Re: Stopping DB2
Terry,

Walt really can't comment on RACF controlling DB2 commands. The issue is that RACF can only answer those questions that are asked of it. Prior to Version 8, DB2 didn't ask RACF if the issuer of the command is authorized, so RACF never came into the picture.

Wayne Driscoll
Product Developer
JME Software LLC
NOTE: All opinions are strictly my own.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Terry Sambrooks
Sent: Thursday, May 25, 2006 7:49 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Stopping DB2

Hi Radoslaw,

As mentioned previously RACF is not used within SDSF at present, so the message issued with the illegal /-DB8G STOP DDF was:

ISF015I SDSF COMMAND ATTEMPTED '-DB8G STOP DDF

I am not saying that the method used is the best method for inhibiting the illicit use of commands, as I simply do not know. My system is not a production system but one of the IBM supplied development systems. In that respect many of the additional command inhibit requirements you cite are not applicable. The only other method I know that is active is that JES2 has batch command processing set to ignore, to block commands in the input stream as much as possible.

It would be useful to receive a comment from Walt Farrell in respect of RACF control of DB2 start/stop processing.

Kind regards - Terry

Terry Sambrooks
Director
KMS-IT Limited
228 Abbeydale Road South
Dore
Sheffield
S17 3LA
UK
Tel: +44 (0)114 262 0933
WEB: www.legac-e.co.uk
     www.kmsitltd.co.uk
Reg: England & Wales 3767263 at the above address

All outgoing E-mails are scanned but it remains the recipient's responsibility to ensure that their system is protected from viruses, trojans, worms, and spy-ware.
--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
Re: Stopping DB2
Hi Radoslaw,

As mentioned previously RACF is not used within SDSF at present, so the message issued with the illegal /-DB8G STOP DDF was:

ISF015I SDSF COMMAND ATTEMPTED '-DB8G STOP DDF

I am not saying that the method used is the best method for inhibiting the illicit use of commands, as I simply do not know. My system is not a production system but one of the IBM supplied development systems. In that respect many of the additional command inhibit requirements you cite are not applicable. The only other method I know that is active is that JES2 has batch command processing set to ignore, to block commands in the input stream as much as possible.

It would be useful to receive a comment from Walt Farrell in respect of RACF control of DB2 start/stop processing.

Kind regards - Terry

Terry Sambrooks
Director
KMS-IT Limited
228 Abbeydale Road South
Dore
Sheffield
S17 3LA
UK
Tel: +44 (0)114 262 0933
WEB: www.legac-e.co.uk
     www.kmsitltd.co.uk
Reg: England & Wales 3767263 at the above address

All outgoing E-mails are scanned but it remains the recipient's responsibility to ensure that their system is protected from viruses, trojans, worms, and spy-ware.
Re: Stopping DB2
Terry Sambrooks wrote:
> Hi Radoslaw,
>
> In your post in response to Wayne, you wrote ".But seriously: I have business reasons to allow some folks to issue DISPLAY (and some MODIFY) commands. I can filter the commands very precisely, for example I can allow to F CICSA, but not CICSB. However *every* person having such (limited) access is also able to blow up our DB2 subsystem."
>
> This situation is not the case on my z/OS 1.6 System. I recently opened Display authority within SDSF to allow certain users to display the status of various network components. If I log on to one of these userids and type /-DB8G STOP DDF the command is rejected by SDSF as being an authorised attempt.

What message is issued when the user tries to do it ? Any ICH408I ? Do you have any command exit ? Is it controlled only by the SDSF parm member ?

> Whilst I accept that attempting to stop DDF rather than DB2 in its entirety is not quite the same, the point is that SDSF stopped the command, whilst it did allow /D SMF. I haven't got any users authorised to issue the modify command so I cannot comment specifically at that higher level of authority, but certainly Display, at least on my system, does not give authority to close DB2.
>
> As a point of interest I also have a VTAM application which issues various shutdown commands, and whilst it can close some tasks either via Cancel or Stop, it cannot close DB2 at present as its command is declared unauthorised.
>
> My system also has a simplistic approach in this area in that RACF is not, as far as I know, exploited from an SDSF perspective, it is only the SDSF Parm member which controls security.

Can you share your parm member ?

BTW: in that case you should also protect every other "command interface", like // COMMAND in JCL, TSO COMMAND, NetView, SMSC consoles, MCS consoles, etc. "Protect" here means "totally disallow" or "trust selected users".

Regards
--
Radoslaw Skorupka
Lodz, Poland
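The two points made in this thread, that a security manager can only decide on the commands a command processor actually asks it about (Wayne's reply above), and that a filter in one front end such as the SDSF parm member leaves every other command interface unprotected (Radoslaw's list just above), can be shown with a small model. The Python below is an added example written for this page; it is not RACF, SDSF or DB2 code. The profile names, user IDs, the "-DB8G" routing and the SDSF-style prefix filter are all constructed; the resource names only borrow the OPERCMDS naming style and the "most specific profile wins" rule is a simplification of how a real security manager matches profiles.

```python
"""Constructed model of operator-command authorization on a z/OS-like system.

Illustrative Python, not RACF, SDSF or DB2 code. It models two things:
a security manager can only decide on commands it is asked about, and a
front-end filter covers only the entry point it sits in front of.
"""
from fnmatch import fnmatchcase

# Constructed profiles in the style of OPERCMDS resource names.
# pattern -> set of user IDs permitted (all names invented for this example).
PROFILES = {
    "MVS.DISPLAY.SMF": {"OPER1", "OPER2"},
    "MVS.DISPLAY.*": {"OPER2"},
    "MVS.MODIFY.JOB.CICSA": {"OPER1"},
    "DB8G.STOP.*": set(),  # nobody is permitted to stop any part of DB2
}


def security_manager_check(user, resource):
    """RACF-like decision (simplified): the most specific matching profile
    decides; if no profile covers the resource, access is denied."""
    matches = [p for p in PROFILES if fnmatchcase(resource, p)]
    if not matches:
        return False
    best = max(matches, key=lambda p: (p.count("*") == 0, len(p)))
    return user in PROFILES[best]


def resource_for(command):
    """Map a command to (processor, resource name).

    A leading '-xxxx' token is treated as a subsystem command prefix that
    routes to the DB2 model (constructed convention). Other verbs go to the
    MVS command processor model.
    """
    parts = command.split()
    if parts[0].startswith("-"):
        prefix = parts[0][1:].upper()
        target = parts[2].upper() if len(parts) > 2 else "DB2"
        return "DB2", "%s.%s.%s" % (prefix, parts[1].upper(), target)
    verb = {"D": "DISPLAY", "DISPLAY": "DISPLAY", "F": "MODIFY",
            "MODIFY": "MODIFY", "P": "STOP", "STOP": "STOP"}[parts[0].upper()]
    operand = parts[1].upper() if len(parts) > 1 else ""
    if verb == "DISPLAY":
        return "MVS", "MVS.DISPLAY." + operand
    return "MVS", "MVS.%s.JOB.%s" % (verb, operand.split(",")[0])


def mvs_command_processor(user, command):
    """MVS asks the security manager before running the command."""
    _, resource = resource_for(command)
    return security_manager_check(user, resource)


def db2_pre_v8(user, command):
    """Pre-V8 behaviour as described in the thread: the subsystem never
    calls the security manager, so anyone who reaches it can issue -STOP."""
    return True


def db2_with_check(user, command):
    """Hardened subsystem: same command, but the security manager is asked."""
    _, resource = resource_for(command)
    return security_manager_check(user, resource)


# Constructed stand-in for an SDSF parm-member filter: block subsystem
# commands (those starting with a recognition character) at the front end.
SDSF_BLOCKED_PREFIXES = ("-",)


def issue(user, command, via, db2=db2_pre_v8):
    """Issue a command through an entry point ('SDSF', 'CONSOLE' or 'JCL').

    Returns (accepted, reason). Only SDSF applies the front-end filter; the
    console and // COMMAND in JCL hand the command straight to the processor.
    """
    if via == "SDSF" and command.startswith(SDSF_BLOCKED_PREFIXES):
        return False, "filtered by SDSF front end (parm member)"
    processor, _ = resource_for(command)
    handler = mvs_command_processor if processor == "MVS" else db2
    ok = handler(user, command)
    return ok, "accepted" if ok else "rejected by security manager"


def audit(db2=db2_pre_v8):
    """Run the thread's scenarios for OPER1 and return {(user, cmd, via): accepted}."""
    cases = [
        ("OPER1", "D SMF", "SDSF"),
        ("OPER1", "D IPLINFO", "SDSF"),
        ("OPER1", "F CICSA,SHUTDOWN", "SDSF"),
        ("OPER1", "F CICSB,SHUTDOWN", "SDSF"),
        ("OPER1", "-DB8G STOP DB2", "SDSF"),
        ("OPER1", "-DB8G STOP DB2", "JCL"),
    ]
    return {(u, c, v): issue(u, c, v, db2)[0] for u, c, v in cases}


if __name__ == "__main__":
    for label, model in (("pre-V8 DB2", db2_pre_v8), ("DB2 asks RACF", db2_with_check)):
        print(label)
        for (user, cmd, via), ok in audit(model).items():
            print("  %-5s %-18s via %-4s -> %s" % (user, cmd, via, "accepted" if ok else "rejected"))
```

Running the block shows the gap Radoslaw describes: with the pre-V8 model, OPER1 is correctly limited to D SMF and F CICSA (D IPLINFO and F CICSB are refused because the MVS processor asked), the SDSF filter stops -DB8G STOP DB2 at that one front end, yet the same command submitted via JCL is accepted because the subsystem never consulted the security manager. Only swapping in the subsystem that asks (db2_with_check) closes every entry point at once, which is why the fix has to live in the command processor rather than in a front-end filter.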
Re: Stopping DB2 (was SMP/E SMPWRK* vs. SDB)
Wayne Driscoll wrote:
> Radoslaw,
> There is a simple solution to resolving the -stop db2 issue. Don't allow people who have no business accessing a console, be it via a real console, an EMCS console (including SDSF) or any other approach.

Wayne, it is a joke, yes ?

Otherwise: I'm aware that I can disallow people to use any console. I can also disallow them to use any mainframe connection, and - if there is no business case - I can switch off the mainframe - in that case everything will be very secure. We call it "binary security". You have access to all or nothing. Simple rule.

But seriously: I have business reasons to allow some folks to issue DISPLAY (and some MODIFY) commands. I can filter the commands very precisely, for example I can allow to F CICSA, but not CICSB. However *every* person having such (limited) access is also able to blow up our DB2 subsystem.

Regards
--
Radoslaw Skorupka
Lodz, Poland
Stopping DB2 (was SMP/E SMPWRK* vs. SDB)
Radoslaw,

There is a simple solution to resolving the -stop db2 issue. Don't allow people who have no business accessing a console, be it via a real console, an EMCS console (including SDSF) or any other approach.

Wayne Driscoll
Product Developer
JME Software LLC
NOTE: All opinions are strictly my own.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of R.S.
Sent: Wednesday, May 24, 2006 11:16 AM
To: IBM-MAIN@bama.ua.edu
Subject: Re: SMP/E SMPWRK* vs. SDB

Ray Mullins wrote:
>>-----Original Message-----
>>From: IBM Mainframe Discussion List
>>[mailto:[EMAIL PROTECTED] On Behalf Of R.S.
>>Sent: Wednesday May 24 2006 00:10
>>
>>I think it's typical for IBM. Examples:
>
>>2. DB2 doesn't (wasn't) check RACF profile when started/closed.
>>Effect:
>>everybody (who can issue operator commands) can kill DB2. The same
>>person can be strictly controlled when i.e. using DISPLAY command, he
>>could be authorized to D SMF, but not D IPLINFO. But not -dsn STOP
>>DB2.
>
> This sort of makes sense, though, if you think about how the command
> is being processed. [...]

No, it doesn't. I know more or less how it's being processed. Simply I don't care. I bought z/OS, RACF and DB2 from the same company. It's not safe (disclaimer: I was told it's fixed in v8). For example JES commands are processed in a similar way, but RACF protected. OK, I don't insist on RACF, let it be internally (in DB2) protected, via some GRANT. But it's not. It's open for everyone.

>>3. IND$FILE also uses BLKSIZE of 3200/6160.
>>There are more examples like the above.
>
> At one time, the linkage editor was very touchy about block sizes >
> 3200 unless you played games with PARM SIZE= and REGION.

Yes, at one time. 20 years ago ? Is there anything to add here ?

Regards
--
Radoslaw Skorupka
Lodz, Poland