PTLDRIVM - Privilege Escalation of SPECIAL, PLA job that alters the ACEE

Article ID: 192642

Products

CA Database Analyzer for DB2 for z/OS
CA Fast Unload for DB2 for z/OS
CA Fast Check for DB2 for z/OS
CA Fast Index for DB2 for z/OS
CA Fast Load for DB2 for z/OS
CA Rapid Reorg for DB2 for z/OS
CA Database Management for DB2 for z/OS - Utilities Suite

Issue/Introduction

Why do the CA DB2 tools use privilege escalation through the PTLDRIVM program, which enables the SPECIAL attribute?

Environment

Release : 20.0

Component : CA Log Analyzer for DB2 for z/OS

Resolution

We document the following:

Privilege Escalation Detection Feature

Background

The z/OS 2.4.0 release of z/OS Security Server RACF has a new feature documented as Detecting ACEE modifications. The intent of this feature is to detect privilege escalation in a user's security environment, specifically when the ACEE (accessor environment element) has been modified. When this feature has been explicitly enabled on systems running both RACF and the CA Database Management Solutions for Db2 for z/OS, RACF may report message IRR421I when execution of the CA Database Management Solutions for Db2 for z/OS products has changed the user's security environment. As noted in the RACF documentation, these changes may not be malicious and may in fact be beneficial.

The CA Database Management Solutions for Db2 for z/OS products are committed to the integrity of the resources that our customers trust us to manage. In addition to calling the External Security Manager via the z/OS SAF interface, we also leverage security definitions that are already in place for Db2 objects, users, and resources. The products will query the Db2 security authorization routines to determine whether Db2 would allow the user access to the specific resource. When the response from the routines indicates a user is indeed authorized, the products will directly modify the runtime security environment. This technique minimizes the customer impact of having to manage duplicate security definitions for Db2 as well as for users of the CA Database Management Solutions for Db2 for z/OS products.

Remediation

When the RACF feature is enabled, it can affect Version 19.0 and Version 20.0 of the CA Database Management Solutions for Db2 for z/OS. Customers who experience IRR421I messages must define a RACF bypass profile to suppress the messages.

To define a RACF bypass profile, issue the following RACF command to create a profile definition:

RDEFINE ACEECHK IRR.EXCLUDE.PTLDRIVM

This profile suppresses the IRR421I message that would otherwise appear when the products run in a RACF-controlled environment. Review the RACF Detecting ACEE modifications documentation for additional details.
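
One way to issue the bypass definition from a batch job instead of an interactive TSO session is a TSO-in-batch job using IKJEFT01. This is an added example, not taken from the article or from the CA products' own materials. The job statement values (job name, accounting field, CLASS and MSGCLASS) are placeholders, and the SETROPTS RACLIST REFRESH and RLIST steps are assumptions drawn from the RACF Detecting ACEE modifications documentation the article refers to, not from this article itself.

```jcl
//ACEEBYP  JOB (ACCT),'RACF BYPASS PROFILE',CLASS=A,MSGCLASS=X
//* Added example, not part of the article: defines the
//* IRR.EXCLUDE.PTLDRIVM bypass profile in the ACEECHK class
//* through IKJEFT01 (TSO commands read from SYSTSIN).
//* Assumptions: the JOB statement values are placeholders;
//* the REFRESH is needed only if ACEECHK is RACLISTed, as the
//* RACF documentation describes, and RLIST is a verification
//* step; neither comes from the article.
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD  SYSOUT=*
//SYSTSIN  DD  *
  RDEFINE ACEECHK IRR.EXCLUDE.PTLDRIVM
  SETROPTS RACLIST(ACEECHK) REFRESH
  RLIST ACEECHK IRR.EXCLUDE.PTLDRIVM
/*
```

The RLIST output in SYSTSPRT confirms the profile exists before the next product run; the job deliberately does not define the profile that makes RACF abend the modifying program, in line with the note that follows.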

Note: RACF can also be configured to abend (S4C6, reason xACE) the running program when a security environment change is detected. However, we do not recommend use of this capability since it can result in early termination and unexpected and undesirable results to the operation of the CA Database Management Solutions for Db2 for z/OS.

When the RACF feature is not activated, there is no impact and no action is required.

Note: For Version 19.0, there are no plans to provide support for this RACF feature. End of support has previously been announced for September 2020. For Version 20.0, support for this feature is in active development. When final support is published, we will send another Proactive Notification: Advisory