I've always thought the TCPIP OBEY command was a security exposure. Someone
could reconfigure TCPIP using their private data set. Yes, you can lock
down the command.
I think VTAM is better; you can only activate a member which is in the VTAM
VTAMLST dataset concatenation - and so you have to use one of the system
approved data sets. On our test systems we had USER.VTAMLST and could
control write access to this.
Colin


On Tue, 19 Dec 2023 at 08:12, ITschak Mugzach <[email protected]> wrote:

> There are some MVS commands that are hard to understand how and why they
> were created. What bothers me is the fact that the input of the commands
> that modify MVS behavior allows input from a private dataset. These are the
> first commands I try when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
> that is not part of the parmlib concatenation itself. For example: SETLOAD
> 03,PARMLIB,DSN=sys4.relson
> TCPIP *OBEY* command allows specification of TCPIP configuration from a
> private library.
>
> How frequently do you use these commands (if ever) and how do you identify
> the use (assuming that the commands are protected by your ESM)? I wonder
> why IBM allows such a scenario.
>
> ITschak
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous Monitoring
> for z/OS, x/Linux & IBM I **| z/VM coming soon  *
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
