John Hilman. Vanguard Professional Services BAS08

Transcription

1 John Hilman Vanguard Professional Services BAS08 1

2 2 Legal Notice Copyright 2017 Copyright by Vanguard Integrity Professionals, Inc. All rights reserved. Unauthorized reproduction, modification, publication, display, or distribution of this work in any form is not permitted. Criminal copyright infringement may be punishable by fines and/or incarceration. Recording of live or online presentations is not permitted. The use of session, event, staff, or presenter images is not authorized including but not limited to posting images on social media. With respect to presentation materials such as hand-outs or slide decks, registered participants are permitted to reproduce, distribute, and display such materials internally within their organizations for non-commercial educational purposes only. All other uses must be expressly granted in writing by Vanguard Integrity Professionals, Inc.. Trademarks The following are trademarks of Vanguard Integrity Professionals Nevada: Vanguard Administrator Vanguard Advisor Vanguard Analyzer Vanguard SecurityCenter Vanguard Offline Vanguard Cleanup Vanguard PasswordReset Vanguard Authenticator Vanguard incompliance Vanguard IAM Vanguard GRC Vanguard QuickGen Vanguard Active Alerts Vanguard Configuration Manager Vanguard Configuration Manager Enterprise Edition Vanguard Policy Manager Vanguard Enforcer Vanguard ez/token Vanguard Tokenless Authenticator Vanguard ez/piv Card Authenticator Vanguard ez/integrator Vanguard ez/signon Vanguard ez/password Synchronization Vanguard Security Solutions Vanguard Security & Compliance Vanguard zsecurity University

3 3 Trademarks The following are trademarks or registered trademarks of the International Business Machines Corporation: CICS CICSPlex DB2 eserver IBM IBM z IBM z Systems IBM z13 IMS MQSeries MVS NetView OS/390 Parallel Sysplex RACF RMF S/390 System z System z9 System z10 System/390 VTAM WebSphere z Systems z9 z10 z13 z/architecture z/os z/vm zenterprise Java and all Java-based trademarks are trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group in the United States and other countries. Microsoft, Windows and Windows NT are registered trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, and service names may be trademarks or service marks of others.

4 4 Session Topics What RACF Always Logs What RACF Optionally Logs What RACF Never Logs Logging at the Resource Profile Level Audit Levels Reporting Tools

5 5 What is Logging? Logging is the recording of data about specific events. It is the key to auditing the use of RACF at your installation. RACF uses the system management facilities (SMF) to log data. RACF SMF

6 6 RACF Always Logs USE OF THE RVARY AND SETROPTS COMMANDS RVARY INACTIVE SETR RACLIST(TCICSTRN) REFRESH ALL SYSTEM ENTRY ACTIVITY (LOGONS, BATCH, STC) SMF Type 30 Records ALL SUCCESSFUL ACCESS ATTEMPTS TO RESOURCES IN FAIL-SOFT MODE. SMF Type 80 Process Records ACCESS DUE TO PROTECTALL WARNING SETR PROTECTALL(WARNING)

7 7 RACF Never Logs RACF LIST COMMAND ACTIVITY, INCLUDING COMMAND VIOLATIONS: LISTDSD LISTGRP LISTUSER RLIST SEARCH

8 8 RACF Optionally Logs ALL RACF COMMANDS BY SPECIAL USERS ALL RACF COMMAND VIOLATIONS ACCESS TO RESOURCES USING OPERATIONS ATTRIBUTE ACCESS TO RESOURCES BY CLASS ALL CHANGES TO RACF PROFILES IN A SPECIFIC CLASS ALL RACF ACTIVITIES OF SPECIFIC USERS ACCESSES TO DATA SETS ACCESSES TO GENERAL RESOURCES SETROPTS SAUDIT SETROPTS CMDVIOL SETROPTS OPERAUDIT SETR LOGOPTIONS(audit-level(class)) SETROPTS AUDIT(class-name) ALU userid UAUDIT ALD profile_name AUDIT(ALL(UPDATE)) GLOBALAUDIT(ALL(UPDATE)) RALT class_name profile_name AUDIT(ALL(UPDATE)) GLOBALAUDIT(ALL(UPDATE))

9 9 Resource Logging AUDIT SUBPARAMETER MUST HAVE "SPECIAL", "GROUP-SPECIAL" OR "OWNERSHIP RIGHTS" TO CHANGE LOGGING ALD 'VAN.PROD.**' AUDIT(FAILURES(READ)) GLOBALAUDIT SUBPARAMETER DISPLAYED BY "AUDITOR" MUST HAVE "AUDITOR" OR "GROUP-AUDITOR" TO CHANGE LOGGING ALD 'VAN.PROD.**' GLOBALAUDIT(SUCCESS(UPDATE))

10 10 Audit Levels EXAMPLES: ACCESS ATTEMPT NONE FAILURES SUCCESS ALL ACCESS LEVEL ALTER CONTROL UPDATE READ ALD ALD RALT RALT... AUDIT(SUCCESS(UPDATE) FAILURES(READ))... GLOBALAUDIT(ALL(UPDATE))... AUDIT(NONE)... GLOBALAUDIT(ALL)

11 11 z/os UNIX Optional Logs RACF CLASSES FOR AUDITING UNIX SYSTEMS SERVICES DIRSRCH DIRACC FSOBJ FSSEC PROCESS PROCACT IPCOBJ Directory searches Directory accesses All file and directory accesses Change of FSP and ACLs Change of process UID/GID Functions that look at data from other processes IPC security checks

12 12 Auditing z/os UNIX Security Events Create SMF Record based on attempts to perform the specific request DIRSRCH: Directory searches DIRACC: Access checks for read/write accesses to directories SETROPTS LOGOPTIONS(FAILURES(DIRSRCH, DIRACC))

13 13 Auditing z/os UNIX Security Events Create SMF records based on File System Objects and File Permissions and ACL changes FSOBJ: Successful creation and deletion of file system objects FSSEC: Successful changes to the FSP and ACL file permissions SETROPTS AUDIT(FSOBJ FSSEC) Create SMF records based on PROCESS Dubbing, Undubbing, and Server Registration of Processes for PROCESS Class PROCESS: Successful dubbing and undubbing of z/os UNIX processes SETROPTS AUDIT(PROCESS) Turn off PROCESS audits: SETROPTS NOAUDIT(PROCESS) Could Cause Excessive SMF Records

14 14 Auditing z/os UNIX Security Events Auditing the Superuser Only through RACF UNIXPRIV Class Profiles Only SUCCESSes except for SHARED.IDS RALT UNIXPRIV ** AUDIT(SUCCESS(READ)) SHARED.IDS creates audit records for FAILURES Use default of FAILURES(READ) RACF UAUDIT attribute can be used Could Cause Excessive SMF Records

15 15 RACF Reporting Tools RACF Report Writer RACF SMF Data Unload Utility DFSORT ICETOOL Vanguard Advisor

16 16 The RACF Report Writer RACFRW - RACF REPORT WRITER USES - VIOLATION REPORTS WARNING REPORTS ACTIVITY REPORTS FOR EXTRAORDINARY USERS ACTIVITY REPORTS FOR SELECTED USERS AND DATA SETS INVOKED BY THE RACF RACFRW COMMAND (USE IKJEFT01 IN BATCH MODE) STABILIZED AS OF RACF IN 1992 No longer the recommended utility for processing RACF audit records. WILL NOT REPORT ON NEW EVENTS AND EVENT QUALIFIERS AFTER E.G. UNIX SYSTEM SERVICES, RRSF, AND GENERAL AUDITING

17 17 The RACF SMF Data Unload Utility IRRADU00 - SMF DATA UNLOAD UTILITY USED TO CREATE A SEQUENTIAL DATA SET FROM AN ONLINE SMF DATA SET The RACF SMF data unload utility is the preferred reporting utility. USE THE SEQUENTIAL DATA SET TO VIEW THE SMF RECORDS DIRECTLY AS INPUT TO INSTALLATION-WRITTEN PROGRAMS AS INPUT TO THE SORT/MERGE UTILITY (DFSORT) AS INPUT TO A DATABASE MANAGER TO PRODUCE REPORTS

18 18 The RACF SMF Data Unload Utility DB2 or Other RDMS IRRADU00 Sort/Merge or Utilities SMF Data IFASMFDP Unloaded SMF Data Installation Written Programs IRRADU86 Browse

19 19 IRRADU00 SMF Record Types 30 JOB INITIATION RECORD Subtype 1 for Job Initiation Subtype 5 for Job Termination 80 RACF PROCESSING RECORD Unauthorized system access attempt Successful access or unauthorized attempts to access protected resources. Authorized or unauthorized attempts to modify profiles RVARY Commands SETROPTS Commands 81 RACF STATUS RECORD RACF initialization (IPL) 83 SECURITY EVENTS RECORD MLACTIVE, SECLABEL changes WebSphere audit data Tivoli Key Lifecycle Manager (TKLM) audit data

20 20 Running The RACF SMF Data Unload IRRADU00 SMF Data IFASMFDP Unloaded SMF Data IRRADU86

21 21 DFSORT ICETOOL ICETOOL DFSORT front-end FUNCTIONS Manipulates input data Create reports using DISPLAY and OCCURS operators INPUT DATA Output from IRRADU00 REPORTS Ad Hoc reports using DFSORT record selection control statements and ICETOOL record format control statements

22 22 DFSORT ICETOOL IRRICE Member in SYS1.SAMPLIB FUNCTIONS Provides control statements for 15 sample reports Includes the RACFICE PROC with sample JCL to run ICETOOL SAMPLE REPORTS SUCH AS Count of RACF commands issued by user id Users with excessive incorrect passwords Access allowed because of OPERATIONS attribute Access violations Access allowed due to WARNING mode profiles

23 23 Using SMF Unload Output With DB2 CREATE DB2 DATABASE Installation Defined CREATE DB2 TABLE SPACE Member IRRADUTB in SYS1.SAMPLIB CREATE DB2 TABLES Member IRRADUTB in SYS1.SAMPLIB LOAD THE DB2 TABLES Member IRRADULD in SYS1.SAMPLIB RUN INQUIRIES AGAINST THE TABLES Member IRRADUQR in SYS1.SAMPLIB for SQL samples

24 24 SMF Data Report Scenario - ICETOOL Report request: Find all accesses granted due to the OPERATIONS attribute Solution: Unload SMF data Use ICETOOL for report Choose ACCESS records and key on AUTH_OPER field Was operations authority checking a reason for access being allowed?

25 SMF Event Types & Codes 25

26 SMF Event Types & Codes 26

27 27 Format of Unloaded Header Records The table continues for several more pages.

28 28 The ACCESS Record Extension This table describes the format of a record that is created by the access to a resource. The table continues for several more pages.

29 JCL for ICETOOL Report 29

30 30 Display and Sort Criteria Must Know the Record Layout Must Know the Event Type & Layout

31 Report Output 31

32 32 Other Options Installation written reporting programs Third party products such as Vanguard Advisor

33 33 Live SMF Data or Extract Live SMF Extract Vanguard Advisor gives you a choice.

34 34 SMF Data Report Scenario - Advisor Report request: Find all accesses granted due to the OPERATIONS attribute Solution: Vanguard Advisor Data Set Access report and key on OPERATION for Authority Type Was operations authority checking a reason for access being allowed?

35 Using Advisor for SMF Reports 35

36 Select Resource Access Summary 36

37 Select Data Set Access by Userid 37

38 38 Hmmm. Which Report Do We Want? Press F1 for more info

39 Authority Types Displayed 39

40 Specify OPERATION for Authority Type 40

41 Drill Down for Detail Report 41

42 Detail Report 42

43 What Can I Do With the Report? 43

44 44 Logon Violation Scenario - Advisor Report request: Find all Logon Violations with three or more Failed Logon Attempts Solution: Vanguard Advisor System Entry Report with Exception Criteria

45 Select Standard Reports 45

46 Select System Entry Detail 46

47 Violations Greater than or Equal to 3 47

48 Report of 3 or More Logon Failures 48

49 49 Questions How to Contact Us Vanguard Integrity Professionals 6625 South Eastern Ave., Suite 100 Las Vegas, NV Direct/International: (702) Toll Free: (877)

50 50 Session Evaluation Be sure to rate your experience in the Guidebook app guidebook Using the built-in star rating system, and evaluation forms, you ll be able to share your feedback on sessions and speakers. Your opinions help us to bring you the best possible conference experience. Please let us know your thoughts.

51 51