Privilege Escalation Detection Feature
The z/OS 2.4.0 release of z/OS Security Server RACF has a new feature documented as Detecting ACEE modifications. The intent of this feature is to detect privilege escalation in a user's security environment, specifically when the ACEE (accessor environment element) has been modified. When this feature has been explicitly enabled on systems running both RACF and the CA Database Management Solutions for Db2 for z/OS, RACF may report message IRR421I when execution of the CA Database Management Solutions for Db2 for z/OS products has made changes to the user's security environment. As noted in the RACF documentation, these changes may not be malicious and may in fact be beneficial.
The CA Database Management Solutions for Db2 for z/OS products are committed to the integrity of the resources that our customers trust us to manage. In addition to calling the External Security Manager via the z/OS SAF interface, we also leverage security definitions that are already in place for Db2 objects, users, and resources. The products will query the Db2 security authorization routines to determine whether Db2 would allow the user access to the specific resource. When the response from the routines indicates a user is indeed authorized, the products will directly modify the runtime security environment. This technique minimizes the customer impact of having to manage duplicate security definitions for Db2 as well as for users of the CA Database Management Solutions for Db2 for z/OS products.
When the RACF feature is enabled, it can impact Version 19.0 and Version 20.0 of the CA Database Management Solutions for Db2 for z/OS. Customers who experience IRR421I messages must define a RACF bypass profile to suppress the messages.
To define a RACF bypass profile, issue the following RACF command to create a profile definition:
RDEFINE ACEECHK IRR.EXCLUDE.PTLDRIVM
This profile will then suppress the IRR421I message should it appear with your usage of the products when executing in a RACF-controlled environment. Review the RACF Detecting ACEE modifications documentation for additional details.
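The same definition wrapped in a short REXX exec that also verifies the profile and refreshes the class, as an added example that is not part of this advisory, the RACF documentation, or the CA products; RLIST and SETROPTS are standard RACF commands, and the REFRESH step assumes your installation has RACLISTed the ACEECHK class (if it has not, that command can be omitted):

```rexx
/* REXX: added example, not from the advisory or the CA product.   */
/* Defines the IRR421I bypass profile, lists it back, and refreshes */
/* the in-storage copy of the ACEECHK class.                        */
address TSO

/* Create the bypass profile named in the advisory */
"RDEFINE ACEECHK IRR.EXCLUDE.PTLDRIVM"
if rc <> 0 then do
  say 'RDEFINE ACEECHK IRR.EXCLUDE.PTLDRIVM failed, RC='rc
  exit rc
end

/* Check that the profile now exists and review its attributes */
"RLIST ACEECHK IRR.EXCLUDE.PTLDRIVM ALL"

/* Assumption: ACEECHK is RACLISTed at this site, so the new profile */
/* is not in effect until the in-storage profiles are refreshed.      */
"SETROPTS RACLIST(ACEECHK) REFRESH"
if rc <> 0 then say 'SETROPTS RACLIST(ACEECHK) REFRESH ended with RC='rc

exit 0
```

Run it from a TSO user with authority to administer the ACEECHK class; a non-zero RDEFINE return code usually means the profile already exists or the issuing user lacks authority, and the RLIST output shows which case applies.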
Note: RACF can also be configured to abend (S4C6, reason xACE) the running program when a security environment change is detected. However, we do not recommend use of this capability since it can result in early termination and unexpected and undesirable results to the operation of the CA Database Management Solutions for Db2 for z/OS.
When the RACF feature is not activated, there is no impact and no action to be taken.
Note: For Version 19.0, there are no plans to provide support for this RACF feature. End of support has previously been announced for September 2020. For Version 20.0, support for this feature is in active development. When final support is published, we will send another Proactive Notification: Advisory.