Re: IEFOPZxx Parmlib Members -- Debate at GSE LSG Meeting

2017-03-25 Thread Peter Relson
Did I miss some introductory discussion?

I think that there is not typically much more to IEFOPZxx than there would 
be to any other data set in a STEPLIB or the LNKLST -- things like APF 
authorization and update access (plus program control if applicable). If 
someone has update access to PARMLIB, there is no reason to think about 
anything beyond that. 

The same could have been said to be true for CSVRTLxx when that was 
supported.

Peter Relson
z/OS Core Technology Design


--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: IEFOPZxx Parmlib Members -- Debate at GSE LSG Meeting

2017-03-19 Thread scott Ford
I second what Walt said as we I am a security provisioning designer working
on z/OS from an ISV



On Sun, Mar 19, 2017 at 7:38 AM Walt Farrell  wrote:

> On Sun, 19 Mar 2017 07:00:27 +, Mark Wilson wrote:
>
> >Just following up on your comment re your curiosity re IEFOPZxx debate on
> >the GSE UK LSG Agenda.
> >
> >We will debate IEFOPZ from two perspectives:
> >
> >The first being how, why and when to use it, as it's one of those topics
> >that can potentially just slip by if the techies are not paying
> >attention.
> >
> >The second and the more interesting discussion will be around any
> >potential security issues that could be exploited, by a rogue user,
> >who has update or higher access to PARMLIB, coupled with some patience or
> >the ability to dynamically enable this for a given program.
> >
> >Given they could introduce their own code into the system, there are
> >several security questions to be asked:
>
> Speaking as a former security designer for z/OS, I have to say that if a
> rogue user has update access to PARMLIB you have a lot more than IEFOPZxx
> to worry about.
>
> --
> Walt
>
> --
Scott Ford
IDMWORKS
z/OS Development



Re: IEFOPZxx Parmlib Members -- Debate at GSE LSG Meeting

2017-03-19 Thread Walt Farrell
On Sun, 19 Mar 2017 07:00:27 +, Mark Wilson  wrote:

>Just following up on your comment re your curiosity re IEFOPZxx debate on the 
>GSE UK LSG Agenda.
>
>We will debate IEFOPZ from two perspectives:
>
>The first being how, why and when to use it, as it's one of those topics that 
>can potentially just slip by if the techies are not paying
>attention.
>
>The second and the more interesting discussion will be around any potential 
>security issues that could be exploited, by a rogue user, 
>who has update or higher access to PARMLIB, coupled with some patience or the 
>ability to dynamically enable this for a given program.
>
>Given they could introduce their own code into the system, there are several 
>security questions to be asked:

Speaking as a former security designer for z/OS, I have to say that if a rogue 
user has update access to PARMLIB you have a lot more than IEFOPZxx to worry 
about.

-- 
Walt



IEFOPZxx Parmlib Members -- Debate at GSE LSG Meeting

2017-03-19 Thread Mark Wilson
John,

Just following up on your comment re your curiosity re IEFOPZxx debate on the 
GSE UK LSG Agenda.

We will debate IEFOPZ from two perspectives:

The first being how, why and when to use it, as it's one of those topics that 
can potentially just slip by if the techies are not paying attention.

The second and the more interesting discussion will be around any potential 
security issues that could be exploited, by a rogue user, who has update or 
higher access to PARMLIB, coupled with some patience or the ability to 
dynamically enable this for a given program.

Given they could introduce their own code into the system, there are several 
security questions to be asked:


· What security controls are available to us?

· What monitoring solutions are there if this is dynamically changed?

· What controls should/must be deployed?

I have to write a few slides on this over the coming week and may come up with 
more questions than answers!

Hope this helps….

Mark

Mark Wilson | Technical Director | RSM Partners Ltd

Head Office:  +44 (0) 1527 837767
Mobile:  +44 (0) 7768 617006
Email:ma...@rsmpartners.com
Web:  www.rsmpartners.com

GSE Information
Large Systems Working Group Chairman
www.lsx.gse.org.uk

GSE UK Conference Manager
www.gse.org.uk/tyc
Email: mark.wil...@gse.org.uk


