RACF Protection CONSOLE & OPERCMDS
CHIRUG ‐ November 2017
RSH CONSULTING, INC. RACF SPECIALISTS 617‐969‐9050 WWW.RSHCONSULTING.COM
RSH Consulting ‐ Robert S. Hansel
RSH Consulting, Inc. is an IT security professional services firm established in 1992 and dedicated to helping clients strengthen their IBM z/OS mainframe access controls by fully exploiting all the capabilities and latest innovations in RACF. RSH's services include RACF security reviews and audits, initial implementation of new controls, enhancement and remediation of existing controls, and training.
• www.rshconsulting.com • 617‐969‐9050
Robert S. Hansel is Lead RACF Specialist and founder of RSH Consulting, Inc. He began working with RACF in 1986 and has been a RACF administrator, manager, auditor, instructor, developer, and consultant. Mr. Hansel is especially skilled at redesigning and refining large‐scale implementations of RACF using role‐based access control concepts. He is a leading expert in securing z/OS Unix using RACF. Mr. Hansel has created elaborate automated tools to assist clients with RACF administration, database merging, identity management, and quality assurance.
• 617‐969‐8211 • [email protected] • www.linkedin.com/in/roberthansel • http://twitter.com/RSH_RACF
RACF Protection ‐ CONSOLE & OPERCMDS
© 2017 RSH Consulting, Inc. All Rights Reserved.
CHIRUG
2
November 2017
Topics
• Introduction and Basic Control Concepts
• Console Authority and Control
• Operator Command Protection
RACF, z/OS, DB2, and CICS are Trademarks of the International Business Machines Corporation
Basic Control Concepts
Operator commands are the commands used to manage the system, control running processes, and dynamically configure the system
Consoles (physical and logical) are the conduits through which operator commands are entered
The authority to execute operator commands is governed by:
• OPERCMDS profiles, or
• AUTH parameter on the console, which governs use when:
  • There is no protecting OPERCMDS profile, or
  • There is no RACF user logged on at a physical console
Console logons are governed by:
• LOGON parameter on the console as defined in PARMLIB(CONSOLxx), and
• CONSOLE profiles
Console's Role
Relay system messages to the operator
• System initialization (IPL) information
• Device status information
• Network status information
• Started task status information
• Application program status information
• Requests for replies
Relay operator commands to the system
Operator Command Functional Overview
Manage z/OS and its environment
• Manage the IPL
• Control and configure hardware
• Reply to messages
• Start, modify, and stop tasks
• Communicate with VTAM and TCPIP
• Control JES
• Shut down z/OS
Manage system software
• Load new LNKLST
• Refresh LNKLST
• Refresh VLF
• Change system PARMLIB concatenation
• Add and delete APF‐authorized libraries
• Activate and deactivate dynamic exits
• Set software parameters
Manage flow of work
• Start initiators
• Hold, release, and cancel jobs
• Hold and release output
• Assign forms
• Print and route output
• Purge jobs and output
Manage the network
• Establish connections
• Control lines
• Control VTAM applications
• Control nodes
• Start and stop remote devices
Operator Command Protection Mechanisms
• Physical control of access to console
• Console authorities
• JES2 HASPPARM authorities
• OPERCMDS profiles
• FACILITY CSV‐prefixed profiles
Consoles
MCS ‐ Multiple Console Support ‐ PARMLIB(CONSOLxx)
• Physical terminal channel attached to CPU; static device address (DEVNUM)
• SYSCONS ‐ System Console ‐ MCS console attached to the processor
SMCS ‐ System Network Architecture (SNA) MCS ‐ PARMLIB(CONSOLxx)
• Physical terminal connected via VTAM; static Logical Unit (LU) name
HMCS ‐ Hardware Management MCS ‐ PARMLIB(CONSOLxx)
• LAN connection to CPU
SUBSYSTEM ‐ PARMLIB(CONSOLxx)
• Used by authorized programs; static definition; generally replaced by EMCS
EMCS ‐ Extended MCS ‐ APF‐authorized program
• Defined dynamically using MCSOPER assembly macro
• Examples ‐ TSO CONSOLE command, SDSF, NetView, and homegrown programs
Hard Copy console ‐ PARMLIB(CONSOLxx)
• SYSLOG output
Consoles
[Figure: diagram of the paths by which commands reach z/OS and JES2. Feeding the CONSOLE address space: MCS console (I/O channel), processor‐attached MCS (SYSCON), SMCS (SNA via VTAM), HMCS (LAN), SUBSYSTEM started task, APF‐authorized program using the MCSOPER macro (EMCS), and the TSO CONSOLE or SDSF command (EMCS). Feeding the JES2 subsystem: the SUBMIT command from a TSO user, a started task or batch job writing to // DD SYSOUT=(,INTRDR), an RJE workstation, and NJE ($N).]
Consoles ‐ PARMLIB(CONSOLxx)
Statements and options
INIT
HARDCOPY DEVNUM( SYSLOG | OPERLOG )
DEFAULT LOGON( REQUIRED | OPTIONAL | AUTO )
CONSOLE DEVNUM( device | SUBSYSTEM | SYSCONS | SMCS | HMCS )
        NAME( console‐name )
        LOGON( REQUIRED | OPTIONAL | AUTO | DEFAULT )
        AUTH( INFO | [ SYS | IO | CONS ] | ALL | MASTER )
        TIMEOUT( 00 | nn )
Ref: z/OS MVS Initialization and Tuning Reference
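As an added example, not code from the RSH deck, the following Python script parses a CONSOLxx member written in the statement syntax above and applies the rule stated under Basic Control Concepts: when no RACF user is logged on at a physical console, the console's AUTH level alone decides which commands it may issue. It flags every CONSOLE whose effective LOGON setting is OPTIONAL while AUTH grants ALL or MASTER, and prints a corrected statement with LOGON(REQUIRED). The sample member, its device numbers, console names and settings are constructed; the fallbacks of LOGON(OPTIONAL) when the DEFAULT statement omits LOGON and AUTH(INFO) when a console omits AUTH are assumptions made for this script, and the tokenizer is a simplification that only understands KEYWORD and KEYWORD(value) forms with /* */ comments.

```python
"""Audit a PARMLIB(CONSOLxx) member for consoles that can issue ALL or MASTER
authority commands with nobody logged on.  Added example, not the deck's code."""
import re

STATEMENT_KEYWORDS = {"INIT", "DEFAULT", "HARDCOPY", "CONSOLE"}
HIGH_AUTH = {"MASTER", "ALL"}          # AUTH levels that permit every command

# Constructed sample member: device numbers, console names and settings are
# made up for this example.
SAMPLE_CONSOLXX = """
INIT    MLIM(1500) RLIM(10)
/* installation-wide default for consoles that do not code LOGON */
DEFAULT LOGON(OPTIONAL)
HARDCOPY DEVNUM(SYSLOG)
CONSOLE DEVNUM(0A01) NAME(MSTCON1)
        AUTH(MASTER) LOGON(REQUIRED)
CONSOLE DEVNUM(0A02) NAME(TAPECON)
        AUTH(IO) LOGON(DEFAULT)
CONSOLE DEVNUM(SMCS) NAME(REMOTE1)
        AUTH(ALL)                /* LOGON not coded: inherits DEFAULT */
CONSOLE DEVNUM(0A03) NAME(OLDCON)
        AUTH(MASTER) LOGON(OPTIONAL)
CONSOLE DEVNUM(0A04) NAME(HELPDESK)
        AUTH(INFO) LOGON(AUTO)
"""

# Simplified view of the member: a stream of KEYWORD or KEYWORD(value) tokens.
TOKEN_RE = re.compile(r"([A-Z0-9]+)(?:\(([^)]*)\))?")


def tokenize(text):
    """Strip /* */ comments and return (keyword, value) pairs, upper-cased."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return TOKEN_RE.findall(text.upper())


def parse_consolxx(text):
    """Group tokens into statements; each statement is a dict of its keywords."""
    statements, current = [], None
    for keyword, value in tokenize(text):
        if keyword in STATEMENT_KEYWORDS:
            current = {"statement": keyword}
            statements.append(current)
        elif current is not None:
            current[keyword] = value
    return statements


def effective_logon(console, default_logon):
    """LOGON(DEFAULT), or no LOGON keyword at all, takes the DEFAULT statement's value."""
    logon = console.get("LOGON", "DEFAULT")
    return default_logon if logon == "DEFAULT" else logon


def audit(text, assumed_default_logon="OPTIONAL"):
    """Return (name, auth, effective logon) for each console where no logon is
    required yet the AUTH level alone would allow ALL or MASTER commands."""
    statements = parse_consolxx(text)
    default_logon = assumed_default_logon      # assumption if DEFAULT omits LOGON
    for stmt in statements:
        if stmt["statement"] == "DEFAULT" and "LOGON" in stmt:
            default_logon = stmt["LOGON"]
    findings = []
    for stmt in statements:
        if stmt["statement"] != "CONSOLE":
            continue
        name = stmt.get("NAME", stmt.get("DEVNUM", "?"))
        auth = set(stmt.get("AUTH", "INFO").split(","))    # INFO assumed if absent
        logon = effective_logon(stmt, default_logon)
        # With LOGON(OPTIONAL) commands can be entered with no RACF user logged on,
        # so nothing but the console AUTH stands between an operator and the command.
        # REQUIRED and AUTO are not flagged: a logged-on user's OPERCMDS access applies.
        if auth & HIGH_AUTH and logon == "OPTIONAL":
            findings.append((name, ",".join(sorted(auth)), logon))
    return findings


def hardened_statement(console):
    """Rewrite a flagged CONSOLE statement with LOGON(REQUIRED) so that command
    authority is decided by the logged-on user's OPERCMDS access."""
    keys = [k for k in console if k not in ("statement", "LOGON")]
    options = " ".join(f"{k}({console[k]})" for k in keys)
    return f"CONSOLE {options} LOGON(REQUIRED)"


if __name__ == "__main__":
    flagged = audit(SAMPLE_CONSOLXX)
    flagged_names = {name for name, _, _ in flagged}
    for name, auth, logon in flagged:
        print(f"{name}: AUTH({auth}) with effective LOGON({logon})")
    for stmt in parse_consolxx(SAMPLE_CONSOLXX):
        if stmt["statement"] == "CONSOLE" and stmt.get("NAME") in flagged_names:
            print("  suggested:", hardened_statement(stmt))
```

Run against the constructed member it reports REMOTE1 (AUTH(ALL) inheriting the DEFAULT LOGON(OPTIONAL)) and OLDCON (AUTH(MASTER) with an explicit LOGON(OPTIONAL)); MSTCON1 is clean because LOGON(REQUIRED) routes every command through the logged-on user's OPERCMDS profiles. Pointing the script at a real member, or adding a check that every console name also has a CONSOLE class profile, extends the same idea.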