Before writing any command limiting rules, select the CP commands to include or exclude from CA ACF2 for z/VM validation.
You may not need to validate the execution of certain CP commands because VM Class G users may commonly use them. Such commands include:
Continues or resumes execution in the virtual machine at the specified location
Ends the spooling activity
Clears all pending interrupts from the specified virtual device
Stores data in specific registers or locations
Clears virtual storage and associated keys, or simulates the RESET or RESTART commands
Sets virtual console options.
You may need to tightly control the execution of other CP commands. This can include Class A commands such as:
Logs the specified user off the system
Terminates all VM/SP functions
Changes the contents of real storage.
You can also allow the use of certain commands, but log their execution. When determining which CP commands to include or exclude from validation, you can use the previous lists of commands as a guide. Carefully review the security exposures posed by each CP command and place controls where necessary.
Copyright © 2009 CA Technologies.
All rights reserved.