------------------------------------<snip>-----------------------------------
??? Testers didn't have SURROGAT (I assume they weren't Production
Support, and didn't have access to automation), and they didn't
know the production password? How were they bypassing?
-------------------------------<unsnip>----------------------------------
Until the RACF amd JES2 controls were available, they would use IEBGENER
to submit a PDS member to INTRDR. We stopped most of that by changing
the PROD id's password and not letting it be known. We also used a TSO
"Most"? I would expect "all". Do you mean that the password
was leaked to some unauthorized persons?
--------------------------------------<unsnip>----------------------------------------
Yes it was. The person responsible was "promoted to the sidewalk" after
he admitted this fact.
--------------------------------------<snip>-------------------------------------------
SUBMIT exit to parse the JOB statement on any SUBMIT'ed JOB statement,
removing the USER and PASSWORD operands (among others) and cutting an
Isn't there a JES or INTRDR exit (discussed here long ago) that
should be preferred to the SUBMIT exit because it traps all
jobs, not just those SUBmitted by TSO. (Nowadays FTP "QUOTE SITE
FILE=JES" provides another bypass.)
---------------------------------------<unsnip>---------------------------------------------
Yes, a JES2 exit might have been used, but we felt that a SUBMIT exit
was easier and equally effective, since our users had no other mechanism
(we thought) to submit a job. We hadn't thought of them using IEBGENER
to INTRDR; most of them weren't that bright. :-)
-----------------------------------<snip>-----------------------------------------------
SMF record for violations. After a few reprimands to persistant
violators, we managed to convince people that our standards were NOT
just "window dressing" and the majority of the problem went away. One
person was able to "hack" his way past all our standards, etc. by using
a 3rd party SVC; he was terminated when we finally got tired of
listening to his "excuses" and dealing with the problems he caused. The
Career death wish?
---------------------------------<unsnip>------------------------------------------------
Apperantly. He's selling used cars now. When he asked us for a
reference, our only comment was "not eligible for re-hire".
-------------------------------------<snip>---------------------------------------
owner of the SVC was informed of how it was being abused and has
installed safeguards to prevent recurrance. They have also supplied the
SVC code in source form to allow us to "critique" their fix. Thank you,
CA/IDMS Tech Support. Your action was timely, effective and efficient.
(Big bouquet of roses) Vastly different from the various responses of
your "Marketting Team". :-)
Good for them.
-----------------------------------<unsnip>--------------------------------
My sentiments exactly.
Rick
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
