Security policy management on IBM z/VM
Most organizations have a security policy that typically states the rules for controlling access to data. Statements for data ownership and rules about granting the least access that is necessary for each role also are in place.
However, few instructions might be available about the practical scenario of implementation. Little mention often is made of any of the IT platforms that are involved. Therefore, little or no link exists between that policy and the security procedures that must exist.
Organizations find a great benefit in having documentation that relates the policy to the platform, and for each software product that needs security-related configuration. It should be possible to see the line from policy to procedures, and see that the policy is enforced in the implementation environment.
This chapter provides an overview of how to implement some of the common statements that are defined on a security policy.
This chapter includes the following topics:
5.1 User ID management
User ID management is closely related to how the security policy is described. All of the management of user ID identity, access, and entitlement should be in accordance with each of the policies that are described in the company’s security policy.
This section describes some mechanisms that are available on z/VM to control user IDs and their accesses and entitlements.
5.1.1 Least privilege principle
In an operating system, some operations are privileged and the permission to perform these operations are restricted to authorized users. These privileged operations usually include tasks, such as restarting the system, adding and modifying privileges to other users, adding and deleting users, and modifying the system date and time.
A system that is secure requires that each user is granted only those privileges that are necessary to complete their task. Privileges provide the advantage that only users that require certain privileges must be granted these privileges.
This restriction of privileges is known as the principle of least privilege, and it is useful in limiting damage to the system that can result from an accident, error, or malicious administrators and operators. It also is useful when the system must be audited. The audit of a privileged task is reduced to those users that are allowed to run that task.
CP privilege classes
As described in 3.2.8, “Role-based access controls and CP privilege classes” on page 37, one of the ways to control privileges for a user is through z/VM privilege classes. Every user that is defined in the z/VM User Directory has one or more privilege classes.
When the system security policy follows the enterprise security policy, privilege classes represent jobs or roles on the system and are associated with an enterprise security policy job or role. The privilege classes are used in z/VM to implement role-based access control (RBAC).
Seven privilege classes are defined by default in z/VM, which are represented by A - G. These letters represent the specific roles in the z/VM operating environment, ranging from System Operator to General User. By using the default classes, a privileged user is any user with a class other than class G authority on the system.
It is possible to create privilege classes that meet the enterprise security policy according to the roles that are described in it. These classes can be represented by I - Z, or 1 - 6. Example 5-1 shows changing the SHUTDOWN command from privilege class A to privilege class S. In this situation, only users with privilege class S are authorized to shut down the system.
Example 5-1 Changing the SHUTDOWN command to privilege class S
q cpcmd shutdown
Command: SHUTDOWN
Status: Enabled Not Silent
IBM Class: A PrivClasses: A
CMDBK Address: 009EEBF0 Entry Point: HCPSHUTD
Ready;
 
cp modify command shutdown privclasses s
Ready;
 
q cpcmd shutdown
Command: SHUTDOWN
Status: Enabled Not Silent
IBM Class: A PrivClasses: S
CMDBK Address: 009EEBF0 Entry Point: HCPSHUTD
Command: ------------
Status: Enabled Not Silent
IBM Class: A PrivClasses: A
CMDBK Address: 01E00020 Entry Point: HCPSHUTD
Ready;
In Example 5-1 on page 108, the privilege class modification was done dynamically. If a restart is done on the system, the change is lost. To make the change permanent, update SYSTEM CONFIG to reflect the changes. The entry in the SYSTEM CONFIG file looks like the following string:
Modify cmd SHUTDOWN ibm A priv A
To determine which classes to which a user has access, run the QUERY PRIVCLASS command. To determine what CP commands and diagnostic instructions to which a user has access, run QUERY COMMANDS. Example 5-2 shows user EDI privilege class and the commands that are available to it.
Example 5-2 Privilege class and commands that are available for default classes G and ANY
query privclass
Privilege classes for user EDI
Currently: G
Directory: G
Ready; T=0.01/0.01 16:43:49
 
query commands
ADJUNCT ADSTOP ATTN BEGIN CHANGE CLOSE
COMMANDS COUPLE CPFORMAT CPU DEFINE DETACH
DIAL DISCONNECT DISPLAY DUMP ECHO EXTERNAL
FOR INDICATE IPL LINK LOADVFCB LOCATEVM
LOGON LOGOFF MESSAGE NOTREADY ORDER PURGE
QUERY READY REDEFINE REQUEST RESET RESTART
REWIND SCREEN SEND SET SIGNAL SILENTLY
SLEEP SMSG SPOOL SPXTAPE STOP STORE
SYSTEM TAG TERMINAL TRACE TRANSFER UNCOUPLE
UNDIAL VDELETE VINPUT VMDUMP XAUTOLOG XSPOOL
DIAG00 DIAG08 DIAG0C DIAG10 DIAG14 DIAG18
DIAG20 DIAG24 DIAG28 DIAG40 DIAG44 DIAG48
DIAG4C DIAG54 DIAG58 DIAG5C DIAG60 DIAG64
DIAG68 DIAG70 DIAG7C DIAG88 DIAG8C DIAG90
DIAG94 DIAG98 DIAG9C DIAGA0 DIAGA4 DIAGA8
DIAGB0 DIAGB4 DIAGB8 DIAGBC DIAGC8 DIAGD0
DIAGDC DIAGE0 DIAGE4 DIAGEC DIAGF0 DIAGF8
DIAG204 DIAG210 DIAG214 DIAG218 DIAG220 DIAG224
DIAG238 DIAG23C DIAG240 DIAG244 DIAG248 DIAG250
DIAG254 DIAG258 DIAG260 DIAG264 DIAG268 DIAG26C
DIAG270 DIAG274 DIAG278 DIAG27C DIAG280 DIAG288
DIAG29C DIAG2A0 DIAG2A4 DIAG2A8 DIAG2C4 DIAG2E0
DIAG2FC DIAG308
Ready; T=0.01/0.01 16:46:09
COMMAND directory statement
In some cases, a user might need to run a privileged command during logon to set up a user, but does not need to have authorization to run all the commands of the privilege class of this command. One of the solutions is to move this command to a new privilege class and grant access to this new class for the user.
Another solution where you do not need to create a privilege class is to place the COMMAND statement into the user directory. The COMMAND statement is part of a user directory entry. This statement, which supports up to 255 characters, can run a privileged command after the instantiation of a VM but before the guest formally undergoes an IPL. This command bypasses the need to give a user a specific clearance level while allowing flexibility in configuration.
When the COMMAND statement is used, make sure it is defined before any device statement and any command operands are specified uppercase. In Example 5-3, user EDI has QUERY LPAR specified at its directory. This command is available to only privilege classes B and E. The user can run the command during the logon process.
Example 5-3 Running the COMMAND directory statement
USER EDI LNX4ITSO 64M 96M G
COMMAND QUERY LPAR
SPOOL 000C 2540 READER *
SPOOL 000D 2540 PUNCH A
SPOOL 000E 1403 A
CONSOLE 009 3215 T
 
Log on process:
 
LOGON EDI
z/VM Version 7 Release 1.0, Service Level 1801 (64-bit),
built on IBM Virtualization Technology
There is no logmsg data
FILES: 0001 RDR, NO PRT, NO PUN
LOGON AT 14:10:36 EDT TUESDAY 06/11/19
No LPAR data is available
ctive partition: MUSCA13
Ready; T=0.01/0.01 10:04:35
Although the COMMAND statement is limited to 255 characters, multiple statements can exist for a single user definition.
IBM Resource Access Control Facility optional user attributes
When a system is IBM Resource Access Control Facility (RACF) protected, it is possible to assign attributes to users by running RACF commands. User attributes describe various extraordinary privileges, restrictions, and processing environments that can be assigned to specified users.
It is possible to assign attributes at the system level or group level. When assigned at the system level, attributes are effective for the entire RACF-protected system. When assigned at the group level, their effect is limited to profiles that are within the scope of the group. The scope of control of a group-level attribute is inherited to the group-ownership structure to its subgroups until a subgroup is owned by a user, rather than a superior group.
Figure 5-1 shows an example of how the attributes are inherited through subgroups. As shown in Figure 5-1, GROUP1 owns GROUP2, GROUP2 owns GROUP3 and USER1, and so on. A user who is connected to GROUP1 with the group-SPECIAL attribute has an explicit scope of control as shown in the figure. That is, the user cannot modify any profiles that are owned by GROUP5.
Figure 5-1 Scope of control of an attribute at group level
Following the least privilege principle, SPECIAL, AUDITOR, and OPERATIONS attributes are assigned to a minimum number of people in the system to administer security.
Table 5-1 lists the user attributes that are available in RACF and its descriptions.
Table 5-1 User attributes
User attribute
Description
SPECIAL
The SPECIAL attribute gives the user full control over all the RACF profiles in the RACF database when assigning it at the system level. At the system level, the SPECIAL attribute allows the user to issue all RACF commands. When you assign the SPECIAL attribute at the group level, the group-SPECIAL user has full control over all resources that are within the scope of the group, and cannot issue RACF commands that have a global effect on RACF processing.
AUDITOR
When assigning the AUDITOR attribute at the system level, it gives the user full responsibility for auditing the security controls and the use of system resources across the entire system. With it, the user can specify logging options on the RACF commands, list the auditing options of any profiles by using the RACF commands, and control other logging to SMF for detecting changes and attempts to change the RACF database or for detecting accesses and attempted accesses of RACF-protected resources.
 
When assigning the AUDITOR attribute at the group level (that is, when assigning the group-AUDITOR attribute), authority is restricted to resources that are within the scope of the group.
ROAUDIT
The user with the ROAUDIT attribute (read-only auditor) has the same primary responsibility as the user with the AUDITOR attribute; that is to monitor the system. The difference between the AUDITOR attribute and the ROAUDIT attribute is that a user with the AUDITOR attribute can monitor the system and set auditing controls. A user with the ROAUDIT attribute can monitor only the system with the set of auditing controls
OPERATIONS
When assigning this attribute at the system level, it allows the user to perform any maintenance operations, such as copying, reorganizing, cataloging, and scratching, on RACF-protected resources. At the group-OPERATIONS level, the authorization to perform these operations is restricted to the resources that are within the scope of the group.
CLAUTH
The CLAUTH (class authority) attribute allows the user to define profiles in a specific RACF class. A user can have class authority for the USER class and any of the classes that are defined in the class descriptor table (CDT).
REVOKE
This attribute excludes the RACF defined user from entering the system. Revoke can be assigned at the group level, in which case the user cannot enter the system that is connected to that group.
PROTECTED
A protected user ID cannot be used to enter the system by any method that uses a supplied password, such as CP logon, rlogin, or FTP. Also, a protected user ID cannot be revoked through inactivity or unsuccessful attempts to access the system by using an incorrect password or password phrases. A protected user ID is defined by assigning the NOPASSWORD and NOPHRASE attributes through the ADDUSER or ALTUSER command.
To show the attributes of a user, list the user’s profile. Example 5-4 show attributes SPECIAL and OPERATIONS that are assigned to user EDI.
Example 5-4 Displaying attributes on a user
rac lu edi
USER=EDI NAME=UNKNOWN OWNER=IBMUSER CREATED=19.167
DEFAULT-GROUP=SYS1 PASSDATE=19.167 PASS-INTERVAL= 30 PHRASEDATE=N/A
ATTRIBUTES=SPECIAL OPERATIONS
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=19.172/15:14:17
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
To give an attribute to a user, run the ALTUSER command. Example 5-5 shows the attribute SPECIAL being added to user EDI.
Example 5-5 Adding attribute SPECIAL to user EDI
rac lu edi
USER=EDI NAME=UNKNOWN OWNER=IBMUSER CREATED=19.167
DEFAULT-GROUP=SYS1 PASSDATE=19.167 PASS-INTERVAL= 30 PHRASEDATE=N/A
ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=19.168/15:26:13
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
---------------------------------------------
ANYDAY ANYTIME
GROUP=SYS1 AUTH=USE CONNECT-OWNER=IBMUSER CONNECT-DATE=19.167
CONNECTS= 02 UACC=NONE LAST-CONNECT=19.168/15:26:13
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED
Ready;
 
rac alu edi special
Ready;
 
rac lu edi
USER=EDI NAME=UNKNOWN OWNER=IBMUSER CREATED=19.167
DEFAULT-GROUP=SYS1 PASSDATE=19.167 PASS-INTERVAL= 30 PHRASEDATE=N/A
ATTRIBUTES=SPECIAL
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=19.168/15:26:13
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
---------------------------------------------
ANYDAY ANYTIME
GROUP=SYS1 AUTH=USE CONNECT-OWNER=IBMUSER CONNECT-DATE=19.167
CONNECTS= 02 UACC=NONE LAST-CONNECT=19.168/15:26:13
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED
Ready;
To remove an attribute from a user, run the ALTUSER command. Example 5-6 shows the removal of the SPECIAL attribute from user EDI.
Example 5-6 Removing the SPECIAL attribute from user EDI
rac lu edi
USER=EDI NAME=UNKNOWN OWNER=IBMUSER CREATED=19.167
DEFAULT-GROUP=SYS1 PASSDATE=19.167 PASS-INTERVAL= 30 PHRASEDATE=N/A
ATTRIBUTES=SPECIAL
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=19.168/15:26:13
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
---------------------------------------------
ANYDAY ANYTIME
GROUP=SYS1 AUTH=USE CONNECT-OWNER=IBMUSER CONNECT-DATE=19.167
CONNECTS= 02 UACC=NONE LAST-CONNECT=19.168/15:26:13
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED
Ready;
 
rac alu edi nospecial
Ready;
 
rac lu edi
USER=EDI NAME=UNKNOWN OWNER=IBMUSER CREATED=19.167
DEFAULT-GROUP=SYS1 PASSDATE=19.167 PASS-INTERVAL= 30 PHRASEDATE=N/A
ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=19.168/15:26:13
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
---------------------------------------------
ANYDAY ANYTIME
GROUP=SYS1 AUTH=USE CONNECT-OWNER=IBMUSER CONNECT-DATE=19.167
CONNECTS= 02 UACC=NONE LAST-CONNECT=19.168/15:26:13
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED
Ready;
For more information about RACF attributes, see RACF Security Server Security Administrator’s Guide, SC24-6311.
5.1.2 RACF passwords and password phrases
Since RACF FL 530, password phrases can be defined for z/VM user IDs.
It is important to understand that passwords and password phrases are two different things. Passwords are uppercase by default or can be mixed case, if enabled by using the RAC SETROPTS PASSWORD(MIXEDCASE) command, and password phrases are mixed case by default. Passwords are 1 - 8 characters, and password phrases that use the default installation can be 14 - 100 characters. A user can be assigned a password, a password phrase, or both.
The default operation when creating a user profile is to not have a default value that is assigned to the password or the password phrase. The user is a protected user and cannot log on. This configuration is the preferable situation for disconnected service machines or guests user IDs.
For human IDs, the enterprise security policy defines what kind of authenticator is used. The initial password or password phrase of a user is not assigned by them.
When assigned a password or password phrase, the user can change that value at any time, but cannot remove it. When assigning the value for a user for the first time, make sure it is difficult to guess so the user has enough time to change it before someone else changes it. By default, the user ID is forced to change this initial value the first time it is used.
This section describes how to implement both functions.
Password and password phrases rules
Your organization’s security policy is likely to have a section that describes the rules that govern system passwords. On z/VM with RACF installed, these rules are implemented with the RACF SETROPTS commands by a user with the SPECIAL attribute. The following parameters control password requirements:
Password change interval
Inactive virtual machine (VM) intervals
When access is revoked because of unsuccessful login attempts
Password history (password reuse)
For example, the following password and password phrases policies are available:
RAC SETROPTS PASSWORD(INTERVAL(90) defines the change interval to 90 days.
RAC SETROPTS PASSWORD(MINCHANGE(5) specifies that users cannot change their passwords more than once in 5 days, for example.
RAC SETROPTS INACTIVE(30) revokes a user ID if it is unused for more than 30 days.
RAC SETROPTS PASSWORD(REVOKE(4)) defines the limit of successive incorrect use of passwords or password phrases before revoking the user.
RAC SETROPTS PASSWORD(HISTORY(6)) defines the number of previous passwords and password phrases that RACF saves for each user to avoid duplication.
Password syntax rules
Password syntax rules include (up to eight syntax rules) the following items:
Password length
Password character requirements (vowels, numbers, and so on)
Password in mixed case
For example, the following password policies are available:
RAC SETROPTS PASSWORD(MIXEDCASE) allows mixed-case passwords.
RAC SETROPTS PASSWORD(SPECIALCHARS) allows special characters.
The following rules pertain to password verification and control to define the syntax of the new passwords for your installation:
RAC SETROPTS PASSWORD(RULE1(LENGTH(6:8) ALPHA(1) ALPHANUM(3:8)) and RAC SETROPTS PASSWORD(RULE2(LENGTH(8))
RAC SETROPTS PASSWORD(RULE1(LENGHT(8) VOWEL(1,3,5:8) NUMERIC(2,4))) and RAC SETROPTS PASSWORD(RULE2(LENGHT(8) MIXEDALL(1:8)))
The RACF SETROPTS LIST command displays the password settings that are shown in Example 5-7.
Example 5-7 RACF SETROPTS LIST to display password settings
PASSWORD PROCESSING OPTIONS:
PASSWORD CHANGE INTERVAL IS 90 DAYS.
MIXED CASE PASSWORD SUPPORT IS IN EFFECT
6 GENERATIONS OF PREVIOUS PASSWORDS BEING MAINTAINED.
AFTER 4 CONSECUTIVE UNSUCCESSFUL PASSWORD ATTEMPTS,
A USERID WILL BE REVOKED.
NO PASSWORD EXPIRATION WARNING MESSAGES WILL BE ISSUED.
INSTALLATION PASSWORD SYNTAX RULES:
RULE 1 LENGTH(6:8) A*LLLLLL
RULE 2 LENGTH(8) ********
 
LEGEND:
A-ALPHA C-CONSONANT L-ALPHANUM N-NUMERIC V-VOWEL W-NOVOWEL *-ANYTHING
c-MIXED CONSONANT m-MIXED NUMERIC v-MIXED VOWEL $-NATIONAL
Although the password verification is done by RACF when it is active, some user CP directory entries still have meaning, including the following examples:
NOLOG: The user cannot log on to the system.
AUTOONLY: The user can be only XAUTOLOGed. Having a user who is defined with NOPASSWORD and NOPHRASE attributes has the same effect.
NOPASS: The user can log on without the use of a password. When the FACILITY class is not activated, or the IRR.NOPASS profile is not defined on the FACILITY class, any NOPASS user can log on without specifying a password. The security administrator should take extra care when the NOPASS statement is used.
Password phrases
A password phrase is a character string that consists of mixed-case letters, numbers, and any special characters, including blanks. Consisting of all those possibilities, password phrases have security advantage over passwords.
The NOPASSWORD attribute can be specified in ADDUSER or ALTUSER so that a user can authenticate only with a password phrase, which is stronger than a password.
Password phrases are implemented by default in RACF with a basic set of syntax rules. These syntax rules apply to all password phrases and cannot be altered or removed. However, the rules that install the ICHPWX11 exit can be enhanced. This section provides information about how to implement the exit.
RACF can use the new password phrase exit, ICHPWX11, to enhance RACF function when validating a new password phrase. This exit runs a REXX exec IRRPHREX. A sample is included by IBM in source form on the RACFVM 305 disk and consists of the exit, ICHPWX11, and a REXX exec named IRRPHREX.
ICHPWX11 must be installed as described in RACF Security Server System Programmer’s Guide, SC24-6312. As included, all the checks are disabled and the exec is functionally equivalent to having no exit, but the following checks can be enabled in the REXX exec:
Minimum length
Maximum length
List of allowable characters
Leading blanks that are allowed or not
Trailing blanks that are allowed or not
Words in user name that is allowed or not
Triviality checks
Minimum unique characters by position from old password phrase
Minimum unique words from old password phrase
Dictionary check (hardcoded list of words)
The exit gains control when a new password phrase is processed. It can examine the value that is specified for the password phrase and enforce installation rules in addition to the RACF rules. For example, although RACF does not allow the user ID to be part of the password phrase, the exit can perform more complex tests such disallow the company name, the names of months, and the current year in the password phrase.
The user of the new password phrase exit augments the RACF rules, but cannot override them. Be sure that the exit and the RACF rules do not contradict each other. For example, if the exit requires that the pass phrases contain all alphabetic characters, users cannot create password phrases because RACF requires at least two non-alphabetic characters. If you attempt to assign a phrase that conflicts the password rules, RACF does not accept the new phrase and displays the following message:
ICH21039I NEW PASS PHRASE REJECTED BY RACF RULES
The interval value that is specified on the PASSWORD command applies to passwords and password phrases. It continues to be processed by the new password exit, ICHPWX01, and is not passed to the ICHPWX11 exit.
For more information about implementing password phrases for RACF, see RACF Security Server System Programmer’s Guide, SC24-6312. The HLASM product is required to assemble the ICHPWX11 file. If HLASM is not available, IBM provides a TEXT file that is assembled that can be used, as described in step 4 of the process.
Complete the following steps on the 7VMRAC10 VM:
1. Run access 590 t.
2. Run vmfsetup 7vmrac10 racf.
3. Run copy ichpwx11 assemble k = = e.
4. If HLASM is not available, complete the following steps:
a. Run copy ichpwx11 text k = txt00000 e.
b. Go to step 11.
5. Remove the following comments by running rpibllpa exec v:
*:OBJNAME. ICHPWX11 LEPARMS RENT REUS LET NCAL XREF SIZE 100K,80K
*:OPTIONS. IGNORE
*:PARTID. ICHPWX11 TXT
*:EOBJNAME.
6. Run vmfhlasm ichpwx11 7vmrac10 racf ($select outmode e.
7. Run rename ichpwx11 txt00000 e = txtl0001 e.
8. Run rename ichpwx11 assemble e = asml0001 e.
9. Run vmfsim logmod 7VMRAC10 vvtlcl e tdata :mod lcl0001 :part ichpwx11 txt.
10. Run mfsim logmod 7VMRAC10 vvtlcl e tdata :mod lcl0001 :part ichpwx11 asm.
11. Run vmfbld ppf 7vmrac10 racf (serviced.
Put the code into production (the copy files are created by VMFBLD to the RACFVM 305 disk).
 
Note: The process that is described in RACF Security Server System Programmer’s Guide, SC24-6312, does not work as documented. When you link to the RACFVM 305 disk, you cannot get it in write mode because RACFVM has the disk in write mode. If you force off the RACFVM, you have no external security manager (ESM) and you cannot autolog RACMAINT after you forced RACFVM. This section describes how you can put the code into production.
For this process, you must give 7VMRAC10 the privilege class A or C so that it can run the set secuser command. You can use your normal processes to change the privilege class and then place the directory online. You must log off and then log on to the 7VMRAC10 VM to pick up the directory change. Then, run the vmfsetup 7vmrac10 racf command to reestablish your disk search order.
Perform the task that is shown in Example 5-8 to gain write access to the RACFVM 305 disk.
Example 5-8 Write access to the RACFVM 305 disk
set secuser racfvm 7vmrac10
HCPCFX6768I SECUSER of RACFVM initiated.
Ready; T=0.01/0.01 15:07:06
send cp racfvm det 305
Ready; T=0.01/0.01 15:07:14
RACFVM : DASD 0305 DETACHED
link racfvm 305 305 mr
RACFVM : (OPERATOR) ICH408I USER(7VMRAC10) GROUP(SYS1 ) NAME(#######
#######)
RACFVM : (OPERATOR) RACFVM.305 CL(VMMDISK )
RACFVM : (OPERATOR) INSUFFICIENT ACCESS AUTHORITY
RACFVM : (OPERATOR) ACCESS INTENT(CONTROL) ACCESS ALLOWED(NONE)
RPIMGR032E YOU ARE NOT AUTHORIZED TO LINK TO RACFVM.305
HCPLNM298E RACFVM 0305 not linked; request denied
Ready(00298); T=0.01/0.01 15:07:22
send cp racfvm link * 305 305 mr
RACFVM : DASD 0305 LINKED R/W
Ready; T=0.01/0.01 15:07:53
send racfvm acc 305 b/a
RACFVM : DMSACC724I 305 replaces B (305)
Ready; T=0.01/0.01 15:08:03
As shown in Example 5-8, a security violation with the link command. To solve it, use one of your systems RACF administrators and run the racf permit command to allow 6VMRAC30 to have control access to the RACFVM 305 disk:
rac permit racfvm.305 class(vmmdisk) id(7vmrac10) ac(control)
Now, you can complete the task of moving files to the RACFVM 305 disk, as shown in Example 5-9.
Example 5-9 Moving files to the RACFVM 305 disk
send racfvm det 305
RACFVM : DASD 0305 DETACHED
RACFVM : CST
Ready; T=0.01/0.01 15:17:45
link racfvm 305 305 mr
Ready; T=0.01/0.01 15:17:55
acc 305 z
Ready; T=0.01/0.01 15:18:01
vmfcopy * * k = = z (prodid 7vmrac10%racf oldd replace
Ready; T=0.25/0.33 15:19:35
det 305
DASD 0305 DETACHED
Ready; T=0.01/0.01 15:19:46
send racfvm link * 305 305 mr
RACFVM : CST
Ready; T=0.01/0.01 15:19:57
send racfvm access 305 b/a
RACFVM : DMSACC724I 305 replaces B (305)
Ready; T=0.01/0.01 15:20:07
RACFVM : DMSACP723I B (305) R/O
RACFVM : CST
Then, run the RACFVM ipl 490 command that restarts RACF, as shown in Example 5-10. You cannot perform an IPL of CMS or 190 in RACFVM, or RACF does not start correctly.
Example 5-10 RACF performs an IPL of 490
send cp racfvm ipl 490 clear parm autocr
Ready;
RACFVM : RACFVM CMS XA Rel. 27 2011-10-18
RACFVM : DMSACP723I B (305) R/O
RACFVM : DMSACP723I T (190) R/O
RACFVM : RACF is defined to the Z/VM system and the current product status is E
NABLED
RACFVM :
RACFVM : RACF
RACFVM : Feature for z/VM
RACFVM : Version 7.1.0
RACFVM :
RACFVM : Licensed Materials - Property of IBM
RACFVM : 5741-A07
RACFVM : (C) Copyright IBM CORP. 1981, 2012 All Rights Reserved.
RACFVM :
RACFVM : DMSACC723I R (0200) R/W - OS
RACFVM : DMSACC723I Q (0300) R/W - OS
RACFVM : CSTSET001I CMS SUB-TASKING SUPERVISOR INITIALIZED.
RACFVM : CSTINT003I INITIATOR ACTIVATED.
RACFVM : ICH508I ACTIVE RACF EXITS: ICHRCX02
RACFVM : ICH520I RACF 7.1.0 IS ACTIVE.
RACFVM : RPISTR001I Program CSTDYNST Initiated.
15:37:15 * WNG FROM RACFVM : RACF/VM SERVICES ARE NOW AVAILABLE.
RACFVM : * WNG FROM RACFVM : RACF/VM SERVICES ARE NOW AVAILABLE.
RACFVM : RPISTR002I Program CSTDYNST Ended. Completion code = 000000.
RACFVM : RPISTR003I Subtask RPIMSG Initiated.
RACFVM : RPISTR003I Subtask RPIINIT Initiated.
RACFVM : RPICLS104W - DEFAULT SETTINGS WERE MADE FOR ALL AUDITABLE AND
RACFVM : CONTROLLABLE VM EVENTS.
RACFVM : RPICLS123I RACF Extended password support registered with CP
RACFVM : RPIMGR003I 15:37:15: CONNECTION COMPLETE TO CP ON PATHID 0000
RACFVM : RACF AUTHORIZATION COMMUNICATION INTERFACE READY
set secuser racfvm reset
RACFVM : HCPCFX6768I Your SECUSER set to RACFVM by EDI.
HCPCFX6769I SECUSER of RACFVM terminated.
Ready; T=0.01/0.01 15:38:03
 
Note: This process was the only way that you can allow the RACFVM 305 disk to be updated without a system outage. If you can accept the outage, you shut down the system and perform an IPL with the NOAUTOLOG parameter. Then, start RACMAINT as described.
At this point, the sample exit does not perform any other functions compared to having no exit. You now adjust the exit to reflect your installation requirements.
Password phrase syntax rules
Password phrase syntax must adhere to the following rules:
Maximum length: 100 characters
Minimum length:
 – Nine characters when ICHPWX11 is present and allows the new value.
 – A total of 14 characters when ICHPWX11 is not present.
Must not contain the user ID (as sequential uppercase or sequential lowercase characters).
Must contain at least two alphabetic characters (A - Z, a - z).
Must contain at least two non-alphabetic characters (numerics, punctuation, or special characters).
Must not contain more than two consecutive characters that are identical.
Must be enclosed in single quotation marks, with single quotation marks within the password phrase doubled. The quotation marks must be removed from the password phrases when RACF prompts at logon.
Must not contain forward slashes, nulls (X’00’), or leading or trailing blanks.
Only a RACF administrator can assign the initial phrase. When assigned, the user can modify the phrase, and is prompted to change it by default the first time it is used to log on.
To disable the password function and enable a phrase, run the following command:
rac alu edi nopassword phrase('it is friday')
When the VM EDI logs on to the system, it is prompted to change the password. When changing the password from the logon prompt, do not use the quotation marks (for example, ‘red white blue’ should be red white blue).
If the VM wants to change the phrase while logged on to the system, run the following command:
rac phrase phrase(‘red white blue’ ‘howdy to everyone in vm land’)
Although it looks like a mistake, the command is correct. It is phrase and it includes an operand of phrase.
It is possible to adjust the z/VM logo to accept more than eight characters in the password field, so the use of the command line is not needed for password phrases. IBM provides a utility program that is called DRAWLOGO and a sample XEDIT macro called X$DRWL$X at CP sample disk, 2C2, on the MAINT710 user. To use the utility, rename DRAWLOGO SAMPEXEC to DRAWLOGO EXEC and X$DRWL$X SAMPXEDI to X$DRWL$X XEDIT.
Open the input file (the default is INPTAREA SAMPLE on PMAINT CF0 disk) with the DRAWLOGO utility:
drawlogo INPTAREA SAMPLE B
Press PF5 and use the Settings menu to select the length of use ID and password input area. Place the cursor in the position you want the password input field to start and use PF4 to access the Input menu. Pressing PF4 again fills the password input area with the characters for password input. Press PF11 to display the results.
RACF user passwords encryption
RACF provides the following algorithms for authenticating passwords and password phrases:
Masking
Data Encryption Standard (DES) algorithm
Key Derivation Function with AES256 (KDFAES) algorithm for passwords
The masking algorithm is the original algorithm that is provided with RACF. The RACF DES algorithm provides a higher level of security than the masking algorithm and is identified in the Federal Information Processing Standard 46-1 of the Computer Systems Laboratory in Gaithersburg, Maryland, of the National Institute of Standards and Technology of the United States Government.
DES is accepted as a national and international standard. The KDFAES algorithm provides the highest level of security, and is resistant to offline attacks. When installing RACF on your system, the DES algorithm is the default algorithm.
RACF also supports an installation-defined method that is implemented that uses the ICHDEX01 exit. For more information about ICHDEX01, see “RACF Installation Exits”, in RACF Security Server System Programmer’s Guide, SC24-6312.
To display the current enabled algorithms, use the RACF SETROPTS LIST command. Example 5-11 show an excerpt from the command output.
Example 5-11 Password excerpt from RACF SETROPTS LIST command
PASSWORD PROCESSING OPTIONS:
THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS LEGACY
PASSWORD CHANGE INTERVAL IS 30 DAYS.
PASSWORD MINIMUM CHANGE INTERVAL IS 0 DAYS.
MIXED CASE PASSWORD SUPPORT IS NOT IN EFFECT
SPECIAL CHARACTERS ARE NOT ALLOWED.
NO PASSWORD HISTORY BEING MAINTAINED.
USERIDS NOT BEING AUTOMATICALLY REVOKED.
NO PASSWORD EXPIRATION WARNING MESSAGES WILL BE ISSUED.
NO INSTALLATION PASSWORD SYNTAX RULES ARE PRESENT.
In general, encryption programs are a two-way process: encryption and decryption.
Encryption processes use the data and an encryption key to create the encrypted form of the data.
Decryption is the reverse operation, and uses the encryption key and the encrypted form of the data to re-create the original data.
When configured to do so, RACF uses the encryption algorithms to encrypt the password and store it on the database. Because RACF does not store the password that is used as the encryption key, until now, the original data cannot be reconstructed. That is, meaning that the password that is encrypted and stored in the RACF database cannot be decrypted. With this one-way process, RACF provides a high level of security.
This fact does not mean that any user on the system can have READ access to the RACF database. Use the Least Privilege Principle and give READ access only to the users that really need it for their jobs.
By default, RACF uses the password or password phrase as an encryption key to encrypt the user ID and store it in the RACF database by using the DES algorithms to authenticate a user on the system. When a user must log in, RACF again encrypts the user ID by using the password or password phrase that is provided during the login and compares it with the encrypted data in the RACF database. If the data matches, the password or passphrase is valid.
RACF KDFAES algorithm
The KDFAES algorithm is one of the available encryption algorithms in RACF that is used to encrypt password and password phrases. It requires enablement of CPACF, which is a no-charge feature on your hardware (FC 3863). This algorithm is preferred among others that are available because it is more secure to offline attacks because it incorporates the following properties:
Each instance of a RACF password uses randomly generated text in the encryption process, which prevents the use of pre-computed password hashes. An offline attack must perform the full encryption process for every password guess, as opposed to comparing the password hash against a list of pre-computed values. This configuration slows down the attack, which makes it take much longer to guess passwords.
Thousands of hash operations are performed against the password and random text to generate a key. That key is then used to encrypt the user ID. An offline attack also is slowed, which must perform the same number of operations for each password guess. However, the authorized user logging on to the system that uses their clear text password does not notice the increased processing effect.
To enable the KDFAES algorithm for password and password phrases, run the SETROPTS command, as shown in Example 5-12.
Example 5-12 Enabling the KDFAES encryption algorithm
rac setropts password(algorithm(kdfaes))
Ready;
 
rac setropts list
...
PASSWORD PROCESSING OPTIONS:
THE ACTIVE PASSWORD ENCRYPTION ALGORITHM IS KDFAES
PASSWORD CHANGE INTERVAL IS 30 DAYS.
PASSWORD MINIMUM CHANGE INTERVAL IS 0 DAYS.
MIXED CASE PASSWORD SUPPORT IS NOT IN EFFECT
SPECIAL CHARACTERS ARE NOT ALLOWED.
NO PASSWORD HISTORY BEING MAINTAINED.
USERIDS NOT BEING AUTOMATICALLY REVOKED.
NO PASSWORD EXPIRATION WARNING MESSAGES WILL BE ISSUED.
NO INSTALLATION PASSWORD SYNTAX RULES ARE PRESENT.
...
Ready;
Make sure that you review “Planning Considerations for Enabling KDFAES” in RACF Security Server System Programmer’s Guide, SC24-6312 before you enable KDFAES.
After enabling the KDFAES algorithms, passwords that are encrypted with the DES algorithm continue to be evaluated properly by RACF. User passwords do not need to be changed.
When the users change their passwords, the process is encrypted by using the KDFAES algorithm. The PWCONVERT operand of the ALTUSER command can be used to transform a password that is encrypted with the DES algorithm (but not a password phrase) into a password that is encrypted with KDFAES without requiring the password to be changed.
If you have backups of the RACF database containing passwords that were encrypted by using DES or masking, they are more susceptible to offline attacks. If the hash represents the same clear text password as the user’s current password, and an attacker can guess the value, it can be used to log on to the user’s account, even if the current password is encrypted by using KDFAES.
The EXPIRED operand of the ALTUSER command can be used to mark a password as expired, which requires it to be changed at the next logon. This operand can help accelerate the password change process.
If previous passwords were encoded by using the masking algorithm, they must be changed. They are not be properly evaluated when KDFAES is enabled, and cannot be converted to KDFAES by using the PWCONVERT function.
5.1.3 Implementing RACF LOGONBY
RACF supports the LOGONBY function with the SURROGAT class facility, but is not limited to the maximum of eight surrogate VMs. The RACF LOGON BY acts the same way as the CP LOGONBY function, which allows authorized VMs to log on to a shared VM by using their own password.
To implement the RACF LOGON BY facility, complete the following steps:
1. Run the setropts command to activate the CLASSACT(SURROGAT) class:
rac setropts class(surrogat)
2. Verify that the SURROGAT class is active:
rac setr list
Example 5-13 shows the output of the command.
Example 5-13 Enabling the SURROGAT class
rac setropts class(surrogat)
Ready;
rac setr list
ATTRIBUTES = INITSTATS NOWHEN(PROGRAM)
STATISTICS = NONE
ACTIVE CLASSES = DATASET USER GROUP VMMDISK VMRDR VMBATCH VMLAN VMSEGMT
FACILITY SURROGAT VXMBR VMXEVENT XFACILIT GXFACILI
3. Define the profiles of the form LOGONBY.shared_userid in the SURROGAT class for each user ID that is shared.
4. Permit specific users for the appropriate SURROGAT profiles.
5. List the information by running the RLIST command.
LOGON BY processing
As a preferred practice, create a sample file from which to copy to implement the LOGON BY function, as shown in Example 5-14, where you change shrduser and surrogat-id1.
Example 5-14 RPIDIRCT SURROGAT
RPIDIRCT SURROGAT A1 F 80 Trunc=80 Size=5 Line=0 Col=1 Alt=0
====>
0 * * * Top of File * * *
1 RDEFINE SURROGAT LOGONBY.shrdusr UACC(NONE) AUDIT(ALL)
2 PERMIT LOGONBY.shrdusr CL(SURROGAT) RESET(ALL)
3 PERMIT LOGONBY.shrdusr CL(SURROGAT) ACC(READ) ID(surrogat-id1)
4 PERMIT LOGONBY.shrdusr CL(SURROGAT) ACC(READ) ID(surrogat-id2)
5 RL SURROGAT LOGONBY.shrdusr AUTH
6 * * * End of File * * *
When you must add surrogate users to the RACF database, copy this file to RPIDIRECT SYSUT1 on your A disk and then modify that file, as shown in Example 5-15.
Example 5-15 RPIDIRCT SYSUT1 before the changes
RPIDIRCT SYSUT1 A1 F 80 Trunc=80 Size=5 Line=0 Col=1 Alt=0
===> ch /shrdusr/MAINT/* *
0 * * * Top of File * * *
1 RDEFINE SURROGAT LOGONBY.shrdusr UACC(NONE) AUDIT(ALL)
2 2 PERMIT LOGONBY.shrdusr CL(SURROGAT) ACC(ALTER) ID(shrdusr) RESET(ALL)
3 PERMIT LOGONBY.shrdusr CL(SURROGAT) ACC(READ) ID(surg-id1)
4 PERMIT LOGONBY.shrdusr CL(SURROGAT) ACC(READ) ID(surg-id2)
5 RL SURROGAT LOGONBY.shrdusr AUTH
6 * * * End of File * * *
If you want to add SURROGAT support for the MAINT VM, tailor the file to look like Example 5-16.
Example 5-16 RPIDIRCT SYSUT1 after the changes
RPIDIRCT SYSUT1 A1 F 80 Trunc=80 Size=8 Line=0 Col=1 Alt=0
===>
0 * * * Top of File * * *
1 ALTUSER MAINT NOPASSWORD NOPHRASE
2 RDEFINE SURROGAT LOGONBY.MAINT UACC(NONE) AUDIT(ALL)
3 PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(ALTER) ID(MAINT) RESET(ALL)
4 PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(PWNOVAK)
5 PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(PACOSTA)
6 PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(BADER)
7 PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(EDI)
8 PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(VIC)
9 PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(KLAUSM)
10 PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(WILLIANR)
11 RL SURROGAT LOGONBY.MAINT AUTH
12 * * * End of File * * *
ALTUSER MAINT NOPASSWORD NOPHRASE is a good way to protect the MAINT user ID from being revoked because of too many attempts with the wrong password. Before z/VM 5.3, MAINT was revoked by logging on directly with too many incorrect passwords. Since the 5.3 release, the ID is protected from this type of attack if you set MAINT NOPASSWORD.
In our example, we show the PERMIT for each user, although defining the permission by group (for example, ITSOGRP) is a preferred practice. Run RPIBLDDS EXEC again to run these definitions, as shown in Example 5-17.
Example 5-17 Output of RPIBLDDS
rpibldds rpidirct sysut1
Processing batch file RPIDIRCT SYSUT1 using "RAC" command interface
=> RDEFINE SURROGAT LOGONBY.MAINT UACC(NONE) AUDIT(ALL)
=> PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(ALTER) ID(MAINT) RESET(ALL)
=> PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(PWNOVAK)
=> PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(PACOSTA)
=> PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(BADER)
=> PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(EDI)
=> PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(VIC)
=> PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(KLAUSM)
=> PERMIT LOGONBY.MAINT CL(SURROGAT) ACC(READ) ID(WILLIANR)
=> RL SURROGAT LOGONBY.MAINT AUTH
CLASS NAME
----- ----
SURROGAT LOGONBY.MAINT
LEVEL OWNER UNIVERSAL ACCESS YOUR ACCESS WARNING
----- -------- ---------------- ----------- -------
00 IBMUSER NONE READ NO
INSTALLATION DATA
-----------------
NONE
APPLICATION DATA
USER ACCESS ACCESS COUNT
---- ------ ------ -----
IBMUSER ALTER 000000
PWNOVAK READ 000000
PACOSTA READ 000000
BADER READ 000000
EDI READ 000000
VIC READ 000000
KLAUSM READ 000000
WILLIANR READ 000000
To use the LOGON BY function, log on with the BY keyword, as shown in Example 5-18.
Example 5-18 Log on by using the BY option
z/VM ONLINE Welcome to the IBM z/VM Enterprise Virtualization Platform
ESM: RACF/VM / VV VVV MM MM
/ VV VVV MMM MMM
ZZZZZZ / VV VVV MMMM MMMM
ZZ / VV VVV MM MM MM MM
ZZ / VV VVV MM MMM MM
ZZ / VVVVV MM M MM
ZZ / VVV MM MM
ZZZZZZ / V MM MM
built on IBM Virtualization Technology www.ibm.com/vm
_____ _______ ____ ____
|_ _|__ __|' ___| / __ International Technical
| | | | : (___ | | | | Support Organization
| | | | \___ | | | |
_| |_ | | ____) : |__| | www.ibm.com/redbooks
|_____| |_| |_____/ \____/
Fill in your USERID and PASSWORD and press ENTER
(Your password will not appear when you type it)
USERID ===>
PASSWORD ===>
COMMAND ===> l maint by edi
RUNNING ITSOZVM4
When you are prompted for the password, the password for the VM EDI is supplied (see Example 5-19), although the VM MAINT is logged on.
Example 5-19 Logon complete
l maint by edi
Enter your password,
or
To change your password, enter: ccc/nnn/nnn
where ccc = current password, and nnn = new password
ICH70001I MAINT LAST ACCESS AT 11:20:40 ON TUESDAY, JUNE 11, 2019
HCPLNM102E DASD 0123 forced R/O; R/W by DIRMSAT4
z/VM Version 7 Release 1.0, Service Level 1801 (64-bit),
built on IBM Virtualization Technology
There is no logmsg data
FILES: 0023 RDR, NO PRT, 0002 PUN
LOGON AT 16:27:39 EDT TUESDAY 06/11/19
z/VM V7.1.0 2019-05-18 16:18
For more information, see RACF Security Server System Programmers’s Guide, SC24-6312, and RACF Security Server Administrator’s Guide, SC24-6311.
5.2 Communication encryption
Correctly implementing and managing security controls for the z/VM hypervisor is a mandatory cornerstone, no matter how large or small your enterprise is. Your security posture is only as strong as the weakest point, which means that the correct encryption of traffic must be implemented at all layers.
Connectivity to the hypervisor layer and well-secured guests on an unsecured hypervisor are critical exposures. Furthermore, in nearly all circumstances, encrypting traffic as a default practice is common sense. Encryption requirements might also be mandated by company policy, clients, partners, vendors, industry regulations, or governing bodies.
The use of encrypted communication can increase the security of the IT infrastructure and should always be listed in the company security policy. By default, Telnet 3270 session data flows decrypted over the network, in clear text, meaning that anyone who dumps the network traffic can see what is happening between the Telnet client and the z/VM 3270 connection.
Transport Layer Security (TLS), and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols to provide end-to-end encrypted communication. Digital certificates and trust hierarchies can be implemented to use encrypted communication. Dynamic SSL/TLS connections are supported by the following z/VM TCP/IP application servers and clients, which are updated to accommodate this support:
TCP/IP server
SSL server
FTP server
FTP client
Telnet server (internal to the TCP/IP server)
Telnet client
Simple Mail Transfer Protocol (SMTP) server
When discussing SSL/TLS for z/VM, SSL* is a pool of CMS VMs that provide encrypted communication to clients that are connecting to z/VM. Its code is preinstalled as part of a standard z/VM installation and can be customized and enabled to provide SSL/TLS connections.
Most of the TCP/IP stack service machines can have security that is controlled by RACF. This configuration allows RACF to process user ID authentication and authorization to the system and to resources, which increases the level of security on the system.
For more information about how to customize and enable encrypted communications to and from z/VM, see Chapter 4, “Installing and configuring z/VM”, in The Virtualization Cookbook for IBM z Systems Volume 1: IBM z/VM 6.3, SG24-8147.
5.3 Single System Image Security
This section covers the security implications of using z/VM 7.1 with Single System Image (SSI) and live guest relocation (LGR).
This z/VM feature was introduced with z/VM 6.2 and it provides more flexibility for your environment by allowing Linux guests to be moved from one logical partition (LPAR) to another. It also provides a set of shared resources for member systems and their Linux guests.
Rather than managing security of a single implementation on a single device, administrators can manage the security of two or more operating systems. This control of access is a useful mechanism for helping to protect your data. In your SSI cluster, use storage area network (SAN) zoning and logical unit number (LUN) masking to ensure that data is available only for servers that should access it.
This section also explains the concept of relocating domains to control the relocation of Linux on IBM LinuxONE guests to provide flexibility and availability to meet user demands for security and manageability.
5.3.1 Overview
VMs allow quick turnaround and flexibility for multiple projects andenvironments. To benefit from VMs, z/VM uses virtualization and gives administrators the power to manage their resources on the IBM LinuxONE platform.
With the IBM z/VM SSI, which was introduced with z/VM v6.2, a running Linux on IBM LinuxONE VM can be relocated from one member system to any other, a process known as LGR. Support for LGR allows you to move Linux virtual servers without disruption to the business, which helps you to avoid planned outages. The z/VM systems are aware of each other and can benefit from their combined resources.
LGR enables clients to avoid loss of service because of planned outages by relocating guests from a system requiring maintenance to a system that remains active during the maintenance period. This capability can be used to move workloads from one z/VM LPAR to another when needed. It also helps to reduce planned outages during hardware changes or a z/VM initial program load (IPL). However, the environment becomes more complex and requires special attention with the shared resources. With this feature in place, it is important to know how to manage efficiently the configuration in a secure manner.
LGR brings more flexibility to your environment, not just Linux availability. Now, you can use this new feature to build a reliable and secure infrastructure for Linux guests running under z/VM by workload balancing. Also, hardware and z/VM changes can be run without affecting service availability.
 
Note: SSI is included in the base of z/VM V7.1 at no extra cost. Previously, it was a priced feature of z/VM V6, and is withdrawn. Integrating and making SSI available at no charge is intended to help more clients reduce or shorten planned outages of their Linux workloads as they adopt the z/VM Continuous Delivery model for their z/VM systems.
 
5.3.2 Equivalency identifiers
With an SSI cluster, you use EQIDs. EQIDs are used to ensure that all members of the cluster use both the same physical devices and the devices that are attached over IBM Fibre Channel Connection (IBM FICON). During z/VM IPL, the EQID number is automatically generated and assigned to various devices, such as DASDs. However, for Fibre Channel Protocol (FCP) devices, you must explicitly set the EQID on the system config file on the PMAINT CF0 disk so that all cluster members can see the device as one device.
Before a Linux guest is relocated to a different z/VM LPAR, the guest configuration is checked on the destination LPAR (Device condition) to ensure that the devices have the same EQIDs. Ensure that all necessary FCP configuration is planned to avoid problems when relocating your Linux guests. To update the NPIV devices, review and if necessary update your EQIDs as well.
For the list of conditions, see z/VM: CP Planning and Administration, SC24-6271.
5.3.3 Relocation domains
A relocation domain defines a set of members of an SSI cluster among which VMs can relocate freely. A domain can be used to define the subset of members of an SSI cluster to which a particular guest can be relocated. Relocation domains can be defined for business or technical reasons.
For example, a domain can be defined that has all of the architectural facilities necessary for a particular application, or a domain can be defined to allow access only to systems with a particular software tool. Whatever the reason for the definition of a domain, CP allows relocation among the members of the domain without any change to architectural characteristics or CP functions as seen by the guest.
The relocation domain for a VM can be defined with the VMRELOCATE directory statement. When the user ID logs on, CP assigns a virtual architecture level to the VM that is the maximal common subset of the architectural features (hardware architecture facilities and CP-supplied features) of all the members of the SSI cluster that belong to that relocation domain. The guest cannot use architectural features that are not included in this virtual architecture level. This ensures that the guest can be freely relocated to other members of the domain because they provide the same architectural features. A feature must be supported in every relevant component (processor, channel, and device hardware, and the z/VM software level) on every domain member to be usable to the guest.
The following types of relocation domains are defined implicitly:
A domain that includes all of the members of the SSI cluster. The name of this domain is SSI.
A domain that includes one member of the SSI cluster. A single-member domain is defined for each member. The name of the domain is the member’s system name.
When a user ID that is defined by a single-configuration VM definition logs on, the default associated relocation domain is the entire SSI cluster (domain SSI), unless a different relocation domain is set by a VMRELOCATE statement in the user’s VM definition.
If relocation of the VM is disabled on the VMRELOCATE statement and no relocation domain is specified, the default relocation domain is the single-member domain of the system where the user logs on, and the user is assigned a virtual architecture level that is the set of all the architectural features of that system.
 
Note: When a Linux guest is allowed to relocate to only a subset of the members in a cluster with the respective relocation domain, it can be overruled by using the force option of the vmrelocate command.
5.3.4 RACF in an SSI cluster
When RACF is installed in a z/VM SSI environment, it is mandatory that the RACF database is shared. To ensure database integrity, the following requirements must be met:
The RACF database DASD is defined as shared in the I/O configuration.
The primary RACF database (device 200) and the backup database (device 300) are defined on full-pack minidisks.
These devices include virtual reserve/release as enabled.
Use the DEVNO operand of the MDISK directory statement to define the DASD as full-pack minidisks.
If you are following the preferred practice of using the same real device numbers across LPARs to reference DASD, the MDISK statements for the RACF database disks can be placed in the identity entry for the RACF server. If the real device numbers are not the same across LPARs, the MDISK statements must be placed in the relevant subconfiguration entries.
5.4 Auditing
A defined information security policy is worthless if you cannot assess whether the policies are effective, meaning that it was adhered to by all employees and they are playing the roles of which they are expected.
Tracking changes and authorized and unauthorized accesses is a way to make sure that the information security policy is followed. But again, with the increase of servers that are managed on the IT infrastructure, the amount of audit data that is generated makes it impossible for a human to analyze all of it, find a threat, and act on it while the intrusion is still occurring. For that reason, define during the planning stage of the IT infrastructure which actions must be logged for audits.
The complexity in auditing is reduced when defined roles are available in the information security policy. Users under one role should not have access to override the mandatory access controls (MACs) and should not manipulate the controls that are under the jurisdiction of another job role. With the separation of duties, the functions of the systems and integrity of audit logs are not compromised.
In z/VM, audit trails are generated by several CP command journaling options. They can be used to identify unsuccessful attempts of a CP command use. When journaling is turned on, more information is recorded with unsuccessful and successful attempts of specific CP commands.
For a comprehensive audit trail, the use of an ESM is recommended. In this book, we cover the auditing with the use of RACF/VM. It can audit every command and security-relevant event happening within the hypervisor, in accordance with a predefined security policy.
5.4.1 Auditing with journaling
z/VM offers a mechanism to track unauthorized LOGON attempts and unauthorized LINK commands. By enabling journaling, it is possible to configure how the system records LOGON and LINK attempts. Although it is fine for exploring LOGON attempts and unauthorized LINK commands, it really is not sufficient for the modern enterprise.
Enabling journaling
To use z/VM journaling, you must enable it in SYSTEM CONFIG and the system must have an IPL performed with the new configuration.
Example 5-20 shows an excerpt from a SYSTEM CONFIG file that is used to enable journaling (line numbers are not part of the SYSTEM CONFIG and are used to explain the statements on the lines).
Example 5-20 Configure journaling in SYSTEM CONFIG
1. Journaling,
2. Facility on,
3. Set_and_Query on,
4. Logon,
5. Message after 3 attempts to willianr,
6. Account after 5 attempts,
7. VM_Logo after 7 attempts,
8. Lockout after 9 attempts for 10,
9. Link,
10. Message after 3 attempts to willianr,
11. Account after 4 attempts,
12. Disable after 5 attempts
Example 5-20 features the following lines:
Line number 1 starts the journaling configuration statement in the SYSTEM CONFIG file.
Line number 2 enables or disables journaling when the system undergoes an IPL.
Line number 3 enables or disables the ability to set and query journaling. When disabled, the only configuration that takes effect is the configuration in the SYSTEM CONFIG file. It is not possible to use query journaling or set journaling commands, as shown in Example 5-21.
Example 5-21 Query and set journaling when Set_and_Query is off
q journal
HCPJRL003E Invalid option - JOURNAL
Ready(00003);
 
set journal link off
HCPJRL003E Invalid option - JOURNAL
Ready(00003);
 
set journal logon off
HCPJRL003E Invalid option - JOURNAL
Ready(00003);
The journaling statement of z/VM allows the CP to control two kinds of actions: LOGON and LINK. The LOGON parameter starts on line 4 of Example 5-20 on page 131 and the LINK parameter starts on line 9 of the same example. Although the parameter is called LOGON, it also tracks successive tentatives of AUTOLOG and XAUTOLOG with an incorrect password in addition to the LOGON command.
For both parameters, it is possible to configure two options: MESSAGE and ACCOUNT. The MESSAGE parameter sets up the number of possible tries before a user receives an information message. Although any user can be set to receive the information message, setting a user that has the console logged is preferred as it is possible to look for the information later after the event happened.
In Example 5-22, user EDI tries to log on repeatedly with an incorrect password. The MESSAGE parameter was set to user BOB.
Example 5-22 Repeated logon attempts with incorrect password
#Logon tried repeatedly, but just one output is shown:
 
l edi
ENTER PASSWORD (IT WILL NOT APPEAR WHEN TYPED):
HCPLGA050E LOGON unsuccessful--incorrect password
Enter one of the following commands:
LOGON userid (Example: LOGON VMUSER1)
DIAL userid (Example: DIAL VMUSER2)
MSG userid message (Example: MSG VMUSER2 GOOD MORNING)
LOGOFF
 
#After third try, user bob receives the information message:
 
HCPJRL145I User EDI at 9.12.5.143 issued a LOGON command with an invalid password
003 times. The limit is 003.
The same happens with successive LINK command attempts with an incorrect password to access a protected minidisk. Example 5-23 shows user EDI trying to link to the 191 protected minidisk of user BOB with an incorrect password.
Example 5-23 User EDI try to link a protected minidisk
link bob 191 191 rr
ENTER READ PASSWORD:
HCPLNM114E BOB 0191 not linked; mode or password incorrect
Ready(00114); T=0.01/0.01 16:30:21
link bob 191 191 rr
ENTER READ PASSWORD:
HCPLNM114E BOB 0191 not linked; mode or password incorrect
Ready(00114); T=0.01/0.01 16:30:30
link bob 191 191 rr
ENTER READ PASSWORD:
HCPLNM114E BOB 0191 not linked; mode or password incorrect
Ready(00114); T=0.01/0.01 16:30:35
 
#After third try, user bob receives the information message:
 
HCPJRL145I User EDI at 9.12.5.143 issued a LINK command with an invalid password
003 times. The limit is 003.
 
#All successive try will generate an information message:
 
HCPJRL145I User EDI at 9.12.5.143 issued a LINK command with an invalid password
004 times. The limit is 003.
HCPJRL145I User EDI at 9.12.5.143 issued a LINK command with an invalid password
005 times. The limit is 003.
The ACCOUNT parameter sets up the number of possible tries before CP detects that a user entered enough LINK commands to a protected minidisk that is not owned by the user with an invalid password that reaches or exceeds an installation-defined threshold value recording a type 06 accounting record and a type 04 accounting record. Then, CP detects that a user entered enough LOGON, AUTOLOG, or XAUTOLOG invocations with an invalid password that reaches or exceeds an installation-defined threshold value. A type 05 accounting record is generated when CP detects that a user successfully entered a LINK command to a protected minidisk that is not owned by the user.
In Example 5-24, user EDI continues repeatedly to try to log on with an incorrect password. The accounting record is created after the fifth try.
Example 5-24 Repeatedly try to log on and generate type 04 accounting records
#Logon tried repeatedly, but just one output is shown:
 
l edi
ENTER PASSWORD (IT WILL NOT APPEAR WHEN TYPED):
HCPLGA050E LOGON unsuccessful--incorrect password
Enter one of the following commands:
LOGON userid (Example: LOGON VMUSER1)
DIAL userid (Example: DIAL VMUSER2)
MSG userid message (Example: MSG VMUSER2 GOOD MORNING)
LOGOFF
 
#All the successive logon attempts generate an information message:
 
HCPJRL145I User EDI at 9.12.5.143 issued a LOGON command with an invalid password
004 times. The limit is 003.
HCPJRL145I User EDI at 9.12.5.143 issued a LOGON command with an invalid password
005 times. The limit is 003.
HCPJRL145I User EDI at 9.12.5.143 issued a LOGON command with an invalid password
006 times. The limit is 003.
 
#After the fifth try, an accounting record is created:
 
EDI 060916170056L00412 0505 TCPIP 090C058F04
EDI 060916170118L004TESTE 0605 TCPIP 090C058F04
In Example 5-25, user EDI continues repeatedly to try to link to the 191 protected minidisk of user BOB with an incorrect password.
Example 5-25 Repeatedly try to link to a protected minidisk and generate type 06 accounting records
link bob 191 191 rr
ENTER READ PASSWORD:
HCPLNM114E BOB 0191 not linked; mode or password incorrect
Ready(00114); T=0.01/0.01 16:30:35
 
#After the fourth try, an accounting record is created:
 
EDIO060916163447L006PASSBOB 0404 0191 TCPIP 090C058F06
For more information about the accounting record format, see Chapter 7, “Setting Up Service Virtual Machines”, in Accounting Record Formats z/VM V7.1 CP Planning and Administration, SC24-6271.
The LOGON statement includes two more parameters: VM_Logo and Lockout. When VM_Logo is set, after the number of attempts that are specified by using the wrong password to log on, the user is redirected back to the z/VM Logo panel. When the number of attempts by using the wrong password reaches the LOCKOUT number, this user ID cannot be logged on for the number of minutes specified on the LOCKOUT parameter.
In our example, after nine uses of the wrong password, the user ID cannot be logged on for 10 minutes. The accounting record is still recorded, the information message is sent to the listed user, and the user trying to log on receives a message stating the maximum number of attempts were exceeded, as shown in Example 5-26.
Example 5-26 User who is locked out after excessive logon attempts
l edi
HCPJRL780E Maximum password attempts exceeded, try again later.
 
Accounting records:
 
EDI 060916170126L004123 0705 TCPIP 090C058F04
EDI 060916170142L005 0805 TCPIP 090C058F04
EDI 060916170148L005123 0905 TCPIP 090C058F04
Analogous to the LOCKOUT parameter for LOGON, it is possible to set the parameter DISABLE for LINK to disable the link command for the user that reached the maximum number of incorrect passwords while trying to link a protected minidisk. Accounting information is still recorded and information message sent to the user ID listed on the Message parameter. The user that is disabled from running a LINK command receive a message like the one shown in Example 5-27.
Example 5-27 User who is disabled from running LINK command after excessive link attempts
link bob 191 191 rr
HCPLNM115E LINK invalid; excessive incorrect passwords
Ready(00115); T=0.01/0.01 16:35:04
 
Accounting records:
 
EDI060916163453L006PASSBOB 0504 0191 TCPIP 090C058F06
When a user reaches the maximum number of attempts with a wrong password when trying to link a protected minidisk, this user cannot use the LINK command during the current session.
When the Set_and_Query parameter is set to onin SYSTEM CONFIG file, it is possible to control the Journaling by using the set CP command. Example 5-28 shows some examples of query and set journal.
 
Note: The SET JOURNAL command can be used only if the FACILITY ON operand and SET_AND_QUERY ON operand are specified on the JOURNALING statement in the system configuration file.
Example 5-28 Query and set journal
q journal
Journal: LOGON- on , LINK- on
Ready;
set journal logon off
Ready;
q journal
Journal: LOGON- off, LINK- on
Ready;
set journal link off
Ready;
q journal
Journal: LOGON- off, LINK- off
Ready;
set journal logon on
Ready;
q journal
Journal: LOGON- on , LINK- off
Ready;
set journal link on
Ready;
q journal
Journal: LOGON- on , LINK- on
Ready;
For more information about CP Journaling, see CP Planning and Administration, SC24-6271.
5.4.2 Auditing with RACF
Certain user roles or tasks are common to all users. At any installation, different users have different levels of responsibility for security or different needs to access resources. Some people might have extensive responsibility for security, and others might have little or none. Some users might require almost unlimited access to resources, and others might need only limited access. Some might be barred from entering the system at all.
The primary means of defining a user’s responsibility for security is the RACF user attribute. The separation of powers is necessary because it is the security administrator’s job to establish RACF controls, and it is the auditor’s job to test the adequacy and effectiveness of these controls.
The auditor’s responsibility is to verify that RACF is meeting the installation’s security goals, such as access control and accountability. The job of a RACF auditor is essentially the same, regardless of whether it is the AUDITOR attribute (with responsibility for checking RACF controls on a user or system-wide, level) or the group-AUDITOR attribute (with responsibility for checking RACF controls for a group and its subgroups).
An effective audit of security goals depends on how the events are logged. Logging all the necessary information and events improves the effectiveness of an audit.
Enabling auditing
You can enable (audit) or disable (noaudit) functions dynamically to meet the needs of your installation. When you enable collection of the audit records, SMF records are generated. This optional step is part of the configuration of your RACF environment, as described in “Customizing the processing of SMF records” on page 72. If you elected not to perform that step previously, you must implement it now before continuing.
RACF always logs information about certain events that are essential to an effective data-security mechanism. RACF always logs the following events:
Every use of the RVARY or SETROPTS command.
Whenever a RACROUTE REQUEST=VERIFY request fails.
Whenever the console operator grants access to a resource as part of the failsoft processing that is performed when RACF is inactive.
RACF never logs some events because knowing about these events is not essential to effective data security. RACF never logs any use of the following RACF commands:
LISTDSD
LISTGRP
LISTUSER
RLIST
LDIRECT
LFILE
SRFILE
SRDIR
SEARCH
In addition to the events that RACF always logs and never logs, RACF can optionally log other events. Optional logging is under the control of a resource-profile owner or the auditor.
The first step in establishing the auditing environment is to activate the RACF class for auditing with the SETROPTS command. With this command, you specify what functions within the AUDIT facility you want to monitor (above what RACF always monitors). The following functions are included:
USERS
VMMDISK
VMLAN
VMRDR
VMCMD
VMNODES
SURROGAT
Use the SETROPTS LIST command as a user with the AUDITOR attribute to determine your current AUDIT environment, as shown in Example 5-29 on page 137.
Example 5-29 AUDIT CLASS functions
rac lu edi
USER=EDI NAME=UNKNOWN OWNER=IBMUSER CREATED=19.167
DEFAULT-GROUP=SYS1 PASSDATE=19.167 PASS-INTERVAL= 30 PHRASEDATE=N/A
ATTRIBUTES=AUDITOR
REVOKE DATE=NONE RESUME DATE=NONE
LAST-ACCESS=16.174/15:00:22
CLASS AUTHORIZATIONS=NONE
NO-INSTALLATION-DATA
NO-MODEL-NAME
LOGON ALLOWED (DAYS) (TIME)
---------------------------------------------
ANYDAY ANYTIME
GROUP=SYS1 AUTH=USE CONNECT-OWNER=IBMUSER CONNECT-DATE=19.167
CONNECTS= 06 UACC=NONE LAST-CONNECT=19.174/15:00:22
CONNECT ATTRIBUTES=NONE
REVOKE DATE=NONE RESUME DATE=NONE
SECURITY-LEVEL=NONE SPECIFIED
CATEGORY-AUTHORIZATION
NONE SPECIFIED
SECURITY-LABEL=NONE SPECIFIED
Ready; T=0.01/0.01 15:14:44
 
rac setropts list
ATTRIBUTES = INITSTATS NOWHEN(PROGRAM) SAUDIT CMDVIOL NOOPERAUDIT
STATISTICS = NONE
AUDIT CLASSES = NONE
ACTIVE CLASSES = DATASET USER GROUP VMMDISK VMRDR VMBATCH VMLAN VMSEGMT
FACILITY SURROGAT VXMBR VMXEVENT XFACILIT GXFACILI
GENERIC PROFILE CLASSES = NONE
GENERIC COMMAND CLASSES = NONE
GENLIST CLASSES = NONE
GLOBAL CHECKING CLASSES = NONE
RACLIST CLASSES = NONE
As shown in Example 5-29, auditing for RACF classes is not enabled. Before enabling any of the functions, you must start the RACFSMF VM and update the PROFILE EXEC for the AUTOLOG2 VM to start RACFSMF when the system is IPLed.
The following main utilities are used to manage the RACF generated SMF records in the z/VM environment:
RACF Report Writer
RACF SMF Data Unload
The Report Writer utility supports audit records for RACF 1.9.2 and earlier. It does not support most of the audit records that were introduced in RACF 1.10 for z/VM or later releases. RACF Report Writer requires the use of tdisk space on your system. You must discuss with your z/VM system programmer whether tdisk space was defined on your system. If it was not defined, it must be added.
These utilities are on the RACFVM 305 disk, and the disk must be linked and accessed before execution.
You start by turning on a few other AUDIT features on the z/VM system before running these programs. Enable AUDIT on classes on which you intend to log security events. An example is shown in Example 5-30.
Example 5-30 Enabling AUDIT
rac setropts audit (user group vmmdisk vmrdr vmlan surrogate)
OUTPUT FROM RACFVM ON SYSTEM ITSOZVM3
ICH14004I UNABLE TO OPEN RACF DATA SET RACF.DATASET.
END OF OUTPUT FROM RACFVM ON SYSTEM ITSOZVM3
OUTPUT FROM RACFVM ON SYSTEM ITSOZVM2
ICH14004I UNABLE TO OPEN RACF DATA SET RACF.DATASET.
END OF OUTPUT FROM RACFVM ON SYSTEM ITSOZVM2
Ready; T=0.01/0.01 15:24:28
 
rac setropts list
ATTRIBUTES = INITSTATS NOWHEN(PROGRAM) SAUDIT CMDVIOL NOOPERAUDIT
STATISTICS = NONE
AUDIT CLASSES = USER GROUP VMMDISK VMRDR VMLAN SURROGAT
ACTIVE CLASSES = DATASET USER GROUP VMMDISK VMRDR VMBATCH VMLAN VMSEGMT
FACILITY SURROGAT VXMBR VMXEVENT XFACILIT GXFACILI
GENERIC PROFILE CLASSES = NONE
GENERIC COMMAND CLASSES = NONE
GENLIST CLASSES = NONE
GLOBAL CHECKING CLASSES = NONE
RACLIST CLASSES = NONE
RACF Data Security Monitor Utility
RACF Data Security Monitor Utility (RACDSMON) is a program that produces reports on the status of the security environment of your installation and the status of resources that RACF controls. You can use the reports to audit the status of your installation’s system security environment by comparing the system characteristics and resource-protection levels with the intended characteristics and levels. You can also control the reporting that RACDSMON does by specifying control statements that request certain functions for user input.
Before running the RACDSMON EXEC, the following requirements must be met:
Have READ access to the RACF service’s 305 and 490 minidisks and the primary and backup RACF databases.
Have the AUDITOR attribute.
Have at least 20 MB of virtual storage available for your user ID.
Perform an IPL of the 490 disk.
Access the 305 disk.
Perform the steps that are shown in Example 5-31 when you perform an IPL of the 490 disk. Depending upon what CMS commands are run from the PROFILE EXEC, you might receive some errors. You can disregard those error messages.
Example 5-31 Preparing to run RACDSMON EXEC
link racfvm 490 490 rr
DASD 0490 LINKED R/O; R/W BY RACFVM at ITSOZVM4
Ready; T=0.01/0.01 15:37:47
 
link racfvm 305 305 rr
DASD 0305 LINKED R/O; R/W BY RACFVM at ITSOZVM4
Ready; T=0.01/0.01 15:38:12
 
ipl 490
RACFVM CMS XA Rel. 27 2011-10-18
Ready; T=0.01/0.01 15:38:50
 
acc 305 l
DMSACP723I L (305) R/O
Ready; T=0.01/0.01 15:39:28
 
acc 190 t
DMSACP723I T (190) R/O
Ready; T=0.01/0.01 11:42:47
During the example tests, the exec ran with some problems:
In the example environment, no temp disk was available that was large enough to hold the same disk size of the RACF database. The environment was created with four SSI members, which means you must allocate a full pack DASD for the RACF database.
To overcome this situation, and knowing that the size that the RACF database uses is less than the full pack disk, create a smaller copy of the RACF database on a temporary disk by using DDR. Example 5-32 shows the output of this process.
Example 5-32 Creating a smaller copy of the RACF database
def t3390 200 100
DASD 0200 DEFINED
Ready; T=0.01/0.01 10:27:41
 
def t3390 300 100
DASD 0300 DEFINED
Ready; T=0.01/0.01 10:27:45
 
link racfvm 200 f200 rr
DASD F200 LINKED R/O; R/W BY RACFVM at ITSOZVM4
Ready; T=0.01/0.01 10:29:06
 
link racfvm 300 f300 rr
DASD F300 LINKED R/O; R/W BY RACFVM at ITSOZVM4
Ready; T=0.01/0.01 10:29:13
 
ddr
z/VM DASD DUMP/RESTORE PROGRAM
ENTER:
in f200 dasd
ENTER:
out 200 dasd
ENTER:
sys cons
ENTER:
copy 0 99
HCPDDR711D VOLID READ IS RACF
DO YOU WISH TO CONTINUE? RESPOND YES, NO OR REREAD:
yes
ENTER NEXT EXTENT OR NULL LINE
ENTER:
HCPDDR716D NO VOL1 LABEL FOUND
DO YOU WISH TO CONTINUE? RESPOND YES, NO OR REREAD:
yes
COPYING RACF
COPYING DATA 06/23/16 AT 14.32.50 GMT FROM RACF
INPUT CYLINDER EXTENTS OUTPUT CYLINDER EXTENTS
START STOP START STOP
0 99 0 99
END OF COPY
ENTER:
END OF JOB
Ready; T=0.01/0.02 10:33:26
 
ddr
z/VM DASD DUMP/RESTORE PROGRAM
ENTER:
in f300 dasd
ENTER:
out 300 dasd
ENTER:
sys cons
ENTER:
copy 0 99
HCPDDR711D VOLID READ IS RACFBK
DO YOU WISH TO CONTINUE? RESPOND YES, NO OR REREAD:
yes
ENTER NEXT EXTENT OR NULL LINE
ENTER:
HCPDDR716D NO VOL1 LABEL FOUND
DO YOU WISH TO CONTINUE? RESPOND YES, NO OR REREAD:
yes
COPYING RACFBK
COPYING DATA 06/23/16 AT 14.34.08 GMT FROM RACFBK
INPUT CYLINDER EXTENTS OUTPUT CYLINDER EXTENTS
START STOP START STOP
0 99 0 99
END OF COPY
ENTER:
END OF JOB
Ready; T=0.01/0.02 10:34:25
 
det f200
DASD F200 DETACHED
Ready; T=0.01/0.01 10:34:44
 
det f300
DASD F300 DETACHED
Ready; T=0.01/0.01 10:34:48
The RACDSMON EXEC must be run while RACFVM 490 disk is running, but this program uses some utilities on CMS 190 disk. When 490 is running, 190 is not accessed. If the 190 minidisk is not accessed, you might receive the error messages that are shown in Example 5-33.
Example 5-33 Error messages when 190 disk is not accessed while running RACDSMON
Program ICHDSM00 is being executed - Please wait
223 +++ extents = C2D(Storage(load_address,1)) /* save RACF db xtnt
*/
DMSREX475E Error 40 running RACONFIG EXEC, line 223: Incorrect call to routine
An Error occurred during ICHDSM00 processing
Return code from ICHDSM00 = 20040
Ready(20040); T=0.01/0.01 10:38:17
To overcome this situation, after you perform an IPL of 490, access 190. The full output is shown in Example 5-31 on page 138.
When RACDSMON EXEC runs, the generated output is placed in your virtual printer. You should run the cp spool print * command so that you can receive the files when this process completes. (You might want to add this command to your PROFILE EXEC.)
The RACFVM 200 and 300 disks in this case are the copy of the original locations of the RACF database. The RACDSMON generated reports are pulled from those disks. When the exec is run, it creates a tdisk of the same disk type as the 200 and 300 disks. You can issue the CP commands query virtual 200 and query virtual 300 to determine this information.
You can install the z/VM system on 3390 DASD or on a simulated 9330 Fixed Block SCSI disk. Therefore, one of these is the type of tdisk space that you must define. In this example, install the system on 3390 DASD.
To run the RACDSMON utility, enter the CP command racdsmon. It displays several panels. The first panels are only informational in nature. You can use one of them to go into a CMS SUBSET environment, where you can perform tasks such as linking to the disk that you should have linked before running the exec. The first panels where you must provide information is the panel that prompts you for the address of the INPUT RACF database device (see Example 5-34). When the exec runs, these prompts are displayed on three separate panels.
Example 5-34 RACF database input
Enter the INPUT RACF dataset device address one at a time.
Enter END when all input data sets are entered.
or
Enter QUIT to terminate processing.
200
Enter the NEXT INPUT RACF dataset device address .
Enter END when all input data sets are entered.
or
Enter QUIT to terminate processing.
300
Enter the NEXT INPUT RACF dataset device address .
Enter END when all input data sets are entered.
or
Enter QUIT to terminate processing.
end
The next prompt from the exec asks whether you want to use a tdisk or a minidisk. If your system does not have tdisk space that is defined, then you can use minidisks. These disks must be defined in the system directory and must be the same size and geometry as the 200 and 300 disk that is owned by RACFVM. In our example, we use tdisk, as shown in Example 5-35. Then, you see panels that display messages about the copy of the 200 and 300 disks to the 5FD and 5FE disks.
Example 5-35 Use of temporary disk
DMSACC723I H (0200) R/W - OS
Would you like to use TDISK or existing disks for the file to scan?
Enter "T" to TDISK or "E" for existing disk(s)
T
The input RACF data set - 200 is being copied over to 5FE
...Please wait...
DMSACC724I 300 replaces H (200) - OS
DMSACC723I H (0300) R/W - OS
The input RACF data set - 300 is being copied over to 5FD
...Please wait...
You should receive a message about the ICHDSM00 SYSIN file and have an opportunity to edit the file (see Example 5-36). If it is not the first time you are running RACDSMON on this machine, you receive a message saying that the file exists and if you want to overlay it. Answering YES deletes the file on the disk and creates a new file. Accept the default on this panel, and edit the file.
Example 5-36 ICHDSM00 SYSIN file message
The ICHDSM00 SYSIN file will initially contain all DSMON FUNCTION
control statements that are applicable to VM .
XEDIT will be invoked in order to tailor the ICHDSM00 SYSIN file.
Please be sure to issue the FILE command when edits are completed.
Press Enter to go into XEDIT
You must modify the ICHDSM00 SYSIN file. It features one option that is not supported on RACF for z/VM. Example 5-37 on page 143 shows the correct modifications for this file. Save the file after you modify it. When running RACDSMON in the future, you can respond to the question about editing this file with NO (which then uses the file on your A disk).
Example 5-37 Updating ICHDSM00 SYSIN
===== * * * Top of File * * *
|...+....1....+....2....+....3....+....4....+....5....+....6....+....7...
===== FUNCTION SYSTEM
===== FUNCTION RACGRP
===== FUNCTION RACCDT
==d== FUNCTION RACEXT
===== FUNCTION RACGAC
===== FUNCTION RACUSR
===== FUNCTION RACDST
===== * * * End of File * * *
After a few minutes, you receive the messages that are shown in Example 5-38.
Example 5-38 RACDSMON completion
Program ICHDSM00 is being executed - Please wait
DMSACC723I R (0200) R/W - OS
DMSACC723I Q (0300) R/W - OS
CSTSET001I CMS SUB-TASKING SUPERVISOR INITIALIZED.
CSTINT003I INITIATOR ACTIVATED.
PRT FILE 0012 SENT FROM EDI PRT WAS 0012 RECS 0352 CPY 001 A NOHOLD NOKEEP
CSTINT004I PROGRAM 'RACFIPLU' ENDED. COMPLETION CODE = 000000.
CSTINT006I NO MORE SUB-TASKS.
CSTTER001I CST TERMINATED.
Return code from ICHDSM00 = 0
PRT FILE 0016 SENT FROM EDI PRT WAS 0016 RECS 0026 CPY 001 A NOHOLD NOKEEP
Ready; T=0.04/0.05 11:15:12
When the RACDSMON EXEC completes, you must perform an IPL of the CMS or 190 to have full CMS function. The 490 disk that is owned by RACFVM does not include all of the CMS executable files that you have with a normal CMS. After performing the IPL of the 490 disk, you do not have access to FIELIST, RDRLIST, FULLIST, XEDIT, and so on.
The RACDSMON EXEC creates two files in your VMRDR. The file that is named (none) is the report that is generated. You should receive a file that provides a file name and file type that is used by the security audit team. You can discard the file ICHDSM00 $$$$$$$$. If you forgot to spool the VMPRT, transfer the files from the VMPRT to the VMRDR.
The audit report includes the following information:
RACF System Report (see Example 5-39).
Example 5-39 RACF System Report
RACF DATA SECURITY MONITOR
S Y S T E M R E
------------------------------------------------------------------------
CPU-ID 0DDA87
CPU MODEL 2964
OPERATING SYSTEM/LEVEL z/VM Version 7 Release 1.0, service l
LAST SYSTEM GENERATION Generated at 06/16/19 12:07:28 EDT
LAST SYSTEM IPL IPL at 06/22/19 16:57:27 EDT
RACF VERSION 7 RELEASE 1 IS ACTIVE
RACF DATA SECURITY MONITOR
RACF Exits Report (see Example 5-40).
Example 5-40 RACF Exits Report
DSMON RPT0723 A1 F 132 Trunc=132 Size=356 Line=1
====>
11 R A C F E X I T S R E P O R T
12 EXIT MODULE MODULE
13 NAME LENGTH
14 -------------------------------------------------
15 ICHPWX11 1,520
16 RACF DATA SECURITY MONITOR
Selected User Attribute Report (see Example 5-41).
Example 5-41 Selected User Attribute Report
S E L E C T E D U S E R A T T R
USERID ----------------- ATTRIBUTE TYPE ----------------
SPECIAL OPERATIONS AUDITOR REVOKE
-----------------------------------------------------------------------
$ALLOC$ SYSTEM
$DIRECT$ SYSTEM
$PAGE$ SYSTEM
$SPOOL$ SYSTEM
$SYSCKP$ SYSTEM
$SYSWRM$ SYSTEM
$TDISK$ SYSTEM
BLDCMS SYSTEM
BLDNUC SYSTEM
BLDRACF SYSTEM
BLDSEG SYSTEM
IBMUSER SYSTEM SYSTEM
KLAUSM SYSTEM
MAINT SYSTEM
MAINT630 SYSTEM
MIGMAINT SYSTEM
RAMPAZZO SYSTEM SYSTEM
VIC SYSTEM
WILLIANR SYSTEM SYSTEM
6VMLEN20 SYSTEM
RACF DATA SECURITY MONITOR
S E L E C T E D U S E R A T T R I B U T
------------------------------------------------------------------------
TOTAL DEFINED USERS: 156
TOTAL SELECTED ATTRIBUTE USERS:
ATTRIBUTE BASIS SPECIAL OPERATIONS AUDITOR
---------------- --------------- --------------- -----------
SYSTEM 5 9
GROUP 0 0
RACF Class Descriptor Table Report (see Example 5-42).
Example 5-42 RACF Class Descriptor Table
R A C F C L A S S D E S C R I P T O
CLASS DEFAULT
NAME STATUS AUDITING STATISTICS UACC
------------------------------------------------------------------------
RVARSMBR INACTIVE NO NO NONE
RACFVARS INACTIVE NO NO NONE
SECLABEL INACTIVE NO NO NONE
VMMDISK ACTIVE YES NO NONE
VMRDR ACTIVE YES NO NONE
VMCMD INACTIVE NO NO NONE
VMNODE INACTIVE NO NO NONE
VMBATCH ACTIVE NO NO NONE
VMDEV INACTIVE NO NO NONE
FILE INACTIVE NO NO NONE
DIRECTRY INACTIVE NO NO NONE
SFSCMD INACTIVE NO NO NONE
VMPOSIX INACTIVE NO NO NONE
VMLAN ACTIVE YES NO NONE
VMMAC INACTIVE NO NO NONE
VMSEGMT ACTIVE NO NO NONE
RACF Global Resource Table Report (see Example 5-43).
Example 5-43 RACF Global Resource Table
R A C F G L O B A L A C C E S S
CLASS ACCESS ENTRY
NAME LEVEL NAME
----------------------------------------------------------------------
DATASET -- GLOBAL INACTIVE --
RVARSMBR -- GLOBAL INACTIVE --
SECLABEL -- GLOBAL INACTIVE --
VMMDISK -- GLOBAL INACTIVE --
VMRDR -- GLOBAL INACTIVE --
VMCMD -- GLOBAL INACTIVE --
VMNODE -- GLOBAL INACTIVE --
VMBATCH -- GLOBAL INACTIVE --
VMDEV -- GLOBAL INACTIVE --
FILE -- GLOBAL INACTIVE --
DIRECTRY -- GLOBAL INACTIVE --
SFSCMD -- GLOBAL INACTIVE --
VMPOSIX -- GLOBAL INACTIVE --
VMLAN -- GLOBAL INACTIVE --
VMMAC -- GLOBAL INACTIVE --
VMSEGMT -- GLOBAL INACTIVE --
RACF Group Tree Report (see Example 5-44).
Example 5-44 RACF Group Tree Report
R A C F G R O U P T R E E
LEVEL GROUP (OWNER)
-----------------------------------------------------------------------
1 SYS1 (IBMUSER )
|
2 | DIRMADMN
|
2 | DIRMSRV
|
2 | GADM (IBMUSER )
|
2 | GBIN (IBMUSER )
|
2 | GNOBODY (IBMUSER )
|
2 | GSYS (IBMUSER )
|
2 | MAIL (IBMUSER )
|
RACF SMF Data Unload Utility
Available since RACF/VM 1.10 and RACF FL 530, the RACF SMF Data Unload Utility (RACFADU) is the IBM preferred utility for processing RACF audit records. With it, you can create a sequential file from the security relevant SMF data. You can use the sequential file in the following ways:
View the file directly.
Use the file as input for installation-written programs.
Manipulate the file with sort and merge utilities.
Output to an XML-formatted file for viewing with a web browser.
If the output is loaded into a database management system (for example, IBM DB2® or SQL/DS), you can issue your own queries. RACF includes the sample statements that are required to define and load the IBM Db2® tables.
Before you can run the RACFADU EXEC, the following requirements must be met:
Link and access the RACFVM 305 disk.
Link the RACFVM 301 and 302 disks.
Have adequate free space on your A disk for the output file (30 cylinders is acceptable).
You can run RACFADU EXEC with or without any parameters. Without any parameters, it opens the RACFADU panel (see Example 5-45 on page 147).
Example 5-45 RACF SMF Unload Utility
RACF SMF Unload Utility - Input Panel
 
. Virtual address of input SMF data minidisk ____
. Virtual address of output minidisk ____
. Filename and filetype of sequential RACFADU OUTPUT
output file
. Filename and filetype of XML easily readable ________ ________
output file
. Filename and filetype of XML compressed ________ ________
output file
PF1 = Help PF2 = Execute PF3 = Quit
ENTER = Verify input fields
Enter CP/CMS Commands below:
====>
Example 5-46 shows the command that is run with all the required options for the command, which bypasses the input panel.
Example 5-46 RACFADU without an input panel
racfadu 301 191
RACFADU OUTPUT
RPIADU033I SMF unload completed successfully.
View the RACFADU MESSAGES file for additional details.
Ready; T=0.01/0.01 13:32:28
When you run the exec in either mode, the following files are created on your A disk by default:
RACFADU MESSAGES A1
RACFADU OUTPUT A1
The RACFADU MESSAGES file describes how many of each type of SMF records were processed, as shown in Example 5-47.
Example 5-47 RACFADU MESSAGES file
* * * Top of File * * *
IRR67652I The utility processed 0 SMF type 30 records.
IRR67652I The utility processed 223 SMF type 80 records.
IRR67652I The utility processed 5 SMF type 81 records.
IRR67655I The utility processed 0 SMF type 83 subtype 1 records.
IRR67655I The utility processed 0 SMF type 83 subtype 2 records.
IRR67655I The utility processed 0 SMF type 83 subtype 3 records.
IRR67655I The utility processed 0 SMF type 83 subtype 4 records.
IRR67655I The utility processed 0 SMF type 83 subtype 5 records.
IRR67655I The utility processed 0 SMF type 83 subtype 6 records.
IRR67653I The utility bypassed 0 SMF records not related to IRRADU00.
IRR67650I SMF data unload utility has successfully completed.
* * * End of File * * *
The RACFADU OUTPUT file is the readable output of all the SMF data records (see Example 5-48). If this file exists on the output disk, you are prompted to rename or replace the old file before continuing. These files can be used by Db2, SQL/DS, and DFSORT/CMS.
Example 5-48 RACFADU OUTPUT file
RACFADU OUTPUT A1 V 5331 Trunc=5331 Size=5043 Line=3972 Col=1 Alt=0
===>
3972 DEFINE SUCCESS 11:00:34 2007-07-18 VMSP NO NO NO DETRO SYS1
3973 RDEFINE SUCCESS 11:00:34 2007-07-18 VMSP NO NO NO DETRO SYS1
3974 PERMIT SUCCESS 11:00:34 2007-07-18 VMSP NO NO NO DETRO SYS1
3975 PERMIT SUCCESS 11:00:34 2007-07-18 VMSP NO NO NO DETRO SYS1
3976 PERMIT SUCCESS 11:00:34 2007-07-18 VMSP NO NO NO DETRO SYS1
3977 PERMIT SUCCESS 11:00:34 2007-07-18 VMSP NO NO NO DETRO SYS1
3978 PERMIT SUCCESS 11:00:34 2007-07-18 VMSP NO NO NO DETRO SYS1
3979 PERMIT SUCCESS 11:00:34 2007-07-18 VMSP NO NO NO DETRO SYS1
3980 ACCESS SUCCESS 11:11:44 2007-07-18 VMSP NO NO NO DETRO SYS1
4598 ACCESS SUCCESS 17:18:19 2007-07-18 VMSP NO NO NO DETRO SYS1
4751 ACCESS SUCCESS 17:24:04 2007-07-18 VMSP NO NO NO DETRO SYS1
The utility can be used to generate an XML file that is readable with a browser. To create the XML file, you must pass the file name and file type for the XML file. The following parameters are included:
OUTXRN filename File name of output XML easily readable file.
OUTXRT filename File type of output XML easily readable file.
OUTXCN filename File name of output XML compressed.
OUTXCT filename File type of output XML compressed.
It is much easier to use the panel when the XML files are generated from your SMF data (see Example 5-49 on page 149). Also, if you are using the XML function, it works better with the compressed version of this process.
Example 5-49 Using the RACF SMF Unload Utility Input panel to generate XML files from SMF data
RACF SMF Unload Utility - Input Panel
 
. Virtual address of input SMF data minidisk 0301
. Virtual address of output minidisk 0191
. Filename and filetype of sequential
output file
. Filename and filetype of XML easily readable ________ ________
output file
. Filename and filetype of XML compressed RACFADU1 XML_____
output file
PF1 = Help PF2 = Execute PF3 = Quit
ENTER = Verify input fields
Enter CP/CMS Commands below:
====>
After the file is created, use the IBM Personal Communications program or any other method available on your installations to download the file from the A disk to the desktop in text mode. After you download the file, open it with an editor and change the encoding value and XML syntax error on the first line, as shown in Example 5-50 (and as documented in RACF Security Server Auditor’s Guide, SC24-6311). This step is required because of the mismatch between the z/VM use of EBCDIC versus the PC that uses ASCII.
Example 5-50 Changing the XML header
<xml version='1.0' encoding='ISO8859-l'>
<securityEventLog xmlns='http://www.ibm.com/xmlns/zOS/IRRSchema'>
 
<rdf:Description rdf:about=''
xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'
xmlns:dc='http://purl.org/dc/elements/1.1/'>
<dc:creator> RACF for z/VM SMF Unload (HRF6030)</dc:creator>
<dc:subject>RACF Security Event Log 2016-06-23 13:37:39</dc:subject>
<dc:language>en</dc:language>
</rdf:Description>
At the bottom of the file, it is missing the close tag for the XML, and some browsers might encounter problems opening the file. In this case, add the missing tag, as shown in Example 5-51.
Example 5-51 Correcting the XML close tag
</securityEventLog>
</xml>
You can view the audit report on personal computers and workstations by using an XML-capable web browser. Many browsers that are available today can correctly parse and render XML documents. Therefore, when the audit report is on that system, you can read it as easily as any other web document. Open a listing of the files and single- or double-click the file to open it in the browser window.
In this example, when this file is opened by using Firefox, you receive a message in reference to a missing style file (see Figure 5-2). In this case, you must combine this file with a customized stylesheet to get the browser to filter and display the windows in a more acceptable format.
Figure 5-2 Opening an XML file with Firefox
Internet Explorer opens the file without any message, as shown in Figure 5-3 on page 151.
Figure 5-3 Opening an XML file with Internet Explorer
RACF Report Writer Utility
 
Note: The RACF Report Writer Utility (RACFRW) is no longer the IBM preferred utility for processing RACF audit records. The RACF SMF data unload utility is the preferred reporting utility. The RACFRW does not support many of the audit records that are introduced after RACF 1.9.2.
The RACFRW lists the contents of System Management Facilities (SMF) records in a format that is easy to read. SMF records are in the SMF data file. You can also tailor the reports to select specific SMF records that contain certain kinds of RACF information. With the RACFRW, you can obtain the following information:
Reports that describe attempts to access a particular RACF-protected resource in terms of user identity, number and type of successful accesses, and number and type of attempted security violations.
Reports that describe user and group activity.
Reports that summarize system use and resource use.
The RACF report writer lists the contents of SMF records in a format that is easy to read. It provides a wide range of reports so that you can monitor and verify the use of the system and resources.
The RACF report writer consists of the following phases:
1. Command and subcommand processing.
2. Record selection.
3. Report generation.
The steps to perform when running the RACRPORT EXEC are similar to the steps in running other RACF utilities. You must link and access several disks that are owned by RACFVM and then run the exec (see Example 5-52). Unlike the RACDSMON where you must link to the RACFVM 200 and 300 disks (the location of the RACF database), this time you need access to the SMF records that are created on the RACFVM 301 and 302 disks.
Example 5-52 Linking the necessary disks for RACRPORT
link racfvm 191 291 rr
DASD 0291 LINKED R/O; R/W BY RACFVM at ITSOZVM4
Ready; T=0.01/0.01 14:22:22
 
link racfvm 301 301 rr
DASD 0301 LINKED R/O; R/W BY RACFVM at ITSOZVM4
Ready; T=0.01/0.01 14:22:29
 
link racfvm 302 302 rr
Ready; T=0.01/0.01 14:22:36
 
link racfvm 305 305 rr
DASD 0305 LINKED R/O; R/W BY RACFVM at ITSOZVM4
Ready; T=0.01/0.01 14:22:42
 
acc 305 l
DMSACP723I L (305) R/O
Ready; T=0.01/0.01 14:41:36
While working with RACRPORT, we observed that the tdisk that was used by this utility was hardcoded in the program with virtual address 5FF. If you use that virtual address for something else, you must detach it or redefine the disk to another address.
The RACRPORT EXEC generates the reports in your virtual printer. Therefore, spool your printer to your reader to make things easier.
The SET SECUSER command is used to change the secondary user ID that is associated with your VM or another user’s VM. To run the command for the OPERATOR VM, you must be authorized to run class A privileged commands (see Example 5-53 on page 153). This command is the command that additionally authorizes the use of the CP SEND command.
Example 5-53 CP query privclass
id
EDI AT ITSOZVM4 VIA * 06/23/16 14:26:59 EDT THURSDAY
Ready;
q priv
Privilege classes for user EDI
Currently: ABCDEFG
Directory: ABCDEFG
The privilege classes are not locked against changes.
Before you can run this utility, RACFVM must switch from the primary SMF disk to the alternative SMF disk. This task is accomplished by using the RACF SMF SWITCH command.
During the RACF implementation, an optional step was available to change the Message Routing Table, which allowed you to define more VMs that are allowed to request the SMF SWTICH of RACFVM. At that time, you did not need to add VMs to this list. Now, you implement this process by having the OPERATOR VM issue the SMF SWITCH, as shown in Example 5-54.
Example 5-54 Switching the SMF disk
q secuser racfvm
Secondary
Userid Userid Status
RACFVM OPERATOR logged on
Ready;
set secuser racfvm *
HCPCFX6768I SECUSER of RACFVM initiated.
Ready;
smsg racfvm smf switch
You are not authorized to issue SMSG to a RACF server
Ready;
set secuser racfvm reset
RACFVM : HCPCFX6768I Your SECUSER set to OPERATOR by EDI.
HCPCFX6769I SECUSER of RACFVM terminated.
Ready;
q secuser operator
Secondary
Userid Userid Status
OPERATOR not defined
Ready;
set secuser operator *
HCPCFX6768I SECUSER of OPERATOR initiated.
Ready;
send cp operator smsg racfvm smf switch
Ready;
OPERATOR: RPISMF066I Switched to secondary disk
set secuser operator reset
OPERATOR: HCPCFX6769I Your SECUSER terminated by EDI.
HCPCFX6769I SECUSER of OPERATOR terminated.
Ready;
 
Note: As you can see in Example 5-54, OPERATOR and RACFSMF are the only VMs that are authorized to send messages to RACFVM.
If RACFSMF was not granted the authority to link to the RACFVM 301 and 302 disks, SMF SWITCH fails. The solution is to issue RACF PERMITS commands for those disks:
rac permit racfvm.301 class(vmmdisk) id(racfsmf) ac(control)
rac permit racfvm.302 class(vmmdisk) id(racfsmf) ac(control)
rac permit racfvm.191 class(vmmdisk) id(racfsmf) ac(read)
Now, when you run the SMF SWITCH command through the CP SEND command, it is successful. With this step completed, you can run the RACRPORT command after you have accessed the 305 disk (see Example 5-55).
Example 5-55 Running RACRPORT
The RACFRW CONTROL file cannot be located and is required for execution
to continue.
Do you wish to create a RACFRW CONTROL file?
Please enter YES or NO
yes
XEDIT will be invoked in order to tailor the RACFRW CONTROL file.
Please be sure to issue the FILE command when edits are completed.
Please press Enter to continue
The RACFRW CONTROL file must contain the input that is required by RACFRW, including the RACFRW command and subcommands. This file is on your A disk and is created with XEDIT when RACFRW is run. The statements that are included in Example 5-56 generate a detailed report.
Example 5-56 RACFRW CONTROL file
RACFRW CONTROL A1 F 80 Trunc=80 Size=7 Line=7 Col=1 Alt=7
DMSXMD587I XEDIT:
===== * * * Top of File * * *
===== RACFRW TITLE ('PLACE YOUR RACF REPORT TITLE HERE')
===== SELECT VIOLATIONS
===== SELECT SUCCESSES
===== EVENT LOGON
===== EVENT SETROPTS
===== LIST
===== END
|...+....1....+....2....+....3....+....4....+....5....+...
===== * * * End of File * * *
After modifying the RACFRW CONTROL file and saving it to your A disk, you are prompted to define where the work disk is stored (a tdisk or your A disk). Because the A disk is usually a small disk, use the tdisk. Respond to the prompt as shown in Example 5-57.
Example 5-57 Use of tdisk when running RACRPORT
The RACF Report Writer requires Disk Space for a Sort work file.
You may wish to use Tdisk for this function.
Note: If Tdisk is not used, the Sort work file will be written on
the A disk.
Do you wish to use Tdisk for the Sort work file?
Please enter YES or NO
YES
The RACRPORT EXEC does not contain the logic that is in the RACDSMON exec, where RACDSMON might determine what type of tdisk space was defined on your system. With the RACRPORT EXEC, you must specify the tdisk disk type.
The query tdisk command (see Example 5-58) gives you information about system-defined tdisk space. However, it does not provide the characteristics of the disk device. You must query the devices to obtain the disk type.
Example 5-58 The query tdisk command
q tdisk
DASD 3D07 ATTACHED CPVOL 0000 VM3D07
DASD MDISKS NOT FOUND
DASD 3E07 ATTACHED CPVOL 0001 VM3E07
RAMPAZZO 05FF 00000007
Ready;
 
q 3d07 id
DASD 3D07 3390-0A CU: 2107-E8
3D07 EQID: 002107900IBM7500000000000DVV610D070000000000000D0A
Ready;
With this information, you can select the correct type of tdisk to create as the sort disk. The EXEC then provides you with the information about the SMF disk that is being used for the generation of this report (see Example 5-59). The requirement is that the sort disk must be the same size or larger than the source disk. As a preferred practice, make the sort disk the same size as the source disk.
Example 5-59 Information about rgw disk that contains the SMF DATA file
You will now be prompted for Tdisk space
Since the number of cylinders or blocks required depends on the size of
the SMF DATA file, it is recommended that you allocate a
temporary disk that is at least as large as the SMF DATA file.
The disk containing the SMF DATA file will be displayed below
LABEL VDEV M STAT CYL TYPE BLKSZ FILES BLKS USED-(%) BLKS LEFT BLK TOTAL
RCF301 301 C/A R/O 7 3390 4096 1 33-03 1227 1260
Please enter the number of cylinders or blocks for Tdisk allocation.
7
After you define the size of the source disk, the tdisk is created as address 5FF (this address must be available). It then uses the definitions that you created in the RACFRW CONTROL file and generates a console file in your VMRDR. You can use the peek command to view this file or receive it to disk. If you print it, it should be printed on a printer that supports logical record lengths of 132 characters.
Because of variations from one installation to another, and all different types of policies that are used by the companies, it is not possible to identify all of the ways an auditor might use the RACFRW.
However, the following monitoring possibilities are available, which are described in RACF Security Server Auditor’s Guide, SC24-6305:
Password violation levels
Access attempts in WARNING mode
Access violations
Use of RACF commands
Specific users
SPECIAL users
OPERATIONS users
Failed accesses to resources protected by a security level
Accesses to resources protected by a security label
 
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.189.178.237