, but the USERID's Default Group does not have a GID, find will consider the UID as being unassigned. Same with the ls command and IRRHFSU. Verify a UID is truly unassigned before changing it.

5) If this is a RACF installation, to avoid an SMF tsunami do not execute find or IRRHFSU for the entire file system with a USERID having the UAUDIT attribute.

Regards, Bob

Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. *** Celebrating our 25th Year *** 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - FEB 5-9, 2018
- RACF Level I Administration - DEC 5-8, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017
- RACF - Securing z/OS UNIX - OCT 23-27, 2017

-Original Message-
Date:Fri, 1 Dec 2017 15:51:02 + From:"Dyck, Lionel B. (TRA)" Subject: Re: Finding OMVS Files with Owner IDs for Deleted Owners?

Thank you - that is just what I need.

-- Lionel B. Dyck < Mainframe Systems Programmer - TRA

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Styles, Andy (ITS zPlatform Services) Sent: Friday, December 01, 2017 9:49 AM To: IBM-MAIN@LISTSERV.UA.EDU Subject: [EXTERNAL] Re: Finding OMVS Files with Owner IDs for Deleted Owners?

Classification: Public

Assuming their id has been deleted: find . -nouser

-rw-r--r--   1 5        10    Jul 17 09:09 test.txt

Where '5' is the id of the deleted user (actually just me issuing chown 5 test.txt - but users without ids show up as numerics in ls).

01/12/17 15:45:50 /u/xxx $ find . -nouser
./test.txt

There's a -nogroup equivalent too.

Andy Styles z/Series Systems Programmer

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Dyck, Lionel B. (TRA) Sent: 01 December 2017 15:33 To: IBM-MAIN@LISTSERV.UA.EDU Subject: Finding OMVS Files with Owner IDs for Deleted Owners?

-- This email has reached the Bank via an external source --

Is there a tool that can find and report out all files that are owned by users who have departed? Just ran into a few that were owned by someone who left several years ago.

Thank you

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Batch TSO command (ADDUSER) tracing and diagnostics
Hi Nick,

As a way to avoid problems to begin with, does your routine first check to see if there is an existing user ID or group that matches the ID it is about to create, that the ID is syntactically correct, and that the default group exists? What RACF authority is the IMS address space using to create IDs? What if any segments is it creating along with the ID? There may be other pre-command checks we can recommend.

Regards, Bob

Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. *** Celebrating our 25th Year *** 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - FEB 5-9, 2018
- RACF Level I Administration - DEC 5-8, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017
- RACF - Securing z/OS UNIX - OCT 23-27, 2017

-Original Message-
Date:Thu, 26 Oct 2017 07:30:07 + From:"Baguley, Nicholas: Absa" Subject: Batch TSO command (ADDUSER) tracing and diagnostics

Hi List

We need to echo or trace the TSO commands processed in a batch TSO process... We are issuing an ADDUSER command under TSO and it returns a RC=8. In itself not a "biggie". We run TSO via an ATTACH of IKJEFTnn (1B in this case) so it is a subtask of an IMS address space. The ADDUSER command is passed to IKJEFT as a PARM on the attach svc/macro as opposed to SYSTSIN. We don't see the command "echoed" to SYSTSPRT as you "normally" do when using SYSTSIN.

Is anyone aware of a mechanism of switching on tracing or diagnosing PARM= input to IKJ?

NB - this works fine in 99% of cases. We suspect either we are not building up the ADDUSER command correctly (syntax error) or we have a RACF issue. Unfortunately my next opportunity to make a program change and the command to the syslog is a couple of weeks away. Maybe the assumption within the bowels of TSO was that if input is via PARM then there would be a jcl deck or job output to inspect.

TIA Nick

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RACF Database
Hi Skip, I usually assign a group as the owner of a profile. In the case of datasets, I typically assign the user or group matching the dataset's high level qualifier as the owner. There are exceptions such as when you specifically want a user to be able to administer a particular profile or you want to exclude groups or users from a Group-SPECIAL administrator's scope-of-groups. Regards, Bob Robert S. Hansel *** Celebrating 30 years working with RACF *** Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com -Original Message- Date:Wed, 24 May 2017 19:22:23 + From:Jesse 1 Robinson Subject: Re: RACF Database A fallout of this thread is that we're looking to assign a new owner to profiles that cover the RACF data sets. I'd like something truly permanent. The RACF STC runs with user SYSRACF, which is a valid userid that no one could log on to. Does that seem reasonable? Then only someone with RACF SPECIAL could make profile changes. . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW robin...@sce.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RACF Database
Hi Skip, Point of clarification. IRRDBU00 no longer requires UPDATE access with NOLOCKINPUT as of z/OS 2.2.

Regards, Bob

-Original Message-
From: Robert S. Hansel (RSH) [mailto:r.han...@rshconsulting.com] Sent: Wednesday, May 24, 2017 6:07 AM To: 'IBM Mainframe Discussion List' Subject: RE:RACF Database

Hi Skip, I very much doubt the security folks need UPDATE access. At one time, the database unload utility IRRDBU00 required UPDATE, but this is no longer the case if using PARM NOLOCKINPUT, and besides, they should only be creating unloads from an offline IRRUT200 copy of the database and not the live one. READ access to generate IRRUT200 copies is the most they should need. Other utilities that require UPDATE access, which I would not expect them to be using, are IRRMIN00 to apply template updates, IRRIRA00 for converting the database to the AIM structure, IRRUT400 to copy/reorg the database, and BLKUPD to repair the database.

Regards, Bob

Robert S. Hansel *** Celebrating 30 years working with RACF *** Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com

-Original Message-
Date:Tue, 23 May 2017 21:57:21 + From:Jesse 1 Robinson Subject: Re: RACF Database

So it turns out that the number of folks here with ALTER access to RACF data sets is way smaller than I expected. There are however several userids with UPDATE access; they seem to be mostly in the 'security management' department. Do the standard RACF utilities require UPDATE for housekeeping?

. . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW robin...@sce.com

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RACF Database
Hi Skip, I very much doubt the security folks need UPDATE access. At one time, the database unload utility IRRDBU00 required UPDATE, but this is no longer the case if using PARM NOLOCKINPUT, and besides, they should only be creating unloads from an offline IRRUT200 copy of the database and not the live one. READ access to generate IRRUT200 copies is the most they should need. Other utilities that require UPDATE access, which I would not expect them to be using, are IRRMIN00 to apply template updates, IRRIRA00 for converting the database to the AIM structure, IRRUT400 to copy/reorg the database, and BLKUPD to repair the database. Regards, Bob Robert S. Hansel *** Celebrating 30 years working with RACF *** Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com -Original Message- Date:Tue, 23 May 2017 21:57:21 + From:Jesse 1 Robinson Subject: Re: RACF Database So it turns out that the number of folks here with ALTER access to RACF data sets is way smaller than I expected. There are however several userids with UPDATE access; they seem to be mostly in the 'security management' department. Do the standard RACF utilities require UPDATE for housekeeping? . . J.O.Skip Robinson Southern California Edison Company Electric Dragon Team Paddler SHARE MVS Program Co-Manager 323-715-0595 Mobile 626-543-6132 Office ⇐=== NEW robin...@sce.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RACF Database (was: Sample JCL for file transfer using NJE/TCPIP)
Todd, Restricting access to the RACF database is essential, but it isn't enough to save you if the database is not allocated as unmovable. DFSMSdss' data management utility ADRDSSU, when used with the ADMINISTRATOR keyword, ignores dataset profiles and can perform functions such as compress on any dataset. Regards, Bob Robert S. Hansel *** Celebrating 30 years working with RACF *** Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com -Original Message- Date:Tue, 23 May 2017 18:36:52 + From:"Burrell, Todd" Subject: Re: RACF Database (was: Sample JCL for file transfer using NJE/TCPIP) Wouldn't a simpler solution to protecting the RACF database simply be to give pretty much no one ALTER access to it? I know that at most shops only one or two folks had ALTER or UPDATE to the actual file and that seems like the best course of action to avoid accidental deletion? And we backed up the RACF DB 4 times a day as well - just in case. Todd Burrell | Sr. Mainframe Systems Administrator -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RACF Database (was: Sample JCL for file transfer using NJE/TCPIP)
Gil,

The RACF database is BDAM (Basic Direct Access Method) and has, to my knowledge, always been so since it was first released in 1976. The index records are stored in the database with the profile (data) records, so it is completely self-contained. I know of no other product using this structure.

Live databases should be allocated as PSU. Unmovable prevents the database from being moved while in use. RACF is weird. It opens its databases at IPL and then immediately closes them. RACF uses direct disk address I/O to read and update its databases thereafter. If databases are not allocated as U, a data management utility, seeing they are not "open", might compress or move the databases, unaware they are in use - with disastrous results.

Live databases should be copied/backed up using the IRRUT200 utility. This utility freezes update activity to the database before making a copy. The offline copy can be copied using IEBGENER or the like, or it can be FTPed. I haven't tried FTPing a RACF database, but I suspect you would want to do so using BIN. It is generally best to pre-allocate the disk dataset to which the database is to be copied, and it must have exactly the same UNIT, SPACE, and DCB characteristics as the source database, including CONTIG. The copy needn't be PSU unless you plan to RVARY SWITCH to it so that it becomes live.

Regards, Bob

Robert S. Hansel *** Celebrating 30 years working with RACF *** Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com

Upcoming RSH RACF Training - WebEx
- RACF Audit & Compliance Roadmap - SEPT 11-15, 2017
- RACF Level I Administration - DEC 5-8, 2017
- RACF Level II Administration - NOV 13-17, 2017
- RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017
- RACF - Securing z/OS UNIX - OCT 23-27, 2017

-Original Message-
Date:Sun, 21 May 2017 14:19:39 -0500 From:Paul Gilmartin Subject: Re: Sample JCL for file transfer using NJE/TCPIP

On Sun, 21 May 2017 05:12:00 -0500, Elardus Engelbrecht wrote:
>
>>RACF (I'm less sure) is VSAM.
>
>No, it is PSU (PS and Unmovable). Other attributes are mandated by IBM.
>
"Unmovable" would seem to imply uncopyable; the copy would have to go in a different place. But there must be some provision for backing it up, and little point in trying to move it to another system with such as FTP.

Why not VSAM? Performance? Antiquity? It feels as if RACF has a built-in DB engine.

-- gil

-- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Issue with SK4T-4949-13 - IBM Online Library: z/OS V2R2 Collection, March 2017
Greetings all, In the past, the SK4T-4949 online library could be downloaded as a single zip file with manuals for all the z/OS components in one set. Not so with this newest release -13. It appears you now have to download the manuals for each and every component individually. This is horribly inconvenient. I'm hoping the IBMers monitoring this list will take note and have this rectified. I complained through the website, but got no response. Regards, Bob Robert S. Hansel *** Celebrating 30 years working with RACF *** Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com Upcoming RSH RACF Training - WebEx - RACF Audit & Compliance Roadmap - MAY 15-19, 2017 - RACF Level I Administration - APR 25-28, 2017 - RACF Level II Administration - NOV 13-17, 2017 - RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017 - RACF - Securing z/OS UNIX - OCT 23-27, 2017 -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Erase on Scratch
Bill, Here are the results of a survey I did on RACF ERASE a few years ago. http://www.rshconsulting.com/surveys/RSH_Consulting__RACF_Survey_019__ERASE.pdf Most installations don't use ERASE because they think there will be performance problems. There have been significant improvements in the performance of ERASE in z/OS 2.1 and 2.2. Regards, Bob Robert S. Hansel *** Celebrating 30 years working with RACF *** Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com Upcoming RSH RACF Training - WebEx - RACF Audit & Compliance Roadmap - MAY 15-19, 2017 - RACF Level I Administration - APR 25-28, 2017 - RACF Level II Administration - NOV 13-17, 2017 - RACF Level III Admin, Audit, & Compliance - OCT 2-6, 2017 - RACF - Securing z/OS UNIX - OCT 23-27, 2017 -Original Message- Date:Fri, 21 Apr 2017 05:14:38 -0500 From:Bill Wilkie Subject: Erase on Scratch I have been looking into the Erase on Scratch capability to erase all extents of a data set but much of my research indicates that: 1. You must set up the data set names individually. 2. It will not erase &&Temp data set names unless you: a. Make the &&TEMP name a permanent name. b. Map the temp name to a permanent name already being erased. c. SETROPS ERASE(ALL) to erase all deleted data sets, which is very slow. My question is "Is anyone using it" and if so how is it working out? If you are not using it Why not? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RACF TEMPDSN improvement with the zOS 1.13
Hi Roger,

Beginning with z/OS 1.13, the activation of TEMPDSN no longer interferes with currently running processes, and it is safe to activate TEMPDSN without waiting for an IPL. If you compare the description of TEMPDSN in the 1.12 version of the RACF Security Administrator's Guide with its description in the 1.13 version, you'll find the following verbiage has been dropped from the 1.13 version.

(quote)
Avoid activating the TEMPDSN class when current users or jobs are using temporary data sets. Otherwise, you could cause users or jobs to receive an ABEND, as shown in the following scenario:
1. The job or user allocates a temporary data set.
2. You activate the TEMPDSN class.
3. The job or user opens the data set.
4. Because activating the TEMPDSN class restricts the authority to open a temporary data set, the user or job receives an abend.
(end-quote)

Regards, Bob

Robert S. Hansel *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Tue, 18 Apr 2017 20:25:30 +
From: Rogério Camargo
Subject: RACF TEMPDSN improvement with the zOS 1.13

Hello!

I've heard about improvements with the zOS 1.13 (some year ago) related to the RACF TEMPDSN, however it is being just impossible to me to find that information in any 1.13 manual/migration guide... I've just read and searched several of these manuals, but I simply could not find it. Would any of you have any material about it that you could share with me?!

Tks
Roger
Re: RACF Non-expiring passwords
Hi Elaine,

When you reset the password, be sure to use the NOEXPIRED operand on your ALU command like so:

ALU userid PASSWORD(password) NOEXPIRED

This will require the password to conform to your current password syntax rules. If the former password no longer conforms to your rules, you'll need to temporarily remove the rules in order to reinstate the former password. After successfully reinstating the prior password, try logging on with the ID and password to confirm they work. I usually use FTP for this purpose.

Since this involves a non-expiring password, I assume this ID is being used to log on from another platform for a task like file transfer or remote DB2 calls. It has been my experience that when a non-expiring password stops working, it is never RACF's fault. Instead, it is because the person responsible for the process on the other platform from which the logons are originating has inadvertently changed the password or tried installing the same ID from yet another platform and didn't enter the password correctly. I suggest you look at RACF SMF records for JOBINIT events related to this ID to see where these logons are originating from and verify it is the correct source for these logons.

Regards, Bob

Robert S. Hansel *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Mon, 20 Mar 2017 11:44:01 -0500
From: Elaine Beal
Subject: RACF Non-expiring passwords

We have a non-expiring password that we've used for years and somehow failed the other night. I reset with an alu line command but the new password doesn't work. When I go through the panels it says the current password isn't valid. We have changed password rules but I don't see where that matters. I set the new password to existing rules and do not get any errors on the alu.

Thanks,
Elaine
Re: Problem Generating CA-7 SASSBSTR Batch LJOB Output
Hi Jeffrey,

I did read the documentation, several times, but unbeknownst to me at the time, it was the wrong version - v11.3. Your reply prompted me to look for more recent documentation, and in the documentation for v12, CA added the following sentence to the description of DSNPFX='batch.dsn.prefix.': "This hlq must match the hlq for the BATCHI#x and BATCHO#x data sets that are defined to the CA 7 started task."

IMHO, it seems nonsensical that the program would let you specify a prefix that didn't match the started task's ones and not give some sort of a warning or error message. Why else would you have such an option if not to specify your own datasets (and perhaps this is how it worked prior to v12).

Regards, Bob

-----Original Message-----
Date: Wed, 8 Mar 2017 10:43:15 -0600
From: Jeffrey Holst
Subject: Re: Problem Generating CA-7 SASSBSTR Batch LJOB Output

If you read the documentation, DSNPFX must match the DSNPFX for the BATCHI#n and BATCHO#n datasets that are defined to the CA7 started task. If DSNPFX is not specified, the prefix specified for the COMMDS is used. DSNPFX need only be specified if those prefixes do not match. There is no intent that one can create his own BATCHI#n and BATCHO#n datasets.

That it gives RC=0 shows it is probably working as designed. What is documented is that it copies the SYSIN to the BATCHI#n dataset that you specified, and puts something in the COMMDS to tell CA-7 to process the BATCHI#n that it has defined. There is nothing there, so it quickly writes something to its BATCHO#n and puts something in COMMDS to tell your BTI that it is done processing, and with what return code. (It is documented that unless there is a message table defined, most results produce RC=0). Finally BTI reads your BATCHO#n (which is empty) and writes its contents to SYSPRINT.

Jeffrey Holst

On Tue, 7 Mar 2017 14:14:37 -0500, Robert S. Hansel (RSH) wrote:

> Greetings all,
>
> I was able to get SASSBSTR running successfully, but in the process may have discovered a bug in the program. SASSBSTR allows you to specify your own pair of BATCHIN DD and BATCHOUT DD datasets using PARM DSNPFX. SASSBSTR allocates datasets for BATCHIN and BATCHOUT using the prefix specified by DSNPFX and appending .BATCHI#n and BATCHO#n ('n' is a pseudo terminal ID number). If you don't specify DSNPFX, SASSBSTR by default uses the BATCHIN and BATCHOUT datasets specified in CA7's configuration. When I run the job with my own DSNPFX, I get no output. When I use the ones in CA7's configuration, I get output as expected. Yet, the job runs successfully with RC=0 in both cases, and there are no error messages of any sort.
>
> Thank you to all who offered suggestions and advice.
>
> Regards, Bob
>
> Robert S. Hansel *** Celebrating 30 years working with RACF ***
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> www.linkedin.com/in/roberthansel
> http://twitter.com/RSH_RACF
> www.rshconsulting.com
>
> -----Original Message-----
> From: Robert S. Hansel (RSH) [mailto:r.han...@rshconsulting.com]
> Sent: Friday, March 03, 2017 3:16 PM
> To: IBM-MAIN (ibm-m...@bama.ua.edu)
> Subject: Problem Generating CA-7 SASSBSTR Batch LJOB Output
>
> Greetings all,
>
> I am trying to generate listings of job information from CA-7 with the LJOB command using the Batch Terminal Interface (BTI) program SASSBSTR (PROC CA7BTI). The job runs successfully, but the output in SYSPRINT simply shows the LJOB command I executed and not, as I'd hoped, the output from the LJOB command. I've searched the manuals and cannot figure out how to get the output I desire and was hoping someone could be of assistance. TIA.
>
> Regards, Bob
>
> Robert S. Hansel *** Celebrating 30 years working with RACF ***
> Lead RACF Specialist
> RSH Consulting, Inc.
> 617-969-8211
> www.linkedin.com/in/roberthansel
> http://twitter.com/RSH_RACF
> www.rshconsulting.com
Re: Problem Generating CA-7 SASSBSTR Batch LJOB Output
Greetings all,

I was able to get SASSBSTR running successfully, but in the process may have discovered a bug in the program. SASSBSTR allows you to specify your own pair of BATCHIN DD and BATCHOUT DD datasets using PARM DSNPFX. SASSBSTR allocates datasets for BATCHIN and BATCHOUT using the prefix specified by DSNPFX and appending .BATCHI#n and BATCHO#n ('n' is a pseudo terminal ID number). If you don't specify DSNPFX, SASSBSTR by default uses the BATCHIN and BATCHOUT datasets specified in CA7's configuration. When I run the job with my own DSNPFX, I get no output. When I use the ones in CA7's configuration, I get output as expected. Yet, the job runs successfully with RC=0 in both cases, and there are no error messages of any sort.

Thank you to all who offered suggestions and advice.

Regards, Bob

Robert S. Hansel *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
From: Robert S. Hansel (RSH) [mailto:r.han...@rshconsulting.com]
Sent: Friday, March 03, 2017 3:16 PM
To: IBM-MAIN (ibm-m...@bama.ua.edu)
Subject: Problem Generating CA-7 SASSBSTR Batch LJOB Output

Greetings all,

I am trying to generate listings of job information from CA-7 with the LJOB command using the Batch Terminal Interface (BTI) program SASSBSTR (PROC CA7BTI). The job runs successfully, but the output in SYSPRINT simply shows the LJOB command I executed and not, as I'd hoped, the output from the LJOB command. I've searched the manuals and cannot figure out how to get the output I desire and was hoping someone could be of assistance. TIA.

Regards, Bob

Robert S. Hansel *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
Problem Generating CA-7 SASSBSTR Batch LJOB Output
Greetings all,

I am trying to generate listings of job information from CA-7 with the LJOB command using the Batch Terminal Interface (BTI) program SASSBSTR (PROC CA7BTI). The job runs successfully, but the output in SYSPRINT simply shows the LJOB command I executed and not, as I'd hoped, the output from the LJOB command. I've searched the manuals and cannot figure out how to get the output I desire and was hoping someone could be of assistance. TIA.

Regards, Bob

Robert S. Hansel *** Celebrating 30 years working with RACF ***
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com
Re: ICHPWX01 sample problem
Hi Ed,

If you are curious as to what RACF exits installations are using, see our survey of a few years ago. (Beware of line wrap.)

http://www.rshconsulting.com/surveys/RSH_Consulting__RACF_Survey_013__Exits.pdf

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Thu, 1 Sep 2016 10:47:57 -0700
From: Ed Jaffe
Subject: Re: ICHPWX01 sample problem

On 9/1/2016 10:18 AM, Tom Conley wrote:
> On 9/1/2016 12:48 PM, Ed Jaffe wrote:
>>
>> "If you change an exit, except IRREVX01 and IRRVAF01, you must re-IPL MVS™ for the changes to take effect. IRREVX01 and IRRVAF01 are defined to the dynamic exits facility, and you can update them without re-IPLing."
>>
>
> Baby steps.

Haha! I ain't never messed with EVX01 or VAF01 ... only PWX01. Good thing I gotta sandbox and lotsa time... :-\

Dynamic exit capability doesn't help much (or at all) if it's not implemented for the exits you actually need. Design Thinking might suggest a customer survey to find out which exits folks are _actually_ using and make those dynamic.

--
Edward E Jaffe
Phoenix Software International, Inc
831 Parkview Drive North
El Segundo, CA 90245
http://www.phoenixsoftware.com/
Re: Privileged Users (was: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?)
Hi Skip,

OPERATIONS users actually can grant privileges because they can create dataset profiles for any group. And if they own a profile they create, they can permit access to it.

In z/OS 2.2, you will be able to replace the assignment of AUDITOR authority with ROAUDIT, which truly is benign because it allows a user to look at all profiles and SETROPTS options without changing any audit settings.

Just curious, in your 'elevated access' report, do you include users with UID 0 or access to BPX.SUPERUSER?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Tue, 17 May 2016 16:37:50 +
From: Jesse 1 Robinson
Subject: Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

An interesting take on ADDSD. We produce a periodic report here on userids with 'elevated access', which includes SPECIAL, OPERATIONS, and AUDITOR (the benign type). OPERATIONS cannot grant privileges but could do a lot of damage. I consider AUDITOR vital for sysprogs in order to diagnose--not necessarily fix--security problems at odd hours. It's been pointed out to me that AUDITOR allows someone to change RACF audit rules. A far-fetched but not inconceivable exposure. I think that managers here are required now and again to 'confirm' the need for elevated access, but no major battles have ensued within my earshot. ;-)

.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John McKown
Sent: Tuesday, May 17, 2016 8:57 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

On Tue, May 17, 2016 at 9:41 AM, Mike Schwab wrote:
> Any ID that can grant privileges to another ID.
>

By the above definition, _every_ id in RACF which has TSO capability is an administrator. How? Suppose that I am BUBBA. I log into TSO. I issue the commands:

ADDSD MY.DATASET UACC(NONE)
PERMIT MY.DATASET ID(FRED) ACCESS(UPDATE)

I have granted privileges to another ID, therefore I am an Admin user. I would really hope that what the auditor might be satisfied with would be people who are RACF SPECIAL or GROUP-SPECIAL. Of course, many of the z/OS sysprogs on this list know how to make a joke of any security, short of encrypted data to which they don't have the key.

--
The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Maranatha! <><
John McKown
Re: OA49446 on RSU1603 - RACF / DFSMS change
(Cross-posting to RACF-L)

Mark,

I have not worked with this APAR and PTF. Below is my interpretation of it. I agree this is a huge change. I think careful testing is needed to confirm this, and as I don't have access to a system with the change, I would be happy to help you with the test out of curiosity.

This 'enhancement' appears to address an oft heard desire to be able to grant access to an alias, as these tend to be permanent, as an alternative to having to grant access to the underlying dataset, which tends to change, with the goal of simplifying security administration. With this change, one will now be able to permit access to alias PRODUCT.LINKLIB instead of the related dataset PRODUCT.VERSION1.LINKLIB. Then, whenever a new version arrives, you simply point alias PRODUCT.LINKLIB at PRODUCT.VERSION2.LINKLIB and everyone will have access to the new version without you having to create a new profile for PRODUCT.VERSION2.LINKLIB. It might be possible to permit ordinary users access only to aliases and never permit them access to the underlying datasets. This might enable you to consolidate and streamline existing profiles.

As for 'required action 1.', I believe what they are alluding to is that if your aliases are currently named something like PRODVER.PRODUCT.LINKLIB and there are no RACF profiles for PRODVER, you will experience denial of access if RACF's SETROPTS PROTECTALL is in FAILURE mode (as is generally the case). If your aliases use existing High Level Qualifiers, and most likely they use the same HLQ as the related datasets, then you may not experience access problems because they'll already be covered by a profile. However, even if the latter is true, an existing alias might be covered by a profile like PRODUCT.** while the real dataset might be protected by profile PRODUCT.V*.**, and they could have very different access permissions. An exhaustive analysis of profiles and permissions is in order to ensure that the sudden switch in access authority checking from the dataset to the alias doesn't result in a loss of access. When first applying this PTF, I'd also be tempted to temporarily change PROTECTALL from FAILURE to WARNING just in case I'd missed something.

If this works as per my interpretation, then I think the concerns raised by others are valid. If I can create an alias with a name to which I have access that points to a dataset to which I do not have access, I've now circumvented access controls for the latter. This is somewhat akin to having ALTER access to a catalog which lets you delete VSAM and SMS datasets without having ALTER to the dataset profiles.

It appears, however, that IBM has addressed this concern. Googling APAR OA47269 (APAR OA49446 is essentially an addendum to this APAR) brings up links discussing new restrictions on DFSMSdfp DEFINE. To create an ALIAS, PATH, OR ALTERNATEINDEX, you will need ALTER access to the related dataset. This is going to make protecting sensitive datasets more complicated. I wonder if IBM's Health Check for APF library protection will now include aliases as well.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Thu, 28 Apr 2016 12:01:17 -0500
From: Mark Zelden
Subject: OA49446 on RSU1603 - RACF / DFSMS change

I'm applying z/OS 2.1 RSU1603 and came across this PTF. Is anyone running with it in production and has it caused you any grief? This seems to change a behavior that has been around "forever", so it concerns me a bit even though there is a work around by defining a special RACF profile in the Facility class.

++ HOLD(UA80146) SYS FMID(HDZ2210) REASON(ACTION) DATE(15356)
  COMMENT (
  * FUNCTION AFFECTED: DFSMS (OA49446)                      *
  * DESCRIPTION      : Update security definition           *
  * TIMING           : Pre-APPLY                            *
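The profile-and-permission analysis the reply above calls for, worked through as an added example (not code from the post, from IBM, or from RSH Consulting): a small Python model that finds the most specific DATASET profile covering the alias name and the real data set name, then reports every user whose effective access would change when authority checking moves from one name to the other. The profile names, UACCs, access lists and user IDs are constructed sample data built around the PRODUCT.LINKLIB / PRODUCT.VERSION1.LINKLIB and PRODVER.PRODUCT.LINKLIB cases from the post. The wildcard rules and the "most specific profile wins" ordering are a simplified model of RACF enhanced generic naming (an assumption made for illustration; the result on a real system must be confirmed against the actual profiles).

```python
"""Compare DATASET profile coverage of a catalog alias with that of the real
data set it points to.

Added illustration with constructed sample data; the matching rules below are
a simplified model of RACF enhanced generic naming for the DATASET class:
  **  as a whole qualifier matches zero or more qualifiers
  *   matches zero or more characters within a qualifier (a whole qualifier of
      '*' therefore matches exactly one qualifier)
  %   matches exactly one character
Most specific profile wins; comparing character by character, a discrete
character beats %, which beats *, which beats **  (assumption, simplified).
"""
import re

# Access levels in ascending order of authority.
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]

# Constructed sample profiles: name -> (UACC, access list of id -> level).
PROFILES = {
    "PRODUCT.**":    ("READ", {"PRODADM": "ALTER"}),
    "PRODUCT.V*.**": ("NONE", {"PRODADM": "ALTER", "APPUSERS": "READ"}),
    "SYS1.**":       ("NONE", {"SYSPROG": "ALTER"}),
}


def qualifier_matches(pattern, qualifier):
    """% matches one character; * matches zero or more within the qualifier."""
    regex = "".join("[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, qualifier) is not None


def profile_matches(profile, dsn):
    """True if DATASET profile `profile` covers data set name `dsn`."""
    def walk(pq, dq):
        if not pq:
            return not dq
        head, rest = pq[0], pq[1:]
        if head == "**":                       # zero or more whole qualifiers
            return any(walk(rest, dq[i:]) for i in range(len(dq) + 1))
        return bool(dq) and qualifier_matches(head, dq[0]) and walk(rest, dq[1:])
    return walk(profile.upper().split("."), dsn.upper().split("."))


def specificity_key(profile):
    """Lower tuple = more specific: discrete char < % < * < ** (simplified)."""
    key = []
    for q in profile.split("."):
        if q == "**":
            key.extend([3, 3])
        else:
            key.extend(0 if c not in "%*" else (1 if c == "%" else 2) for c in q)
        key.append(0)                          # the '.' separator is discrete
    return tuple(key)


def best_profile(dsn, profiles):
    """Most specific profile covering dsn, or None (PROTECTALL(FAILURE) denies)."""
    covering = [p for p in profiles if profile_matches(p, dsn)]
    return min(covering, key=specificity_key) if covering else None


def effective_access(profile, user, groups, profiles):
    """User entry beats group entries; highest group entry wins; else UACC."""
    if profile is None:
        return "NONE"
    uacc, acl = profiles[profile]
    if user in acl:
        return acl[user]
    group_levels = [acl[g] for g in groups if g in acl]
    if group_levels:
        return max(group_levels, key=LEVELS.index)
    return uacc


def audit_alias(alias, real_dsn, subjects, profiles=PROFILES):
    """For each (user, groups) subject, compare access via alias and via data set.

    Returns the covering profile for each name and a list of discrepancies,
    each (user, access_via_alias, access_via_dataset).
    """
    alias_prof = best_profile(alias, profiles)
    real_prof = best_profile(real_dsn, profiles)
    diffs = []
    for user, groups in subjects:
        via_alias = effective_access(alias_prof, user, groups, profiles)
        via_real = effective_access(real_prof, user, groups, profiles)
        if via_alias != via_real:
            diffs.append((user, via_alias, via_real))
    return {"alias_profile": alias_prof, "dataset_profile": real_prof,
            "discrepancies": diffs}


if __name__ == "__main__":
    # Constructed subjects: (user id, connected groups).
    subjects = [("ADM01", ["PRODADM"]), ("APP01", ["APPUSERS"]), ("USR01", [])]
    for alias in ("PRODUCT.LINKLIB", "PRODVER.PRODUCT.LINKLIB"):
        print(alias, audit_alias(alias, "PRODUCT.VERSION1.LINKLIB", subjects))
```

With the sample data, PRODUCT.LINKLIB falls under PRODUCT.** (UACC READ) while PRODUCT.VERSION1.LINKLIB falls under the more specific PRODUCT.V*.** (UACC NONE), so an ordinary user with no group permit gains READ through the alias; PRODVER.PRODUCT.LINKLIB has no covering profile at all, which is the PROTECTALL(FAILURE) denial the post describes for 'required action 1.'.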
Re: List user's
Hi Hilario,

What security software product is implemented on your system? If it's RACF, others have given you the answers you need. If it is CA's ACF2 or Top Secret, you will need to use their access activity reporting facilities to create your report. If you send your SMF data to a SIEM product, you may be able to use its capabilities to generate your report.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Fri, 15 Apr 2016 07:39:09 -0500
From: Hilario Garcia
Subject: List user's

Hello,

I need to obtain a list of users that access z/OS (CICS, TSO, Batch) on a specific date. Is there any job to obtain this data from RACF or SMF?

Thanks in advance.
Hilario
Re: How to log or trace BCPII activity on the SE?
Hi Thomas,

Is the FACILITY class RACLISTed on the system where you are having the problem? Look for it in the section titled "SETR RACLIST CLASSES" in the output from a RACF "SETROPTS LIST" command.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Fri, 18 Mar 2016 13:15:01 +
From: "Ambros, Thomas"
Subject: How to log or trace BCPII activity on the SE?

I have a puzzling situation. Receiving HWI022I with APPLDATA matching SE SNMP community name when HWIBCPII attempts to start at IPL. Machine has one standalone partition with its own RACF DB, this one fails. The other partitions on the machine work fine, with their own RACF DB. RLIST of the profile involved shows that it appears to be identical on the two RACF DB. Userids appear identical. Cross partition authority etc etc is validated. PMR open, a couple of dumps taken show that the resource requested and returned have all the right lengths and so on. Suggestion is to check logs at the SE but the default logs don't appear to capture the BCPII traffic or API information.

I am searching for documentation because I believe I have all the admin authority on that machine to enable detailed information myself but will be contacting my hardware support team for their advice as well. Anybody happen to know how to enable detailed logging or tracing of the BCPII traffic? I would be grateful for advice because I haven't turned up any decent info in searches yet.

Thanks...

Thomas Ambros
zEnterprise Operating Systems
zEnterprise Systems Management
518-436-6433
Re: Outsourcing Stories Good or Bad!
Hi Mark,

See the article "Outsource Risk" in the October 2014 edition of our RACF Tips newsletter.

http://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__October_2014.pdf

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Wed, 24 Feb 2016 10:31:14 +
From: Mark Wilson
Subject: Outsourcing Stories Good or Bad!

I am working with a client in Europe that is being requested by his senior management team to look at outsourcing their IT systems, including their system z platform.

Would anyone be willing to share any war stories of their experiences with Outsourcing good or bad? Offline from the list via email or for anyone attending Share in Texas willing to have a coffee/beer and discuss face to face.

Mark
Re: [Bulk] Re: [Bulk] UADS (was Re: [Bulk] Re: COBOL v5)
Hi Radoslaw,

It is fine to copy an off line RACF database using the tools you named. For a live RACF database, however, by not using IRRUT200, you risk copying the database while RACF is in the midst of updating it, in which case the copy may have integrity errors. A copy of a live database made using some other tool will be fine as long as no updates were being made at that particular point in time. IRRUT200 is much safer because it ensures no updates are in progress when making its copy. I wouldn't recommend using anything other than IRRUT200 (preferably) or IRRUT400 for making backups or copies of a live RACF database.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

-----Original Message-----
Date: Tue, 16 Feb 2016 21:48:37 +0100
From: "R.S."
Subject: Re: [Bulk] Re: [Bulk] UADS (was Re: [Bulk] Re: COBOL v5)

On 2016-02-15 at 12:48, Robert S. Hansel (RSH) wrote:
> I wholeheartedly agree with Joel's recommendation for having a backup copy of the RACF database readily available for recovery. I just want to add that it is crucial to use RACF utilities to create the backup and to allocate it with the proper characteristics. The preferred utility to use to create the backup is IRRUT200 which momentarily serializes the database, thereby preventing updates, while it copies the database. IRRUT400 can also be used, but it locks the database which you then have to unlock. The backup should be allocated as one extent, contiguous, and non-movable and, if using IRRUT200, with the exact same size as the source.

While I still support using UT200 to perform a copy of the RACF db, I have to admit I did many tests in the past when I intentionally used a RACF db made by ICEGENER, IEBGENER or ADRDSSU DUMP. With no "luck", that means I never got an inconsistent result. At least none of the RACF utilities detected an inconsistency. In other words even such a copy was usable.

Of course I still recommend using the proper tool for that.

BTW: all my tests were done against monoplex configurations.
BTW2: the tests had some reason behind them, it wasn't just "hey, let's put an egg in the microwave oven and see". ;-)

--
Radoslaw Skorupka
Lodz, Poland
Re: [Bulk] Re: [Bulk] UADS (was Re: [Bulk] Re: COBOL v5)
I wholeheartedly agree with Joel's recommendation for having a backup copy of the RACF database readily available for recovery. I just want to add that it is crucial to use RACF utilities to create the backup and to allocate it with the proper characteristics. The preferred utility to use to create the backup is IRRUT200 which momentarily serializes the database, thereby preventing updates, while it copies the database. IRRUT400 can also be used, but it locks the database which you then have to unlock. The backup should be allocated as one extent, contiguous, and non-movable and, if using IRRUT200, with the exact same size as the source. As determine by one of our RACF surveys and as found in our numerous RACF reviews, many organizations are not using RACF utilities to back up their databases and risk having a corrupted backup. If you are interested, the survey "RACF Database Backup" can be found on the RACF Center webpage of our website at the following URL. For those unfamiliar with our website, you'll find lots of other useful RACF information there as well. http://www.rshconsulting.com/racfres.htm Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com Upcoming RSH RACF Training - RACF Audit & Compliance Roadmap - APR 11-15, 2016 - RACF Level I Administration - MAY 17-20, 2016 - RACF Level II Administration -MAY 3-5, 2016 - RACF Level III Admin, Audit, & Compliance - JUN 14-16, 2016 - Securing z/OS UNIX - WebEx - JUL 25-29, 2016 -Original Message- Date:Sun, 14 Feb 2016 15:53:07 -0600 From:"Joel C. Ewing" Subject: Re: [Bulk] Re: [Bulk] UADS (was Re: [Bulk] Re: COBOL v5) But the only way to "fix"an unusable RACF database is to have a fairly recent backup copy of the RACF data base that can be restored. 
I would contend that is easier, and possibly safer, to do this from a fully functional "one-drive" tech support emergency z/OS system accessing production drives than to do it from a UADS-defined TSO user on a crippled production system without RACF or with a known-damaged database -- and there are so many other unanticipated problems such an emergency system can address that it doesn't make sense to be without one. If the only problem that can be solved by having a UADS-defined TSO user can be better addressed by a "must have" alternative, why persist with any UADS-defined TSO users once the alternative is available? Joel C. Ewing On 02/14/2016 01:04 PM, Skip Robinson wrote: > This problem occurs so seldom that I never thought of automating a response. > As of R12 or so, we now have AUTORxx, which can reply to WTORs very early in > the IPL. Not sure who here would have to approve such a change. The chances > of mischief being perpetrated are minimal, but it does open a very small > window for a clever miscreant. > > . > . > . > J.O.Skip Robinson > Southern California Edison Company > Electric Dragon Team Paddler > SHARE MVS Program Co-Manager > 323-715-0595 Mobile > jo.skip.robin...@att.net > > >> -Original Message- >> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] >> On Behalf Of Ed Jaffe >> Sent: Sunday, February 14, 2016 07:37 AM >> To: IBM-MAIN@LISTSERV.UA.EDU >> Subject: [Bulk] Re: [Bulk] UADS (was Re: [Bulk] Re: COBOL v5) >> >> On 2/13/2016 8:04 PM, Skip Robinson wrote: >>> This opinion is based on (thankfully) limited experience. If you are >>> forced to IPL without a usable RACF data base, you are totally >>> scr*wed. During IPL, operator will be prompted to allow even READ >>> access to *every* data set opened by *every* task except for a tiny >>> handful like JES that bypass integrity. By the time you get to the >>> point of actually logging on to TSO, operator's fingers will be >>> bleeding profusely. 
If at any time during this process, you are >>> god-forbid required to start over, yet more finger tips will have to be >>> sacrificed. >> We solved this with an MPF exit that would always reply 'Y' to each of those >> prompts (except for the first few IIRC). >> >> -- >> Edward E Jaffe >> Phoenix Software International, Inc >> 831 Parkview Drive North >> El Segundo, CA 90245 >> http://www.phoenixsoftware.com/ -- Joel C. Ewing,Bentonville, AR jcew...@acm.org -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
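Added example, not code from the post above and not IBM's sample: a JCL job that takes the kind of backup Bob describes. The first step preallocates the copy with the attributes he lists (one extent, contiguous, unmovable, same size as the source); the second runs IRRUT200 against the active primary. The data set names SYS1.RACF and SYS1.RACF.BACKUP, the volume RACF01 and the 30-cylinder size are assumptions and must be changed to match your own primary; the DCB is the standard 4 KB fixed-block layout of a RACF data set, so verify it against your primary before relying on it.

```jcl
//RACFBKUP JOB (ACCT),'RACF DB BACKUP',CLASS=A,MSGCLASS=X
//*
//* Added example, not code from the post. Assumed names: SYS1.RACF
//* (active primary), SYS1.RACF.BACKUP (the copy), volume RACF01 and a
//* 30-cylinder primary. Adjust all of them to your installation.
//*
//* Step 1: allocate the copy with the attributes the post calls for:
//* one extent, contiguous, unmovable (DSORG=PSU) and, because IRRUT200
//* will write it, exactly the same size as the source.
//ALLOC    EXEC PGM=IEFBR14
//BACKUP   DD DSN=SYS1.RACF.BACKUP,DISP=(NEW,CATLG,DELETE),
//            UNIT=3390,VOL=SER=RACF01,
//            SPACE=(CYL,(30),,CONTIG),
//            DCB=(DSORG=PSU,RECFM=F,LRECL=4096,BLKSIZE=4096)
//*
//* Step 2: IRRUT200 serializes the database only for the duration of
//* the copy (no LOCKINPUT/UNLOCKINPUT as with IRRUT400), verifies the
//* index and block availability masks, and writes the copy to SYSUT1.
//* SYSUT2 is its work file. A non-zero return code means the copy is
//* not to be trusted; read SYSPRINT before keeping it.
//COPY     EXEC PGM=IRRUT200,COND=(0,NE)
//SYSRACF  DD DSN=SYS1.RACF,DISP=SHR
//SYSUT1   DD DSN=SYS1.RACF.BACKUP,DISP=OLD
//SYSUT2   DD UNIT=SYSDA,SPACE=(CYL,(30,5))
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  INDEX
  MAP
  END
/*
```

The INDEX and MAP control statements make IRRUT200 print the index structure and block map while it copies, which is what gives you a verified backup rather than a bit copy that may carry a corrupted index. Schedule the job so that the copy is taken from the primary, not the RACF backup data set, and keep several generations; a single copy taken after corruption has already occurred is no better than none.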
Re: RACF reporting tool
Sharon, In addition to the products others have mentioned, also consider EKC's products - www.ekcinc.com Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com --- 2015 RACF Training - Securing z/OS UNIX - WebEx - SEPT 22-25, 2015 - Audit & Compliance Roadmap - Boston - NOV 10-13, 2015 - Intro & Basic Admin - WebEx - DEC 7-11, 2015 --- -Original Message- Date:Tue, 14 Jul 2015 19:18:19 + From:"Lopez, Sharon" Subject: RACF reporting tool What do most companies use for their RACF reporting/analysis tool? Are there any others that are comparable to Vanguard? Thank you. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: OMVS segments created on demand
Dave, You've touched on the one concern I have with using BPXMODEL to automatically set up a HOME for every user coupled with an automount policy that automatically creates the home file system. While it certainly is convenient, it potentially turns every ordinary CICS and IMS user into a telnet, ssh, or putty user. For this reason, the installations we've been working with to implement BPX.UNIQUE.USER have chosen to create a BPXMODEL user having an OMVS segment with PROGRAM(/bin/echo -or- /bin/false) and/or HOME that specifies a non-existing directory so as to deny use of telnet. A proper PROGRAM and HOME are assigned only to those relatively few individuals who need to access Unix files and directories, and this is done either manually or via ID provisioning scripts. While this technique blocks use of telnet and the like, it does not address use of other TCPIP applications such as FTP. FTP does not use PROGRAM or HOME. Most installations have not been aware that BPX.DEFAULT.USER made every ordinary CICS and IMS user an FTP user, and this realization has only come about as a result of its replacement. To restrict use of FTP and other such applications, you need to employ APPL and/or SERVAUTH profiles. I do not think it necessary to assign OMVS(NOUID) to all your ordinary users. This would simply trip them up and add to your administrative burden if they need legitimate access to a Unix service. Besides, they'd previously been getting such access all along via BPX.DEFAULT.USER. But you don't want them all to be telnet users either. Properly securing both the data (as John McKown wisely points out) and system entry points is the better way to go. P.S. While we're on the subject of FTP, now is a good time to review its JESINTERFACELEVEL configuration parameter and related RACF controls. See our RSH RACF Tips article on this topic: http://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__April_2010.pdf Regards, Bob Robert S. 
Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com --- 2015 RACF Training - Intro & Basic Admin - WebEx - JUN 22-26, 2015 - Securing z/OS UNIX - WebEx - SEPT 22-25, 2015 - Audit & Compliance Roadmap - Boston - NOV 10-13, 2015 - Intro & Basic Admin - WebEx - DEC 7-11, 2015 --- -Original Message- Date:Fri, 5 Jun 2015 08:27:24 -0500 From:David Magee Subject: OMVS segments created on demand Environment: running z/OS V2R1, using profiles BPX.NEXT.USER and BPX.UNIQUE.USER, the BPXMODEL profile is set up correctly (with HOME as /u/&racuid), and all users are automount manged under /u/ and the system dynamically creates and mounts the OMVS user's file system. New userid is added to RACF with no OMVS segment and neither it nor its GROUP is in any access list. Using an ssh client, I attempt to sign in to my z/OS host and it succeeds. The userid now has an OMVS segment and a mounted file system. That's great for adding new users that are members of our IT department, etc. But there are thousands of non-IT userids that exist in RACF for business purposes (users of CICS or IMS, etc.) and they have been in RACF for years with no OMVS segment. These days, a lot of that access is via browser or TN3270 clients on a PC of some type. A PC where an ssh client or putty could be used to attempt to access the z/OS host. Have I missed something? This seems to be a security issue to me. Other than going out and adding OMVS(NOUID) to a LOT of RACF USER profiles (which disables the dynamic creation of a new OMVS segment), what else is available to control this? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
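Added example, not code from the post above and not IBM's: the RACF setup Bob describes, run as a batch TSO step. The model user gets a HOME that does not exist and a PROGRAM that exits immediately, so an OMVS segment created on demand gives a telnet or ssh login no shell; FTP is gated separately with a SERVAUTH port profile, because the FTP server reads neither PROGRAM nor HOME; and the closing ALTUSER shows how the few real Unix users get a working segment. The names BPXMODEL, /nohome, FTPUSERS, SYSPROG1, the system name SYS1 and the FTP daemon job name FTPD are assumptions, as is the surrounding configuration: BPX.NEXT.USER already set up, FACILITY and SERVAUTH active and RACLISTed, and VERIFYUSER TRUE in FTP.DATA so that the server checks the port profile for every login.

```jcl
//BPXUNIQ  JOB (ACCT),'BPX.UNIQUE.USER SETUP',CLASS=A,MSGCLASS=X
//*
//* Added example, not code from the post or from IBM. Assumed names:
//* model user BPXMODEL, non-existent HOME /nohome, group FTPUSERS,
//* sysprog ID SYSPROG1, system name SYS1, FTP daemon job name FTPD.
//* Assumes BPX.NEXT.USER is already set up, FACILITY and SERVAUTH are
//* active and RACLISTed, and FTP.DATA contains VERIFYUSER TRUE so the
//* FTP server checks the SERVAUTH port profile for every login.
//*
//* NOPASSWORD makes the model a protected ID that cannot log on.
//* The SERVAUTH profile is the control that actually stops the
//* thousands of CICS/IMS users from using FTP; PROGRAM/HOME only
//* stop telnet, ssh and the like.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDUSER BPXMODEL NOPASSWORD NAME('BPX.UNIQUE.USER MODEL') +
   OMVS(HOME('/nohome') PROGRAM('/bin/false'))
 RDEFINE FACILITY BPX.UNIQUE.USER APPLDATA('BPXMODEL')
 SETROPTS RACLIST(FACILITY) REFRESH
 RDEFINE SERVAUTH EZB.FTP.SYS1.FTPD.PORT21 UACC(NONE)
 PERMIT EZB.FTP.SYS1.FTPD.PORT21 CLASS(SERVAUTH) ID(FTPUSERS) +
   ACCESS(READ)
 SETROPTS RACLIST(SERVAUTH) REFRESH
 ALTUSER SYSPROG1 OMVS(HOME('/u/sysprog1') PROGRAM('/bin/sh'))
/*
```

After the job runs, test from a non-IT user ID: an ssh login should still create the segment (UID from BPX.NEXT.USER, HOME and PROGRAM copied from BPXMODEL) but drop the connection at once, and an FTP login should be rejected with an ICH408I against the SERVAUTH profile. Keep the model's non-existent HOME as well as /bin/false; either one alone is enough to stop an interactive shell, and the two together survive a later change to one of them.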
Re: A Total Eclipse of the Spool
Hi Ed, If you will be using the FTP JES interface, I suggest you review our RACF Tips newsletter article on this topic. http://www.rshconsulting.com/racftips/RSH_Consulting__RACF_Tips__April_2010.pdf Regards, Bob -Original Message- Date:Fri, 17 Apr 2015 01:34:16 -0400 From:Rob Schramm Subject: Re: A Total Eclipse of the Spool AFAIK z/OS explorer uses ftp to interface with JES for retrieving output. Rob Schramm On Apr 13, 2015 6:56 AM, "Steve Austin" wrote: > Hello Ed, > Do you use any Macro 4 products (Tubes, DumpMaster, TraceMaster, InSync, > to name a few)? > If you do then our z/Explorer Eclipse offering is free to use. It > provides access to z/OS datasets and Unix files, allows jobs to be > submitted and the JES spool to be viewed without SDSF as a pre-req, and > it even has a 3270 emulator. Please contact your local Macro 4 or UNICOM > rep who will be only too happy to assist. If you don't use any of our > products then I am sure they can help you if you cannot find an > alternative resolution. > Regards > Keith Banham > R&D Manager > Macro 4 Ltd > > > Thanks > Keith Banham > Manager and Lead Engineer > Research and Development > Macro 4 Limited > > -Original Message- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Ed Long > Sent: 12 April 2015 03:47 > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: A Total Eclipse of the Spool > > I have been tasked with deploying Data Studio, the DB2 no charge > offering in the IBM Eclipse product set. z/OS, CICS and IMS explorers > round out the no charge offerings. > The target audience is not the long time, old time, 3270 types, but the > short time, new time Java, C# types who need to access z/OS data or > resources sometimes. They are not going to go through a 12 week master > the mainframe course since 90% of their work is off host. > I can get Data Studio working, even sort of compatibly with z/OS > explorer. At least both of these 2 will be deployed together. 
> I can get z/OS explorer to submit jcl, a requirement for some database > activities envisioned. Its builtin sysout retrieval function requires > SDSF and fairly heavy RACF configuration work. > However, we don't have SDSF; we have IOF. None of the necessary JES/RACF > stuff has been set up, even if IOF supports the function, to get z/OS > explorer to download the sysout. While SDSF and doing the configuration > stuff is the obvious answer, getting there would take an unplanned major > effort. > My question: What other options do I have to be able to retrieve > listings from within Eclipse? > For specific use cases, we could write reports to datasets and then use > the z/OS explorer to browse the dataset. This approach would mean the > listing would be unavailable but any reports would be. > We can assume that their jcl will be comparatively simple (Less than 10 > steps and much of it generated and heavily reliant on procedures). > I've been considering FTP which has a JES interface. > For phase 1 of this activity we assume there might be 100 target > developers. > Comments and suggestions most appreciated. > > Edward Long > > -- > For IBM-MAIN subscribe / signoff / archive access instructions, send > email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN > This e-mail message has been scanned and cleared by Postini / Google > Message Security and the UNICOM Global security systems. This message is > for the named person's use only. If you receive this message in error, > please delete it and notify the sender. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: APF-authorized calling non-authorized
Charles, What we did in a similar situation was have the front-end program perform only those tasks that needed to be APF-authorized and then turn off its APF-authorization and call the remaining programs that did not need authorization. I believe the latest version of MVS Planning: Security is circa 1984. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com --- 2014-2015 RACF Training - Audit & Compliance Roadmap - Boston - APR 21-24, 2015 - Intro & Basic Admin - WebEx - JUN 22-26, 2015 --- -Original Message- Date:Sun, 15 Mar 2015 11:37:30 -0700 From:Charles Mills Subject: Re: APF-authorized calling non-authorized Okay. I hear you. Here is the business problem. I need to develop program X. It must run APF-authorized to do one of the things it needs to do. I have written APF-authorized programs before and I more or less know what I am doing. I know enough to ask (some of?) the right questions and have the proper concerns. It also needs to do something we will call "processing A." It just so happens that there is an IBM program Y that does exactly A. (In fact, the real purpose of program X is front-ending program Y and doing some additional things, one of which requires authorization). The IBM program is AC=0 in an authorized library. I of course do not have the source for Y and so cannot inspect it for potential integrity issues. What do you suggest? Must I re-write Y from scratch so I may be relatively certain of its integrity? The only alternative I see is calling (LINK, etc.) Y from X. I agree with you. While we can be relatively confident that Y does nothing "bad" intentionally its authors presumably never intended it to run authorized. They may have said "oh, don't worry about that -- it will ABEND if anyone tries to do THAT" and that assumption will no longer be valid. Suggestions? 
No, there does not appear to be a V2R1 manual called MVS Planning: Security. Charles -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Has Anyone Seen this in ISPF before?
Unfortunately, IRRDBU00 does not unload PROFILE options, including PREFIX, and therefore, it is unlikely to detect an error in this field. I doubt any of the RACF utilities would detect this error. IRRUT200 performs checks on the integrity of the index and block availability masks but not on the content of the profiles. My advice to the OP would be to delete the TSO segment and recreate it just in case there are other problems with the information stored in RACF for this user. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com --- 2014-2015 RACF Training - Intro & Basic Admin - WebEx - DEC 8-12, 2014 - Securing z/OS UNIX - WebEx - FEB 3-6, 2015 - Intro & Basic Admin - WebEx - MAR 23-27, 2015 - Audit & Compliance Roadmap - Boston - APR 21-24, 2015 --- -Original Message- Date:Wed, 29 Oct 2014 11:45:35 -0400 From:Thomas Conley Subject: Re: Has Anyone Seen this in ISPF before? On 10/29/2014 11:35 AM, parke...@gmail.com wrote: > OK. Thanks. We are using RACF. What would dump? I will forward this to my > boss to see what he wants to do. > > IRRDBU00 will unload your RACF database to a flat file. Also, look at the IRRUT100, IRRUT200, and IRRUT400 utilities. One of them has a function to test the integrity of your RACF database. Good luck. Regards, Tom Conley -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Handle RACF abend in LE C
Gabor, It may be crashing because your ID apparently has access to FACILITY resource BPX.SERVER, which requires a 'clean' program environment (i.e., all programs must either be in LPA or defined by a PROGRAM class profile), and it is trying to load undefined programs. See the ICH422I messages. You'll either need to define the programs with their associated libraries to RACF or, unless you are specifically trying to create a daemon that needs BPX.SERVER authority, remove your access to the latter. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com --- 2014 RACF Training - Audit & Compliance Roadmap - Boston - OCT 27-30, 2014 - Intro & Basic Admin - WebEx - JUN 9-13, 2014 - Intro & Basic Admin - WebEx - DEC 8-12, 2014 - Securing z/OS UNIX - WebEx - SEPT 30 - OCT 3, 2014 --- -Original Message- Date:Sat, 10 May 2014 13:27:28 +0200 From:Gabor Hoffer Subject: Handle RACF abend in LE C Hello, I have a LE C program that crashes if I try to open a dataset that my user is not allowed to read. How can I catch and handle (in C) this type of error?
13.19.56 JOB08022 ICH408I USER(GAH2) GROUP(SYS1) NAME(GAH2
064 GAH.NOACCESS.PDS CL(DATASET ) VOL(DSK30E)
064 INSUFFICIENT ACCESS AUTHORITY
064 FROM GAH.NOACCESS.PDS (G)
064 ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )
13.19.56 JOB08022 IEC150I 913-38,IFG0194E,GEX1,AGENT,SYS00079,030E,DSK30E,GAH.N
13.19.56 JOB08022 CEE0374C CONDITION = CEE3250C TOKEN = 00040CB2 61C3C5C5 0
066 WHILE RUNNING PROGRAM UCXJM25
066 AT THE TIME OF INTERRUPT
066 PSW 078D0400 800A3FCC
066 GPR 0-3 00166D14 001667D8 00166A98
066 GPR 4-7 0008 0004 0BA47038
066 GPR 8-B 0D02E220 000207F0 0D02E220 000A3650
066 GPR C-F 00166D20 00166760 800A3F74
066 FLT 0-2 4E81536E0B5C
066 FLT 4-6
13.19.56 JOB08022 BPXP011I THREAD 0BD5D9B80003, IN PROCESS 50397294, WAS 0
072 TERMINATED DUE TO A PTHREAD QUIESCE OF TYPE 2.
13.19.56 JOB08022 BPXP011I THREAD 0BD5E644, IN PROCESS 50397294, WAS 0
073 TERMINATED DUE TO A PTHREAD QUIESCE OF TYPE 2.
13.19.56 JOB08022 BPXP011I THREAD 0BD5F2C80005, IN PROCESS 50397294, WAS 0
074 TERMINATED DUE TO A PTHREAD QUIESCE OF TYPE 2.
13.19.56 JOB08022 BPXP011I THREAD 0BD5A7980002, IN PROCESS 50397294, WAS 0
075 TERMINATED DUE TO A PTHREAD QUIESCE OF TYPE 2.
13.19.56 JOB08022 BPXP011I THREAD 0BD59B11, IN PROCESS 50397294, WAS 0
076 TERMINATED DUE TO A PTHREAD QUIESCE OF TYPE 2.
13.19.56 JOB08022 ICH422I THE ENVIRONMENT CANNOT BECOME UNCONTROLLED.
13.19.56 JOB08022 CSV042I REQUESTED MODULE IEAVTRP2 NOT ACCESSED. THE MODULE IS
13.19.56 JOB08022 BPXP014I ENVIRONMENT MUST REMAIN CONTROLLED FOR SERVER (BPX.S
13.19.56 JOB08022 CSV042I REQUESTED MODULE IEAVTRF4 NOT ACCESSED. THE MODULE IS
13.19.56 JOB08022 ICH422I THE ENVIRONMENT CANNOT BECOME UNCONTROLLED.
13.19.56 JOB08022 BPXP014I ENVIRONMENT MUST REMAIN CONTROLLED FOR SERVER (BPX.S
Thanks and regards, Gabor -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
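Added example, not code from the post above and not IBM's: the first of Bob's two options, defining the programs and their libraries to the PROGRAM class so that the address space stays "controlled" for BPX.SERVER. UCXJM25 is the program named in the CEE0374C message; the library GAH.LOADLIB that holds it and the Language Environment runtime library CEE.SCEERUN are assumptions, as is the assumption that SETROPTS WHEN(PROGRAM) is already active and that no PROGRAM profile named * exists yet (if one does, use RALTER ... ADDMEM instead of RDEFINE). Every library the process loads from must be covered the same way or live in LPA; the CSV042I messages name the modules that are still uncovered.

```jcl
//PGMCTL   JOB (ACCT),'PROGRAM CONTROL',CLASS=A,MSGCLASS=X
//*
//* Added example, not code from the post. Assumed names: GAH.LOADLIB
//* holds UCXJM25 (the program named in the CEE0374C message) and
//* CEE.SCEERUN is the Language Environment runtime it loads from.
//* Assumes SETROPTS WHEN(PROGRAM) is already active and that no
//* PROGRAM profile named * exists yet (RALTER ... ADDMEM if it does).
//* Any other library the process loads from (the CSV042I messages
//* name the modules) must be added the same way or reside in LPA.
//*
//* '...'//NOPADCHK : cataloged library, any volume, no pad-check of
//* already-loaded modules. UACC(READ) lets everyone execute; the
//* point of the profile is to declare the library trusted, not to
//* restrict who may run the program.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 RDEFINE PROGRAM UCXJM25 ADDMEM('GAH.LOADLIB'//NOPADCHK) UACC(READ)
 RDEFINE PROGRAM * ADDMEM('CEE.SCEERUN'//NOPADCHK) UACC(READ)
 SETROPTS WHEN(PROGRAM) REFRESH
 RLIST FACILITY BPX.SERVER AUTHUSER
/*
```

The closing RLIST with AUTHUSER prints the access list of BPX.SERVER and confirms Bob's guess about why the environment must stay controlled. If GAH2 does not need to act as a server (no pthread_security_np or __passwd calls on behalf of other users), his second option is the safer one and needs no PROGRAM profiles at all: PERMIT BPX.SERVER CLASS(FACILITY) ID(GAH2) DELETE followed by SETROPTS RACLIST(FACILITY) REFRESH. Either way, a program-controlled library must be write-protected to the same standard as an APF library, because anything loaded from it runs inside the controlled environment.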
Re: OMVS UID display
Venkat, Does this system have its own RACF database or does it share its database with other systems? If it shares its database, do commands like id display properly on those other systems? What is the AIM level of this database? Run the following job to find out.
//jobname JOB (account),'username',CLASS=x,MSGCLASS=x
//STEP EXEC PGM=IRRIRA00
//SYSPRINT DD SYSOUT=*
If AIM is at level 0 or 1, is the UNIXMAP class active? Check SETROPTS LIST. If it is active, are there any UNIXMAP profiles? Execute SEARCH CLASS(UNIXMAP) to find out. Specifically, is there a profile U12345 in which your USERID is in the access list? Execute RLIST UNIXMAP U12345 ALL to check. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com - 2013-2014 RACF Training - Audit & Compliance Roadmap - Boston - APR 22-25, 2014 - Intro & Basic Admin - WebEx - FEB 3-7, 2014 - Intro & Basic Admin - WebEx - JUN 9-13, 2014 - Securing z/OS UNIX - WebEx - MAR 4-7, 2014 - -Original Message- Date:Sun, 15 Dec 2013 09:35:30 +0530 From:venkat kulkarni Subject: Re: OMVS UID display Issue is only with this LPAR. I tried checking on other LPAR, all are fine. On Sun, Dec 15, 2013 at 9:04 AM, venkat kulkarni wrote: > This issue is not with single user. I am facing this with all RACF users. > > > > On Sun, Dec 15, 2013 at 9:02 AM, Jon Perryman wrote: > >> I think that the first user assigned to OMVS UID 12345 was deleted, or >> its OMVS segment was deleted or it was assigned to a new UID. My >> suggestion is that you modify the user to which you want displayed. >> >> Jon Perryman. >> >> > >> > From: venkat kulkarni >> > >> > >> >Hello, >> > I have RACF id associated with all UID and this problem is with >> >all users and getting *"Error for uid".* >> >I tried with many of the RACF user having diff access level and getting >> >same issue even with UID 0 . I really don't think that my RACF is >> corrupted. 
>> > >> > >> >Is there any other possibility? The whoami command gives me >> >RACFID@SYSNAME. I tried looking at many of the manuals for this error >> >but somehow failed. >> >Still looking into the manual. -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
z/OS 2.1 DVD Collection - Software Products
Greetings all, In recent years, IBM provided a z/OS DVD Collection download which contained copies of both z/OS and software product manuals (e.g., SK3T-4271-31). Prior to z/OS 1.11, these were provided as two separate collections. The newest collection for 2.1 (SK4T-4949-00) only contains the z/OS manuals and not those for software products. I haven't been able to find an updated collection for software products. Is IBM still providing such a collection, and if so, what is its publication number? Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel http://twitter.com/RSH_RACF www.rshconsulting.com - 2013-2014 RACF Training - Audit & Compliance Roadmap - Boston - APR 22-25, 2014 - Intro & Basic Admin - WebEx - FEB 3-7, 2014 - Intro & Basic Admin - WebEx - JUN 9-13, 2014 - Securing z/OS UNIX - WebEx - MAR 4-7, 2014 - -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RACF User ID resumed without an SMF record?
Greg, If the RACF database is shared across several LPARs, does the input to your daily RACFRW report include SMF data from all the LPARs? If SETROPTS AUDIT is not active for class USER and the OWNER of this CICS ID is a non-SPECIAL USERID, the latter could execute an ALTUSER that wouldn't be logged. Another possibility is this ID was being listed as REVOKED by LU because it had crossed the threshold set by SETROPTS INACTIVE but was able to logon via some mechanism that circumvented the INACTIVE limit. Here are some related questions.
1) Do you have SETROPTS INACTIVE set and to what number of days?
2) Was this ID listed as REVOKED prior to July 8?
3) Do you have a backup copy of the RACF database prior to July 8 from when the ID was showing up as REVOKED, and if you generate an IRRDBU00 database unload from this copy, does it show the ID as REVOKED? (An ID displayed as REVOKED by LU due to INACTIVE will not show up as REVOKED in the unload.)
4) What is the nature of this ID and how is it likely to be used? Is it hardcoded in any CICS CSD resource definitions such as those for SESSION, CONNECTION, TDQUEUE, or TERMINAL? Is it coded as the USERID in any EXEC CICS START commands within a program? Might Digital Certificates or PassTickets be involved in logging it on?
5) Do you have multiple RACF databases and is this ID defined and active on these other databases? Was it active on another system around the time of this logon?
6) What are the full details of its logon on the 9th? Does it show an associated TERMINAL, APPL, or JESINPUT node? (If it shows JESINPUT, then we might want to explore your RACFVARS &RACLNDE profile and NODES profiles.)
Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 
617-969-8211 www.linkedin.com/in/roberthansel https://twitter.com/RSH_RACF www.rshconsulting.com - 2013 RACF Training - Audit & Compliance Roadmap - Boston - NOV 5-8 - Intro & Basic Admin - WebEx - OCT 21-25 - Securing z/OS UNIX - WebEx - SEPT 17-20 - Securing z/OS UNIX - WebEx - DEC 3-6 - -Original Message- Date:Wed, 7 Aug 2013 11:33:24 -0500 From:Greg Shirey Subject: RACF User ID resumed without an SMF record? Hello group, Does anyone know of a method to resume a RACF revoked ID without having an SMF record be written? We produce a daily listing of RACF commands from our SMF type 80s (using RACFRW) and we list ADDUSER ADDGROUP ALTUSER ALTGROUP CONNECT DELUSER DELGROUP PASSWORD PERMIT RALTER RDEFINE REMOVE. We also produce a daily listing of our CICS user IDs and their RACF status. On July 8 we had a user ID on our report that was listed as REVOKED and a LAST-ACCESS date and time of 07/17/07 17:01:28. On July 9, the report showed the ID was no longer revoked and the LAST-ACCESS reported as 07/08/13 19:24:14. However, our SMF report listed no ALTUSER command or any other command against this ID. (No DELUSER or ADDUSER, for instance). I dumped the SMF records for both July 7 and July 8 and ran a RACFRW to list all the records and there is no reference to this User ID. I'm a sysprog, so I can't blame it on magic or elves - I could try blaming it on the software, but I'm finding that hard to believe - so I have to think there's something I'm missing. I've just looked at everything I know to look at. (Did someone modify SMF for a period? No. Does the COBOL program that lists the RACF users have a bug in it? No.) If anyone has a suggestion for what to look for, I'd appreciate hearing about it. Thanks, Greg Shirey Ben E. Keith Company -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: z/OS Configuration for Security - Not RACF or other ESM
Ken, The reference that perhaps comes closest to what you want is the book "OS/390-z/OS Security Audit and Control Features". It used to be available from ISACA but is now out of print. It is a bit dated (2004), somewhat verbose, and mostly focused on RACF. Also from ISACA is the 2009 checklist publication "z/OS Security Audit/Assurance Program". It is a free download for members. May not give you much more than you already have. At a glance, it appears to be a slightly updated checklist from that available in the aforementioned book. You might also find the DISA STIG for RACF helpful. It includes controls for z/OS. http://iase.disa.mil/stigs/os/mainframe/z_os.html To add to your list, also offhand, include PARMLIBs, catalogs, JESPARMs (governing entry of operator commands), TSO parms, installation SVCs and Program Calls, Exits, I/O Appendages, PROCLIBs, and IPLPARMs. So much of z/OS control is tightly coupled with RACF protection (how do you protect APF libraries without RACF?) that I would be inclined to combine their respective security best practices into a single document. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.rshconsulting.com - 2013 RACF Training - Audit & Compliance Roadmap - Boston - NOV 5-8 - Intro & Basic Admin - WebEx - OCT 21-25 - Securing z/OS UNIX - WebEx - JUL 23-25 - Securing z/OS UNIX - WebEx - SEPT 17-20 - Securing z/OS UNIX - WebEx - DEC 3-6 - -Original Message- Date:Fri, 28 Jun 2013 18:46:51 + From:Ken Porowski Subject: z/OS Configuration for Security - Not RACF or other ESM I have been tasked with documenting 'best practice' for configuring z/OS for security. This does not include RACF (or other ESM) practices. The scope is limited to what I can do in configuring z/OS to ensure no one can bypass RACF/ESM. 
What I can think of offhand is keeping tight control of LPALIST, LINKLIST, APFLIST, SCHEDxx/PPT Does anyone know of a book/paper/guide/reference that would outline a 'best practice' for z/OS security configuration. I've been searching this list, redbooks, Google, but not finding much that isn't RACF/ESM specific. TIA Ken Ken Porowski VP Mainframe Engineering CIT Information Technology +1 973 740 5459 (tel) One CIT Drive Livingston, NJ 07039 ken.porow...@cit.com www.cit.com -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: BYPASSING RECALL OF MIGRATED DSNS WHILE ATTEMPTING ALTER
Esmie, One possible solution would be to define group ARCCATGP to RACF, connect your ID to it, and logon with this group when you are about to execute IDCAMS. ARCCATGP is intended to allow you to perform catalog operations on migrated datasets without having to recall them. To log on with the group in TSO, enter ARCCATGP on the TSO/E Logon panel in the field labeled "Group Ident". In batch, code GROUP=ARCCATGP on the JOB card. I'm not certain it will work with IDCAMS ALTER, but it is worth a try. For more details, see IBM's z/OS DFSMShsm Implementation and Customization Guide. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.rshconsulting.com - 2013 RACF Training - Audit for Results - Boston - APR 24-26 - Intro & Basic Admin - Boston - MAY 21-23 - Securing z/OS UNIX - WebEx - JUL 23-25 - -Original Message- Date:Thu, 31 Jan 2013 10:45:04 -0800 From:esmie moo Subject: BYPASSING RECALL OF MIGRATED DSNS WHILE ATTEMPTING ALTER Good Afternoon Gentle Readers, I am altering a large amount of gdg dsns which are migrated:
/*
//STEP1 EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
 ALTER 'SMF.ZWA6PWG.DRAP0.RPT.G0999V00' ROLLIN
/*
//
The dsns are presently in ML2 with a STATUS--DEFERRED. How can I bypass the recall of the dsns (4,340) in order to alter them? -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
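Added example, not code from the post above: the whole procedure Bob outlines, as two jobs. The first defines ARCCATGP and connects the user to it; the second is the IDCAMS step from the question resubmitted with GROUP=ARCCATGP on the JOB card, so that ARCCATGP is the current connect group DFSMShsm looks at. The user ID ESMIE and the superior group SYS1 are assumptions.

```jcl
//DEFGRP   JOB (ACCT),'DEFINE ARCCATGP',CLASS=A,MSGCLASS=X
//*
//* Added example, not code from the post. Assumed names: user ESMIE
//* and superior group SYS1. Define the group once and connect only
//* the IDs that are allowed to change catalog entries of migrated
//* data sets without triggering a recall.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDGROUP ARCCATGP SUPGROUP(SYS1) OWNER(SYS1) +
   DATA('DFSMSHSM: CATALOG OPS ON MIGRATED DATA SETS W/O RECALL')
 CONNECT ESMIE GROUP(ARCCATGP) AUTHORITY(USE)
/*
//*
//* Second job, submitted by ESMIE after the connect has been done.
//* GROUP= on the JOB card makes ARCCATGP the current connect group,
//* which is what DFSMShsm checks. The IDCAMS step is unchanged.
//ROLLIN   JOB (ACCT),'ROLLIN W/O RECALL',CLASS=A,MSGCLASS=X,
//         GROUP=ARCCATGP
//STEP1    EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD *
  ALTER 'SMF.ZWA6PWG.DRAP0.RPT.G0999V00' ROLLIN
/*
```

Bob's caveat stands: run the second job against one generation first and confirm in the HSM activity log that no recall was issued before submitting the remaining 4,340. Treat membership in ARCCATGP as a privilege and remove the connect when the cleanup is done: the same bypass that avoids the recall also lets a user uncatalog or rename the catalog entry of a migrated data set, which orphans the ML2 copy.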
Re: DFSMRCL0 usermod - was: I broke it
Peter, Suggest to the ADCD owners that they make an IRRDBU00 unload of the RACF database and then run the IRRRID00 Remove ID utility with the unload as input to find and remove references to deleted users and groups. Instructions, examples, guidelines, and tips for running these utilities are provided in our presentation "RACF Utilities", available on our website via the RACF Center webpage. Also suggest to them that they run ICHDSM00 (a.k.a. DSMON) to identify system datasets that may not be properly protected and incomplete STARTED profiles. The aforementioned presentation has information on DSMON. Further suggest to them that they make an IRRHFSU unload of the entire Unix file system and examine the results to identify orphaned Owner UIDs and Group GIDs. Information for obtaining and running the IRRHFSU utility is provided in our presentation "IRRHFSU", also available on our website. This presentation includes a sample ICETOOL report for finding orphaned IDs. If the ADCD owners have any problems or questions when trying to run the reports or need help interpreting the results, have them contact me directly. We have use of an ADCD system in Dallas, so helping them clean this up would benefit us as well. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.rshconsulting.com - 2013 RACF Training - Securing z/OS UNIX - WebEx - JAN 15-17 - Intro & Basic Admin - WebEx - FEB 4-8 - Audit for Results - Boston - APR 24-26 - Intro & Basic Admin - Boston - MAY 21-23 - Securing z/OS UNIX - WebEx - JUL 23-25 - -Original Message- Date:Fri, 4 Jan 2013 08:13:24 -0500 From:Peter Relson Subject: Re: DFSMRCL0 usermod - was: I broke it The ADCD owners confirm that they do now have plans to run IBM HealthChecker for z/OS against the ADCD (at least for the newer releases of z/OS that they support). Whether that was a direct result of this thread or not, I am not sure. 
It remains to be seen how much they take advantage of the exceptions that initially are reported. Once that is underway, I expect, at least, that the DFSMRCL0 usermod will not be applied when a z/OS 1.13 ADCD system is subsequently built. I mention 1.13 only because that is the release where the HC of IEAVTRML is introduced and thus that is the release where the presence of DFSMRCL0 usermod would be flagged. Quite possibly they will be able to apply that "knowledge" to earlier releases that have IMS V9 or later (that being the release where the need for DFSMRCL0 went away, and knowing that earlier IMS versions are no longer supported). If any of you care to "contribute" by running HC yourself on the ADCD system and reporting things that both are flagged as exceptions and that in all likelihood would help just about the entire ADCD community to have changed, feel free to send me a note (but not that IEAVTRML one, please!). I mention the "entire ADCD community" only because I can imagine some exception situations being left alone in order to accommodate a subset of users who might need the flagged behavior. I have no specific examples of such things with respect to ADCD. I do also have hope that some information would accompany the distribution, setting the "expectation" for what exceptions one might see if running HC. Peter Relson z/OS Core Technology Design -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
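Added example, not code from the post above and not IBM's sample JCL: the three RACF utility runs Bob suggests to the ADCD owners in one job. IRRDBU00 unloads the database to a flat file, IRRRID00 reads that unload with an empty SYSIN to find residual references to users and groups that no longer exist, and DSMON produces the reports that show unprotected system data sets and incomplete STARTED profiles. The data set names SYS1.RACF.BACKUP (an IRRUT200 copy, used so that the live primary is never locked), RACF.UNLOAD and RACF.RID.CMDS are assumptions; the DCB values are from memory of the IBM samples and should be checked against the RACF Security Administrator's Guide before the job is run anywhere that matters.

```jcl
//RACFCLN  JOB (ACCT),'UNLOAD RID DSMON',CLASS=A,MSGCLASS=X
//*
//* Added example, not code from the post or from IBM. Assumed names:
//* SYS1.RACF.BACKUP (an IRRUT200 copy, so the live primary is never
//* locked), RACF.UNLOAD and RACF.RID.CMDS. DCB values are from memory
//* of the IBM samples; confirm them against the RACF Security
//* Administrator's Guide before running this in production.
//*
//* Step 1: flat-file unload of the database. NOLOCKINPUT because the
//* input is a copy; LOCKINPUT is only for unloading a live primary.
//UNLOAD   EXEC PGM=IRRDBU00,PARM=NOLOCKINPUT
//SYSPRINT DD SYSOUT=*
//INDD1    DD DSN=SYS1.RACF.BACKUP,DISP=SHR
//OUTDD    DD DSN=RACF.UNLOAD,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(CYL,(50,20),RLSE),
//            DCB=(RECFM=VB,LRECL=4096,BLKSIZE=27998)
//*
//* Step 2: IRRRID00 with an empty SYSIN searches the unload for
//* references to users and groups that are no longer defined and
//* writes the commands that would remove them to OUTDD. Nothing is
//* changed yet: review OUTDD, then run it through IKJEFT01 yourself.
//* SYSOUT receives messages from the sort that IRRRID00 invokes.
//RID      EXEC PGM=IRRRID00,COND=(0,NE)
//SYSPRINT DD SYSOUT=*
//SYSOUT   DD SYSOUT=*
//INDD     DD DSN=RACF.UNLOAD,DISP=SHR
//SYSUT1   DD UNIT=SYSDA,SPACE=(CYL,(50,20)),
//            DCB=(RECFM=VB,LRECL=4096,BLKSIZE=27998)
//OUTDD    DD DSN=RACF.RID.CMDS,DISP=(NEW,CATLG,DELETE),
//            UNIT=SYSDA,SPACE=(TRK,(30,30),RLSE),
//            DCB=(RECFM=FB,LRECL=80,BLKSIZE=8000)
//SYSIN    DD DUMMY
//*
//* Step 3: DSMON. The submitting user needs the AUDITOR attribute.
//* FUNCTION ALL includes the selected data sets report (link list,
//* APF list, RACF data sets and whether each is protected) and the
//* started procedures report that flags incomplete STARTED profiles.
//DSMON    EXEC PGM=ICHDSM00
//SYSPRINT DD SYSOUT=*
//SYSUT2   DD SYSOUT=*
//SYSIN    DD *
  FUNCTION ALL
/*
```

Two things to watch in the IRRRID00 output: it will also generate commands for IDs that are referenced only on another database if the unload came from one of several shared databases, and the generated PERMIT ... DELETE commands remove residual entries from access lists without telling you what the deleted user once had. Keep the unload and the command file together with the job output so the removal can be reviewed or reversed later.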
Re: I broke it - programcontrolled programs
Barbara, This is in regards to your statement "Asking about it here (and eventually finding where DFSMRCL0 is located) helped me when I had to get RDz running. Which insisted on a program-controlled environment despite BPX.DAEMON not being defined. According to the books and your explanation, the need for a program-controlled environment should not have been there. This was true for ftp, but not for RDz." IBM documentation states that Rational should be permitted UPDATE access to FACILITY class profile BPX.SERVER, and on our ADCD system, BPX.SERVER is defined and the Rational Started Task ID STCRSE has been permitted the required access. BPX.SERVER also requires a program-controlled environment. Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. 617-969-8211 www.linkedin.com/in/roberthansel www.rshconsulting.com - 2013 RACF Training - Securing z/OS UNIX - WebEx - JAN 15-17 - Intro & Basic Admin - WebEx - FEB 4-8 - Audit for Results - Boston - APR 24-26 - Intro & Basic Admin - Boston - MAY 21-23 - Securing z/OS UNIX - WebEx - JUL 23-25 - -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RACF AIM level
Jeff, A job like the following should do it.
// JOB card
// EXEC PGM=IRRIRA00
//SYSPRINT DD SYSOUT=*
Regards, Bob Robert S. Hansel Lead RACF Specialist RSH Consulting, Inc. *** Celebrating our Twentieth Anniversary *** 617-969-8211 www.linkedin.com/in/roberthansel www.rshconsulting.com - 2012 - 2013 RACF Training - Audit for Results - Boston - OCT 30 - NOV 1 - Securing z/OS UNIX - WebEx - JAN 15-17 - Intro & Basic Admin - WebEx - OCT 15-19 - Intro & Basic Admin - WebEx - FEB 4-8 - -Original Message- Date:Wed, 12 Sep 2012 16:11:30 -0500 From:Jeff Holst Subject: RACF AIM level I have inherited a system where I don't know the level of AIM indexing. I am certain it is less than 2, since I am getting an error message that tells me I need to be at that level to perform the actions I want to perform. But is the indexing 0 or 1? How can I tell? I would imagine that there is a command or utility that will tell me. My system is z/OS 1.11, so the health check that I have found to exist in 1.12 and later is not available. Jeff Holst Fiserv -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN