

Protecting the DIAL Command

This section provides some guidelines to follow when implementing DIAL command control. The following terms are used in this section:

Dialer

Specifies the user who is requesting access to a target virtual machine. When a dialer requests access to a secured machine, CA ACF2 for z/VM prompts the dialer to enter a logonid and current password.

Target Machine

Specifies the virtual machine to which the dialer is requesting access.

Complete the following steps to implement DIAL command control using CA ACF2 for z/VM:

  1. Identify the virtual machines to be secured for DIAL access. By default, all machines are secured.
  2. Establish command limiting controls that let users execute the DIAL command (optional).
  3. Write DIAL resource rule sets that let target machines be accessed.

When the DIAL succeeds, CA ACF2 for z/VM creates a $DIAL SMF record. When the DIAL is severed, CA ACF2 for z/VM creates a $DROP SMF record. If a DIAL command does not pass each validation step, CA ACF2 for z/VM denies access and creates an SMF record. Details and examples for completing each of the above steps are provided in the following sections.

Establishing DIAL Command Limiting Controls

When you restrict DIAL using command limiting, you prevent unauthorized attempts to execute this command. The following controls determine the implementation for DIAL command limiting:

Writing DIAL Resource Rules

To implement DIAL support for virtual machines, you must write DIAL resource rule sets and store them on the Infostorage database. The $KEY value for a resource rule is the target machine (the machine being dialed). For example:

acf
ACF
set resource(dia)
RESOURCE
compile
ACFpgm510I ACF COMPILER ENTERED
$KEY(dirm) type(dia)
 uid(maint) allow
 uid(tlc) allow
end
ACFpgm551I TOTAL RECORD LENGTH=NN BYTES NN PERCENT UTILIZED
store
ACFpgm769I RULE DIRM STORED

The DIAL operand of the RESCLASS VMO record defines the type code required for DIAL resource rule validation. The default is DIA. You can modify this value.

This rule set lets DIRM be dialed by MAINT and any user with the TLC- UID mask. You should create additional DIAL resource rules that are appropriate for your site using the COMPILE subcommand of the RESOURCE setting. You can display resource rules with the DECOMP subcommand of the RESOURCE setting. If you do not want CA ACF2 for z/VM to validate a dialer to a virtual machine, set the DIALBYP (DIAL resource validation BYPASS) attribute on the target machine's logonid record. See the Administrator Guide for more information about DIALBYP.
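Before storing a DIAL rule set, an administrator usually wants to know which dialers it will actually admit. The Python below is an added example, not CA ACF2 code: it parses rule-set text in the form shown in the compiler session above, decides a DIAL attempt against it, honours the DIALBYP bypass, and produces the $DIAL and $DROP records the text describes. The UID-mask interpretation (a trailing "-" matches the rest of the UID, "*" matches one character, and a mask shorter than the UID acts as a prefix), the first-match entry precedence, the record layout and the denial record name are all assumptions of this model; only the $DIAL/$DROP names and the DIALBYP behaviour come from the page.

```python
"""Toy evaluator for DIAL resource rule sets in the style shown above.

Added example, not CA ACF2 code.  The UID-mask semantics ('-' matches the
remainder of the UID, '*' matches exactly one character, a mask shorter
than the UID is treated as a prefix), the first-match entry precedence and
the SMF record layout are assumptions made for this model; only the record
names $DIAL and $DROP and the DIALBYP bypass come from the documentation.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the rule-set text from the compiler session above.
RULE_TEXT = """\
$KEY(dirm) type(dia)
 uid(maint) allow
 uid(tlc) allow
"""


@dataclass
class RuleSet:
    key: str                                   # target machine ($KEY)
    type_code: str                             # resource type code, DIA by default
    entries: list = field(default_factory=list)  # (uid_mask, "allow" | "prevent")


def parse_rule_set(text: str) -> RuleSet:
    """Parse compiler input: one $KEY line followed by uid() entries."""
    rs = None
    for raw in text.splitlines():
        line = raw.strip().lower()
        m = re.fullmatch(r"\$key\((\w+)\)\s+type\((\w+)\)", line)
        if m:
            rs = RuleSet(m.group(1), m.group(2))
            continue
        m = re.fullmatch(r"uid\(([\w*-]+)\)\s+(allow|prevent)", line)
        if m and rs is not None:
            rs.entries.append((m.group(1), m.group(2)))
    if rs is None:
        raise ValueError("no $KEY line found")
    return rs


def uid_matches(mask: str, uid: str) -> bool:
    """Assumed masking: '-' = rest of string, '*' = one char, short mask = prefix."""
    mask, uid = mask.lower(), uid.lower()
    for i, c in enumerate(mask):
        if c == "-":
            return True
        if i >= len(uid) or (c != "*" and c != uid[i]):
            return False
    return True  # every mask character matched; trailing UID characters are ignored


def validate_dial(rules: dict, dialer_uid: str, target: str, target_dialbyp: bool = False):
    """Return (decision, smf_record) for one DIAL attempt.

    rules maps a lower-cased target machine name to its RuleSet.  A target
    whose logonid has DIALBYP is not validated at all; the documentation does
    not say whether a record is cut in that case, so none is modelled.
    """
    if target_dialbyp:
        return "allow", None
    rs = rules.get(target.lower())
    decision = "deny"                         # no rule set, no match: denied
    if rs is not None:
        for mask, action in rs.entries:       # assumption: first matching entry wins
            if uid_matches(mask, dialer_uid):
                decision = "allow" if action == "allow" else "deny"
                break
    # $DIAL is the documented success record; the denial record name is a placeholder.
    rec_type = "$DIAL" if decision == "allow" else "DIAL-DENIED(placeholder)"
    return decision, {"type": rec_type, "dialer": dialer_uid.upper(), "target": target.upper()}


def sever_dial(dialer_uid: str, target: str) -> dict:
    """The documented $DROP record written when a DIAL session is severed."""
    return {"type": "$DROP", "dialer": dialer_uid.upper(), "target": target.upper()}


RULES = {rs.key: rs for rs in [parse_rule_set(RULE_TEXT)]}

if __name__ == "__main__":
    for uid in ("MAINT", "TLCJONES", "OPER1"):
        print(uid, validate_dial(RULES, uid, "DIRM"))
    print(sever_dial("MAINT", "DIRM"))
```

Run it as a script to see the three outcomes for the rule set above: MAINT and any UID starting with TLC are allowed and get a $DIAL record, while an unmatched UID is denied and gets the placeholder denial record. Feeding your own site's rule text into parse_rule_set is a quick way to review a rule set before issuing STORE, but the real access decision is made by CA ACF2 for z/VM, not by this model.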