eTrust CA-Top Secret Security for z/OS and OS ... - SupportConnect


supportconnectw.ca.com

Securing HFS Functions

BPX.CAHFS.CHANGE.FILE.MODE—Allows a user to change any file mode information. This includes changes to file permission settings, setting the execution UID or GID indicators, and setting the "sticky" bit. Native OS/390 UNIX permission settings are used for validation purposes only when CA SAF HFS security is inactive.

BPX.CAHFS.CHANGE.FILE.MODE.STICKY—Allows a user to set the "sticky" bit in the file mode information. The "sticky" bit causes a program to be loaded from MVS libraries instead of the HFS.

BPX.CAHFS.CHANGE.FILE.MODE.EUID—Allows a user to set the execution-UID indicator in the file mode information. When this indicator is set, the program runs under the UNIX UID of the file owner instead of the UID of the user running the program.

BPX.CAHFS.CHANGE.FILE.MODE.EGID—Allows a user to set the execution-GID indicator in the file mode information. When this indicator is set, the program runs under the UNIX GID of the file owner instead of the GID of the user running the program.

BPX.CAHFS.CHANGE.FILE.OWNER—Allows a user to change the file owner UID setting. Native OS/390 UNIX ownership settings are used for validation purposes only when CA SAF HFS security is inactive.

BPX.CAHFS.CHANGE.FILE.GROUP—Allows a user to change the file owner GID setting. Native OS/390 UNIX ownership settings are used for validation purposes only when CA SAF HFS security is inactive.

BPX.CAHFS.CHANGE.FILE.TIME—Allows a user to change the last access or modification time to the current time or to a user-specified time. If the current time is to be set and the user has write access to the file, the function is allowed without any resource check. If the user does not have write access, or a user-specified time is to be set, access must be allowed to this IBMFAC resource.

Sample Permissions

The following example shows TSS PERMITs that allow Thelma to change the file mode and owner for all files. Louise is allowed to change the file mode for only those files that reside in a certain directory, but is not allowed to change the file owner of any file:

TSS PER(THELMA) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE) ACCESS(ALL)
TSS PER(LOUISE) IBMFAC(BPX.CAHFS.CHANGE.FILE.MODE) ACCESS(CONTROL)
TSS PER(THELMA) IBMFAC(BPX.CAHFS.CHANGE.FILE.OWNER) ACCESS(ALL)
TSS PER(LOUISE) HFSSEC(/certain.directory.) ACCESS(ALL)

2–10 Cookbook
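The rules in this section are precise enough to be turned into a pre-check that a security administrator can run over planned chmod/chown/utime operations before attempting them on the system. The following Python model is an added example, not CA code and not part of this manual. Its assumptions: the execution-UID and execution-GID indicators correspond to the POSIX set-user-ID and set-group-ID bits; a MODE.xxx sub-resource covers only turning its own bit on, since the text says "set" (clearing a bit, or touching the rwx bits, is treated as needing the general MODE resource); ACCESS levels (ALL versus CONTROL) and HFSSEC path scoping are not modelled, so a permit is a plain yes/no; and the permit sets THELMA, LOUISE and OPERATOR are constructed for the demonstration.

```python
"""Model of the CA SAF HFS function-resource checks described in this section.

Added example, not CA code.  Encodes the documented rules so a planned
chmod/chown/utime can be checked against a user's IBMFAC permits.  Access
levels (ALL vs CONTROL) and HFSSEC path scoping are NOT modelled: a permit
is treated as a simple yes/no (assumption).
"""
import stat

MODE   = "BPX.CAHFS.CHANGE.FILE.MODE"
STICKY = "BPX.CAHFS.CHANGE.FILE.MODE.STICKY"
EUID   = "BPX.CAHFS.CHANGE.FILE.MODE.EUID"
EGID   = "BPX.CAHFS.CHANGE.FILE.MODE.EGID"
OWNER  = "BPX.CAHFS.CHANGE.FILE.OWNER"
GROUP  = "BPX.CAHFS.CHANGE.FILE.GROUP"
TIME   = "BPX.CAHFS.CHANGE.FILE.TIME"

# Assumption: execution-UID/GID indicators are the POSIX setuid/setgid bits.
# Each sub-resource is described only as allowing its bit to be *set*.
SPECIAL_BITS = {stat.S_ISVTX: STICKY, stat.S_ISUID: EUID, stat.S_ISGID: EGID}
SPECIAL_MASK = stat.S_ISVTX | stat.S_ISUID | stat.S_ISGID
PERM_BITS = 0o777  # rwxrwxrwx


def chmod_requirements(old_mode, new_mode):
    """Return alternative resource sets; holding every resource in any one
    set authorizes the change old_mode -> new_mode.

    CHANGE.FILE.MODE covers any change.  Only turning a special bit on can be
    authorized by the narrower MODE.xxx resource; clearing a special bit or
    changing rwx bits falls back to the general resource (assumption).
    """
    changed = (old_mode ^ new_mode) & (PERM_BITS | SPECIAL_MASK)
    general = [frozenset([MODE])]          # always sufficient
    if changed == 0:
        return [frozenset()]               # nothing to authorize
    if changed & PERM_BITS:
        return general                     # rwx change: MODE only
    narrow = set()
    for bit, resource in SPECIAL_BITS.items():
        if changed & bit:
            if not new_mode & bit:
                return general             # bit cleared: MODE only
            narrow.add(resource)           # bit turned on
    return general + [frozenset(narrow)]


def chmod_authorized(permits, old_mode, new_mode):
    return any(alt <= permits for alt in chmod_requirements(old_mode, new_mode))


def chown_requirements(old_uid, old_gid, new_uid, new_gid):
    """OWNER is needed to change the owning UID, GROUP to change the owning GID."""
    needed = set()
    if old_uid != new_uid:
        needed.add(OWNER)
    if old_gid != new_gid:
        needed.add(GROUP)
    return frozenset(needed)


def chown_authorized(permits, old_uid, old_gid, new_uid, new_gid):
    return chown_requirements(old_uid, old_gid, new_uid, new_gid) <= permits


def utime_authorized(permits, has_write_access, sets_current_time):
    """Setting the timestamps to *now* on a file the user can write needs no
    resource; every other case requires CHANGE.FILE.TIME."""
    if sets_current_time and has_write_access:
        return True
    return TIME in permits


# Constructed permit sets mirroring the Sample Permissions above (Louise's
# HFSSEC path restriction and the CONTROL level are not represented).
THELMA = frozenset({MODE, OWNER})
LOUISE = frozenset({MODE})
OPERATOR = frozenset({STICKY})  # constructed: may only set the sticky bit


def demo():
    """Evaluate a handful of planned changes; returns {case: allowed?}."""
    return {
        "thelma chmod 644->4755": chmod_authorized(THELMA, 0o644, 0o4755),
        "thelma chown": chown_authorized(THELMA, 100, 10, 200, 10),
        "thelma chgrp": chown_authorized(THELMA, 100, 10, 100, 20),
        "louise chown": chown_authorized(LOUISE, 100, 10, 200, 10),
        "operator set sticky": chmod_authorized(OPERATOR, 0o755, 0o1755),
        "operator sticky+perm": chmod_authorized(OPERATOR, 0o755, 0o1775),
        "operator clear sticky": chmod_authorized(OPERATOR, 0o1755, 0o755),
        "louise touch writable file": utime_authorized(LOUISE, True, True),
        "louise backdate writable file": utime_authorized(LOUISE, True, False),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:32} {'allowed' if ok else 'denied'}")
```

The model deliberately errs toward requiring the general resource whenever the text does not say a narrower one suffices; on a real system the decision also depends on the ACCESS level and on the HFSSEC rule that covers the path, so use it to spot obviously missing permits, not as a substitute for TSS.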

Implementing CA SAF HFS Security

CA SAF HFS security is an application of CAIENF/USS (UNIX System Services). This security application is activated when the appropriate DCM modules are linked into the ENF database. The following describes the implementation steps:

1. eTrust CA-Top Secret for OS/390 5.1 SP2 or higher is required to implement CA SAF HFS Security.

2. Determine if exit processing is required for path name translation, user path definition, or to enable file ownership. See below for specifics regarding exit processing. If using the exit, assemble and link the exit code using the sample SMP/E usermod found in OPMAT member UD00001.

3. Define HFS file and function resource authorizations. It is recommended that all the function resources described in the previous sections be defined. A utility is provided to assist in creating these resource rules. See section CA SAF HFS ADD/PERMIT Generation Utility for details.

4. If you utilize the user file ownership feature of CA SAF HFS security (described in the Exit Processing section), also define authorizations for users.

5. Verify that the proper level of CAIENF is available to support ENF/USS. CA Common Services for z/OS and OS/390 with the following APARs provides this support: LO89578 through LO89581, LO89584, LO92642, LO94652, and LO94657.

6. The ENF started task must be a valid OMVS user. Message CARR014E is issued if this is not done. Ensure the ENF acid specifies a group. Install the following DCM modules into the ENF database using the ENFDB utility program: CARRDCM0 (Framework) and J163DCM0 (CA-Top Secret).

7. Defining a VLF class for use as a cache can enhance performance of ENF/USS. The cache size is determined by the MAXVIRT specification. The number of cache entries is approximated by dividing the defined amount of VLF storage by the average size of your path names. Add the following to your current COFVLFxx member in SYS1.PARMLIB:

   CLASS NAME(CAENFU)      /* ENF/USS pathname cache */
        EMAJ(PATHCACHE)    /* Major name             */
        MAXVIRT(256)       /* 1 megabyte             */

8. Adding the NODSNCHK attribute to the BPXOINIT acid during initial testing will allow OMVS to initialize successfully without violations. Once the appropriate authorizations are in place, the NODSNCHK attribute should be removed, since it bypasses data set access checking for that acid.

9. The following message is issued by CAIENF/USS at ENF startup when CA SAF HFS security is successfully initialized:

   CARR036I - SAFHFINT / J163 Now Initialized

Controlling Access to the Hierarchical File System 2–11

