What is RACF in a mainframe

RACF, but fast!

Systems and their environment

Host monitoring

By David Ferré, Berlin

The warning times against hacker attacks are quite short. Subsequent manual evaluation of security logs on mainframes can easily come too late. Tools for the selection and automated evaluation of reports can help to react more quickly and to avoid or minimize damage.

IT security managers often get envious looks when they tell colleagues that they are supported in their daily work by the Resource Access Control Facility (RACF) on the mainframe. This system is synonymous with the highest level of security against unwanted data theft or manipulation. And rightly so: IBM's security solution records and describes almost all security-relevant events.

Almost every day, it logs that company-wide security rules such as regular password changes are not being observed by some users or that unauthorized login attempts have been accumulated or changes have taken place in the RACF database. How far in the past the detected security-relevant events are, however, depends on the scope of the reports generated from RACF as well as on the speed of the evaluating employee.

Because the security logs are only available after batch processing and printing in list form. If there is a high risk of errors, these lists must be evaluated manually in order to find out what was recorded on the last or even the penultimate day in terms of security breaches. The high number of security-relevant events in a large company - experts estimate it to be several million daily - cannot be effectively countered with manual evaluations of reports. Nowadays, security officers often only evaluate the reports on a random basis, which opens the door to abuse.

At the latest due to the increasing importance of the central computer in e-business and internet applications and thus the opening of the "Big Blue" to thousands of customers and thus also to potential attackers, the importance of intelligent real-time detection methods for security-relevant events is increasing for IT security officers in companies. The Gartner Group also reports in "The Erosion of Mainframe Security" on a previously unknown threat to mainframe security due to the increasing opening of these systems to the Internet.

The result of a mainframe security check at 350 international large companies showed, among other things, that the time span until a successful unauthorized intrusion into a host system is between 10 minutes and two days. This short period offers practically no opportunity to record security breaches in a timely manner by manually evaluating reports. Attempts to hack - be it from outside or inside - are often only recognized in time by chance.

So that the mainframe remains a bastion in corporate IT even in times of e-commerce and e-business applications, security guidelines must be checked and tightened. This also requires new mechanisms for the introduction and monitoring of such guidelines as well as the security systems themselves. An essential aspect is the sustainable reduction of the period between the first occurrence of a security-relevant event and its detection - ideally the implementation of reliable real-time security monitoring. Only if security breaches are detected immediately can possible damage be averted or the effects kept as low as possible.

5-W principle

Whichever solution evaluates the security protocols promptly: It is important to reduce the flood of data generated from RACF considerably by selecting the essential data. In order to capture the essential information quickly and in a targeted manner and thus achieve a high level of ability to act, the software should be able to answer the following questions according to the 5-W principle:

  • Who started the event?
  • What happened?
  • Where did it happen?
  • When did it happen?
  • To whom has something happened or who is affected?

RACF provides answers to this question in a variety of System Management Facility (SMF) and other event formats. It therefore makes sense to standardize the evaluation of this information before applying company-specific filter and reporting guidelines. This means that they are not only available for the recording of current events in a uniform format, but can also be used later for revision purposes for any evaluations. Administrators, auditors and auditors can then access a uniform, standardized data format when generating any user-defined reports. The complexity of RACF can thus be hidden.


The monitoring of security-relevant events in real time can be done by reading out the SMF exits IEFU83. The active reporting of detected events takes place via e-mail, to central security event consoles, etc.

Real-time warning

IT auditors in particular are interested in the possibility of promptly checking characteristics for compliance with the security policy in a company and documenting the results. In addition to standard reports, you can also use situation-related individual reports that can be created flexibly. Standard software products exist for this, which allow any evaluations and consistency checks of the RACF messages by reading out and processing SMF data records in a uniform application environment.

The approach of reporting security breaches in real time continues. This reverses the widely practiced principle of retrospectively searching for security-relevant events: The IT auditor does not have to search for such events or incorrectly implemented security rules, but the system automatically reports security-relevant events or rule violations. Such an alarm can take place in different ways: In addition to e-mails, events can also be sent to central security event consoles or via SMS.

Beta Systems Software AG, for example, provides an automation solution for real-time monitoring of security-relevant events in companies. The Automated Security Auditor for OS / 390 BETA 89 monitors and filters the "Type 80" SMF data records generated from RACF with the aim of reducing their number and limiting them to critical, security-relevant events. The use of the SMF exit IEFU83 enables the existing filter logic to be changed during operation.

BETA 89 reports security events in real time via e-mail or to central security event consoles from Tivoli, for example. The software initiates a task under OS / 390 to identify reportable security events and to carry out the report. For this purpose, guidelines for filtering and reporting as well as target information for reporting security events are stored in a relational database.

David Ferré is Director of the "Data Center Management" business unit at Beta Systems Software AG ( www.betasystem.com).

© SecuMedia-Verlags-GmbH, D-55205 Ingelheim,
KES 5/2001, page 20


Back to content