Re: Privileged Users (was: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?)

2016-05-19 Thread Joel C. Ewing
On 05/18/2016 05:16 AM, Elardus Engelbrecht wrote:
> Robert S. Hansel (RSH) wrote:
>
>> OPERATIONS users actually can grant privileges because they can create 
>> dataset profiles for any group. And if they own a profile they create, they 
>> can permit access to it.
> RACF by default will allow that OPERATIONS stunt. IRREVX01 can be used to 
> block those acrobats.
>
> I needed to block them, because 'they' created profiles causing outages. No 
> Production STCs are going to use users' own datasets. 
>
> Groete / Greetings
> Elardus Engelbrecht
>
>
Even a non-OPERATIONS user can potentially create RACF profiles for data
sets under their authority that might cause problems in an installation
where data set qualifiers and generic profiles are intended to control
default access and exceptions require justification.

At some point it makes sense to rely on installation standards, some
user education that the foot they shoot may be their own, and maybe some
blocked ISPF panel options to not make it easy for someone not properly
trained in installation RACF conventions to create RACF profiles, even
on their own data sets.

-- 
Joel C. Ewing, Bentonville, AR   jcew...@acm.org

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Privileged Users (was: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?)

2016-05-18 Thread Jesse 1 Robinson
I set up the job a couple of years ago with help from (I think) RACF-L. I did 
what was asked of me. No OMVS info was included. And no, I was not dumb enough 
to ask if they wanted that also. ;-)

.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com



Re: Privileged Users (was: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?)

2016-05-18 Thread Elardus Engelbrecht
Robert S. Hansel (RSH) wrote:

>OPERATIONS users actually can grant privileges because they can create dataset 
>profiles for any group. And if they own a profile they create, they can permit 
>access to it.

RACF by default will allow that OPERATIONS stunt. IRREVX01 can be used to block 
those acrobats.

I needed to block them, because 'they' created profiles causing outages. No 
Production STCs are going to use users' own datasets. 

Groete / Greetings
Elardus Engelbrecht



Re: Privileged Users (was: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?)

2016-05-18 Thread Robert S. Hansel (RSH)
Hi Skip,

OPERATIONS users actually can grant privileges because they can create dataset 
profiles for any group. And if they own a profile they create, they can permit 
access to it.

In z/OS 2.2, you will be able to replace the assignment of AUDITOR authority 
with ROAUDIT, which truly is benign because it allows a user to look at all 
profiles and SETROPTS options without changing any audit settings.

Just curious, in your 'elevated access' report, do you include users with UID 0 
or access to BPX.SUPERUSER?

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
http://twitter.com/RSH_RACF
www.rshconsulting.com

Upcoming RSH RACF Training
- RACF Audit & Compliance Roadmap - DEC 5-9, 2016
- RACF Level I Administration - MAY 17-20, 2016
- RACF Level II Administration - SEPT 19-23, 2016
- RACF Level III Admin, Audit, & Compliance - JUN 14-16, 2016
- Securing z/OS UNIX  - WebEx - JUL 25-29, 2016


-Original Message-
Date: Tue, 17 May 2016 16:37:50 +
From: Jesse 1 Robinson
Subject: Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

An interesting take on ADDSD. We produce a periodic report here on userids with 
'elevated access', which includes SPECIAL, OPERATIONS, and AUDITOR (the benign 
type). OPERATIONS cannot grant privileges but could do a lot of damage. I 
consider AUDITOR vital for sysprogs in order to diagnose--not necessarily 
fix--security problems at odd hours. It's been pointed out to me that AUDITOR 
allows someone to change RACF audit rules. A far-fetched but not inconceivable 
exposure. 

I think that managers here are required now and again to 'confirm' the need for 
elevated access, but no major battles have ensued within my earshot. ;-)

.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler 
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
robin...@sce.com


-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John McKown
Sent: Tuesday, May 17, 2016 8:57 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: EXTERNAL: Re: [EXTERNAL] Re: smp/e sha-2 support?

On Tue, May 17, 2016 at 9:41 AM, Mike Schwab 
wrote:

> Any ID that can grant privileges to another ID.
>

By the above definition, _every_ id in RACF which has TSO capability is an 
administrator. How? Suppose that I am BUBBA. I log into TSO. I issue the
commands:

ADDSD MY.DATASET UACC(NONE)
PERMIT MY.DATASET ID(FRED) ACCESS(UPDATE)

I have granted privileges to another ID, therefore I am an Admin user. I would 
really hope that what the auditor might be satisfied with would be people who 
are RACF SPECIAL or GROUP-SPECIAL. Of course, many of the z/OS sysprogs on 
this list know how to make a joke of any security, short of encrypted data to 
which they don't have the key.


--
The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Maranatha! <><
John McKown

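Skip's periodic 'elevated access' report, and Bob's question about whether it covers UID 0 and BPX.SUPERUSER, are easiest to answer from an IRRDBU00 database unload rather than from LISTUSER output. The Python below is an added example written for this page, not code from either poster or from IBM: it walks the unload's fixed-column records once, flags SPECIAL, OPERATIONS and AUDITOR from the 0200 user basic data records, UID 0 from the 0270 user OMVS records, and any access other than NONE to FACILITY BPX.SUPERUSER from the 0505 access-list records, expanding a permit to a group through the 0102 group member records and ID(*) to every defined user. The column offsets in LAYOUT are recalled from the IRRDBU00 layouts and are assumptions to verify against the RACF Macros and Interfaces manual for your release; the userids, group and records in the sample are constructed here. ROAUDIT (z/OS 2.2) is left out because its 0200 column is not stated here; add it from the manual if you want it reported alongside AUDITOR.

```python
from collections import defaultdict

# Column map, 1-based and inclusive, for the IRRDBU00 record types this report reads.
# ASSUMPTION: these offsets are recalled from the IRRDBU00 layouts; confirm them
# against the RACF Macros and Interfaces manual for your z/OS release before use.
LAYOUT = {
    "0102": {"group": (6, 13), "member": (15, 22)},                 # group member data
    "0200": {"user": (6, 13), "SPECIAL": (40, 43),
             "OPERATIONS": (45, 48), "AUDITOR": (386, 389)},       # user basic data
    "0270": {"user": (6, 13), "uid": (15, 24)},                     # user OMVS data
    "0505": {"profile": (6, 251), "class": (253, 260),
             "id": (262, 269), "access": (271, 278)},              # general resource access list
}


def field(line, span):
    """Slice one fixed-column field out of an unload record (short records are tolerated)."""
    start, end = span
    return line[start - 1:end].strip()


def elevated_access(lines):
    """Return {userid: sorted reasons} for every userid with elevated access.

    Reasons are SPECIAL, OPERATIONS, AUDITOR, UID(0) and BPX.SUPERUSER. A permit on
    BPX.SUPERUSER granted to a group is expanded to the group's members, and ID(*)
    is expanded to every user defined in the unload.
    """
    reasons = defaultdict(set)
    users = set()                 # every userid seen in a 0200 record
    members = defaultdict(set)    # group -> connected userids, from 0102 records
    superuser_ids = set()         # ids with access other than NONE on FACILITY BPX.SUPERUSER
    for line in lines:
        rtype = line[:4]
        cols = LAYOUT.get(rtype)
        if cols is None:
            continue
        if rtype == "0102":
            members[field(line, cols["group"])].add(field(line, cols["member"]))
        elif rtype == "0200":
            user = field(line, cols["user"])
            users.add(user)
            for attr in ("SPECIAL", "OPERATIONS", "AUDITOR"):
                if field(line, cols[attr]) == "YES":
                    reasons[user].add(attr)
        elif rtype == "0270":
            uid = field(line, cols["uid"])
            if uid.isdigit() and int(uid) == 0:
                reasons[field(line, cols["user"])].add("UID(0)")
        elif rtype == "0505":
            if (field(line, cols["class"]) == "FACILITY"
                    and field(line, cols["profile"]) == "BPX.SUPERUSER"
                    and field(line, cols["access"]) != "NONE"):
                superuser_ids.add(field(line, cols["id"]))
    for pid in superuser_ids:
        if pid == "*":
            targets = users
        elif pid in members:          # an id with 0102 records is a group
            targets = members[pid]
        else:
            targets = {pid}
        for user in targets:
            reasons[user].add("BPX.SUPERUSER")
    return {user: sorted(attrs) for user, attrs in sorted(reasons.items())}


def make_record(rtype, values):
    """Build one fixed-column unload line; used only for the constructed sample below."""
    cols = LAYOUT[rtype]
    buf = [" "] * max(end for _, end in cols.values())
    buf[0:4] = rtype
    for name, text in values.items():
        start, end = cols[name]
        assert len(text) <= end - start + 1, f"{name} too long for its column"
        buf[start - 1:start - 1 + len(text)] = text
    return "".join(buf)


# Constructed sample unload: not from a real RACF database.
SAMPLE_UNLOAD = [
    make_record("0200", {"user": "SYSADM1", "SPECIAL": "YES", "OPERATIONS": "NO", "AUDITOR": "NO"}),
    make_record("0200", {"user": "OPER1", "SPECIAL": "NO", "OPERATIONS": "YES", "AUDITOR": "NO"}),
    make_record("0200", {"user": "SYSPROG1", "SPECIAL": "NO", "OPERATIONS": "NO", "AUDITOR": "YES"}),
    make_record("0200", {"user": "BUBBA", "SPECIAL": "NO", "OPERATIONS": "NO", "AUDITOR": "NO"}),
    make_record("0200", {"user": "FRED", "SPECIAL": "NO", "OPERATIONS": "NO", "AUDITOR": "NO"}),
    make_record("0270", {"user": "SYSPROG1", "uid": "0000000000"}),   # UID 0
    make_record("0270", {"user": "BUBBA", "uid": "0000001234"}),
    make_record("0102", {"group": "UNIXADM", "member": "FRED"}),
    make_record("0505", {"profile": "BPX.SUPERUSER", "class": "FACILITY",
                         "id": "UNIXADM", "access": "READ"}),       # group permit
    make_record("0505", {"profile": "BPX.SUPERUSER", "class": "FACILITY",
                         "id": "BUBBA", "access": "NONE"}),         # explicit NONE: not elevated
]

if __name__ == "__main__":
    for user, attrs in elevated_access(SAMPLE_UNLOAD).items():
        print(f"{user:<8} {' '.join(attrs)}")
```

On a real unload, pass the file's lines (transferred in text mode, or decoded from EBCDIC) to elevated_access(). Two caveats the example does not cover: a UACC other than NONE, or WARNING mode, on the BPX.SUPERUSER profile gives everyone the same effect as a permit and is read from the 0500 profile record, and a user who can grant access by creating profiles for their own data sets, as in the ADDSD/PERMIT sequence above, will not appear here at all, which is the whole point of the thread.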