|
|
|
The control of APF authorization for TSO commands and programs is critical to z/OS security. Because APF‑authorized TSO commands and programs can bypass system validity checks and security, you should review the entries in these tables to ensure that system integrity is not compromised. The main areas of interest are:
These are APF‑authorized TSO command processors. These commands are listed in the APFCTABL table.
These are other APF‑authorized programs that can be invoked by using the TSO CALL command. These programs are listed in the APFPTABL table.
These are APF‑authorized programs that the TSO Service Facility can execute. These programs are listed in the APFTTABL table.
The location of the tables identified in the list above depends on the version of z/OS used by the data center. These CSECTs can reside in the IKJET02 or IKJTABLS member of SYS1.LPALIB. These tables can be built from parmlib at IPL.
Unsupported batch commands are another area of interest that CA Auditor analyzes in this display. Unsupported batch commands are TSO command processors or programs that are not permitted to execute in batch. These commands and programs are listed in the NSCPTABL table in the IKJEFT02 (or IKJTABLS) member of SYS1.LPALIB. If the data center uses TSO/E Release 4 or later, these tables can be built from Parmlib at IPL. Although this table is not concerned with APF commands as such, the data center can use this table to prevent the use of certain commands in a batch environment.
The APF‑authorized TSO Table Entries display locates all APF‑authorized TSO tables. To view a specific group of entries, for example all tables marked for review by CA Auditor, use the SORT command.
To search the libraries on the system for a module, enter S (Select) next to that library. CA Auditor displays the TSO APF Library Search display. To record a description for a library, enter D next to that library. The pop-up description panel is displayed. You can enter your description.
To access the APF-Authorized TSO Table Entries, select option 3 (2.2.3).
To view all of the entries in a certain group, for example all tables that CA Auditor has flagged as recommended for review, use the SORT command (see the Using Display Commands section in the “Introduction” chapter for information).
| Copyright © 2009 CA. All rights reserved. | Tell Technical Publications how we can improve this information |