To detect logic bombs in a z/OS environment, check for unauthorized machine language changes (for example, zaps or other hooks) in widely used z/OS modules that you cannot trace to a standard system maintenance procedure, such as SMP/E. The CA Auditor SMP Analysis Function can detect these changes in an SMP/E environment. Insist that your data center apply z/OS and applications system maintenance through an auditable change‑control process such as SMP/E. Use the CA Auditor Program Statistics Display to look for nonstandard CSECT names in IBM modules. Compare suspicious modules to the original distribution libraries.
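The comparison against the original distribution libraries can be automated once both libraries are reduced to a per-CSECT inventory. The following is an added example, not CA Auditor code or output: the `module,csect,length,digest` inventory format, the module and CSECT names, the digests, and the list of modules with maintenance on record are all constructed assumptions.

```python
import csv
import io

# Constructed sample inventories (module,csect,length,digest). The format is an
# assumption: one row per CSECT, exported by whatever module-mapping tool the
# site uses. Module names, CSECT names and digests are made up.
BASELINE = """\
PAYMOD01,PAYMAIN,4096,aa11
PAYMOD01,PAYCALC,2048,bb22
SECMOD02,SECINIT,1024,cc33
UTLMOD03,UTLCOPY,512,dd44
"""
RUNNING = """\
PAYMOD01,PAYMAIN,4096,aa11
PAYMOD01,PAYCALC,2048,ee55
SECMOD02,SECINIT,1024,cc33
SECMOD02,ZZHOOK,256,ff66
UTLMOD03,UTLCOPY,640,9977
"""
# Modules whose difference from the distribution copy is explained by
# maintenance on record in change control (hypothetical extract).
TRACED_MODULES = {"UTLMOD03"}

def load(text):
    """Return {(module, csect): (length, digest)} from inventory text."""
    rows = csv.reader(io.StringIO(text))
    return {(m, c): (int(n), d) for m, c, n, d in rows}

def untraced_changes(running, baseline, traced_modules):
    """List (kind, module, csect) differences not explained by change control."""
    findings = []
    for key in sorted(running.keys() | baseline.keys()):
        if key[0] in traced_modules or running.get(key) == baseline.get(key):
            continue
        if key not in baseline:
            kind = "ADDED"      # CSECT name absent from the distribution copy
        elif key not in running:
            kind = "REMOVED"
        else:
            kind = "CHANGED"    # same name, different length or content
        findings.append((kind, *key))
    return findings

if __name__ == "__main__":
    for finding in untraced_changes(load(RUNNING), load(BASELINE), TRACED_MODULES):
        print(*finding)
```

Each reported line is a CSECT to investigate by hand: an `ADDED` entry corresponds to a nonstandard CSECT name, and a `CHANGED` entry to a possible zap.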
Review the contents of the link pack areas. Use the CA Auditor Link Pack Area Display and the Fixed and Modified LPA Display to investigate suspicious modules that a logic bomb could activate. Pay particular attention to the modified link pack area (MLPA and EMLPA). Most bombs either crash the system or corrupt data. Those intended to take down the system probably need APF authorization. With the CA Auditor APF Library Analysis displays, check the APF libraries carefully. Use the CA Auditor System Exit Display to check the system exits. Review all z/OS exit source code and ensure that each exit’s purpose, use, and function are documented.
Sometimes you can detect a logic bomb by looking for its trigger. Review each module carefully for this type of logic. If it checks for a particular job name, data set name, program name, or user ID, find out why.
Copyright © 2009 CA. All rights reserved.