> Dave wrote:
> I can change this by coding JCL parameters to mimic production, but if I don't notice it or don't know what the proper parameters are, I get security violations. If it's a large JOB, I get lots of security violations. It's still not a hacking attempt.
Perhaps someone else could use your JCL scan to hack with? I don't know, and I wouldn't do it myself.

I wrote a REXX interface to our JCL scan product so it can check a production userid's access to a dataset resource. I told the folks that use it that they must understand that they cannot rely on the results of the access check when the "real" task opens the dataset in its environment at OPEN time if:

1.) the task at OPEN is running Privileged or Trusted,
2.) the task at OPEN happened to have a trusted token,
3.) the task flipped one or more of those "bypass authority checking" bits before OPEN,
4.) the REQUEST=AUTH issued by the task at OPEN was a CSA or PRIVATE request, therefore bypassing GAC authority,
5.) the REXX interface call does not check for conditional access entries.

The REXX interface function does a RACROUTE REQUEST=AUTH and uses:

   USERID=user_id    (for third-party checking)
   STATUS=ACCESS     (send back the access code: NONE, READ, UPDATE, CONTROL, ALTER)
   LOG=NONE          (do not cut SMF audit records)

and a few other necessary parameters. USERID and LOG require APF. I also check whether the caller has the authority to use this function with a profile in the FACILITY class.

George Fogg

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
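The two RACROUTE calls George describes (a FACILITY-class gate on the caller, then a third-party STATUS=ACCESS check with LOG=NONE), written out as an added HLASM example. This is not George Fogg's REXX interface or any product code; it is constructed for illustration. It assumes the module is APF-authorized (USERID= and LOG=NONE are rejected otherwise), that the sample data set is covered by a generic profile (a discrete profile would also need VOLSER=), and that the FACILITY profile name JCLSCAN.ACCESSCHK, the data set name PROD.PAYROLL.MASTER and the userid PRODBAT are made up. The access level is read from the RACF reason code that RACF returns with RACF return code 14 when STATUS=ACCESS is specified; the caveats in the post (privileged/trusted tasks, bypass bits, CSA/PRIVATE requests, conditional access) still apply to whatever this answer says.

```hlasm
*---------------------------------------------------------------------
* RACCHK3: third-party data set access check for a JCL scanner.
* Constructed example, not George Fogg's code or any product's.
* Assumes: APF-authorized caller (needed for USERID= and LOG=NONE);
* data set protected by a generic profile (discrete needs VOLSER=);
* FACILITY profile JCLSCAN.ACCESSCHK, DSN PROD.PAYROLL.MASTER and
* userid PRODBAT are hypothetical sample values.
* R15 on return: 0/4/8/12/16 = NONE/READ/UPDATE/CONTROL/ALTER (the
* RACF reason code under RACF RC 14), 20 = caller not permitted to
* the FACILITY profile, 24 = RACF did not answer with RC 14.
*---------------------------------------------------------------------
         YREGS
RACCHK3  CSECT
RACCHK3  AMODE 31
RACCHK3  RMODE ANY
         STM   R14,R12,12(R13)         save caller's registers
         LR    R12,R15
         USING RACCHK3,R12
         LA    R15,SAVEA
         ST    R13,4(,R15)
         ST    R15,8(,R13)
         LR    R13,R15
*
* 1. Gate the function: is the CURRENT user allowed to ask?
*    LOG=ASIS so misuse of the tool itself still leaves an SMF trail.
*    Anything but SAF RC 0 (including "RACF inactive") is treated as
*    "no", i.e. the gate fails closed.
         RACROUTE REQUEST=AUTH,                                        X
               ENTITYX=FACX,                                           X
               CLASS='FACILITY',                                       X
               ATTR=READ,                                              X
               LOG=ASIS,                                               X
               WORKA=RACWA,                                            X
               RELEASE=2.2,                                            X
               MF=(E,FACLST)
         LTR   R15,R15                 SAF RC 0 = access allowed
         BNZ   NOTPERM
*
* 2. The third-party question: what access does USERX have to DSNX?
*    USERID= asks on behalf of another user; STATUS=ACCESS makes RACF
*    report the level instead of pass/fail; LOG=NONE keeps the scan
*    from cutting SMF "violation" records for every data set tested.
         RACROUTE REQUEST=AUTH,                                        X
               ENTITYX=DSNX,                                           X
               CLASS='DATASET',                                        X
               ATTR=READ,                                              X
               USERID=USERX,                                           X
               STATUS=ACCESS,                                          X
               LOG=NONE,                                               X
               WORKA=RACWA,                                            X
               RELEASE=2.2,                                            X
               MF=(E,DSNLST)
         LA    R3,DSNLST               SAF router parameter list
         USING SAFP,R3
         L     R4,SAFPRRET             RACF return code
         C     R4,=F'14'               14 = level is in the reason code
         BNE   OTHERR
         L     R15,SAFPRREA            0/4/8/12/16
         B     RETURN
         DROP  R3
NOTPERM  LA    R15,20                  caller lacks READ to FACX
         B     RETURN
OTHERR   LA    R15,24                  no usable answer from RACF
RETURN   L     R13,4(,R13)             restore caller's save area
         L     R14,12(,R13)
         LM    R0,R12,20(R13)          R15 carries the result
         BR    R14
*
SAVEA    DS    18F
RACWA    DS    CL512                   WORKA: 512 bytes required
* ENTITYX layout: AL2 buffer length, AL2 name length, then the name
FACX     DC    AL2(17),AL2(17),CL17'JCLSCAN.ACCESSCHK'   hypothetical
DSNX     DC    AL2(44),AL2(19),CL44'PROD.PAYROLL.MASTER' sample DSN
USERX    DC    AL1(7),CL8'PRODBAT'     USERID=: AL1 length, then the ID
FACLST   RACROUTE REQUEST=AUTH,CLASS='FACILITY',RELEASE=2.2,MF=L
DSNLST   RACROUTE REQUEST=AUTH,CLASS='DATASET',RELEASE=2.2,MF=L
         ICHSAFP                       SAFP mapping: SAFPRRET/SAFPRREA
         END   RACCHK3
```

The order of the two calls matters: the FACILITY check runs first, with normal logging and against the caller's own ACEE, so that the unlogged, third-party question can only be asked by someone explicitly permitted to ask it. Because the second call never fails the request (STATUS=ACCESS) and never logs (LOG=NONE), there is nothing in SMF to show who queried which userid's access; the FACILITY record is the only audit trail, which is why it should not be LOG=NONE as well.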

