The data security monitor (DSMON) produces a set of reports that
provide information about the current status of the data security
environment at your installation.
The reports DSMON can produce are:
Figure 1. Reports produced by DSMON
These reports can help you (1) check the initial steps you took
to establish system security, and (2) make additional security checks
periodically.
A short description of each report follows. See z/OS Security Server RACF Auditor's Guide for more information on these reports and how to invoke the data security monitor.
- The system report
- The system report contains information such as the identification and model of the processor complex, and the name, version, and release of the operating system. This report also specifies the RACF® version and release number and whether RACF is active. If RACF is inactive, DSMON prints a message that tells you whether RACF was not activated at IPL or was deactivated by the RVARY command.
- The group tree report
- This report lists, for each requested group, all of its subgroups, all of the subgroups' subgroups, and so on, as well as the owner of each group listed in the report, if the owner is not the superior group.
You can use the group tree report to examine the overall RACF group structure for your system. You can also determine the scope of the group for group-related user attributes (group-SPECIAL, group-OPERATIONS, and group-AUDITOR).
- The program properties table report
- This report lists all of the programs in the MVS™ program properties table (PPT). The report also indicates, for each program, whether the program is authorized to bypass password protection and whether it runs in a system key.
You can use the program properties table report to verify that only those programs that the installation has authorized to bypass password protection are, in fact, able to do so. Such programs are normally communication and database control programs, and other system control programs.
You can also verify that only those programs that the installation has authorized are able to run in a system key.
- The RACF authorized caller table report
- This report lists the names of all of the programs in the RACF authorized-caller table. The programs in this table are authorized to issue the RACROUTE REQUEST=VERIFY macro to perform user verification, or the RACROUTE REQUEST=LIST macro to load profiles into main storage.
You can use this report to verify that only those programs that are supposed to be authorized to modify an ACEE (accessor environment element) are able to issue the RACROUTE REQUEST=VERIFY. This verification is a particularly important security requirement because the ACEE contains a description of the current user. This description includes the user ID, the current connect group, the user attributes, and the group authorities. A program that is authorized to issue the RACROUTE REQUEST=VERIFY could alter the ACEE to simulate any user.
You can also use this report to verify that only those programs that are supposed to be authorized to access profiles are able to issue the RACROUTE REQUEST=LIST. Because profiles contain complete descriptions of the characteristics that are associated with RACF-defined entities, you must carefully control access to them.
- The RACF class descriptor table report
- This report lists, for each general resource class in the class descriptor table (CDT), the class name, the default UACC, whether the class is active, whether auditing is being done, whether statistics are being kept, and whether OPERATIONS attribute users have access.
You can use the class descriptor table report to determine which classes (besides DATASET) are defined to RACF and active, and therefore can contain resources that RACF protects.
- The RACF exits report
- This report lists the names of all of the installation-defined RACF exit routines and specifies the size of each exit routine module.
You can use the RACF exits report to verify that the only active exit routines are those that your installation has defined. The existence of any other exit routines might indicate a system security exposure, because RACF exit routines can be used to bypass RACF security checking. Similarly, if the length of an exit routine module differs from the length of the module when it was defined by your installation, the module might have unauthorized modifications.
- The RACF global access checking table report
- This report lists, for each resource class in the global access table, all of the entry names and their associated resource access authorities.
Because global access checking allows anyone to access the resource at the associated access authority, you should verify that each entry has an appropriate level of access authority.
- The RACF started procedures table reports
- RACF generates two reports about the started procedures table (ICHRIN03).
- If the STARTED class is active, the report uses the STARTED class profiles and contains the TRACE attribute. The trace uses module ICHDSM00.
- If the STARTED class is not active, the trace uses the installation-replaceable load module, ICHRIN03.
The reports list the procedure name, the user ID and group name to be associated with the procedure, and whether the procedure is privileged or trusted.
You can use the report to determine which started procedures are defined to RACF, and which have the privileged attribute. If a started procedure is privileged or trusted, it bypasses all REQUEST=AUTH and REQUEST=FASTAUTH processing (unless the CSA or PRIVATE operand was specified on REQUEST=AUTH), including checks for security classification of users and data.
- The selected user attribute report
- The selected user attribute report:
- Lists all RACF users with the SPECIAL, OPERATIONS, AUDITOR, or REVOKE attributes
- Specifies whether they possess these attributes on a system-wide (user) or group level
- Indicates whether they have any user ID associations
You can use this report to verify that only those users who need to be authorized to perform certain functions have been assigned the corresponding attribute.
- The selected user attribute summary report
- The selected user attribute summary report shows the number of installation-defined users and totals for users with the SPECIAL, OPERATIONS, AUDITOR, and REVOKE attributes, at both the system and group level. You can use this report to verify that the number of users with each of these attributes, on either a system or group level, is the number that your installation wants. In particular, you should make sure that you have assigned the SPECIAL attribute (on a system level) to at least one user and the AUDITOR attribute (on a system level) to at least one user.
- The selected data sets report
- This report lists the names of selected system data sets and, for each data set, specifies the criterion for selection, the serial number of the volume on which it resides, whether the data set is RACF-indicated or RACF-protected, and the universal access authority (UACC). If a data set meets more than one selection criterion, there is a separate entry in the report for each criterion. The selected data sets include system data sets, the MVS master catalog, user catalogs, the RACF primary and backup data sets, and user-specified data sets.
You can use the selected data sets report to determine which of these data sets are protected by RACF and which are not. You can also check whether the UACC associated with each of the data sets is compatible with your installation's resource access control requirements.
To reduce impact to system performance during the running of this report, you can limit or disable the listing of user catalogs. To do this, create a FACILITY class profile that protects the ICHDSM00.SYSCAT resource. When this resource is protected and the DSMON user does not have READ access to it, DSMON suppresses the listing of user catalogs and issues message ICH66134I, indicating the insufficient authority.
Example: To disable user catalog listing for the Selected Data Sets Report:
RDEFINE FACILITY ICHDSM00.SYSCAT UACC(NONE)
PERMIT ICHDSM00.SYSCAT CLASS(FACILITY) RESET
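The RACF exits report described above is most useful when it is compared against a record of what the installation defined. The following Python script is an added example, not IBM code and not part of this page: it parses exit-report lines into module name and length, and reports exits that are absent from the baseline, exits whose length changed, and baseline exits that are no longer active. The report text, the baseline lengths and the column layout are constructed for illustration; real DSMON output is formatted differently and would need its own parser.

```python
"""Baseline check over a DSMON-style RACF exits report (added example).

The page says to verify that the only active exit routines are those the
installation defined, and that each module's length still matches the
length recorded when it was defined.  Everything below is constructed
sample data; the column layout is an assumption, not IBM's format.
"""
import re

# Constructed baseline: exit module name -> length recorded at definition time.
BASELINE = {
    "ICHPWX01": 1840,   # new-password exit (length is a constructed value)
    "ICHRIX02": 976,    # RACROUTE REQUEST=VERIFY postprocessing exit (constructed)
}

# Constructed sample of an exits report body (layout assumed).
SAMPLE_REPORT = """\
                     R A C F   E X I T S   R E P O R T
EXIT MODULE NAME      MODULE LENGTH
ICHPWX01                       1840
ICHRIX02                       1024
ICHRTX00                        512
"""

# Exit names start with ICH or IRR; lengths may carry thousands separators.
LINE_RE = re.compile(r"^\s*(ICH[A-Z0-9]{5}|IRR[A-Z0-9]{5})\s+([\d,]+)\s*$")


def parse_exits_report(text):
    """Return {module_name: length} for every exit line in the report."""
    exits = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            exits[m.group(1)] = int(m.group(2).replace(",", ""))
    return exits


def check_exits(report_exits, baseline):
    """Compare the parsed report against the baseline.

    Returns a dict of findings:
      unexpected  - exits active on the system but not in the baseline
      size_change - (name, baseline_len, reported_len) where lengths differ
      missing     - baseline exits that no longer appear in the report
    Any non-empty list deserves follow-up by the auditor.
    """
    findings = {"unexpected": [], "size_change": [], "missing": []}
    for name, length in report_exits.items():
        if name not in baseline:
            findings["unexpected"].append(name)
        elif baseline[name] != length:
            findings["size_change"].append((name, baseline[name], length))
    for name in baseline:
        if name not in report_exits:
            findings["missing"].append(name)
    return findings


if __name__ == "__main__":
    result = check_exits(parse_exits_report(SAMPLE_REPORT), BASELINE)
    for kind, items in result.items():
        for item in items:
            print(kind, item)
```

With the constructed input, ICHRTX00 is reported as unexpected (it is not in the baseline) and ICHRIX02 as a size change (976 recorded, 1024 reported); both are exactly the conditions the page says may indicate a security exposure or unauthorized modification.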
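The selected user attribute report and its summary report, described above, are meant to be checked against the installation's intent: only approved users hold SPECIAL, OPERATIONS or AUDITOR at the system level, and at least one user holds system-level SPECIAL and one holds system-level AUDITOR. The following Python script is an added example, not IBM code and not part of this page: it parses a constructed user-attribute listing, derives the per-attribute, per-level totals the summary report presents, and returns findings for the two conditions just named. The record layout, the sample user IDs and the approved list are all constructed assumptions.

```python
"""Checks over a DSMON-style selected user attribute report (added example).

Constructed sample data throughout; the record layout (USERID, attribute,
level) is an assumption and is not IBM's report format.
"""

ATTRIBUTES = ("SPECIAL", "OPERATIONS", "AUDITOR", "REVOKE")
LEVELS = ("SYSTEM", "GROUP")

# Constructed sample: one record per user and attribute.
SAMPLE_REPORT = """\
USERID    ATTRIBUTE   LEVEL
RACFADM   SPECIAL     SYSTEM
RACFADM   AUDITOR     SYSTEM
OPSUSER   OPERATIONS  SYSTEM
PAYADM    SPECIAL     GROUP
OLDUSER   REVOKE      SYSTEM
TESTID    SPECIAL     SYSTEM
"""

# Constructed policy: users approved to hold each attribute at system level.
APPROVED_SYSTEM = {
    "SPECIAL": {"RACFADM"},
    "OPERATIONS": {"OPSUSER"},
    "AUDITOR": {"RACFADM"},
}


def parse_user_attribute_report(text):
    """Return a list of (userid, attribute, level) tuples, skipping the header."""
    records = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 3 and parts[1] in ATTRIBUTES and parts[2] in LEVELS:
            records.append((parts[0], parts[1], parts[2]))
    return records


def summarize(records):
    """Totals per attribute and level, as the summary report presents them."""
    totals = {attr: {level: 0 for level in LEVELS} for attr in ATTRIBUTES}
    for _, attr, level in records:
        totals[attr][level] += 1
    return totals


def audit(records, approved_system):
    """Return a list of findings; an empty list means the listing matches policy."""
    findings = []
    totals = summarize(records)
    # Minimum the page requires: someone must hold system-level SPECIAL and AUDITOR.
    for attr in ("SPECIAL", "AUDITOR"):
        if totals[attr]["SYSTEM"] == 0:
            findings.append(f"no user holds system-level {attr}")
    # Every system-level holder of a powerful attribute must be on the approved list.
    for userid, attr, level in records:
        if level == "SYSTEM" and attr in approved_system and userid not in approved_system[attr]:
            findings.append(f"{userid} holds system-level {attr} but is not approved")
    return findings


if __name__ == "__main__":
    recs = parse_user_attribute_report(SAMPLE_REPORT)
    for attr, counts in summarize(recs).items():
        print(f"{attr:<11} system={counts['SYSTEM']} group={counts['GROUP']}")
    for finding in audit(recs, APPROVED_SYSTEM):
        print("FINDING:", finding)
```

Group-level holders are counted in the totals but not matched against the approved list, because the page frames the mandatory minimums and the "who should hold this" question in terms of the system level; extend the policy table with group-level entries if your installation tracks those the same way.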