RACF (part of OS/390 Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.
New Seminar for RACF Admins Who Want to Learn UNIX
See inside for information on HG06: UNIX (USS) for RACF
The 16th VIP annual Enterprise Security Expo and conference will be held in Anaheim June 23-28, 2002. For more info, go to http://www.go2vanguard.com/expo2002 or call (888) 547-3976.
Extra Date for Class "HG06: UNIX (USS) for RACF Admininistrators"
In response to many comments that December is too long to wait for this class, we are holding an extra session May 14 in Charlotte, NC. See details in seminar listings below.
Southern Florida RUG Marches On
To learn more, contact Manuel Blanco at (305) 661-0363x4452 or contact him at email@example.com.
More Great Websites for RACF:
For RACF administrators and auditors: http://www.loftcam.com/magic.html for a magic trick to test your brain
NEW YORK RUG Meeting Dates
Tuesday, April 23, 2002 from 1 to 5PM with a product demo lunch from Vanguard Integrity Professionals from noon to 1PM. Mark your calendars now. See inside for details. The meeting after that will be in October, probably on a Tuesday from 1 to 5PM. Please note the NYRUG will meet twice a year from now on.
BALTIMORE/WASHINGTON RUG Meeting Dates
Monday April 22, 2002 from 1 to 5 PM with a product demo lunch from Vanguard Integrity Professionals from noon to 1PM. Our next meeting will be in October, likely on a Monday from 1 to 5PM. Mark your calendars now. See inside for details. Please note the BWRUG will meet twice a year from now on.
This Newsletter Switching to Twice a Year
Issues will come out in March and in September of each year, just in time to announce the April and October meetings of the BWRUG and NYRUG.
To Get a Free Subscription to the RACF User News
Phone Stu at (301) 229-7187 with your request, leaving your name, postal address (sorry, only US postal addresses; others will need to read issues online), and phone. For back issues and articles on topics like the SERVAUTH resource class, check his website: http://www.stuhenderson.com
Nigel Pentland's Website Gets a Better Name
RACF for z/OS 1.3 Supports ACLs for UNIX
So a RACF administrator is saying to his Mom (picture Dilbert's mother), "I wish we had a more flexible and precise way to administer UNIX file security on the mainframe." She replies, "What?". And a strange white duck in the background keeps repeating "ACLS!"
Of course he's talking about ACLs, or Access Control Lists, the neatest way to administer file security in a UNIX operation of any real size. ACLs are like the permit lists of dataset rules: they are made up of entries. Each entry contains a userid or group, and a privilege such as READ, WRITE, or EXECUTE.
("ACLs" is pronounced "ACK-els", similar to "RACF".) ACLs supplement (and do not replace) the RWX security bits in the FSP (File Security Packet, UNIX's answer to the RACF dataset rule). ACLs give us greater precision and flexibility in access control.
Each ACL is associated with a given file (including directories). The ACL is stored in the HFS (Hierarchical File System) with the file, and with the FSP. ACLs are administered with USS commands. Actual checking of ACLs is done by RACF.
There are three types of ACL:
The actual entries in an ACL are called the Extended ACL Entries, in contrast to the Base ACL entries. Each Extended ACL Entry contains: an indicator of whether it applies to a user or group, the UID or GID of the user or group, and the permissions for the entry (RWX).
ACLs are used to control file access only when the RACF resource class FSSEC is active.
The setfacl and getfacl Commands to Administer ACLs
We will not try to provide a comprehensive description of these commands, just enough description to start making you comfortable, with an example or two to illustrate. Please note that most UNIX commands are lower case (not UPPER CASE).
Note further that with UNIX commands, you often set options by specifying flags with the command. You can tell that they are flags because they are preceded by a dash (-). If the command description puts the flags in [square brackets], then they are optional. The trick to learning UNIX commands is to ignore lengthy descriptions of flags and their meanings the first time around. Concentrate on the examples. Remember though that flags can have completely different meanings depending upon whether they are UPPER CASE or lower case.
The format of the setfacl command to edit ACLs for a file named mydata:
setfacl [-ahqv] followed by:
-s and entries and mydata; to replace the ACL for mydata OR
-S and a filename and mydata; to replace mydata's ACL OR
-D followed by a type and mydata; to delete mydata's ACL OR
-m OR -M OR -x OR -X followed by an entry and mydata; to add, alter, or delete an entry in an ACL for mydata. (-m and -M are used to modify or add; -x or -X are used to delete)
Note that some flags have upper and lower case versions, with the lower case (-s) specifying an entry, and the upper case (-S) specifying a filename containing entries.
To issue setfacl, you need either SUPERUSER status, or to be the owner of the file, or READ permission to the RACF UNIXPRIV rule named SUPERUSER.FILESYS.CHANGEPERMS
The format of the getfacl command to view ACLs is:
getfacl [-acdfhmos] [-e user] file
EXAMPLE: To let user MARY be able to read the file named /u/stu/test.dat:
setfacl -m user:MARY:r-- /u/stu/test.dat
EXAMPLE: To list the ACL, and see the owning user (STU) and group (GRPA), as well as the FSP original permission bits and any extended entries, issue:
which will yield output like this:
#file: /u/stu/test.dat #owner: STU #group: GRPA user::rwx group::r-- other::--- user:MARY:r--
The three entries with double colons (::) are the base ACL entries (original FSP RWX bits). The last line (all about MARY) is an extended ACL entry.
New Free Email Newsletter for Mainframe Auditors
To learn more about the Mainframe Audit News (MA News), check Stu's website at: http://www.stuhenderson.com
NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS
NYRUG: At Our Next Meeting
Our next meeting will be hosted by Vanguard Integrity Professionals. They are also providing a free, pre-meeting lunch and product demo. The product demo preceeds and is completely separate from our regular meeting. At the regular meeting, we'll have speakers from IBM (including the famous Mark Nelson). Art Hatfield-Mihelic of VIP will speak on "RACF Tips and Tricks" and "Protecting General Resources". As always, we will have a question and answer session with some of the keenest RACF minds in the State to answer questions. Please email if you will be at the lunch so we can have enough food to: firstname.lastname@example.org. Please put "NYRUG Free Lunch" as the subject.
Tuesday, April 23, 2002. The lunch and product presentation will begin at noon. The regular meeting starts at 1PM until it's too late to go back to the office.
Holiday Inn Midtown, 440 West 57th St, NYC, phone (212) 581-8100. Lunch will be at the Via Strada restaurant in the hotel. Please see the sign in the lobby for the meeting room.
BWRUG (Baltimore/Washington RUG):
Our next meeting will be hosted by Vanguard Integrity Professionals. They are also providing a free, pre-meeting lunch and product demo. The product demo preceeds and is completely separate from our regular meeting. At the regular meeting, Art Hatfield-Mihelic of VIP will speak on "RACF Tips and Tricks" and "Protecting General Resources". As always, we will have a question and answer session with some of the keenest RACF minds in the Capital region to answer questions. Please email if you will be at the lunch so we can have enough food to: email@example.com. Please put "BWRUG Free Lunch" as the subject.
Monday, April 22, 2002. The lunch and product presentation will begin at noon. The regular meeting starts at 1PM until it's too late to go back to the office.
Marriott Residence Inn, 7335 Wisconsin Avenue, Bethesda, MD, phone (301) 718- 0200 (Bethesda is northwest of Washington, DC. Take the Red Line on the Metro (which goes quickly from Union Station for MARC and AMTRAK riders) and get off at the Bethesda stop, a 1 block walk. By car, take the Beltway (I495) to Exit 34, Wisconsin Ave. (Wisconsin Avenue is also called Rte 355, and also the Rockville Pike.) Take Wisconsin (355) south about 2.5 miles. Watch for the Hyatt/Bethesda Metro on the right. Just past the Hyatt, take the next left onto Montgomery Avenue. Go one block and take the next right onto Waverly Avenue. Waverly wraps around to the front of the hotel, where there is valet parking. The hotel is on the corner of Wisconsin and Waverly.)
Permanently Interesting Products Column
We have not evaluated these, but think every RACF shop should know about them.
HG How to Audit Training Schedule:
The Henderson Group now offers its series of "How to Audit.." seminars for IT auditors. These describe clearly how the associated software works, where the control points are, how to collect and interpret data, and how to conduct the audit. The workbooks include complete audit programs. More information is available at our website: www.stuhenderson.com. If you have a class you would like to have added to this series, please let us know. These classes will be held in 2002: A) HG70 How to Audit Cross-Platform Applications ($820) Feb. 27-28, 2002 in Clearwater, FL B) HG71 How to Audit Mainframe/Internet Connections ($820) May (15-16), 2002 in Atlanta, GA C) HG72 How to TCP/IP ($410) Sept. 13, 2002 in Bethesda, MD (near Washington, DC) D) HG73 How to Audit CICS ($410) May 17, 2002 in Atlanta, GA E) HG74 How to Audit RACF ($820) Sept. 5-6, 2002 in Bethesda, MD (near Washington, DC) F) HG75 How to Audit MVS ($410) March 1, 2002 in Clearwater, FL HG RACF and Security Training Schedule: The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog. For more info or to see what students say about these classes, please go to www.stuhenderson.com. (See info on "How to Audit ..." classes above.) 1) HG04 Effective RACF Administration ($1795) Feb. 19-22, 2002 in Clearwater, FL May 7-10, 2002 in Atlanta, GA Sept. (TBD) 2002 in (To Be Determined) Dec. 3-6, 2002 in Bethesda, MD (near Washington, DC) 2) HG05 Advanced RACF Administration ($1790) March 11-14, 2002 in Clearwater, FL June 17-20, 2002 in Denver, CO Sept. (TBD) 2002 in (To Be Determined) 3) HG06 UNIX (USS) for RACF Administrators ($410) May 14, 2002 in Charlotte, NC (NEW SESSION) Dec. 10, 2002 in Bethesda, MD (near Washington, DC) 4) HG17 How to Be an Effective OS/390 (MVS) Data Security Officer) (covers CICS, VTAM, DB2, and JES security along with MVS security, SAF, and OS/390) ($1190) Dec. 11-13 2002 in Bethesda, MD (near Washington, DC)
RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)
RACF List Server on the Internet
To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:
subscribe racf-l john smith
to the address: firstname.lastname@example.org
The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.
The RACF User News is published two times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.
For Back Issues of this Newsletter and Links to Several Useful Web Sites check the Henderson Group website at: www.stuhenderson.com
Other Internet places:
Copyright ©: 2002, Stuart C. Henderson