

Post–Installation Recommendations
An open system is a system in which anyone can log on to a user ID or link to a user ID if they know the password. Now that the Rules Facility is installed, you need to create rules and then test those rules to be sure they give the necessary security to provide a closed system. A closed system means that access to the system, through commands such as LOGON and LINK, has been restricted. No one should be able to do anything without a specific rule. A closed system will have a NORULE REJECT record in the CA VM:Secure SECURITY CONFIG file.
Note: Be sure to read Security with the Rules Facility for information about setting up different security functions within the Rules Facility.
You may find the following recommendations helpful:
- Initially, keep the NORULE ACCEPT record active in the SECURITY CONFIG file. This record ensures all security activity occurring before you installed the Rules Facility will continue.
Note: For more information about the NORULE record, see the Reference Guide.
- Write and test sample rules. Use the VMXSRA report program to help you determine what rules you need to write.
Note: For instructions on writing rules, see Security with the Rules Facility.
- After you write all the rules for your site, use the LOGMSG command with the NORULE parameter. This command lets you create a message that tells users that they need to contact a security administrator to write a rule so that they can perform a certain activity.
Note: For information about the LOGMSG command, see the Reference Guide. For information about creating log messages, see Creating and Querying Log Messages.
- When requests for new rules decrease, you can change the NORULE record in the SECURITY CONFIG to NORULE REJECT.
Note: For information about the NORULE record, see the Reference Guide.
- CA VM:Secure with the Rules Facility also performs journaling. Set the CP journaling limit greater than the values on the JOURNAL record in the SECURITY CONFIG file.
Note: For more information about using CP journaling with CA VM:Secure, see CA VM:Secure Journal Facility and CP Journaling.
- After the Rules Facility is installed, implement the following recommendations to tailor the amount of information that is audited:
- Schedule the AUDITEXT command to perform more frequent audit extracts. The AUDITEXT command moves the contents of the VMSECURE AUDIT file to your 191 minidisk (A–disk) and reinitializes the AUDT minidisk.
Run the AUDITEXT command at a scheduled time every day. When you extract audit data, also run the security reports using the VMXSRA and VMXSRB report programs.
Note: For more information about the AUDITEXT command, and the report programs, see the Reference Guide. For more information about auditing in general, see the Administration Guide.
You do not need to back up the AUDT minidisk if you follow these recommendations.
- When the Rules Facility is installed, every logon and minidisk link is audited. Because there can be many links for each user ID that logs on, this creates an increase in the number of audit records. To ignore the minidisk links and track only the logons, you can use a CPIGNORE DIRLINK record in the VMXRPI CONFIG file. For more information about using this record, see CPIGNORE Record.
Note: Any minidisk that is ignored is not affected by rules.
- After your system is closed with CA VM:Secure active, you may want to change the settings on any CPACTION records in the VMXRPI CONFIG file. The default setting is:
CPACTION * ACCEPT
You should change it to the following:
CPACTION * REJECT
To incorporate the new CPACTION settings:
- Run the VMXCPG EXEC with the new VMXRPI CONFIG file to create new replacement text decks.
- Perform a CP system generation, IPL the generated VM system, and reinitialize CA VM:Secure.
- Verify the CPACTION settings by running the QCPCFG command.
- You can write additional CPACTION records for selected user IDs to permit z/VM maintenance when CA VM:Secure is not active.
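The closed-system end state described above (NORULE REJECT in SECURITY CONFIG, CPACTION * REJECT in VMXRPI CONFIG) can be checked offline against text copies of the two files. The following is an added example, not part of the product or its documentation; it assumes one blank-delimited record per line, that lines beginning with `*` are comments, and that per-user CPACTION records have the same three-token shape as the default record. The sample file contents, including the MAINT user ID, are constructed.

```python
# Added example: closed-system check over text copies of the config files.
# Assumptions (not from the product documentation): one record per line,
# blank-delimited tokens, lines whose first token starts with "*" are comments.

def records(text):
    """Yield upper-cased token lists for each non-blank, non-comment line."""
    for line in text.splitlines():
        tokens = line.split()
        if tokens and not tokens[0].startswith("*"):
            yield [t.upper() for t in tokens]

def check_closed(security_config, vmxrpi_config):
    """Return a list of findings; an empty list means nothing to review."""
    findings = []
    # Every NORULE record present must say REJECT, and at least one must exist.
    norule = {r[1] for r in records(security_config)
              if r[0] == "NORULE" and len(r) > 1}
    if norule != {"REJECT"}:
        findings.append("NORULE REJECT not in effect in SECURITY CONFIG")
    default = None
    for r in records(vmxrpi_config):
        if r[0] == "CPACTION" and len(r) >= 3:
            if r[1] == "*":
                default = r[2]          # default action for all user IDs
            elif r[2] == "ACCEPT":      # per-user exception: list for review
                findings.append(f"review: CPACTION {r[1]} ACCEPT exception")
        elif r[:2] == ["CPIGNORE", "DIRLINK"]:
            findings.append("CPIGNORE DIRLINK: ignored minidisk links "
                            "are not affected by rules")
    if default != "REJECT":
        findings.append("CPACTION * is not REJECT in VMXRPI CONFIG")
    return findings

# Constructed sample inputs: post-installation defaults vs. closed system.
OPEN_SECURITY = "* constructed sample\nNORULE ACCEPT\n"
OPEN_VMXRPI = "CPACTION * ACCEPT\nCPIGNORE DIRLINK\n"
CLOSED_SECURITY = "* constructed sample\nNORULE REJECT\n"
CLOSED_VMXRPI = "CPACTION * REJECT\nCPACTION MAINT ACCEPT\n"

if __name__ == "__main__":
    for name, sec, rpi in [("open", OPEN_SECURITY, OPEN_VMXRPI),
                           ("closed", CLOSED_SECURITY, CLOSED_VMXRPI)]:
        print(name, check_closed(sec, rpi) or "no findings")
```

This checks only the file text; the CPACTION settings actually in effect are still verified with the QCPCFG command as described in the steps above.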
Copyright © 2014 CA.
All rights reserved.
 