And you can find, if you know the control blocks, the SMF configuration, the 
dump dataset info, etc.

Nothing is hidden from those who know the keys. 

By locking down PARMLIB you just make it harder - not impossible.

Lock down /etc and see what happens.


Lionel B. Dyck <><
Website: https://www.lbdsoftware.com
Github: https://github.com/lbdyck

“Worry more about your character than your reputation. Character is what you 
are, reputation merely what others think you are.”   - - - John Wooden

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of 
ITschak Mugzach
Sent: Friday, February 4, 2022 01:07 PM
To: [email protected]
Subject: Re: What is the audit basis to prevent read access to z/OS PARMLIB's?

Only a few of the parmlib members are represented in MVS control blocks.
An attacker may want to understand how SMF is configured, to make sure his 
activity is not recorded, what the dump dataset mask is, the RACF dataset table 
(if it is a RACF shop) and much other information that helps penetrate the 
system.

Remember the first rule of security “need to know”. Most users do not have the 
need. And for the hacker: You want the data, sweat!

ITschak

On Fri, Feb 4, 2022 at 20:25, Mike Shaw <[email protected]> wrote:

> Amen Lionel. SHOWZOS is publicly available. Users can write their own 
> REXX code using the STORAGE function to display the active APF list on 
> their system. Security through (attempted) obscurity does not work.
>
> Mike Shaw
> MVS/QuickRef Support Group
> Chicago-Soft, Ltd.
>
>
> On Fri, Feb 4, 2022 at 1:02 PM Lionel B. Dyck <[email protected]> wrote:
>
> > If you want to hide your APF list then you also need to prevent 
> > ISRDDN's APF option as it displays the APF list very nicely. I'm 
> > sure you can protect the SDSF APF command, but can you prevent 
> > SHOWZOS, and other tools, from looking in storage and displaying 
> > the list for you?  The fact is that you can't.
> >
> > Perhaps you should, if following the STIG rules for PARMLIB, also 
> > prevent user access to /etc in your OMVS and other *nix environments.
> >
> > Lionel B. Dyck <><
> > Website: https://www.lbdsoftware.com
> > Github: https://github.com/lbdyck
> >
> > “Worry more about your character than your reputation. Character is what
> > you are, reputation merely what others think you are.”   - - - John Wooden
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List <[email protected]> On 
> > Behalf Of Edgington, Jerry
> > Sent: Friday, February 4, 2022 11:47 AM
> > To: [email protected]
> > Subject: Re: What is the audit basis to prevent read access to z/OS 
> > PARMLIB's?
> >
> > I agree with Ed, for most of the PARMLIB, but the APF list of 
> > libraries, should be protected, since that is one way someone can get into 
> > the OS.
> > Provided the person has access to one of those libraries.  So, I 
> > tended to be, maybe, over protective of the APF and possible LNKLST, 
> > depending upon the system parms.
> >
> >
> > Jerry Edgington  |  Sr.Technical Analyst IT Technical Operations 
> > Enterprise Systems
> > 400 Broadway  |  Cincinnati, Ohio 45202
> > 513.629.1826 direct
> > 513.629.1787 fax
> > WesternSouthern.com
> >
> >
> >
> > -----Original Message-----
> > From: IBM Mainframe Discussion List <[email protected]> On 
> > Behalf Of Ed Jaffe
> > Sent: Friday, February 4, 2022 12:43 PM
> > To: [email protected]
> > Subject: Re: What is the audit basis to prevent read access to z/OS 
> > PARMLIB's?
> >
> > On 2/4/2022 7:04 AM, Farley, Peter x23353 wrote:
> > > I see the rule but I do not understand the rationale.  Limiting 
> > > UPDATE and ALTER access to systems programmers is logical and 
> > > reasonable. Limiting READ access is not unless there are parameters 
> > > in PARMLIB not available anywhere else that can be used to gain an 
> > > elevation of authority.
> >
> > The z/OS STIG is often wrong. I laugh when it protects SYS1.PARMLIB 
> > since all of our specifications are in SYS2.PARMLIB! LOL
> >
> > Considering PARMLIB in general, there used to be some passwords in 
> > the clear that would appear there (e.g., NJE). I have no idea if 
> > that's still true today.
> >
> > FWIW, there is absolutely nothing in our PARMLIB that we try to hide 
> > from end users. We might be naive...
> >
> >
> > --
> > Phoenix Software International
> > Edward E. Jaffe
> > 831 Parkview Drive North
> > El Segundo, CA 90245
> > https://www.phoenixsoftware.com/
> >
> >
> > ----------------------------------------------------------------------
> > For IBM-MAIN subscribe / signoff / archive access instructions, 
> > send email to [email protected] with the message: INFO IBM-MAIN
--
ITschak Mugzach
| IronSphere Platform | Information Security Continuous Monitoring for 
z/OS, x/Linux & IBM I | z/VM coming soon
