CARLa can also be used to set a verified security baseline for your z/OS and RACF environment and automatically track changes to that verified baseline. This baseline is crucial in tracking changes to your critical, sensitive settings, and security definitions.

The following example shows how to track changes to the verified baseline of user IDs that hold the RACF system-wide SPECIAL attribute. The known and verified RACF system-wide SPECIAL user IDs are filtered out by using an “EXCLUDE” statement, so the report lists only user IDs that are not part of the baseline. Suppose that a new member of staff joins the RACF administration team and the security manager approves assigning this staff member the RACF system-wide SPECIAL attribute. In that case, you must add another “EXCLUDE” statement for the new RACF administrator’s user ID.

You can also code a single EXCLUDE statement that holds the list of all known system-wide SPECIAL user IDs. For example, the statement:
exclude key=(IBMUSER, JPEASE, INST001, INST002, INST003)
also works. Alternatively, if all or most RACF administrators have user IDs that start with an identical prefix, you can use a “mask=” operand in your EXCLUDE statement.

Exercise:

Attempt running this report by using the following user IDs as excluded user IDs: <TSOCP01-20, INST001-0005, IBMUSER>. Does the report show any remaining unexpected administrators?

Using a similar conceptual approach, you can also build baseline reports based on who possesses OPERATIONS, AUDITOR, UAUDIT, PRIVILEGED, TRUSTED, REVOKE, RESTRICTED, and/or PROTECTED attributes.
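
The baseline approach described above, written out as an added CARLa example (it is not the course's own sample). The EXCLUDE key list is the one quoted on this page; the SELECT and SORTLIST lines, the choice of AUDITOR for the second report, and the RADM* prefix are assumptions made for illustration.

```carla
/* Added example: baseline report of system-wide SPECIAL users.    */
/* Verified administrators are excluded, so every user ID that is  */
/* still listed is a change against the verified baseline.         */
newlist type=racf
  select class=user segment=base special
  exclude key=(IBMUSER, JPEASE, INST001, INST002, INST003)
  sortlist key(8) owner

/* Same method for the AUDITOR attribute. Here the verified        */
/* user IDs are assumed to share the constructed prefix RADM,      */
/* so one mask replaces the explicit key list.                     */
newlist type=racf
  select class=user segment=base auditor
  exclude mask=RADM*
  sortlist key(8) owner
```

An empty report means that the current set of privileged user IDs matches the verified baseline; any line that appears needs either an approved new EXCLUDE entry or an investigation.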

Alternative baseline reports can be built by using the same or similar methodology for checking, for example:

 

 


 

© Copyright IBM Corp. 2012, 2020