CA Auditor provides a combined, customized analysis of the exit points actively running on the External Security Manager (ESM) product. Any exit point can affect the flow of security processing.
There are a number of common System Authorization Facility (SAF) exit points applicable to all ESM products that impact things on a global level by:
Each ESM also provides a unique set of exit points that are applicable only to that product. CA Auditor displays a hierarchical view of the exit points to show which exits are installed on a system and how they might interact with each other.
Security-related exit points analysis should include:
SAF provides generalized security facilities. SAF calls are typically generated by the z/OS RACROUTE assembler macros. These RACROUTE macros can provide security functions such as signon and signoff processing, and data set and resource authorization.
Additional SAF-related security functions are provided by SAF RACF Callable Services and Policy Director Authorization Services (PDAS).
To audit the ESM, it is important to consider how the ESM integrates with the operating system, specifically the SAF component. An audit of the ESM by itself is insufficient.
A SAF RACROUTE macro invocation expands to generate a function-specific parameter list followed by the invocation of the SAF router program. The SAF router analyzes all incoming SAF requests, invoking the ESM as appropriate to process the request.
The SAF router is a documented interface. Installations can write their own versions. An installation-specific replacement SAF router is not recommended.
The SAF RACROUTE request processing flow is:
Each of these points is worthy of auditing because any can impact the overall processing of a security call.
Copyright © 2009 CA. All rights reserved.