RACF - Securing z/OS UNIX
Course: RACUNX
Duration: 2 Days
Level: II
On our website at:
http://www.verhoef-training.com/courses/RACUNX.html
Course Summary
This course is essential for anyone who intends to assume responsibility for maintaining z/OS Unix controls or wants to verify their z/OS Unix environment is properly secured and monitored. Participants will gain a solid understanding of z/OS Unix and how it can be secured in a system protected by RACF. The course will explore the assignment of user UID and group GID Unix identities and offer best practices for managing them. Powerful Daemon and Superuser authorities will be discussed along with guidance on their assignment and alternatives offered by UNIXPRIV profiles. Considerable time and attention will be devoted to file and directory access controls. Participants will learn how permission bits and Extended Access Control Lists (ACLs) grant access as well as how UNIXPRIV profiles influence access authorization. Techniques and best practices for granting permissions will be provided. The course includes descriptions and lab exercises for all commands used for administering permissions.
Topics Covered In This Course
Introduction to z/OS Unix
- Overview, background, & functions
- OMVS Procedure & BPXPRMxx parameters
- Unix File System
- /etc Configuration Files
- Security Levels
Users & Groups
- Introduction to Unix uids and gids
- OMVS user and group profile segments
- User Security Packet (USP)
- Real, Effective, & Saved UID
- Supplemental GIDs
- Automatic ID assignment
- Preventing duplicate UID assignment
- Default User - BPX.DEFAULT.USER
- Surrogate authority
High Level Authorities
- Daemons
- Servers
- Superuser
- PRIVILEGED & TRUSTED Started Tasks
- FACILITY class BPX profiles & authorities
- UNIXPRIV class profiles and authorities
Program Controls & Attributes
- Maintaining a clean program environment
- Program profiles & libraries
- File extended attributes & authorities
File System Security
- Physical & Logical File System
- Navigating the directory structure
- File Security Packet (FSP)
- RACF's role in file access authorization
- Setuid and Setgid
- Listing the FSP
- Superuser, Owner, Group, & Other authority
- Permission bits
- Extended Access Control Lists (ACLs)
- Access permit levels
- UNIXPRIV class profiles affecting authorization
- Access authorization logic
Monitoring & Logging
- User auditing
- File and directory audit bits
- UNIXPRIV profile auditing
- SETROPTS AUDIT & LOGOPTIONS settings
- SMF options & other factors affecting auditing
- Reporting tools - SMF unload & RACFICE
Other Control Issues
- FACILITY & FIELD class administration profiles
- Identity Mapping - UNIXMAP & AIM
- Performance Tuning
What You Can Expect
On completing this course, students will have learned:
- Security-related z/OS Unix configuration options
- How z/OS Unix UIDs and GIDs are assigned
- Ways to grant full and limited Superuser authority
- Controlling Daemons and Servers
- How file and directory access is permitted
- Effective use of UNIXPRIV profiles
- Best practices for using permission bits and ACLs
- Ensuring security access events are logged
Who Should Take This Course
- RACF Administrators & Analysts who want to take control of z/OS Unix security
- IT Auditors seeking to ensure regulatory compliance
- Systems Programmers who provide Unix and RACF technical support or implement system controls
Recommended Prerequisites
Completion of an introductory RACF Administration course or equivalent RACF experience.
Training Style
Instructor-led with hands-on lab sessions.
Related Courses
| Code | Course Title | Duration | Level |
|---|---|---|---|
| ZFSX | zFS Exploitation | 2 Days | I |
| ZOSJS | z/OS JUMP START FOR TECHNICAL SUPPORT STAFF | 5 Days | I |
| RACFAD01 | RACF Administration | 4 Days | II |
| UNZOS | UNIX System Services for z/OS | 3 Days | II |
Every student attending a Verhoef Training class will receive
a certificate good for $100 toward their next public class taken
within a year.
You can also buy "Verhoef Vouchers" to get a discounted rate for a
single student in any of our public or web-based classes.
Contact your account manager or our sales office for details.