Perhaps you could look at the common storage tracking information for
your SP 231 storage. With appropriate settings in your DIAGXX parmlib
member CSA/SQA storage tracking data should indicate the owner (address
space) of the storage. Perform this analysis before the problem occurs.
This
I am not aware of native rexx support for LOAD. You could write a rexx
function in assembler. I believe if you look at the CBT web site there
is at least a single example of this.
This technique is something I use when I see machine instructions and I
don't know how to decode them. You may be
Yes, I believe I have a way to attack a mainframe system where I don't
have access.
Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series™
www.zassure.com
(312)574-0007
On 3/28/2012 02:03 AM, Elardus Engelbrecht wrote:
Ray Overby wrote:
I am a vendor so take my post
with little to no audit trail.
What part of this is not a mainframe problem?
Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series™
www.zassure.com
(312)574-0007
On 3/27/2012 13:25 PM, R.S. wrote:
On 2012-03-27 17:06, Greg Dorner wrote:
Dear IBM-MAINers,
Our auditors
users can access any ESM protect resources regardless of installation
controls with no logging or auditing then by all means ignore the issue.
It does not mean it is not true.
Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series™
www.zassure.com
(312)574-0007
On 3/27/2012
for
developing and maintaining this type of code. It requires a constant
vigilance to make sure these types of errors don't get out into the
field. Even then it only takes a single error that could compromise
the system integrity. It is a difficult job.
Ray Overby
Key Resources, Inc.
Ensuring System
:
*--*
ECBAD    DS    F                  WTOR ECB
REPLY    DS    CL8                WTOR REPLY BUFFER
WTORD1   DS    0D,XL(WTOR1L)      WTOR REMOTE PLIST
Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series™
www.zassure.com
(312)574-0007
On 3/19
Ben - I disagree that the code is non-rent. While there are a-cons
generated by the WTOR MF=L macro expansion the WTOR MF=E macro is
replacing these a-cons. The code does successfully execute in a program
linked as RENT REUS.
MF=L WTOR:
Loc Object Code Addr1 Addr2 Stmt Source
that is from ISVs.
If the backdoor, intercept, or other authorized program violates the IBM
statement of integrity then it is a problem that needs to be remediated.
Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series™
www.zassure.com
(312)574-0007
On 3/8/2012 08:40 AM, Charles
the before and after state around the invoking of the
authorized service you generally see some form of elevated capabilities
when a violation of the IBM statement of integrity occurs.
Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series™
www.zassure.com
(312)574-0007
On 3/8
Rob - How about: If your authorized program while executing in PSW Key
0-7 stores into an address provided by an unauthorized caller (as long
as the store operation uses the execution PSW KEY) then this is a
violation of the IBM statement of integrity.
Ray Overby
Key Resources, Inc.
Ensuring
Assuming this data is produced by a summary format in IPCS I believe
the LX is 2B and the EX is 00.
On 3/4/2012 11:46 AM, Micheal Butz wrote:
PC
NUMBER
2B00 The Following PC number is for LX or linkage index 0 as The
high order 0's signify
-Original
sequential to work you must modify the RPL to
put it into sequential mode (OPTCD=SEQ) prior to issuing the GET request.
If this is not your problem I still think the review process I outlined
will help you figure out what your problem is. You can contact me off
list if you like.
Ray Overby
ACF2 uses SVCs to perform security calls. They used to be called SVC A
(ACF00SVA) and SVC S (ACF99SVC).
On 1/1/2012 10:33 AM, Scott Ford wrote:
Peter,
If memory serves me correctly CA uses SVCs to perform security calls. I am not
an expert in CA-ACF2, but this is what I remember
Regards,
-In an N lpar sysplex with each lpar running late level z/OS (let's
say z/os 1.11 or higher) if a single lpar crashes (i.e. - an unscheduled
termination of z/OS without performing normal shutdown procedures) will
this affect the other systems?
-Can this situation be simulated by having
Is there a way to copy a z/OS USS pax file to another z/OS system without using
FTP and have the pax file still be usable when copy completed?
For example:
01) Copy USS file to some type of z/os file on source z/OS system.
02) IND$FILE source system z/os file to USB drive.
03) Plug USB drive
AMATERSE does not appear to directly support USS files as input. I
reviewed the doc + tried several test cases.
On 8/18/2011 09:24 AM, Mark Zelden wrote:
On Thu, 18 Aug 2011 09:01:19 -0500, Ray Overby rayove...@comcast.net wrote:
Is there a way to copy a z/OS USS pax file to another z/OS
-West National Life Insurance Company of TennesseeSM and The
MEGA Life and Health Insurance Company.SM
-Original Message-
From: IBM Mainframe Discussion List
[mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Ray Overby
Sent: Thursday, August 18, 2011 9:01 AM
To: IBM-MAIN@bama.ua.edu
Subject
Thanks to all who responded. I was able to successfully copy the pax
file from one z/os to another using John's suggestion. The only change I
made was to add -x os390 option.
By default it appears that the z/OS file created was FB 80. I was able
to use IND$FILE binary transfer directly the
I was looking at my options for allocating a PDSE. They appear to be:
-ISPF 3.2 using LIBRARY as Data set name type value.
-JCL - DSNTYPE= parameter. You would use other parameters similar to
what you would use for a PDS.
-SVC 99 in assembler - DALDSNT (DSNTYPE) Text unit appears
Try SNAPX with the SDATA=(PCDATA) parameter specified. This would assume
that you know which LX the PC routine resides in.
On 5/19/2011 15:18 PM, Micheal Butz wrote:
Hi, would anyone know, given a PC number, how I can find out the
associated module address
Sent from my iPhone
I found it interesting that a CVSS score was included in this post.
Based upon my limited experience with CVSS scores associated with z/OS
vulnerabilities 7.5 is pretty high. For example, a SVC that stores into
a caller specified address while in PSW Key 0 Supervisor state and the
unauthorized
Barry,
Here is Dennis's original post.
Ray
On 2/28/2011 11:56 AM, Dennis Schaffer wrote:
Hi,
We're running TRX from OES Inc., and we're looking for alternatives.
TRX provides allocation and i/o services for the TSO/ISPF environment. TRX
allows us to
avoid maintaining logon procs with
totally assure you that a manual process just will not work in our
lifetimes. So, an automated process is necessary. And VAT provides that
automation.
And I agree with you that many z/OS Auditors need to be educated on this.
Ray Overby
Key Resources, Inc.
Ensuring System Integrity for z/Series
visit www.vatsecurity.com and attend one of our webinars or contact
us so we can discuss it.
Ray Overby
Key Resources, Inc.
ray.ove...@kr-inc.com
On 1/28/2011 12:27 PM, Jim Marshall wrote:
Auditors came around and wrote up our z/OS V1R10 Sysplex for not running
By architecture, REXX functions are executed in an environment where:
-The psw key is 8
-The psw indicates problem state
-The JSCBAUTH bit is zero.
When the JSCBAUTH bit is zero the MODESET macro will get a S047 abend
when executed. Therefore rexx functions cannot get into an
Peter,
Here is a copy of the procedure I use to delete orphaned vsam files. I
last used this on a z/OS 1.12 system (recently).
Ray Overby
01) Change volser to os format VTOC.
Put in valid job card
//**
//* FUNCTION
Another tactful way to say this is:
How long would z/OS continue to run after this program is executed?
Low address protection may cause this program to abend with a S0C4 if
they are lucky...
Is low address protection a hardware or software feature?
On 12/15/2010 14:06 PM, Tom Marchant
I use the following technique for identifying situations where recursive
abends occur. When a recovery environment is created (ESTAE/FRR) I
allocate storage associated with the recovery routine. If an abend
occurs the recovery routine tests a flag in the allocated storage. The
flag is set by
Barry,
What do you think of contacting Lindy off list to see if we can't get
into contact with heavily customized systems with lots of system
exits. KRI could help them with their technical expertise...
Ray
On 10/15/2010 06:46 AM, Lindy Mayfield wrote:
I think that there is another
My apologies to the list. I did not mean for this email to be
sent there.
On 10/15/2010 07:42 AM, Ray Overby wrote:
Barry,
What do you think of contacting Lindy off list to see if we can't get
into contact with heavily customized systems with lots of system
exits. KRI could help
Rick brings up a good point: /But as these types of problems grow,
I'm sure that IBM and REPUTABLE vendors are working to close any holes
that might exist./ As I see it there are two parts to this. Vendor
testing prior to shipping code and Vendor response when problems are
reported in the
I agree that notification of the code owner (ISV or IBM) is the right
thing to do for integrity based vulnerabilities. Unlike vulnerabilities
that are based upon configuration, IPL parameters or security settings
integrity vulnerabilities cannot be remediated by the installation. You
have to
-Some code that is executing in an authorized state
- Supervisor state
- PSW key 0-7
- Ability to issue MODESET SVC (APF authorized)
-This code would have one of the following flaws:
- Store into requester provided storage address while in an
authorized
Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of
Ray Overby
Sent: Thursday, October 14, 2010 6:54 PM
To: IBM-MAIN@bama.ua.edu
Subject: Re: Mainframe hacking?
-Some code that is executing in an authorized state
- Supervisor state
- PSW key 0-7
-The sad news is that integrity exposures exist today in every
z/OS system. There is no need to install anything other than what you
already have installed.
-These integrity exposures have already gotten past the system's guys.
- Current systems programmers (in general) do not have
more information on my website: www.vatsecurity.com and information on the software I have
developed, the Vulnerability Analysis Tool, which does a vulnerability
scan on z/OS systems and finds many, many z/OS and ISV system integrity
vulnerabilities.
Ray Overby
Key
Discussion List [ibm-m...@bama.ua.edu] On Behalf Of Ray
Overby [rayove...@comcast.net]
Sent: Wednesday, September 29, 2010 4:13 PM
To: IBM-MAIN@bama.ua.edu
Subject: Does anyone have doc on IEC988I message?
I used lookat and did not find
I used lookat and did not find it.
--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at
-Original Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On Behalf Of
Ray Overby
Sent: Wednesday, September 29, 2010 4:13 PM
To: IBM-MAIN@bama.ua.edu
Subject: Does anyone have doc on IEC988I message?
I used lookat and did not find it.
NOTICE
Message-
From: IBM Mainframe Discussion List [mailto:ibm-m...@bama.ua.edu] On
Behalf Of Ray Overby
Sent: Wednesday, September 29, 2010 4:13 PM
To: IBM-MAIN@bama.ua.edu
Subject: Does anyone have doc on IEC988I message?
I used lookat and did not find
-From an installations point of view all code that runs in system
key (0-7), supervisor state, or has the ability to do so:
-Should be considered part of the operating system (system
extensions if you like).
-Has the ability to circumvent the installation implemented
My understanding is if the target address space is non-swappable then
you can safely use non-srb code to obtain access to the other address
space's private area. I believe the unpredictability comes when the
target address spaces are swappable. Depending upon your application
requirements
ACF2 Security privilege is a combination of RACF SYSTEM SPECIAL + SYSTEM
OPERATIONS
McKown, John wrote:
-Original Message-
From: IBM Mainframe Discussion List
[mailto:ibm-m...@bama.ua.edu] On Behalf Of Bathmaker, Jon
Sent: Friday, April 23, 2010 10:20 AM
To: IBM-MAIN@bama.ua.edu
discarded as
being not acceptable. Maybe there are other options that you discarded.
Just my .02 cents.
Ray Overby wrote:
ACF2 Security privilege is a combination of RACF SYSTEM SPECIAL +
SYSTEM OPERATIONS
McKown, John wrote:
-Original Message-
From: IBM Mainframe Discussion List
The CA ACF2 R14 system programmers guide chapter 7 user exits should
contain most of the doc on ACF2 exits. I believe you should look at
VLDEXIT (dataset and program preval exit) and RSCXIT1 (resource preval
exit). With these exits you could simulate SECURITY authority.
Elliot, David wrote:
ACF2 SECURITY attribute allows insert, change, delete of any ACF2
database record. It also changes an access violation to an allow and
log (assuming requester does not have authority from some other source).
It is pretty powerful...
You would not be able to turn off ACF2 checking other
LPAMOD= or RANGE= and/or you may have to change when
you set your trap (i.e. - before OAM is started for instance w/PVTMOD=).
Hope this helps.
Ray Overby
Mark Jacobs wrote:
I'm trying to debug a modification to our OAM CBRUXVNL exit and I can't
get a SLIP IF to capture anything.
I tried a SLIP
that is displayed by this trace. You should be able to
verify that your program is executing as you expect.
Notes:
01) Replace the WTOR with PUTGET if your target address space is a TSO
session as the WTOR will not work quite like you would like...
Ray Overby
Lindy Mayfield wrote
System Services Messages and Codes: 3.0
http://publibz.boulder.ibm.com/cgi-bin/bookmgr_OS390/FRAMESET/bpxza880/3.0?SHELF=DT=20070606153306
. Is this correct?
Ray Overby
Thanks to all for the info..
McKown, John wrote:
-Original Message-
From: IBM Mainframe Discussion List
[mailto:[EMAIL PROTECTED] On Behalf Of Ray Overby
Sent: Monday, August 11, 2008 2:26 PM
To: IBM-MAIN@BAMA.UA.EDU
Subject: Where is doc for BPX1MPC return information?
I am
is high.
Ray Overby
Peter Relson wrote:
While it is true that many might not care about someone corrupting a user
key CSA area (even if it potentially compromises their system), that is not
the only integrity exposure that user key CSA can result in.
Allowing unauthorized communication
are
required to suppress logrec recording. Also, if there are other
requirements (such as using other operands on the SETRP) the doc may
cover that also.
Ray Overby
David Kreiss wrote:
We have a non space switching PC we use to ensure we have the required
access to a specifiable piece of storage (much
David,
Are there multiple level(s) of recovery in place? If so, is one of them
turning on the logrec recording?
Ray Overby
David Kreiss wrote:
Ray,
Yes, we looked at the SETRP RECORD=NO and all it does is turn off the
SDWARCRD bit in SDWAACF2. We checked to ensure there was proper
Barry,
The non-auth name/token services comes to mind.
Ray Overby
Schwarz, Barry A wrote:
When using ISPF 3.4 on a system with HSM, the migrated datasets show up
with a volser of MIGRATn. Most of the time, the user is only interested
in the active datasets (which frequently
Mike,
There is an acb error code (2 or 4 bytes) that is useful. It used to be
documented w/the VTAM OPEN as opposed to VSAM open. If I remember
correctly it should be in the VTAM programming book(s). That will get
you more detail.
Ray Overby
Michael Knigge wrote:
All,
we currently move
I am writing an assembler program. I have obtained the format 1 dscb for
a data set. Is there a way to tell if the PDS or PDSE is empty by using
the format 1 dscb? If not, how do you tell if a PDS or PDSE is empty?
Ray Overby
to check the
ECB prior to issuing the POST. I believe PoPs (or POO as some folks call
it) has a section on bypassing post that would be useful for you to look at.
Ray Overby
Lindy Mayfield wrote:
Thanks. That makes sense.
What doesn't is that Cannatello's book has a page and a half
is on then issue the PC call. If the bit is off
then don't issue the PC.
Hope this helps.
Ray Overby
David Logan wrote:
Here is a question for the masses. I am calling a PC routine from C++. The
C++ and assembly code snippets are at the end.
My question is this: When the address space
. If bit is on then issue the PC call. If the bit is off
then don't issue the PC.
Hope this helps.
Ray Overby
David Logan wrote:
Here is a question for the masses. I am calling a PC routine from C++. The
C++ and assembly code snippets are at the end.
My question is this: When the address space
60 matches