Review Considerations
The audit, control, and security issues for the catalog system are fairly straightforward.
- Most data centers use VSAM password protection to prevent updates to their master catalog and to prevent listing of the VSAM passwords of any subordinate user catalogs (UCATs). They use the VSAM alias facility to define which UCAT handles which groups of names. This keeps the master catalog reasonably small, which speeds up search time and, more importantly, makes it easier to recover the MCAT from a backup if it is damaged. With few entries, the MCAT does not change often. Because z/OS cannot be IPLed without an MCAT, it is of key importance.
- Because most of the z/OS system libraries are cataloged, it is important to guard the integrity of the catalog system to prevent the substitution of a fake library for the real one by altering the catalog pointer.
Because z/OS records the location of many of its libraries at IPL, it is possible to IPL with the catalog pointing to one set of libraries and then recatalog a different set after the IPL.
z/OS continues to use the original set of libraries, so any review based on the current state of the catalog is misleading. CA Auditor displays, therefore, do not rely on the catalog; they consult z/OS itself for the location of the files that z/OS is actually using.
- Another aspect to consider is the manner in which the master catalog is identified. In actuality, there is no difference between an ICF master catalog and an ICF user catalog. What makes an ICF catalog the master catalog is the way it is identified as such when z/OS is IPLed.
There are two ways of identifying the master catalog name to the system when performing an IPL.
- The easiest, and most common, is the SYSCAT statement in the LOADxx initialization member. When the master catalog is specified in this manner, the operator receives no prompt through which the master catalog name can be overridden.
- If the LOADxx member does not specify a SYSCAT statement, an older mechanism, the SYSCATLG member, can be used. This is a member link-edited into the SYS1.NUCLEUS data set that specifies the master catalog data set. Because this mechanism is cumbersome to customize and use, it has fallen out of favor and has been almost universally replaced by the LOADxx member's SYSCAT statement.
In any event, when auditing the LOADxx member used at IPL, care should be taken to also track the SYSCAT statement to guard against any changes which might affect the master catalog specification.
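The two review checks described above (comparing the catalog's current pointers with what z/OS actually loaded, and tracking the LOADxx SYSCAT statement that names the master catalog) can be scripted against exported data. The following is an added example and is not CA Auditor's or IBM's code. It assumes the LOADxx SYSCAT column layout (SYSCAT in columns 1-6, volser in columns 10-15, option flags in columns 16-19, master catalog name from column 20), which should be verified against the MVS Initialization and Tuning Reference for your release; the member text, approved baseline values, and dataset locations are all constructed for the example.

```python
"""Added review checks for z/OS catalog integrity (example code, not the
product's own). The LOADxx SYSCAT column layout is assumed: SYSCAT in
columns 1-6, volser in 10-15, option flags in 16-19, catalog name from 20.
Every member and every dataset location below is constructed sample data."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed LOADxx member text (80-column card images; '*' in column 1 is a comment).
LOADXX_WITH_SYSCAT = """\
* LOAD01 - constructed sample, not a real member
IODF     00 SYS1     IODF01   00 Y
SYSCAT   MCAT01113CCATALOG.MASTER.PROD
NUCLEUS  1
SYSPARM  00
"""

LOADXX_NO_SYSCAT = """\
* LOAD02 - constructed sample with no SYSCAT statement
IODF     00 SYS1     IODF01   00 Y
NUCLEUS  1
"""


@dataclass(frozen=True)
class MasterCatalogSpec:
    source: str            # "LOADxx SYSCAT" or "SYSCATLG fallback"
    volser: Optional[str]  # columns 10-15, None when no SYSCAT statement
    name: Optional[str]    # columns 20-63, None when no SYSCAT statement
    flags: str             # raw columns 16-19; not interpreted here


def parse_syscat(member_text: str) -> MasterCatalogSpec:
    """Extract the master catalog specification from a LOADxx member.

    If no SYSCAT statement is present, z/OS falls back to the SYSCATLG
    member in SYS1.NUCLEUS, which this parser cannot see; it reports that.
    """
    for raw in member_text.splitlines():
        line = raw.ljust(80)          # treat every record as an 80-column card
        if line.startswith("*"):
            continue                  # comment record
        if line[0:6] == "SYSCAT":
            return MasterCatalogSpec(
                source="LOADxx SYSCAT",
                volser=line[9:15].strip() or None,
                name=line[19:63].strip() or None,
                flags=line[15:19],
            )
    return MasterCatalogSpec(source="SYSCATLG fallback", volser=None, name=None, flags="")


def check_master_catalog(member_text: str, approved_volser: str, approved_name: str) -> List[str]:
    """Compare the SYSCAT statement against the approved master catalog baseline."""
    spec = parse_syscat(member_text)
    findings: List[str] = []
    if spec.source != "LOADxx SYSCAT":
        findings.append("no SYSCAT statement: master catalog comes from the SYSCATLG member "
                        "in SYS1.NUCLEUS; review that member and its change history")
        return findings
    if spec.name != approved_name:
        findings.append(f"SYSCAT names {spec.name}; approved master catalog is {approved_name}")
    if spec.volser != approved_volser:
        findings.append(f"SYSCAT volser {spec.volser} differs from approved volser {approved_volser}")
    return findings


# Constructed data: what the catalog says now (e.g. from a LISTCAT export) versus
# where z/OS actually loaded each library at IPL (e.g. from the running system).
CATALOG_NOW: Dict[str, str] = {
    "SYS1.LINKLIB": "SYSRES", "SYS1.LPALIB": "SYSRES",
    "SYS1.NUCLEUS": "SYSRES", "SYS1.PARMLIB": "SYSRS2",   # recataloged after the IPL
}
LIVE_AT_IPL: Dict[str, str] = {
    "SYS1.LINKLIB": "SYSRES", "SYS1.LPALIB": "SYSRES",
    "SYS1.NUCLEUS": "SYSRES", "SYS1.PARMLIB": "SYSRES",
}


def find_recatalogued(catalog_now: Dict[str, str],
                      live_at_ipl: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (dsname, volser in use, volser the catalog now claims) for every
    library whose catalog entry no longer matches what the running system loaded."""
    mismatches = []
    for dsn, live_vol in sorted(live_at_ipl.items()):
        cat_vol = catalog_now.get(dsn, "not cataloged")
        if cat_vol != live_vol:
            mismatches.append((dsn, live_vol, cat_vol))
    return mismatches


if __name__ == "__main__":
    for f in check_master_catalog(LOADXX_WITH_SYSCAT, "MCAT01", "CATALOG.MASTER.PROD"):
        print("LOAD01:", f)
    for f in check_master_catalog(LOADXX_NO_SYSCAT, "MCAT01", "CATALOG.MASTER.PROD"):
        print("LOAD02:", f)
    for dsn, live, cat in find_recatalogued(CATALOG_NOW, LIVE_AT_IPL):
        print(f"{dsn}: loaded from {live}, catalog now says {cat}")
```

The baseline volser and catalog name would come from the site's approved IPL configuration, and the "live" locations from the running system rather than the catalog, which is exactly the distinction the review text draws.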