|
|
|
z/OS security, integrity, and control depends upon proper administration of its system libraries. All of these libraries should be protected from unauthorized modification. Those that contain programs that bypass standard z/OS interfaces should also be read‑protected. The APF, Link List, and LPA Library Displays are subsets of the Key System File Display. You can access this information from the Key z/OS Libraries display (2.4).
Auditor___________________________ Location___________________ Page____of____
Approved__________________________ CPU________________________ Date__________
|
Step |
Description |
W/P Ref |
Finding |
Remarks |
|---|---|---|---|---|
|
1 |
Use the Key System File Display (2.4.4) to prepare a work paper that lists the names of all z/OS system libraries. Note the dates of creation, expiration, and access for each library. |
|
|
|
|
2 |
Use your access control software to identify all unprotected libraries. |
|
|
|
|
3 |
From the Key System File Display (2.4.4), determine if any of the libraries were not accessed due to an unavailable volume. Use the Catalog File Scan (6.2) to obtain the data set volser and the Hardware Device display (1.2) to identify removable disk media or offline DASD devices. Check for compliance with data center procedures. |
|
|
|
|
4 |
From the Key System File Display (2.4.4), determine if any libraries were not found on their designated disk pack volume. This exposure permits creation of a “Trojan horse” library by anyone who can allocate the missing library to the pack. |
|
|
|
|
5 |
To prevent unauthorized use of programs that can bypass security mechanisms, use the Computer System Profile and the Program Origin display (5.1) to determine if the libraries that contain IEHDASDR, FDR, FDRDSF, IEHATLAS, IEHINITT, ICKDSF, ADRDSSU, Resolve, Omegamon, and APF‑authorized copies of AMASPZAP are access‑protected. |
|
|
|
|
6 |
As outlined in this guide, use the APF Library Statistics Summary (2.2.1), the Duplicate APF Programs (2.2.2), and Program Statistics (5.2) displays to further analyze the contents of the APF libraries. Identify obsolete, duplicate, and potential “Trojan horse” APF programs. |
|
|
|
|
7 |
Because the system parameter library specifies many of the key z/OS libraries, use the Parmlib displays to keep track of the APF library lists, system linklist, and the LPA libraries. Follow the checklist steps for the Parmlib IPL Map (2.1.1) and Parmlib Member Status (2.1.2) displays to determine if adequate controls protect the library lists. Note: If your site uses a logical Parmlib that consists of two or more data sets concatenated together, you will need to use the 2.1 Parmlib Analysis functions to analyze all of the logical Parmlib data sets. The 2.4.4 Key System File Display will process only the SYS1.PARMLIB data set, and this may be inadequate for your installations environment. |
|
|
|
|
8 |
From the Key System File Display (2.4.4), verify that the z/OS PASSWORD file is read‑protected to prevent unauthorized access and disclosure of its contents. |
|
|
|
|
9 |
From the Key System File Display (2.4.4), note those libraries that use multiple extents. Determine if the Operations or Technical Support staff monitor library size on a systematic basis to prevent system outages from overflowed libraries. |
|
|
|
|
10 |
The LOADxx parameter member can exist in the SYSx.IPLPARM data set on the IODF volume or the SYS1.PARMLIB data set on the sysres volume. Be certain the access control software allows only appropriate update to these data sets through a change control procedure. |
|
|
|
| Copyright © 2009 CA. All rights reserved. | Tell Technical Publications how we can improve this information |