|
|
|
For audit purposes, it is important to remember that the z/OS operating systems are one of three IBM operating systems that are backed by an integrity statement. This policy letter spells out what IBM means by operating system integrity. IBM defines it as the inability of any program not authorized by a mechanism under the customer’s control to:
It is important to understand z/OS security mechanisms. They operate in all systems even when an access control software package is present. Storage protection is a hardware feature. It works by dividing main storage into 4 KB blocks. Each block of storage is assigned a storage protection key. Each program that runs on the computer is also assigned a storage key, which is kept in the program status word (PSW), a special hardware register. Whenever a program tries to modify a block of storage, the hardware checks the PSW key to ensure it matches the storage block key. If it does, the hardware permits the change to proceed. If it does not, the hardware sends an interrupt to the operating system to abend the program. This hardware feature is called storage protection.
IBM took this process one step further by taking advantage of the hardware’s ability to perform the same key checking on read operations. This is called fetch protection. The hardware was designed to use 16 storage protection keys. Key 0 has special status and is considered to be the master key, permitting access to all storage. Various operating system components use keys 1 through 7. All virtual storage user programs run in storage key 8. V=R programs (that is, programs in real storage) run in keys 9 through 15. From a security and integrity standpoint, a program with key 0 can access any real storage on the computer, enabling undetected access to all production data.
| Copyright © 2009 CA. All rights reserved. | Tell Technical Publications how we can improve this information |