TSO is primarily a tool for the online development and testing of computer programs. It uses the VTAM telecommunications access method and, except for some CA ACF2 systems, keeps information about each of its users in the TSO user attribute data set, SYS1.UADS.
Use the Time Sharing Option display (2.5) to access this information.
Auditor___________________________ Location___________________ Page____of____
Approved__________________________ CPU________________________ Date__________
| Step | Description | W/P Ref | Finding | Remarks |
|---|---|---|---|---|
| 1 | Because computer hackers often exploit vendor‑supplied default user IDs, use the TSO display to determine if the defaults IBMUSER and ACFUSER were removed from SYS1.UADS. | | | |
| 2 | Use the Key z/OS Libraries display (2.4) or your access control software to determine if SYS1.UADS is adequately protected from unauthorized access or modification. | | | |
| 3 | Use the File History Search display (6.5) to search SMF for updates to SYS1.UADS. Verify that proper authorization and procedures were obtained for changes. | | | |
| 4 | From the TSO Analysis display (2.5), determine if any user IDs are named SYS1 or have SYS1 as a prefix. Access control software can treat these user IDs as owners of the system files and not perform access validation. | | | |
| 5 | Obtain the names of the APF libraries from the APF Library Statistics display (2.2.1). Use their high‑level qualifier and repeat the test outlined in Step 4. | | | |
| 6 | Use the high‑level qualifier to select a sample of production application data files. Repeat the test outlined in Step 4. | | | |
| 7 | TSO can permit a subset of console operator commands, including canceling other TSO users and viewing held output. Use the TSO Analysis display to determine which user IDs have OPERATOR authority. Verify that it was granted on a need‑to‑know basis. | | | |
| 8 | TSO users should not normally access tape files. From the display, note which user IDs have MOUNT authority, and determine if it was made available on a need‑to‑have basis. | | | |
| 9 | Although TSO is most often a programmer’s tool, some data centers make it available to other users. If such use does not require submitting batch jobs, verify from the display that these user IDs do not have the JCL attribute. | | | |
| 10 | Obtain copies of data center procedures and standards for job class, message class, SYSOUT class, and remote printer destination IDs. Pick a sample of user IDs from the display and verify that they comply with these standards. | | | |
| 11 | TSO permits users to have multiple accounts and multiple logon procedures in accounts. Obtain copies of data center standards for accounting information and logon procedures, and then select a sample of user IDs to obtain the TSO PSWD/ACCT/PROC display. Verify that they comply with data center standards. | | | |
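The tests in steps 1 and 4 through 9 can also be run over a user ID list that has been copied out of the display. The following Python is an added example, not part of the CA product or its documentation; the record layout, the attribute labels and all sample user IDs and data set names are constructed assumptions.

```python
# Added example. The record layout, attribute labels and every ID and data set
# name below are constructed for illustration; they are not product output.
DEFAULT_IDS = {"IBMUSER", "ACFUSER"}         # vendor defaults named in step 1
REVIEW_ATTRS = ("OPERATOR", "MOUNT", "JCL")  # authorities named in steps 7-9

USERS = [  # constructed sample of user IDs and their attributes
    {"id": "IBMUSER", "attrs": {"OPERATOR", "MOUNT", "JCL"}},
    {"id": "SYS1ADM", "attrs": {"JCL"}},
    {"id": "PAYROLL", "attrs": set()},
    {"id": "CLERK01", "attrs": set()},
    {"id": "DEVJOE", "attrs": {"JCL"}},
]
# Constructed sample: APF libraries (step 5) and production files (step 6).
DATASETS = ["SYS1.LINKLIB", "VENDOR.AUTHLIB", "PAYROLL.MASTER.FILE"]


def high_level_qualifier(dsname):
    """Return the first qualifier of a data set name (SYS1 for SYS1.LINKLIB)."""
    return dsname.strip().upper().split(".", 1)[0]


def review_users(users, dsnames):
    """Return {user_id: [findings]} for the IDs an auditor should follow up."""
    # Step 4 always tests SYS1; steps 5 and 6 repeat the test for other qualifiers.
    hlqs = {"SYS1"} | {high_level_qualifier(d) for d in dsnames if d.strip()}
    findings = {}
    for user in users:
        uid = user["id"].upper()
        notes = []
        if uid in DEFAULT_IDS:
            notes.append("step 1: vendor default ID still defined")
        for hlq in sorted(hlqs):
            if uid.startswith(hlq):  # equal to the qualifier or prefixed by it
                notes.append(f"steps 4-6: ID matches or starts with {hlq}")
        for attr in REVIEW_ATTRS:
            if attr in user["attrs"]:
                notes.append(f"steps 7-9: has {attr}; confirm business need")
        if notes:
            findings[uid] = notes
    return findings


if __name__ == "__main__":
    for uid, notes in review_users(USERS, DATASETS).items():
        for note in notes:
            print(f"{uid:8} {note}")
```

Each finding is a prompt for the Finding and Remarks columns of the worksheet, not a conclusion; the JCL attribute, for example, is expected for programmers.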
Copyright © 2009 CA. All rights reserved.