|
|
|
Next, you should obtain the source code for the user appendages. For appendages supplied by software vendors, it can be difficult to get the source code because many vendors consider their code proprietary and do not give it out. Many audit and security experts feel that you can assume that, because the company is betting its reputation on the quality of its programming, it should not compromise your security in any way. In any case, you should obtain source code for any appendages written by local systems programmers.
Once you have the source code, review it. If you do not read assembler language, you must ask another systems programmer for a “peer review.” You must determine what the appendage does and why it is necessary to have it. For appendages that are mentioned in IEAAPP00, you also must ensure that they have sufficient self‑protection to avoid being subverted by unauthorized programs.
APF‑authorized programs are more tightly controlled. Even if an APF program wanted to subvert the system, it would have easier ways to do damage than through an I/O appendage.
You can also use the Program Freezer (5.5) to make digital signatures of the appendages in SYS1.SVCLIB or the LPA libraries. The next time you do a review, you can use the Program Freezer again to see if any of the appendages have changed. You can also use the ISPF/PDF Copy function to make copies of the appendages. If you copy them now, you can run the Program Comparison display (5.3) during a later review to obtain the details of any changes. Many operating system components and most program products and subsystems provide exit points that let data centers tailor their use or provide new functions.
Exits are user‑written programs that obtain control at decision‑making points in the vendor’s software. For example, when a job uses all of the time allocated for its use, it is normally terminated by z/OS with an S522 abend code. z/OS provides an exit called IEFUTL (Time Limit) to extend the time allocated to a job, based on criteria that the data center decides to use. Exits are usually written in assembler language by a systems programmer.
| Copyright © 2009 CA. All rights reserved. | Tell Technical Publications how we can improve this information |