Detecting Trap Doors

z/OS trap doors are most easily implemented as either time‑sharing option (TSO) commands or as operating system supervisor calls (SVCs). TSO commands are convenient for programmers to use, and SVCs are easily issued from either TSO or batch programs. Trap door TSO commands normally require APF authorization; therefore, you can find them in the IKJEFTE2 and IKJEFTE8 tables or their TSO/E counterparts, IKJTABLS and IKJEFTAP. Use the CA Auditor TSO Information Summary to examine these tables carefully for suspicious entries.

You can find trap door SVCs in the link pack area (LPA) or the z/OS nucleus. Pay particular attention to user‑defined SVC numbers 200 through 255. Various program products and locally developed functions use these SVCs, which makes them a likely hiding place for a trap door. Do not ignore other SVCs reserved for specific IBM products that might not be installed in your z/OS system, such as the RACF SVCs reserved at 130 through 133: an active routine behind a number whose product is absent is suspect.
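The SVC review described above, as an added example that is not CA Auditor code: a script that triages a simple SVC table listing, flagging user SVC numbers served by modules unknown to change control and reserved product SVCs that are active although the product is not installed. The listing format, the module names, and the name IGCERROR for unassigned slots are assumptions made for this example.

```python
# Added example (not CA Auditor code): triage an SVC table listing for entries
# the text says deserve a closer look. The listing format is constructed for
# this example, one entry per line: svc number, svc type, serving module.
from dataclasses import dataclass

USER_SVC_RANGE = range(200, 256)          # installation-defined SVC numbers
RESERVED_PRODUCT_SVCS = {n: "RACF" for n in range(130, 134)}  # page: RACF 130-133
UNASSIGNED_MODULE = "IGCERROR"            # assumed name of the unassigned-SVC routine

@dataclass(frozen=True)
class SvcEntry:
    number: int
    svc_type: int
    module: str

def parse_svc_listing(text: str) -> list[SvcEntry]:
    """Parse the constructed listing format; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        number, svc_type, module = line.split()
        entries.append(SvcEntry(int(number), int(svc_type), module.upper()))
    return entries

def triage_svcs(entries, installed_products, approved_user_svc_modules):
    """Return (svc number, reason) pairs that need manual review."""
    findings = []
    for e in entries:
        if e.module == UNASSIGNED_MODULE:       # empty slot, nothing to review
            continue
        if e.number in USER_SVC_RANGE and e.module not in approved_user_svc_modules:
            findings.append((e.number, f"user SVC served by unapproved module {e.module}"))
        product = RESERVED_PRODUCT_SVCS.get(e.number)
        if product and product not in installed_products:
            findings.append((e.number, f"reserved for {product}, not installed, yet active ({e.module})"))
    return findings

# Constructed sample listing; module names are made up for this example
SAMPLE_LISTING = """
 35 3 IGC0003E     # IBM-supplied SVC, outside both ranges of interest
130 3 RACFSVC0     # RACF range, but RACF is not installed on this system
131 3 IGCERROR     # unassigned slot
200 3 USRSVC01     # approved local SVC
214 4 XYZ9999      # user range, module unknown to change control
"""

if __name__ == "__main__":
    entries = parse_svc_listing(SAMPLE_LISTING)
    for number, reason in triage_svcs(entries, {"TSO/E"}, {"USRSVC01"}):
        print(f"SVC {number}: {reason}")
```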

Although APF‑authorized TSO commands and user‑supplied SVCs are the easiest way to implement trap doors, system exits, subsystems, appendages, and the program properties table (PPT) also offer opportunities for malicious users. Use the appropriate CA Auditor displays to analyze these components of the operating system.

Sometimes you can find trap doors by finding the modules that service them. Installing one usually requires update access to an APF library, so using your access control software to prevent unauthorized update of these libraries is critical to controlling trap doors. Review the current contents of APF libraries with the CA Auditor APF Library Analysis displays and periodically check these modules to ensure they were not changed outside the approved procedures. You can use the Program Freezer Function to detect programs that changed and the Program Comparison Option to analyze the changed APF programs. Critical modules can be tampered with during system maintenance or when you IPL an unsecured z/OS test system. Eliminate duplicate and obsolete modules, and identify nonstandard modules. Analyze the memory‑resident LPA using the CA Auditor Link Pack Area Display. Use the CA Auditor SMP Analysis displays to search your load libraries for modules that were not installed using SMP/E.