RACF (part of OS/390 Security Server) is a trademark of IBM. This newsletter is not affiliated with IBM in any way.
Release 2.9 of RACF Should Be Out by the Time You Read This
Look for more features to support interconnection and UNIX security. Look for clean-up of past RACF clumsiness.
Next Time You List a Dataset Rule
Try adding the operand DSNS to the LD command. You'll see in the output not only the dataset rule, but also the names of all the catalogued datasets which it covers. (If you want to force all datasets to be catalogued, with certain exceptions such as those defined in the FACILITY class, issue SETR CATDSNS. This has a WARNING operand also.)
Stu Henderson Finally Gets a Better URL for His Web Site
You can go to www.stuhenderson.com more easily than to his old name. You end up in the same place. Stu checks his voice mail daily, his e-mail much less often.
NEW YORK RUG Meeting Dates
On Wednesdays, from 1 to 5 PM: this quarter on April 12, 2000. The following meeting will likely be July 12, 2000. Mark your calendars now. See inside for details.
On Thursdays, from 9 AM to Noon: this quarter on April 13, 2000. The next meeting will likely be July 13, 2000. Mark your calendars now. See inside for details.
More Change in the RACF Software Industry
A new company named Entact Information Security offers tools for cross-platform administration, auditing, and authentication. Products include: eAudit, eAdmin, eRequest, eRole, eRights, eUniPass, eReset, and eAPI. For info call Brent Phillips at 1-877-368-2281 (toll-free) or see http://www.entactinfo.com.
Vanguard's New QS/390 Solution Suite
includes these tools: Smart Link, Smart Assist, Risk Minder, Find-It-Fix-It-Fast, and Auto Pilot. For more info, see their web site or come to one of the RUG meetings they host (see above).
A Rumor About RACF Support for UNIX File Access Control
Currently UNIX on the mainframe uses RACF to answer the first basic question ("Who is this user?"). It uses native UNIX file security (the three sets of three bits for Read, Write, and eXecute) to answer the second basic question ("Can this user access this file?").
These three sets of three bits are very limiting compared to the flexibility we get with RACF dataset rules. You may expect IBM to enhance RACF by replacing or supplementing the native UNIX file security with calls to RACF. ACF2 and TopSecret support this already. RACF may support it very soon.
(Remember when IBM waited several years after ACF2 had a new feature to add it to RACF? For example, putting TSO information into the security software database, RRSF, and program pathing.) Now RACF seems to lead with new features, and to match the competition's features much sooner.
One of the Good Guys Passes On
Kurt Meiser, the developer of the original RACF password cracker program, and a staunch supporter of the RACF community, passed away last year. He was a frequent speaker to RACF user groups, and shared generously from his deep technical knowledge. We will miss him.
Password Cracker Program Available Again
Peter Goldis, who worked with Kurt Meiser on the original password cracker program, has added features to it, and is now marketing it at his website: www.goldisconsulting.com. We have not evaluated it, but think that every shop should run some sort of password cracker program at least annually, and before your auditors do. Let us know what you think of the new program, and we'll share the comments in a future issue.
Fifteen Minute Project to Improve Your RACF
Develop a plan, and start implementing it, to use functional groups (such as "the group of people who can read the payroll data"). Permit these groups to the datasets and resources they need, and then delegate the authority to connect people to these groups. (Consider AUTH(CONNECT) on the CONNECT command.) Stop permitting individual users to individual datasets; rather, allow someone to be part of a group or not. PERIOD. Revise your request forms to manage users' expectations. ("Here are your choices. Which do you want?") Two signs of overly complicated RACF administration are permit lists with many entries, and many userids in permit lists. Make your access matrix so clean and simple that you can put it on a napkin.
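As an added illustration of the functional-group approach (example commands written for this issue, not taken from the newsletter or from IBM documentation), the following RACF commands define one group, permit it instead of individual users, and delegate connect authority. The group PAYRREAD, the userids SECADM, PAYRADM and JSMITH, and the profile PAYROLL.** are constructed names; the PAYROLL.** generic profile is assumed to exist already, with enhanced generic naming active. Comment lines are CLIST/REXX style and are explanatory only.

```text
/* Constructed example: one functional group for "people who can     */
/* read payroll data", with connect authority delegated.             */

/* 1. Define the group. Its name should say what membership grants.  */
ADDGROUP PAYRREAD SUPGROUP(SYS1) OWNER(SECADM) +
   DATA('Functional group: READ access to payroll datasets')

/* 2. Permit the GROUP, never individual users, to the resources.    */
/*    Assumes generic profile PAYROLL.** exists (EGN active).        */
PERMIT 'PAYROLL.**' CLASS(DATASET) ID(PAYRREAD) ACCESS(READ)

/* Generic profiles are held in storage; refresh so the new access   */
/* list is used by jobs that already have the HLQ's rules loaded.    */
SETROPTS GENERIC(DATASET) REFRESH

/* 3. Delegate: the payroll administrator may connect and remove     */
/*    users from this group, but cannot change the dataset rule.     */
CONNECT PAYRADM GROUP(PAYRREAD) AUTHORITY(CONNECT)

/* 4. From now on a request is a CONNECT by the delegate (default    */
/*    authority USE), not a PERMIT by security staff.                */
CONNECT JSMITH GROUP(PAYRREAD) AUTHORITY(USE)

/* 5. Revoking is a REMOVE, not a PERMIT ... DELETE on the rule.     */
REMOVE JSMITH GROUP(PAYRREAD)

/* 6. Check: the access list should name only groups. DSNS also      */
/*    lists the catalogued datasets the rule covers.                 */
LISTDSD DATASET('PAYROLL.**') GENERIC AUTHUSER DSNS
```

The audit check is step 6: a LISTDSD whose access list shows userids rather than groups is the "many userids in permit lists" symptom the column describes, and step 3 is what lets the security staff stop being in the path of every request.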
A Big Hole That You Can Plug
When you connect to the Internet from your mainframe, you use the TCP/IP protocol. TCP/IP often has a Telnet server to allow remote logins. This makes it possible for someone on the Internet to logon to a program on your machine unless you put the controls in place to restrict this type of connection.
You need to understand the definition of applid, that is, a program which VTAM lets you sign onto from a terminal. CICS is an applid. So are IMS and TSO. There are certainly many other applids on your system, likely including job scheduling software, tape management software, performance monitors, and others. Unless you KNOW that every one of these programs calls RACF to check out the userid and password, then you may have a security hole. If you are a Data Security Officer, and you don't know the names of every applid on your system, then you almost certainly have a security hole. However, it is fixable.
You need a policy (and a means to enforce it) requiring every applid to call RACF to check out userids and passwords. If you don't, some system programmers will install applids with vendor supplied userids and passwords (known to every hacker) or with their own list of hard-coded userids and passwords. When this happens, anyone coming into your system through a dial-in port, or through Telnet can ask VTAM to connect his terminal to any applid. There are controls you can implement in VTAM. You can also review the control file for TCP/IP to see the Telnet settings for applids. (They are often set to allow Telnet users to connect to any applid at all.) Your firewall settings can provide additional protection. But the best control is to make sure that RACF controls every path into your system. Take your VTAM system programmer to lunch!
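To show what "allow Telnet users to connect to any applid at all" looks like in practice, here is a constructed fragment of the TN3270 Telnet section of a TCP/IP profile (an added example, not from the newsletter), with the wide-open setting beside a restricted one. The applid names TSO* and CICSPRD1 are hypothetical, and the keywords should be checked against the IP Configuration Reference for your release of the TCP/IP product; the point is that each applid reachable from Telnet must be one you know calls RACF.

```text
; Constructed example of the Telnet section of a TCP/IP profile.
; Semicolons begin comments in this file.

TELNETPARMS
   PORT 23
ENDTELNETPARMS

; --- Weak setting (often shipped in samples) --------------------------
; Any Telnet user may ask VTAM for ANY applid, including a vendor
; product installed with hard-coded or default userids.
BEGINVTAM
   PORT 23
   DEFAULTAPPL TSO
   ALLOWAPPL *                     ; every applid on the system is reachable
ENDVTAM

; --- Restricted setting ------------------------------------------------
; Only named applids, each known to call RACF, are reachable.
BEGINVTAM
   PORT 23
   DEFAULTAPPL TSO
   ALLOWAPPL TSO* DISCONNECTABLE   ; TSO logon verifies the user with RACF
   ALLOWAPPL CICSPRD1              ; CICS region running with SEC=YES
   ; No ALLOWAPPL * : an applid not listed here is refused.
ENDVTAM
```

The review the column recommends is then concrete: list every applid named in ALLOWAPPL (and the DEFAULTAPPL), and for each one confirm with the system programmer how it validates userids and passwords. Any wildcard in ALLOWAPPL means the list of reachable applids is really "everything VTAM knows about", which is the hole being described.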
In Case You Wanted to Evaluate Your Company's DataSet Naming Standard
To speed up performance when you open a dataset protected by a generic rule, RACF reads in ALL the generic dataset rules with that High Level Qualifier into your address space. If you have LOTS of these rules (for example, all your production datasets have names beginning PROD.) then there could be a lot of I/O to the RACF database. If another job running at the same time opens a dataset which also has that high level qualifier, then that job has RACF read in all the generic dataset rules with that HLQ. Of course, if the job next opens a dataset with that HLQ, then the rule is already in memory and you don't have to worry about reading it in again.
Since the RACF buffering scheme may make all of this a non-issue, don't worry about it unless you seem to be having a lot of I/O to the RACF database. If you have an opportunity to revise your dataset naming standard, keep this in mind, and try to avoid having all your production dataset rules share the same HLQ.
On a related note, if you have more than three or four production dataset rules per application, your rules may be more complicated than actually needed. Consider simplifying by combining rules for the same application. ("If anyone can read one payroll file, let him read all of them, except of course the officers' bonus file. So let's have two rules, one for the bonus files, and one for all other payroll files.")
New Group of Security Professionals Forming in Northern Florida
Contact Gena Star (904) 854-3128 or Vicki Harris (904) 332-1451 for more info.
Chicagoland RACF User Group First Meeting March 14
Contact Pat Diya at (630) 810-5142 for more info.
Some FACILITY Class Rules You Will Want To Know for UNIX and the Web
These all need READ access unless noted otherwise. See if you can tell which ones should be catching the auditors' attention.
NYRUG (New York RACF Users Group) and BWRUG (Baltimore/ Washington RUG) NEWS
NYRUG: At Our Next Meeting
Our next meeting will be hosted by Vanguard Integrity Professionals, which is also providing members with a free, pre-meeting lunch and product demonstration, as well as providing our mid-meeting break refreshments. Vanguard's product presentation precedes and is completely separate from our regular meeting. The product presentation will describe QS/390 (please see page 1). Vanguard will hold a drawing for a free Palm Pilot at the regular meeting. Our speakers will be: Peter Goldis on his experiences penetrating RACF systems and Bob Spitz of Vanguard on "RACF Security for DB2". We hope to have a speaker from IBM on the new features of RACF 2.9. As always, we will have a question and answer session with some of the keenest RACF minds in the State to answer questions.
Time: Wednesday, April 12, 2000. The lunch and product presentation will begin at noon. The regular meeting runs from 1 PM until it's too late to go back to the office.
Place: The New York Marriott Marquis, 1535 Broadway [between 45th and 46th Streets, at 7th Avenue and Times Square]
BWRUG (Baltimore/Washington RUG):
Our next meeting will be hosted by Vanguard Integrity Professionals, which is also providing members with a free, pre-meeting breakfast and product demonstration, as well as providing our mid-meeting break refreshments. Vanguard's product presentation precedes and is completely separate from our regular meeting. The product presentation will describe QS/390 (please see page 1). Vanguard will hold a drawing for a free Palm Pilot at the regular meeting. At the regular meeting, our speakers will be Bob Spitz of Vanguard on "RACF Security for DB2" and Stu Henderson on "How to Break Into OS/390 Systems." We hope to have a speaker on the new features of RACF 2.9. As always, we will have a question and answer session with some of the keenest RACF minds in the Capital area to answer questions.
Time: Thursday, April 13, 2000. The breakfast and product presentation will be from 8AM to 9AM. The regular meeting will be from 9AM to noon.
Place: Marriott Residence Inn at 7335 Wisconsin Ave in Bethesda, MD, phone (301) 718-0200. This is at the Bethesda stop of the RED LINE of the Metro (which goes quickly to Union Station for MARC and Amtrak riders). By car: Take the beltway I495 to Exit 34 (Wisconsin Ave.) This is NW of DC, near where I270 joins I495. Take Wisconsin Ave South (aka Route 355 South) about 2.5 miles. Watch for the Hyatt/Bethesda Metro on the right. Just past the Hyatt, take the next left onto Montgomery Avenue. Go one block and take the first right onto Waverly Avenue. Waverly wraps around to the front of the hotel where there is valet parking.
Wherever You Live or Work:
Why not see if your organization can host a meeting for your local RUG?
Permanently Interesting Products Column
We have not evaluated these, but think every RACF shop should know about them.
HG RACF and Security Training 1998 Schedule:
The Henderson Group offers its RACF and computer security/audit seminars around the country and on-site too. See the details below or call (301) 229-7187 for a free seminar catalog.
1) HG04 Effective RACF Administration ($1695) (REVISED): Oct. 23-27, 2000 in New York City; Dec. 4-8, 2000 in Bethesda, MD (near Washington, DC)
2) HG05 Advanced RACF Administration ($1185): May 22-24, 2000 in Denver, CO; Oct. 4-6, 2000 in Bethesda, MD (near Washington, DC)
3) HG17 How to Be an Effective OS/390 (MVS) Data Security Officer (covers CICS, VTAM, DB2, JES, and other security along with MVS security, SAF, and OS/390) ($1190): Apr. 5-7, 2000 in New York City; Nov. 8-10, 2000 in Bethesda, MD (near Washington, DC)
4) HG40 Mastering Windows 2000 (NT) Security (Windows 2000 is the new name for Windows NT Release 5, or NT5; this class covers NT4 security as well as Windows 2000 security) ($1195) (REVISED): May 31-June 2, 2000 in New York City; Sept. 27-29, 2000 in Bethesda, MD (near Washington, DC)
RACF User Services (Newsletter Subscriptions / Key Phone Numbers / Addresses)
RACF List Server on the Internet
To join, send E-mail to the administrator for the server. (Don't send it to the server itself or your request will be routed to every subscriber.) For example, if your name is John Smith and you want to subscribe, then send this E-mail:
subscribe racf-l john smith
to the address: email@example.com
The reply will include directions on how to get info such as a list of all subscribers, an index to previous comments, and a command summary.
Other Internet places: