Before you write the diagnose limiting rules, select the diagnose codes that CA ACF2 for z/VM includes or excludes from validation.
You can determine that executing certain diagnose codes requires no validation because they are commonly used by VM Class G users. Such diagnose codes include those that perform the following functions:
- Stores the VM time information in the user’s virtual storage.
- Performs input or output operations to a direct access device. System performance can be greatly affected if x’18’ executions are logged.
- Specifies channel command word (CCW) chain to execute on a tape, disk, or unit record device. System performance can be greatly affected if x’20’ executions are logged.
- Controls the function of the PA2 function key.
- Communicates with IBM 3270 display stations.
You should restrict execution of the following diagnose codes:
- Reads one page of the system error recording area.
- Reads the system dump spool file.
- Updates the VM directory.
- Replaces the specified data in any VM directory entry.
These are only a few of the diagnose codes you can choose to validate. You should review all diagnose codes for security concerns and implement diagnose instruction control as necessary.
Copyright © 2009 CA Technologies.
All rights reserved.