On Thu, 7 May 2009 22:50:01 -0700, Ed Gould <[email protected]> wrote:
> I think I am going to disagree a little with you on this. Where the disagreement comes in is where companies hand out APF libraries like candy.
>
> I actually had a programmer that was smart enough to copy amaspzap into an authorized library and figure out where AMASPZAP was issuing the resource (right term?) calls to RACF and essentially no-oping it, and the same for the place in amaspzap where it asks the operator to reply U, and one or two other places.
>
> Companies need to control APF libraries at all costs, IMO. In this case the person could have called it something else and no one would have been any wiser. They also need to go through the libraries every so often and delete anything unidentifiable.

If I had UPDATE to an APF library there are lots of things I would do before I'd bother making a copy of AMASPZAP. UPDATE to an APF library effectively gives you access to all data on the system, and lets you impersonate any user you want to, whenever you want it. At that point, why mess with AMASPZAP?

-- 
Walt Farrell, CISSP
IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
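Both posters land on the same control: the set of people with UPDATE (or better) on any APF-authorized library is the list of people who can own the system, so it should be reviewed regularly. The script below is an added example, not code from either poster or from IBM, of the kind of cross-check an auditor would run: take the APF list, take the DATASET-class profiles that cover those libraries, and report every principal whose access meets or exceeds a threshold, plus any APF library that no profile covers at all. The input formats are constructed simplifications (one "dsname volser" per line for the APF list; "PROFILE name UACC=x" followed by "ID=who ACCESS=level" lines for profiles); a real run would feed it from `D PROG,APF` and a `LISTDSD` or IRRDBU00 unload instead. The generic-profile matcher implements the usual `%` (one character), `*` (within a qualifier) and `**` (zero or more qualifiers) rules and picks the discrete profile over a generic one, which is a simplification of RACF's full profile-selection ordering, and it does not expand group membership, OPERATIONS, WARNING mode or conditional access; it is an assumption that those are handled upstream.

```python
"""Report who holds UPDATE-or-better access to APF-authorized libraries.

Added example, not from the IBM-MAIN thread. All input below is constructed
sample data in a simplified text form, not output of a real z/OS system.
"""
import re

# ---- constructed sample input -------------------------------------------
# APF list, simplified to "<dsname> <volser>" per line.
SAMPLE_APF_LIST = """\
SYS1.LINKLIB       SYSRES
SYS1.SVCLIB        SYSRES
PROD.APPL.LOADLIB  PRD001
TEST.UTIL.LOADLIB  TST001
VENDOR.LOAD.LIB    VND001
"""

# DATASET-class profiles, simplified: "PROFILE <name> UACC=<level>" then
# one "ID=<user-or-group> ACCESS=<level>" line per access-list entry.
SAMPLE_PROFILES = """\
PROFILE SYS1.** UACC=READ
  ID=SYSPROG ACCESS=ALTER
PROFILE SYS1.LINKLIB UACC=READ
  ID=SYSPROG ACCESS=ALTER
  ID=OPER ACCESS=READ
PROFILE PROD.APPL.LOADLIB UACC=READ
  ID=APPDEV ACCESS=UPDATE
PROFILE TEST.** UACC=UPDATE
  ID=TESTGRP ACCESS=ALTER
"""

# RACF data-set access levels, least to most privileged.
ACCESS_ORDER = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]


def at_least(level, threshold):
    """True if access `level` is at or above `threshold`."""
    return ACCESS_ORDER.index(level.upper()) >= ACCESS_ORDER.index(threshold.upper())


def parse_apf_list(text):
    """Return the data-set names from the simplified APF list."""
    return [line.split()[0].upper() for line in text.splitlines() if line.split()]


def parse_profiles(text):
    """Return a list of {'name', 'uacc', 'acl'} dicts from the simplified listing."""
    profiles = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("PROFILE "):
            _, name, uacc = line.split()
            profiles.append({"name": name.upper(), "uacc": uacc.split("=", 1)[1].upper(), "acl": {}})
        elif line.startswith("ID="):
            who, acc = line.split()
            profiles[-1]["acl"][who.split("=", 1)[1].upper()] = acc.split("=", 1)[1].upper()
    return profiles


def _qual_regex(qualifier):
    """Regex for one qualifier: '%' = one char, '*' = any run of chars (no dots)."""
    return "".join("[^.]" if c == "%" else "[^.]*" if c == "*" else re.escape(c) for c in qualifier)


def profile_matches(profile_name, dsname):
    """Generic-profile match; '**' as a whole qualifier spans zero or more qualifiers."""
    pq, dq = profile_name.split("."), dsname.split(".")

    def rec(i, j):
        if i == len(pq):
            return j == len(dq)
        if pq[i] == "**":
            return any(rec(i + 1, k) for k in range(j, len(dq) + 1))
        return j < len(dq) and re.fullmatch(_qual_regex(pq[i]), dq[j]) is not None and rec(i + 1, j + 1)

    return rec(0, 0)


def is_generic(name):
    return any(c in name for c in "*%")


def best_profile(dsname, profiles):
    """Discrete profile wins; among generics prefer fewer wildcards, then more literal text.
    (Simplification of RACF's most-specific-profile selection.)"""
    matches = [p for p in profiles if profile_matches(p["name"], dsname)]
    if not matches:
        return None

    def rank(p):
        n = p["name"]
        return (is_generic(n), n.count("**"), n.count("*") + n.count("%"), -len(re.sub(r"[*%]", "", n)))

    return min(matches, key=rank)


def find_update_access(apf_text, profile_text, threshold="UPDATE"):
    """(dsname, profile, principal, access) for every principal at/above threshold.
    '*UACC*' marks universal access; '*NOPROFILE*' marks an uncovered library."""
    profiles = parse_profiles(profile_text)
    findings = []
    for ds in parse_apf_list(apf_text):
        prof = best_profile(ds, profiles)
        if prof is None:
            findings.append((ds, None, "*NOPROFILE*", "N/A"))
            continue
        if at_least(prof["uacc"], threshold):
            findings.append((ds, prof["name"], "*UACC*", prof["uacc"]))
        for who, acc in prof["acl"].items():
            if at_least(acc, threshold):
                findings.append((ds, prof["name"], who, acc))
    return sorted(findings, key=lambda f: (f[0], f[2]))


if __name__ == "__main__":
    for ds, prof, who, acc in find_update_access(SAMPLE_APF_LIST, SAMPLE_PROFILES):
        print(f"{ds:<20} via {prof or '-':<18} {who:<12} {acc}")
```

Two findings in the sample are the ones the thread is really about: `TEST.**` has UACC=UPDATE, so every user on the system can write to an APF-authorized test library, and `VENDOR.LOAD.LIB` has no profile at all. Both are more dangerous than any single ID on an access list, and neither would show up by scanning the libraries' member lists.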

