On Sun, 4 Apr 2010 20:38:02 +0000, Ted MacNEIL wrote:
>>If it's a blanket statement such as, "Use of any SMP/E function allows
>>compromise of system integrity, therefore only highly trusted personnel
>should be permitted use of any SMP/E function," the hole is far from closed.
>
>Yes! Yes!! And, YES!
>If you can't/won't explain the issue, how can you allow us to protect
>ourselves?
>
In case IBM customers' needs haven't been sufficiently well explained
here, let me provide an example of another IBM product, AMASPZAP
which, in my perception, provides comparable hazards. ("comparable?"
Are there varying degrees of system integrity compromise?)
16.1 "z/OS V1R10.0 MVS Diagnosis: Tools and Service Aids"
__________________________________________________________________________________
16.1 Planning for SPZAP
SPZAP is an application that provides editing capabilities for data on a
direct access
storage device (DASD). Protect against SPZAP (and other applications that
can update
data sets) being used to damage data through use of the installation's
security
protection scheme:
* In z/OS DFSMS Using Data Sets, see the chapter, "Protecting Data Sets"
for
information pertaining to protecting data sets.
* In z/OS DFSMSdfp Advanced Services, see the chapter, "Protecting the
VTOC and VTOC
Index" for information pertaining to protecting VTOCs.
...
__________________________________________________________________________________
16.4 Running SPZAP
You can run SPZAP using control statements as input into the job stream or
dynamically
as part of selected macros:
* "Using JCL and control statements to run SPZAP" in topic 16.4.1
* "Invoking SPZAP dynamically" in topic 16.4.1.3
Operational considerations
Consider the following points when you run SPZAP:
* SPZAP uses the system OPEN macro. Therefore, SPZAP cannot modify or
inspect
RACF-protected data sets when SPZAP cannot successfully complete the
access checks
that occur during OPEN processing.
Something similar is needed for the new SMP/E classes. (Or is it
already present in the APAR ++HOLD, To which I haven't access.)
But note that there are no permissions peculiar to AMASPZAP; all
needed security is provided by protecting data sets and VTOCs.
-- gil
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
