RACF Users' News # 61

April, 2003 Newsletter

Issue No. 61

RACF (part of z/OS Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.

The First Step In Breaking Into a Computer Over the Internet
is to learn the IP address (like a phone number) of that computer. This will be four numbers separated by dots. The tool to find out an IP address is called whois. This tool lets you (or anyone else) ask the Internet, "what is the IP address for this name: www.somename.com?"

If you have a program to issue whois over the Internet for you, you can use it. If not, go to Google, and enter whois as a keyword. You'll find lots of sites that will do the whois for you. (Note that many of these sites will do a whois only for the names that they have registered. You may have to look a while for names ending in .gov and some others. But the info is out there for the asking.)

Step 2 is to send a message to each port number at that IP address to see which ports are active. (A port is a number which corresponds to an application, such as email.) The ports that reply to the message are active, and will include in the reply information about what version of what software they are.

Step 3 is to Google to find which of those software packages has security flaws.

NEW YORK RUG Meeting Dates
Tuesday, April 29, 2003 from 12:30 to 4PM. PLEASE NOTE CHANGE IN TIMES AND THAT YOU MUST HAVE A PHOTO ID TO ENTER THE BUILDING. Speakers' initials include: RH, RH (the other one), and WF (the only one). Mark your calendars now. See inside for details. The meeting after that will be in October, probably on a Tuesday from 1 to 5PM. Please note the NYRUG will meet twice a year from now on.

The BWRUG will not meet this season. Our next meeting will be in October, likely on a Monday from 1 to 5PM. Mark your calendars now. See inside for details. Please note the BWRUG will meet twice a year from now on.

If You Aren't Familiar With These Web Sites That Offer Free Stuff for RACFers, You Should Check Them Out
(Please see back page for addresses.)

To Get a Free Subscription to the RACF User News
Phone Stu at (301) 229-7187 with your request, leaving your name, postal address (sorry, only US postal addresses; others will need to read issues online), and phone. For back issues and articles on topics like the SERVAUTH resource class, check his website: http://www.stuhenderson.com.

How to Tighten Up Your RACF Implementation
Suppose you've already got the basic stuff in place. You've already turned on PROTECTALL, BATCHALLRACF, XBMALLRACF, TAPEDSN. You've even put just a few datasets under EOS (Erase-On-Scratch). You don't even worry about dealing with auditors because you are so far past them. Now you really want to ice the cake. What do you do next to make your RACF implementation even better? Here are some ideas:

How RACF Admins Should Be Thinking About TCP/IP

TCP/IP (alright, Transmission Control Protocol / Internet Protocol, aren't you glad you asked?) is the communications protocol of choice when connecting two dissimilar computers, especially over the Internet. It introduces two new, simple concepts: IP addresses and ports. An IP address is like a phone number; it identifies a computer so that messages can be routed to it. It often corresponds to one of those names that ends in .com, .gov, etc.

A port is a number that identifies a program which supports some application. For example, port 25 is often assigned to the email program. To send email to a user at some computer, you send the message to the IP address of the computer, specifying port 25. When the message arrives at that computer, the computer looks at the port number, and hands the message to the email program. The email program processes the message by routing it to the correct recipient.

This is all important to RACF admins, because RACF can control access to your computer by IP address and/or by port number. For example, if you wanted to permit only a certain IP address to download files from your computer (using FTP [File Transfer Protocol] on ports 20 and 21), you could use RACF to control those ports.

Control of IP addresses and ports is handled differently for out-bound and for in-bound messages. You need to control both, since TCP/IP represents a path into the system you are charged with securing.

Before describing the RACF controls, we should note that other people, and other tools, will have a hand in securing TCP/IP in your organization. Find out who they are. Buy them lunch. Learn what IP addresses are used, and what ports, on your mainframe. Learn what firewalls are in use, and how they filter messages based on IP address, port number, and whether in-bound or out-bound. Learn who administers the control files and what RACF specifications they put in them.

To use RACF to control out-bound TCP/IP, use the SERVAUTH resource class. By "out-bound", we mean from your computer to the Internet. If some programmer writes a program which executes on your computer and tries to bind to a given IP address and port, you can control this with RACF.

To control in-bound TCP/IP, your first line of defense should be a firewall, which can filter messages on the basis of IP address, port number, and other criteria. The TCP/IP control file, and the control files used by its daemons, can provide additional protection. In particular, these control files can require that a user be identified (for example by means of a RACF userid and password) before the user is allowed access.

For FTP, you can use the TERMINAL resource class to control access by IP address, and you can use the APPL class to control access to FTP.

You can also use the APPL class to control access to USS (use a rule named OMVSAPPL in the APPL class).

[Did we mention that TCP/IP on the mainframe is the most secure TCP/IP commonly available (when the available security tools are properly implemented)?]
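The following batch TSO job is an added example (not from the newsletter, and not IBM's own sample) showing what the controls above look like as RACF commands: a SERVAUTH profile for out-bound port binding, a SERVAUTH profile for out-bound access to a network, a TERMINAL profile for an in-bound FTP client address, and APPL profiles for FTP and for USS. Everything in it that is site-specific is a constructed placeholder: the system name SYS1, the stack name TCPIP, the SAF suffixes FTPRES and INTRANET, the userid FTPD, the group NETADM, and the client address 10.1.2.3. The hex-encoded IP address as the TERMINAL name and FTPSERVE as the APPL name the FTP server passes are what I assume the FTP server uses; check them against your own Communications Server configuration before relying on them.

```jcl
//RACFTCP  JOB (ACCT),'SERVAUTH SETUP',CLASS=A,MSGCLASS=X
//* Added example: RACF commands for the TCP/IP controls described
//* in the article. All names below are constructed placeholders.
//*
//* The matching PROFILE.TCPIP statements (TCP/IP side, not RACF)
//* would name the SERVAUTH suffixes, for example:
//*   PORT 21 TCP FTPD1 SAF FTPRES       -> EZB.PORTACCESS...FTPRES
//*   NETACCESS INBOUND OUTBOUND
//*     10.1.0.0/16  INTRANET            -> EZB.NETACCESS...INTRANET
//*   ENDNETACCESS
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Out-bound: only the FTP server userid may bind to port 21.     */
  /* Profile form: EZB.PORTACCESS.sysname.tcpname.safname            */
  RDEFINE SERVAUTH EZB.PORTACCESS.SYS1.TCPIP.FTPRES UACC(NONE)
  PERMIT EZB.PORTACCESS.SYS1.TCPIP.FTPRES CLASS(SERVAUTH) +
         ID(FTPD) ACCESS(READ)
  /* Out-bound: only group NETADM may send to the 10.1.0.0/16 net.  */
  /* Profile form: EZB.NETACCESS.sysname.tcpname.safname             */
  RDEFINE SERVAUTH EZB.NETACCESS.SYS1.TCPIP.INTRANET UACC(NONE)
  PERMIT EZB.NETACCESS.SYS1.TCPIP.INTRANET CLASS(SERVAUTH) +
         ID(NETADM) ACCESS(READ)
  /* In-bound FTP by client address: 10.1.2.3 = X'0A010203'.         */
  /* (Assumed: the FTP server passes the IPv4 address in hex as the  */
  /* terminal name.)                                                 */
  RDEFINE TERMINAL 0A010203 UACC(NONE)
  PERMIT 0A010203 CLASS(TERMINAL) ID(NETADM) ACCESS(READ)
  /* In-bound: who may use FTP at all, and who may use USS.          */
  /* (FTPSERVE is the assumed APPL name; OMVSAPPL is from the text.) */
  RDEFINE APPL FTPSERVE UACC(NONE)
  PERMIT FTPSERVE CLASS(APPL) ID(NETADM) ACCESS(READ)
  RDEFINE APPL OMVSAPPL UACC(NONE)
  PERMIT OMVSAPPL CLASS(APPL) ID(NETADM) ACCESS(READ)
  /* Activate the classes and refresh the in-storage profiles.       */
  SETROPTS CLASSACT(SERVAUTH TERMINAL APPL) RACLIST(SERVAUTH APPL)
  SETROPTS RACLIST(SERVAUTH APPL) REFRESH
/*
```

Two things worth checking before running something like this for real. First, the TSO comment lines are indented on purpose: a `/*` in columns 1-2 of an in-stream data set ends the data, so only the last line may start there. Second, what happens to an address that has no TERMINAL profile is governed by the SETROPTS TERMINAL(READ) or TERMINAL(NONE) option, which applies to every terminal-based logon on the system, not just FTP, so decide that setting with the TSO and CICS people before you turn it on.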

How to Tell What Release of RACF You Are On

Recent releases of RACF have contained what many consider a bug on the first page of the DSMON report, which tells you what release of RACF you are on. The report does not give a useful release number. But, thanks to Russ Hardgrove of IBM and the RACF-L, we now have the following chart which summarizes: release number, what DSMON says, and what the FMID is. (FMID is the number IBM uses to identify a piece of software and its release number.)

RACF Release    What DSMON Says                  FMID
OS/390 2.8      RACF VERSION 2 RELEASE 6.0.8     HRF2608
OS/390 2.9      RACF VERSION 2 RELEASE 6.0.8     HRF2608
OS/390 2.10     RACF VERSION 7 RELEASE 70.3      HRF7703
z/OS 1.2        RACF (FMID HRF7705)              HRF7705
z/OS 1.3        RACF (FMID HRF7706)              HRF7706
z/OS 1.4        RACF (FMID HRF7707)              HRF7707

You should now be able to predict these values for future RACF releases, based on IBM's policy of consistency in naming things. Note: You may find that RACF release numbers don't correspond one for one with operating system release numbers. We have seen a new release every Spring and every Fall for some time now, but IBM is smart enough not to put out a new release if they don't have real, new function to offer at the time.

New Security Seminars from DelCreo: HIPAA Workshop, CISSP Prep, Other
DelCreo Inc. offers the classes listed below and others.

Check them out at http://www.delcreo.com  or call Cheryl Jackson at (281) 844-4715

New Free Email Newsletter for Mainframe Auditors
To learn more about the Mainframe Audit News (MA News), check Stu's website: http://www.stuhenderson.com 

Interesting Products Column
We have not evaluated these products, but think they might be of interest to RACF administrators:


This Issue's Wish
Wouldn't it be nice if IBM gave us a switch in RACF to prevent users from creating dataset rules beginning with their own userids? This would protect against the following hilarious prank: Set up a CLIST which goes into an infinite loop creating RACF dataset rules (with the ADDSD command) whose names start with your userid. Then execute the CLIST, which will keep running until it fills up the RACF database. [Until IBM gives us such a switch, the next best way to prevent this problem is likely to be a RACDEF pre-exit.] (Such a prank should be considered grounds for termination and worse.)

NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS
NYRUG: At Our Next Meeting

The meeting is free, but you must register in advance by sending an email to Mark Nelson of IBM at:
as the subject and your name and company in the text.
You must get on the list by Noon, Monday, April 28th to get into the meeting. (Also be sure to bring a photo id.)
Our next meeting will be at IBM, 590 Madison Avenue, in the Eastside Theatre, Room 976. Attendees must present a photo ID to enter the building. Please note the early start and finish times. We will have three great speakers: Bob Hansel of RSH Consulting will speak on "RACF & REXX" (how to get reports from the RACF Database Unload Utility using REXX). Russ Hardgrove of IBM RACF Level 2 will speak on "SAFTRACE" (the nifty tool that lets us view all the calls to RACF). Walt Farrell from IBM RACF Development will speak on "The World of RACF Program Control and PADS" (important stuff you need to know about using the PROGRAM class in any release and enhancements in z/OS R4).

Tuesday, April 29, 2003 from 12:30-4PM. Please note the early times, photo id requirement, and registration requirement.

IBM, 590 Madison Avenue in the Eastside Theatre, Room 976. Attendees must present a photo ID to enter the building.


BWRUG (Baltimore/Washington RUG):
The BWRUG will not meet this season. See you in October.

Simplified Approach to UNIXPRIV Rules
The UNIXPRIV resource class is used to control delegation of authority within USS (UNIX under MVS). [Other UNIX systems only allow delegation of authority as follows: You are either SUPERUSER or nobody. Did we mention that USS is the most secure UNIX commonly available, and that it has the most precise delegation of authority?] The UNIXPRIV rules are so numerous, and have such funny names, that we thought we would simplify things by describing some of the rules whose names begin SUPERUSER.FILESYS and the power they give over USS files:

HG How to Audit Training Schedule: (includes new Fall dates)

         The Henderson Group now offers its series of "How to Audit.." 
seminars for IT auditors. These describe clearly how the associated software 
works, where the control points are, how to collect and interpret data, and 
how to conduct the audit.  The workbooks include complete audit programs.  
More information is available at our website: www.stuhenderson.com.  If you 
have a class you would like to have added to this series, please let us know.  
(See info on "RACF and Security" classes below.) 

  A)     HG70 How to Audit Cross-Platform Applications ($820)  
                  Nov. 3-4,        2003 in Clearwater, FL 

  B)     HG71 How to Audit Mainframe/Internet Connections ($820)  
                  Oct. 9-10,       2003 in Bethesda, MD (near Washington, DC)

  C)     HG72 How to Audit TCP/IP ($410)  
                  Apr. 9,          2003 in Bethesda, MD (near Washington, DC)

  D)     HG73 How to Audit CICS ($410)  
                  Oct. 8,          2003 in Bethesda, MD (near Washington, DC) 

  E)     HG74 How to Audit RACF ($820)  
                  Nov. 5-6,        2003 in Clearwater, FL

  F)     HG75 How to Audit MVS ($410)  
                  Nov. 7,          2003 in Clearwater, FL 

HG RACF and Security Training Schedule:

         The Henderson Group offers its RACF and computer security/audit 
seminars around the country and on-site too.  See the details below or call 
(301) 229-7187 for a free seminar catalog.  For more info or to see what 
students say about these classes, please go to www.stuhenderson.com.  (See 
info on "How to Audit ..." classes above.) 

  1)     HG04 Effective RACF Administration    ($1895)  
                  May     5-8,              2003 in Seattle, WA
                  Sept. 16-19,              2003 in New York City
                  Oct.  20-23,              2003 in Cape Cod, MA
                  Mar.   9-12,              2004 in Clearwater, FL

  2)     HG05 Advanced RACF Administration  ($1890)                             
                  May   12-15,              2003 in Seattle, WA
                  Sept. 23-26,              2003 in New York City
                  Feb.  17-20,              2004 in Clearwater, FL

  3)     HG06 UNIX (USS) for RACF Administrators  ($410)                                
                  May       9,              2003 in Seattle, WA
                  Sept.    22,              2003 in New York City
                  Mar.      8,              2004 in Clearwater, FL

  4)     HG17 How to Be an Effective z/OS or OS/390 (MVS) Data Security Officer
         (covers CICS, VTAM, DB2, and JES security along with MVS security, SAF,
         OS/390, and z/OS)  ($1190)                  
                  Nov.  17-19               2003 in Bethesda, MD (near Washington, DC)

Another Trick From the RACF-L Server
To find out basic information about your RACF, MVS, system symbols, and other info, use a CLIST like this:

         PROC 0
You will want to learn what system symbols have been defined in your installation, since some of them like &SYSNAME might be reflected in the names of RACF rules, especially in the SERVAUTH resource class.

Permanently Interesting Products Column
This column has been permanently moved from this newsletter to Stu's website. You can find it at: www.stuhenderson.com/XINFOTXT.HTM 

RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)

RACF List Server on the Internet
To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:

subscribe racf-l john smith

to the address: listserv@listserv.uga.edu

The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary. You will want to set up a filter for incoming emails to direct mail from the list server to a dedicated folder or directory.


The RACF User News
is published two times a year (December, March, and September) to share information about RACF. All information in it is offered on an "as is" basis, and should be used at your own risk, and with your own testing.

Other Internet places:

Stuart Henderson
(301) 229-7187
5702 Newington Road Bethesda, MD 20816-1282

Copyright ©: 2003, Stuart C. Henderson