Use of DSCMON is a STIG violation 

Sent from my iPhone

No one said I could type with one thumb 

> On Jun 21, 2024, at 19:59, Mark Schuffenhauer <[email protected]> wrote:
> 
> Hello Bob,
> 
> I would not make it trusted, but that is mainly up to the security standards 
> of the company.
> 
> It depends on the shop and how their datasets are.  I have always advocated 
> that a LLA, LPA, and APF datasets should rarely change and have a standard 
> nomenclature so that someone doesn't try to shove in 
> SYS$KA2.NONSTAND.WEIRD.MYLOADLIB
> 
> It really depends on how LLA looks. If the names in there look random and the 
> member(s) is(are) updated frequently, then it is painful. If there are a lot 
> of SETPROG LNKLST commands, it's painful.  If there is no change control 
> process required for updates, nor a PARMLIB monitor process to catch any 
> changes, I would encourage standards and advise them.
> 
> I would let the customer decide about trusted, versus horribly generic 
> dataset read access, or having to update the STCID security dataset access. I 
> am working from horribly generic to standards.
> 
> ________________________________
> From: IBM Mainframe Discussion List <[email protected]> on behalf of 
> Robert S. Hansel <[email protected]>
> Sent: Friday, June 21, 2024 7:50 AM
> To: [email protected] <[email protected]>
> Subject: Data Set Commander Monitor (DSCMON) Access Authority
> 
> Greetings all,
> 
> I posted this on RACF-L a week ago. There were no replies, so I thought I
> would try this list.
> 
> I am implementing RACF control for DSCMON for the first time and wondering
> how others have implemented it. Below is some background information, my
> thoughts, and some questions.
> 
> DSCMON is a Started Task that can dynamically and, in some cases,
> automatically refresh the in-memory copies of Linklist library directories
> maintained by LLA (Library Lookaside Facility). To perform this function,
> DSCMON needs READ access to all the Linklist libraries. It also needs access
> in OPERCMDS to modify LLA.
> 
> Ensuring DSCMON is permitted READ access to all Linklist libraries will be
> an ongoing administrative burden. It will require constant review of the
> list of Linklist libraries to confirm DSCMON has READ access and, if
> necessary, permitting DSCMON READ access to any new libraries that are added
> to the Linklist. Failure to provide READ access to a Linklist library will
> prevent DSCMON from updating the LLA directory for that library. Most
> likely, the process of maintaining these permissions could be partially
> automated, and maybe an alert could be set for any Linklist library changes,
> but it will still require ongoing RACF changes. Note that a computer
> operator could still perform a refresh using an operator command, but less
> conveniently and not automatically as when done by DSCMON.
> 
> The technician installing DSCMON proposed giving it TRUSTED authority and
> claims most organizations implement it this way. TRUSTED would certainly
> eliminate the need to maintain its access permissions. I suspect its access
> activity is likely to be low so I would be inclined to give its ID UAUDIT to
> track its access activity if it were made TRUSTED. Nonetheless, I have mixed
> feelings about giving it TRUSTED. This is not a product on IBM's sanctioned
> TRUSTED list, and I am loath to give any task TRUSTED that is not
> sanctioned.
> 
> To any of you who currently have DSCMON on your system or previously worked
> with it, how have you implemented RACF controls? Has it been given TRUSTED
> authority? If so, was its ID also given UAUDIT? If not TRUSTED, how have its
> READ permissions to all the Linklist libraries been maintained? Is there an
> alert for the addition of libraries to Linklist? Has a RACF exit been
> implemented to grant it access?
> 
> I look forward to reading your replies.
> 
> Regards, Bob
> 
> Robert S. Hansel                       2024 IBM Champion
> 
> Lead RACF Specialist
> 
> RSH Consulting, Inc.
> 
> 617-969-8211
> 
> http://www.linkedin.com/in/roberthansel
> 
> http://www.rshconsulting.com/
> 
> --------------------------------------------------------------------------
> 
> Upcoming RSH RACF Training - WebEx
> 
> - RACF Level I Administration - OCT 7-11, 2024
> 
> - RACF Level II Administration - NOV 4-8, 2024
> 
> - RACF Level III Admin, Audit, & Compliance - DEC 9-13, 2024
> 
> - RACF - Securing z/OS UNIX  - SEPT 23-27, 2024
> 
> - zSecure Admin - Basic Administration - NOV 19-22, 2024
> 
> ---------------------------------------------------------------------------
> 
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
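
The maintenance Bob describes (confirming DSCMON holds READ on every current Linklist library, spotting libraries added since the last review, and drafting the outstanding PERMITs) is the part that can be scripted. The following is an added example written for this thread, not code from any of the posters or from the DSCMON product. It assumes the Linklist comes from D PROG,LNKLST output (the sample is constructed and modelled on the CSV470I display), that the DATASET profiles were already extracted into a dict from LISTDSD or an IRRDBU00 unload (also constructed), that DSCMON is permitted directly rather than through a group, and it simplifies RACF's generic matching and most-specific-profile selection as noted in the comments.

```python
"""Reconcile a started task's READ access against the active LNKLST.

Added example for the DSCMON thread; not code from the posters or the product.
Assumed inputs: D PROG,LNKLST text and a dict of DATASET profiles. RACF
generic matching and profile selection are simplified (see comments).
"""
import re

# Constructed sample of D PROG,LNKLST output (layout modelled on CSV470I).
LNKLST_OUTPUT = """\
CSV470I 10.50.08 LNKLST DISPLAY 876
LNKLST SET LNKLST00   LNKAUTH=LNKLST
ENTRY  APF  VOLUME   DSNAME
    1    A  Z31RES   SYS1.LINKLIB
    2    A  Z31RES   SYS1.MIGLIB
    3    A  Z31RES   SYS1.CSSLIB
    4    A  PRD001   PROD.APPL.LOADLIB
    5       PRD002   SYS$KA2.NONSTAND.WEIRD.MYLOADLIB
"""

# Constructed DATASET profiles: name -> UACC and access list (id -> access).
# Assumption: DSCMON is permitted directly; group connections are ignored.
PROFILES = {
    "SYS1.**":     {"uacc": "READ", "acl": {"SYSPROG": "ALTER"}},
    "SYS1.CSSLIB": {"uacc": "NONE", "acl": {"DSCMON": "READ", "SYSPROG": "ALTER"}},
    "PROD.APPL.*": {"uacc": "NONE", "acl": {"DSCMON": "EXECUTE", "APPLDEV": "UPDATE"}},
    "SYS$KA2.**":  {"uacc": "NONE", "acl": {"SYSPROG": "UPDATE"}},
}

ACCESS_RANK = {"NONE": 0, "EXECUTE": 1, "READ": 2, "UPDATE": 3, "CONTROL": 4, "ALTER": 5}


def parse_lnklst(text):
    """Return the DSNAMEs from D PROG,LNKLST output (numbered entry lines only)."""
    names = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            names.append(fields[-1])  # DSNAME is the last column; APF may be blank
    return names


def profile_regex(profile):
    """Translate a DATASET profile into a regex. Simplified enhanced generic
    naming: ** matches one or more qualifiers, a lone * matches one qualifier,
    * inside a qualifier matches any run of characters, % matches one character."""
    parts = []
    for qual in profile.split("."):
        if qual == "**":
            parts.append(r"[^.]+(?:\.[^.]+)*")
        elif qual == "*":
            parts.append(r"[^.]+")
        else:
            parts.append("".join(
                "[^.]*" if c == "*" else "[^.]" if c == "%" else re.escape(c)
                for c in qual))
    return re.compile(r"\.".join(parts))


def covering_profile(dsn, profiles):
    """Pick the matching profile with the most literal characters, a
    simplification of RACF's most-specific-profile rules."""
    matches = [p for p in profiles if profile_regex(p).fullmatch(dsn)]
    if not matches:
        return None
    return max(matches, key=lambda p: sum(c not in "*%" for c in p))


def has_read(profile, user, profiles):
    """True if the id gets at least READ via the access list or UACC."""
    entry = profiles[profile]
    level = max(ACCESS_RANK[entry["acl"].get(user, "NONE")],
                ACCESS_RANK[entry["uacc"]])
    return level >= ACCESS_RANK["READ"]


def reconcile(lnklst_text, profiles, user="DSCMON", baseline=frozenset()):
    """List Linklist libraries the task cannot READ (with the covering profile,
    so an overly generic one can be tightened instead of widened), draft the
    PERMITs for review, and flag libraries not in the last reviewed baseline."""
    report = {"missing_read": [], "unprotected": [], "permits": [], "new_libraries": []}
    permitted, touched_generic = set(), False
    for dsn in parse_lnklst(lnklst_text):
        if dsn not in baseline:
            report["new_libraries"].append(dsn)
        prof = covering_profile(dsn, profiles)
        if prof is None:
            report["unprotected"].append(dsn)  # no profile at all: PROTECTALL gap
            continue
        if has_read(prof, user, profiles):
            continue
        report["missing_read"].append((dsn, prof))
        if prof not in permitted:
            permitted.add(prof)
            generic = any(c in "*%" for c in prof)
            touched_generic |= generic
            report["permits"].append(
                f"PERMIT '{prof}'{' GENERIC' if generic else ''} ID({user}) ACCESS(READ)")
    if touched_generic:  # generic profile changes need an in-storage refresh
        report["permits"].append("SETROPTS GENERIC(DATASET) REFRESH")
    return report


if __name__ == "__main__":
    known = {"SYS1.LINKLIB", "SYS1.MIGLIB", "SYS1.CSSLIB", "PROD.APPL.LOADLIB"}
    for key, value in reconcile(LNKLST_OUTPUT, PROFILES, baseline=known).items():
        print(key, value)
```

Run against the constructed data, the script reports the two libraries DSCMON cannot read (one because its only access is EXECUTE, one because nothing on the covering profile grants it), drafts the two PERMITs plus the generic refresh, and flags the SYS$KA2 library as new relative to the baseline; the "new_libraries" list is the piece a scheduled job would turn into the Linklist-change alert Bob asks about, and the covering-profile column is what lets the reviewer decide between permitting a broad generic and cutting a more specific profile, which is the trade-off Mark raises.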