RACF - Securing z/OS UNIX

This course is essential for anyone who intends to assume responsibility for maintaining z/OS Unix controls or wants to verify their z/OS Unix environment is properly secured and monitored. Participants will gain a solid understanding of z/OS Unix and how it can be secured in a system protected by RACF. The course will explore the assignment of user UID and group GID Unix identities and offer best practices for managing them. Powerful Daemon and Superuser authorities will be discussed along with guidance on their assignment and alternatives offered by UNIXPRIV profiles. Considerable time and attention will be devoted to file and directory access controls. Participants will learn how permission bits and Extended Access Control Lists (ACLs) grant access as well as how UNIXPRIV profiles influence access authorization. Techniques and best practices for granting permissions will be provided. The course includes descriptions and lab exercises for all commands used for administering permissions.

• RACF Administrators and Analysts who want to take control of z/OS Unix security
• IT Auditors seeking to ensure regulatory compliance
• Systems Programmers who provide Unix and RACF technical support or implement system controls

Completion of an introductory RACF Administration course, or equivalent RACF experience.

On completing this course, students will have learned:

• Security-related z/OS Unix configuration options
• How z/OS Unix UIDs and GIDs are assigned
• Ways to grant full and limited Superuser authority
• Controlling Daemons and Servers
• How file and directory access is permitted
• Effective use of UNIXPRIV profiles
• Best practices for using permission bits and ACLs
• Ensuring security access events are logged

Introduction to z/OS Unix
Overview, background, & functions
OMVS Procedure & BPXPRMxx parameters
Unix File System
/etc Configuration Files
Security Levels

Users & Groups
Introduction to Unix UIDs and GIDs
OMVS user and group profile segments
User Security Packet (USP)
Real, Effective, & Saved UID
Supplemental GIDs
Automatic ID assignment
Preventing duplicate UID assignment
Default User - BPX.DEFAULT.USER
Surrogate authority

High Level Authorities
Daemons
Servers
Superuser
PRIVILEGED & TRUSTED Started Tasks
FACILITY class BPX profiles & authorities
UNIXPRIV class profiles and authorities

Program Controls & Attributes
Maintaining a clean program environment
Program profiles & libraries
File extended attributes & authorities

File System Security
Physical & Logical File System
Navigating the directory structure
File Security Packet (FSP)
RACF's role in file access authorization
Setuid and Setgid
Listing the FSP
Superuser, Owner, Group, & Other authority
Permissions bits
Extended Access Control Lists (ACLs)
Access permit levels
UNIXPRIV class profiles affecting authorization
Access authorization logic

Monitoring & Logging
User auditing
File and directory audit bits
UNIXPRIV profile auditing
SETROPTS AUDIT & LOGOPTIONS settings
SMF options & other factors affecting auditing
Reporting tools - SMF unload & RACFICE

Other Control Issues
FACILITY & FIELD class administration profiles
Identity Mapping - UNIXMAP & AIM
Performance Tuning