NOTE: This process is not to be used for Grouping/ Member Classes. Those will be covered in another White Paper.

Similar documents
Removing ID. The Solution: The Issue: The Problem:

Analyzer runs thousands of integrity checks for both RACF and z/os Security Server.

DATA SHEET. ez/piv CARD KEY FEATURES:

VANGUARD Policy Manager TM

VANGUARD POLICY MANAGERTM

POLICY MANAGER VANGUARD POLICY MANAGER (AUDIT/COMPLIANCE)

DATA SHEET VANGUARD CONFIGURATION MANAGER TM KEY FEATURES: VANGUARD TAKES THE TARGET OFF YOUR

SOLUTIONS BRIEFS. ADMINISTRATION (Solutions Brief) KEY SERVICES:

VANGUARD WHITE PAPER VANGUARD INSURANCE INDUSTRY WHITEPAPER

WHITE PAPERS. INSURANCE INDUSTRY (White Paper)

VANGUARD INTEGRITY PROFESSIONALS Page 1

VANGUARD WHITE PAPER VANGUARD GOVERNMENT INDUSTRY WHITEPAPER

DATA SHEET. VANGUARD ez/tokentm KEY FEATURES:

PROFESSIONAL SERVICES (Solution Brief)

DATA SHEET VANGUARD AUTHENTICATORTM KEY FEATURES:

Insurance Industry - PCI DSS

Performing a z/os Vulnerability Assessment. Part 2 - Data Analysis. Presented by Vanguard Integrity Professionals

Are Your Auditors and NIST Security Configuration Controls Driving You Crazy? Configuration Manager Implementation

Vanguard Advisor TM Your Way: Enhanced Masking, Report Formatting and Exception Criteria. Presented by Vanguard Integrity Professionals

Jim McNeill. Vanguard Professional Services VSS10 & VSS13

Vanguard Configuration Manager Customization and Use

Is Your z/os System Secure?

Performing a z/os Vulnerability Assessment. Part 3 - Remediation. Presented by Vanguard Integrity Professionals

Vanguard Active Alerts. Jim McNeill Sr Consultant

John Hilman. Vanguard Professional Services BAS08

Eleven Steps to Make Mainframe Security Audits More Effective and Efficient

Developing Legacy Platform Security. Philip Young, Information Security Specialist, Visa, Inc. Professional Techniques T21

Federal Agency Firewall Management with SolarWinds Network Configuration Manager & Firewall Security Manager. Follow SolarWinds:

NIST Standards and a VCM Implementation

MANEWS Issue Number 21 the Mainframe Audit News

VANGUARD Compliance Manager VANGUARD Policy Manager VANGUARD Security Manager VANGUARD Enforcer

How Vanguard Solves. Your PCI DSS Challenges. Title. Sub-title. Peter Roberts Sr. Consultant 5/27/2016 1

Securing Mainframe File Transfers and TN3270

How to Go About Setting Mainframe Security Options

Challenges and Issues for RACF Systems

Version 9 Release 1. IBM InfoSphere Guardium S-TAP for IMS on z/os V9.1 User's Guide IBM

Rocket Software Strong Authentication Expert

Firewall Configuration and Management Policy

RACF Groups. John Hilman BAS02. Vanguard Professional Services

Concurrent VSAM access for batch and CICS

Performing a z/os Vulnerability Assessment. Part 1 - Data Collection. Presented by Vanguard Integrity Professionals

16898: A Forensic Analysis of Security Events on System z, Without the Use of SMF Data

Using Threat Analytics to Protect Privileged Access and Prevent Breaches

=============================================== ===============================================

ProjectPlus. Implementations, Upgrades WHITE PAPER. Table of Contents SCOPE OF THIS PAPER... 2 PROJECTPLUS... 3 MENU SET-UP AND MANAGEMENT...

zenterprise zenteprise Usage Scenarios

Concurrent VSAM access for batch and CICS: A white paper series

What is PCI/DSS and What s new Presented by Brian Marshall Vanguard Professional Services

IBM Tivoli OMEGAMON XE for Storage on z/os Version Tuning Guide SC

CA Dynam /T Tape Management for z/vse

RACFVARS RUGONE October 2013

Auditing and Protecting your z/os environment

Enhancing Virtual Environments

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

Introduction to AWS GoldBase

CICS insights from IT professionals revealed

Splunking Your z/os Mainframe Introducing Syncsort Ironstream

Security Enterprise Identity Mapping

Vanguard ez/signon Client Installation and User Guide

Group Policy change monitoring, reporting, and alerting

Quick Start Your zsecure Suite - LAB

Overview. Business value

Managing the Risk of Privileged Accounts and Passwords

maxecurity Product Suite

bt-webfilter Administrator s Guide: Access Rules & Custom Access Policies

CA Workload Automation CA 7 Edtion CA RS 1502 Service List

LOWER THE COST OF PROVIDING z/os SERVICES

CA Software Change Manager for Mainframe

Version 10 Release 1.3. IBM Security Guardium S-TAP for IMS on z/os User's Guide IBM SC

HyTrust government cloud adoption survey

To Audit Your IAM Program

Auditing in an Automated Environment: Appendix B: Application Controls

Enhancing Virtual Environments

THE HOME BUILDER S GUIDE TO. Mastering New Home Marketing with Your CRM

New Security Options in DB2 for z/os Release 9 and 10

FairWarning Mapping to PCI DSS 3.0, Requirement 10

IBM Security SiteProtector System SecureSync Guide

USING QUALYSGUARD TO MEET SOX COMPLIANCE & IT CONTROL OBJECTIVES

Hands-on Lab: Setting up the z/os LDAP Server with the dsconfig utility.

SQL Server Solutions GETTING STARTED WITH. SQL Secure

UMD: UTAH MASTER DIRECTORY

DATA PROTECTOR FOR Z SYSTEMS(ZDP) ESSENTIALS

Cisco CCNA ACL Part II

IBM i (iseries, AS/400) Security: the Good, the Bad, and the downright Ugly

What s Cool About the CONNECT Command in RACF

The 10 Disaster Planning Essentials For A Small Business Network

emeasures 2.0 USERS MANUAL

COURSE OUTLINE MOC : PLANNING AND ADMINISTERING SHAREPOINT 2016

Mapping BeyondTrust Solutions to

Comparing buffers above and below the bar

whitepaper: Whitelisting Without The Complexity

Demonstrating HIPAA Compliance

Governance, Risk, and Compliance: A Practical Guide to Points of Entry

Oracle Database Security - Top Things You Could & Should Be Doing Differently

Instructions 1 Elevation of Privilege Instructions

Concurrent VSAM access for batch and CICS: A white paper series

SHARE Session Protecting Critical Data on a z/os Mainframe: A New Attitude

Information Technology Risks & Controls for Financial Systems PEM-PAL Treasury CoP Workshop 2011 Kristin Lado Tufan

SAS Metadata Security 201: Security Basics for a New SAS Administrator

AKAMAI WHITE PAPER. Security and Mutual SSL Identity Authentication for IoT. Author: Sonia Burney Solutions Architect, Akamai Technologies

Transcription:

How to use Vanguard security products to remove s greater than NONE or READ to create a more secure mainframe RACF database without risking an operational outage due to removing required access. NOTE: This process is not to be used for Grouping/ Member Classes. Those will be covered in another White Paper. Permissions According to over 300 audits of different RACF databases and environments, a recurring problem is that too many data sets have RACF (Universal Access) permissions with READ or greater. The Issue Most organizations have no idea who or what processes rely upon the permission in order to gain access to a needed resource. Additionally even with AUDIT(ALL) specified on the profile, it is nearly impossible, very time consuming and very CPU intensive to gather 365 days or more worth of SMF data in order to even begin the process of determining who or what process gained access to a resource (including Datasets) via a Universal Access. The Problem With the increased scrutiny by auditors of security on the mainframe and the realization that access provides ALL users (authenticated and not authenticated) access to resources, the removal of this permissions has become a requirement that requires resolution. The Solution There is one fool proof method to identify and remediate all access in a RACF database. Vanguard Administrator and Vanguard Offline can be used to find and remediate the accesses while Vanguard Policy Manager can be used to maintain the RACF database once remediated. After all, fixing the database only provides relief until someone modifies it and changes the profiles back to an undesirable state. The How (The technical details of how to resolve this problem) With the Vanguard Offline and Vanguard Administrator solution, it is possible to determine any and all access to all resource via a and then remove that access Here is how the process works: Page 1

First: You must install the Vanguard Cleanup product and allow it to collect data for a period of time. The length of time depends on the customer installations desire for complete reporting. 365 days is a recommended value but a smaller amount of time can be used as long as end of year processing has been completed. Second: Go into Vanguard Administrator and either against a current Vanguard Extract File or the LIVE database, go into option 3: Security Server Reports and then Option 10: Universal Access. On the next panel specify the Level of of N and GT (for Greater Then), this will result in a report of all s greater than NONE. You should do this BY CLASS (No need to try and boil the ocean) so add further Masking below to do one class at a time (such as specifying DATASET on the CLASS Line), you will also need to do DISCRETE and GENERIC Datasets separately. It is recommended that GENERIC datasets be done first. Do this ONLINE as we will use QuickGen to create the commands in the next step, so specify O on the BATCH/One-Line. Generate Heading should be set to N. Third: Create the commands to change the on all results to NONE. Once the report comes back online, Type QG on the command line and then specify either one of the following on line 1: For the DATASET CLASS for GENERIC profiles: ALTDSD &PROFILE (NONE) &TYPE For the DATASET CLASS for DISCRETE profiles: ALTDSD &PROFILE (NONE) For NON DATASET CLASSES RALTER &CLASS &PROFILE (NONE) Then on the command line type : GEN This will create a temporary file of all the commands you will needs for testing, that you should now copy to a permanent file (call it anything you want, it can be a flat file or a member in a PDS, but remember the name of this file). This file will be later in this document as the COMMANDFILE. NOTE: DO NOT ISSUE the VRAEXEC, VRABATCH or VRASCHED command or in any way submit this set of commands to your RACF database as: YOU DO NOT WANT to remove access yet. DON T DO IT. Page 2

Fourth: Now that we have the commands to change the to NONE, we need to find out what the effect of the commands will have given actual accesses (those captured by the Vanguard Cleanup Started task from the First Step) that occurred to the production RACF database so that we can find what users will lose access, given the changes. What we do here in Targeted Impact Analysis Option 4 is take every access Request from that Offline HMF that could be affected by the Commands in the COMMANDFILE and test them against the Test RACF database (the Offline version) and store the results (no we don t use RACF to do this, it is all Vanguard Processing) and then we execute the Commands in the COMMANDFILE against the Test RACF database (the Offline version) and then rerun the Same set of Access Requests against the now modified test RACF database (now having the effect of the COMMANDFILE run against it) and then we compare the two resultant sets of access. Any difference found is directly due to the effect of the commands in the COMMANDFILE and ONLY those commands. it executes upon). The History Master File is determined based on the VCLOPT00 and MUST point to your production Offline History Master File (This can be found in VCLOPT00 specified as VOFMAST). Next, On the Targeted Impact Analysis Screen you will see a CREATE EXTRACT FILE option, please specify this as YES, provide it a meaningful name as this flat file dataset will be used later. This file will be used later as RESULTSET in this white paper. Hit Enter to get to the next screen where it allows for specification of one or more Offline HMFs. If you are running Offline on multiple systems against different Offline HMFs within a SYSPLEX against the same RACF database, you should specify the names of the other HMFs here. Hit Enter and then submit the generated JCL after making any necessary JOBCARD modifications. The Job may run awhile depending on the size of the RACF database and more importantly the number of access requested contained in the Vanguard Offline History Master File. To accomplish this go into Vanguard Offline, Specifying Option 7 for Targeted Impact Analysis reports and then chose Option 4. On the Option 4 panel, you will need to provide the COMMANDFILE name on the Command Input Dataset Line and you will specify the name of the offline copy of the RACF database (Option 4, will delete, define and create the copy at run time of the RACF database based on the system Page 3

Fifth: Now it is time to see the effect of the COMMANDFILE and generate permits for users that would lose access due to their use of the to gain access to resources. Once the batch FILE from the previous step is completed, go back into Vanguard Offline and chose Option 6: Target Impact Analysis Report Online and then option 7 Impact Detail All Access Changes (which if you only issued commands that will lower access, then all records reflected will be denied access as lowering a cannot provide additional Access). Once you view the report, first make sure that *UNDEF* does not show in the USER column. This would indicate that one or more unauthenticated users gained access to resources via a. It is not possible to generate commands to permit these users as they are UNKNOWN. This should not be the case, but if there are *UNDEF* users then these MUST be investigated first to ensure that these unknown users or processes (usually an STC) do not lose access. On the command line put a Q for QUICKGEN and on line 1: Type one of the following: For the generic profile datasets: (&USERID) ACCESS(&LACCREQ) GEN For discrete profile datasets: (&USERID) ACCESS(&LACCREQ) For General Resource class members: (&USERID) ACCESS(&LACCREQ Take the resultant set of commands and save them as a new set of commands, this file will be the PERMITTOREMOVE referred to below. Last: Now, once you are ready to actually remediate your RACF database by changing the s, take the PERMITTOREMOVE commands and the COMANDFILE and run them against your RACF database back to back running the PERMITTOREMOVE first. You can do this in a batch job or online. TO PREVENT s being changed in the future. Vanguard Policy Manager should be implemented on the target system to prevent undesirable changes from being reintroduced back into the RACF database by well-intentioned Administrators. Install Policy Manager on the system and then implement the following Best Practice Policy. BP..NONE.REQUIRED This best practice policy is easily implemented by simply selecting the Policy under the Policy Manager Option 1 Best Practices. It will interrogate every command issued to the RACF database and prevent any Administrator from issuing a command that creates or alters a profile to elevate the above NONE. Vanguard Policy Manager contains a number of other best practices and user defined policies that can be used to ensure that the site s implementation of security is adhered to by even the most authorized system special users. See the Policy Manager manual for more details. Page 4

Why Vanguard to Secure Your Enterprise? Almost half of the Fortune 1000 companies in the world spanning banking, retail, insurance, as well as numerous government agencies trust Vanguard with their enterprise security. About Vanguard Security Solutions Vanguard offers the most advanced and integrated portfolio of enterprise security products and services in the world. The portfolio was the first to offer fully automated baseline configuration scanner for Mainframe DISA STIGs the Gold Standard for Security. For More Information To learn more about Vanguard Security Solutions please call 702.794.0014 or visit www.go2vanguard.com Corporate Headquarters 6625 S. Eastern Avenue Suite 100 Las Vegas, NV 89119-3930 Page 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback