To ensure that security is not compromised in a multilevel-secure system, the RACF® SETROPTS options listed in Table 1 should be active. The user with the RACF SPECIAL attribute activates these options using the SETROPTS command.
Table 1. SETROPTS options that should be active in a multilevel-secure environment

SETROPTS option | Description
CATDSNS(FAILURES) | Use this option to prevent users from accessing data sets that are not cataloged or that are not system temporary data sets. FAILURES specifies that RACF is to reject any request to access a data set that is not cataloged.
ERASE(ALL) | Use this option to erase (overwrite with binary zeroes) the contents of any scratched or released data set extents that are part of a DASD data set, regardless of the erase indicator set.
GENERICOWNER | Use this option to prevent an administrator from creating a profile that is more specific than an existing profile, for all general resource classes except the PROGRAM class and the grouping classes, unless the administrator is the owner of the existing, less specific profile.
JES(BATCHALLRACF, XBMALLRACF) | Use this option to require that all batch jobs run with a RACF-defined identity.
MLACTIVE(FAILURES) | Use this option to require that all resources protected by profiles in certain classes have a security label assigned to them. The classes are listed in Table 1.
MLFSOBJ(ACTIVE) | Use this option to require that files and directories have security labels. Those that do not can be accessed only by trusted or privileged started tasks.
MLIPCOBJ(ACTIVE) | Use this option to require that all IPC objects have a security label. Those that do not can be accessed only by trusted or privileged started tasks.
MLS(FAILURES) | Use this option to prevent users from downgrading data by writing it to a lower security label, unless they have activated write-down mode.
MLSTABLE | Use this option to prevent authorized users from changing profiles in the SECLABEL class with the RALTER command, or from changing the SECLABEL field in profiles, while the system is not quiesced.
NOMLQUIET | Run with the NOMLQUIET option set for normal operations. Set the MLQUIET option temporarily when you need to change profiles in the SECLABEL class or change the SECLABEL field in profiles.
PROTECTALL(FAILURES) | Use this option to ensure that a user can create or access a data set only if the data set is RACF-protected.
SECLABELAUDIT | Use this option to log access attempts to resources that have a security label assigned, and access attempts by users who have a security label assigned. The profile in the SECLABEL class that defines a security label specifies the auditing that is done.
SECLABELCONTROL | Use this option to prevent users who do not have the RACF SPECIAL attribute from changing profiles in the SECLABEL class using the RALTER command, or from changing the SECLABEL field of profiles.
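The following job is an added example, not part of the original page or of IBM's documentation. It runs the SETROPTS commands for the Table 1 options from a batch TSO session (IKJEFT01) so that the activation is repeatable and the resulting option settings are captured in the job output, then issues SETROPTS LIST to verify them. The job-card values are placeholders, the submitting user is assumed to hold the RACF SPECIAL attribute, and the prerequisites that the page defers to Activating multilevel security (in particular, that security labels are defined and the SECLABEL class is active) are assumed to be already in place. NOCOMPATMODE is included because Table 3 lists COMPATMODE as not recommended; the optional Table 2 settings (MLNAMES, SECLBYSYSTEM) are deliberately left at their current values.

```jcl
//RACFMLS  JOB (ACCT),'MLS SETROPTS',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*------------------------------------------------------------------
//* Constructed example: activate the SETROPTS options that Table 1
//* lists for a multilevel-secure system. Job-card values are
//* placeholders. Assumes the submitter has the SPECIAL attribute and
//* that security labels and the SECLABEL class are already set up.
//*------------------------------------------------------------------
//SETOPTS  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 SETROPTS CATDSNS(FAILURES) PROTECTALL(FAILURES) ERASE(ALL)
 SETROPTS GENERICOWNER
 SETROPTS JES(BATCHALLRACF,XBMALLRACF)
 SETROPTS MLS(FAILURES) MLFSOBJ(ACTIVE) MLIPCOBJ(ACTIVE)
 SETROPTS SECLABELCONTROL SECLABELAUDIT
 SETROPTS NOCOMPATMODE
 SETROPTS MLACTIVE(FAILURES)
 SETROPTS MLSTABLE NOMLQUIET
 SETROPTS LIST
/*
```

MLACTIVE(FAILURES) is issued after the other enforcement options because, once it is in effect, access to an unlabeled resource in the affected classes fails rather than being warned about. IKJEFT01 continues to the next command when one fails and does not reflect command failures in the step return code, so review each SETROPTS response in SYSTSPRT and compare the SETROPTS LIST output against Table 1 rather than relying on the job completion code. When a SECLABEL profile later needs changing while MLSTABLE is active, the same pattern applies: a short job that issues SETROPTS MLQUIET, makes the change, and issues SETROPTS NOMLQUIET again, as the NOMLQUIET row of Table 1 describes.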
The following options control the use of security labels, and are optional in a multilevel-secure environment.

Table 2. SETROPTS options that are optional in a multilevel-secure environment

SETROPTS option | Description
MLNAMES | Use this option to activate the name-hiding function. The name-hiding function can degrade system performance because it requires authorization checks for every object for which a non-SPECIAL user attempts to list the name. You should balance the performance impact against the possibility of exposing sensitive information in the names of data sets, files, and directories on your system to decide whether you want to activate the MLNAMES option.
SECLBYSYSTEM | Use this option to activate the use of system-specific security labels. The SECLBYSYSTEM option can sometimes cause unexpected results from authorization checks, because the security labels used on different systems in a sysplex are not consistent. (For examples, see Shared file system environment and system-specific security labels.) Activate this option only if you need to run work on specific systems in a sysplex based on security classification.
The following options control the use of security labels, and are not recommended in a multilevel-secure environment.

Table 3. SETROPTS options that are not recommended in a multilevel-secure environment

SETROPTS option | Description
COMPATMODE | This option allows a user to access a resource if the user is authorized to use a security label that would allow the access, regardless of whether the user is using that security label at the time of the authorization check.
For information about the SETROPTS options that control the use of security labels, see SETROPTS options that control the use of security labels. For information about setting these options, see Activating multilevel security. For information about SETROPTS options in general, see z/OS Security Server RACF Security Administrator's Guide. For information about the SETROPTS command, see z/OS Security Server RACF Command Language Reference.