Re: APF Libraries (Was ADRDSSU protection

Fri, 08 May 2009 06:37:55 -0700

I had a problem once with an APF library not being RACF protected. I set up a library for something, I can't even remember what, and put it in the APF list. Unfortuneatly, it was the only APF library that had RACF protection allowing update by anyone. We had an audit about 2 years or so before the datacenter closed for good, and the audit tool that was used pointed out that problem. Of course, it was fixed within minutes of finding it. I can't remember the name of the tool, but I know it was very good, and expensive, although we finally bought it only after my boss negotiated a really good deal.
It really seemed funny that about 2 years before the datacenter was closed, we started doing things that should have been done all along. We had our first disaster recovery test, and our first real audit of z/OS. Of course, that was the time that Sarbanes Oxley really hit the fan. 


On another note, the job front is looking up.  I've got several 
possibilities for jobs now, although none of them may pan out.


Eric

Eric Bielefeld
Sr. Systems Programmer
Milwaukee, Wisconsin
414-475-7434



----- Original Message ----- 
From: "Ed Gould" <[email protected]>

Newsgroups: bit.listserv.ibm-main
To: <[email protected]>
Sent: Friday, May 08, 2009 12:50 AM
Subject: Re: ADRDSSU protection



Rick,


I think I am going to disagree a little with you on this. Where the 
disagreement comes in is where companies hand out APF libraries like 
candy.



I actually had a programmer that was smart enough to copy amaspzap into an 
authorized library and figure out where AMASPZAP was issuing the resource 
(right term?calls to RACF) and essentially no-oping it and the same for 
the place in amaspzap where it asks the operator to reply U and one or two 
other places.



Companies need to control APF libraries at all costs, IMO. In this case 
the person could have called it something else and no one would have been 
any wiser. They also need to go through the libraries every so often and 
delete anything un-identifiable.



Ed 


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html






















					Reply via email to