Copyright IBM Corp., 2006. All rights reserved.
Objectives
In this chapter you will learn to:
Key terms
authorized libraries
authorized program facility (APF)
encryption
SAF
SVC
PASSWORD
firewall
hacker
page protection bit
Resource Access Control Facility (RACF)
security policy
separation of duties
system integrity
user ID
Introduction
An installation's data and programs are among its most valuable assets and must be protected
At one time data was secure because no one knew how to access it
As more people become computer literate and able to use simple tools, unprotected data is becoming more accessible
Data security is now more important than ever, including the prevention of inadvertent destruction
Why security?
Any system security must allow authorized users the access they need and prevent unauthorized access.
Many companies' critical data is now on computer and is easily stolen if not protected
z/OS Security Server provides a framework of services to protect data
RACF
RACF (part of Security Server) and the other available packages are add-on products which provide the basic security framework on a z/OS mainframe
Identify and authenticate users
Authorize users to access protected resources
Log and report attempted unauthorized access
Control means of access to resources
[Figure: RACF and the RACF database, with three functions: security administration; user identification and authorization; resource authorization checking and system control]
Protection Levels
RACF works on a hierarchical structure
Protecting a dataset
A data set profile is created and stored in the database
It will give users or groups an access level
A universal access level will also be set
The profile can be specific or generic, with or without wild cards
OWNER     UNIVERSAL ACCESS  WARNING  ERASE
--------  ----------------  -------  -----
SYS1      READ              NO       NO

AUDITING
--------
FAILURES(READ)

NOTIFY
--------
NO USER TO BE NOTIFIED

YOUR ACCESS  CREATION GROUP  DATASET TYPE
-----------  --------------  ------------
ALTER        SYS1            NON-VSAM
ACCESS
------
ALTER
ALTER
ALTER
ALTER
UPDATE
UPDATE
NONE
ALTER
ALTER
UPDATE
UPDATE
READ
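The profile fields shown above (universal access, access list entries, AUDITING FAILURES(READ)) combine into one access decision. The following is an added example, not part of the original slides: a simplified model in which a user's own access-list entry is used first, then the highest entry among the user's groups, then the universal access. The access-list IDs (SYSPROG, OPSGRP, TEMP01) are hypothetical, since the slide's ID column did not survive, and the precedence is a modelling assumption rather than RACF's full checking sequence.

```python
# Added example: simplified model of a RACF data set profile check.
# RACF access levels, lowest to highest (the slides show NONE/READ/UPDATE/ALTER).
LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed profile: OWNER, UACC and AUDITING mirror the display above;
# the access-list IDs are hypothetical.
PROFILE = {
    "owner": "SYS1",
    "uacc": "READ",
    "audit_failures": "READ",  # AUDITING FAILURES(READ)
    "access_list": {"SYSPROG": "ALTER", "OPSGRP": "UPDATE", "TEMP01": "NONE"},
}

def granted_level(profile, userid, groups):
    """Level the profile gives this user: own entry, else best group, else UACC."""
    acl = profile["access_list"]
    if userid in acl:  # a user entry wins, even when it is NONE
        return acl[userid]
    group_levels = [acl[g] for g in groups if g in acl]
    if group_levels:
        return max(group_levels, key=RANK.__getitem__)
    return profile["uacc"]

def check_access(profile, userid, groups, requested):
    """Return (allowed, logged) for a request at level `requested`."""
    allowed = RANK[granted_level(profile, userid, groups)] >= RANK[requested]
    # FAILURES(level): failed attempts at that level or higher are logged.
    logged = (not allowed) and RANK[requested] >= RANK[profile["audit_failures"]]
    return allowed, logged

if __name__ == "__main__":
    for who, grps, want in [("GUEST", [], "READ"), ("GUEST", [], "UPDATE"),
                            ("TEMP01", ["OPSGRP"], "READ")]:
        print(who, want, check_access(PROFILE, who, grps, want))
```

An explicit NONE entry for a user overrides both group entries and the universal access, which is how a single ID is locked out of a data set that everyone else can read.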
DASD volumes
Tapes
CICS or IMS transactions
JES spool datasets
System commands
Application resources and many more
[Figure: resource manager, SAF and RACF, with RACF data or storage; steps 4 and 5 labelled]
[Figure: RESOURCE MANAGER issues RACROUTE or a SAF CALLABLE SERVICE to SAF; SAF runs optional exits (exit check, exit RC) and makes the RACF call to the SECURITY PRODUCT (RACF check against its databases, RACF RC); result: yes / no]
SAF is part of z/OS
Uses RACF if it is present
Can also use an optional exit routine
SAF is a system service and is a common focal point for all
products providing resource control.
SAF is invoked at control points within the code of the resource
manager
RACF Structure
Userid
Group
o Every userid belongs to at least one group
o Group structures are often used for access to resources
Resource
Resource classes
Class descriptor table used to customize
[Figure: RACF ADMINISTRATION, covering resource classes, system options, dataset and general resource profiles, group profiles and user profiles]
RACF Functions
[Figure: RACF and the RACF database, with three functions: security administration; user identification and authorization; resource authorization checking and system control]
User Identification
RACF identifies you when you logon
Userid and password are required
Each RACF userid has a unique password
Password is one-way encrypted, so no one else can get your password, not even the administrator
Userid is revoked after a preset number of invalid password attempts
[Figure: authorization checking flow: Protected resource? -> Valid user & group? -> Access authority? -> granted; a "No" at any of the three checks leads to denied (one of the denied outcomes is marked (*))]
Issuing of commands
Security Administration
Interpret the security policy to:
Authorized programs
Authorized tasks running authorized programs are allowed to access sensitive system functions
Unauthorized programs may only use standard functions to avoid integrity problems
APF
+
List of installation defined libraries
Authorized Libraries
A task is authorized when the executing program has the
following characteristics:
Problem Programs
Normal programs are known as problem programs as they run in problem state (as opposed to supervisor state)
They run in the problem key 8
They may or may not be in an APF library
APF Libraries
Authorized libraries are defined by the APF list in SYS1.PARMLIB
SYS1.LINKLIB, SYS1.SVCLIB and SYS1.LPALIB are automatically authorized
Installation libraries are defined in PROGxx
By default all libraries in the linklist are authorized but many installations set LNKAUTH=APFTAB, often prompted by auditors, so that this is no longer the case and only those in the list are authorized
Authorizing a program
The first, and only the first, load module of the program must be linked with the authorization code AC=1
It and all subsequent modules must be loaded from an authorized library
APF libraries must be protected so that only authorized users can store programs there
Authorizing libraries
Authorized libraries:
SYS1.LINKLIB
SYS1.LPALIB
SYS1.SVCLIB
List of installation defined libraries
System programs usually:
reside in APF-authorized libraries
execute in supervisor state
use storage keys 0 through 7
[Figure: APF authorized programs (authorized libraries) and non-authorized programs (unauthorized libraries)]
Authorizing libraries
The APF list is built during IPL using those libraries listed in the PROGxx parmlib member
If a dynamic list is specified then it may be updated by operator command
Dynamic APF
Update a PROGxx member and then activate it with operator command SET PROG=xx
Use the SETPROG APF command
DISPLAY PROG,APF command will display the current list
D PROG,APF
CSV450I 12.46.27 PROG,APF DISPLAY 027
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
    1 Z04RE1 SYS1.LINKLIB
    2 Z04RE1 SYS1.SVCLIB
    3 Z04RE1 ANF.SANFLOAD
    4 Z04RE2 AOP.SAOPLOAD
    5 Z04RE1 AOP.SAOPLOAD
    6 Z04RE1 ARTURO.BFSLMOD
    7 Z04RE1 ASMA.V1R2M0.SASMMOD1
    8 TOTDBZ ASN.V7R1M0.SASNALNK
    9 TOTDBZ ASN.V7R1M0.SASNLLNK
   10 TOTDBZ ASN.V8R1M0.SASNLOAD
   11 TOTPT1 ASNA.V5R1M0.SASNALNK
   12 TOTPT1 ASNL.V5R1M0.SASNLLNK
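Because APF libraries must be protected so that only authorized users can store programs there, the displayed list is a natural input for a periodic review. The following is an added example, not part of the original slides: it parses the first six rows of the display above and flags libraries whose universal access allows writing, that have no covering profile, or that appear on more than one volume. The UACC table is constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed input: first six rows of the D PROG,APF display above.
DISPLAY = """\
CSV450I 12.46.27 PROG,APF DISPLAY 027
FORMAT=DYNAMIC
ENTRY VOLUME DSNAME
    1 Z04RE1 SYS1.LINKLIB
    2 Z04RE1 SYS1.SVCLIB
    3 Z04RE1 ANF.SANFLOAD
    4 Z04RE2 AOP.SAOPLOAD
    5 Z04RE1 AOP.SAOPLOAD
    6 Z04RE1 ARTURO.BFSLMOD
"""

# Constructed UACC of the profile covering each library (hypothetical values).
UACC = {"SYS1.LINKLIB": "READ", "SYS1.SVCLIB": "READ", "ANF.SANFLOAD": "READ",
        "AOP.SAOPLOAD": "NONE", "ARTURO.BFSLMOD": "UPDATE"}
WRITE_LEVELS = {"UPDATE", "CONTROL", "ALTER"}  # levels that allow storing a program

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")  # entry, volume, dsname

def parse_apf(display):
    """Return [(entry, volume, dsname)] from the body of a CSV450I display."""
    rows = []
    for line in display.splitlines():
        m = ROW.match(line)
        if m:  # the message header and column header lines do not match
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows

def audit_apf(rows, uacc):
    """Findings for APF libraries: writable by all, unprofiled, or on >1 volume."""
    findings, volumes = [], {}
    for _, vol, dsn in rows:
        volumes.setdefault(dsn, set()).add(vol)
    for dsn, vols in sorted(volumes.items()):
        level = uacc.get(dsn)
        if level is None:
            findings.append((dsn, "no covering profile found"))
        elif level in WRITE_LEVELS:
            findings.append((dsn, f"UACC {level} lets any user store programs"))
        if len(vols) > 1:  # each copy is a separate library to protect
            findings.append((dsn, "listed on volumes " + ",".join(sorted(vols))))
    return findings

if __name__ == "__main__":
    for finding in audit_apf(parse_apf(DISPLAY), UACC):
        print(finding)
```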
Consoles
Security Roles
Summary
z/OS Security Server
RACF
SAF
Authorized Programs
APF list
Console security
Backup
[Figure: Nodes A to E hosting Systems A, B, C, D1, D2 and E, with five RACF databases]