You might have the FACILITY class profile BPX.DEFAULT.USER set up at your
site allowing anyone with a valid RACF userid access.  See z/OS UNIX
System Services Planning.  If not, users who lacked an OMVS segment
would probably not be able to use FTP.

It is fairly considered a facility worthy of attention by some sites.
Some sites, like ours and probably yours, tightly controlled access to
IND$FILE on the premise that, providing a channel outside the glass walls,
it needed careful control.  In fairness, the glass walls have a lot of
little hamster tubes running in and out today :-)  So no one can say for
your site if it is a security exposure or not, but your management and
auditors might reasonably ask your help in securing it just like TSO nee
TSO IND$FILE.  If your RACF data set profiles and userids are not
properly set up and audited, it might be providing unintended access.  The
argument for it being a problem is that the CICS users generally don't
have access to data sets, not having TSO and ISPF but only limited
transactions to use.  With FTP, any userid can be used as a means to
directly access MVS or USS data sets, and data sets with UACC of READ or
higher might not be something you ever intended to make available.

You could use the FTCHKPWD exit to lock FTP down in just
about any way you want. See the sample in TCPIP.SEZAINST(FTCHKPWD).

Just be careful that, whatever you do, you don't pull the rug out from under
users who consider their use of FTP part of their job.  You might start
with reviewing SMF data to see what access is actually being done today.

Good luck and have fun!

        Best Regards, 

                Sam Knutson, GEICO 
                Performance and Availability Management 
                mailto:[EMAIL PROTECTED] 
                (office)  301.986.3574 

"Think big, act bold, start simple, grow fast..."


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On
Behalf Of Ted MacNEIL
Sent: Tuesday, September 12, 2006 5:23 PM
To: [email protected]
Subject: Access to FTP

We recently found out (or rather our auditors found out) that you don't
need a TSO segment to use FTP from a PC to z/OS.

I tested with an id that was only defined to one CICS region.
I could not sign on to TSO with it.
But, I could access FTP.

Our security and audit people think this is a security exposure.
Two questions:
1. Is it?
2. If it is, how do we close it?