CA Top Secret Option for DB2 Best Practices Guide

Download PDF
7 downloads 152 Views 568KB Size Report
Comment
DB2 Subsystem Protection—Updated the recommendation to refer to the .... The guide provides a brief introduction to CA's Mainframe 2.0 strategy and features ...
CA Top Secret® Option for DB2

Best Practices Guide r1.3

This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the “Documentation”) is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may not be disclosed by you or used for any purpose other than as may be permitted in (i) a separate agreement between you and CA governing your use of the CA software to which the Documentation relates; or (ii) a separate confidentiality agreement between you and CA. Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE. The use of any software product referenced in the Documentation is governed by the applicable license agreement and such license agreement is not modified in any way by the terms of this notice. The manufacturer of this Documentation is CA. Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors. Copyright © 2010 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

CA Technologies Product References This document references the following CA Technologies products: ■

CA Audit



CA Auditor for z/OS (CA Auditor)



CA Mainframe Software Manager (CA MSM)



CA Top Secret® for z/OS (CA Top Secret)



CA Top Secret® Option for DB2

Contact CA Technologies Contact CA Support For your convenience, CA Technologies provides one site where you can access the information that you need for your Home Office, Small Business, and Enterprise CA Technologies products. At http://ca.com/support, you can access the following resources: ■

Online and telephone contact information for technical assistance and customer services



Information about user communities and forums



Product and documentation downloads



CA Support policies and guidelines



Other helpful resources appropriate for your product

Providing Feedback About Product Documentation If you have comments or questions about CA Technologies product documentation, you can send a message to [email protected]. To provide feedback about CA Technologies product documentation, complete our short customer survey which is available on the CA Support website at http://ca.com/docs.

Best Practices Guide Process These best practices are based on customer experience reported through interviews with development, technical support, and technical services. Therefore, many of these best practices are a collaborative effort stemming from customer feedback. To continue to build on this process, we encourage you to share common themes of product use that might benefit other users. Please consider sharing your best practices with us. To share your best practices, contact us at [email protected] and preface your email subject line with "Best Practices for product name" so that we can easily identify and categorize them.

Documentation Changes The following documentation updates have been made since the last release of this documentation: ■

Documentation Set Overview—Updated to note the new Installation Guide and Product Guide.



Conversion of Existing DB2 Subsystems—Updated the recommendation to refer to the Product Guide.

Contents Chapter 1: Introduction

9

Documentation Set Overview ...................................................................................................................................... 9

Chapter 2: Installation Best Practices

11

CA Mainframe Software Manager ............................................................................................................................. 11

Chapter 3: Configuration Best Practices

13

Product Family Review ............................................................................................................................................... 13 CA Top Secret for z/OS Control Options..................................................................................................................... 13 CA Top Secret for z/OS Performance Factors ............................................................................................................. 14 Exit Considerations ..................................................................................................................................................... 14

Chapter 4: Auditability Best Practices

17

Auditability Considerations ........................................................................................................................................ 17 Global Logging Controls ...................................................................................................................................... 17 User-Based Logging Controls .............................................................................................................................. 18 Entitlement-Based Logging Controls ................................................................................................................... 20 Credential and Monitoring System ............................................................................................................................ 20 Removal of Obsolete Security Objects ....................................................................................................................... 21 Obsolete Configuration Options ................................................................................................................................ 21

Chapter 5: Implementation Best Practices

23

Conversion of Existing DB2 Subsystems ..................................................................................................................... 23

Index

25

Contents 7

Chapter 1: Introduction The guide introduces the CA Technologies mainframe management strategy and features, and describes the best practices for installing and configuring your product. The intended audience of this guide is systems programmers and administrators who install, maintain, deploy, and configure your product. This section contains the following topics: Documentation Set Overview (see page 9)

Documentation Set Overview The following list provides a basic description of each guide in the CA Top Secret Option for DB2 documentation set: Administrator Guide Describes how to secure the IBM Database 2 (DB2) product using CA Top Secret Option for DB2. Best Practices Guide Describes the best practices for installing and configuring CA Top Secret Option for DB2. Installation Guide Details the steps to install CA Top Secret Option for DB2. Messages Guide Lists the messages that CA Top Secret Option for DB2 can issue, explains why the message appears, and details how you should respond. Product Guide Describes normal operating procedures. Release Summary Describes enhancements, updates to features, system requirements, installation considerations, upgrade considerations, published solutions, and documentation information.

Chapter 1: Introduction 9

Chapter 2: Installation Best Practices This section contains the following topics: CA Mainframe Software Manager (see page 11)

CA Mainframe Software Manager We recommend that you use CA MSM to acquire, install, and maintain your product. Business Value: CA MSM provides a web interface, which works with Electronic Software Delivery (ESD) and standardized installation, to provide a common way to manage CA mainframe products. You can use it to download and install this product. CA MSM lets you download product and maintenance releases over the Internet directly to your system from http://ca.com/support. After you use CA MSM to download your product or maintenance, you use the same interface to install the downloaded software packages using SMP/E. Additional Considerations: After you install the product, use the product documentation set at http://ca.com/support to configure your product. CA MSM can continue to help you maintain your product. More Information: For more information about CA MSM, see the CA Mainframe Software Manager guide at http://ca.com/support.

Chapter 2: Installation Best Practices 11

Chapter 3: Configuration Best Practices This section contains the following topics: Product Family Review (see page 13) CA Top Secret for z/OS Control Options (see page 13) CA Top Secret for z/OS Performance Factors (see page 14) Exit Considerations (see page 14)

Product Family Review We recommend that you review the installation and configuration of CA Top Secret for z/OS before installing and configuring CA Top Secret Option for DB2. Business Value: CA Top Secret Option for DB2 leverages the security controls of CA Top Secret for z/OS to enable you to control access to DB2 resources, identify usage activity, violation activity, administrative activity, and so on. Because CA Top Secret for z/OS checks the actual resource authorizations, its installation and configuration dramatically affects the integrity and performance of CA Top Secret Option for DB2. More Information: For detailed product information, see the CA Top Secret for z/OS Best Practices Guide.

CA Top Secret for z/OS Control Options We recommend that you review and plan how you will use CA Top Secret for z/OS control options. Business Value: Control options specified in the CA Top Secret parameter file dictate CA Top Secret for z/OS processing. You can also specify options during startup and dynamically change them using TSS MODIFY commands.

Chapter 3: Configuration Best Practices 13

CA Top Secret for z/OS Performance Factors

Many control options are critical because they can greatly impact how CA Top Secret for z/OS operates. Control options can also affect performance—poorly chosen or otherwise improper options can negatively impact security processing. They are also critical from a configuration and compliance point of view, especially because each system uses different sources of configuration controls. More Information: For control option best practices, see the CA Top Secret for z/OS Best Practices Guide.

CA Top Secret for z/OS Performance Factors When diagnosing perceived performance problems with security processing, we recommend that you consider the whole system. Business Value: If the system as a whole is experiencing critical system performance problems, you are generally not going to correct the problems by doing CA Top Secret for z/OS performance tuning, unless the implementation is the root of the problem. Numerous factors can affect CA Top Secret for z/OS performance. By reviewing these factors, you can optimize performance by adjusting CA Top Secret for z/OS configuration options and its environmental configuration. More Information: For performance optimization, see the CA Top Secret for z/OS Best Practices Guide.

Exit Considerations We recommend that you periodically review each exit to recertify its applicability and usefulness. If the exit provides a function that CA Top Secret for z/OS now provides, you can migrate from that exit point to the native product functionality. Business Value: As CA Top Secret for z/OS has evolved, we have added exit functionality to the base product, typically using new options, security records, privileges, and so on. Because CA Top Secret Option for DB2 leverages the CA Top Secret for z/OS security controls, any exits specified in the base product can affect the access decision CA Top Secret for z/OS returns to any DB2 access authorization request; therefore, examine CA Top Secret for z/OS exits line-by-line to identify specifically the role of each exit.

14 Best Practices Guide

Exit Considerations

Additional Considerations: We also suggest that you consider the following: ■

Carefully control CA Top Secret for z/OS exit code and the libraries that hold the source and executable code, and implement strict change controls to help ensure that all changes are properly tracked and audited.



Implement strict security and change management controls to help ensure that only properly certified changes are allowed to occur.

The CA Auditor freezer function can automatically monitor these critical data sets.

Chapter 3: Configuration Best Practices 15

Chapter 4: Auditability Best Practices This section contains the following topics: Auditability Considerations (see page 17) Credential and Monitoring System (see page 20) Removal of Obsolete Security Objects (see page 21) Obsolete Configuration Options (see page 21)

Auditability Considerations We recommend that you log data to fit your business needs, but we caution you to devise your logging plans with auditability and resource usage in mind. Business Value: The security administrator, through entitlement-based controls and general security configuration options, controls the amount of logging on a system. The options that are set must reflect the site's business needs. Logging does affect performance; logging does cost in terms of processing path length, data repository size, and more. Consider this potential for overhead when deciding what logging controls to activate. More Information: The following sections detail several logging controls and our recommendations on how to use them.

Global Logging Controls We recommend that you use global control options to customize how you capture data to logs. Business Value: By capturing system-wide data to logs, you can secure data for an audit, troubleshooting, and potential error recovery.

Chapter 4: Auditability Best Practices 17

Auditability Considerations

Additional Considerations: The following global control options help you customize when and how you capture data to logs: LOG Allows you to perform the following tasks: ■

Identify the types of events that CA Top Secret for z/OS logs



Specify whether the events are logged onto the Audit Tracking File (ATF), System Management Facility (SMF), or both



Specify if the violation message is displayed

The LOG option affects all facilities. ETRLOG Sends mainframe security events, such as loggings and violations, to CA Audit. ETROPTS Controls which events the monitor sends to CA Audit. More Information: For a detailed discussion of global logging controls, see the CA Top Secret for z/OS Command Functions Guide.

User-Based Logging Controls We recommend that you implement user-based controls for logging to generate log entries when CA Top Secret uses the controls to determine what resources a user has accessed. Business Value: This practice lets you track user activity and ACID activity. Additional Considerations: You can log all activity for a user by using one of the following ACID attributes: AUDIT Specifies an audit ACID activity. TRACE Activates a diagnostic trace on all ACID activity, such as initiations, resource access, violations, and user security mode.

18 Best Practices Guide

Auditability Considerations

Consider the role that special privileges play on an individual user level and their impact on logging. CA Top Secret for z/OS generates special log entries based on the following ACID privileges: NODSNCHK Specifies that no data set name checks are performed. CA Top Secret for z/OS bypasses all data set access security checks. Auditing occurs. NOLCFCHK Allows an ACID to execute any command or transaction for all facilities, regardless of Limited Command Facility (LCF) restrictions. Auditing occurs. If the NOLCFCHK attribute is in an ACID, that ACID's terminal cannot be locked. NORESCHK Allows an ACID to bypass security checking for all owned resources except data sets and volumes. Auditing occurs. NOSUBCHK Allows an ACID to bypass alternate ACID usage as well as all job submission security checking. Associated ACIDs may submit all jobs regardless of the (derived) ACID on the job statement being submitted. Auditing occurs. NOVOLCHK Allows an ACID to bypass volume level security checking. Auditing occurs. More Information: For a detailed discussion of user-based controls, see the CA Top Secret for z/OS Command Functions Guide.

Chapter 4: Auditability Best Practices 19

Credential and Monitoring System

Entitlement-Based Logging Controls We recommend that you define specific permissions to generate log entries to determine when a user accesses a resource. Business Value: This practice lets you customize the data that appears in your logs and to track access to a resource. When a data set or resource access is allowed, the security administrator controls the circumstances in which logging records are written. By default, CA Top Secret for z/OS logs failed access attempts or access attempts allowed by a privilege. Additional Considerations: The ACTION(AUDIT) keyword generates a log entry. More Information: For a detailed discussion of entitlement-based controls, see the CA Top Secret for z/OS Command Functions Guide.

Credential and Monitoring System We recommend that you implement an automated credential and entitlement monitoring system such as CA Cleanup, which provides a viable, cost-effective means to automatically identify and remove unused, obsolete, or expired user credentials and security entitlements. Business Value: Many of today's sites face challenges when dealing with user credentials and security entitlements that are unused, obsolete, and whose presence complicates security, auditing, and compliance processes. Expired, obsolete, and unused credentials and entitlements pose a large security risk and for this reason are the target of many of the contemporary compliance laws, requirements, and regulations. The Payment Card Industry’s Data Security Standard (PCI-DSS) contains specific language concerning processing of expired or obsolete user credentials and entitlements. The v1.2 specification states that you must remove or disable inactive accounts after 90 days. This best practice helps you address these types of standards.

20 Best Practices Guide

Removal of Obsolete Security Objects

More Information: The CA Cleanup products provide automated tracking of usage and can help to identify what is used, what is not used, and what you can safely remove. For detailed product information, see the CA Cleanup documentation at http://ca.com/support.

Removal of Obsolete Security Objects We recommend that you identify and remove obsolete options. Business Value: Some of your defined options may remain in effect even though the original supporting business case is no longer relevant. You might need to substantiate each control to an auditor. More Information: For a list of control options, see the CA Top Secret for z/OS Control Options Guide.

Obsolete Configuration Options To monitor changes, we recommend that you implement a change control mechanism to track security policy changes that result in changes to control options, configuration options, pertinent ACIDs, permits, and so on. Business Value: An audit of a security control may require that you substantiate your change controls.

Chapter 4: Auditability Best Practices 21

Obsolete Configuration Options

Additional Considerations: Frequently a site implements a security policy through particular control options and that policy remains defined permanently, even though the underlying business case behind the policy has been modified or deleted. Consider the situation whereby security controls are put into place to govern access to an application running on a specific application platform. If you move the application to a different platform or delete it altogether, security administrators may not be aware of this change. Consequently, they may continue to maintain a portion of a security policy that is no longer valid.

22 Best Practices Guide

Chapter 5: Implementation Best Practices This section contains the following topics: Conversion of Existing DB2 Subsystems (see page 23)

Conversion of Existing DB2 Subsystems If you are implementing CA Top Secret Option for DB2 in an existing DB2 subsystem, you must perform a conversion as part of the implementation process. This conversion must take the existing native DB2 security information and convert the security controls into corresponding security controls in CA Top Secret for z/OS. We recommend that you plan accordingly for this part of the conversion. Business Value: DB2 has an internal security process based on SQL GRANT and REVOKE statements. The native DB2 security authorizations are maintained in DB2 system tables, from which DB2 performs security checks whenever a DB2 resource is accessed. This conversion involves an implementation team, including the database administrators currently responsible for DB2 security and the security administrators responsible for the CA Top Secret for z/OS security controls. More Information: For the tasks involved in the implementation process and the personnel required for the implementation team, see the Product Guide.

Chapter 5: Implementation Best Practices 23

Index C CA Audit • 17 CA Auditor for z/OS • 14 CA Cleanup • 20 CA Mainframe Software Manager (MSM) • 11 CA Top Secret for z/OS settings control options • 13 performance tuning • 14 product review • 13 change control mechanism • 21

AUDIT • 18 NODSNCHK • 18 NOSUBCHK • 18 NOVOLCHK • 18 TRACE • 18

D DB2 subsystem conversion • 23

E entitlement-based logging controls • 20 exit code controls • 14 native product functionality • 14

G global logging controls ETRLOG • 17 ETROPTS • 17 LOG • 17

L logging plan • 17

M monitoring credentials • 20

O obsolete options • 21

P parameter file • 13 Payment Card Industry’s Data Security Standard (PCI-DSS) • 20

U user-based logging controls

Index 25