In a C2 environment, you should be able to restrict and log the introduction (and deletion) of objects into a user’s address space. This means that you must be capable of both restricting objects to authorized users and auditing the use of the objects.
The DEFINE (privilege class A or B or G) and DETACH (privilege class B or G) commands control the introduction and deletion of objects into a user’s address space by establishing and terminating virtual devices, such as T-DISKs (temporary minidisk storage areas).
DEFINE is a prerequisite for introducing objects through CTCAs; that is, when two virtual machines establish virtual CTCAs with DEFINE, data transfers can then take place by linking the CTCAs with the COUPLE command. (For information about the COUPLE command, see the COUPLE Command section.) When the data transfer is complete, you can issue DETACH to terminate the virtual CTCAs.
With CA ACF2 for z/VM command limiting, you can log or prevent the use of DEFINE and DETACH to control how objects can be accessed. To implement command limiting for the CP DEFINE and DETACH commands, you must create command limiting rule sets with a $KEY of DEFINE and DETACH. For example, to audit all real and virtual devices being defined or detached, LOG access rules are required:
$KEY(DEFINE) - UID(-) LOG
$KEY(DETACH) - UID(-) LOG
Copyright © 2013 CA Technologies.
All rights reserved.