On Fri, 5 Jun 2015 12:09:42 -0500, John McKown <[email protected]> wrote:
>I can, sort of, see a possible security concern here. At present, to access CICS, a RACF id must have a CICS segment. To access TSO, it must have a TSO segment. A CICS user cannot log in to TSO if they don't have a TSO segment. But, with the automatic UID & GID assignment, that CICS user could, if they were knowledgeable enough, use PuTTY on their PC to connect and have a z/OS UNIX prompt. Depending on the environment, they may then have access to information to which they should not. Especially if the "security" department in the past has been lax because "they can only get to stuff via CICS, so why bother with a lot of unnecessary data set profiles?"
>
>At the very least, the "unauthorized" user could be running stuff "for learning purposes" which would use up CPU and DASD resources (e.g. fill up /tmp) and so impact performance and perhaps even billing (MSU increase). Can _you_ say "fork bomb"? Also, it could cause other problems with auditing. As in not having any reports for this sort of thing at present because "nobody uses it". So now the auditors and security people may need to be involved. And that may have other, political, repercussions.

John,

Thanks for the additional input. You added some points that I was vaguely concerned about, but had not actually put words to in my haste to post what I consider to be a concern. Prior to the changes with the various BPX.*.USER profiles, I had not realized a user originally added to RACF for just CICS could acquire a session via ssh to the host. Therefore none of those userids have ever had OMVS(NOUID) added to them. I'm thinking that I might need to go alter all of those userids, and our process for adding new userids to RACF needs to be changed.

Anyone else out there already doing something in this area or have plans to do so?
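An added example of the kind of audit this thread points at (not code from either poster): it reads an IRRDBU00 database unload and lists every user ID that has a CICS segment but no explicit OMVS UID, i.e. the users who would pick up an automatically assigned UID under BPX.UNIQUE.USER and so could be dubbed into z/OS UNIX over ssh. The record-type codes (0200, 0220, 0230, 0270) and column offsets are from my recollection of the IRRDBU00 layout and should be verified against the RACF Macros and Interfaces manual for your release; the sample records are constructed.

```python
"""Audit an IRRDBU00 unload for CICS users who lack an explicit OMVS UID."""
from collections import defaultdict

# Assumed IRRDBU00 layout (verify for your release): columns 1-4 record type,
# columns 6-13 user ID; in the 0270 (user OMVS) record columns 15-24 hold the UID.
REC_USER_BASIC, REC_USER_TSO, REC_USER_CICS, REC_USER_OMVS = "0200", "0220", "0230", "0270"


def parse_unload(lines):
    """Collect per-user segment facts from the unload records we care about."""
    users = defaultdict(lambda: {"tso": False, "cics": False, "omvs": False, "uid": None})
    for line in lines:
        rtype = line[0:4]
        if rtype not in (REC_USER_BASIC, REC_USER_TSO, REC_USER_CICS, REC_USER_OMVS):
            continue  # group, data set and general-resource records are irrelevant here
        user = users[line[5:13].strip()]
        if rtype == REC_USER_TSO:
            user["tso"] = True
        elif rtype == REC_USER_CICS:
            user["cics"] = True
        elif rtype == REC_USER_OMVS:
            user["omvs"] = True
            # An OMVS segment with a blank UID is still a candidate for automatic assignment.
            user["uid"] = line[14:24].strip() or None
    return users


def cics_users_without_uid(users):
    """User IDs with a CICS segment and no explicit UID, flagged with their TSO status."""
    return sorted((name, u["tso"]) for name, u in users.items()
                  if u["cics"] and u["uid"] is None)


def rec(rtype, name, rest=""):
    """Build a constructed unload record with the column layout assumed above."""
    return f"{rtype} {name:<8} {rest}"


# Constructed sample: two CICS-only users (one with an empty OMVS segment),
# a TSO administrator with a real UID, and a batch ID with no segments at all.
SAMPLE_UNLOAD = [
    rec(REC_USER_BASIC, "CICSUSR1"), rec(REC_USER_CICS, "CICSUSR1", "CU1"),
    rec(REC_USER_BASIC, "CICSUSR2"), rec(REC_USER_CICS, "CICSUSR2", "CU2"),
    rec(REC_USER_OMVS, "CICSUSR2", f"{'':<10} /u/cicsusr2"),
    rec(REC_USER_BASIC, "TSOADM1"), rec(REC_USER_TSO, "TSOADM1", "ACCT1"),
    rec(REC_USER_OMVS, "TSOADM1", f"{'100':<10} /u/tsoadm1"),
    rec(REC_USER_BASIC, "BATCH1"),
]

if __name__ == "__main__":
    for name, has_tso in cics_users_without_uid(parse_unload(SAMPLE_UNLOAD)):
        print(f"{name}: CICS segment, no OMVS UID, TSO segment={'yes' if has_tso else 'no'}")
```

Run it against a real unload (downloaded as text) and review each flagged ID before deciding whether it needs an explicit OMVS segment, a UID or removal from automatic assignment.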
---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
