If a user has write access to a PDS with LRECL=80, such as his ISPF profile dataset, he can store anything he wants in it, including an object module which he could build on the fly using ISPF Edit. If he then has execution access to the Linkage Editor, he can execute this module. I don't think RACF can prevent this. So I wonder what kind of preventive automated control the auditor (or checklist author) is looking for. It is probably just a boilerplate requirement because it sounds so reasonable in theory.
The finding does not say the controls don't exist; only that they are not documented. I think the easiest response is to take a very specific interpretation of "software installation" and document how all system datasets, APF libraries, and production datasets are protected against unauthorized updates (note that you get to decide what is an appropriate authorization). This allows the auditor to check the item off. (It will take someone with much more mainframe acumen to debate whether the controls are adequate.) One can reasonably argue that what a user does in his own dataset does not constitute software installation but is merely a normal step in the development process. Software is not installed until the development cycle is complete and management has signed off.

> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Greg Dorner
> Sent: Wednesday, September 05, 2012 5:22 AM
> To: [email protected]
> Subject: Preventing the installation of "unapproved" software
>
> Man, the auditors came up with a new one!
>
> "Gap noted. Automated controls to prevent the installation of unapproved software were not documented."
>
> So I have been assigned the task of researching how to provide "Automated controls to prevent the installation of unapproved software".
>
> I'm hoping someone on the list has a clue to what could possibly do this. My brain already hurts thinking about it. Just thinking logically with my limited intellect tells me doing this is somewhat close to impossible.
