eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect
Securing HFS Functions

System Functions (IBMFAC ATTRIBUTE)

BPX.CAHFS.CHANGE.PRIORITY—Allows a user to change the scheduling priority of a process, process group, or user.

BPX.CAHFS.SET.PRIORITY—Allows a user to set the scheduling priority of a process, process group, or user.

BPX.CAHFS.SET.RLIMIT—Allows a user to set the resource limit for the calling process.

BPX.CAHFS.MOUNT—Allows a user to mount file systems.

BPX.CAHFS.UNMOUNT—Allows a user to remove a virtual file system.

BPX.CAHFS.PTRACE—Allows a user to control and debug another process. Although the user need not be defined as a superuser to use this function, access to this resource does not give the user any more authority than a superuser would have. Access to the function is denied if the user attempts to debug a program running with SETUID or SETGID, that is, a program that switches user identification.

BPX.CAHFS.CREATE.LINK—Allows a user to create a hard link to an existing file. A hard link is essentially another name for the same file data. If the original file is removed, the hard link still points to the file data. The data is not deleted until the last link is removed. The user requires a permission with ACCESS(ALTER) to the HFS file resource for both the original file and the link file. It is important to note that when data associated with a hard link is accessed, the CA-ENF/USS service requests the file name from OS/390 UNIX Services. The file name returned might be the hard link name or the original file name regardless of the actual path accessed. It is unpredictable which name is returned. Therefore, when a hard link exists, you must maintain permissions for both the link name and the original name.

BPX.CAHFS.CREATE.EXTERNAL.LINK—Allows a user to create an external link to an object outside of the file system, such as an MVS data set. An external link is a file that contains the name of an external object. If the external object is removed, the external link still contains the name of the non-existent object.

BPX.CAHFS.CREATE.SYMBOLIC.LINK—Allows a user to create a symbolic link to an existing file. A symbolic link is a file that contains the name of another file. If the original file is removed, the file data is deleted but the symbolic link still contains a pointer to the non-existent file. Symbolic link names are validated when the link is created and deleted. All other accesses are validated with the original file name. In addition to this resource, the user also requires a PERMIT with ACCESS(ALTER) to the HFS file resource for both the original file and the link file.

2–8 Cookbook

File Functions

File-related functions can be secured to various levels of granularity. This is accomplished by determining a user’s highest level of access to an IBMFAC resource. The ACCESS keyword of the IBMFAC resource authorization is used for this purpose. The following actions are taken based upon the ACCESS value:

ALL—The user is allowed to perform the function against all files.

CONTROL—The user is allowed to perform the function if the user also has ACCESS(CONTROL) access to the HFS file resource. The access level of CONTROL is not used in normal file access. It is utilized here to provide additional controls for file functions.

UPDATE—Processing is the same as for CONTROL.

READ—The user is allowed to perform the function if the user also has ACCESS(CONTROL) access to the HFS file resource, or if the user is considered the owner of the file. This is ownership as defined by CA SAF HFS security, not UNIX file UID.

NONE—If the user has no access to the IBM FACILITY resource, the function is denied.

Because the absence of the ACCESS keyword in a permission implies READ access, be sure to specify ACCESS in all of the file function IBMFAC permissions so that you do not inadvertently allow greater access to functions than you intended.

HFS file permission settings and UID/GID ownership are not used for validation purposes when CA SAF HFS security is active. However, the following resources restrict changes to these settings for those cases in which they must be maintained.

File Functions (IBMFAC)

The following are the file functions authorized via the IBMFAC ATTRIBUTE:

BPX.CAHFS.CHANGE.FILE.ATTRIBUTES—Allows a user to change extended file attributes, such as APF authorization and program control. Native OS/390 UNIX services will issue an IBMFAC resource call to determine authorization to set the specific attribute, but not to specific files. Use of this file function resource provides additional control down to the file level.

BPX.CAHFS.CHANGE.FILE.AUDIT.FLAGS—HFS files contain two sets of audit flags, one that can be set by a normal user and the other that can only be set by an auditor. This resource allows a user to change user-audit flags in a file.

BPX.CAHFS.CHANGE.FILE.FORMAT—Allows a user to change the format of a file. Changes include defining text data delimiters or binary file format.

Controlling Access to the Hierarchical File System 2–9
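
The ACCESS table for file functions and the implied-READ warning above, modelled as an added example (not code from the manual or the product). The permission text is constructed sample input with hypothetical ACIDs, and the function names are illustrative.

```python
import re

# File function resources named on this page (the manual's list may continue).
FILE_FUNCTIONS = {
    "BPX.CAHFS.CHANGE.FILE.ATTRIBUTES",
    "BPX.CAHFS.CHANGE.FILE.AUDIT.FLAGS",
    "BPX.CAHFS.CHANGE.FILE.FORMAT",
}

def file_function_allowed(ibmfac_access, has_file_control, is_saf_owner):
    """Apply the ACCESS table to one file function request.

    ibmfac_access    -- user's highest access to the IBMFAC file function resource
    has_file_control -- user has ACCESS(CONTROL) to the HFS file resource
    is_saf_owner     -- user owns the file per CA SAF HFS security (not UNIX UID)
    """
    if ibmfac_access == "ALL":
        return True
    if ibmfac_access in ("CONTROL", "UPDATE"):
        return has_file_control
    if ibmfac_access == "READ":
        return has_file_control or is_saf_owner
    return False  # NONE: no access to the resource, function denied

def effective_access(permit_text):
    """Return (resource, access, explicit); a missing ACCESS keyword means READ."""
    res = re.search(r"IBMFAC\(([^)]+)\)", permit_text)
    acc = re.search(r"ACCESS\(([^)]+)\)", permit_text)
    return (res.group(1) if res else None,
            acc.group(1) if acc else "READ",
            acc is not None)

def implicit_read_permits(permits):
    """List file function permissions that rely on the implied READ default."""
    return [text for text in permits
            if effective_access(text)[0] in FILE_FUNCTIONS
            and not effective_access(text)[2]]

# Constructed sample permissions (ACIDs are hypothetical), not taken from the manual.
SAMPLE_PERMITS = [
    "TSS PERMIT(USER01) IBMFAC(BPX.CAHFS.CHANGE.FILE.FORMAT) ACCESS(CONTROL)",
    "TSS PERMIT(USER02) IBMFAC(BPX.CAHFS.CHANGE.FILE.ATTRIBUTES)",
    "TSS PERMIT(USER03) IBMFAC(BPX.CAHFS.CHANGE.FILE.AUDIT.FLAGS) ACCESS(NONE)",
]

if __name__ == "__main__":
    for text in implicit_read_permits(SAMPLE_PERMITS):
        print("no ACCESS keyword, READ implied:", text)
    # USER02 owns a file without CONTROL access to it: implied READ allows the change.
    print(file_function_allowed(effective_access(SAMPLE_PERMITS[1])[1], False, True))
```

As the table is written, READ admits a file owner who lacks ACCESS(CONTROL) to the file, while CONTROL and UPDATE do not, which is why a permission left without ACCESS can allow more than intended.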