z/OS UNIX System Services Planning


Steps for setting up enhanced program security

GA32-0884-00

Before you begin, you need to have:
  1. Set up RACF® as your security product
  2. Enabled RACF enhanced program security
  3. Enabled BPX.MAINCHECK
  4. Determined which privileged programs you run that are affected by setting up RACF enhanced program security. The RACF programs that would be affected are the main jobstep programs of one of the following types of privileged applications:
    • z/OS UNIX applications that require a program controlled environment. This includes applications that require permission to BPX.DAEMON, BPX.SERVER or BPX.SRV.userid or those that use a privileged function like __passwd(). Examples of applications that would be affected by this are rlogin, telnet and su.
    • Applications that gain access to MVS™ data sets by using RACF program access to data sets (PADS) via entries in a DATASET profile's conditional access list.

Perform the following steps to set up ENHANCED program security mode.

  1. Turn on RACF ENHANCED program security mode. For more information about ENHANCED program security mode, see z/OS Security Server RACF Security Administrator's Guide.

  2. Ensure that all affected MAIN jobstep programs are in an MVS load library in your MVS load library search order. They should have either the sticky bit attribute turned on (see Verifying that the sticky bit is on) or have been set up as an external link z/OS UNIX file (see Using external links to access MVS load libraries).

    If you use the warning mode provided by RACF enhanced program security to determine which programs will be affected by the new enhanced security checking, note that in warning mode the applications do not fail; instead, you get messages that indicate which programs are affected.

  3. Define the BPX.MAINCHECK security profile.
    RDEFINE FACILITY BPX.MAINCHECK UACC(NONE)

  4. Re-IPL.

When you are done, you have set up enhanced program security.
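The RACF commands for steps 1 and 3, packaged as a batch TSO job so they can be run and logged in one place. This is an added example written for this page, not an IBM-supplied sample: the job card values (accounting information, CLASS, MSGCLASS) are placeholders for your site's own, and the RACLIST REFRESH assumes the FACILITY class is RACLISTed, which is the usual configuration. It starts in ENHANCED-WARNING mode rather than ENHANCED so that affected programs are reported but not failed, in line with the guideline below.

```jcl
//RACFENH  JOB (ACCT),'ENHANCED PGM SEC',CLASS=A,MSGCLASS=X
//* Assumed job card values: replace (ACCT), CLASS and MSGCLASS with
//* your installation's standards.
//* Step 1: switch RACF to ENHANCED-WARNING mode first. Programs that
//* would fail under ENHANCED mode are reported by message instead.
//* Step 3: define BPX.MAINCHECK with no universal access.
//* The REFRESH assumes FACILITY is RACLISTed (assumed, site-dependent).
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS WHEN(PROGRAM(ENHANCED-WARNING))
  RDEFINE FACILITY BPX.MAINCHECK UACC(NONE)
  SETROPTS RACLIST(FACILITY) REFRESH
/*
```

Check SYSTSPRT for non-zero return codes from each command. Step 2 is done from the z/OS UNIX shell, not RACF: for each affected MAIN program that lives in an MVS load library, either set the sticky bit on the z/OS UNIX file with `chmod +t` or set it up as an external link as described in the topics referenced in step 2. Once you have completed step 4 and run through at least one IPL without warning messages, switch from warning mode to full enforcement with `SETROPTS WHEN(PROGRAM(ENHANCED))`.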

Tips:
  1. You can partially activate enhanced program security by defining the profile before restarting OMVS or issuing a SET OMVS or SETOMVS command. However, only address spaces that are started after enhanced program security was enabled are affected. Use this partial enablement for testing purposes only.
  2. Because the new RACF enhanced security checking requires a completely controlled program environment, testing using dbx might be restricted because it can cause the program environment to be considered uncontrolled. Testing a trusted MAIN program under dbx might require that the RACF enhanced security checking be set up in warning mode or that BPX.MAINCHECK be undefined. Attempting to do otherwise might cause some privileged operations to fail while under dbx control.

Guideline: Remain in warning mode until you have done at least one IPL, to ensure that you have tested with all your daemons.





Copyright IBM Corporation 1990, 2014