Rob, I was joking. No doubt, SDSF will not drop protection for the MVS LISTs like APF, LPA, LNK. But I expect the vendor not to reinvent new risk while not handling the old ones. ISRDDN, TASID and other tools are already in place without supplying any protection! IBM itself (in "Security for system datasets") recommends considering UACC of NONE for sys1.parmlib (where the lists are defined). Most of the new functions in SDSF already exist in ISRDDN, unprotected other than the warning panel. BTW, I think that the list supplied in "Security system datasets" is facilitating. SYS1.samplib has some very helpful tools for the pen-tester, sys1.saxrrexec has the password validation rexx and rexx compiler points to the library where the source code resides. And I haven't seen SYS1.TELCMLIB for years... It looks like it is time to update the list.
I know how to access the lists from storage, but why bother if someone gives the information for free?

ITschak

On Tue, Jan 30, 2018 at 8:01 PM, Rob Scott <[email protected]> wrote:

> I think that the likelihood of SDSF removing protection for the APF
> command in the next release is exactly zero.
>
> There are a few points I would like to make:
>
> (1) SDSF historically has provided protection for all of its non-trivial
> commands and the dynamic construction of the user interface is based on
> security decisions. SDSF users expect there to be a security resource for
> any new command that displays data. Granting carte-blanche access to a
> whole ream of commands (old or new) in a new release would be incompatible
> with previous behaviour.
> (2) SDSF has to cope with cross-system requests - it is very possible that
> the user might not have access to certain SDSF commands on non-local
> systems.
> (3) SDSF data collection runs in an authorized state and it does not have
> to be re-engineered to provide secure protection of functionality. ISRDDN
> runs as a key-8 problem state ISPF program and to convert it to securely
> protect its functionality would be a non-trivial amount of development
> effort.
>
> Rob Scott
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]] On
> Behalf Of Walt Farrell
> Sent: Monday, January 29, 2018 7:19 PM
> To: [email protected]
> Subject: Re: RFE For ISRDDN/DDLIST to further protect system integrity
>
> On Mon, 29 Jan 2018 20:03:11 +0200, ITschak Mugzach <[email protected]>
> wrote:
>
> >To summarise Rob's and Walt's argument, the security applied to APF
> >panel in SDSF was a mistake and I believe IBM will remove it in next
> >release...
>
> There are some possible distinctions between SDSF and ISRDDN, though.
> First, SDSF already provides highly granular controls that are intended
> both for security and simply for customization, and it would seem strange
> to IBM's customers for an SDSF function not to have such controls, given
> the other controls that have already been present.
>
> Second, I think that SDSF has the ability to provide information from more
> than one system. ISRDDN is only giving you information from the current
> system, I think. It's true that it makes no sense to protect the function
> in ISRDDN because anyone can simply look in storage to see the information.
> But SDSF may deserve more protection as it can show you information from
> systems that you're not allowed to logon to, and thus can't inspect
> directly.
>
> Having said that, I no longer have access to internal IBM discussions and
> really don't know much about the history of SDSF controls for its APF panel
> and the rationale for providing them.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions, send email
> to [email protected] with the message: INFO IBM-MAIN
--
ITschak Mugzach | IronSphere Platform | Information Security Contiguous Monitoring for Legacy
