As an even trickier technique, a programmer could code part of the program name in the procedure, and then pass only part of the program name as a parameter. This would foil scans looking for the entire program name as a character string. Besides looking for procedure references, be alert to the presence of JOBLIB and STEPLIB DD statements in production JCL. They can mean that production programs are executed from unauthorized test libraries. If both JOBLIB and STEPLIB are found in a job, the JOBLIB is not used for the duration of the step that contains the STEPLIB.
Be alert to the unauthorized use of JOBCAT or STEPCAT DD statements in the JCL. They permit jobs to execute using files that are cataloged in private catalogs. Because z/OS permits files with exactly the same names to exist on the system as long as they are on separate volumes, using a private catalog in place of the system catalog would permit the substitution of a bogus file for a legitimate one. This technique is called spoofing.
Do not overlook the various JES statements that can be found in the JCL. Unless disabled, both JES2 and JES3 permit operator commands in the JCL using the // (NULL) statement, and JES2 permits them in the /* (EOF) statement.
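The checks described above (procedure references that hide the program name, JOBLIB/STEPLIB libraries and their precedence, private JOBCAT/STEPCAT catalogs, and operator commands carried on // and /* statements) can be scripted. The scanner below is an added example, not code from CA or from this documentation; the job, library, catalog and procedure names in the sample JCL are constructed placeholders, and the simplified statement parsing (column-free matching, continuation detected by a trailing comma on the first operand token) is an assumption of this example rather than a full JCL parser.

```python
import re
from typing import Dict, List

# Constructed sample JCL for the scan. Every name here is a placeholder.
SAMPLE_JCL = """\
//PAYROLL  JOB (ACCT),'NIGHTLY',CLASS=A
//JOBLIB   DD DSN=TEST.LOADLIB,DISP=SHR
//JOBCAT   DD DSN=USER.PRIVATE.CATALOG,DISP=SHR
//STEP1    EXEC PGM=PAYUPDT
//STEPLIB  DD DSN=PROD.LOADLIB,DISP=SHR
//STEPCAT  DD DSN=USER.STEP.CATALOG,DISP=SHR
//SYSIN    DD *
SOME IN-STREAM DATA
/*
//STEP2    EXEC PGM=PAYRPT,
//             PARM='NIGHTLY'
//STEP3    EXEC PAYPROC,MEMBER=UPDT
/*$DA
// DISPLAY A
//
"""

# Operation keywords that may legitimately follow "//name" in a JCL statement.
JCL_OPERATIONS = {
    "JOB", "EXEC", "DD", "PROC", "PEND", "IF", "ELSE", "ENDIF", "INCLUDE",
    "JCLLIB", "SET", "OUTPUT", "CNTL", "ENDCNTL", "XMIT", "EXPORT", "COMMAND",
}
# "//" + optional name starting in column 3 + operation + optional operand field.
STMT_RE = re.compile(r"^//(?P<name>\S*)\s+(?P<op>\S+)(?:\s+(?P<operands>.*))?$")
DSN_RE = re.compile(r"DSN(?:AME)?=([^,\s]+)")


def scan_jcl(jcl: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious construct, in source order."""
    findings: List[Dict[str, object]] = []
    continuing = False   # previous operand field ended with a comma
    in_stream = False    # inside a DD * / DD DATA block
    step = None          # name of the current job step
    joblib_dsn = None    # JOBLIB data set name, once seen

    def note(lineno: int, kind: str, detail: str) -> None:
        findings.append({"line": lineno, "kind": kind, "detail": detail})

    for lineno, raw in enumerate(jcl.splitlines(), 1):
        line = raw.rstrip()
        if in_stream:
            if not (line.startswith("//") or line.startswith("/*")):
                continue                     # in-stream data, not JCL
            in_stream = False
        if line.startswith("/*"):
            if line.startswith("/*$"):       # JES2 operator command on a /* statement
                note(lineno, "JES2-COMMAND", line[2:].strip())
            continue                         # a bare /* is the EOF delimiter
        if not line.startswith("//") or line.startswith("//*"):
            continue                         # non-JCL text or a comment
        body = line[2:]
        if not body.strip():
            continue                         # null statement: end of job
        if continuing:                       # continuation of the previous operands
            continuing = body.split()[0].endswith(",")
            continue
        m = STMT_RE.match(line)
        if not m:
            continue
        name, op = m.group("name"), m.group("op")
        operands = m.group("operands") or ""
        params = operands.split()[0] if operands.split() else ""
        continuing = params.endswith(",")

        if (not name and op not in JCL_OPERATIONS) or op == "COMMAND":
            # "// command" with no name field is a JCL command statement.
            note(lineno, "JCL-COMMAND", body.strip())
        elif op == "EXEC":
            step = name
            if not params.upper().startswith("PGM="):
                proc = params.split(",")[0]
                note(lineno, "PROC-EXEC",
                     f"step {name} runs procedure {proc}; the program name is "
                     f"only visible inside the procedure (check it for PGM=&...)")
        elif op == "DD":
            dm = DSN_RE.search(operands)
            dsn = dm.group(1) if dm else "?"
            if name == "JOBLIB":
                joblib_dsn = dsn
                note(lineno, "JOBLIB", f"job-level load library {dsn}")
            elif name == "STEPLIB":
                detail = f"step {step} load library {dsn}"
                if joblib_dsn:
                    detail += f"; JOBLIB {joblib_dsn} is not used for this step"
                note(lineno, "STEPLIB", detail)
            elif name in ("JOBCAT", "STEPCAT"):
                note(lineno, "PRIVATE-CATALOG", f"{name} {dsn} overrides the system catalog")
            if params.startswith("*") or params.upper().startswith("DATA"):
                in_stream = True             # skip the data that follows
    return findings


if __name__ == "__main__":
    for f in scan_jcl(SAMPLE_JCL):
        print(f"line {f['line']:>3}  {f['kind']:<16} {f['detail']}")
```

Each finding names the line it came from so the auditor can go back to the source member; a PROC-EXEC finding is a pointer to read the procedure, since that is where a partially coded program name would live, and a STEPLIB finding spells out the JOBLIB it displaces for that step.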
Copyright © 2009 CA. All rights reserved.