I too have auditors who treat my mainframe like one of those little puters, and I find it best to first educate them before they convince my management to send me chasing phantoms. Don't assume your auditor won't appreciate a mainframe education.

The first place to hide a virus is in the OS, y/n? What protects the mainframe OS? Answer: APF. I monitor the APF libraries for any alterations on a daily basis. Any changes that didn't go through change control are cause for investigation. Most auditors don't know squat about APF, and if they did, they would be asking about it instead of a mainframe virus scanner.

The 2nd place to hide a virus is in software, which on the mainframe means the command libraries. Aside from the potential for corrupt vendor software (it's unlikely a vendor will install a compromised loadlib, but we're talking auditors here), most of those command libraries (vendor & in-house) are written in interpretive languages and can be scanned using standard PDS utilities for whatever string (like delete commands) your shop believes poses the greatest threat. Loadlibs can be scanned using standard utilities as well. One method is to unload the PDS to a GDG daily and compare the current file to the previous day's for any changes. Start with the linklist and the logon proc sysproc/sysexec allocations; after that, the catalog can be scanned for application and personal clist/rexx libraries. Looking for changes to the baseline may not qualify as a virus scanner, but it's a whole lot better than doing nothing or spending a fortune on unnecessary software.

The 3rd place I look for mainframe malware is in the parmlibs, JCL, macros, utilities and such. DASD utilities can erase the entire storage pool if corrupted. Who can update these libraries? Are they subject to stringent change control procedures? Are their contents monitored for changes and content? Does your auditor know what DASD is? HSM? DFDSS?

Address these items and I can almost guarantee that you'll pass your audits like I do.

Disclaimer: apart from monitoring APF, none of the above is industry standard, not yet anyway...


-hernandez



> On Fri, 28 Jan 2011 12:27:54 -0600, Jim Marshall <jim.marsh...@opm.gov> wrote:
> 
> > Auditors came around and wrote up our z/OS V1R10 Sysplex for not running a
> > Virus Checker. Does anyone have a constructive solution as to one being
> > available, or some verbiage which defends the position?
> >
> > Been hunting around for a Virus Checker for zLinux. Also interested in what
> > kind of overhead it might use.
> >
> > thanks  jim
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> Search the archives at http://bama.ua.edu/archives/ibm-main.html
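The daily baseline comparison and string scan hernandez describes above, as an added Python example that is not part of this thread or of any IBM utility: it takes two constructed member-level unloads of a command library (yesterday's and today's), reports added, removed and changed members, flags those with no change-control approval, and scans today's members for a constructed list of risky strings. Member names, contents, the approval set and the patterns are all made up for illustration.

```python
import hashlib
import re

# Constructed sample unloads of one command library: member name -> member text,
# standing in for the previous day's GDG generation and today's.
YESTERDAY = {
    "LOGON":   "/* REXX */\nSAY 'welcome'\n",
    "CLEANUP": "/* REXX */\n\"DELETE 'USER.TEMP.WORK'\"\n",
    "HELP":    "/* REXX */\nSAY 'help text'\n",
}
TODAY = {
    "LOGON":   "/* REXX */\nSAY 'welcome'\n\"DELETE 'PROD.APPL.DATA'\"\n",  # modified
    "CLEANUP": "/* REXX */\n\"DELETE 'USER.TEMP.WORK'\"\n",                 # unchanged
    "NEWUTIL": "/* REXX */\nSAY 'new member'\n",                             # added
}                                                                             # HELP removed

# Members with an approved change-control ticket today (constructed).
APPROVED = {"NEWUTIL"}

# Strings this (hypothetical) shop considers high-risk in command libraries.
RISKY_PATTERNS = [r"\bDELETE\b", r"\bSCRATCH\b"]


def snapshot(members):
    """Hash each member so the daily baseline can be kept compactly."""
    return {name: hashlib.sha256(text.encode()).hexdigest()
            for name, text in members.items()}


def diff_snapshots(prev, curr):
    """Members added, removed or changed between two daily snapshots."""
    return {
        "added":   sorted(set(curr) - set(prev)),
        "removed": sorted(set(prev) - set(curr)),
        "changed": sorted(n for n in set(prev) & set(curr) if prev[n] != curr[n]),
    }


def unapproved_changes(diff, approved):
    """Added or changed members with no change-control approval: investigate."""
    return sorted((set(diff["added"]) | set(diff["changed"])) - approved)


def scan_members(members, patterns):
    """Return (member, line number, pattern) for every risky-string hit."""
    hits = []
    for name, text in members.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for pat in patterns:
                if re.search(pat, line, re.IGNORECASE):
                    hits.append((name, lineno, pat))
    return hits
```

In practice the snapshot of each day's unload would be written alongside the GDG generation so the comparison never depends on re-reading yesterday's library.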