RACF Security in a UNIX System Services Environment

Virtual Classroom Environment dates - click to book!

UK Start Times

USA/Canada Start Times

What do I need?

• webcam
• headphones with microphone
• sufficient bandwidth, at least 1.5 Mb/s in each direction.

What you will learn

On successful completion of this course you will be able to:

• describe the necessary requirements to implement a secure UNIX System Services environment
• create users with OMVS segments and their resources
• administer directory and file access using permission bits, ACLs and RACF classes
• list the RACF UNIX System Services General Resource Classes for Security
• move around the UNIX System Services environment
• use UNIX System Services commands with regards to security
• use file systems and ACLs
• recognise and understand USS error messages with regards to security
• understand the security implications for Daemons and Servers
• understand the use of superuser and UID(0)
• recognise the tasks needed to audit USS Security events.

Who Should Attend

he course is suitable for all Security Administrators and Systems Programmers working in a z/OS UNIX System Services environment.

Prerequisites

Attendees should have a clear understanding of z/OS at a conceptual level and have an understanding of RACF that can be gained by attending the course RACF Administration & Auditing. A familiarity with UNIX System Services and a knowledge of TSO/ISPF and JCL is also required.

Duration

2 days

Fee (per attendee)

£1335 (ex VAT)

This includes free online 24/7 access to course notes.

Hard copy course notes are available on request from rsmshop@rsm.co.uk

at £50.00 plus carriage per set.

Course Code

RAUX

Contents

Introduction to USS Features and Services

What are 'Open Systems'?; z/OS USS; Benefits of USS; z/OS USS components; z/OS UNIX interfaces; HFS; SAF for z/OS UNIX; USS security with RACF; UNIX internals overview; The Kernel; LOADxx and the IPL process; Load Unit Address,The LOAD parameter - dddxxsn,The LOADxx member; The UNIX support in z/OS; Displaying OMVS processes; USS z/OS packaging; z/OS and USS comparative functions; Terminal and workstation support; Special TSO/E commands; Controlling z/OS UNIX - BPXPRMxx parmlib member; Displaying OMVS information; ulimit - a (shell command); New ISPF panels; The Shell; USS functions; Processes and fork(); fork() and shared storage; spawn() function; Inter-Process Communications functions; Memory mapped files; Threads; Daemon processes; The UNIX file system; The system files - /etc, /dev, /bin and others; Display File systems; Security classification; Multilevel security; Security labels; Security levels; Security categories; Dominance and equivalence.

Practical exercise on each student's exclusive z/OS system.

Users & Groups

UNIX user definition; Users & Groups ; User & Group Profiles; RACF User/Group profile extensions; UNIX identity with USP; RACF commands for Users; RACF commands for Groups; System Resource limits; OMVS segment - additions; The SEARCH command; Security administration; SURROGAT class; Surrogate authority; FIELD Level access checking; Using the FIELD class; Security for OMVS.

Practical exercise on each student's exclusive z/OS system.

Superusers & UID/GID Management

User definition - superuser; BPX.SUPERUSER; Switch to superuser mode; Superuser granularity; UNIPRIV resource names; UNIPRIV class; Managing UIDs; Prevention of shared UIDs; Shared UIDs; Search enhancement to map UID & GID; Automatic UID/GID assignment: The Started Task Table; Using ICHRIN03; Using the STARTED class; Trusted and Privileged.

Practical exercise on each student's exclusive z/OS system.

Application Identity Mapping

Application Identity Mapping.

z/OS UNIX File and Function Security

Directories & files; UNIX file security; Protecting directories & files; Access levels; The File Security Packet (FSP); Reading File Permissions; Basic - file authorisation checking; File Permission - examples; Protecting files; chmod command examples; chown command - change file owner; chmod - change file mode (permissions); Protecting files; File authorisation checking with UNIXPRIV; RESTRICTED attribute; Default file permissions & umask; List file & directory information; Interpreting ICH4081 messages; Interpreting BPX messages; Interpreting other messages; Facility Class , FACILITY class profiles, FSACCESS class, FSEXEC class.

Practical exercise on each student's exclusive z/OS system.

Access Control Lists (ACLs)

Access Control Lists (ACLs); Three Types of ACL; Two types of Access ACL - base ; Two types of Access ACL - extended; Permission Bits & ACLs; Authority to create ACLs; The getfacl & setfacl commands; getfacl; setfacl; Managing ACLs; getfacl - no ACLs; getfacl - display ACLs for directory; ACL examples; setfacl - change permission bits; ACL inheritance; Directory default ACLs; File default ACLs; getfacl - display all ACLs; UNIXPRIV & ACLs; Authorisation checking - summary; Recommendations.

Practical exercise on each student's exclusive z/OS system.

Security for Daemons & Servers

UNIX level security for daemons; RACF profiles for daemon security; Server overview; UNIX level security for servers; RACF profiles for server security; Recommendations; Maintaining a clean program environment; Program profiles and libraries; File extended attributes and authorities; Protecting with BPX profiles.

Practical exercise on each student's exclusive z/OS system.

Auditing UNIX System Services Security Events

What can be audited; New RACF classes; RACF commands to implement; SMF records; UNIX commands to audit file access; File Security Packet (FSP); UNIX commands to implement auditing; List file & directory information; Setting the auditing option in the FSP; Auditing the superuser; FSP reporting - HFS Unload; Health Checkers.

Practical exercise on each student's exclusive z/OS system.