IBM Security zSecure, Version 2.2.0

Standard RACF command exits

The RACF System Programmer's Guide gives some examples of what the RACF® exits can be used for:
  • Controlling password quality
  • Restricting a SPECIAL user to resuming user IDs and resetting passwords
RACF exits are also used for other purposes. In some installations, they serve to:
  • Enforce a shorter password interval for selected users
  • Set auditing attributes for users with non-standard authorizations
  • Prevent changes to the UACC of data set profiles
  • Prevent addition of the user ID "*" to an access list

Password quality control can be done by comparing the new password against a list of forbidden words, or against the characters of the current password. Examples of the first test are keyboard patterns like QWERTY and LKJHGF, or month names like MARCH and APRIL. The second test can reject a new password that has more than 3 characters in the same position as the current password. For example, if the current password is QP10AL, the new password QP11AL is invalid because five of its six characters are unchanged and in the same position.
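The two tests above, as an added illustration in Python. This is not RACF's new-password exit (ICHPWX01, which is written in assembler) and not zSecure code; the forbidden-word list, the threshold constant and the case folding are assumptions of this example and would be site-specific in practice.

```python
"""Added example of two password-quality tests: a forbidden-word list
(keyboard patterns, month names) and a position-by-position comparison
of the new password with the current one.  Illustration only; not the
RACF new-password exit nor zSecure code."""

# Constructed sample list.  Three-letter month names are left out because
# substring matching on such short words rejects too many passwords.
FORBIDDEN_WORDS = sorted({
    "QWERTY", "ASDFGH", "LKJHGF", "PASSWORD", "SECRET",
    "JANUARY", "FEBRUARY", "MARCH", "APRIL", "JUNE", "JULY", "AUGUST",
    "SEPTEMBER", "OCTOBER", "NOVEMBER", "DECEMBER",
})

# More than this many characters in the same position as the current
# password means the new password is too similar (the "more than 3" rule).
MAX_SAME_POSITION = 3


def same_position_count(new_pw, old_pw):
    """Count positions where new and current password hold the same character.
    Positions beyond the end of the shorter password are not compared."""
    return sum(1 for a, b in zip(new_pw, old_pw) if a == b)


def check_password(new_pw, old_pw=None):
    """Return None if new_pw passes both tests, otherwise a short reason.
    Comparison is case-insensitive here (assumption of this example, in
    line with RACF folding traditional passwords to uppercase unless
    mixed-case passwords are enabled)."""
    new_pw = new_pw.upper()
    # Test 1: forbidden words anywhere in the new password.
    for word in FORBIDDEN_WORDS:
        if word in new_pw:
            return f"contains forbidden word {word}"
    # Test 2: too close to the current password, e.g. QP10AL -> QP11AL.
    if old_pw is not None:
        if same_position_count(new_pw, old_pw.upper()) > MAX_SAME_POSITION:
            return "too many characters in the same position as current password"
    return None
```

In a real exit the same logic runs in assembler against the password fields passed by RACF; the value of writing it out here is to see that the second test needs the current password, which a forbidden-word list alone does not.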

The following description illustrates one of the more advanced uses of the RACF exits: an attempt to prevent changes to the UACC of data set profiles.

Preventing changes to the UACC of data set profiles involves several RACF exits. The first is the exit called for the special form of RACROUTE REQUEST=AUTH that the RACF commands use internally (the ICHRCX01 and ICHRCX02 exits). On its own, this exit is not enough; it must be combined with the RACF exit called for RACROUTE REQUEST=DEFINE (ICHRDX01 and ICHRDX02). Even this combination, however, is not foolproof against all the ways in which a user can influence the UACC setting of a data set profile.

These types of exits are insufficient to control all desired aspects of profiles. For this reason, RACF introduced a new exit point in OS/390® Release 3: the common command exit (IRREVX01), which is called before and after execution of most RACF commands. However, RACF places the following restrictions on this exit:

In addition, coding such an exit is not trivial, mainly because the command keywords are presented to the exit as one long character string. Parsing TSO command syntax, including parentheses and quoted strings, is a task that many people find complicated and error-prone. It is partly for this reason that zSecure™ Command Verifier is an effective way to implement additional security controls. Another advantage of zSecure Command Verifier is that no assembler or other programming skills are required: the installation policy rules are defined through policy profiles, and zSecure Command Verifier takes care of parsing, verification, error messages, and generation of the audit trail.
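To show what the parsing work described above involves, and how the two installation policies mentioned earlier (no UACC changes on data set profiles; no ID(*) on an access list) look once the command is parsed, here is an added example in Python. It is illustration code, not zSecure Command Verifier and not a RACF exit; the sample commands, the policy rules and the messages are constructed for the example. It handles quoted strings (with '' as an escaped quote) and nested parentheses, but does not expand abbreviated command or keyword names, which a real implementation must do.

```python
"""Added example: a small parser for RACF TSO command syntax plus two
assumed installation policy checks.  Illustration only; not zSecure
Command Verifier and not a RACF command exit."""
import re


def tokenize(cmd):
    """Split a command string into ("QUOTED", text), ("WORD", name) or
    ("KEYWORD", name, raw_value) tokens.  A doubled quote inside a quoted
    string stands for one quote; parenthesized values may nest."""
    tokens, i, n = [], 0, len(cmd)
    while i < n:
        c = cmd[i]
        if c.isspace():
            i += 1
        elif c == "'":
            buf, j = [], i + 1
            while True:
                if j >= n:
                    raise ValueError("unterminated quoted string")
                if cmd[j] == "'":
                    if j + 1 < n and cmd[j + 1] == "'":   # '' inside quotes
                        buf.append("'")
                        j += 2
                        continue
                    j += 1
                    break
                buf.append(cmd[j])
                j += 1
            tokens.append(("QUOTED", "".join(buf)))
            i = j
        else:
            j = i
            while j < n and not cmd[j].isspace() and cmd[j] != "(":
                j += 1
            word = cmd[i:j].upper()
            i = j
            if i < n and cmd[i] == "(":
                depth, j = 0, i
                while j < n:
                    if cmd[j] == "'":                     # quotes hide parentheses
                        j = cmd.find("'", j + 1)
                        if j < 0:
                            raise ValueError("unterminated quoted string")
                    elif cmd[j] == "(":
                        depth += 1
                    elif cmd[j] == ")":
                        depth -= 1
                        if depth == 0:
                            break
                    j += 1
                if depth != 0:
                    raise ValueError("unbalanced parentheses")
                tokens.append(("KEYWORD", word, cmd[i + 1:j]))
                i = j + 1
            else:
                tokens.append(("WORD", word))
    return tokens


def parse_racf_command(cmd):
    """Return (command name, quoted positional operands, keyword dict).
    Keyword values are split on blanks/commas into lists; a bare word such
    as GENERIC or DELETE is recorded as a flag with value True."""
    tokens = tokenize(cmd)
    if not tokens or tokens[0][0] != "WORD":
        raise ValueError("missing command name")
    name, positionals, keywords = tokens[0][1], [], {}
    for tok in tokens[1:]:
        if tok[0] == "QUOTED":
            positionals.append(tok[1])
        elif tok[0] == "WORD":
            keywords[tok[1]] = True
        else:
            keywords[tok[1]] = [v for v in re.split(r"[\s,]+", tok[2].strip()) if v]
    return name, positionals, keywords


def check_policy(cmd):
    """Return the list of policy violations for a command (empty = allowed).
    Both rules are assumed installation policy for this example."""
    name, positionals, keywords = parse_racf_command(cmd)
    violations = []
    target = positionals[0] if positionals else "?"
    uacc = keywords.get("UACC")
    # Rule 1: no UACC changes on data set profiles.  ALTDSD with UACC is
    # always a change; ADDSD may only create the profile with UACC(NONE).
    if name == "ALTDSD" and isinstance(uacc, list):
        violations.append(f"UACC change on data set profile {target} is not allowed")
    if name == "ADDSD" and isinstance(uacc, list) and [v.upper() for v in uacc] != ["NONE"]:
        violations.append(f"data set profile {target} must be created with UACC(NONE)")
    # Rule 2: the user ID "*" must not be added to an access list; removing
    # it (PERMIT ... DELETE) is still allowed.
    ids = keywords.get("ID")
    if name == "PERMIT" and isinstance(ids, list) and "*" in ids and keywords.get("DELETE") is not True:
        violations.append(f"ID(*) may not be added to the access list of {target}")
    return violations
```

Two things the parser makes visible: the UACC rule has to be applied to both the ADDSD and the ALTDSD command strings, because a profile can be created with the unwanted UACC as well as altered to it, and the ID(*) rule must look at the DELETE flag, or it blocks the very command that removes the entry.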
