Using the //MTFDEBUG dd statement is not documented anywhere else in CA Disk documentation, and is intended for use by CA Disk technical staff only. The use of this dd statement can nevertheless be considered a security exposure.
CA Disk allows the use of the //MTFDEBUG dd statement only if it receives a return code of less than 8 from SAF using the macro:
RACROUTE REQUEST=AUTH,
RELATED='DMS/OS AUTH CHECK', APPL='DMSOS ', ATTR=ALTER, CLASS='DATA SET', ENTITY=DISK.USING.MTFDEBUG.DD
There is no CA Disk control over this check. If you do nothing, the return code is always less than 8, and use of the //MTFDEBUG dd statement is allowed. If you do not have a security package that is compatible with SAF, you cannot control access to this dd statement.
To activate the CA Disk //MTFDEBUG dd statement security feature
If your SAF-compatible security package does not have protection-by-default and you want to allow only certain users to use //MTFDEBUG dd statements, instruct your security package to deny access to DISK.USING.MTFDEBUG.DD, (universal access of NONE) and then grant ALTER access to the authorized users.
CA Disk issues a message and ignore //MTFDEBUG dd statements from users without sufficient authority to that resource.
|
Copyright © 2015 CA Technologies.
All rights reserved.
|
|