Again, thanks to all for their support and advice. Because of the number of questions raised by the replies, some directly to me, I have decided to share the fragment from the brief presented, so that you all can decide whether or not I have paraphrased the presentation fairly and accurately, as below. I have "redacted" an instance or two of site specific information for the sake of confidentiality:

"6. Remove ACF2 Alter SVC:

"FINDING ... {Y}ou are utilizing the ACF2 “Alter” SVC. You have it defined as SVC {XXX}. This is a dangerous SVC because it allows alteration of many ACF2 components without associated ACF2 validation. Specifically, the SVC uses the Supercall facility, which lets an APF-authorized requester perform database maintenance functions without explicit CA ACF2 authorization.

"RECOMMENDATION Consider the removal of the SVC or at least the invocation of exit SVCIXIT (see GSO EXITS options in chapter 14 of the CA ACF2 Administrator Guide) to identify what programs, if any, are employing the SVC TYPE=A (alter) processing.

"BUSINESS VALUE The ACF2 Alter SVC is essentially a back door into ACF2. Closing that door will reduce the possibility that it will be used maliciously."

It appears that, by posting my original question, I may have stepped into a nearby hornets' nest, so please direct additional replies to me offlist.

Speaking only for myself,
Tom Sims

Tom Sims wrote:
Greetings,

Yesterday we entertained a group of vendor representatives who presented their assessment of our implementation of ACF2. Among their key findings and recommendations was a high-criticality suggestion to remove the ACF2 "alter SVC," which was characterized as a dangerous back door around access control, the removal of which would substantially reduce our exposure to its malicious use.
...snip...

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
