When writing rules to protect your spool queue and files, you must consider all of the spooling-related commands. Be aware that some commands, such as CHANGE, QUERY, PURGE, SPTAPE, and TRANSFER, alter the attributes of a spool file. Rules for these commands should ensure that a user cannot deliberately alter the attributes of a spool file and then obtain access to it. When one of these commands is issued, CA ACF2 for z/VM searches through the spool queue and matches all attributes of the spool file to the operands specified in the CP command. This process ensures that the object of the command (the affected spool file) is properly matched against the CA ACF2 for z/VM rule.
Class C and E users, or a person who has access to the computer system console, can use the CP commands that display storage (DCP and DMCP) to determine the attributes of a spool file or spooling device. These users could also use the STCP command to alter the attributes of spool files. We recommend that you use CA ACF2 for z/VM command limiting to control these powerful CP commands and employ physical security measures to protect the computer system console.
Copyright © 2013 CA Technologies.
All rights reserved.