Before you begin: You need to have:
- RACF® set up as your security product.
- Enabled RACF enhanced program security.
- Enabled BPX.MAINCHECK.
- Determined which privileged programs you run that are affected by setting up RACF enhanced program security. The RACF programs that would be affected are the main jobstep programs of one of the following types of privileged applications:
  - z/OS UNIX applications that require a program controlled environment. This includes applications that require permission to BPX.DAEMON, BPX.SERVER or BPX.SRV.userid, or those that use a privileged function like __passwd(). Examples of applications that would be affected by this are rlogin, telnet and su.
  - Applications that gain access to MVS™ data sets by using RACF program access to data sets (PADS) via entries in a DATASET profile's conditional access list.
Perform the following steps to set up ENHANCED program security mode.
- Turn on RACF ENHANCED program security mode. For more information about ENHANCED program security mode, see z/OS Security Server RACF Security Administrator's Guide.
_______________________________________________________________
- Ensure that all affected MAIN jobstep programs are in an MVS load library in your MVS load library search order. They should have either the sticky bit attribute turned on (see Verifying that the sticky bit is on) or have been set up as an external link z/OS UNIX file (see Using external links to access MVS load libraries). If you use the warning mode provided by RACF enhanced program security as a way to determine which programs will be affected by the new enhanced security checking, note that in warning mode the applications will not fail, but you will get messages that indicate which programs are affected.
_______________________________________________________________
- Define the BPX.MAINCHECK security profile:
  RDEFINE FACILITY BPX.MAINCHECK UACC(NONE)
_______________________________________________________________
- Re-IPL.
_______________________________________________________________
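One way to carry out these steps as a single batch job (RACF commands through IKJEFT01, the z/OS UNIX file check through BPXBATCH), as an added example that is not from the original page: the job name, account, and the program path /usr/sbin/mydaemon are placeholders, and the first pass uses ENHANCED-WARNING so that affected programs are only reported, matching the warning-mode guideline below.

```jcl
//ENHPGM   JOB (ACCT),'ENHANCED PGM SEC',CLASS=A,MSGCLASS=X
//*--------------------------------------------------------------
//* Added illustration of the steps above, not from the original
//* page. /usr/sbin/mydaemon is a placeholder for one of your
//* affected MAIN jobstep programs.
//*--------------------------------------------------------------
//* Step 1 and 3: turn on ENHANCED program security in warning
//* mode (affected programs produce messages instead of failing),
//* define BPX.MAINCHECK, and refresh the in-storage FACILITY
//* profiles (assumes the FACILITY class is RACLISTed, as usual).
//RACF1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS WHEN(PROGRAM(ENHANCED-WARNING))
  RDEFINE FACILITY BPX.MAINCHECK UACC(NONE)
  SETROPTS RACLIST(FACILITY) REFRESH
  SETROPTS LIST
  RLIST FACILITY BPX.MAINCHECK
/*
//* Step 2: confirm the z/OS UNIX file for the program is either a
//* sticky-bit file (mode ends in 't', e.g. -rwxr-xr-t) or an
//* external link (file type 'e'), so the load module is fetched
//* from an MVS load library in the search order.
//UNIX1    EXEC PGM=BPXBATCH,
//   PARM='SH ls -l /usr/sbin/mydaemon'
//STDOUT   DD SYSOUT=*
//STDERR   DD SYSOUT=*
//* Step 4: re-IPL. Only after at least one IPL in warning mode
//* with no messages for your daemons, switch to full checking:
//*   SETROPTS WHEN(PROGRAM(ENHANCED))
```

Review the SYSTSPRT output of SETROPTS LIST for the program security setting and the UNIX1 STDOUT for the 't' mode bit or 'e' file type before leaving warning mode.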
When you are done, you have set up enhanced program security.
Tips:
- You can partially activate enhanced program security by defining the profile before restarting OMVS or issuing a SET OMVS or SETOMVS command. However, only address spaces that are started after enhanced program security was enabled are affected. Use this partial enablement for testing purposes only.
- Because the new RACF enhanced security checking requires a completely controlled program environment, testing using dbx might be restricted because it can cause the program environment to be considered uncontrolled. Testing a trusted MAIN program under dbx might require that the RACF enhanced security checking be set up in warning mode or that BPX.MAINCHECK be undefined. Attempting to do otherwise might cause some privileged operations to fail while under dbx control.
Guideline: Remain in warning mode until you have done at least one IPL, to ensure that you have tested with all your daemons.