The real problem is user SVCs that are numbered 200 through 255. Many program products have user SVCs. Among them are transaction processing systems (such as IMS and CICS), sort programs (such as CA Sort), and many others. Data centers frequently have two or three sets of SVCs for these program products so they can test new releases while they run the production versions concurrently. At many data centers, systems programmers have an authorization SVC that makes any program APF-authorized. Normally, they do not use it to deliberately circumvent system security; rather, they use it because it seems easier than dealing with APF libraries and change control procedures. However, it can also easily be used to subvert the system.
Some program products have included similar SVCs. One popular space management product formerly had an SVC that made it APF-authorized so it could run the IBM IEBCOPY utility, which must run authorized. In the past, IBM published the source for a similar SVC to let ISPF/PDF run IEBCOPY. The SVC checked to ensure that it was called legitimately, but the checks were easily circumvented. Performance monitoring and system tuning tools such as Resolve and Omegamon frequently have SVCs that let them issue operator commands. Other products, such as the IBM Spool Display and Search Facility (SDSF), also have these SVCs. These SVCs might not screen sufficiently to determine who is calling them. The ingenious hacker can issue any command he wants.
More potential for security exposures exists with user SVCs than anywhere else in the system. As with other high-authority programs, first you must prevent unauthorized access and update to the libraries where they reside. Except for the SVCs that are link-edited to the nucleus, SVCs are normally kept in the LPA libraries. These libraries should be protected from unauthorized updates. The LPA Library Display (2.4.3) shows the names of all LPA libraries. Because SVCs can also be placed in MLPA or FLPA, you should also read the section Fixed and Modified LPA in this chapter.
Copyright © 2009 CA. All rights reserved.