Auditing the RACF Environment

Topic 1: Auditing RACF

Eberhard Klemens Co.

Experts in Computer Systems - Software - Security

Copyright 2000, 2006 EKC Inc.

Topic 1 Objectives

- The Audit Environment
- Sample Audit Points
- Audit Controls
- Audit Data
- Audit Reporting

www.ekcinc.com

Separation of Powers

Diagram labels: SPECIAL, AUDITOR

Conducting the Audit

- Judge how effectively RACF has been implemented to handle security at the installation.
- Identify any security exposures.
- Recommend ways to improve the system.

The Audit Cycle

- Establish Benchmark
- Check loggings regularly
- Re-examine security implementation and compare against last benchmark
- Establish new benchmark

Twelve Point Approach

- Point 1 - System Controls - Level of Implementation
- Point 2 - Change Control Over Options and Software
- Point 3 - Protection for Database and SMF Files
- Point 4 - Enforcement of Security Policy
- Point 5 - Password Administration
- Point 6 - Approach to Access Profiles

Twelve Point Approach

- Point 7 - Ability to Bypass Controls
- Point 8 - Control of Non-Owned Ids
- Point 9 - Controls Over Production Ids
- Point 10 - Controls for Key System Components
- Point 11 - Ability to Gain Unauthorized Access
- Point 12 - Security Reporting and Follow-Up

1 - System Implementation

Limit / Control / Review

- RACF Release level, System Release level
  Where to Look: DSMON System Report - shows z/OS and RACF Release / FMID levels
- RACF Exits
  Where to Look: DSMON System Exits Report - shows module names and lengths of installed exits
- PROTECTALL settings
  Where to Look: SETROPTS LIST - shows PROTECTALL level and options

2 - Administration / Change Control

Limit / Control / Review

- Assignment of system-SPECIAL
  Where to Look: DSMON Selected User Attribute Report - shows number of users and user IDs given system-SPECIAL
- Use of RVARY command
  Where to Look: SETROPTS LIST - shows if there is an RVARY password specified
- Use of SETROPTS REFRESH command
  Where to Look: DSMON SUAR - shows number of users and user IDs with SPECIAL and AUDITOR

3 - Securing access to RACF & SMF

Limit / Control / Review

- Access to RACF database carefully controlled
  Where to Look: LISTDSD - shows access lists for primary and backup RACF databases
- Access to SMF files limited
  Where to Look: LISTDSD - shows access lists for primary and backup RACF databases
- Regularly scheduled backups of RACF database files
  Where to Look: Site specific - Review procedures and schedule for backup of RACF database(s)

4 - Security Policy Review

Limit / Control / Review

- Determine existence of security policy
  Where to Look: Interviews with Security management staff.
- Procedures in place for PASSWORD changes, makeup.
  Where to Look: Review site specific procedures, SETROPTS LIST
- Handling of deleted userids
  Where to Look: Review site specific procedures

5 - Password Policy Review

Limit / Control / Review

- Periodic required password change
  Where to Look: SETROPTS LIST - Review change interval.
- PASSWORD length
  Where to Look: SETROPTS LIST - Review site specific procedures
- PASSWORD “hacking”
  Where to Look: SETROPTS LIST - Review unsuccessful password attempts

6 - Access Hierarchy

Limit / Control / Review

- Verify access lists for individuals and groups
  Where to Look: DSMON GROUP TREE - Review groups to determine definition and use of functional groups.
- Verify appropriate UACC access
  Where to Look: LISTDSD - Review dataset profiles for appropriate UACC access.
- Verify OWNER data for profiles and groups
  Where to Look: DSMON GROUP TREE, LISTDSD - Review owner data to determine inheritance of data / application ownership

7 - Ability to Bypass Controls

Limit / Control / Review

- Verify SETROPTS PROTECTALL active in FAILURE mode
  Where to Look: SETROPTS LIST - shows if PROTECTALL FAILURE is in effect
- Ensure SETROPTS NOADDCREATOR is applied
  Where to Look: SETROPTS LIST - shows if profile creator is automatically added with ALTER to access list
- Minimize use of OPERATIONS attribute
  Where to Look: DSMON - shows number of users with OPERATIONS

8 - Non-Owned Userids

Limit / Control / Review

- Use of region IDs for batch jobs submitted on behalf of users
  Where to Look: Search for PROPCNTL profiles - SEARCH CLASS(PROPCNTL) NOMASK
- Review use of surrogate profiles
  Where to Look: Search for SURROGAT profiles - SEARCH CLASS(SURROGAT) NOMASK

9 - Controls over Production IDs

Limit / Control / Review

- Review rationale used to associate production IDs with jobs
  Where to Look: Site specific
- Verify controls over production JCL libraries
  Where to Look: Dataset profiles - Review profiles to ensure appropriate access
- Review SURROGAT use to ensure only authorized use
  Where to Look: SURROGAT profiles - RL userid.SUBMIT CL(SURROGAT) AU

10 - Key System Components

Limit / Control / Review

- Review inventory of products requiring security interface
  Where to Look: Site specific - List of installed products
- Verify adequacy of access controls in place
  Where to Look: Review general resource profiles for vendor products.
- Assure adequate use of SAF-based controls
  Where to Look: DSMON Authorized Caller Report

11 - Ability to gain unauthorized access

Limit / Control / Review

- User IDs which have never been used or not used for an extended period of time
  Where to Look: SEARCH CLASS(USER) AGE(120)
- Default userids (IBMUSER)
  Where to Look: LU IBMUSER
- RACF default password
  Where to Look: Review procedures for changing passwords

12 - Security Reporting and Follow-up

Limit / Control / Review

- Review types and frequency of reports
  Where to Look: Site specific procedures
- Review report distribution
  Where to Look: Site specific procedures
- Determine actions from violation attempts
  Where to Look: Site specific procedures

Auditor Controls

- General Controls
  - SETROPTS Commands – SETR AUDIT(*)
- Specific Controls
  - User activity – ALU …
  - Dataset activity – ALTDSD
  - Resource activity – RALTER

Audit Controls - SETROPTS

- APPLAUDIT and NOAPPLAUDIT
- AUDIT and NOAUDIT
- CMDVIOL and NOCMDVIOL
- LIST
- LOGOPTIONS
- OPERAUDIT and NOOPERAUDIT
- REFRESH GENERIC
- REFRESH RACLIST
- SAUDIT and NOSAUDIT
- SECLABELAUDIT and NOSECLABELAUDIT
- SECLEVELAUDIT and NOSECLEVELAUDIT

Controlling Logging

Diagram labels: Application, Owner, Auditor, SYS1.MANx

Owner-Controlled Logging

ALTDSD 'PAYROLL.MASTER.*' AUDIT(FAILURES(READ))

Profile Name        . . .   AUDIT            GLOBALAUDIT
PAYROLL.MASTER.*    . . .   FAILURES(READ)

Auditor Controls - Logging

SETR LOGOPTIONS(ALWAYS(DASDVOL))
SETR LOGOPTIONS(FAILURES(TERMINAL))

ALU STAN UAUDIT

ALTDSD 'PAYROLL.MASTER.*' GLOBALAUDIT(SUCCESS(UPDATE))

Profile Name        . . .   AUDIT            GLOBALAUDIT
PAYROLL.MASTER.*    . . .   FAILURES(READ)   SUCCESS(UPDATE)
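How the owner's AUDIT setting, the auditor's GLOBALAUDIT setting, SETROPTS LOGOPTIONS and UAUDIT from the two logging slides combine into one logging decision, as an added example that is not part of the original slides. It is a simplified Python model rather than RACF code: the names Profile, parse_audit and log_reasons are hypothetical, LOGOPTIONS(NEVER) and the EXECUTE and NONE access levels are left out, and the scenario is constructed from the PAYROLL.MASTER.* profile shown above.

```python
import re
from dataclasses import dataclass

# RACF access levels, lowest to highest authority (EXECUTE and NONE not modelled).
LEVELS = ("READ", "UPDATE", "CONTROL", "ALTER")
# SETROPTS LOGOPTIONS values modelled here; NEVER is deliberately left out.
LOGOPTIONS = ("DEFAULT", "ALWAYS", "SUCCESSES", "FAILURES")


def parse_audit(operand):
    """Turn an AUDIT/GLOBALAUDIT operand such as 'FAILURES(READ)' or
    'SUCCESS(UPDATE) FAILURES(READ)' into {'SUCCESS': lvl, 'FAILURES': lvl}."""
    thresholds = {}
    pattern = r"\b(ALL|SUCCESS|FAILURES|NONE)\b(?:\((\w+)\))?"
    for kind, level in re.findall(pattern, operand.upper()):
        if kind == "NONE":
            continue
        level = level or "READ"  # READ is the default audit access level
        if level not in LEVELS:
            raise ValueError(f"unknown access level: {level}")
        for key in (("SUCCESS", "FAILURES") if kind == "ALL" else (kind,)):
            thresholds[key] = level
    return thresholds


@dataclass
class Profile:
    name: str
    audit: str = "FAILURES(READ)"  # owner-controlled: ALTDSD ... AUDIT(...)
    globalaudit: str = "NONE"      # auditor-controlled: ALTDSD ... GLOBALAUDIT(...)


def log_reasons(profile, requested, granted, logoptions="DEFAULT", uaudit=False):
    """Return the controls that cause this access attempt to be logged.
    An empty list means no log record is written."""
    if requested not in LEVELS:
        raise ValueError(f"unknown access level: {requested}")
    if logoptions not in LOGOPTIONS:
        raise ValueError(f"LOGOPTIONS value not modelled: {logoptions}")
    outcome = "SUCCESS" if granted else "FAILURES"
    reasons = []
    if uaudit:  # ALU userid UAUDIT: log this user's activity
        reasons.append("UAUDIT")
    # Class-wide setting: ALWAYS logs everything; SUCCESSES and FAILURES add
    # logging of that outcome on top of whatever the profile asks for.
    if (logoptions == "ALWAYS"
            or (logoptions == "SUCCESSES" and granted)
            or (logoptions == "FAILURES" and not granted)):
        reasons.append(f"LOGOPTIONS({logoptions})")
    # Profile settings: either the owner's or the auditor's is enough to log.
    for control, operand in (("AUDIT", profile.audit),
                             ("GLOBALAUDIT", profile.globalaudit)):
        threshold = parse_audit(operand).get(outcome)
        if threshold and LEVELS.index(requested) >= LEVELS.index(threshold):
            reasons.append(control)
    return reasons


def demo():
    """Constructed scenario built from the commands on the slides."""
    payroll = Profile("PAYROLL.MASTER.*", "FAILURES(READ)", "SUCCESS(UPDATE)")
    attempts = [
        ("failed READ", "READ", False, {}),
        ("successful READ", "READ", True, {}),
        ("successful UPDATE", "UPDATE", True, {}),
        ("successful READ by a UAUDIT user", "READ", True, {"uaudit": True}),
    ]
    return {label: log_reasons(payroll, req, ok, **kw)
            for label, req, ok, kw in attempts}


if __name__ == "__main__":
    for label, reasons in demo().items():
        print(f"{label:35} -> {', '.join(reasons) or 'not logged'}")
```

The owner cannot switch off what the auditor has requested: removing AUDIT from the profile still leaves successful updates logged through GLOBALAUDIT.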

Two Types of Audit Data

- Snapshot Data – The Implementation
  - RACF Commands – L…, SETR LIST
  - Data Security Monitor – DSMON
  - RACF Database Unload – IRRDBU00
- Event Data – Wazhappnin???
  - RACF Commands – LOGOPTIONS, GLOBALAUDIT…
  - SMF Data Unload Utility – IFASMFDP
- Reporting Tools – SAMPLIB
  - RICE reports – ICEMAN statements for DB & SMF unloaded data
  - DB2 queries – RACDBUxx, IRRADUxx

Running the DSMON Program

Diagram labels: Hardware, Software, DSMON (ICHDSM00), Reports

//stepname EXEC PGM=ICHDSM00
//SYSPRINT DD SYSOUT=A
//SYSUT2   DD SYSOUT=A
//SYSIN    DD *
LINECOUNT 55
FUNCTION ALL
USEROPT USRDSN PAY.MASTER.FILE

DSMON Reports

- Selected Data Sets Report
- Group Tree Report
- RACF Global Access Table Report
- RACF Class Descriptor Table Report
- RACF Started Procedures Table Report
- Selected User Attribute Summary Report
- Selected User Attribute Report
- RACF Exits Report
- RACF Authorized Caller Table Report
- Program Properties Table Report
- System Report

System Report

CPU-ID                     111606
CPU MODEL                  2064
OPERATING SYSTEM/LEVEL     z/OS 1.6.0
SYSTEM RESIDENCE VOLUME    DR250B
SMF-ID                     ZOSR
RACF FMID HRF7709 IS ACTIVE

Program Properties Table Report

PROGRAM     BYPASS PASSWORD     SYSTEM
NAME        PROTECTION          KEY
---------------------------------------
IEDQTCAM    NO                  YES
ISTINM01    YES                 YES
IKTCAS00    NO                  YES
AHLGTF      NO                  YES
HHLGTF      NO                  YES
IHLGTF      NO                  YES
IEFIIC      NO                  YES
IEEMB860    YES                 YES
IEEVMNT2    NO                  YES
IASXWR00    NO                  YES
CSVVFCRE    NO                  YES
HASJES20    YES                 YES
DFSMVRC0    NO                  YES
IATINTK     YES                 YES
DXRRLM00    NO                  YES

RACF Authorized Caller Table Report

MODULE      RACINIT        RACLIST
NAME        AUTHORIZED     AUTHORIZED
---------------------------------------
DFHSIP      NO             YES

RACF Exit Report

EXIT MODULE NAME     MODULE LENGTH
-----------------------------------
ICHPWX01             1354
ICHDEX01             224

Selected User Attribute Report

Columns: USERID; ATTRIBUTE TYPE (SPECIAL, OPERATIONS, AUDITOR, REVOKE); ASSOCIATIONS (NODE.USERID, PASSWORD SYNC, ASSOCIATION TYPE)

BIGBIRD    SYSTEM SYSTEM
BERT       SYSTEM
ELMO       GROUP GROUP
ERNIE      SYSTEM SYSTEM
GROVER     SYSTEM SYSTEM
GROUCH     GROUP
IBMUSER    SYSTEM SYSTEM SYSTEM
SNUFFY     GROUP
ZOE        GROUP

Selected User Attribute Summary

TOTAL DEFINED USERS: 563

TOTAL SELECTED ATTRIBUTE USERS:

ATTRIBUTE BASIS   SPECIAL   OPERATIONS   AUDITOR   REVOKE
----------------------------------------------------------
SYSTEM            4         3            1         2
GROUP             1         2            1         1

Started Procedures Table Report

FROM THE STARTED PROCEDURES TABLE (ICHRIN03):

FROM PROFILES IN THE STARTED CLASS:

PROFILE           ASSOCIATED   ASSOCIATED
NAME              USER         GROUP        PRIVILEGED   TRUSTED   TRACE
-------------------------------------------------------------------------
CICS.REGIONA      CICSA                     NO           NO        NO
CICS.REGIONB      CICSB                     NO           NO        NO
DCEKERN.* (G)     DCEKERN      DCEGRP       NO           NO        NO
EZAFTPAP.* (G)    TCPIP        OMVSGRP      NO           YES       NO
FTPD.* (G)        OMVSKERN     OMVSGRP      NO           NO        NO
MVSNFS.* (G)      TCPIP        OMVSGRP      NO           NO        NO
OMVS.* (G)        OMVSKERN     OMVSGRP      NO           NO        NO
PORTMAP.* (G)     TCPIP        OMVSGRP      NO           YES       YES
FTPSERVE.* (G)    TCPIP        OMVSGRP      NO           YES       NO
INETD.* (G)       INETD        SYS1         NO           NO        NO
SMF.* (G)         STCUSR       SYS1         NO           YES       NO
IRRDPTAB.* (G)    STCUSR       SYS1         NO           YES       NO
JES2.* (G)        STCUSR       SYS1         NO           YES       NO
LLA.* (G)         STCUSR       SYS1         NO           YES       NO
TSO.* (G)         TSO          TSOGRP       NO           NO        NO
VTAM.* (G)        VTAM         VTAMGRP      NO           YES       NO
LOGREC.* (G)      LOGREC       SYS1         NO           NO        NO
** (G)            =MEMBER      STCGRP       NO           NO        YES

Class Descriptor Table Report

CLASS       STATUS     AUDITING   STATISTICS   DEFAULT   OPERATIONS
NAME                                           UACC      ALLOWED
--------------------------------------------------------------------
SECLABEL    ACTIVE     NO         NO           NONE      NO
RACFVARS    INACTIVE   NO         NO           NONE      NO
DASDVOL     ACTIVE     NO         NO           ACEE      YES
TAPEVOL     ACTIVE     NO         NO           ACEE      YES
GDASDVOL    ACTIVE     NO         NO           ACEE      YES
TERMINAL    INACTIVE   NO         NO           ACEE      NO
GTERMINL    INACTIVE   NO         NO           ACEE      NO
APPL        ACTIVE     NO         NO           NONE      NO
TIMS        INACTIVE   NO         NO           NONE      NO
GIMS        INACTIVE   NO         NO           NONE      NO
AIMS        INACTIVE   NO         NO           NONE      NO
TCICSTRN    ACTIVE     NO         NO           NONE      NO
GCICSTRN    ACTIVE     NO         NO           NONE      NO
GLOBAL      INACTIVE   NO         NO           NONE      NO
PCICSPSB    ACTIVE     NO         NO           NONE      NO
GMBR        INACTIVE   NO         NO           NONE      NO
DSNR        INACTIVE   NO         NO           ACEE      NO
FACILITY    ACTIVE     NO         NO           NONE      NO

Global Access Checking Table Report

CLASS     ACCESS    ENTRY
NAME      LEVEL     NAME
----------------------------------------------------------------------------------------
DATASET   ALTER     &RACUID.*
          READ      ISPF.*
          UPDATE    SYS1.BRODCAST
RVARSMBR  -- NO ENTRIES --
SECLABEL  -- NO ENTRIES --
DASDVOL   -- NO ENTRIES --
TAPEVOL   -- NO ENTRIES --
TERMINAL  -- NO ENTRIES --
APPL      -- NO ENTRIES --
TIMS      -- NO ENTRIES --
AIMS      -- NO ENTRIES --
TCICSTRN  -- NO ENTRIES --
PCICSPSB  -- NO ENTRIES --


Group Tree Report

LEVEL   GROUP (OWNER)
---------------------------------------------------------
1       SYS1 (IBMUSER)
        |
2       | DATASETG (TOMC)
        | |
3       | | ABA
        | |
3       | | ARP
        | | |
4       | | | ARPLST
        |
2       | CICSADM
        | |
3       | | TRANA
        | |
3       | | TRANB
        |
2       | DATACTRL


Selected Data Sets Report

                     VOLUME  SELECTION       RACF       RACF
DATA SET NAME        SERIAL  CRITERION       INDICATED  PROTECTED  UACC
-------------------------------------------------------------------------------------------
PAY.MASTER.FILE      USER23  USERDSN         NO         YES        NONE
PAY.SALARY.FILE      USER23  USERDSN         NO         YES        NONE
ISP.PPLIB.ISPLLIB    M80LIB  LNKLST - APF    NO         YES        READ
ISP.V3R1M0.ISPLOAD   M80LIB  APF             N.F        YES        READ
ISP.V3R2M0.ISPLOAD   M80LIB  APF             NO         YES        READ
                             LNKLST - APF
JES2311.STEPLIB      SMS036  APF             N.C        YES        READ
JES2313.STEPLIB      SMS036  APF             NO         YES        READ
JES2410.STEPLIB      SMS036  APF             NO         YES        READ
JES2420.STEPLIB      SMS036  APF             NO         YES        READ
SYS1.CMDLIB          JS2RES  APF             NO         YES        READ
SYS1.COBLIB          M80LIB  LNKLST - APF    NO         YES        READ
                             SYSTEM
                             LNKLST - APF
SYS1.LINKLIB         MVSRES  LNKLST - APF    N.F        YES        NONE
SYS1.NCATLG          M80PGE  SYSTEM          NO         YES        READ
                             MASTER CATALOG
SYS1.NUCLEUS         MVSRES  SYSTEM          NO         YES        NONE
SYS1.PROCLIB         M80PGE  SYSTEM          NO         YES        NONE
SYS1.RACF.BACKUP     SMS124  RACF BACKUP     NO         YES        NONE
SYS1.RACF.PRIMARY    SMS073  RACF PRIMARY    NO         YES        NONE
SYS1.UADS            M80PGE  SYSTEM          NO         YES        NONE


Reporting on the Unloaded Database

[Diagram: IRRDBU00 -> Output Data -> SQL Queries or ICETOOLs -> Reports]

Valid users, Selected groups, Connections, MVS Open Edition


SMF Data Unload Utility

[Diagram: SMF Data -> IFASMFDP with USER2(IRRADU00) and USER3(IRRADU86) -> Unloaded SMF Data -> DB2 or Other RDMS, ICETOOL or Utilities, Installation Written Programs, Browse]

SMF Unload JCL Example

//SMFUNLD  JOB ,'SMF DATA UNLOAD',
//         MSGLEVEL=(1,1),TYPRUN=HOLD
//SMFDUMP  EXEC PGM=IFASMFDP
//SYSPRINT DD SYSOUT=A
//ADUPRINT DD SYSOUT=A
//OUTDD    DD DISP=SHR,DSN=USER01.RACF.IRRADU00
//SMFDATA  DD DISP=SHR,DSN=USER01.RACF.SMFDATA
//SMFOUT   DD DUMMY
//SYSIN    DD *
  INDD(SMFDATA,OPTIONS(DUMP))
  OUTDD(SMFOUT,TYPE(000:255))
  ABEND(NORETRY)
  USER2(IRRADU00)
  USER3(IRRADU86)
/*


Samplib Tools Available

IRRICE Collection

Uses DFSORT and ICETOOL to produce reports based on Unloaded Database data and SMF data.

IRRADULD, QR, TB

Uses SQL to define (TB), Load (LD), and Query (QR) auditing (unloaded SMF) data.

RACDBULD, QR, TB

Uses SQL to define (TB), Load (LD), and Query (QR) security definition data.


Sample IRRDBU00 Report

- 1 -      UAGR: GR Profiles with a UACC Other Than None      06/09/28

Class    General Resource Profile Name Generic   Owner    UACC
-------- ----------------------------- -------   -------- --------
DSNR     DSN.WLM_REFRESH.DB8GENV1      NO      0 P390A    READ
DSNR     SYSPROC.WLM_REFRESH.DB8GRFSH  NO      0 P390A    READ
DSNR     SYSPROC.WLM_REFRESH.WLMENV1   NO      0 IBMUSER  READ
DSNR     SYSPROC.WLM_REFRESH.WLMENV2   NO      0 IBMUSER  READ
FIRECALL FIRECALL                      NO      0 SYS1     READ
FACILITY DITTO.*                       YES     0 IBMUSER  READ
FACILITY MVSADMIN.WLM.POLICY           NO      0 IBMUSER  READ


Sample IRRADU00 Report

- 1 -      CADU: Number of IRRADU00 Events      06/09/28      09:57:32 am

Type     Count
-------- ---------------
ACCESS   1842
ALTUSER  6
CONNECT  3
DACCESS  1
DEFINE   4
DIRSRCH  15
JOBINIT  2951
PERMIT   1
RDEFINE  2
REMOVE   3
SETROPTS 1


Conducting the Audit

We’ve checked the RACF implementation for appropriate security controls.

Identified security exposures.

Made our recommendations.

What’s this 18 hour “Special”?


Part 2: Emergency Access


What is Emergency Access?

Non-standard access

Storage fixes

General Error fixes

System upgrades

Testing the Recovery Plan


Typical Methods

May I have the envelope please?

Temporary connect

Scheduled connect

Always on, just in case security

Secondary accounts


The Pre-loaded Account

All the access in the world

Keeping it relevant

Turning it off / Re-loading

Not tied to an individual

Accounting for use


Temporary Connection

Connect at 5pm

Disconnect at 9am

Is it enough?

Less difficult to audit

Request/approval trace


Temporary Connection

Scheduled connect at 3am

Disconnect at 9am

Is it enough?

Less difficult to audit

Request/approval trace


The Trusted Professional

Extra access for the normal fixer

Enough access for typical emergencies

May not be enough

Difficult to audit

What paper trail?


Dual Accounts

Secondary account for the normal fixer

Enough access for typical emergencies

May not be enough

Less difficult to audit

After the fact request/approval


The Business Recovery Plan

Most companies use “test” data, right?

DRP accounts do everything

Minimum alteration risk

Maximum disclosure risk

Auditing the Recovery Test


The BRP Reality

> -----Original Message-----
> From: RACF Discussion List On Behalf Of XXXX XXXXXXXX
>
> We want to give users testing programs in a D/R LPAR the
> authority to run production jobs. The production jobs run
> under the USERID of SYSMANT. What's the RACF command to allow
> this to happen.

PERMIT SYSMANT.SUBMIT CLASS(SURROGAT) ACCESS(READ) ID(userID) .


Emergency Access Recommendations

Keep a good trail of request & authorization.

For periodical needs, use 2 accounts, log access used by second account. (UAUDIT)

Rip up the envelope, get rid of the pre-loaded account.

Collect and examine SMF data from DRP.

Restrict or remove software capable of editing raw SMF data.
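One way to test the request and authorization trail for temporary connects, as an added example that is not part of the original slides: it pairs CONNECT and REMOVE events for an emergency group and compares each connection with an approved window. The pipe-delimited record layout, the group names EMERG and PAYROLL, and the approval list are constructed for illustration (the user IDs are borrowed from the sample reports); real IRRADU00 output is fixed-column and would have to be mapped to these fields first.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample: "event|timestamp|target user|group" lines standing in for
# CONNECT and REMOVE records selected from unloaded SMF data.
EVENTS = """\
CONNECT|2006-09-27 17:02|TOMC|EMERG
REMOVE|2006-09-28 08:55|TOMC|EMERG
CONNECT|2006-09-28 03:00|USER23|EMERG
REMOVE|2006-09-28 11:40|USER23|EMERG
CONNECT|2006-09-28 17:05|TOMC|EMERG
CONNECT|2006-09-28 17:10|USER23|PAYROLL
"""

# Constructed request/approval trail: user -> approved (start, end) windows.
APPROVALS = {
    "TOMC": [("2006-09-27 17:00", "2006-09-28 09:00")],
    "USER23": [("2006-09-28 03:00", "2006-09-28 09:00")],
}


def ts(text):
    return datetime.strptime(text, FMT)


def approved_window(user, when, approvals):
    """Return the approved (start, end) window that covers `when`, or None."""
    for start, end in approvals.get(user, []):
        if ts(start) <= when <= ts(end):
            return ts(start), ts(end)
    return None


def audit_temporary_connects(events, approvals, group="EMERG"):
    """Pair CONNECT/REMOVE events for `group`; return exceptions to the trail."""
    rows = [line.split("|") for line in events.splitlines() if line.strip()]
    rows = sorted((ts(when), event, user) for event, when, user, grp in rows if grp == group)
    open_connects, findings = {}, []
    for when, event, user in rows:
        if event == "CONNECT":
            window = approved_window(user, when, approvals)
            if window is None:
                findings.append((user, "connect without approval", when.strftime(FMT)))
            open_connects[user] = window
        elif event == "REMOVE" and user in open_connects:
            window = open_connects.pop(user)
            if window is not None and when > window[1]:
                findings.append((user, "removed after approved end", when.strftime(FMT)))
    for user in sorted(open_connects):
        findings.append((user, "still connected at end of data", ""))
    return findings


if __name__ == "__main__":
    for finding in audit_temporary_connects(EVENTS, APPROVALS):
        print(*finding)
```

Each finding is an exception to follow up against the paper trail: a connect nobody approved, a disconnect that came after the approved end, or a connection that was never removed.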


Audit Reporting & Emergency Access
