If you control your console commands through SAF, you have fairly fine 
granularity.

BTW, a couple of decades ago I reported a similar issue on a command that is 
extremely common.  If you're doing an audit, look at the common commands in 
addition to the rare ones.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר

________________________________________
From: IBM Mainframe Discussion List <[email protected]> on behalf of 
ITschak Mugzach <[email protected]>
Sent: Tuesday, December 19, 2023 3:12 AM
To: [email protected]
Subject: Z/OS Survey - Unusuall system commands

There are some MVS commands that are hard to understand how and why they
were created. What bothers me is the fact that the input of the commands
that modify MVS behavior allows input from a private dataset. These are the
first commands I try when I do a pentest...
For example:
*SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
that is not part of the parmlib concatenation itself. For example:
SETLOAD 03,PARMLIB,DSN=sys4.relson
TCPIP *OBEY* command allows specification of TCPIP configuration from a
private library.

How frequently do you use these commands (if ever) and how do you identify
the use (assuming that the commands are protected by your ESM)? I wonder
why IBM allows such a scenario.

ITschak

ITschak Mugzach
| IronSphere Platform | Information Security Continuous Monitoring
for z/OS, x/Linux & IBM I | z/VM coming soon

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
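
One way to identify use of these commands with a non-standard input dataset, as an added example that is not part of either post: the Python below checks operator command text for SETLOAD with an explicit DSN= and for the TCPIP OBEYFILE command, and reports any dataset outside a site allowlist. The allowlists, the sample records and the accepted OBEYFILE command forms are assumptions made for illustration.

```python
import re

# Constructed allowlists (assumption); replace with the site's real dataset names.
APPROVED = {"SETLOAD": {"SYS1.PARMLIB"}, "OBEYFILE": {"TCPIP.PROFILE.OBEY"}}

SETLOAD_RE = re.compile(r"^\s*SETLOAD\s+\w{2}\s*,(?P<rest>.*)$", re.I)
DSN_RE = re.compile(r"(?:^|,)\s*DSN(?:AME)?\s*=\s*(?P<dsn>[^,\s]+)", re.I)
# Assumed forms: VARY TCPIP,[proc],OBEYFILE,[DSN=]dsn, with V and O abbreviations.
OBEY_RE = re.compile(
    r"^\s*V(?:ARY)?\s+TCPIP\s*,[^,]*,\s*O(?:BEYFILE)?\s*,\s*(?:DSN=)?(?P<dsn>[^,\s]+)",
    re.I)


def base_dsn(dsn):
    """Upper-case the name, strip quotes and any (MEMBER) suffix."""
    return dsn.strip("'\"").upper().split("(", 1)[0]


def classify(command):
    """Return (kind, dsn) if the command can name its own input dataset, else None."""
    m = SETLOAD_RE.match(command)
    if m:
        d = DSN_RE.search(m.group("rest"))
        return ("SETLOAD", base_dsn(d.group("dsn")) if d else None)
    m = OBEY_RE.match(command)
    if m:
        return ("OBEYFILE", base_dsn(m.group("dsn")))
    return None


def audit(records, approved=APPROVED):
    """records: iterable of (issuer, command). Returns findings for unapproved datasets."""
    findings = []
    for issuer, command in records:
        hit = classify(command)
        if hit and hit[1] is not None and hit[1] not in approved[hit[0]]:
            findings.append({"issuer": issuer, "kind": hit[0], "dsn": hit[1]})
    return findings


# Constructed sample records (issuer, command text); not taken from a real log.
SAMPLE = [
    ("OPER1", "SETLOAD 03,PARMLIB,DSN=sys4.relson"),
    ("OPER1", "SETLOAD 00,PARMLIB,DSN=SYS1.PARMLIB"),
    ("NETADM", "V TCPIP,,O,DSN=USER1.PRIVATE.TCPPARMS(OBEY1)"),
    ("NETADM", "VARY TCPIP,TCPIP,OBEYFILE,TCPIP.PROFILE.OBEY"),
    ("OPER2", "D PARMLIB"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['issuer']}: {f['kind']} from unapproved dataset {f['dsn']}")
```
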

