On 2013-08-14 10:28, Victor Hugo Ochoa Avila wrote:
Hello everyone.
A question.
What is the procedure to protect the MCS consoles?
I need to protect consoles with RACF, and allow access to a particular group
support.
1. Protect resources, not tools. A console is a tool rather than a resource.
The resource is the operator command. You should protect the commands using
OPERCMDS class profiles. Note that not only MVS commands are to be
protected, but also JES commands and those of other subsystems (SDSF, RACF, DB2, MQ).
2. See the CONSOLxx member, parameter LOGON(REQUIRED). With this value one
has to log on to the console in order to issue any further command. Other
options are AUTO (a logged-off console has its own default user), or
OPTIONAL - in this case a logged-off console has no control in the OPERCMDS
class. That means the console should be physically protected (if such a
setting is approved at all).
3. For consoles attached to OSA-ICC or 2074, in other words, connected
via an IP network, you have to secure the network, which means network
activities like router filters, etc. These are activities outside the mainframe. Note
that the console traffic, including passwords, is not encrypted and it could
be sniffed.
4. There is also the CONSOLE class in RACF. In general, it's similar to the
TERMINAL class, as it controls who can use a given console, by its name.
IMHO I see no big reason why JSMITH could use CONS1, but not CONS2.
Note, the other security means, including OPERCMDS, still apply. The
interesting option here could be conditional access to OPERCMDS resources
with WHEN(CONSOLE(consname)) - for that you have to activate the CONSOLE
class, even with a ** UACC(READ) profile.
--
Radoslaw Skorupka
Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
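
Points 1, 2 and 4 of the reply written out as RACF commands, added here as an illustration and not part of the original message. The group name OPSUPP and the subsystem name JES2 are assumptions, CONS1 is the console name used in the message, and the access levels chosen are illustrative.

```tso
/* Constructed example. Assumptions: OPSUPP is the support group,     */
/* JES2 is the JES subsystem name, CONS1 is a console name.           */

/* Point 2, in parmlib member CONSOLxx (not a RACF command):          */
/*   DEFAULT LOGON(REQUIRED)                                          */

/* Generic profile checking must be on before ** profiles are defined */
SETROPTS GENERIC(OPERCMDS CONSOLE)

/* Point 1: default-deny backstops for MVS and JES2 commands          */
RDEFINE OPERCMDS MVS.**  UACC(NONE)
RDEFINE OPERCMDS JES2.** UACC(NONE)

/* Support group may issue READ-level (display) commands              */
PERMIT MVS.**  CLASS(OPERCMDS) ID(OPSUPP) ACCESS(READ)
PERMIT JES2.** CLASS(OPERCMDS) ID(OPSUPP) ACCESS(READ)

/* Point 4: CANCEL of jobs is allowed only when entered from CONS1.   */
/* The more specific profile overrides MVS.**, so from any other      */
/* console OPSUPP falls through to UACC(NONE).                        */
RDEFINE OPERCMDS MVS.CANCEL.JOB.** UACC(NONE)
PERMIT MVS.CANCEL.JOB.** CLASS(OPERCMDS) ID(OPSUPP) ACCESS(UPDATE) WHEN(CONSOLE(CONS1))

/* CONSOLE class must be active for WHEN(CONSOLE(...)) to be honoured */
RDEFINE CONSOLE ** UACC(READ)

/* Activate last, once the permits exist, to avoid locking out        */
/* operators the moment the classes become active                     */
SETROPTS CLASSACT(OPERCMDS CONSOLE) RACLIST(OPERCMDS)

/* After any later OPERCMDS profile change:                           */
SETROPTS RACLIST(OPERCMDS) REFRESH
```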