Using enhanced program security

If you choose to use the enhanced program security function, and you have daemons that use programs defined to RACF® as execute-controlled programs (that is, the user has EXECUTE access to the RACF PROGRAM profile that defines the program, or EXECUTE access to the library containing the program), then you need to take some special actions to configure those daemons so that they run properly.

In an environment with enhanced program security, and using execute-controlled programs, the initial program executed by a daemon must be defined to RACF with a profile in the PROGRAM class, and that profile must specify the MAIN option via the profile's APPLDATA. However, only programs loaded from an MVS™ library can be defined using the RACF PROGRAM class; you cannot define programs loaded from the z/OS UNIX file system. Therefore, if you have daemons that use execute-controlled programs, you need to move their initial program from the z/OS UNIX file system into an MVS library so that you can define it completely to RACF.

Additionally, if you run with enhanced program security and have the BPX.DAEMON FACILITY class profile defined, you can use another FACILITY profile to request that z/OS UNIX apply tighter security controls to your daemons. Typically, with BPX.DAEMON defined, z/OS UNIX will work with RACF to enforce a clean environment for any daemon. In this case, the daemon can run only those programs defined to the RACF PROGRAM class or marked controlled via the extattr shell command with the +p option.

For additional security, you can define the FACILITY profile BPX.MAINCHECK. When you do, z/OS UNIX and RACF require that the first program your daemon executes be defined to RACF with a PROGRAM profile that specifies the MAIN option, as is required for use of execute-controlled programs. If you define BPX.MAINCHECK, you therefore need to move the first program that any daemon executes from the z/OS UNIX file system to an MVS library if it currently resides in the UNIX file system.
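The following batch job is an added example, not taken from this documentation, that applies the steps above for a hypothetical daemon: its initial program MYDAEMON is assumed to have been moved into the load library SYS1.DAEMON.LOAD, it runs under the assumed user ID DAEMONU, and a helper program that remains in the UNIX file system at the assumed path /usr/sbin/mydaemon-helper is marked controlled with extattr +p. The job name, library, user ID and path are placeholders to replace with your own.

```jcl
//RACFCFG  JOB (ACCT),'DAEMON PGM SECURITY',CLASS=A,MSGCLASS=X
//*-------------------------------------------------------------------
//* Step 1: RACF definitions, run as TSO commands in batch.
//*   - enable enhanced program security (IRR.PGMSECURITY)
//*   - define the daemon's initial program, now in an MVS library,
//*     with the MAIN option in APPLDATA (assumed names below)
//*   - give the daemon user ID access to that program
//*   - define BPX.MAINCHECK so the first program must be MAIN
//*   - refresh in-storage profiles so the changes take effect
//*-------------------------------------------------------------------
//RACFDEF  EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  RDEFINE FACILITY IRR.PGMSECURITY APPLDATA('ENHANCED')
  RDEFINE PROGRAM MYDAEMON ADDMEM('SYS1.DAEMON.LOAD'//NOPADCHK) +
     UACC(NONE) APPLDATA('MAIN')
  PERMIT MYDAEMON CLASS(PROGRAM) ID(DAEMONU) ACCESS(READ)
  RDEFINE FACILITY BPX.MAINCHECK UACC(NONE)
  SETROPTS WHEN(PROGRAM) REFRESH
  SETROPTS RACLIST(FACILITY) REFRESH
/*
//*-------------------------------------------------------------------
//* Step 2: a helper the daemon still loads from the z/OS UNIX file
//* system cannot be a PROGRAM profile, so mark it controlled instead.
//*-------------------------------------------------------------------
//EXTATTR  EXEC PGM=BPXBATCH,
//   PARM='SH extattr +p /usr/sbin/mydaemon-helper'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
```

After the job runs, `RLIST PROGRAM MYDAEMON ALL` should show APPLDATA of MAIN, and `extattr /usr/sbin/mydaemon-helper` should report the program-controlled attribute as YES.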