Browse Prior Art Database

Detection and Elimination of Unauthorized Resource Access Control Facility Privileges

IP.com Disclosure Number: IPCOM000104067D
Original Publication Date: 1993-Mar-01
Included in the Prior Art Database: 2005-Mar-18
Document File: 2 page(s) / 41K

Publishing Venue

IBM

Related People

Harroun, PC: AUTHOR

Abstract

The Resource Access Control Facility (RACF*) has three main privileges that grant a user additional authority, SPECIAL, OPERATIONS, and AUDITOR. When normal users are able to compromise the security of an MVS* system, these privileges are generally the goal.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 73% of the total text.

Detection and Elimination of Unauthorized Resource Access Control Facility Privileges

      The Resource Access Control Facility (RACF*) has three main
privileges that grant a user additional authority, SPECIAL,
OPERATIONS, and AUDITOR.  When normal users are able to compromise
the security of an MVS* system, these privileges are generally the
goal.

      Controls are often put in place to monitor the users authorized
for these privileges in the RACF database.  However, the use of the
privileges is actually allowed by the privilege flags in the Accessor
Environment Element (ACEE).  These flags are set upon logon or job
initiation.  Changing these flags can not be controlled or monitored
by current tools.

      By coding an exit the ACEE flags can be controlled.  The exit
can be either the RACHECK Pre-processing (ICHRCXO1) exit or RACHECK
Post-Processing (ICHRCXO2) exit.  Upon every access attempt the exit
will check the ACEE flags.  If a flag is on, it will determine if the
@AUTHUSR class is active.  If so, it will retrieve data from the
@AUTHUSR profile of the userid.  If the data from the profile does
not authorize the userid to have those privileges, the userid is
eliminated.

      Elimination is accomplished by removing all privileges from the
ACEE, failing the access attempt, and issuing a started task.  The
started task can be tailored by the installation to notify security
control personel and take any other actions deemed appropriate.

 ...