This section contains information for installing DASD Dump and Restore support. CA ACF2 for z/VM protects the DDR module only when it resides on the CMS system disk. To turn on DDR protection, the security administrator writes a rule that makes the DDR MODULE execute‑only to everyone on the system. In addition, you must not allow DDR to copy the CMS system disk.
If the CMS system disk is the $CMSSYS$ 190 disk, the following rule set correctly activates DDR security:
acf ACF $key($cmssys$) v0190.ddr:module.uid(‑) exec(a) v0190.‑ uid(‑) pgm(ddr) v0190.‑ uid(‑) read(a) exec(a)
CA ACF2 for z/VM assumes the DDR function belongs to the owner of the CMS system disk. Therefore, it does not validate the owner of the CMS system disk for DDR. To avoid this circumvention of DDR security, there are two possible courses of action:
If you are only logging DDR validations, you normally see both a READ and a WRITE logging each time a user uses DDR to write on a disk because DDR always reads from an output disk before it actually writes to the disk. CA ACF2 for z/VM also performs a format validation for DDR output operations. Thus, if you are logging (but not preventing) both DDR and FORMAT operations, you see a DDR READ, a DDR WRITE, and a FORMAT logging for a single output operation.
We recommend you secure the IPL DDRXA standalone module from general system users. For example, you can place it on a MAINT minidisk so that users cannot use it. You can use CA ACF2 for z/VM command limiting to prevent users from IPLing nonsecured virtual machines.
|
Copyright © 2013 CA Technologies.
All rights reserved.
|
|