I may be missing something obvious here, but in my past life I worked with many thousands of "CICS only" users, none of whom had a CICS segment. Now if they did use their PC to acquire a z/OS UNIX prompt, then what? They would have access to any ID(*) or UACC=notNONE dataset profiles. I suppose they could submit a job whose last step submits itself 10 more times, etc. etc..... Likewise FTP some datasets.....

On 6/5/2015 4:05 PM, David Magee wrote:
On Fri, 5 Jun 2015 12:09:42 -0500, John McKown <[email protected]> 
wrote:

I can, sort of, see a possible security concern here. At present, to
access CICS, a RACF id must have a CICS segment. To access TSO, it must
have a TSO segment. A CICS user cannot log in to TSO if they don't have a
TSO segment. But, with the automatic UID & GID assignment, that CICS user
could, if they were knowledgeable enough, use PuTTY on their PC to connect
and have a z/OS UNIX prompt. Depending on the environment, they may then
have access to information to which they should not. Especially if the
"security" department in the past has been lax because "they can only get
to stuff via CICS, so why bother with a lot of unnecessary data set
profiles?"

At the very least, the "unauthorized" user could be running stuff "for
learning purposes" which would use up CPU and DASD resources (e.g. fill up
/tmp) and so impact performance and perhaps even billing (MSU increase).
Can _you_ say "fork bomb"? Also, it could cause other problems with
auditing. As in not having any reports for this sort of thing at present
because "nobody uses it". So now the auditors and security people may need
to be involved. And that may have other, political, repercussions.

John,
Thanks for the additional input. You added some points that I was vaguely 
concerned about, but had not actually put words to in my haste to post what I 
consider to be a concern. Prior to the changes with the various BPX.*.USER 
profiles, I had not realized a user originally added to RACF for just CICS 
could acquire a session via ssh to the host. Therefore none of those userids 
have ever had OMVS(NOUID) added to them. I'm thinking that I might need to go 
alter all of those userids, and our process for adding new userids to RACF needs 
to be changed.

Anyone else out there already doing something in this area or have plans to do 
so?
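As an added example (not written by any of the posters above, and not part of the thread): a small script that does the inventory step David describes, finding every RACF user that has a CICS segment but neither a TSO nor an OMVS segment, from an IRRDBU00 database unload. Those are the "CICS only" users that would be handed an automatic UID under BPX.UNIQUE.USER the first time they touch z/OS UNIX. It assumes the IRRDBU00 layout in which the record type occupies columns 1-4 and the user name columns 6-13 of each user record, with 0210 = user TSO data, 0230 = user CICS data and 0270 = user OMVS data; check those against the RACF documentation for your release before trusting the output. The unload records embedded in the script are constructed, not real data, and the script only reports candidates; what to do with them (adding an OMVS segment, or whatever your installation decides) is deliberately left to the administrator.

```python
"""Find RACF users defined for CICS only that have no OMVS segment.

Added example, not part of the IBM-MAIN thread. Reads an IRRDBU00 unload
and reports users with a CICS segment (0230) but no TSO (0210) and no
OMVS (0270) segment. Record-type values and column positions are taken
from the IRRDBU00 layouts; verify them against your release's manual.
"""

from collections import defaultdict
from typing import Dict, Iterable, List, Set

USER_TSO = "0210"   # User TSO Data Record
USER_CICS = "0230"  # User CICS Data Record
USER_OMVS = "0270"  # User OMVS Data Record

# Constructed sample IRRDBU00 records (not real data): record type in
# columns 1-4, a blank, then the 8-character user name. The remaining
# fields of each record are omitted because they are not examined here.
SAMPLE_UNLOAD = """\
0200 CICSUSR1
0230 CICSUSR1
0200 TSOUSR01
0210 TSOUSR01
0200 UNIXUSR1
0230 UNIXUSR1
0270 UNIXUSR1
0200 CICSUSR2
0230 CICSUSR2
0200 BATCHID1
"""


def parse_unload(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each user name to the set of user record types seen for it."""
    segments: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        if len(line) < 13:
            continue  # too short to carry a record type and a name
        rectype = line[0:4]
        if not rectype.startswith("02"):
            continue  # 02xx are the user records; skip group, data set, etc.
        name = line[5:13].strip()
        if name:
            segments[name].add(rectype)
    return segments


def cics_only_without_omvs(segments: Dict[str, Set[str]]) -> List[str]:
    """Users with a CICS segment but neither a TSO nor an OMVS segment."""
    return sorted(
        user
        for user, types in segments.items()
        if USER_CICS in types
        and USER_TSO not in types
        and USER_OMVS not in types
    )


def report(unload_text: str) -> List[str]:
    """Convenience wrapper: unload text in, sorted list of candidate users out."""
    return cics_only_without_omvs(parse_unload(unload_text.splitlines()))


if __name__ == "__main__":
    import sys

    # With a file argument, read a real (EBCDIC-converted) unload; otherwise
    # run against the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_UNLOAD
    for user in report(text):
        print(user)
```

Run against the sample it prints CICSUSR1 and CICSUSR2: both have a CICS segment and nothing else, while UNIXUSR1 already has an OMVS segment and TSOUSR01 and BATCHID1 have no CICS segment. The same three-set comparison can be extended to whatever other segment types mark a user as "interactive" in your shop.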

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN