subject:"RACF Stop\/Start\?"

Re: RACF Stop/Start?

2005-09-26 Thread Hal Merritt

I have found that it is generally a waste of time trying to guess what
an auditor really wants to know. That is, it is not a reasonable
assumption that the auditor has phrased the question correctly. It has
been productive to keep asking for more details. Work with the auditor
to develop a question that satisfies his/her objectives and helps you to
craft a high quality answer. 

For example, the root question might really be: "Can RACF be disabled by
operator command?".  

HTH. 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Debbie Mitchell
Sent: Monday, September 26, 2005 3:08 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Re: RACF Stop/Start?

Perhaps they mean the %STOP command (substitue your own command
character 
for %) isn't protected?


Debbie

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-26 Thread Debbie Mitchell

Perhaps they mean the %STOP command (substitue your own command character 
for %) isn't protected?


Debbie

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-26 Thread Hal Merritt

Short answer: no. Nor does the auditor. I would advise management to
keep that in mind as they evaluated any 'findings'. 

HTH and good luck. 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Irwin M. Deutsch
Sent: Tuesday, September 13, 2005 2:12 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: RACF Stop/Start?

Hi,

Our auditor has asked  why have not protected the command to 'stop'
racf.
Neither I nor our MVS gurus know of such an animal. I found some STOP
for
RRSF in System Command manual, but that's just some part of RACF.

Any ideas on what our auditor is talking about?

Thanks,

Irwin Deutsch
AIG Sunamerica
(DB2/CICS guy tinkering with RACF)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-14 Thread Walt Farrell


On 9/14/2005 9:30 AM, McKown, John wrote:

The RACF disaster was about 2 months ago. If I had not had a backup RACF
database (only 1 day old), and no alternate system (I had both), it
would have been a SEV 1 to recover. But with an alternate RACF database,
it was a simple RVARY command to switch to the valid (but slightly out
of date) RACF db.


I'm curious how you managed to "destroy" both your active primary and 
active backup RACF databases, such that a simple RVARY SWITCH did not 
suffice to get you out of trouble.


Walt Farrell, CISSP
z/OS Security Design, IBM

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-14 Thread McKown, John

> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of Leonard Woren
> Sent: Tuesday, September 13, 2005 10:08 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: Re: RACF Stop/Start?
> 
> 
> On Tue, Sep 13, 2005 at 02:24:59PM -0500, McKown, John 
> ([EMAIL PROTECTED]) wrote:
> > Your auditor is likely used to an ACF2 or TopSecret shop. 
> If the ACF2 or
> > TSS started task is not running, then your security system 
> is down and
> > things are nasty (I've done that too, I'm old and made many mistakes
> > over the years). RACF does not have this vulnerability.
> 
> Seriously, that's a feature, not a "vulnerability".  Trying to fix
> things when your RACF db is broken is damn near impossible.  Trying
> to fix things when your ACF2 db is broken is just really aggravating.
> There's a 2 orders of magnitude difference there.
> 
> Caveat:  The above is based on my experience with having been in both
> situations, but long ago.  However, I have not heard anything since
> which would lead me to believe that anything has changed.
> 
> With ACF2, you can stop the address space, fix the db, restart the
> address space and you're running normally again.  Can this be done
> with RACF?  With ACF2, you can stop it and restart immediately 
> pointing to an alternate db with a different name on a different
> volume.  Can you do this with RACF?
> 
> 
> /Leonard

I did that. I've destroyed both an ACF2 database and a RACF database.
Clever, aren't I? The ACF2 problem was like 20 years ago and was not too
difficult to repair. Just a pain to reply to all the WTOR messages (no
automation way back then at that shop).

The RACF disaster was about 2 months ago. If I had not had a backup RACF
database (only 1 day old), and no alternate system (I had both), it
would have been a SEV 1 to recover. But with an alternate RACF database,
it was a simple RVARY command to switch to the valid (but slightly out
of date) RACF db.

I may be the RACF "person" here, but I am woefully ignorant of it. And I
don't really have time to learn. Not to mention bureaucratic inertia.
And the "mainframe is not worth the time" attitude.

--
John McKown
Senior Systems Programmer
UICI Insurance Center
Information Technology

This message (including any attachments) contains confidential
information intended for a specific individual and purpose, and its'
content is protected by law.  If you are not the intended recipient, you
should delete this message and are hereby notified that any disclosure,
copying, or distribution of this transmission, or taking any action
based on it, is strictly prohibited.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-14 Thread Thomas Conley

- Original Message - 
From: "Leonard Woren" <[EMAIL PROTECTED]>

Newsgroups: bit.listserv.ibm-main
Sent: Tuesday, September 13, 2005 11:08 PM
Subject: Re: RACF Stop/Start?

With ACF2, you can stop the address space, fix the db, restart the
address space and you're running normally again.  Can this be done
with RACF?  With ACF2, you can stop it and restart immediately 
pointing to an alternate db with a different name on a different

volume.  Can you do this with RACF?

Leonard,

Yes to both.  You just need to know how to use the RVARY command.

Regards,
Tom Conley

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-14 Thread Shmuel Metz (Seymour J.)

In <[EMAIL PROTECTED]>,
on 09/13/2005
   at 12:12 PM, "Irwin M. Deutsch" <[EMAIL PROTECTED]> said:

>Our auditor has asked  why have not protected the command to 'stop'
>racf.

Why am I not surprised?

>Any ideas on what our auditor is talking about?

Well, I doubt that the auditor has any idea of what the auditor is
talking about. There may be address spaces associated with RACF that
you can stop, e.g., RACF, RRSF, but stopping those will *not* stop
RACF itself.

That said, you probably should have a profile to protect the STOP
command, and you should certainly manage the password for RVARY in a
cautious fashion.

A knowledgeable auditor is a joy forever. An untrained auditor is a
millstone around your neck.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see  
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-14 Thread Walt Farrell


On 9/13/2005 11:08 PM, Leonard Woren wrote:

On Tue, Sep 13, 2005 at 02:24:59PM -0500, McKown, John ([EMAIL PROTECTED]) 
wrote:


Your auditor is likely used to an ACF2 or TopSecret shop. If the ACF2 or
TSS started task is not running, then your security system is down and
things are nasty (I've done that too, I'm old and made many mistakes
over the years). RACF does not have this vulnerability.



Seriously, that's a feature, not a "vulnerability".  Trying to fix
things when your RACF db is broken is damn near impossible.  Trying
to fix things when your ACF2 db is broken is just really aggravating.
There's a 2 orders of magnitude difference there.

Caveat:  The above is based on my experience with having been in both
situations, but long ago.  However, I have not heard anything since
which would lead me to believe that anything has changed.

With ACF2, you can stop the address space, fix the db, restart the
address space and you're running normally again.  Can this be done
with RACF?  


With RACF you generally don't have to "stop" anything.  If the primary 
has suffered a failure, you have a backup and can simply RVARY SWITCH 
(possibly after also doing a V xxx,OFFLINE,FORCE if necessary to box the 
device the primary is on).


Or, if the administrator has hosed things up with an ill-advised command 
you can RVARY INACTIVE, which puts you into failsoft, and the 
administrator or system programmer can restore a recent backup.  Then 
RVARY ACTIVE and you're going again.


In -my- experience, such problems are exceedingly rare, but relatively 
simple to cope with, if you have a good strategy in place (active 
primary/backup DBs, and good backups (nightly, if possible).



With ACF2, you can stop it and restart immediately 
pointing to an alternate db with a different name on a different

volume.  Can you do this with RACF?


You cannot point to a DB of a different name, but you can inactivate the 
current DB, rename another one to the same name, and reactivate it 
immediately.


You also have a backup DB that you an switch to with one command and 
possibly one operator reply.



Walt Farrell, CISSP
z/OS Security Design, IBM

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-14 Thread R.S.


Irwin M. Deutsch wrote:


Hi,

Our auditor has asked  why have not protected the command to 'stop' racf.
Neither I nor our MVS gurus know of such an animal. I found some STOP for
RRSF in System Command manual, but that's just some part of RACF.

Any ideas on what our auditor is talking about?


Idea #1.
Auditor has no idea also.

Idea #2.
STOP RACF address space.
Nothing related to security (holes).
RACF A/S is optional, can be started or stopped during normal operations.
This command can be protected using (AFAIR) RACF.STOP profile in OPERCMD 
class.


Idea #3.
He means stop RACF.
No such stop.

Idea #4.
He means RVARY INACTIVE.
RVARY command is *not protected* by any profile, it is protected by 
password. After RVARY WTOR is issued, operator have to reply with 
password or NO word.



--
Radoslaw Skorupka
Lodz, Poland

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-13 Thread Leonard Woren

On Tue, Sep 13, 2005 at 02:24:59PM -0500, McKown, John ([EMAIL PROTECTED]) 
wrote:
> Your auditor is likely used to an ACF2 or TopSecret shop. If the ACF2 or
> TSS started task is not running, then your security system is down and
> things are nasty (I've done that too, I'm old and made many mistakes
> over the years). RACF does not have this vulnerability.

Seriously, that's a feature, not a "vulnerability".  Trying to fix
things when your RACF db is broken is damn near impossible.  Trying
to fix things when your ACF2 db is broken is just really aggravating.
There's a 2 orders of magnitude difference there.

Caveat:  The above is based on my experience with having been in both
situations, but long ago.  However, I have not heard anything since
which would lead me to believe that anything has changed.

With ACF2, you can stop the address space, fix the db, restart the
address space and you're running normally again.  Can this be done
with RACF?  With ACF2, you can stop it and restart immediately 
pointing to an alternate db with a different name on a different
volume.  Can you do this with RACF?

/Leonard

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-13 Thread Shane Ginnane

Must be a recommendation in "DP Audit 101".
When I arrived at this site, that was the *only* command that was covered
by a profile.

Shane ...

>
> Our auditor has asked  why have not protected the command to 'stop' racf.
> Neither I nor our MVS gurus know of such an animal. I found some STOP for
> RRSF in System Command manual, but that's just some part of RACF.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

RACF Stop/Start?

2005-09-13 Thread Walter Marguccio

--- "Irwin M. Deutsch" <[EMAIL PROTECTED]> wrote:

> Hi,
> Our auditor has asked  why have not protected the command to 'stop'
> racf.  Neither I nor our MVS gurus know of such an animal. I found 
> some STOP for RRSF in System Command manual, but that's just some 
> part of RACF. Any ideas on what our auditor is talking about?

Irwin,
as part of our shutdown procedure for our z/OS, we do issue %STOP [1]
command to stop RACF. The RACF STC does end, but I must admit I've
never tried to see whether RACF functionality is also 'stopped'. After
all, we do this only during shutdown, I would *NEVER* do it during
normal operation.

Walter Marguccio

[1] Or whatever character you assigned to the RACF subsystem.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-13 Thread Edward E. Jaffe


Thomas Conley wrote:

... Even if you managed to "stop" RACF, it would go into "failsafe" 
mode, and every RACROUTE gets a WTOR to the console which must be 
verified by the system operator (you haven't lived until you hit 
"failsafe" mode, it takes like 10 minutes to log on to TSO ...



Only ten minutes?? It took me almost 45! After that, I wrote an MPF exit 
that unconditionally replies in the affirmative to each of those WTOs. 
Comes in might handy when needed!


--
-
| Edward E. Jaffe||
| Mgr, Research & Development| [EMAIL PROTECTED]|
| Phoenix Software International | Tel: (310) 338-0400 x318   |
| 5200 W Century Blvd, Suite 800 | Fax: (310) 338-0801|
| Los Angeles, CA 90045  | http://www.phoenixsoftware.com |
-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-13 Thread Thomas Conley

- Original Message - 
From: "Irwin M. Deutsch" <[EMAIL PROTECTED]>

Newsgroups: bit.listserv.ibm-main
Sent: Tuesday, September 13, 2005 3:12 PM
Subject: RACF Stop/Start?

Hi,

Our auditor has asked  why have not protected the command to 'stop' racf.
Neither I nor our MVS gurus know of such an animal. I found some STOP for
RRSF in System Command manual, but that's just some part of RACF.

Any ideas on what our auditor is talking about?

Irwin,

To put it politely, the auditor is speaking from the rectum (from the Latin 
"oratus rectumis").  It is not possible to stop RACF with a STOP command. 
An RVARY command can inactivate the RACF database, but you need a password 
to do that (shame on you if the password is still the default, use SETROPTS 
to fix that).  Even if you managed to "stop" RACF, it would go into 
"failsafe" mode, and every RACROUTE gets a WTOR to the console which must be 
verified by the system operator (you haven't lived until you hit "failsafe" 
mode, it takes like 10 minutes to log on to TSO ;-)  God save us from 
auditors who can't find it with both hands and a flashlight.

Regards,
Tom Conley 

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-13 Thread Edward E. Jaffe


Irwin M. Deutsch wrote:


Our auditor has asked  why have not protected the command to 'stop' racf.
Neither I nor our MVS gurus know of such an animal. I found some STOP for
RRSF in System Command manual, but that's just some part of RACF.

Any ideas on what our auditor is talking about?
 



I'm guess s/he is talking about the RVARY command.

--
-
| Edward E. Jaffe||
| Mgr, Research & Development| [EMAIL PROTECTED]|
| Phoenix Software International | Tel: (310) 338-0400 x318   |
| 5200 W Century Blvd, Suite 800 | Fax: (310) 338-0801|
| Los Angeles, CA 90045  | http://www.phoenixsoftware.com |
-

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-13 Thread Wayne Driscoll

I would guess that your auditor is assuming that the ability to stop the
RACF subsystem will stop the security system.  This is false.  Once a system
is IPL'd with RACF, it is extremely difficult to to stop RACF from
processing security calls, and even if RACF did go into "failsafe" mode, a
WTOR will be issued for most RACF calls, so the system will not be
processing normally.
Wayne Driscoll
Product Developer
Western Metal Supply
NOTE: All opinions are strictly my own.
 

-Original Message-
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf
Of Irwin M. Deutsch
Sent: Tuesday, September 13, 2005 2:12 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: RACF Stop/Start?

Hi,

Our auditor has asked  why have not protected the command to 'stop' racf.
Neither I nor our MVS gurus know of such an animal. I found some STOP for
RRSF in System Command manual, but that's just some part of RACF.

Any ideas on what our auditor is talking about?


Thanks,

Irwin Deutsch
AIG Sunamerica
(DB2/CICS guy tinkering with RACF)

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email
to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO Search the
archives at http://bama.ua.edu/archives/ibm-main.html

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-13 Thread McKown, John

> -Original Message-
> From: IBM Mainframe Discussion List 
> [mailto:[EMAIL PROTECTED] On Behalf Of Irwin M. Deutsch
> Sent: Tuesday, September 13, 2005 2:12 PM
> To: IBM-MAIN@BAMA.UA.EDU
> Subject: RACF Stop/Start?
> 
> 
> Hi,
> 
> Our auditor has asked  why have not protected the command to 
> 'stop' racf.
> Neither I nor our MVS gurus know of such an animal. I found 
> some STOP for
> RRSF in System Command manual, but that's just some part of RACF.
> 
> Any ideas on what our auditor is talking about?
> 
> 
> Thanks,
> 
> Irwin Deutsch
> AIG Sunamerica
> (DB2/CICS guy tinkering with RACF)

There is no way to stop RACF from doing its security work. Period. Well,
destroy the active RACF database will do it (been there, done that, not
fun!).

There can be a RACF started task. This started task has two functions.
The first is to allow a security administrator to logon to a z/OS
console and enter RACF command such as ALU, LU, etc as they would
normally do in TSO. The second is to act as an end-point for RRSF.

Your auditor is likely used to an ACF2 or TopSecret shop. If the ACF2 or
TSS started task is not running, then your security system is down and
things are nasty (I've done that too, I'm old and made many mistakes
over the years). RACF does not have this vulnerability.

--
John McKown
Senior Systems Programmer
UICI Insurance Center
Information Technology

This message (including any attachments) contains confidential
information intended for a specific individual and purpose, and its'
content is protected by law.  If you are not the intended recipient, you
should delete this message and are hereby notified that any disclosure,
copying, or distribution of this transmission, or taking any action
based on it, is strictly prohibited.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

2005-09-13 Thread Imbriale, Donald (Exchange)

The STOP command is discussed in the RACF System Programmer's Guide.

Don Imbriale

>-Original Message-
>From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf
>Of Irwin M. Deutsch
>Sent: Tuesday, September 13, 2005 3:12 PM
>To: IBM-MAIN@BAMA.UA.EDU
>Subject: RACF Stop/Start?
>
>Hi,
>
>Our auditor has asked  why have not protected the command to 'stop'
racf.
>Neither I nor our MVS gurus know of such an animal. I found some STOP
for
>RRSF in System Command manual, but that's just some part of RACF.
>
>Any ideas on what our auditor is talking about?
>
>


***
Bear Stearns is not responsible for any recommendation, solicitation, 
offer or agreement or any information about any transaction, customer 
account or account activity contained in this communication.
***

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

RACF Stop/Start?

2005-09-13 Thread Irwin M. Deutsch

Hi,

Our auditor has asked  why have not protected the command to 'stop' racf.
Neither I nor our MVS gurus know of such an animal. I found some STOP for
RRSF in System Command manual, but that's just some part of RACF.

Any ideas on what our auditor is talking about?


Thanks,

Irwin Deutsch
AIG Sunamerica
(DB2/CICS guy tinkering with RACF)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

Re: RACF Stop/Start?

RACF Stop/Start?

19 matches

Site Navigation

Mail list logo

Footer information