
Program Properties Table

For performance or other reasons, certain programs and subsystems must be permitted to bypass standard z/OS security and control mechanisms. The program properties table (PPT) tells z/OS which programs are endowed with these special powers. You need read access authority to SYS1.LINKLIB.

Use the Program Properties Table option (3.6) to access this information.

Auditor___________________________ Location___________________ Page____of____

Approved__________________________ CPU________________________ Date__________

Step    Description    W/P Ref    Finding    Remarks

Step 1

From the PPT display, prepare a work paper that shows the programs specified in the PPT and the special powers granted to them. Determine if adequate documentation is available that defines the purpose, use, and function of each specified program.

Step 2

z/OS systems may be shipped with PPT entries for products that are not installed on the system. Use the System Overview display (1.1) to determine whether the JES2 or JES3 job entry subsystem is installed on your computer.

Step 3

If you determined in Step 2 that you have JES2, review the PPT display to ensure that the JES3 module, IATINTK, is not specified in the PPT.

Step 4

If you determined in Step 2 that you have JES3, review the PPT display to ensure that the JES2 module, HASJES20, is not specified in the PPT.

Step 5

From the Computer System Profile, determine if the data center has CICS. If it does not, review the PPT display: no modules with the DFH prefix, such as DFHSIP, should exist in the PPT.

Step 6

From the Computer System Profile, determine if the data center has IMS. If it does not, review the PPT display: no modules with the DFS prefix, such as DFSMVRC0, and no modules with storage key 7 should exist in the PPT.

Step 7

If any inappropriate or otherwise suspect PPT entries were identified from the display in Steps 3 through 6, select each entry and perform a library search to detect missing modules.

The PPT Analysis display (3.6) tries to identify standard IBM entries. However, if the module does not exist, the entry for it in the PPT represents a security exposure. See the Technical Reference Guide for more information.

Step 8

On the PPT display, select all modules that have a z/OS system storage protection key (a key value less than 8).

Perform a library search for each of these modules. These programs can access and modify system storage. Key 0 is the “master key.” Searching the libraries and LPA determines if any of the module names has no associated module entry.

Step 9

Use the PPT display to select and search system libraries for each module that has Yes displayed in the Password Bypass field on the PPT Analysis screen. This indicates that the module can bypass PASSWORD, CA Top Secret, and RACF file protection. Searching the libraries and LPA determines if any of the module names has no associated module entry.

Step 10

Use the PPT display to select all modules that can ignore data set integrity. This is indicated by Yes in the Data Set Integrity Bypass field. Perform a search of all eligible APF libraries to determine the location of each module. Searching the libraries and LPA determines if any of the module names has no associated module entry.

Step 11

If, for any of the searches you performed in Steps 7 through 10, the PPT Library Search screen appeared after the search with only an entry in the PROGRAM field, CA Auditor could not find the module or you do not have read access to the library where the module resides.

If the module does not exist, this entry in the PPT can permit substitution of a “Trojan horse” module for the missing module to gain the powers granted by the PPT.

Step 12

Note multiple copies of any of the modules you searched for in Steps 7 through 10.

Using the Program Origin (5.1), Program Statistics (5.2) and File History Search (6.5) displays, gather information about each copy, such as module sizes, link edit dates, APF status, and so on.

Multiple versions of a PPT module can indicate that the version that the data center intends for use is not the one that is actually being used on the system.

Step 13

Check the PPT Analysis display to see if any missing modules (from Steps 7 through 10) reside in FLPA or MLPA.

If a PPT entry is found in the MLPA, PLPA, and a library, the MLPA version is the one that is executed. If a PPT entry is found in the PLPA and a library, the PLPA version is the one that is executed.

Step 14

If the same module resides in multiple locations, z/OS searches any JOBLIB or STEPLIB libraries first, followed by FLPA, MLPA, LPA, and then SYS1.LINKLIB and its concatenation. Use the Link List Library Display (2.4.2) to find the names of the libraries in the concatenation.

Note: If the library specified by the JOBLIB or STEPLIB DD statement is not an APF‑authorized library, the module does not gain the powers specified for it in the PPT.
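The checks in Steps 3 through 14 can be applied mechanically once the PPT entries and the results of the library/LPA searches have been written down. The script below is an added example, not part of the CA Auditor product or of this checklist: it parses a constructed listing written in the style of SCHEDxx PPT statements (the module names are the ones the checklist mentions; their attributes, the installed-product profile, the library names and the APF flags are all invented for the example), then flags entries for products that are not installed, entries that grant a system key, password bypass or data set integrity bypass with no module behind them, and modules with multiple copies, reporting which copy would run under the search order given in Step 14 and whether that copy is in an APF-authorized library. The token names PGMNAME, KEY, PASS/NOPASS and DSI/NODSI are the SCHEDxx keywords; everything else is assumed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of SCHEDxx PPT statements. Module names are those the
# checklist mentions; the attributes are invented for the example, not from any real system.
SAMPLE_PPT = """\
PPT PGMNAME(HASJES20) KEY(1) NOSWAP PRIV SYST DSI PASS
PPT PGMNAME(IATINTK)  KEY(1) NOSWAP PRIV SYST DSI PASS
PPT PGMNAME(DFHSIP)   KEY(8) NOSWAP NOPRIV NOSYST DSI NOPASS
PPT PGMNAME(DFSMVRC0) KEY(7) NOSWAP NOPRIV NOSYST NODSI NOPASS
PPT PGMNAME(APPLXYZ)  KEY(0) NOSWAP NOPRIV NOSYST DSI PASS
"""

# Constructed installed-product profile (what the Computer System Profile would tell you).
SAMPLE_PROFILE = {"jes": "JES2", "cics": False, "ims": False}

# Search order as the checklist states it in Step 14: JOBLIB/STEPLIB, then FLPA, MLPA,
# LPA, then the link list (SYS1.LINKLIB and its concatenation).
SEARCH_ORDER = ["STEPLIB", "FLPA", "MLPA", "LPA", "LINKLIST"]

# Constructed module inventory, i.e. what a library/LPA search returned:
# module -> list of (location, library, apf_authorized). Library names are invented.
SAMPLE_INVENTORY = {
    "HASJES20": [("LINKLIST", "SYS1.SHASLNKE", True)],
    "IATINTK": [],                                   # no copy found anywhere
    "DFHSIP": [("LINKLIST", "CICS.SDFHAUTH", True)],
    "DFSMVRC0": [("LINKLIST", "IMS.SDFSRESL.OLD", True), ("MLPA", "IMS.SDFSRESL", True)],
    "APPLXYZ": [("LINKLIST", "APPL.LOADLIB", True), ("STEPLIB", "USER.TEST.LOAD", False)],
}


@dataclass
class PptEntry:
    name: str
    key: int
    pass_bypass: bool   # PASS: may bypass PASSWORD / ESM data set protection (Step 9)
    dsi_bypass: bool    # DSI: may bypass data set integrity processing (Step 10)


PGMNAME_RE = re.compile(r"PGMNAME\((\w+)\)")
KEY_RE = re.compile(r"KEY\((\d+)\)")


def parse_ppt(text):
    """Parse PPT statements, one entry per line that starts with the PPT keyword."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "PPT":
            continue
        name = PGMNAME_RE.search(line).group(1)
        key = int(KEY_RE.search(line).group(1))
        # PASS/DSI are whole tokens, so NOPASS/NODSI do not match them.
        entries.append(PptEntry(name, key, "PASS" in tokens, "DSI" in tokens))
    return entries


def executing_copy(copies):
    """Return the copy z/OS would execute: the first one in the Step 14 search order."""
    return min(copies, key=lambda c: SEARCH_ORDER.index(c[0]))


def audit_ppt(entries, profile, inventory):
    """Apply Steps 3-6 and 8-14 to the parsed entries; returns {module: [finding, ...]}."""
    report = {}

    def flag(name, msg):
        report.setdefault(name, []).append(msg)

    for e in entries:
        # Steps 3-6: entries for products the profile says are not installed.
        if profile["jes"] == "JES2" and e.name == "IATINTK":
            flag(e.name, "JES3 module IATINTK specified on a JES2 system")
        if profile["jes"] == "JES3" and e.name == "HASJES20":
            flag(e.name, "JES2 module HASJES20 specified on a JES3 system")
        if not profile["cics"] and e.name.startswith("DFH"):
            flag(e.name, "CICS (DFH) module specified but CICS is not installed")
        if not profile["ims"] and (e.name.startswith("DFS") or e.key == 7):
            flag(e.name, "IMS (DFS prefix or key 7) module specified but IMS is not installed")
        # Steps 8-10: the special powers the entry grants.
        powers = []
        if e.key < 8:
            powers.append(f"system storage key {e.key}" + (" (master key)" if e.key == 0 else ""))
        if e.pass_bypass:
            powers.append("password bypass")
        if e.dsi_bypass:
            powers.append("data set integrity bypass")
        copies = inventory.get(e.name, [])
        # Step 11: a powerful entry with no module behind it is a substitution exposure.
        if powers and not copies:
            flag(e.name, "no module found for entry granting " + ", ".join(powers))
        # Steps 12-14: multiple copies; say which one runs and whether it is APF-authorized.
        if len(copies) > 1:
            loc, lib, apf = executing_copy(copies)
            flag(e.name, f"{len(copies)} copies found; executing copy is {lib} ({loc})")
            if loc == "STEPLIB" and not apf:
                flag(e.name, f"{lib} is not APF-authorized, so the PPT attributes do not apply")
    return report


if __name__ == "__main__":
    for mod, msgs in audit_ppt(parse_ppt(SAMPLE_PPT), SAMPLE_PROFILE, SAMPLE_INVENTORY).items():
        for m in msgs:
            print(f"{mod:<8} {m}")
```

On the constructed input the report is empty for HASJES20 (the JES2 module on a JES2 system, one copy), flags IATINTK twice (wrong JES, and no module found for an entry granting key 1 plus both bypasses), flags DFHSIP once (CICS not installed), and for DFSMVRC0 and APPLXYZ reports both the product mismatch or the multiple copies and which copy would run; the STEPLIB copy of APPLXYZ wins the search but sits in a library the inventory marks as not APF-authorized, which is the situation the Note under Step 14 describes. Replace the three SAMPLE_ constants with data taken from your own PPT display, Computer System Profile and search results.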