Ken,

The reference that perhaps comes closest to what you want is the book "OS/390-z/OS Security Audit and Control Features". It used to be available from ISACA but is now out of print. It is a bit dated (2004), somewhat verbose, and mostly focused on RACF.

Also from ISACA is the 2009 checklist publication "z/OS Security Audit/Assurance Program". It is a free download for members. May not give you much more than you already have. At a glance, it appears to be a slightly updated checklist from that available in the aforementioned book.

You might also find the DISA STIG for RACF helpful. It includes controls for z/OS.

http://iase.disa.mil/stigs/os/mainframe/z_os.html

To add to your list, also offhand, include PARMLIBs, catalogs, JESPARMs (governing entry of operator commands), TSO parms, installation SVCs and Program Calls, Exits, I/O Appendages, PROCLIBs, and IPLPARMs.

So much of z/OS control is tightly coupled with RACF protection (how do you protect APF libraries without RACF?) that I would be inclined to combine their respective security best practices into a single document.

Regards, Bob

Robert S. Hansel
Lead RACF Specialist
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.rshconsulting.com
---------------------------------------------------------------------
2013 RACF Training
- Audit & Compliance Roadmap - Boston - NOV 5-8
- Intro & Basic Admin - WebEx - OCT 21-25
- Securing z/OS UNIX - WebEx - JUL 23-25
- Securing z/OS UNIX - WebEx - SEPT 17-20
- Securing z/OS UNIX - WebEx - DEC 3-6
---------------------------------------------------------------------

-----Original Message-----
Date: Fri, 28 Jun 2013 18:46:51 +0000
From: Ken Porowski <[email protected]>
Subject: z/OS Configuration for Security - Not RACF or other ESM

I have been tasked with documenting 'best practice' for configuring z/OS for security. This does not include RACF (or other ESM) practices. The scope is limited to what I can do in configuring z/OS to ensure no one can bypass RACF/ESM.

What I can think of offhand is keeping tight control of LPALIST, LINKLIST, APFLIST, SCHEDxx/PPT.

Does anyone know of a book/paper/guide/reference that would outline a 'best practice' for z/OS security configuration?
I've been searching this list, redbooks, Google, but not finding much that isn't RACF/ESM specific.

TIA
Ken

Ken Porowski
VP Mainframe Engineering
CIT Information Technology
+1 973 740 5459 (tel)
One CIT Drive
Livingston, NJ 07039
[email protected]
www.cit.com
