Creating and defining the started task


Create a dedicated started task control (STC) user under which the BMC AMI Security Policy Manager started task will run.




To create the started task

Create the STC user ID with the characteristics given in the RACF, Top Secret, or ACF2 section that follows (a password-less, protected ID with an OMVS segment).

Grant the STC user the following permissions so that SPM has full functionality:

  • CLASS OPERCMDS - MVS.MCSOPER.* (READ)
  • CLASS OPERCMDS - MVS.DISPLAY.* (READ)
  • CLASS MQCMDS - <MQsubsystemName>.DISPLAY.** (READ)
  • CLASS MQCMDS - <MQsubsystemName>.SECURITY.** (READ)
  • CLASS UNIXPRIV - SUPERUSER.FILESYS (READ)

With these authorities the started task initializes without access failures. If you still see access errors at startup, contact BMC Support.

To define the started task to RACF

(SPE2501) When you define the user associated with the SPM task, configure the started task definition for the external security manager (RACF, Top Secret, or ACF2) of the environment where you run SPM.

To make sure that SPM can read the entire UNIX file system, scan USS files, and detect anomalies, do one of the following:

  • Grant the SPM STC user ID READ access to the UNIXPRIV class profile SUPERUSER.FILESYS. This is the narrower choice: READ lets the task read any local file and search any local directory, and nothing else.
  • Assign the TRUSTED attribute to the STARTED class profiles created for SPM. This is the broader choice: a trusted started task bypasses most RACF resource authorization checks (its accesses can still be audited), so prefer the UNIXPRIV permit unless your site already runs its security products' started tasks as trusted.

Use the following commands to define the SPM started task to RACF. The TRUSTED operand on the STARTED profiles applies only if you chose the TRUSTED option above; omit it if you granted SUPERUSER.FILESYS instead:

ADDUSER <stcUser> NOPASSWORD NOOIDCARD NAME('BMC AMI SPM') OWNER(<owner>) DFLTGRP(<groupName>)

CONNECT <stcUser> GROUP(<groupName>) OWNER(<owner>) AUTH(USE) UACC(NONE)
RDEFINE STARTED <spmSTCname>.* STDATA(USER(<stcUser>) TRUSTED(YES))
RDEFINE STARTED <masterSTCname>.* STDATA(USER(<stcUser>) TRUSTED(YES))
SETROPTS REFRESH RACLIST(STARTED)

ALTUSER <stcUser> OMVS(UID(<uidNumber>) HOME('<pathName>') PROGRAM('/bin/sh'))
PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID(<stcUser>) ACCESS(CONTROL)
SETROPTS REFRESH RACLIST(FACILITY)

Replace the following placeholders:

  • <stcUser>—RACF user ID under which the SPM started task runs
  • <owner>—RACF owner of the user ID and of the STARTED profiles
  • <groupName>—RACF group to which the STC user ID is connected (its default group)
  • <spmSTCname>—Name of the SPM procedure (for example, BASPMS)
  • <masterSTCname>—Name of the SPM master address space procedure (for example, BASPMM)
  • <uidNumber>—OMVS UID for the STC user ID (a unique, non-zero value)
  • <pathName>—USS home directory for <stcUser>
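The following REXX exec is an added example and is not code from this page or from BMC. It runs the RACF definitions above as one unit, taking the least-privilege path (a UNIXPRIV permit rather than TRUSTED), and adds the PERMIT commands for the OPERCMDS, MQCMDS, and FACILITY authorities that the page lists but gives no commands for, followed by a refresh and a verification listing. The exec name SPMRACF, the data set hlq.EXEC, and the values SYSADM, STCGRP, CSQ1, and UID 9001 are assumptions for this example; the refresh assumes the listed classes are RACLISTed at your site.

```rexx
/* REXX - SPMRACF: added example, not code from the BMC page or from BMC. */
/* Run under TSO as a RACF administrator, for example:                    */
/*   EX 'hlq.EXEC(SPMRACF)'                                               */
/* It builds the SPM started task the least-privilege way: a UNIXPRIV     */
/* permit instead of TRUSTED, plus the OPERCMDS, MQCMDS and FACILITY      */
/* permits. Every value below is an assumption for this example; replace  */
/* it with your site's names before running.                              */
stcUser    = 'BASPM'     /* <stcUser>: ID the started task runs under      */
stcGroup   = 'STCGRP'    /* <groupName>: hypothetical                      */
owner      = 'SYSADM'    /* <owner>: hypothetical owning ID                */
spmProc    = 'BASPMS'    /* <spmSTCname>, the page's example name          */
masterProc = 'BASPMM'    /* <masterSTCname>, the page's example name       */
mqSubsys   = 'CSQ1'      /* <MQsubsystemName>: hypothetical                */
uidNumber  = 9001        /* <uidNumber>: unique, non-zero OMVS UID          */
homePath   = '/u/baspm'  /* <pathName>                                     */
errors = 0

/* 1. Protected user ID with its OMVS segment, connected to its group     */
cmd = "ADDUSER" stcUser "NOPASSWORD NOOIDCARD NAME('BMC AMI SPM')" ,
      "OWNER("owner") DFLTGRP("stcGroup")" ,
      "OMVS(UID("uidNumber") HOME('"homePath"') PROGRAM('/bin/sh'))"
call racf cmd
call racf "CONNECT" stcUser "GROUP("stcGroup") OWNER("owner") AUTH(USE) UACC(NONE)"

/* 2. STARTED profiles without TRUSTED: the task holds only what is       */
/*    explicitly permitted to it below                                    */
call racf "RDEFINE STARTED" spmProc".* STDATA(USER("stcUser") GROUP("stcGroup"))"
call racf "RDEFINE STARTED" masterProc".* STDATA(USER("stcUser") GROUP("stcGroup"))"

/* 3. The authorities listed under "To create the started task".          */
/*    PERMIT fails with "NOT DEFINED" when no profile covers the resource; */
/*    in that case check RLIST before creating one, because a new         */
/*    UACC(NONE) profile restricts every other user of that resource too. */
call racf "PERMIT MVS.MCSOPER.* CLASS(OPERCMDS) ID("stcUser") ACCESS(READ)"
call racf "PERMIT MVS.DISPLAY.* CLASS(OPERCMDS) ID("stcUser") ACCESS(READ)"
call racf "PERMIT" mqSubsys".DISPLAY.** CLASS(MQCMDS) ID("stcUser") ACCESS(READ)"
call racf "PERMIT" mqSubsys".SECURITY.** CLASS(MQCMDS) ID("stcUser") ACCESS(READ)"
/* READ on SUPERUSER.FILESYS: read any file, search any directory, no more */
call racf "PERMIT SUPERUSER.FILESYS CLASS(UNIXPRIV) ID("stcUser") ACCESS(READ)"
/* CONTROL on IRR.DIGTCERT.LIST: list CERTAUTH and SITE certificates as   */
/* well as the task's own; READ would cover only its own                  */
call racf "PERMIT IRR.DIGTCERT.LIST CLASS(FACILITY) ID("stcUser") ACCESS(CONTROL)"

/* 4. Refresh the in-storage profiles. UNIXPRIV is only honoured when     */
/*    RACLISTed; drop any class the refresh reports as not RACLISTed.     */
call racf "SETROPTS RACLIST(STARTED OPERCMDS MQCMDS UNIXPRIV FACILITY) REFRESH"

/* 5. Show what was built before the task is started for the first time   */
call racf "LISTUSER" stcUser "OMVS NORACF"
call racf "RLIST STARTED" spmProc".* STDATA"
call racf "RLIST UNIXPRIV SUPERUSER.FILESYS AUTHUSER"

if errors > 0 then say errors 'command(s) failed; review the ICH/IRR messages above'
exit errors

/* Issue one RACF command under TSO, echo it, and count non-zero returns */
racf:
  parse arg cmd
  say '>' cmd
  address TSO cmd
  if rc <> 0 then do
    say '    return code' rc
    errors = errors + 1
  end
  return
```

The exec deliberately does not define any OPERCMDS, MQCMDS, or UNIXPRIV profiles itself: if a PERMIT reports that the profile is not defined, inspect the class with RLIST first, because creating a generic profile with UACC(NONE) changes the access of every user of that resource, not only the SPM task. If your site chose the TRUSTED option instead, add TRUSTED(YES) inside the two STDATA operands and drop the SUPERUSER.FILESYS permit.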

To define the started task to Top Secret

Use the following syntax as a guide to make sure that the BMC AMI Security Policy Manager started task has the correct Top Secret authorities:

TSS CREATE(BASPM) NAME('BMC AMI SPM') TYPE(SCA) PASSWORD(NOPW)
TSS ADD(BASPM) GROUP(<stcGroupName>) UID(<uidNumber>)
TSS ADD(BASPM) GROUP(OMVSGRP) DFLTGRP(OMVSGRP)
TSS ADDTO(BASPM) HOME(/u/baspm) OMVSPGM(/bin/sh)
TSS ADD(STC) PROCNAME(<spmMasterAddressSpaceName>) ACID(BASPM)
TSS ADD(STC) PROCNAME(<spmAddressSpaceName>) ACID(BASPM)
TSS PERMIT(BASPM) CASECAUT(TSSUTILITY.TSSCFILE) ACCESS(USE)
TSS ADMIN(BASPM) RESOURCE(AUDIT,REPORT,INFO) MISC9(GENERIC) ACID(AUDIT,REPORT,INFO) DATA(ALL,PROFILE) MISC8(ALL)
TSS ADDTO(BASPM) FAC(STC)
TSS ADMIN(BASPM) MISC4(CERTLIST)

The example uses BASPM as the started task ACID and /u/baspm as its home directory; change both if your site uses different names. Replace the following placeholders:

  • <stcGroupName>—Top Secret group to which the started task ACID is added
  • <uidNumber>—User identifier value in the OMVS segment (a unique, non-zero UID)
  • <spmMasterAddressSpaceName>—Name of the SPM master address space
  • <spmAddressSpaceName>—Name of the SPM address space

To define the ACF2 started task

  1. Use the following syntax as a guide to make sure that the BMC AMI Security Policy Manager started task has the correct ACF2 authorities:

    INSERT <stcUserId> NAME(BMC AMI Security Policy Manager) ACCOUNT AUDIT RESTRICT -
    SECURITY TSO GROUP(<omvsGroup>) PREFIX(RSS) CONSOLE JCL -
    OPERATOR PROMPT HOME(/u/baspm) OMVSPGM(/bin/sh) -
    UID(<uid>) RULEVLD RSRCVLD

    Replace the following placeholders:

    • <stcUserId>—ACF2 logon ID for the started task
    • <omvsGroup>—OMVS group name
    • <uid>—OMVS UID number stored in the logon ID's OMVS fields (a unique, non-zero value)
  2. Select TSO option 6 and set the following global system options (GSO) record:

    ACF
    SET CONTROL(GSO)
    INSERT STC GROUP(OMVSGRP) LOGONID(<stcUserId>) STCID(<stcName>)
    F ACF2,REFRESH(STC)

    Replace the following placeholders:

    • <stcUserId>—ACF2 logon ID for the started task
    • <stcName>—Started task name

    Tip

    To make sure the GSO record was successfully updated, run the following command:

    SHOW STCID
  3. Define the logon ID for the RSS started tasks through the STC GSO record, as in step 2, and not by giving the logon ID the STC privilege.
    The RSS started tasks create USS processes, and processes spawned under a logon ID defined through the GSO record retain all of the started task's privileges; they do not when the logon ID is set up with the STC privilege instead of an STC GSO record.
  4. Set the following general resource access:

    $KEY(BPX) TYPE(FAC)
    CONSOLE UID(<stcUserId>) ALLOW
    SUPERUSER UID(<stcUserId>) ALLOW

    $KEY(IRR) TYPE(FAC)
    RADMIN UID(<stcUserId>) ALLOW
    DIGTCERT.LIST UID(<rssUIDstring>) ALLOW

    In rule entries, UID() takes an ACF2 UID string (mask), not a logon ID. Replace <stcUserId> and <rssUIDstring> with the UID string that matches the ACF2 logon ID of the started task.

  5. In the ACF2 rules for MVS operator commands (the OPERCMDS resources), restrict MVS.MODIFY.STC.RSSSPM.RSSSPM to the users who maintain the software, so that only they can issue MODIFY commands to the SPM task.
    The ACF2 logon ID for the started task requires access to the SDSF resource ISF.CONNECT.** and to all SDSF display commands.
