If you want to hide your APF list then you also need to prevent ISRDDN's APF option as it displays the APF list very nicely. I'm sure you can protect the SDSF APF command, but can you prevent SHOWZOS, and other tools, from looking in storage and displaying the list for you? The fact is that you can't.
Perhaps you should, if following the STIG rules for PARMLIB, also prevent user access to /etc in your OMVS and other *nix environments. Lionel B. Dyck <>< Website: https://www.lbdsoftware.com Github: https://github.com/lbdyck “Worry more about your character than your reputation. Character is what you are, reputation merely what others think you are.” - - - John Wooden -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Edgington, Jerry Sent: Friday, February 4, 2022 11:47 AM To: [email protected] Subject: Re: What is the audit basis to prevent read access to z/OS PARMLIB's? I agree with Ed, for most of the PARMLIB, but the APF list of libraries, should be protected, since that is one way someone can get into the OS. Provided the person has access to one of those libraries. So, I tended to be, maybe, over protective of the APF and possible LNKLST, depending upon the system parms. Jerry Edgington | Sr.Technical Analyst IT Technical Operations Enterprise Systems 400 Broadway | Cincinnati, Ohio 45202 513.629.1826 direct 513.629.1787 fax WesternSouthern.com -----Original Message----- From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Ed Jaffe Sent: Friday, February 4, 2022 12:43 PM To: [email protected] Subject: Re: What is the audit basis to prevent read access to z/OS PARMLIB's? This message was sent from an external source outside of Western & Southern's network. Do not click links or open attachments unless you recognize the sender and know the contents are safe. ________________________________________________________________________________________________________________________ On 2/4/2022 7:04 AM, Farley, Peter x23353 wrote: > I see the rule but I do not understand the rationale. Limiting UPDATE and > ALTER access to systems programmers is logical and reasonable. Limiting READ > access is not unless there are parameters in PARMLIB not available anywhere > else that can be used to gain an elevation of authority. The z/OS STIG is often wrong. I laugh when it protects SYS1.PARMLIB since all of our specifications are in SYS2.PARMLIB! LOL Considering PARMLIB in general, there used to be some passwords in the clear that would appear there (e.g., NJE). I have no idea if that's still true today. FWIW, there is absolutely nothing in our PARMLIB that we try to hide from end users. We might be naive... -- Phoenix Software International Edward E. Jaffe 831 Parkview Drive North El Segundo, CA 90245 https://www.phoenixsoftware.com/ -------------------------------------------------------------------------------- This e-mail message, including any attachments, appended messages and the information contained therein, is for the sole use of the intended recipient(s). If you are not an intended recipient or have otherwise received this email message in error, any use, dissemination, distribution, review, storage or copying of this e-mail message and the information contained therein is strictly prohibited. If you are not an intended recipient, please contact the sender by reply e-mail and destroy all copies of this email message and do not otherwise utilize or retain this email message or any or all of the information contained therein. Although this email message and any attachments or appended messages are believed to be free of any virus or other defect that might affect any computer system into which it is received and opened, it is the responsibility of the recipient to ensure that it is virus free and no responsibility is accepted by the sender for any loss or damage arising in any way from its opening or use. ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
