RACF/DB2 EXTERNAL security issues

Mohamed Esmael

RACF/DB2 EXTERNAL security issues

Hello All 

 We using RACF EXTERNAL security on DB2 V11 with z/os v2.1 

we face some issues 

1- we want to make report to monitor Admin Activities , from reading we found that we can do that by using SMF record type 100 ,101,102 , how can we do that and what other things we can use ?

2- how to prevent SYSADM to change exit routines that enable RACF external security? (Generally limit SYSADM to perform any actions on members that related to security  

James Campbell

RACF/DB2 EXTERNAL security issues
(in response to Mohamed Esmael)
1) read up on SYSIBM.SYSAUDITPOLICIES columns SYSADMIN and DBADMIN, ifcid 361
and DSN1SMFP.


2) ensure that the sysadm'ers do not have update access to the SDSNEXIT library used by
the Db2 started tasks. Any changes they make have to pass through a separate security
function to be verified and actually be applied.

James Campbell


On 15 Oct 2017 at 4:51, Mohamed Esmael wrote:

>
> Hello All 
>  We using RACF EXTERNAL security on DB2 V11 with z/os v2.1 
> we face some issues 
> 1- we want to make report to monitor Admin Activities , from reading we found that we can do
> that by using SMF record type 100 ,101,102 , how can we do that and what other things we can
> use ?
> 2- how to prevent SYSADM to change exit routines that enable RACF external security?
> (Generally limit SYSADM to perform any actions on members that related to security  
>
>

---
This email has been checked for viruses by AVG.
http://www.avg.com

Kurt Struyf

RE: RACF/DB2 EXTERNAL security issues
(in response to Mohamed Esmael)

Yes audit policies are probably the easiest things to do, should you want to keep it purely in RACF. Then in RACF you can also set auditing on for certain profiles.

for instance ssid.SYSADM

 

Mohamed Esmael

RE: RACF/DB2 EXTERNAL security issues
(in response to James Campbell)

Thanks James for you support , i want to clarify some issues 

1- if i use RACF/DB2 External security , the catalog tables will not exist so how can i use it ? also how to generate IFcid 361 and how to use DSN1SMFP utility 

2- you mean to make RACF profile and limit access to it  

Mohamed Esmael

RE: RACF/DB2 EXTERNAL security issues
(in response to Kurt Struyf)

Thanks Kurt for replying 

i want to ask about how can make auditing through RACF ?