
List:       racf-l
Subject:    Re: Recommendations for class FSSEC - RACLIST and LOGOPTIONS
From:       "Robert S. Hansel (RSH)" <R.Hansel () RSHCONSULTING ! COM>
Date:       2011-04-30 10:06:14
Message-ID: NCBBLKNFEEPHCAAMOFKLMEPNMJAA.R.Hansel () RSHConsulting ! com

Jim,

Classes DIRACC, DIRSRCH, and FSOBJ, as well as PROCESS, PROCACT, and IPCOBJ,
exist solely to govern auditing of related Unix events via SETROPTS AUDIT
and LOGOPTIONS. They are not meant to be active, nor do they exist to
contain profiles. Their active status is immaterial as to whether they apply
to you. This used to be true for FSSEC as well, but that changed when it
became necessary to activate the class to enable the use of Extended ACLs.

With respect to LOGOPTIONS, I recommend setting FSSEC to ALWAYS and all the
others to at least FAILURES. See article "Auditors: Verify LOGOPTIONS are
set to log z/OS Unix events" in the January 2010 issue of our RACF Tips
newsletter (available on our website).

Setting these classes to LOGOPTIONS NEVER might improve performance, but
doing so would deny you security monitoring information for most Unix access
events and violations. (The activity of a user with UAUDIT would still get
logged.) Whoever wrote this INSIGHT paper you mention was clueless as to the
needs of security. It's like telling you to set LOGOPTIONS NEVER on the
DATASET class. Following their advice would probably put you out of
compliance with whatever regulatory requirements apply to your organization.

As for SETROPTS AUDIT, I prefer turning this on for all these same classes.
However, doing so will generate SMF records for the following, which you may
or may not feel is necessary to collect.
FSOBJ    Creations and deletions of USS file system objects
IPCOBJ   Creations and deletions of USS objects (e.g., semaphores)
PROCESS  Dubbing and undubbing of a process

If your organization is at the point where they need to sacrifice security
to get the performance they need, perhaps they should instead consider IBM
(Install Bigger Machine).

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com

---------------------------------------------------------------------
2011 RACF Training
- Audit for Results   - Boston - OCT 25-27
- Intro & Basic Admin - Boston - MAY 10-12
- Intro & Basic Admin - Boston - OCT 11-13
- Securing z/OS UNIX  - WebEx  - JUL 19-21

Visit our website for registration & details
---------------------------------------------------------------------

-----Original Message-----
Date:    Fri, 29 Apr 2011 08:34:48 -0400
From:    "Tyree, Jim" <Jim.Tyree@DOIT.NH.GOV>
Subject: Re: Recommendations for class FSSEC - RACLIST and LOGOPTIONS

Our current settings are:

Active classes:    FSSEC  (but NOT DIRACC, DIRSRCH, or FSOBJ)

Audit classes:     None of these four classes

LOGOPTIONS "DEFAULT":  FSSEC


I like the suggestion to change the FSSEC option to always.  But it
sounds as if the other recommendations in the "INSIGHT" paper do not
happen to apply to our shop.

Thanks very much,


Jim



-----Original Message-----
From: RACF Discussion List [mailto:RACF-L@LISTSERV.UGA.EDU] On Behalf Of
Bruce Wells
Sent: Wednesday, April 27, 2011 12:24 PM
To: RACF-L@LISTSERV.UGA.EDU
Subject: Re: Recommendations for class FSSEC - RACLIST and LOGOPTIONS

RACF Discussion List <RACF-L@listserv.uga.edu> wrote on 04/27/2011
11:40:32 AM:

>
> Someone forwarded a paper presented at "INSIGHT" (whatever that is) that
> reported vastly improved performance for ZFS (and therefore WebSphere)
> by changing RACF settings for classes DIRACC, DIRSRCH, FSOBJ, and FSSEC.
>
> The suggested changes were:
>
> AUDIT to NONE, LOGOPTIONS to NEVER, and RACLIST all classes.
>
> Setting AUDIT to NONE makes sense to me, but:
>
> Q1: My current LOGOPTION for class FSSEC is "DEFAULT".  I think
> "DEFAULT" means use the option from the profile for the resource.  But
> since FSSEC does not have profiles, what does LOGOPTION "DEFAULT" vs.
> "NONE" mean for this class?
>
> Q2: Since there aren't any profiles in these classes, does RACLIST or
> not RACLIST mean anything?
>

I agree with everything Hayim posted separately.

In addition, you are right about FSSEC in that there are no corresponding
file-level settings.  Furthermore, logging FSSEC should not affect
performance like logging file accesses would.  In fact, I recommend ALWAYS
logging FSSEC since that gives you information about changes to the
security information about files.  Generally, people log that sort of
thing for changes to RACF profiles.

I would take this a step at a time.  You didn't tell us what your current
settings are; only the suggested changes.  Certainly, if you are logging
ALWAYS for DIRSRCH, you'll want to change that to FAILURES first and see
what benefit that yields before jumping to NEVER.  Then move on to FSOBJ
and DIRACC.
Keep in mind that if you change to NEVER, you will not get ICH408I
messages which can be useful in debugging file access problems (e.g.
someone who should have been granted access was denied access).


Regards,
      Bruce R. Wells, CISSP
      z/OS Security Server Design and Development
      Phone: Tie 8-295-7498  External: (845) 435-7498
      Internet: brwells@us.ibm.com
      Poughkeepsie, NY  USA
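An added example, not part of this thread or of any RACF tooling: a small Python checker that reads the LOGOPTIONS and AUDIT lines of SETROPTS LIST output and flags the z/OS UNIX audit classes that fall below the advice given above (FSSEC at ALWAYS, the others at least FAILURES, NEVER never). The sample text is constructed and its line format is an assumption about how SETROPTS LIST prints these settings.

```python
import re

# The classes the thread discusses; they hold no profiles and exist for auditing.
UNIX_AUDIT_CLASSES = ("FSSEC", "DIRACC", "DIRSRCH", "FSOBJ",
                      "PROCESS", "PROCACT", "IPCOBJ")
# Ordering of LOGOPTIONS values by how much they log. DEFAULT is ranked
# low because these classes have no profiles for DEFAULT to defer to.
RANK = {"NEVER": 0, "DEFAULT": 1, "SUCCESSES": 1, "FAILURES": 2, "ALWAYS": 3}

# Constructed sample shaped like SETROPTS LIST output (assumed format,
# not captured from a real system).
SAMPLE = """\
AUDIT CLASSES = DATASET USER GROUP FSSEC
LOGOPTIONS "ALWAYS" CLASSES = NONE
LOGOPTIONS "NEVER" CLASSES = DIRSRCH
LOGOPTIONS "SUCCESSES" CLASSES = NONE
LOGOPTIONS "FAILURES" CLASSES = DIRACC FSOBJ
LOGOPTIONS "DEFAULT" CLASSES = FSSEC PROCESS PROCACT IPCOBJ DATASET
"""

def parse_logoptions(text):
    """Return {class: LOGOPTIONS value} for every class named on a LOGOPTIONS line."""
    found = {}
    for m in re.finditer(r'LOGOPTIONS\s+"(\w+)"\s+CLASSES\s*=\s*(.*)', text):
        for cls in m.group(2).split():
            if cls != "NONE":
                found[cls] = m.group(1)
    return found

def parse_audit(text):
    """Return the set of classes listed under SETROPTS AUDIT."""
    m = re.search(r'^AUDIT CLASSES\s*=\s*(.*)$', text, re.M)
    return set(m.group(1).split()) if m else set()

def logoptions_findings(text):
    """(class, current, wanted) for each UNIX audit class logging less than advised."""
    current = parse_logoptions(text)
    out = []
    for cls in UNIX_AUDIT_CLASSES:
        have = current.get(cls, "DEFAULT")   # unlisted classes sit at DEFAULT
        want = "ALWAYS" if cls == "FSSEC" else "FAILURES"
        if RANK[have] < RANK[want]:
            out.append((cls, have, want))
    return out

def audit_gaps(text):
    """UNIX audit classes not under SETROPTS AUDIT (optional per the thread)."""
    return [c for c in UNIX_AUDIT_CLASSES if c not in parse_audit(text)]

if __name__ == "__main__":
    for cls, have, want in logoptions_findings(SAMPLE):
        print(f"{cls}: LOGOPTIONS {have}, recommended {want}")
    print("not in SETROPTS AUDIT:", " ".join(audit_gaps(SAMPLE)))
```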