Securing JES Resource Classes - Stuhenderson

Transcription

Slide 1: Securing JES Resource Classes
Jim McNeill
NYRUG, November 25, 2014
© 2014 Vanguard Integrity Professionals, Inc.

Slide 2: Session Topics
- Job Control Overview
- Controlling Job Input
- Controlling JOB CLASSES
- Controlling Printing (Output)
- Controlling Access to SPOOL
- Controlling NJE Security

Slide 3: RACF-related JES components (diagram)
Diagram labels: SUBMIT, NJE, RJE/RJP, Line & PSF Printers, BATCH INPUT, SYSOUT, WRITER, JESSPOOL, SPOOL.

Slide 4: Input and Output Controls
Input Controls
- Allow control of job names (JESJOBS)
- Allow control of who can use which job classes
- Allow control of who can enter jobs from where (JESINPUT/NODES)
- Allow control of surrogate submission (SURROGAT)
Output Controls
- Allow control of who can send JOBS & SYSOUT where (WRITER)
- Allow control of who can access SYSOUT on the spool (JESSPOOL)

Slide 5: Security Tokens
- Associated with the JOB during input services
  - Identifies the submitter of the JOB
  - Identifies the owner of the JOB
  - Identifies the owner of all resources associated with the JOB (SYSIN, SYSOUT)
- Transportable: not associated with a particular address space

Slide 6: Security Tokens (diagram)
- JES INPUT QUEUE: STOKEN (job submitter)
- PROCESSING: UTOKEN (job owner)
- JES OUTPUT QUEUE: RTOKEN (resource owner)

Slide 7: Token contents (only fragments survived the transcription: "...nal/External", "Session Type")

Slide 8: Who is the Submitter? (diagram)
The UTOKEN of the submitting job or user becomes the job's STOKEN. Sources shown: STOKEN from the submitting job; SUBMITTER UTOKEN; UTOKEN after SUBMIT/NODES translation for NJE jobs; a possible unknown NJE user; an unknown local user.

Slide 9: Who is the Job Owner? (diagram)
Inputs: USER from the JOB card; propagated USER via INTRDR; undefined user. JES Input Services issue RACROUTE VERIFY/X, which builds the ACEE and the UTOKEN (userid, groupid). SETR JES(BATCHALLRACF).

Slide 10: Determining the Job's Owner

                                           Internal Reader                    Local & RJE/RJP Devices   NJE Nodes
USER/PASSWORD coded on JOB statement,      Coded Value                        Coded Value               Coded Value
  or user translated (NJE)
USER/PASSWORD not coded on JOB statement,  Submitting User ID is propagated   ?                         ?
  or user not translated (NJE)

Slide 11: Preventing JES Propagation (diagram)
User CICSPRD submits //TRNA JOB acctnum,... with no USER parameter. With no PROPCNTL profile for CICSPRD, JES propagates the submitter's user ID and the job runs as if USER=CICSPRD had been coded. RACF Database:
SETR CLASSACT(PROPCNTL)
RDEF PROPCNTL CICSPRD UA(NONE)
SETR RACLIST(PROPCNTL)
PROPCNTL class profile: CICSPRD, UA(NONE)

Slide 12: Control of Job Submission
JES: //Jobname JOB . . .
- Which Jobs?
- From Who?
- From Where?

Slide 13: Steps to Protect Job Input
- Decide job name standards
- Decide who is allowed to submit what jobs
- Decide which jobs, and from where, are to be restricted
- Define profiles: JESJOBS, JESINPUT, SURROGAT
- Activate classes & test

Slide 14: Controlling Job Names – JESJOBS ('Nasty Class', RC 8)
//VANPAY1 JOB . . . enters JES; job name control is based on "who" and "from where".
RACF Database, JESJOBS profiles (each with UACC and access list):
- SUBMIT.node.job.user
- CANCEL.node.user.job
Backstops: SUBMIT.** (READ), CANCEL.** (NONE)

Slide 15: Defining JESJOBS Class Profiles
To allow only the PAYROLL group to submit the VANPAY job from node LVPROD:
RDEF JESJOBS SUBMIT.LVPROD.VANPAY*.* UACC(NONE)
PERMIT SUBMIT.LVPROD.VANPAY*.* CL(JESJOBS) ID(PAYROLL) AC(READ)
To allow only KAREN to cancel the VANPAY job from LVPROD:
RDEF JESJOBS CANCEL.LVPROD.*.VANPAY* UACC(NONE)
PERMIT CANCEL.LVPROD.*.VANPAY* CL(JESJOBS) ID(KAREN) AC(ALTER)
To allow anyone to submit all other jobs:
RDEF JESJOBS SUBMIT.** UACC(READ)

Slide 16: Controlling Job Classes – JESJOBS ('Nasty Class', RC 8)
//VANPAY1 JOB . . . CLASS B enters JES. FACILITY profiles determine who is checked: the submitter, the owner, or no check made.
RACF Database, FACILITY profiles (UACC n/a, access list n/a):
- JES.JOBCLASS.OWNER
- JES.JOBCLASS.SUBMITTER
Profile(s) must be discrete; they are used as switches only.

Slide 17: Controlling Job Classes – JESJOBS ('Nasty Class', RC 8)
//VANPAY1 JOB . . . CLASS B enters JES. JESJOBS profiles determine who can use a certain JOB class.
RACF Database, JESJOBS profile (UACC, access list): JOBCLASS.nodename.jobclass.jobname
Generics may be used.

Slide 18: Defining JESJOBS Class Profiles
User JIMM submits a CLASS B job named JIMMX with USER BOB on the JOB card. The local node is VANLV. The SURROGAT profile check is, of course, made as well.
If there is a JES.JOBCLASS.OWNER profile in the FACILITY class, a check is made that user BOB has READ access to the JESJOBS profile:
RDEF JESJOBS JOBCLASS.VANLV.B.JIMMX OWNER(SECADMN) UACC(NONE)
PE JOBCLASS.VANLV.B.JIMMX CLASS(JESJOBS) ID(BOB) ACC(R)
If there is a JES.JOBCLASS.SUBMITTER profile in the FACILITY class, a check is made that user JIMM has READ access to the JESJOBS profile:
RDEF JESJOBS JOBCLASS.VANLV.B.JIMMX OWNER(SECADMN) UACC(NONE)
PE JOBCLASS.VANLV.B.JIMMX CLASS(JESJOBS) ID(JIMM) ACC(R)
If both FACILITY class profiles exist, then both JIMM and BOB must have READ access to the JESJOBS class profile.

Slide 19: Hints for Defining JESJOBS Class Profiles
You probably want to define a backstop profile to allow all users access to all job classes:
RDEF JESJOBS JOBCLASS.** OWNER(SECADMN) UACC(READ)
Then define profiles to limit certain classes:
RDEF JESJOBS JOBCLASS.*.P.* OWNER(SECADMN) UACC(NONE)
PE JOBCLASS.*.P.* CLASS(JESJOBS) ID(PRODJOBS) ACC(R)
If JESJOBS was not previously active, be sure to define SUBMIT.** and/or CANCEL.** before activating the class. Remember that JESJOBS is a "nasty" class: once it is active, a request that no profile covers gets RC 8 and is denied.
Create the FACILITY class profiles after the JESJOBS profiles.

Slide 20: Port-of-Entry Control – JESINPUT Class ('Nasty Class', RC 8)

DEVICE            JES2 POE NAME        JES3 POE NAME
JES reader        RDRnn                JNAME of reader
Disk reader       n/a                  DR member name
RJE/RJP reader    Rnnnn.RDn            Workstation name
NJE reader        Adjacent node name   NJERDR
Dump Job          n/a                  DUMPJOB
Spool Offload     OFFn.JR              n/a
Internal Reader   INTRDR               INTRDR
TSO SUBMIT        INTRDR               INTRDR
Started tasks     STCINRDR             STCINRDR
TSO logons        TSUINRDR             TSO terminal name

RDEF JESINPUT R124.RD1 UACC(NONE)
PE R124.RD1 CL(JESINPUT) ID(PAYROLL) AC(READ)
RDEF JESINPUT ** UA(READ)
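As an added illustration (not part of the slides), a small Python model of the JOBCLASS check spelled out on the last three slides: the FACILITY switches choose who is checked, the most specific JESJOBS profile decides, and a request that no profile covers is denied ('nasty' class, RC 8). RACF generic matching and profile ranking are simplified here, and access-list entries are treated as user IDs only; group connections such as PRODJOBS are not modelled.

```python
import re

LEVELS = ["NONE", "READ", "UPDATE", "CONTROL", "ALTER"]  # RACF access levels, low to high

def profile_regex(profile):
    """Simplified RACF generics: '%' one char, '*' any chars in a qualifier, '**' any qualifiers."""
    pattern = ""
    for i, qual in enumerate(profile.split(".")):
        if qual == "**":
            pattern += r"(?:\.[^.]+)*" if i else r"[^.]+(?:\.[^.]+)*"
        else:
            body = "".join("[^.]*" if c == "*" else "[^.]" if c == "%" else re.escape(c) for c in qual)
            pattern += (r"\." if i else "") + body
    return re.compile("^" + pattern + "$")

def specificity(profile):
    """Sort key: a literal character beats '%', which beats '*' (simplified RACF rule)."""
    return [{"%": 1, "*": 2}.get(c, 0) for c in profile]

def best_profile(profiles, resource):
    """Most specific profile covering the resource, or None if no profile matches."""
    matches = [n for n in profiles if profile_regex(n).match(resource)]
    return min(matches, key=specificity) if matches else None

def access_allowed(profiles, resource, user, needed="READ"):
    """profiles = {name: (UACC, {id: level})}; ACL ids are user IDs only (no group connects).
    No covering profile in a 'nasty' class means RC 8, i.e. access denied."""
    name = best_profile(profiles, resource)
    if name is None:
        return False
    uacc, acl = profiles[name]
    return LEVELS.index(acl.get(user, uacc)) >= LEVELS.index(needed)

def jobclass_allowed(facility, jesjobs, node, jobclass, jobname, submitter, owner):
    """FACILITY switches decide who must hold READ on JOBCLASS.node.class.jobname:
    JES.JOBCLASS.OWNER -> owner, JES.JOBCLASS.SUBMITTER -> submitter, neither -> no check."""
    checked = []
    if "JES.JOBCLASS.OWNER" in facility:
        checked.append(owner)
    if "JES.JOBCLASS.SUBMITTER" in facility:
        checked.append(submitter)
    return all(access_allowed(jesjobs, f"JOBCLASS.{node}.{jobclass}.{jobname}", who) for who in checked)

# Constructed profile set mirroring the slides' RDEF/PERMIT commands
JESJOBS = {
    "JOBCLASS.**": ("READ", {}),                          # backstop: everyone, every class
    "JOBCLASS.*.P.*": ("NONE", {"PRODJOBS": "READ"}),     # class P limited to PRODJOBS
    "JOBCLASS.VANLV.B.JIMMX": ("NONE", {"BOB": "READ"}),  # JIMMX in class B: owner BOB
}
```

Calling jobclass_allowed with the slides' scenario (JIMM submits JIMMX in class B with USER BOB at VANLV) returns True with only the OWNER switch, False with the SUBMITTER switch, and True with neither switch defined.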

Slide 21: Surrogate Job Submission (diagram)
//jobname JOB USER JILL enters JES; RACF Database, SURROGAT class profile JILL.SUBMIT with JACK / READ on the access list.
RDEF SURROGAT JILL.SUBMIT OWNER(SECADMN) UACC(NONE)
PE JILL.SUBMIT CLASS(SURROGAT) ID(JACK) AC(READ)

Slide 22: Steps to Protect Job Output
- Define printers to protect
- Decide who can use which printers
- Decide who can look at other users' SYSOUT
- Define profiles: WRITER, JESSPOOL
- Activate classes & test

Slide 23: Printer Access – WRITER Class ('Nasty Class', RC 8)
JES2 PARMS: PRT(n) . . .   JES3 PARMS: DEVICE JNAME=
RACF Database, WRITER profiles (each with UACC and access list):
- jesx.LOCAL.devn
- jesx.RJE/RJP.devn

Slide 24: Defining WRITER Class Profiles
To allow only the PAYROLL group to use local printer PRT45:
RDEF WRITER JES%.LOCAL.PRT45 UACC(NONE)
PE JES%.LOCAL.PRT45 CL(WRITER) ID(PAYROLL) AC(READ)
To allow only the PAYROLL group to use the remote printer R5:
RDEF WRITER JES%.RJE.R5 UACC(NONE)
PE JES%.RJE.R5 CL(WRITER) ID(PAYROLL) AC(READ)
To allow all users to use all other printers:
RDEF WRITER JES%.*.** UACC(READ)

Slide 25: Access Control to SYSOUT – JESSPOOL ('Nasty Class', RC 8)
SPOOL data sets enter JES; RACF Database, JESSPOOL profiles (UACC, access list): node.user.jobname.job#.Dsid.dsname

Slide 26: Access to SYSOUT

Requirement                                                         Auth.   JESSPOOL Profile Name
Allow viewing of CAROL's data for the ACCOUNT job on LVPROD         READ    LVPROD.CAROL.ACCOUNT.**
Allow deletion of BETH's data for the BACKUP job on LVPROD          ALTER   LVPROD.BETH.BACKUP.**
Allow receipt of data sent to FRANK for the BLKMAIL job,            ALTER   LVPROD.FRANK.BLKMAIL.*.*.MAILDATA
  MAILDATA data set on LVPROD

Slide 27: Steps to Protect NJE
- Control JOBS / SYSOUT?
- Control inbound / outbound work?
- Control whose work is sent and received?
- Define profiles: WRITER, NODES
- Activate classes, RACLIST & test

Slide 28: NJE – WRITER and NODES Class
To control sending (WRITER class; node = target node):
- JOBS: JES%.NJE.node
- SYSOUT: JES%.NJE.node
To control receipt (NODES class; node = sending node):
- node.USERJ.userid, node.GROUPJ.groupid (jobs)
- node.USERS.userid, node.GROUPS.groupid (SYSOUT)

Slide 29: NODES Class Profile – UACC

Requirement                                                            Regard for Sending Node/User ID   Needed UACC
No need to re-verify password on incoming jobs (no password needed)    TRUSTED                           CONTROL / UPDATE
Re-verify user ID and password on incoming jobs (password needed)      SEMI-TRUSTED                      READ
No jobs accepted from node/user/group                                  UNTRUSTED                         NONE

Slide 30: Controlling Outgoing Jobs and SYSOUT (diagram)
Scenario: // . . . JOB USER NANCY is submitted at ORANGE (submitting node), XEQ on VEGAS (execution node), PRT on DALLAS (output node).
- At ORANGE: WRITER class profile JES%.NJE.VEGAS with NANCY(READ); USER profile NANCY
- At VEGAS: WRITER class profile JES%.NJE.DALLAS with NANCY(READ); USER profile NANCY
- At DALLAS: RACF database with USER profile NANCY

Slide 31: Controlling Entry of Jobs – NODES Class (diagram)
Same scenario: // . . . JOB USER NANCY submitted at ORANGE, XEQ on VEGAS, PRT on DALLAS.
- At VEGAS (execution node): NODES class profile ORANGE.USERJ.NANCY; USER profile NANCY
- At DALLAS (output node): NODES class profile VEGAS.USERS.NANCY covers Nancy's output; USER profile NANCY

Slide 32: USERID Translation (diagram)
Scenario: a job is submitted at ORANGE (submitting node, PRT on Orange) and executes on VEGAS (execution node, with user ID translation).
- The job leaves ORANGE with OWNER RICKY, SUSER RICKY (user profile RICKY in ORANGE's RACF DB).
- At VEGAS, RDEF NODES ORANGE.USERJ.RICKY UA(UPDATE) ADDMEM(LUCY) translates owner RICKY to LUCY, so the job runs with OWNER LUCY, SUSER RICKY (user profile LUCY in VEGAS's RACF DB).
- Ricky's output returns to ORANGE, where RDEF NODES VEGAS.USERS.* UA(UPDATE) ADDMEM(&SUSER) translates the owner back to the submitting user: OWNER & SUSER RICKY.
