Mainframe Basics for Security Professionals: Getting Started with RACF

Book Description

Leverage Your Security Expertise in IBM® System z™ Mainframe Environments

For over 40 years, the IBM mainframe has been the backbone of the world’s largest enterprises. If you’re coming to the IBM System z mainframe platform from UNIX®, Linux®, or Windows®, you need practical guidance on leveraging its unique security capabilities. Now, IBM experts have written the first authoritative book on mainframe security specifically designed to build on your experience in other environments.

Even if you’ve never logged onto a mainframe before, this book will teach you how to run today’s z/OS® operating system command line and ISPF toolset and use them to efficiently perform every significant security administration task. Don’t have a mainframe available for practice? The book contains step-by-step videos walking you through dozens of key techniques. Simply log in and register your book at www.ibmpressbooks.com/register to gain access to these videos.

The authors illuminate the mainframe’s security model and call special attention to z/OS security techniques that differ from UNIX, Linux, and Windows. They thoroughly introduce IBM’s powerful Resource Access Control Facility (RACF) security subsystem and demonstrate how mainframe security integrates into your enterprise-wide IT security infrastructure. If you’re an experienced system administrator or security professional, there’s no faster way to extend your expertise into “big iron” environments.


Coverage includes

  • Mainframe basics: logging on, allocating and editing data sets, running JCL jobs, using UNIX System Services, and accessing documentation

  • Creating, modifying, and deleting users and groups

  • Protecting data sets, UNIX file system files, databases, transactions, and other resources

  • Manipulating profiles and managing permissions

  • Configuring the mainframe to log security events, filter them appropriately, and create usable reports

  • Using auditing tools to capture static configuration data and dynamic events, identify weaknesses, and remedy them

  • Creating limited-authority administrators: how, when, and why

Table of Contents

    1. Copyright
      1. Dedication
    2. IBM Press
      1. Rational and Software Development
      2. Computing
      3. Information Management
      4. WebSphere
      5. Lotus
      6. Open Source
      7. Business Strategy & Management
    3. Foreword
    4. Preface
    5. Acknowledgments
    6. About the Authors
    7. 1. Introduction to the Mainframe
      1. 1.1. Why Use a Mainframe?
        1. 1.1.1. A Little History
        2. 1.1.2. Why Are Mainframes Different?
        3. 1.1.3. Mainframe vs. Client/Server
      2. 1.2. Getting Started
        1. 1.2.1. What You Will Need
        2. 1.2.2. Logging in to the Mainframe
        3. 1.2.3. “Hello, World” from TSO
      3. 1.3. Job Control Language (JCL)
        1. 1.3.1. Introduction to JCL
        2. 1.3.2. Data Sets
        3. 1.3.3. Using ISPF to Create and Run Batch Jobs
          1. 1.3.3.1. Data Set Creation
          2. 1.3.3.2. Editing Data Set Members
        4. 1.3.4. JCL Syntax
        5. 1.3.5. Viewing the Job Output
          1. 1.3.5.1. Filtering Jobs
      4. 1.4. z/OS UNIX System Services
      5. 1.5. Getting Help
        1. 1.5.1. Context-Sensitive Help
          1. 1.5.1.1. TSO
          2. 1.5.1.2. ISPF
          3. 1.5.1.3. OMVS
        2. 1.5.2. The Manuals
      6. 1.6. Additional Information
    8. 2. Users and Groups
      1. 2.1. Creating a User
      2. 2.2. How to Modify a User for OMVS Access
        1. 2.2.1. Modifying the User
        2. 2.2.2. Creating the OMVS Home Directory (and Modifying Users from TSO)
        3. 2.2.3. Verifying MYUSER Has OMVS Access
      3. 2.3. Groups
        1. 2.3.1. Searching Groups
        2. 2.3.2. Displaying a Group
        3. 2.3.3. Connecting Users to a Group
      4. 2.4. zSecure
      5. 2.5. Additional Information
    9. 3. Protecting Data Sets and Other Resources
      1. 3.1. Protecting Data Sets
        1. 3.1.1. Default Permissions
        2. 3.1.2. Access Control List Permissions
        3. 3.1.3. Project Groups and Generic Profiles
      2. 3.2. Other Resources
        1. 3.2.1. Gathering Information
        2. 3.2.2. Activating UNIXPRIV
        3. 3.2.3. Delegating chown Privileges
        4. 3.2.4. Verifying the Change
        5. 3.2.5. Deleting Resource Profiles
      3. 3.3. Security Data (Levels, Categories, and Labels)
        1. 3.3.1. Defining the Policy
          1. 3.3.1.1. Security Levels
          2. 3.3.1.2. Categories
        2. 3.3.2. Assigning Security Levels and Categories
        3. 3.3.3. Security Labels (SECLABELs)
      4. 3.4. Securing UNIX System Services (USS) Files
      5. 3.5. zSecure
      6. 3.6. Additional Information
    10. 4. Logging
      1. 4.1. Configuring Logging
        1. 4.1.1. SMF Configuration
        2. 4.1.2. RACF Configuration
      2. 4.2. Generating Reports
        1. 4.2.1. Unloading Log Data to Sequential Text Files
        2. 4.2.2. Understanding Sequential Reports
        3. 4.2.3. Generating Reports with ICETOOL
        4. 4.2.4. Other Types of Reports
      3. 4.3. UNIX System Services (USS) Logging
        1. 4.3.1. Classes for USS Logging
        2. 4.3.2. SMF Settings for USS
        3. 4.3.3. Specifying Logging in USS
        4. 4.3.4. Viewing the USS Log Records
      4. 4.4. Logging in zSecure
      5. 4.5. Additional Information
    11. 5. Auditing
      1. 5.1. Auditing
      2. 5.2. The RACF Data Security Monitor (DSMON)
        1. 5.2.1. Running DSMON
        2. 5.2.2. The System Report
        3. 5.2.3. The Program Properties Table Report
        4. 5.2.4. The RACF Authorized Caller Table (ICHAUTAB) Report
        5. 5.2.5. The RACF Exits Report
        6. 5.2.6. The Selected User Attribute Report
        7. 5.2.7. The Selected Data Sets Report
      3. 5.3. The Set RACF Options (SETROPTS) Command
      4. 5.4. The RACF Database Unload Utility (IRRDBU00)
        1. 5.4.1. Removing IDs with IRRRID00
      5. 5.5. The RACF Health Checks
        1. 5.5.1. RACF_SENSITIVE_RESOURCES
        2. 5.5.2. RACF_IBMUSER_REVOKED
        3. 5.5.3. RACF Classes Active Health Checks
      6. 5.6. zSecure Auditing
      7. 5.7. Additional Information
    12. 6. Limited-Authority RACF Administrators
      1. 6.1. Profiles Owned by Users
      2. 6.2. Group-Owned Profiles and Group Authorities
        1. 6.2.1. The group-AUDITOR Authority
        2. 6.2.2. The group-SPECIAL Authority
        3. 6.2.3. The group-OPERATIONS Authority
      3. 6.3. System-Level Authorities
      4. 6.4. Manipulating Users
        1. 6.4.1. Creating Users
          1. 6.4.1.1. Permitting MYUSER Access to the TSO Segment
          2. 6.4.1.2. Creating the New TSO Segment
        2. 6.4.2. Manipulating Users
      5. 6.5. Additional Information
    13. 7. Mainframes in the Enterprise-Wide Security Infrastructure
      1. 7.1. What Is an Enterprise?
        1. 7.1.1. Enterprise Components
        2. 7.1.2. Security across Enterprise Components
        3. 7.1.3. Communication Protocols
      2. 7.2. Enterprise Security Administration
        1. 7.2.1. Authentication and Authorization
        2. 7.2.2. Credential Propagation and Transformation
      3. 7.3. Communicating between Enterprises—and Beyond
      4. 7.4. Additional Information