Enhancements to RACF's support for OpenEdition services include:
Extended ability to audit the use of superuser status
Default USER/GROUP support provided by APAR OW26800
Extended Ability to Audit the Use of Superuser Status
This support allows the auditing of the new OpenEdition spawn service. It
determines when a user is a superuser and the identity of that user. This extended
audit function allows a full audit trail that can be used to ensure that security is
adequate.
Auditing the use of superuser status is performed using the ck_priv event code and
the PROCESS class processing to audit UID and GID changes. The audit function
code 101 is added.
If you are not already auditing the PROCESS class, issue SETROPTS
LOGOPTIONS(xxxx(PROCESS)) to obtain the SMF TYPE80 record ck_priv.
Default USER/GROUP OMVS Segment Provided by APAR
OW26800
RACF allows definition of a system-wide default for OMVS segment information,
making it possible for users not specifically defined OpenEdition MVS users to
make use of OpenEdition services.
With this release, OpenEdition sockets are the primary socket interface . To utilize
this support, RACF provides the ability to define default OpenEdition information by
setting a system-wide option.
Previously, to use OpenEdition services, you needed to have a RACF USER profile
with an OMVS segment containing a UID and a current connect group that had a
GROUP profile with an OMVS segment containing a GID. If these were not
available, the initUSP service failed and the process could not use OpenEdition
services.
Now, if no OMVS segment is found in the USER profile during initUSP processing,
the default OMVS segment is used. If the default is found, it is used to set the UID,
HOME, and PROGRAM values for the user. If no default value is found, the
initUSP fails with the existing RACF return code of 8 and reason code of 20.
The same processing is done for the user's current connect group. If no OMVS
segment is found in the GROUP profile, the default is used. If no default value is
found, the initUSP fails with the existing RACF return code of 8 and reason code of
8.
After a default UID, GID, or both are assigned, initUSP processing continues. If the
user is connected to additional RACF groups and list-of-groups processing is
active, the supplemental group list is built using the GIDs of these additional
groups. No default processing occurs while the supplemental group list is built.
When initUSP assigns a default UID, GID, or both, it sets a bit in the user's USP to
indicate that it is a default USP. This bit causes an additional relocate section to be
added to any SMF TYPE80 records written by RACF callable services for this user.
6OS/390 V2R4.0 Security Server (RACF) Planning: Installation and Migration