RACF Access Monitor


The RACF Access Monitor function provides RACF administrators with the data required to remove unused or obsolete resource profiles and authorizations defined within profiles. RACF administrators and analysts can also use this function to test resource profiles and access rights by running simulations against a candidate RACF database. The candidate database can be one prepared using zSecure Admin RACF-Offline, or a database on another z/OS® system where you intend to host production processes.

Using the Access Monitor function, you can monitor access events and collect the data for reporting and analysis. From the reports, you can view and analyze the resource profile and access usage. You can also use specific access events (RACINIT) for alerting through zSecure Alert, for example, for alert 1122.

zSecure Access Monitor also has the capability to capture information about many UNIX file system events. The information is captured at the full path level, and not at the directory level. For example, a file or directory open event causes a RACF access check for each directory in the full pathname. Access Monitor captures the file or directory open event, but does not record each individual directory access verification.

zSecure Access Monitor can provide preprocessed access records for use by an analytics product like IBM Z® Operations Analytics. The records are saved in a UNIX file and can be retrieved by one of the analytics components. To enable this process, several configuration steps must be performed. For more information on required configuration, see section Optional customization for analytics preprocessing in zSecure CARLa-Driven Components Installation and Deployment Guide.

Note: Your installation must have the Access Monitor program for the z/OS system installed and configured before data can be collected, analyzed, or passed on. You must also have access to the data sets used to consolidate the access data. For details on the setup and configuration, see zSecure CARLa-Driven Components Installation and Deployment Guide.
The RACF database cleanup function consists of three components:
  • The RACF Access Monitor program (C2PACMON) used for data collection.
  • The CKRCARLA program that summarizes and saves the collected data so it can be analyzed.
  • An ISPF menu component that allows you to specify selection criteria for reports, generate reports, analyze reports, and perform RACF database cleanup tasks.
The following processes provide the data to analyze access events and perform RACF database cleanup tasks.
Data collection
The RACF Access Monitor program (C2PACMON) collects the usage data on resource profiles and the authorizations defined within the profiles. To collect the required RACF information, the function dynamically defines several RACF exits to capture RACF events and collect the required information. When the Access Monitor program is running, it monitors access on a continuous basis.

The UNIX event data is collected through UNIX syscall exits. zSecure Access Monitor dynamically installs and activates these exits during startup. The UNIX event records contain information like the userid, uid and gid, and the full pathname of the file or directory. Access decisions for UNIX events are based on the file mode and the ACL, but the UNIX event records do not contain the current access specifications: they record what was requested and the decision, not the mode bits or ACL entries that were in effect at the time.

The collected Access Monitor records are saved to disk at the end of each SMF interval. The SMF interval is specified by using the INTVAL parameter in member SMFPRMxx in PARMLIB. The default INTVAL parameter value is 30 minutes. The CKRCARLA program is used to combine the collected records and write them to a data set. Each type of access event is saved in a corresponding access record.

Data consolidation
Because access monitoring runs continuously, it collects a large amount of data. To maintain a manageable amount of data for reporting, the Access Monitor process summarizes the data collected at each interval on a daily basis. The summary removes redundant profile information and provides access counts on profiles with multiple access events. The summarized data is written to a daily consolidation data set. Daily consolidation data sets can be further consolidated on a weekly or monthly basis using the CKRCARLA procedures provided with zSecure Admin. Administrators can also create custom consolidation jobs to consolidate access data sets for different time intervals. For example, an installation might want to consolidate three monthly data sets into a single data set to generate quarterly Access Summary or RACF Usage reports. These consolidation data sets are the data source for the Access Monitor reporting functions.
Report Generation
Users process the consolidated access data by running ad-hoc queries to evaluate the profile usage and access data. Processing can be set up and run interactively using the options available on the Access Monitor menu in the product.

The access data can also be processed using CKRCARLA. Two CARLa NEWLIST types are available for this purpose. The ACCESS NEWLIST uses the Access Monitor records to report about the collected events. The RACF_ACCESS NEWLIST shows profiles in the RACF database and annotates these profiles with usage data from the Access Monitor records.

With proper record selection through the user interface or a CARLa program, Access Monitor reports can include the profiles of interest for a particular application. For example, you can report on all access permitted by the Global Access Checking table. You can also create commands to delete profiles that have not been used recently.
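The consolidation and reporting flow described above, as an added illustration that is not zSecure code: the record layout, the field names, the candidate-database shape and the consolidation rules are simplified assumptions, and the sample events are constructed. Real Access Monitor records are binary and are summarized by CKRCARLA; the point here is the shape of the processing (collapse repeated events into counts, merge daily summaries, annotate profiles from a candidate database, and only then generate cleanup commands for review). RDELETE and PERMIT ... DELETE are real RACF commands; everything else is hypothetical.

```python
"""Toy model of Access Monitor consolidation and cleanup reporting (added
example, not zSecure code; record layout and rules are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AccessEvent:
    """One access check as the monitor might capture it (constructed layout)."""
    day: date        # date of the SMF interval in which the event was saved
    cls: str         # RACF class, e.g. FACILITY
    profile: str     # profile that covered the check (best match)
    user: str        # requesting userid
    intent: str      # requested access: READ, UPDATE, CONTROL, ...
    allowed: bool    # RACF decision


def summarize(events):
    """Interval/daily consolidation: one record per (class, profile, user,
    intent, decision) with an access count and the most recent date."""
    summary = {}
    for ev in events:
        key = (ev.cls, ev.profile, ev.user, ev.intent, ev.allowed)
        count, last = summary.get(key, (0, ev.day))
        summary[key] = (count + 1, max(last, ev.day))
    return summary


def consolidate(*summaries):
    """Weekly/monthly consolidation: merge summaries by adding counts and
    keeping the latest date, so the result stays compact per key."""
    merged = {}
    for s in summaries:
        for key, (count, last) in s.items():
            c0, l0 = merged.get(key, (0, last))
            merged[key] = (c0 + count, max(l0, last))
    return merged


def annotate_profiles(db, usage):
    """RACF_ACCESS-style view: annotate each profile of a (candidate) database
    with permitted/denied counts, last use, and permits never exercised.
    db maps (cls, profile) -> {userid: access} (the profile's access list)."""
    used_by = defaultdict(set)
    totals = defaultdict(lambda: {"accesses": 0, "denied": 0, "last_used": None})
    for (cls, profile, user, _intent, allowed), (count, last) in usage.items():
        t = totals[(cls, profile)]
        if not allowed:
            t["denied"] += count
            continue
        used_by[(cls, profile)].add(user)
        t["accesses"] += count
        t["last_used"] = last if t["last_used"] is None else max(t["last_used"], last)
    report = {}
    for (cls, profile), acl in db.items():
        unused = sorted(set(acl) - used_by[(cls, profile)])
        report[(cls, profile)] = dict(totals[(cls, profile)], unused_permits=unused)
    return report


def cleanup_commands(report, as_of, unused_days):
    """Candidate RACF commands: RDELETE for profiles with no permitted access
    in the window, PERMIT ... DELETE for permits never exercised. Profiles that
    still produce failures are returned for manual review instead, because
    deleting them changes the decision for those requests. A profile may also
    protect a yearly job that never ran while monitoring was active, so review
    every command before running it (DATASET profiles need DELDSD, not RDELETE)."""
    cmds, review = [], []
    for (cls, profile), info in sorted(report.items()):
        last = info["last_used"]
        stale = last is None or (as_of - last).days > unused_days
        if stale and info["denied"]:
            review.append(f"{cls} {profile}: {info['denied']} denied, no permitted access")
        elif stale:
            cmds.append(f"RDELETE {cls} {profile}")
        else:
            for user in info["unused_permits"]:
                cmds.append(f"PERMIT {profile} CLASS({cls}) ID({user}) DELETE")
    return cmds, review


def demo():
    """Constructed two-day sample: daily summaries, weekly merge, cleanup."""
    d1, d2 = date(2024, 3, 4), date(2024, 3, 5)
    day1 = summarize([
        AccessEvent(d1, "FACILITY", "BPX.SUPERUSER", "SYSPROG1", "READ", True),
        AccessEvent(d1, "FACILITY", "BPX.SUPERUSER", "SYSPROG1", "READ", True),
        AccessEvent(d1, "FACILITY", "IRR.DIGTCERT.LIST", "WEBSRV", "READ", True),
    ])
    day2 = summarize([
        AccessEvent(d2, "FACILITY", "BPX.SUPERUSER", "SYSPROG1", "READ", True),
        AccessEvent(d2, "FACILITY", "OLDAPP.ADMIN", "DEVUSER", "CONTROL", False),
    ])
    week = consolidate(day1, day2)
    candidate_db = {  # hypothetical candidate database access lists
        ("FACILITY", "BPX.SUPERUSER"): {"SYSPROG1": "READ", "OLDOPER": "READ"},
        ("FACILITY", "IRR.DIGTCERT.LIST"): {"WEBSRV": "READ"},
        ("FACILITY", "LEGACY.UNUSED"): {"OLDOPER": "READ"},
        ("FACILITY", "OLDAPP.ADMIN"): {"DEVUSER": "UPDATE"},
    }
    report = annotate_profiles(candidate_db, week)
    cmds, review = cleanup_commands(report, as_of=date(2024, 3, 6), unused_days=30)
    return week, report, cmds, review


if __name__ == "__main__":
    for line in demo()[2] + demo()[3]:
        print(line)
```

In the sample, the never-exercised OLDOPER permit on BPX.SUPERUSER becomes a PERMIT ... DELETE candidate, the profile with no events at all becomes an RDELETE candidate, and OLDAPP.ADMIN, which only saw a denied request, is held back for review rather than deleted.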

Figure 1 provides an overview of the Access Monitor data collection, consolidation, and reporting process. In the figure, user requests for access are captured using RACF and UNIX exits. Access data is collected by Access Monitor (C2PACMON) and saved to a daily consolidation data set. The daily data sets can in turn be consolidated into weekly or monthly collections. The consolidated data sets are the data source for the CKRCARLA program used to analyze and report on the access information. You can also use data from a RACF database as a data source for the reporting process: either the same database that was in use when the access data was collected, or a candidate database. Depending on the options you select, report output can be viewed as printed reports or in ISPF panel displays. The reports are generated using the CKRCARLA program.
Figure 1. RACF Database Cleanup process program components and data flow
Process diagram describing the components and data flow of the RACF database cleanup process.