

CA Examine

CA Examine is an optional component of an MLS configuration.

CA Examine can help you determine whether your z/OS system is properly configured and identify possible integrity exposures on your system.

Do not make CA Examine APF authorized. CA Examine is not intended to be APF authorized in an MLS configuration. It does not install authorized, and it must not be made authorized after installation.

Configuration Checklist

This checklist describes the software configuration requirements when MLS is active on a CA Top Secret system.

Requirement                                      Complete
Install ISPF/PDF                                 [ ]
Protect CA Examine libraries                     [ ]
Use CA Examine to verify proper configuration    [ ]

Installing ISPF/PDF

CA Examine requires the services of ISPF/PDF; therefore, if CA Examine is installed, you must install ISPF/PDF.

Protecting CA Examine Libraries

Users typically concatenate their own ISPF/PDF CLIST, panel, skeleton, and message libraries to tailor the way ISPF/PDF works to meet their needs. In most cases, this is perfectly acceptable in an MLS configuration. There is, however, one case when it is not acceptable. This is when a security administrator is using CA Examine to verify the proper configuration of the system. In this case, the ISPF/PDF libraries, CA Examine libraries, and CA Top Secret ISPF libraries must be concatenated in front of any user libraries.

Example

The following example shows how the JCL for this concatenation would look in a TSO LOGON procedure:

//ISPPLIB  DD DSN=ISP.V3R5M0.ISPPENU,DISP=SHR     ISPF panels
//         DD DSN=ISP.V3R5M0.ISRPENU,DISP=SHR     PDF panels
//         DD DSN=CAI.CAISPP,DISP=SHR             CA Top Secret panels
//         DD ...                                 User panels
//*
//ISPMLIB  DD DSN=ISP.V3R5M0.ISPMENU,DISP=SHR     ISPF messages
//         DD DSN=ISR.V3R5M0.ISRMENU,DISP=SHR     PDF messages
//         DD DSN=CAI.CAISPM,DISP=SHR             CA Top Secret messages
//         DD DSN=CAI.EXAMINE.MESSAGES,DISP=SHR   CA Examine messages
//         DD ...                                 User messages
//*
//ISPSLIB  DD DSN=ISP.V3R5M0.ISPSENU,DISP=SHR     ISPF skeletons
//         DD DSN=ISR.V3R5M0.ISRSENU,DISP=SHR     PDF skeletons
//         DD DSN=CAI.CAISPS,DISP=SHR             CA Top Secret skeletons
//         DD ...                                 User skeletons
//*
//ISPTLIB  DD DSN=ISP.V3R5M0.ISPTENU,DISP=SHR     ISPF tables
//         DD DSN=ISP.V3R5M0.ISRTENU,DISP=SHR     PDF tables
//         DD DSN=CAI.EXAMINE.TABLES,DISP=SHR     CA Examine tables
//         DD ...                                 User tables
//*
//SYSPROC  DD DSN=ISR.V3R5M0.ISRCLIB,DISP=SHR     PDF CLISTs
//         DD DSN=CAI.CAICLIB,DISP=SHR            CA Top Secret CLISTs
//         DD DSN=CAI.EXAMINE.CLIST,DISP=SHR      CA Examine CLISTs
//         DD ...                                 User CLISTs
//*

These libraries must be protected with CA Top Secret access rules so only system maintenance personnel can update them. In an MLS system, if the option to require security labels is activated, they should be labeled "SYSLOW" so they are accessible to all users.
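The concatenation rule above can be checked offline against an exported copy of a TSO LOGON procedure. The following Python script is an added example, not part of the CA documentation: it reports every system library that is searched after a user library. The trusted high-level qualifiers are an assumption taken from the example data set names, and the USER01 data sets are constructed.

```python
import re

# DD names from the page's LOGON procedure example.
ISPF_DDS = {"ISPPLIB", "ISPMLIB", "ISPSLIB", "ISPTLIB", "SYSPROC"}
# Assumption: HLQs of system-maintained libraries, copied from that example.
TRUSTED_HLQS = ("ISP.", "ISR.", "CAI.")
STMT = re.compile(r"^//(\S*)\s+(\S+)\s*(.*)$")
DSN = re.compile(r"\bDSN(?:AME)?=([^,\s]+)", re.I)

def concatenations(jcl):
    """Map each ISPF DD name to its data sets in search order."""
    result, current = {}, None
    for line in jcl.splitlines():
        m = None if line.startswith("//*") else STMT.match(line)
        if not m:
            continue  # comment line or not a JCL statement
        name, op, operands = m.group(1).upper(), m.group(2).upper(), m.group(3)
        if name:  # a named statement ends the previous concatenation
            current = name if op == "DD" else None
        if op == "DD" and current in ISPF_DDS:
            dsn = DSN.search(operands)
            if dsn:
                result.setdefault(current, []).append(dsn.group(1).upper())
    return result

def misordered(jcl):
    """Return (ddname, user_dsn, trusted_dsn) for trusted libraries behind a user one."""
    findings = []
    for dd, dsns in concatenations(jcl).items():
        first_user = None
        for dsn in dsns:
            if not dsn.startswith(TRUSTED_HLQS):
                first_user = first_user or dsn
            elif first_user:
                findings.append((dd, first_user, dsn))
    return findings

# Constructed sample; the USER01.* data set names are made up.
SAMPLE = """\
//ISPPLIB  DD DSN=ISP.V3R5M0.ISPPENU,DISP=SHR
//         DD DSN=USER01.PANELS,DISP=SHR
//         DD DSN=CAI.CAISPP,DISP=SHR
//*
//SYSPROC  DD DSN=CAI.EXAMINE.CLIST,DISP=SHR
//         DD DSN=USER01.CLIST,DISP=SHR
"""

if __name__ == "__main__":
    print(misordered(SAMPLE))
```

In the sample, ISPPLIB is flagged because CAI.CAISPP follows USER01.PANELS, while SYSPROC passes because its user library comes last.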

Using CA Examine to Verify Proper Configuration

CA Examine can help you determine if your z/OS system is properly configured. It shows you various facets of z/OS by way of interactive, easy-to-read screens. Its batch facility makes it possible to save scripts of examinations, and run them periodically as batch jobs to ensure that the configuration has not changed. The following list details examples of what CA Examine can display:

All these functions and many more are described in the CA Examine documentation.