I see the rule but I do not understand the rationale.  Limiting UPDATE and 
ALTER access to systems programmers is logical and reasonable.  Limiting READ 
access is not unless there are parameters in PARMLIB not available anywhere 
else that can be used to gain an elevation of authority.

I have not yet seen any answer that lists or categorizes any such parameters.

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
Itschak Mugzach
Sent: Friday, February 4, 2022 2:36 AM
To: [email protected]
Subject: Re: What is the audit basis to prevent read access to z/OS PARMLIB's?

Hi Peter,

Follow the rule of the attached STIG:

SYS1.PARMLIB is not limited to only system programmers.

z/OS RACF STIG <https://www.stigviewer.com/stig/zos_racf/2019-12-12/>

<Text snipped>

On Fri, Feb 4, 2022 at 1:51 AM Farley, Peter x23353 < 
[email protected]> wrote:

> That was my question -- what possible attack vector can be derived 
> from PARMLIB entries?  I cannot see any such vector coming out of 
> anything I know about PARMLIB, but I probably don’t know enough, which 
> is why I am asking here.
>
> No passwords, no information that Mark Zelden's IPLINFO can’t retrieve 
> anyway from a running system, so what's the issue?
>
> Peter
>
> -----Original Message-----
> From: IBM Mainframe Discussion List <[email protected]> On 
> Behalf Of Matt Hogstrom
> Sent: Thursday, February 3, 2022 6:43 PM
> To: [email protected]
> Subject: Re: What is the audit basis to prevent read access to z/OS 
> PARMLIB's?
>
> I would suspect that it exposes potential attack vectors for the system.
> Ideally the system should be secure but loose lips sink ships.
>
> Matt Hogstrom
> [email protected]
>
> “To my Ph.D. supervisor, for whom no thanks is too much.”
>
> > On Feb 3, 2022, at 6:12 PM, Farley, Peter x23353 <
> > [email protected]> wrote:
> >
> > I'll be the first to admit that I know just enough of what is in
> > SYS1.PARMLIB to be dangerous, BUT . . .
> >
> > What information could possibly be gleaned from reading PARMLIB that
> > would require a knowledgeable auditor to insist on restricting read 
> > access (other than security by obscurity and sysprog/auditor job security)?
> >
> > Just curious, I don't plan on hacking anything.
-- 
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
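For readers who want to see what the STIG rule quoted in this thread looks like as RACF definitions, here is an added example (mine, not from the thread, the STIG or IBM); the group names SYSPROG and AUDITOR are assumed placeholders, and the REXX-style comment lines are annotations, not commands.

```tso
/* Weak profile: UACC(READ) lets every user on the system read PARMLIB */
ADDSD  'SYS1.PARMLIB' UACC(READ)

/* STIG-aligned profile: no default access, UPDATE/ALTER held only by
   system programmers, READ granted only to an explicitly justified group,
   and every successful or failed READ attempt written to SMF for review */
ADDSD  'SYS1.PARMLIB' UACC(NONE) AUDIT(ALL(READ))
PERMIT 'SYS1.PARMLIB' ID(SYSPROG) ACCESS(ALTER)
PERMIT 'SYS1.PARMLIB' ID(AUDITOR) ACCESS(READ)

/* Verification an auditor can run: list the profile and every user or
   group that holds access to it, with the access level of each */
LISTDSD DATASET('SYS1.PARMLIB') AUTHUSER
```

If SYS1.PARMLIB is covered by a generic profile rather than a discrete one, the same PERMITs apply to that profile name and a SETROPTS GENERIC(DATASET) REFRESH is needed afterwards.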