z/OS Security Administration
Part Three - Challenge #09

Background:

Security Administration roles and security best practices have always been critical. The internet and the self-serve capabilities that followed gave the public indirect access to critical data sources, such as a bank account. As a result, the focus on security has intensified. Audit functions and automated monitoring with the ability to take action on suspect behavior are also critical. The security administrator will typically conduct audit functions to find and address issues; official auditors conduct regularly scheduled reviews.

IBM Z mainframes have security and data encryption capability beyond other servers. The most significant security issue is sloppy procedures, practices, and inadequate audit reviews.

z/OS is not difficult to understand. However, the vast majority of z/OS technical capabilities in most production environments are nearly impossible to explore as a result of security policies. High z/OS security is a matter of need to know: access is permitted only to the resources an employee needs to complete their responsibilities and no more. The reason is to mitigate risk, since as a general practice insiders cannot be assumed trustworthy.

z/OS Resource Security covers data, program execution, transaction execution, network traffic, and more. RACF, Resource Access Control Facility, is available to provide z/OS Resource Security.

The challenge involves:

  1. Allocation of 3 protected data set names
  2. RACF command to list data set name RACF protection information
  3. RACF command to add a fully qualified generic data set name profile with a universal access of none
  4. RACF command to add a fully qualified generic data set name profile with a universal access of read
  5. RACF command to permit a single ID to read fully qualified generic data set name profiles with a universal access of none
  6. RACF command to list RACF protection modifications to the 3 newly allocated data set names

Terminology:

  • RACF Generic data set profile - includes generic characters (%,*,**)
  • RACF Discrete data set profile - is the full data set name without any generic characters
  • RACF Fully qualified generic data set profile - is the full data set name without any generic characters and using the GENERIC keyword on RACF commands

Use of fully qualified generic data set profiles is a best practice over discrete data set profiles because a discrete data set profile is deleted when the data set is deleted. A fully qualified generic data set profile is retained when the data set is deleted. If a data set with the identical name is allocated later, the protection characteristics of the existing fully qualified generic data set profile are applied.

RACF commands used in the challenge are:

  1. LISTDSD (LD) - list RACF data set profile (finding out how a data set is protected)
  2. ADDSD (AD) - add RACF data set profile
  3. PERMIT (PE) - modify a RACF data set profile's access list (permitting an individual or a group to use a data set)
  4. DELDSD (DD) - delete RACF data set profile (if needed)

Challenge

Jump to ISPF Command Shell panel, =6

Enter ld da(**) all
  The output of the above command is equivalent to ld da('hlq.**') all where hlq is the high level qualifier - your ID
  All your personal data sets are protected by this generic data set profile
  Observe your generic data set profile has a UNIVERSAL ACCESS of NONE
  This means ACCESS authority to your data sets is NONE for everyone except the owner, you

submit 'zos.public.jcl(p3ch9)'

Review the output for successful completion

P3CH9 allocated 3 new data sets:

  • hlq.SEQ.HIGH.PRIVACY
  • hlq.SEQ.SEMI.PRIVACY
  • hlq.SEQ.PUBLIC

From the ISPF Command Shell, =6

  1. ADD a fully qualified generic data set profile with universal access (none), warning, and notify for hlq.SEQ.SEMI.PRIVACY
  2. PERMIT ID AUDIT01 read access to hlq.SEQ.SEMI.PRIVACY
  3. ADD a fully qualified generic data set profile with universal access (read), warning, and notify for hlq.SEQ.PUBLIC

For example, you can list any of your RACF data set profiles using the following:
ld da(dataset_profile) all
or for a simple list
search mask(z#####) class(dataset)
  where your id should replace z#####
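As an added example (not the challenge's own P3CH9/P3CH9X jobs), the three ADDSD/PERMIT steps above plus a listing check run as one batch TSO job under IKJEFT01, so the command set and its output are kept in the job log; Z##### stands for your ID and the JOB card values are assumed placeholders for your installation.

```jcl
//P3CH9RAC JOB (ACCT),'P3CH9 RACF',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not part of the challenge JCL. Replace Z#####
//* with your own ID (the hlq) before submitting.
//* GENERIC is required on every command because the profile names
//* contain no %, * or ** and would otherwise be treated as discrete.
//* WARNING lets an access that would be denied proceed with a
//* warning message and a logged event; the challenge asks for it,
//* but it is not what you would leave on a production profile.
//RACFCMDS EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  ADDSD   'Z#####.SEQ.SEMI.PRIVACY' GENERIC UACC(NONE) WARNING +
          NOTIFY(Z#####)
  PERMIT  'Z#####.SEQ.SEMI.PRIVACY' GENERIC ID(AUDIT01) ACCESS(READ)
  ADDSD   'Z#####.SEQ.PUBLIC' GENERIC UACC(READ) WARNING +
          NOTIFY(Z#####)
  SEARCH  MASK(Z#####) CLASS(DATASET)
  LISTDSD DATASET('Z#####.SEQ.SEMI.PRIVACY') GENERIC ALL
  LISTDSD DATASET('Z#####.SEQ.PUBLIC') GENERIC ALL
/*
```

The SEARCH output should show the two new profiles alongside your existing hlq.** profile, and the LISTDSD ALL output shows AUDIT01 in the access list of the SEMI.PRIVACY profile.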

Once you successfully created the 2 RACF fully qualified generic data set profiles according to above instructions, then
submit 'zos.public.jcl(p3ch9x)'
The above writes your RACF data set profiles to P3.OUTPUT(#09)

If you need to delete a fully qualified generic data set profile -
dd 'fully.qualified_data_set_profile' generic
  (the GENERIC keyword is required because the profile name contains no generic characters; without it DELDSD looks for a discrete profile)
However, DO NOT delete your generic data set profile, hlq.**

If you accidentally delete your generic data set profile -
ad ** uacc(none)
