This documentation and any related computer software help programs (hereinafter referred to as the "Documentation") are for your informational purposes only and are subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be used or disclosed by you except as may be permitted in a separate confidentiality agreement between you and CA. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. 
The use of any software product referenced in the Documentation is governed by the applicable license agreement and is not modified in any way by the terms of this notice. The manufacturer of this Documentation is CA. Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors. Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
CA Product References
This document references the following CA products:
- CA ACF2 for z/OS (CA ACF2 for z/OS)
- CA Common Services for z/OS (CCS)
- CA Cleanup for ACF2 (CA Cleanup)
Contact CA
Contact Technical Support
For your convenience, CA provides one site where you can access the information you need for your Home Office, Small Business, and Enterprise CA products. At http://ca.com/support, you can access the following:
- Online and telephone contact information for technical assistance and customer services
- Information about user communities and forums
- Product and documentation downloads
- CA Support policies and guidelines
- Other helpful resources appropriate for your product

Provide Feedback
If you have comments or questions about CA product documentation, you can send a message to techpubs@ca.com. If you would like to provide feedback about CA product documentation, complete our short customer survey, which is also available on the CA Support website, found at http://ca.com/docs.

Best Practices Guide Process
These best practices represent years of product experience, much of which is based on customer experience reported through interviews with development, technical support, and technical services. Therefore, many of these best practices are truly a collaborative effort stemming from customer feedback. To continue and build on this process, we encourage users to share common themes of product use that might benefit other users. Please consider sharing your best practices with us.
To share your best practices, contact us at techpubs@ca.com and preface your email subject line with "Best Practices for product name" so that we can easily identify and categorize them.
Contents
Chapter 1: Introduction 7
  Purpose of this Guide 7
  Audience 7
  Documentation Set Overview 7
  Mainframe 2.0 Overview 8
  Mainframe 2.0 Features 9

Installation Considerations 11
  CA Mainframe Software Manager 11
  DB2 Subsystems Protection 12
  CAIENF DB2 Component of CA Common Services 12

CA ACF2 Option for DB2 Configuration 15
  The OPTIONS Record 15
  The EXITS Record 16
CA ACF2 for z/OS Configuration 17
  CA ACF2 for z/OS OPTS Record 17
  CA ACF2 for z/OS Exit Considerations 17
  CA ACF2 for z/OS INFODIR Record 18
Removal of Obsolete Security 19
  Obsolete User Definitions and Entitlements 20
  Obsolete Configuration Options 20
  Expired and Unused User IDs and Entitlements 20
Convert Native DB2 Security Information 21

Auditability Considerations 23
  Global Logging Controls 23
  User-Based Controls 24
  Entitlement-Based Controls 25
Compliance Auditing 26
Regular and Audit Regimen Using CA Auditor 27

Index 29
Chapter 1: Introduction
This section contains the following topics:
- Purpose of this Guide (see page 7)
- Audience (see page 7)
- Documentation Set Overview (see page 7)
- Mainframe 2.0 Overview (see page 8)
- Mainframe 2.0 Features (see page 9)
Audience
The intended audience of this guide is systems programmers and administrators who install, configure, deploy, and maintain CA ACF2 Option for DB2.
Best Practices Management
Integrates with IBM Health Checker for z/OS to verify that deployed software follows our best practices. The health checks continually monitor the system and software to provide feedback on whether the software continues to be configured optimally.

Best Practices Guide
Provides best practices for product installation and configuration.

Note: For additional information about the CA Mainframe 2.0 initiative, see http://ca.com/mainframe2.
Installation Considerations
We recommend an installation process using a standardized set of libraries and procedures.
Business Value: This process simplifies and standardizes the installation process so that it is reliable and repeatable. These standardized libraries typically begin with the CAI high-level qualifier. We have optimized installation and maintenance procedures to support these standard data set names. CA ACF2 Option for DB2 is installed and maintained using SMP/E.
Additional Considerations: We now offer an easy-to-install Electronic Software Delivery (ESD) program. You can download product and maintenance releases over the Internet directly to your system from http://ca.com/support. When you order the product, you receive the authorizations and instructions to access, download, and prepare the installation files without the need for a physical tape.

CA MSM lets you download product and maintenance releases over the Internet directly to your system from http://ca.com/support. After you use CA MSM to download your product or maintenance, you use the same interface to install the downloaded software packages using SMP/E.
Additional Considerations: After you install the product, use the CA ACF2 Option for DB2 documentation set at http://ca.com/support to configure your product. CA MSM can continue to help you maintain your product.
More Information: For more information about CA MSM, see the CA Mainframe Software Manager Guide. For more information about product setup, see the CA ACF2 Option for DB2 Getting Started Guide. Both documents are available at http://ca.com/support.
Business Value: If the CAIENF DB2 component is not initialized, CA ACF2 Option for DB2 will not initialize in any DB2 subsystem, and DB2 will revert to using whatever native DB2 security controls are still intact.
Business Value: As CA ACF2 for z/OS has evolved, we have added exit functionality to the base product, typically using new options, security records, privileges, and so on. Because CA ACF2 Option for DB2 leverages the security controls of CA ACF2 for z/OS, any exits specified in the CA ACF2 for z/OS base product can affect the access decision CA ACF2 for z/OS returns to any DB2 access authorization request; therefore, examine any CA ACF2 for z/OS exit line by line to identify specifically the role of each exit.
Additional Considerations: We also suggest that you consider the following:
- Carefully control CA ACF2 for z/OS exit code and the libraries used to hold the source and executable code, and implement stringent change control restrictions to ensure that all changes are properly tracked and audited.
- Implement strict security and change management controls to ensure that only properly certified changes are allowed to occur.
The freezer function of CA Auditor is an excellent method of helping to automatically monitor these critical data sets.
The GSO INFODIR records control the memory-based sharing of CA ACF2 Option for DB2 resource rules. Using the GSO INFODIR records, you define which specific CA ACF2 for z/OS resource types are to have directories built into common storage. Generally ECSA is used for these directories, although this can be overridden by settings in the GSO RULEOPTS record. When you define the GSO INFODIR records, you specify what objects are to be placed into storage: the directory only, or the directory and the rules themselves. You have the following choices on how and whether to make the rules resident:
- Rules can be made resident (R) at CA ACF2 for z/OS initialization, in response to a REFRESH command, and in response to a REBUILD command. Use this option for most instances of resident resource rules for the following reasons:
  - It is more efficient for CA ACF2 for z/OS to acquire the storage once and load all of the rules into storage during initialization.
  - It alleviates possible future out-of-storage situations whereby a rule needed to secure a critical application function cannot be loaded because of a storage shortage, thus resulting in application unavailability.
  - It eliminates possible performance spikes that might arise if CA ACF2 for z/OS needed to periodically retrieve rule records from DASD to meet security demands.
- Rules can be brought in on demand (D), meaning that CA ACF2 for z/OS maintains in storage only those rule sets that are actually used. This option might be used for more infrequently used rules and lesser used applications.
- Rules can be brought into memory on a transient basis (T), meaning that CA ACF2 for z/OS loads them only when used and then releases them when the use is complete. Use this option only for the lightest-use systems that are not subject to service level agreements and other user constraints.
Additional Considerations: Expired, obsolete, and unused credentials and entitlements pose a large security risk and, for this reason, are the target of many contemporary compliance laws, requirements, and regulations. The PCI-DSS standard contains very specific language concerning the processing of expired or obsolete user credentials and entitlements. The v1.2 specification states that inactive accounts must be removed or disabled after 90 days.
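As an added example that is not part of this guide, the following Python script applies the 90-day inactivity rule to a constructed extract of logonid records; the extract layout, the parse_extract and stale_logonids names, and the SUSPEND column are assumptions (ACC-DATE is the ACF2 logonid field for last system access, but the real LIST output is laid out differently).

```python
"""Flag CA ACF2 logonids past a 90-day inactivity limit (PCI-DSS v1.2 rule).
Added example, not part of this guide: it parses a constructed, simplified
extract, not the real ACF2 LIST output, so adapt parse_extract() before use."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample extract. ACC-DATE is the ACF2 logonid field holding the
# date of last system access; the column layout and SUSPEND column are ours.
SAMPLE_EXTRACT = """\
LOGONID  ACC-DATE    SUSPEND
DBA01    2009-05-20  NO
BATCH07  2008-11-02  NO
TEMP123  NEVER       NO
OLDUSR   2009-01-10  YES
"""

@dataclass
class Logonid:
    name: str
    last_access: Optional[date]  # None: the logonid has never accessed the system
    suspended: bool

def parse_extract(text: str) -> List[Logonid]:
    """Parse the whitespace-separated extract, skipping the header line."""
    records = []
    for line in text.splitlines()[1:]:
        name, acc_date, suspend = line.split()
        last = None if acc_date == "NEVER" else date.fromisoformat(acc_date)
        records.append(Logonid(name, last, suspend.upper() == "YES"))
    return records

def stale_logonids(records: List[Logonid], as_of: date,
                   max_days: int = 90) -> List[Tuple[str, str]]:
    """Return (logonid, reason) for active logonids past the inactivity limit.
    Suspended logonids are already disabled and are not reported; a logonid that
    has never been used is reported regardless of age."""
    findings = []
    for rec in records:
        if rec.suspended:
            continue
        if rec.last_access is None:
            findings.append((rec.name, "never used"))
            continue
        idle = (as_of - rec.last_access).days
        if idle > max_days:
            findings.append((rec.name, f"inactive {idle} days"))
    return findings

if __name__ == "__main__":
    for name, reason in stale_logonids(parse_extract(SAMPLE_EXTRACT), date(2009, 6, 30)):
        print(f"{name}: {reason}")
```

Feed the findings to your change-controlled suspend/delete procedure rather than acting on them automatically, so that each disablement is itself auditable.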
Auditability Considerations
We recommend that you log data to fit your business needs, but we caution you to devise your logging plans with auditability and resource usage in mind.
Business Value: The security administrator, through entitlement-based controls and general security configuration options, controls the amount of logging on a system. The options that are set must reflect the business needs of the installation. Logging does affect performance; logging does cost in terms of processing path length, data repository size, and more. Consider this potential for overhead when deciding what logging controls to activate.
More Information: The following sections detail several logging controls and our recommendations on how to use them.

Additional Considerations: Examine the following GSO controls that affect logging at a global level:
- BLPPGM record
- CLASMAP record
- DELRSRC record
- LOGPGM record
- MLSOPTS record
- OPTS record
- PPGM record
- SECVOLS record
User-Based Controls
We recommend that you implement user-based controls for logging to generate log entries when CA ACF2 for z/OS uses the controls to determine what resources a user has accessed.
Business Value: This practice lets you track user and logonid activity.

Additional Considerations: You can log all system entry (logon, job) activity by using one of the following logonid record privileges:
- MON-LOG
- MONITOR
- PP-TRC
- P-TRCV
- TRACE
- TSO-TRC
- LOGSHIFT

Consider the role that special privileges play on an individual user level and their impact on logging. CA ACF2 for z/OS generates special log entries based on the following logonid privileges:
- SECURITY
- NON-CNCL
- PRIV-CTL (if this causes special privileges to be granted)
- READALL
- RULEVLD
Entitlement-Based Controls
When a CA ACF2 Option for DB2 resource rule is written, the security administrator has control over the specific circumstances in which logging records will be written. By default, CA ACF2 for z/OS logs failed access attempts or access attempts made under special circumstances, such as under security authority. We recommend detailed examination of the rule sets.
Business Value: Examination may reveal that some generated loggings are superfluous and can be eliminated without impacting system security or auditability.
Compliance Auditing
We recommend using CA Compliance Manager, which provides a single source for real-time, compliance-related information and events occurring within the mainframe environment.
Business Value: CA Compliance Manager lets you easily manage and audit your mainframe environment. It accomplishes this with continuous, real-time monitoring and collection of compliance and security-related information, policy alerting, and an intuitive reporting interface for compliance and security event reporting. It also gives you the comprehensive auditing tools that you need to prove your compliance to IT and risk-management auditors.
Additional Considerations: CA Compliance Manager consists of several components:
- The Change Monitor detects and records changes to external security manager (ESM) configurations, operating system security configuration, and selected PDS/PDSE data sets.
- The Data Warehouse stores information about mainframe security events in a relational repository that is accessible for compliance reporting, allowing complex reporting processes to be initiated. It also provides real-time access to current and historical security information for forensic analysis, going beyond the current reporting capabilities of security products.
- The Alert component provides real-time notification of potential security breaches indicated by changes in the security configuration and specific security events. Stakeholders can receive immediate notification of pertinent violations, user activity, and access or change activity to critical resources using email notification, Write To Operator (WTO), or help desk ticket creation.
- The Logger component writes information about mainframe security events to a dedicated z/OS log stream. A historical record of security events is maintained to address compliance and audit requirements and security forensics. This approach provides greater capability and is easier to use than standard log collection using SMF and file-based security journals.
- A web-enabled user interface provides summary and detailed reports that answer the audit question: who accessed what, from where, and when. For example, you can report on everything a specific user has accessed or everyone who accessed a resource due to a specific permission. From the web interface, you can also create the policy statements that control what events are captured and the actions to take.
More Information: For a complete description of this product, see the CA Compliance Manager Implementation Guide.
Maintaining the integrity of the z/OS system is necessary to maintain proper system and application functionality. Regular audits can also satisfy many common compliance regulations, laws, and requirements, such as Sarbanes-Oxley (SOX) and the Payment Card Industry-Data Security Standard (PCI-DSS).
Additional Considerations: As you devise your auditing regimen, consider the following points:
- The z/OS system is the foundation for the applications and data that run your business; therefore, if the z/OS system has integrity exposures, the associated applications have the same exposures.
- A sound security policy bolsters z/OS integrity. Similarly, a proper z/OS implementation supports your overall security, because a user could exploit any weakness to circumvent critical security controls and damage your applications.
Sound system integrity is the result of careful planning, well-defined procedures, proper security and change control mechanisms, and regular auditing to verify that users are following these procedures.
Index

A
access decisions 17
auditing your system 27

C
CA Auditor freezer function 16, 17
CA Cleanup 20
CA Common Services (CCS) 12
CAIENF DB2 component 12
CA Compliance Manager 26
conversion utility 21
credential monitoring 20

D
DASD-related overhead 18

E
entitlement monitoring 20
exits 16
  considerations 17

G
GSO records
  ABORT 17
  EXITS 16
  identify obsolete 20
  INFODIR 18
  MODE value 17
  OPTS record 17
  RULE 17
  RULEOPTS 18

I
Infostorage database 15, 16

L
logging data 23, 24, 25

M
Mainframe 2.0
  CA Mainframe Software Manager 11
  Electronic Software Delivery 11
  features 9
  overview 8

O
obsolete logonids 20

P
privileges
  DBADM privilege 15
  SYSADM 15

S
security controls 17
security entitlements 20
security processing 15, 16
SELECT access 15
subsystem protection 12