Re: Submitting batch if you don't have TSO
> On Sunday, September 15, 2019, 10:40:53 PM PDT, Bill Soper wrote:
> With CICS 5.5... you can submit as the CICS logged on userid...

This could still become a headache for the security admin and others if not managed correctly: assigning SURROGAT and maintaining dataset profiles for CICS users. Ensuring that users can't modify JCL or assign output destinations could be considered an exposure. The help desk must deal with job problems because CICS users seldom understand JCL.

Interfacing with the job scheduler would be far more acceptable. Job errors and abends are dealt with in a more timely manner. User manipulation is limited and it's easier to administrate.

Jon.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: Submitting batch if you don't have TSO
Apologies if I'm repeating ...

With CICS 5.5... you can submit as the CICS logged on userid...
https://www.ibm.com/support/knowledgecenter/en/SSGMCP_5.5.0/upgrading/process/upgrade_security.html#upgrade_security__jcl-submission

Short version: Define surrogate checks to allow the region user ID to submit jobs on behalf of these users. Configure the following feature toggles:

com.ibm.cics.spool.surrogate.check=true
com.ibm.cics.spool.defaultjobuser=TASK

Cheers,
Bill
Re: Submitting batch if you don't have TSO
On Wed, 11 Sep 2019 12:15:11 -0500, Paul Gilmartin wrote:
> As I follow this thread, I wonder why CICS doesn't submit batch jobs
> with the credentials of the requesting individual rather than the CICS
> region.

Some of the IBM CICS designers over the years have wanted to allow that. The IBM z/OS Security and Integrity teams (in my time) strongly resisted that because with the design of CICS it's not safe. Yes, CICS verifies the user's identity with RACF (or other security product), but after that there are storage isolation issues in a multi-user environment such as a CICS region that make it impossible for the system to trust the user's identity sufficiently to allow it to propagate to another environment such as a batch job.

Note that this is a fundamental issue with multi-user address spaces that run customer- or user-provided code, not just with CICS. It can be mitigated by vigilant and vigorous inspection of all the customer- and/or user-provided code that will run in the region. However, it can only be truly resolved by appropriate protection and isolation of both the control blocks that prove a user's identity and the transaction code. And, unfortunately, providing that isolation has performance implications and might require hardware changes. Those performance implications were considered unacceptable for a CICS environment.

We had some interesting discussions over the years investigating potential CICS or z/OS software changes, possibly coupled with z hardware changes, that could allow protection and propagation of the user's identity safely, but none of them resulted in satisfactory solutions that would also maintain the required level of performance.

--
Walt (former SAF and RACF Designer/Developer, for those who may not know)
Re: Submitting batch if you don't have TSO
Back to the original question...

This is almost more comparable to asking the question "Who can submit JCL using the ID(s) used by Control-M/CA-7/other scheduler?" I would dare say that usually there are pretty tight controls... production control/schedulers? If there are tight controls on submitting JCL that is reviewed, controlled, or is really more of changing input control cards than submitting JCL... then I might be more in favor. If the answer is they can submit any old JCL, then have one of them run an IEFBR14 that deletes something that an auditor needs. *OK... so this might be extreme and possibly a CLM (career limiting move)*... but actually showing the vulnerability might be better than just talking about it. No controls = not advisable.

The other item is to tightly control what the CICS region ID can do... which should be done anyway. At least the damage someone can do will be relegated to items confined to that CICS region.

Any of the JCL submission entry points is vulnerable without proper review and controls. There are almost always exits that can be used to modify jobs to place controls... not so popular (exits at least) any more... but for the right use... might be the ticket.

YMMV... good luck with changing ingrained, possibly dangerous behaviors without management buy-in. Or, as they say in "The Princess Bride", "Have fun storming the castle!"

Rob Schramm
Re: Submitting batch if you don't have TSO
> Using any UNIX facility causes the task to be dubbed with the UID in the
> owner's OMVS segment, a generated unique UID, or (obsolete) a default UID.

None of which is relevant to whether the OMVS segment is required to use the OMVS command.

> Have you a better citation?

For what? The ANSI standard is the correct document for ANSI REXX. Has IBM claimed that TSO/E REXX running in Unix System Services is ANSI compliant? If not, then Using REXX and z/OS UNIX System Services is the only relevant document.

> What should LINEIN() do to distinguish an empty line from end-of-file?

Whatever the language reference specifies. If it claims to be ANSI compatible then it should raise NOTREADY.

> I've used implementations where the STREAM() function makes the distinction.

Probably Regina, which *does* claim to be ANSI compliant.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu>
Sent: Thursday, September 12, 2019 8:58 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

> On 2019-09-12, at 14:26:36, Seymour J Metz wrote:
>
>> This implies that submitter must have an OMVS segment.
>
> No. If he can run in a Unix shell then he can use the Unix functions for REXX.
>
> I looked at Chapter 2. OMVS, a 3270 terminal interface to the z/OS shell in
> z/OS: UNIX System Services User's Guide and didn't see anything about
> requiring an OMVS segment. It's possible that you need an OMVS segment to use
> the OMVS command, but that's certainly not implied by the functions for REXX
> under a Unix shell.
>
Using any UNIX facility causes the task to be dubbed with the UID in the owner's OMVS segment, a generated unique UID, or (obsolete) a default UID.

>> And it was done as a function package, so SIGNAL ON NOTREADY is not
>> supported.
>
> The ANSI specifications call for returning an empty string rather than
> raising a signal. But I wonder whether IBM would accept an RFE to allow
> external to raise a signal.
>
I find NOTREADY in the Preliminary ANSI Standard at:
http://www.rexxla.org/rexxlang/standards/j18pub.pdf

Have you a better citation?

What should LINEIN() do to distinguish an empty line from end-of-file? I've used implementations where the STREAM() function makes the distinction.

-- gil
Re: Submitting batch if you don't have TSO
> On 2019-09-12, at 14:26:36, Seymour J Metz wrote:
>
>> This implies that submitter must have an OMVS segment.
>
> No. If he can run in a Unix shell then he can use the Unix functions for
> REXX.
>
> I looked at Chapter 2. OMVS, a 3270 terminal interface to the z/OS shell in
> z/OS: UNIX System Services User's Guide and didn't see anything about
> requiring an OMVS segment. It's possible that you need an OMVS segment to use
> the OMVS command, but that's certainly not implied by the functions for REXX
> under a Unix shell.
>
Using any UNIX facility causes the task to be dubbed with the UID in the owner's OMVS segment, a generated unique UID, or (obsolete) a default UID.

>> And it was done as a function package, so SIGNAL ON NOTREADY is not
>> supported.
>
> The ANSI specifications call for returning an empty string rather than
> raising a signal. But I wonder whether IBM would accept an RFE to allow
> external to raise a signal.
>
I find NOTREADY in the Preliminary ANSI Standard at:
http://www.rexxla.org/rexxlang/standards/j18pub.pdf

Have you a better citation?

What should LINEIN() do to distinguish an empty line from end-of-file? I've used implementations where the STREAM() function makes the distinction.

-- gil
Re: Submitting batch if you don't have TSO
> You mean like a BPX function?

No, those are IBM, not ANSI. I mean like charin, charout, linein, lineout.

> built-in

Only if you consider functions in a function package to be builtin; they're certainly not part of the REXX interpreter.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Don Poitras
Sent: Thursday, September 12, 2019 4:15 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

You mean like a BPX function? Not that I see. The 'submit' from Gil's link is just a rexx program (/bin/submit) that calls the Rexx 'submit' built-in. Before this version, Bill Schoen used to have a version that used:

---
/* Allocate a SYSOUT data set whose external writer is the JES internal reader */
call bpxwdyn 'alloc dd(sub) sysout writer(intrdr) recfm(f)',
             'lrecl(80) msg(2)'
/* Write the JCL cards held in stem s. (s.0 = number of cards) to it */
address mvs 'execio' s.0 'diskw sub (fini stem s.'
/* Freeing the DD closes the internal reader, which hands the job to JES */
call bpxwdyn 'free dd(sub) msg(2)'
---

I'm sure that still works.

In article you wrote:
> ObNit submit() is a Unix System Services function that is written to be
> called from REXX. There are a bunch of them.
>
> ObRaisedEyebrows For some reason IBM added the ANSI functions for stream I/O
> for REXX under Unix but not for REXX under TSO.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List on behalf of Don Poitras
> Sent: Wednesday, September 11, 2019 3:56 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Submitting batch if you don't have TSO
>
> In article <9767139758844518.wa.paulgboulderaim@listserv.ua.edu> you wrote:
> > On Wed, 11 Sep 2019 13:40:42 -0500, Len DiCristofano wrote:
> > >IBM Explorer for z/OS using the z/OS perspective is also an alternative to
> > >TSO in submitting batch jobs.
> > >
> > Could do likewise with UNIX System Services:
> >
> > https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.bpxa400/jclsub.htm
> > The submit command submits JCL from the shell. By using this command
> > you do not need to open a TSO session to submit JCL.
> > -- gil
>
> The 'submit' command itself is just a REXX program wrapping the REXX
> 'submit' function.
> https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.bpxb600/subm.htm

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513
Re: Submitting batch if you don't have TSO
> This implies that submitter must have an OMVS segment.

No. If he can run in a Unix shell then he can use the Unix functions for REXX.

I looked at Chapter 2. OMVS, a 3270 terminal interface to the z/OS shell in z/OS: UNIX System Services User's Guide and didn't see anything about requiring an OMVS segment. It's possible that you need an OMVS segment to use the OMVS command, but that's certainly not implied by the functions for REXX under a Unix shell.

> And it was done as a function package, so SIGNAL ON NOTREADY is not supported.

The ANSI specifications call for returning an empty string rather than raising a signal. But I wonder whether IBM would accept an RFE to allow external to raise a signal.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu>
Sent: Thursday, September 12, 2019 3:22 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

On Thu, 12 Sep 2019 18:50:00 +0000, Seymour J Metz wrote:
>ObNit submit() is a Unix System Services function that is written to be called
>from REXX. There are a bunch of them.
>
This implies that submitter must have an OMVS segment. Is Default User or Unique User supported nowadays?

>ObRaisedEyebrows For some reason IBM added the ANSI functions for
>stream I/O for REXX under Unix but not for REXX under TSO.
>
And only for UNIX files. Feels political: Conway's Law? I believe the author was a UNIX-oriented developer, perhaps daunted by the co-requisite for allocation. But that was done for cp(1) and a few other functions:
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.bpxa500/usmd.htm

And it was done as a function package, so SIGNAL ON NOTREADY is not supported. A programmer might kludge SYSCALL PIPE and cp to get a streamable file descriptor. I understand that compiled Rexx supports ANSI stream I/O for Classic data sets but not for UNIX files.

-- gil
Re: Submitting batch if you don't have TSO
You mean like a BPX function? Not that I see. The 'submit' from Gil's link is just a rexx program (/bin/submit) that calls the Rexx 'submit' built-in. Before this version, Bill Schoen used to have a version that used:

---
/* Allocate a SYSOUT data set whose external writer is the JES internal reader */
call bpxwdyn 'alloc dd(sub) sysout writer(intrdr) recfm(f)',
             'lrecl(80) msg(2)'
/* Write the JCL cards held in stem s. (s.0 = number of cards) to it */
address mvs 'execio' s.0 'diskw sub (fini stem s.'
/* Freeing the DD closes the internal reader, which hands the job to JES */
call bpxwdyn 'free dd(sub) msg(2)'
---

I'm sure that still works.

In article you wrote:
> ObNit submit() is a Unix System Services function that is written to be
> called from REXX. There are a bunch of them.
>
> ObRaisedEyebrows For some reason IBM added the ANSI functions for stream I/O
> for REXX under Unix but not for REXX under TSO.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List on behalf of Don Poitras
> Sent: Wednesday, September 11, 2019 3:56 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Submitting batch if you don't have TSO
>
> In article <9767139758844518.wa.paulgboulderaim@listserv.ua.edu> you wrote:
> > On Wed, 11 Sep 2019 13:40:42 -0500, Len DiCristofano wrote:
> > >IBM Explorer for z/OS using the z/OS perspective is also an alternative to
> > >TSO in submitting batch jobs.
> > >
> > Could do likewise with UNIX System Services:
> >
> > https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.bpxa400/jclsub.htm
> > The submit command submits JCL from the shell. By using this command
> > you do not need to open a TSO session to submit JCL.
> > -- gil
>
> The 'submit' command itself is just a REXX program wrapping the REXX
> 'submit' function.
> https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.bpxb600/subm.htm

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513
Re: Submitting batch if you don't have TSO
On Thu, 12 Sep 2019 18:50:00 +0000, Seymour J Metz wrote:
>ObNit submit() is a Unix System Services function that is written to be called
>from REXX. There are a bunch of them.
>
This implies that submitter must have an OMVS segment. Is Default User or Unique User supported nowadays?

>ObRaisedEyebrows For some reason IBM added the ANSI functions for
>stream I/O for REXX under Unix but not for REXX under TSO.
>
And only for UNIX files. Feels political: Conway's Law? I believe the author was a UNIX-oriented developer, perhaps daunted by the co-requisite for allocation. But that was done for cp(1) and a few other functions:
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.bpxa500/usmd.htm

And it was done as a function package, so SIGNAL ON NOTREADY is not supported. A programmer might kludge SYSCALL PIPE and cp to get a streamable file descriptor. I understand that compiled Rexx supports ANSI stream I/O for Classic data sets but not for UNIX files.

-- gil
Re: Submitting batch if you don't have TSO
ObNit submit() is a Unix System Services function that is written to be called from REXX. There are a bunch of them.

ObRaisedEyebrows For some reason IBM added the ANSI functions for stream I/O for REXX under Unix but not for REXX under TSO.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Don Poitras
Sent: Wednesday, September 11, 2019 3:56 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

In article <9767139758844518.wa.paulgboulderaim@listserv.ua.edu> you wrote:
> On Wed, 11 Sep 2019 13:40:42 -0500, Len DiCristofano wrote:
> >IBM Explorer for z/OS using the z/OS perspective is also an alternative to
> >TSO in submitting batch jobs.
> >
> Could do likewise with UNIX System Services:
>
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.bpxa400/jclsub.htm
> The submit command submits JCL from the shell. By using this command
> you do not need to open a TSO session to submit JCL.
> -- gil

The 'submit' command itself is just a REXX program wrapping the REXX 'submit' function.
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.bpxb600/subm.htm

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513
Re: Submitting batch if you don't have TSO
As far as I can remember from the late 80's/early 90's, I set up submitting jobs through the CICS transient data queue to the internal reader. These were print jobs to a local printer, issued from within a transaction and under the CICS region's ID.

CP

On 11/09/2019 22:24, Joel C. Ewing wrote:
> On 9/11/19 12:15 PM, Paul Gilmartin wrote:
>> On Wed, 11 Sep 2019 10:58:58 -0400, Bob Bridges wrote:
>>
>>> LOL. What gave me that idea is sheer, unadulterated ignorance. I came into
>>> the mainframe world through applications development. I was given a solid
>>> grounding in JCL back in the beginning of my training, decades ago; to me
>>> "INTRDR" is an argument that I can include in my JCL with the TSO SUBMIT
>>> command. (Or, as someone else pointed out, using FTP.)
>>>
>> An alternative might be as simple as:
>> //STEP    EXEC PGM=IEBGENER
>> //SYSUT2  DD   SYSOUT=(,INTRDR),...
>>
>> As I follow this thread, I wonder why CICS doesn't submit batch jobs
>> with the credentials of the requesting individual rather than the CICS
>> region.
>>
>> -- gil
> Perhaps because there are typically several orders of magnitude more
> CICS users than TSO users, and the typical CICS user who is not also a
> TSO user should not by default be set up with a catalog alias or in RACF
> to have direct access to data sets required to run much of any use under
> his own userid in batch. Running under the CICS region's security would
> have a better chance of success, but allows too much power. It makes
> more sense for the CICS transaction application code submitting JCL on a
> CICS user's behalf to supply the customized JCL and specify an
> application-related "batch" userid that is appropriate for the job, and
> use RACF SURROGAT authority to the CICS region to avoid the need for
> passwords. Individual installations can write their own CICS "job
> submit" routine to make it easier for application development to adhere
> to whatever unique batch job standards exist at the installation.
>
> J. C. Ewing
Re: Submitting batch if you don't have TSO
On 9/11/19 12:15 PM, Paul Gilmartin wrote:
> On Wed, 11 Sep 2019 10:58:58 -0400, Bob Bridges wrote:
>
>> LOL. What gave me that idea is sheer, unadulterated ignorance. I came into
>> the mainframe world through applications development. I was given a solid
>> grounding in JCL back in the beginning of my training, decades ago; to me
>> "INTRDR" is an argument that I can include in my JCL with the TSO SUBMIT
>> command. (Or, as someone else pointed out, using FTP.)
>>
> An alternative might be as simple as:
> //STEP    EXEC PGM=IEBGENER
> //SYSUT2  DD   SYSOUT=(,INTRDR),...
>
> As I follow this thread, I wonder why CICS doesn't submit batch jobs
> with the credentials of the requesting individual rather than the CICS
> region.
>
> -- gil

Perhaps because there are typically several orders of magnitude more CICS users than TSO users, and the typical CICS user who is not also a TSO user should not by default be set up with a catalog alias or in RACF to have direct access to data sets required to run much of any use under his own userid in batch. Running under the CICS region's security would have a better chance of success, but allows too much power. It makes more sense for the CICS transaction application code submitting JCL on a CICS user's behalf to supply the customized JCL and specify an application-related "batch" userid that is appropriate for the job, and use RACF SURROGAT authority to the CICS region to avoid the need for passwords. Individual installations can write their own CICS "job submit" routine to make it easier for application development to adhere to whatever unique batch job standards exist at the installation.

J. C. Ewing

--
Joel C. Ewing
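The controls that Jon, Bill, Rob and Joel describe in this thread (SURROGAT authority so the region ID can submit on behalf of a designated batch user ID, keeping CICS users from altering JCL or output destinations, and the IEFBR14 that deletes something the auditor needs) can be tried out offline. What follows is an added illustration, not code from the thread and not CICS, JES or RACF code: a Python pre-submission gate that parses a JCL deck, makes a SURROGAT-style userid.SUBMIT decision for the submitting ID, and flags the cards a CICS-driven submitter should refuse. The profile table, the user IDs CICSPROD, CICSTEST and PAYBATCH, the data set names and both sample decks are constructed for the example, and the profile-matching rules are a simplification of RACF's.

```python
"""Pre-submission gate for a JCL deck that a CICS region (or any automated
submitter) hands to the internal reader.  Added example, not CICS, JES or RACF
code: a RACF SURROGAT-style decision (may the submitter submit for the JOB
card's USER=?  profile userid.SUBMIT, READ needed) plus a scan for cards a CICS
user must not be able to smuggle in.  Profiles, IDs and decks are constructed."""
import re

# Constructed SURROGAT profiles: profile name -> {user ID: access}.
SURROGAT_PROFILES = {
    "PAYBATCH.SUBMIT": {"CICSPROD": "READ"},   # discrete profile
    "PAY*.SUBMIT": {"CICSTEST": "READ"},       # generic: any PAY... batch ID
}

def profile_matches(profile, resource):
    """RACF-style generics: ** = anything, * = within one qualifier, % = one char."""
    regex = ""
    for tok in re.findall(r"\*\*|\*|%|[^*%]", profile):
        regex += {"**": ".*", "*": "[^.]*", "%": "[^.]"}.get(tok, re.escape(tok))
    return re.fullmatch(regex, resource, re.IGNORECASE) is not None

def may_submit_for(submitter, jobuser):
    """True if submitter holds READ or better on jobuser.SUBMIT in SURROGAT."""
    submitter, jobuser = submitter.upper(), jobuser.upper()
    if submitter == jobuser:
        return True                                  # submitting as yourself
    matches = [p for p in SURROGAT_PROFILES if profile_matches(p, jobuser + ".SUBMIT")]
    if not matches:
        return False                                 # assumption: no profile, no authority
    # Most specific profile wins (simplified): discrete before generic, then longest name.
    best = min(matches, key=lambda p: ("*" in p or "%" in p, -len(p)))
    return SURROGAT_PROFILES[best].get(submitter) in ("READ", "UPDATE", "CONTROL", "ALTER")

def parse_jcl(deck):
    """(name, operation, operands) per JCL statement, joining continuation cards."""
    stmts, current = [], None
    for raw in deck.splitlines():
        card = raw[:72]                              # cols 73-80 are sequence numbers
        if not card.startswith("//") or card.startswith("//*"):
            continue                                 # comment, delimiter or in-stream data
        body = card[2:]
        if current is not None and current[2].rstrip().endswith(","):
            current[2] = current[2].rstrip() + body.strip()   # continuation card
            continue
        fields = ([""] + body.split(None, 1)) if body.startswith(" ") else body.split(None, 2)
        name, op, operands = (fields + ["", "", ""])[:3]
        current = [name, op.upper(), operands]
        stmts.append(current)
    return [tuple(s) for s in stmts]

def keywords(operands):
    """KEY=value pairs from an operand field, split on commas outside quotes and parens."""
    parts, depth, quoted = [""], 0, False
    for ch in operands:
        quoted ^= ch == "'"
        depth += (ch == "(") - (ch == ")") if not quoted else 0
        if ch == "," and depth == 0 and not quoted:
            parts.append("")
        else:
            parts[-1] += ch
    return {k.upper(): v for k, sep, v in (p.partition("=") for p in parts) if sep and k[:1] != "'"}

def vet_deck(deck, submitter):
    """Policy findings for a deck; an empty list means it may go to INTRDR."""
    stmts = parse_jcl(deck)
    job = next((s for s in stmts if s[1] == "JOB"), None)
    if job is None:
        return ["no JOB statement"]
    findings, jobkw = [], keywords(job[2])
    if "PASSWORD" in jobkw:
        findings.append("PASSWORD= on JOB card: credentials must not travel in JCL")
    user = jobkw.get("USER")
    if user is None:
        findings.append("no USER= on JOB card: job would inherit the submitter's (region) ID")
    elif not may_submit_for(submitter, user):
        findings.append(f"{submitter} lacks SURROGAT READ on {user.upper()}.SUBMIT")
    pgm = ""
    for name, op, operands in stmts:
        kw = keywords(operands)
        if op == "EXEC":
            pgm = kw.get("PGM", "").upper()
        elif op == "DD":
            if "INTRDR" in kw.get("SYSOUT", "").upper():
                findings.append(f"DD {name}: SYSOUT routed to INTRDR (nested submission)")
            if pgm == "IEFBR14" and "DELETE" in kw.get("DISP", "").upper():
                findings.append(f"DD {name}: IEFBR14 step deletes {kw.get('DSN', '?')}")
    return findings

# Constructed sample decks: a clean control-card run and one carrying the abuses above.
GOOD_DECK = """\
//PAYRUN   JOB (ACCT123),'NIGHTLY PAY',CLASS=A,MSGCLASS=X,
//             USER=PAYBATCH
//STEP1    EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN    DD DSN=PAY.CONTROL.CARDS,DISP=SHR
"""
BAD_DECK = """\
//ZAP      JOB (ACCT123),'OOPS',CLASS=A,USER=PAYBATCH,PASSWORD=SECRET
//STEP1    EXEC PGM=IEFBR14
//GONE     DD DSN=AUDIT.LOG.Y2019,DISP=(OLD,DELETE)
//RESUB    DD SYSOUT=(,INTRDR)
"""
```

vet_deck(GOOD_DECK, "CICSPROD") returns an empty list, while vet_deck(BAD_DECK, "CICSPROD") returns three findings (the PASSWORD= on the JOB card, the IEFBR14 delete of AUDIT.LOG.Y2019, and the SYSOUT back to INTRDR). Note that CICSTEST is denied for PAYBATCH even though the generic PAY*.SUBMIT profile would let it through, because the discrete PAYBATCH.SUBMIT profile is the more specific match, which is the behaviour to expect from RACF as well. In production the same decisions belong in RACF and a JES input exit, where the JCL cannot route around them, rather than in the application that builds the deck.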
Re: Submitting batch if you don't have TSO
In article <9767139758844518.wa.paulgboulderaim@listserv.ua.edu> you wrote:
> On Wed, 11 Sep 2019 13:40:42 -0500, Len DiCristofano wrote:
> >IBM Explorer for z/OS using the z/OS perspective is also an alternative to
> >TSO in submitting batch jobs.
> >
> Could do likewise with UNIX System Services:
>
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.bpxa400/jclsub.htm
> The submit command submits JCL from the shell. By using this command
> you do not need to open a TSO session to submit JCL.
> -- gil

The 'submit' command itself is just a REXX program wrapping the REXX 'submit' function.
https://www.ibm.com/support/knowledgecenter/SSLTBW_2.4.0/com.ibm.zos.v2r4.bpxb600/subm.htm

--
Don Poitras - SAS Development - SAS Institute Inc. - SAS Campus Drive
sas...@sas.com (919) 531-5637 Cary, NC 27513
Re: Submitting batch if you don't have TSO
--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of PINION, RICHARD W.
Sent: Wednesday, September 11, 2019 2:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

Been there, done that. Fortunately, the company still had a card reader and a card punch, late 1980's.

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Jesse 1 Robinson
Sent: Wednesday, September 11, 2019 1:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

[External Email]

This reminds me of the tale I related recently about having to revive a data center 400 miles away after VTAM got broken in a sysres switch. It seems so simple to 'run a job to rename a data set'. But if you cannot logon to a system, how will that job get submitted? If you are clever enough to have a mechanism like 'S JOB,JOBNAME=XXX', how will you edit up the IDCAMS control statements you need in job XXX? Or whatever else it would take to accomplish what one minute of TSO activity could achieve?

We can dismiss TSO as a simple tool with no special comic book powers. But try to get anything useful done without it.

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Paul Gilmartin
Sent: Wednesday, September 11, 2019 10:15 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Submitting batch if you don't have TSO

On Wed, 11 Sep 2019 10:58:58 -0400, Bob Bridges wrote:
>LOL. What gave me that idea is sheer, unadulterated ignorance. I came
>into the mainframe world through applications development. I was given
>a solid grounding in JCL back in the beginning of my training, decades
>ago; to me "INTRDR" is an argument that I can include in my JCL with
>the TSO SUBMIT command. (Or, as someone else pointed out, using FTP.)
>
An alternative might be as simple as:
//STEP    EXEC PGM=IEBGENER
//SYSUT2  DD   SYSOUT=(,INTRDR),...

As I follow this thread, I wonder why CICS doesn't submit batch jobs with the credentials of the requesting individual rather than the CICS region.

-- gil

EXCITING NEWS! Beginning this fall, First Tennessee will become First Horizon. Learn more: thenewfirsthorizon.com
Confidentiality notice: This e-mail message, including any attachments, may contain legally privileged and/or confidential information. If you are not the intended recipient(s), or the employee or agent responsible for delivery of this message to the intended recipient(s), you are hereby notified that any dissemination, distribution, or copying of this e-mail message is strictly prohibited. If you have received this message in error, please immediately notify the sender and delete this e-mail message from your computer.
Re: Submitting batch if you don't have TSO
> We can dismiss TSO as a simple tool with no special comic book powers. But
> try to get anything useful done without it

BTDT, GTTS. You'd be amazed at what you can do without TSO. Some easy options come to mind:

1. Wylbur
2. A virtual card reader under z/VM
3. ZZSA

Of course, once you fix your VTAM problem, you can go back to TSO, which is convenient. But, as the camel says, TMTOWTDI.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of PINION, RICHARD W.
Sent: Wednesday, September 11, 2019 2:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

Been there, done that. Fortunately, the company still had a card reader and a card punch, late 1980's.

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Jesse 1 Robinson
Sent: Wednesday, September 11, 2019 1:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

[External Email]

This reminds me of the tale I related recently about having to revive a data center 400 miles away after VTAM got broken in a sysres switch. It seems so simple to 'run a job to rename a data set'. But if you cannot logon to a system, how will that job get submitted? If you are clever enough to have a mechanism like 'S JOB,JOBNAME=XXX', how will you edit up the IDCAMS control statements you need in job XXX? Or whatever else it would take to accomplish what one minute of TSO activity could achieve?

We can dismiss TSO as a simple tool with no special comic book powers. But try to get anything useful done without it.

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Paul Gilmartin
Sent: Wednesday, September 11, 2019 10:15 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Submitting batch if you don't have TSO

On Wed, 11 Sep 2019 10:58:58 -0400, Bob Bridges wrote:
>LOL. What gave me that idea is sheer, unadulterated ignorance. I came
>into the mainframe world through applications development. I was given
>a solid grounding in JCL back in the beginning of my training, decades
>ago; to me "INTRDR" is an argument that I can include in my JCL with
>the TSO SUBMIT command. (Or, as someone else pointed out, using FTP.)
>
An alternative might be as simple as:
//STEP    EXEC PGM=IEBGENER
//SYSUT2  DD   SYSOUT=(,INTRDR),...

As I follow this thread, I wonder why CICS doesn't submit batch jobs with the credentials of the requesting individual rather than the CICS region.

-- gil
Re: Submitting batch if you don't have TSO
On Wed, 11 Sep 2019 13:40:42 -0500, Len DiCristofano wrote:
>IBM Explorer for z/OS using the z/OS perspective is also an alternative to TSO
>in submitting batch jobs.
>
Could do likewise with UNIX System Services:

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.bpxa400/jclsub.htm
The submit command submits JCL from the shell. By using this command you do not need to open a TSO session to submit JCL.

-- gil
Re: Submitting batch if you don't have TSO
IBM Explorer for z/OS using the z/OS perspective is also an alternative to TSO in submitting batch jobs.
Re: Submitting batch if you don't have TSO
Been there, done that. Fortunately, the company still had a card reader and a card punch, late 1980's.

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Jesse 1 Robinson
Sent: Wednesday, September 11, 2019 1:59 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

[External Email]
Re: Submitting batch if you don't have TSO
This reminds me of the tale I related recently about having to revive a data center 400 miles away after VTAM got broken in a sysres switch. It seems so simple to 'run a job to rename a data set'. But if you cannot logon to a system, how will that job get submitted? If you are clever enough to have a mechanism like 'S JOB,JOBNAME=XXX', how will you edit up the IDCAMS control statements you need in job XXX? Or whatever else it would take to accomplish what one minute of TSO activity could achieve?

We can dismiss TSO as a simple tool with no special comic book powers. But try to get anything useful done without it.

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Paul Gilmartin
Sent: Wednesday, September 11, 2019 10:15 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: (External):Re: Submitting batch if you don't have TSO

As I follow this thread, I wonder why CICS doesn't submit batch jobs with the credentials of the requesting individual rather than the CICS region.

-- gil
Re: Submitting batch if you don't have TSO
On Wed, 11 Sep 2019 10:58:58 -0400, Bob Bridges wrote:
>LOL. What gave me that idea is sheer, unadulterated ignorance. I came into
>the mainframe world through applications development. I was given a solid
>grounding in JCL back in the beginning of my training, decades ago; to me
>"INTRDR" is an argument that I can include in my JCL with the TSO SUBMIT
>command. (Or, as someone else pointed out, using FTP.)
>
An alternative might be as simple as:

//STEP    EXEC PGM=IEBGENER
//SYSUT2  DD   SYSOUT=(,INTRDR),...

As I follow this thread, I wonder why CICS doesn't submit batch jobs with the credentials of the requesting individual rather than the CICS region.

-- gil
Re: Submitting batch if you don't have TSO
> And maybe I'll end up limiting the answers I collect to the obvious ones,
> those likely to be accessible to the average CICS user or developer.

Keep in mind that there are a lot of CICS users and developers out there; what is not obvious to you may be obvious to a lot of them.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Bob Bridges
Sent: Wednesday, September 11, 2019 10:58 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
Re: Submitting batch if you don't have TSO
LOL. What gave me that idea is sheer, unadulterated ignorance. I came into the mainframe world through applications development. I was given a solid grounding in JCL back in the beginning of my training, decades ago; to me "INTRDR" is an argument that I can include in my JCL with the TSO SUBMIT command. (Or, as someone else pointed out, using FTP.)

I know in theory that I'm ignorant; it's why I'm bringing up the question (i.e. "how might a user submit batch jobs without having TSO?"). In practice, as you see, by reflex I sometimes forget and say ignorant things like that.

And maybe I'll end up limiting the answers I collect to the obvious ones, those likely to be accessible to the average CICS user or developer. If one way in requires advanced hacker skills and knowledge, it probably isn't going to impress management with the urgent desire to spend time and money on fixing the problem. Also I should understand the method pretty thoroughly myself, lest I be reduced under cross-examination to "gee, I heard there was a way using a pin-wire flummox, but I'm not sure how that works..."

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Every now and then go away, have a little relaxation, for when you come back to your work your judgment will be surer. Go some distance away because then the work appears smaller and more of it can be taken in at a glance and a lack of harmony and proportion is more readily seen. -Leonardo Da Vinci */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Seymour J Metz
Sent: Tuesday, September 10, 2019 13:21
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

> Ok, but the only way to submit a job via SYSOUT=(A,INTRDR) is to have TSO in the first place, right?

Whatever gave you that idea? TSO is just another application that uses the internal reader, with no special privileges.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
Re: Submitting batch if you don't have TSO
You've described authorizing CICS to submit, which would be fine if there were only one CICS user. What is needed is for CICS to control which users can do what, e.g., limit job submission to transactions that check

    CICSSUBMIT SUBMIT.nodename.jobname.userid

and only allow user1 to submit a job for user2 if user1 has access to

    CICSSUBMIT SUBMIT.nodename.jobname.user2

and CICS has access to

    JESJOBS SUBMIT.nodename.jobname.user2

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Lennie Dymoke-Bradshaw
Sent: Tuesday, September 10, 2019 6:15 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO
Re: Submitting batch if you don't have TSO
If users are able to specify userid and password in the JCL built by a CICS transaction you can still use JESJOBS profiles to selectively allow or disallow them based on the userid and/or the jobname.

    RDEFINE JESJOBS SUBMIT.nodename.jobname.userid UACC(NONE)

So to disallow jobs on all userids (even if the password is included) build

    SUBMIT.nodename.*.*

Then to allow job JOBNAME1 to be submitted under USER1 construct

    SUBMIT.nodename.JOBNAME1.USER1

and grant access to your CICS region userid.

You can also define a SURROGAT profile to allow submission without a password.

Use of PROPCNTL is a hard rule. It stops ALL security propagation, but not all job submission.

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
Web: www.rsmpartners.com
'Dance like no one is watching. Encrypt like everyone is.'

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Seymour J Metz
Sent: 10 September 2019 22:05
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Submitting batch if you don't have TSO
Re: Submitting batch if you don't have TSO
That's the same as any other address space. If you don't have a userid on the job, or specify *, then the job inherits from the submitting address space. If you have a userid and password, the password must be valid. If you have proxy authority, you don't need a password on the JOB statement.

If you have a CICS transaction that lets the user submit a job without a userid, then that job will run with the full authority of the CICS userid. Your kindly security auditor may not be pleased.

The same applies to any other multi-user address space; if you let your users submit jobs, put in appropriate controls.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of ITschak Mugzach
Sent: Tuesday, September 10, 2019 3:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

Seymour, The exception is CICS. If you write to the internal reader you don't need to specify user in the jobcard. This CICS attribute is controlled by the PROPCNTL class.

ITschak
Re: Submitting batch if you don't have TSO
Seymour,

The exception is CICS. If you write to the internal reader you don't need to specify user in the jobcard. This CICS attribute is controlled by the PROPCNTL class.

ITschak

On Tue, 10 Sep 2019 at 20:08, Seymour J Metz wrote:

> Any user who can submit a job can submit a job with USER=. For that job to
> run he needs to either include the password for that userid or have
> surrogate authority to it.
>
> If he is submitting jobs with a password then there is a risk that he will
> compromise that password; surrogate authority is a much safer way to enable
> the submissions.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List on behalf of Jantje.
> Sent: Tuesday, September 10, 2019 7:04 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Submitting batch if you don't have TSO
>
> On Wed, 4 Sep 2019 14:06:21 -0400, Bob Bridges wrote:
>
> >Not sure where to ask this,
> Here is fine...
>
> So, I've read the whole thread and unless I am missing something, I don't
> think you run any more risk than what you would have if none of your users
> have a TSO segment.
>
> As others have pointed out, the USER= is superfluous, because, by
> default, when CICS submits the job it is with that userID anyway.
>
> Then, yes, there are tons of ways to get a job into the system, but
> submitting JCL from TSO in se will not allow any user to submit that job as
> the CICS region userID. Unless of course your security set-up allows
> uncontrolled usage of the USER= clause on the job card.
>
> For any mere mortal to submit a job with a USER= on the job card, your
> security package (TSS in your case, RACF in mine) will have to be
> instructed to allow that particular mortal to do so. SURROGAT does indeed
> cover your fear. Set a (very) generic profile that forbids any surrogate
> user and then set specific profiles to grant the access to only those that
> actually need it.
>
> Apart from that, I would recommend to use the USER= clause on the job card
> of the jobs that are submitted by your CICS regions, but then to specify a
> DIFFERENT user ID than that of the region. Give the CICS region user ID
> (and nobody else) SURROGATE on this other user ID.
>
> Oh, and, yes, I would worry about what JCL can be submitted from CICS, but
> I understand that is under control in your installation (the assembler
> program, you spoke about).
>
> Very best regards,
>
> Jantje.
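Three pieces of advice in this thread fit together: Lennie's JESJOBS layout (a generic SUBMIT.nodename.*.* profile with UACC(NONE), then a specific profile permitted to the CICS region userid), Jantje's SURROGAT layout (a very generic deny, then a specific profile granting only the region surrogate authority over a separate batch userid), and Shmuel's summary of what is needed when a JOB card names another userid (a valid password, or surrogate authority). The Python below is an added example written for this page, not code from the thread, from IBM or from RACF: it is a toy model of RACF generic-profile matching and of the two checks made at job submission, used to play the scenarios through. Simplifications and assumptions: the generic-matching rules and the "most specific profile wins" ranking are approximations of RACF's; the order of the JESJOBS and SURROGAT checks is a simplification; the SURROGAT resource name userid.SUBMIT is the RACF convention; the node NODE1, userids CICSREG, CICSBAT, USER2 and USER3, and jobnames JOBNAME1 and OTHERJOB are constructed.

```python
import re

# Access levels in ascending order, as RACF ranks them.
LEVELS = {"NONE": 0, "READ": 1, "UPDATE": 2, "CONTROL": 3, "ALTER": 4}


def profile_to_regex(profile):
    """Translate a generic profile name into a regex (simplified RACF rules):
    '**' as a whole qualifier matches zero or more qualifiers, '*' matches any
    characters inside one qualifier, '%' matches exactly one character."""
    regex = "^"
    for i, qual in enumerate(profile.split(".")):
        if qual == "**":
            regex += r"(?:\.[^.]+)*" if i > 0 else r"(?:[^.]+(?:\.[^.]+)*)?"
            continue
        if i > 0:
            regex += r"\."
        for ch in qual:
            regex += {"*": r"[^.]*", "%": r"[^.]"}.get(ch, re.escape(ch))
    return regex + "$"


def specificity(profile):
    """Key for 'most specific matching profile wins' (a simplification of
    RACF's ordering): more literal characters first, then fewer generic ones."""
    literal = sum(ch not in "*%." for ch in profile)
    generic = sum(ch in "*%" for ch in profile)
    return (literal, -generic)


class RacfDb:
    """Toy in-memory RACF database: profiles with a UACC and an access list."""

    def __init__(self):
        self.profiles = {}  # (class, profile) -> {"uacc": level, "acl": {user: level}}

    def rdefine(self, cls, profile, uacc="NONE"):
        self.profiles[(cls, profile)] = {"uacc": uacc, "acl": {}}

    def permit(self, cls, profile, user, access="READ"):
        self.profiles[(cls, profile)]["acl"][user] = access

    def best_profile(self, cls, resource):
        matches = [p for (c, p) in self.profiles
                   if c == cls and re.match(profile_to_regex(p), resource)]
        return max(matches, key=specificity) if matches else None

    def check(self, cls, resource, user, level="READ"):
        """Return 'ALLOW', 'DENY' or 'NOPROF' for user's access to resource."""
        profile = self.best_profile(cls, resource)
        if profile is None:
            return "NOPROF"
        entry = self.profiles[(cls, profile)]
        granted = entry["acl"].get(user, entry["uacc"])
        return "ALLOW" if LEVELS[granted] >= LEVELS[level] else "DENY"


def check_submit(db, submitter, node, jobname, user=None, password_ok=False):
    """Simplified model of the checks made when a job enters JES.
    Returns (decision, userid the job would run under)."""
    runs_as = submitter if user in (None, "*") else user   # no USER= -> inherit
    # JESJOBS: may this submitter submit this jobname to run under runs_as?
    if db.check("JESJOBS", f"SUBMIT.{node}.{jobname}.{runs_as}", submitter) == "DENY":
        return ("DENY JESJOBS", runs_as)
    # USER= naming another id: a valid password or SURROGAT authority is needed.
    if runs_as != submitter and not password_ok:
        if db.check("SURROGAT", f"{runs_as}.SUBMIT", submitter) != "ALLOW":
            return ("DENY SURROGAT", runs_as)
    return ("ALLOW", runs_as)


def build_db():
    """Constructed setup: node NODE1, region id CICSREG, separate batch id CICSBAT,
    CICS end user USER2, and USER3 who may submit the job but only with a password."""
    db = RacfDb()
    db.rdefine("JESJOBS", "SUBMIT.NODE1.*.*")                         # deny everything ...
    db.rdefine("JESJOBS", "SUBMIT.NODE1.JOBNAME1.CICSBAT")
    db.permit("JESJOBS", "SUBMIT.NODE1.JOBNAME1.CICSBAT", "CICSREG")  # ... but this job
    db.permit("JESJOBS", "SUBMIT.NODE1.JOBNAME1.CICSBAT", "USER3")
    db.rdefine("SURROGAT", "*.SUBMIT")                                # no surrogates ...
    db.rdefine("SURROGAT", "CICSBAT.SUBMIT")
    db.permit("SURROGAT", "CICSBAT.SUBMIT", "CICSREG")                # ... except the region
    return db


def demo():
    """Run the scenarios discussed in the thread against the constructed database."""
    db = build_db()
    return {
        "region, JOBNAME1, USER=CICSBAT": check_submit(db, "CICSREG", "NODE1", "JOBNAME1", "CICSBAT"),
        "region, OTHERJOB, USER=CICSBAT": check_submit(db, "CICSREG", "NODE1", "OTHERJOB", "CICSBAT"),
        "region, JOBNAME1, no USER=": check_submit(db, "CICSREG", "NODE1", "JOBNAME1"),
        "USER2, JOBNAME1, USER=CICSBAT": check_submit(db, "USER2", "NODE1", "JOBNAME1", "CICSBAT"),
        "USER3, no password": check_submit(db, "USER3", "NODE1", "JOBNAME1", "CICSBAT"),
        "USER3, valid password": check_submit(db, "USER3", "NODE1", "JOBNAME1", "CICSBAT", True),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:32} -> {result}")
```

Two of the outcomes are the ones worth checking in a real installation. The job submitted by the region with no USER= at all would run under CICSREG itself, exactly the case Shmuel warns about, and only the generic deny-all JESJOBS profile stops it; drop that generic profile and the specific permit no longer protects anything. And USER3, who has been permitted on the JESJOBS profile but not on the SURROGAT one, can only get the job in by supplying CICSBAT's password, which is the exposure surrogate authority is meant to remove.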
Re: Submitting batch if you don't have TSO
> Ok, but the only way to submit a job via SYSOUT=(A,INTRDR) is to have TSO in
> the first place, right?

Whatever gave you that idea? TSO is just another application that uses the internal reader, with no special privileges.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Bob Bridges
Sent: Monday, September 9, 2019 9:14 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

Ok, but the only way to submit a job via SYSOUT=(A,INTRDR) is to have TSO in the first place, right? What I'm asking is how users might submit batch who ~don't~ have TSO.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* In an emergency, a drawstring from a parka hood can be used to strangle a snoring tent mate. -"Camping Tips" */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John Kelly
Sent: Wednesday, September 4, 2019 14:21

If they have 'job' authority, they can submit a JOB via SYSOUT=(A,INTRDR)

---

On Wed, Sep 4, 2019 at 2:06 PM Bob Bridges wrote:

> Not sure where to ask this, but I've wondered about it off and on for a
> while and it's past time I asked. I'm responsible for security at a
> mainframe shop where they use a lot of CICS. There are CICS transactions
> that fire off batch jobs; the way this place handles it is to submit the
> job under the authority of the CICS region ID (USER= on the JOB
> card), and give each user of such a transaction the necessary authority.
>
> This gives me the screaming heebie-jeebies, but when I complain about it I
> get little support back. The problem, of course, is that if I'm authorized
> to submit jobs with USER= on the JOB card then I can submit ~any~
> such job, to do anything I want that the region can do. (And of course any
> installation that's careless about letting folks have that authority is
> even more careless about what their CICS regions can do.)
>
> One argument management offers in mitigation is that most of these CICS
> users don't have TSO, so they haven't the ability to submit batch jobs.
> Off-hand I can't contradict them, but I'm skeptical. I'm thinking there's
> probably a way and I just don't know about it. Can anyone confirm? If I
> were a CICS user without the ability to log on to TSO, could I still submit
> a batch job somehow?
Re: Submitting batch if you don't have TSO
Using the network requires an existing server that will do what you want. The z/OS FTP server communicates with JES; an FTP client does not. It can only do what the FTP server does on its behalf. The auditors should be verifying that each of the servers is properly secured.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Dr. Rick Williams
Sent: Monday, September 9, 2019 9:43 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

Many ways to do this, many use CICS, however there are security issues doing this. The easiest way would be to use the network. This is quite simple. If you have sockets experience, it’s easy enough to submit from about anywhere: a z/OS network socket, a PC, Mac, iPad, anything that can access the IP network. Or if you don’t have sockets programming experience, use something as easy as FTP, which even in freeware offerings can communicate directly with JES and submit and/or extract job info (same rules, any platform). Even pull spool data (I do this with a Windows PC). There are many other TCP/IP methods, but these are the simplest. Hope this helps!

--
Dr. Rick Williams
Re: Submitting batch if you don't have TSO
Any user who can submit a job can submit a job with USER=. For that job to run he needs to either include the password for that userid or have surrogate authority to it. If he is submitting jobs with a password then there is a risk that he will compromise that password; surrogate authority is a much safer way to enable the submissions.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Jantje.
Sent: Tuesday, September 10, 2019 7:04 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

On Wed, 4 Sep 2019 14:06:21 -0400, Bob Bridges wrote:
>Not sure where to ask this,

Here is fine...

So, I've read the whole thread and unless I am missing something, I don't think you run any more risk than what you would have if none of your users have a TSO segment. As others have pointed out, the USER= is superfluous, because, by default, when CICS submits the job it is with that userID anyway. Then, yes, there are tons of ways to get a job into the system, but submitting JCL from TSO in se will not allow any user to submit that job as the CICS region userID. Unless of course your security set-up allows uncontrolled usage of the USER= clause on the job card. For any mere mortal to submit a job with a USER= on the job card, your security package (TSS in your case, RACF in mine) will have to be instructed to allow that particular mortal to do so.

SURROGAT does indeed cover your fear. Set a (very) generic profile that forbids any surrogate user and then set specific profiles to grant the access to only those that actually need it.

Apart from that, I would recommend to use the USER= clause on the job card of the jobs that are submitted by your CICS regions, but then to specify a DIFFERENT user ID than that of the region. Give the CICS region user ID (and nobody else) SURROGATE on this other user ID.

O, and, yes, I would worry about what JCL can be submitted from CICS, but I understand that is under control in your installation (the assembler program, you spoke about).

Very best regards,
Jantje.
Re: Submitting batch if you don't have TSO
On Wed, 4 Sep 2019 14:06:21 -0400, Bob Bridges wrote:
>Not sure where to ask this,

Here is fine...

So, I've read the whole thread and unless I am missing something, I don't think you run any more risk than what you would have if none of your users have a TSO segment. As others have pointed out, the USER= is superfluous, because, by default, when CICS submits the job it is with that userID anyway. Then, yes, there are tons of ways to get a job into the system, but submitting JCL from TSO in se will not allow any user to submit that job as the CICS region userID. Unless of course your security set-up allows uncontrolled usage of the USER= clause on the job card. For any mere mortal to submit a job with a USER= on the job card, your security package (TSS in your case, RACF in mine) will have to be instructed to allow that particular mortal to do so.

SURROGAT does indeed cover your fear. Set a (very) generic profile that forbids any surrogate user and then set specific profiles to grant the access to only those that actually need it.

Apart from that, I would recommend to use the USER= clause on the job card of the jobs that are submitted by your CICS regions, but then to specify a DIFFERENT user ID than that of the region. Give the CICS region user ID (and nobody else) SURROGATE on this other user ID.

O, and, yes, I would worry about what JCL can be submitted from CICS, but I understand that is under control in your installation (the assembler program, you spoke about).

Very best regards,
Jantje.
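Jantje's recommendation above (a generic SURROGAT profile that denies everyone, then a specific grant so that only the CICS region may use USER= naming a separate batch ID), together with the PROPCNTL control ITschak mentions elsewhere in the thread, expressed as RACF commands run in batch. This is an added example, not code from anyone in the thread; CICSREG, CICSBAT and SECADM are assumed names, and a TSS shop would express the same controls in TSS syntax.

```jcl
//SURROGT  JOB (ACCT),'SURROGAT SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//*
//* Added example (not from the thread). Assumed names:
//*   CICSREG  - the CICS region user ID
//*   CICSBAT  - a separate, least-privilege user ID that the jobs
//*              submitted by the region will run under (no TSO,
//*              only the data set and DB2 access those jobs need)
//*   SECADM   - group that owns the profiles
//*
//* Step 1, SURROGAT: the generic *.SUBMIT profile denies everyone
//* the right to submit a job on behalf of any other user; the
//* specific CICSBAT.SUBMIT profile grants READ only to CICSREG, so
//* only the region can put USER=CICSBAT on a JOB card, and no
//* PASSWORD= is needed (so no password sits in the JCL).
//* Step 2, PROPCNTL: a profile named after the region user ID stops
//* that ID from propagating to jobs the region submits, so a job
//* submitted without USER= cannot silently run as the region.
//* AUDIT(ALL(READ)) writes an SMF record for every surrogate use and
//* every failed attempt, which supplies the job-to-submitter trail.
//*
//RACFCMD  EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  SETROPTS CLASSACT(SURROGAT) GENERIC(SURROGAT) RACLIST(SURROGAT)
  RDEFINE  SURROGAT *.SUBMIT UACC(NONE) OWNER(SECADM) AUDIT(ALL(READ))
  RDEFINE  SURROGAT CICSBAT.SUBMIT UACC(NONE) OWNER(SECADM) +
           AUDIT(ALL(READ))
  PERMIT   CICSBAT.SUBMIT CLASS(SURROGAT) ID(CICSREG) ACCESS(READ)
  SETROPTS CLASSACT(PROPCNTL) RACLIST(PROPCNTL)
  RDEFINE  PROPCNTL CICSREG OWNER(SECADM)
  SETROPTS RACLIST(SURROGAT) REFRESH
  SETROPTS RACLIST(PROPCNTL) REFRESH
  RLIST    SURROGAT CICSBAT.SUBMIT AUTHUSER
/*
//*
//* Shape of the JOB card carried by the JCL that the CICS region
//* submits (a second job in the same stream, shown for illustration):
//* the region's SURROGAT READ on CICSBAT.SUBMIT lets JES/RACF accept
//* USER=CICSBAT without a PASSWORD= operand.
//*
//CICSJOB  JOB (ACCT),'SUBMITTED BY CICS',CLASS=A,MSGCLASS=X,
//         USER=CICSBAT
//STEP1    EXEC PGM=IEFBR14
```

The RLIST at the end prints the access list so the reviewer can confirm that CICSREG is the only ID on CICSBAT.SUBMIT; any other surrogate attempt then fails with ICH408I against the generic profile and is logged.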
Re: Submitting batch if you don't have TSO
On Mon, 9 Sep 2019 at 21:15, Bob Bridges wrote:
>
> Ok, but the only way to submit a job via SYSOUT=(A,INTRDR) is to have TSO in
> the first place, right? What I'm asking is how users might submit batch who
> ~don't~ have TSO.

TSO isn't magic. Any running z/OS process (loosely speaking - not necessarily a UNIX process) can Dynalloc an Intrdr and write a jobstream to it. If a malicious user can convince anything that's running, or that s/he can cause to run, to Dynalloc and submit, then the job's done (and so are you).

Some examples that have Dynalloc/submit capability already coded or trivially scripted are, as mentioned, FTP, a UNIX shell (via telnet or ssh). Do you know what's listening on every TCP port on your system, and what it does? What web servers are running, and what logon controls they have? And so on. As I type I see that Rick Williams has responded similarly.

Going outside z/OS, do you have NJE over TCP/IP configured? What about ancient SNA not-quite-discontinued-yet connections to some other system? Remote RJE style print stations, running on an IBM i or an AIX box, maybe with a (virtual) card reader that can submit from a file on that box? And so on.

Tony H.
Re: Submitting batch if you don't have TSO
Many ways to do this, many use CICS, however there are security issues doing this. The easiest way would be to use the network. This is quite simple. If you have sockets experience, it’s easy enough to submit from about anywhere: a z/OS network socket, a PC, Mac, iPad, anything that can access the IP network. Or if you don’t have sockets programming experience, use something as easy as FTP, which even in freeware offerings can communicate directly with JES and submit and/or extract job info (same rules, any platform). Even pull spool data (I do this with a Windows PC). There are many other TCP/IP methods, but these are the simplest. Hope this helps!

--
Dr. Rick Williams
Re: Submitting batch if you don't have TSO
Ok, but the only way to submit a job via SYSOUT=(A,INTRDR) is to have TSO in the first place, right? What I'm asking is how users might submit batch who ~don't~ have TSO.

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* In an emergency, a drawstring from a parka hood can be used to strangle a snoring tent mate. -"Camping Tips" */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John Kelly
Sent: Wednesday, September 4, 2019 14:21

If they have 'job' authority, they can submit a JOB via SYSOUT(A,INTRDR)

---
On Wed, Sep 4, 2019 at 2:06 PM Bob Bridges wrote:
> Not sure where to ask this, but I've wondered about it off and on for a while and it's past time I asked. I'm responsible for security at a mainframe shop where they use a lot of CICS. There are CICS transactions that fire off batch jobs; the way this place handles it is to submit the job under the authority of the CICS region ID (USER= on the JOB card), and give each user of such a transaction the necessary authority.
>
> This gives me the screaming heebie-jeebies, but when I complain about it I get little support back. The problem, of course, is that if I'm authorized to submit jobs with USER= on the JOB card then I can submit ~any~ such job, to do anything I want that the region can do. (And of course any installation that's careless about letting folks have that authority is even more careless about what their CICS regions can do.)
>
> One argument management offers in mitigation is that most of these CICS users don't have TSO, so they haven't the ability to submit batch jobs. Off-hand I can't contradict them, but I'm skeptical. I'm thinking there's probably a way and I just don't know about it. Can anyone confirm? If I were a CICS user without the ability to log on to TSO, could I still submit a batch job somehow?
Re: Submitting batch if you don't have TSO
Lots of folks replied to this to tell me how to do the same thing more securely, and I'll save those up and read them if and when my management provides any encouragement for any rewriting at all to those transactions. What I was really looking for, though, was ammunition to hand to management: "We need to fix this because here's what could happen". FTP is one, and I should have thought of it because I've used FTP to submit jobs myself. It's a TSS shop, not RACF, but that makes no never-mind; I'll go find out how many of the folks who can run these batch jobs also have TSO and/or a UID.

I don't know much about SSH or Telnet - hardly anything about them, in fact. Is it worth asking for details?

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* Every now and then go away, have a little relaxation, for when you come back to your work your judgment will be surer. Go some distance away because then the work appears smaller and more of it can be taken in at a glance and a lack of harmony and proportion is more readily seen. -Leonardo Da Vinci */

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of John McKown
Sent: Wednesday, September 4, 2019 14:18

Possibly via FTP using the QUOTE SITE FILETYPE=JES followed by a PUT of the file containing the JCL. Less likely is the ability to use TELNET or SSH to get a UNIX prompt. But you need to check to see if the RACF profiles.

---
On Wed, Sep 4, 2019 at 1:06 PM Bob Bridges wrote:
> Not sure where to ask this, but I've wondered about it off and on for a while and it's past time I asked. I'm responsible for security at a mainframe shop where they use a lot of CICS. There are CICS transactions that fire off batch jobs; the way this place handles it is to submit the job under the authority of the CICS region ID (USER= on the JOB card), and give each user of such a transaction the necessary authority.
>
> This gives me the screaming heebie-jeebies, but when I complain about it I get little support back. The problem, of course, is that if I'm authorized to submit jobs with USER= on the JOB card then I can submit ~any~ such job, to do anything I want that the region can do. (And of course any installation that's careless about letting folks have that authority is even more careless about what their CICS regions can do.)
>
> One argument management offers in mitigation is that most of these CICS users don't have TSO, so they haven't the ability to submit batch jobs. Off-hand I can't contradict them, but I'm skeptical. I'm thinking there's probably a way and I just don't know about it. Can anyone confirm? If I were a CICS user without the ability to log on to TSO, could I still submit a batch job somehow?
Re: Submitting batch if you don't have TSO
On Thu, Sep 5, 2019 at 8:27 PM Jon Perryman wrote:

> On Thursday, September 5, 2019, 06:06:41 AM PDT, John McKown <john.archie.mck...@gmail.com> wrote:
>
> > I completely agree. Unfortunately, we have a number of batch jobs which are
> > submitted by CICS transactions run by users. The JCL is contained in an
> > ASSEMBLER non-CICS program in the DFHRPL. These modules do go through
> > change control, but I don't really know how close they are examined.
>
> It should be a simple change to move the JCL from the assembler program to
> the job scheduler. The assembler program would then issue a saf call to
> verify they are allowed to request the job and then use a dataset trigger.
> I don't think the dataset must exist when issuing the trigger rather than
> on dataset close. The trigger event can be specified in the JCL allowing
> the user to pass some data from the CICS transaction.

Technically, that is correct. And, IMO, is much better. But politically, it is impossible. "That would require a change to our code, which is working fine. Go AWAY!!!" Until someone competent does an audit, nothing will be changed.

> Jon.

--
I find television very educational. The minute somebody turns it on, I go into the library and read a good book
-- Groucho Marx

Maranatha! <><
John McKown
Re: Submitting batch if you don't have TSO
On Thursday, September 5, 2019, 06:06:41 AM PDT, John McKown wrote:

> I completely agree. Unfortunately, we have a number of batch jobs which are
> submitted by CICS transactions run by users. The JCL is contained in an
> ASSEMBLER non-CICS program in the DFHRPL. These modules do go through
> change control, but I don't really know how close they are examined.

It should be a simple change to move the JCL from the assembler program to the job scheduler. The assembler program would then issue a saf call to verify they are allowed to request the job and then use a dataset trigger. I don't think the dataset must exist when issuing the trigger rather than on dataset close. The trigger event can be specified in the JCL allowing the user to pass some data from the CICS transaction.

Jon.
Re: Submitting batch if you don't have TSO
This topic comes up from time to time at my shop. We have allowed it in the past, but we try to steer away from any new development with submitting batch jobs from a region. The security implications are extremely broad. If you're using a generic CICS plan exit for DB2 that is defined to use the region userid as plan authorization, then the region userid has update access to every DB2 table that is updated by a CICS transaction. If a user submits a QMF or Spufi job under the region userid, then they can read your DB2 tables. Or even worse, update them. The region userid may also have update access to system datasets. It will definitely have read access to system datasets (although it may be limited to CICS specific HLQs). I would only allow the region to submit jobs under a different user.

Thank you,
Brian Chapman

On Thu, Sep 5, 2019 at 1:59 PM Seymour J Metz wrote:
> <https://www.oed.com/view/Entry/246938>
>
> But there are some good auditors, and if you're lucky enough to have them they're your natural allies.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
>
> From: IBM Mainframe Discussion List on behalf of John McKown
> Sent: Thursday, September 5, 2019 1:49 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Submitting batch if you don't have TSO
>
> On Thu, Sep 5, 2019 at 12:38 PM Seymour J Metz wrote:
>
> > There's no way that adding a RACF segment would reduce the exposure. They need to close the loophole. I'm cheering for the auditor, assuming that he's not brain dead.
>
> Most auditors that I've had to work with are abysmally ignorant of z/OS, or anything other than Windows. Except one in the past, pre-Windows, who was an idiot. He wanted an explanation of every possible exit in MVS and every installed product on MVS and what could be done using them. {shudder}
>
> > --
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
>
> --
> I find television very educational. The minute somebody turns it on, I go into the library and read a good book
> -- Groucho Marx
>
> Maranatha! <><
> John McKown
Re: Submitting batch if you don't have TSO
<https://www.oed.com/view/Entry/246938>

But there are some good auditors, and if you're lucky enough to have them they're your natural allies.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of John McKown
Sent: Thursday, September 5, 2019 1:49 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

On Thu, Sep 5, 2019 at 12:38 PM Seymour J Metz wrote:

> There's no way that adding a RACF segment would reduce the exposure. They
> need to close the loophole. I'm cheering for the auditor, assuming that
> he's not brain dead.

Most auditors that I've had to work with are abysmally ignorant of z/OS, or anything other than Windows. Except one in the past, pre-Windows, who was an idiot. He wanted an explanation of every possible exit in MVS and every installed product on MVS and what could be done using them. {shudder}

> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3

--
I find television very educational. The minute somebody turns it on, I go into the library and read a good book
-- Groucho Marx

Maranatha! <><
John McKown
Re: Submitting batch if you don't have TSO
On Thu, Sep 5, 2019 at 12:38 PM Seymour J Metz wrote:

> There's no way that adding a RACF segment would reduce the exposure. They
> need to close the loophole. I'm cheering for the auditor, assuming that
> he's not brain dead.

Most auditors that I've had to work with are abysmally ignorant of z/OS, or anything other than Windows. Except one in the past, pre-Windows, who was an idiot. He wanted an explanation of every possible exit in MVS and every installed product on MVS and what could be done using them. {shudder}

> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3

--
I find television very educational. The minute somebody turns it on, I go into the library and read a good book
-- Groucho Marx

Maranatha! <><
John McKown
Re: Submitting batch if you don't have TSO
There's no way that adding a RACF segment would reduce the exposure. They need to close the loophole. I'm cheering for the auditor, assuming that he's not brain dead.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Paul Gilmartin <000433f07816-dmarc-requ...@listserv.ua.edu>
Sent: Thursday, September 5, 2019 1:34 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

On Thu, 5 Sep 2019 12:05:30 +, Lennie Dymoke-Bradshaw wrote:
>
>"The problem, of course, is that if I'm authorized to submit jobs with
>USER= on the JOB card then I can submit ~any~ such job, to do anything
>I want that the region can do."
>
>The CICS transaction runs under the security context of the region userid.
>
Looking at the condition in the Subject:, "if you don't have TSO" I wonder, would the exposure somehow be less if the user were given a RACF TSO segment? I wouldn't expect so.

-- gil
Re: Submitting batch if you don't have TSO
On Thu, 5 Sep 2019 12:05:30 +, Lennie Dymoke-Bradshaw wrote:
>
>"The problem, of course, is that if I'm authorized to submit jobs with
>USER= on the JOB card then I can submit ~any~ such job, to do anything
>I want that the region can do."
>
>The CICS transaction runs under the security context of the region userid.
>
Looking at the condition in the Subject:, "if you don't have TSO" I wonder, would the exposure somehow be less if the user were given a RACF TSO segment? I wouldn't expect so.

-- gil
Re: Submitting batch if you don't have TSO
On Thu, Sep 5, 2019 at 7:59 AM ITschak Mugzach wrote:

> I wouldn't allow a cics to submit jobs on behalf of the user. not as a copy
> to internal reader, nor by exec interface. I expect the jcl pass a change
> management process and be stored in a production jcl dataset. the formal
> and recommended way for jobs is to schedule them by a scheduler. all of the
> job scheduler products I know allow turning a condition on, including
> support for CICS transactions.
>
> If the job depends on data supplied by the transaction, it can read it from
> a DB2 table, VSAM or any other data store. this way, multiple requesters
> with different requirements (aka sysin) can run. on successful end, the
> program can delete the entry from where it was read from.
>
> My two Israeli shekels.

I completely agree. Unfortunately, we have a number of batch jobs which are submitted by CICS transactions run by users. The JCL is contained in an ASSEMBLER non-CICS program in the DFHRPL. These modules do go through change control, but I don't really know how close they are examined.

> ITschak

--
I find television very educational. The minute somebody turns it on, I go into the library and read a good book
-- Groucho Marx

Maranatha! <><
John McKown
Re: Submitting batch if you don't have TSO
I wouldn't allow a cics to submit jobs on behalf of the user. not as a copy to internal reader, nor by exec interface. I expect the jcl pass a change management process and be stored in a production jcl dataset. the formal and recommended way for jobs is to schedule them by a scheduler. all of the job scheduler products I know allow turning a condition on, including support for CICS transactions.

If the job depends on data supplied by the transaction, it can read it from a DB2 table, VSAM or any other data store. this way, multiple requesters with different requirements (aka sysin) can run. on successful end, the program can delete the entry from where it was read from.

My two Israeli shekels.

ITschak

On Thu, Sep 5, 2019 at 3:35 PM Ambros, Thomas <010f77c934b1-dmarc-requ...@listserv.ua.edu> wrote:

> If I had to guess I'd say that it is the CICS region that is permitted to
> submit jobs with USER= in the absence of any evident surrogate
> profiles.
>
> However one still needs to have a chain of logging events where one can
> tell which job was submitted from which CICS transaction running under
> which user context to maintain the whole non-repudiation thing. That's the
> piece I'd be a little more concerned with establishing and I think it'd be
> a little harder to manage this in an unalterable form even if I had it
> given that I would need to tie a few different things together to do it.
>
> Thomas Ambros
> zEnterprise Operating Systems
>
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of Lennie Dymoke-Bradshaw
> Sent: Thursday, September 05, 2019 08:06
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Submitting batch if you don't have TSO
>
> Bob,
>
> I think ITschak's words are good advice.
>
> However, I am concerned at your statement,
>
> "The problem, of course, is that if I'm authorized to submit jobs with
> USER= on the JOB card then I can submit ~any~ such job, to do
> anything I want that the region can do."
>
> The CICS transaction runs under the security context of the region userid.
>
> Are the CICS users explicitly authorised to do job submission?
> Are security checks made against the requester of the CICS transaction?
> Is the CICS user involved at all?
>
> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web: www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’
>
> -----Original Message-----
> From: IBM Mainframe Discussion List On Behalf Of ITschak Mugzach
> Sent: 04 September 2019 19:33
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: [IBM-MAIN] Submitting batch if you don't have TSO
>
> Bob,
>
> few comments:
>
> 1. You don't need to specify user= in the job card. any job submitted under CICS without propagation control, will be assigned the CICS userid.
> 2. can cics end users manipulate the jcl they are submitting or it is just submitted by the transaction? I hope they can't!
> 3. You can control this facility with the PROPCNTL resource class (all esms).
> 4. If STIG framework is relevant to your organization, submitting jobs under the CICS user-id is a medium level risk.
> 5. management forgot to mention "currently". what happens when a CICS user will be assigned a TSO segment?
> 6. FTP is a potential security risk, however, the end-user must have an OMVS segment. go guess who has one and why.
> 7. You don't leave open doors. Someone may use it to enter in. (see the swiss cheese model).
>
> ITschak
>
> On Wed, Sep 4, 2019 at 9:06 PM Bob Bridges wrote:
>
> > Not sure where to ask this, but I've wondered about it off and on for a while and it's past time I asked. I'm responsible for security at a mainframe shop where they use a lot of CICS. There are CICS transactions that fire off batch jobs; the way this place handles it is to submit the job under the authority of the CICS region ID (USER= on the JOB card), and give each user of such a transaction the necessary authority.
> >
> > This gives me the screaming heebie-jeebies, but when I complain about it I get little support back. The problem, of course, is that if I'm authorized to submit jobs with USER= on the JOB card then I can submit ~any~ such job, to do anything I want that the region can do. (And of course any installation that's careless about letting folks have that authority is even more careless about what their CICS regions can do.)
> >
> > One argument management offers in mitigation is that mo
Re: Submitting batch if you don't have TSO
If I had to guess I'd say that it is the CICS region that is permitted to submit jobs with USER= in the absence of any evident surrogate profiles.

However one still needs to have a chain of logging events where one can tell which job was submitted from which CICS transaction running under which user context to maintain the whole non-repudiation thing. That's the piece I'd be a little more concerned with establishing and I think it'd be a little harder to manage this in an unalterable form even if I had it given that I would need to tie a few different things together to do it.

Thomas Ambros
zEnterprise Operating Systems

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of Lennie Dymoke-Bradshaw
Sent: Thursday, September 05, 2019 08:06
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Submitting batch if you don't have TSO

Bob,

I think ITschak's words are good advice.

However, I am concerned at your statement,

"The problem, of course, is that if I'm authorized to submit jobs with USER= on the JOB card then I can submit ~any~ such job, to do anything I want that the region can do."

The CICS transaction runs under the security context of the region userid.

Are the CICS users explicitly authorised to do job submission?
Are security checks made against the requester of the CICS transaction?
Is the CICS user involved at all?

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
Web: www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’

-----Original Message-----
From: IBM Mainframe Discussion List On Behalf Of ITschak Mugzach
Sent: 04 September 2019 19:33
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: [IBM-MAIN] Submitting batch if you don't have TSO

Bob,

few comments:

1. You don't need to specify user= in the job card. any job submitted under CICS without propagation control, will be assigned the CICS userid.
2. can cics end users manipulate the jcl they are submitting or it is just submitted by the transaction? I hope they can't!
3. You can control this facility with the PROPCNTL resource class (all esms).
4. If STIG framework is relevant to your organization, submitting jobs under the CICS user-id is a medium level risk.
5. management forgot to mention "currently". what happens when a CICS user will be assigned a TSO segment?
6. FTP is a potential security risk, however, the end-user must have an OMVS segment. go guess who has one and why.
7. You don't leave open doors. Someone may use it to enter in. (see the swiss cheese model).

ITschak

On Wed, Sep 4, 2019 at 9:06 PM Bob Bridges wrote:

> Not sure where to ask this, but I've wondered about it off and on for a while and it's past time I asked. I'm responsible for security at a mainframe shop where they use a lot of CICS. There are CICS transactions that fire off batch jobs; the way this place handles it is to submit the job under the authority of the CICS region ID (USER= on the JOB card), and give each user of such a transaction the necessary authority.
>
> This gives me the screaming heebie-jeebies, but when I complain about it I get little support back. The problem, of course, is that if I'm authorized to submit jobs with USER= on the JOB card then I can submit ~any~ such job, to do anything I want that the region can do. (And of course any installation that's careless about letting folks have that authority is even more careless about what their CICS regions can do.)
>
> One argument management offers in mitigation is that most of these CICS users don't have TSO, so they haven't the ability to submit batch jobs. Off-hand I can't contradict them, but I'm skeptical. I'm thinking there's probably a way and I just don't know about it. Can anyone confirm? If I were a CICS user without the ability to log on to TSO, could I still submit a batch job somehow?
>
> ---
> Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313
>
> /* You know you've had too much coffee when
> Juan Valdez names his donkey after you.
> You've worn out the handle on your favorite coffee mug.
> Your eyes stay open when you sneeze. */

--
ITschak Mugzach | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
Re: Submitting batch if you don't have TSO
On Thu, Sep 5, 2019 at 7:05 AM Lennie Dymoke-Bradshaw <lenni...@rsmpartners.com> wrote:

> Bob,
>
> I think ITschak's words are good advice.
>
> However, I am concerned at your statement,
>
> "The problem, of course, is that if I'm authorized to submit jobs with
> USER= on the JOB card then I can submit ~any~ such job, to do
> anything I want that the region can do."
>
> The CICS transaction runs under the security context of the region userid.
>
> Are the CICS users explicitly authorised to do job submission?
> Are security checks made against the requester of the CICS transaction?
> Is the CICS user involved at all?

As best as I can see, the answer is "No". The simplest way to submit a job using CICS is the EXEC CICS SPOOL API. Just do a SPOOLOPEN with a USERID of INTRDR. Then use SPOOLWRITE to send the JCL. The submitted job will run with the userid of the CICS region, unless there is a valid USER= (and possibly PASSWORD=) on the JOB card. There is no RACF security on this that I can see.

More info: https://www.ibm.com/support/knowledgecenter/en/SSGMCP_5.1.0/com.ibm.cics.ts.doc/dfht5/topics/dfht52p.html

There may be a way to totally disable job submission from a CICS region using the JESSPOOL profile, but I don't know that for sure. I am guessing for the really security conscious, they could write an XEIIN exit and "do something" when a SPOOLOPEN is attempted. I guess it's a case of "trust the programmer to not introduce a security exposure" (no offense, but most programmers I know are not really security conscious -- they just want the users & management to be satisfied).

> Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
> Web: www.rsmpartners.com
> ‘Dance like no one is watching. Encrypt like everyone is.’

--
I find television very educational. The minute somebody turns it on, I go into the library and read a good book -- Groucho Marx

Maranatha! <><
John McKown
Re: Submitting batch if you don't have TSO
Bob,

I think ITschak's words are good advice.

However, I am concerned at your statement, "The problem, of course, is that if I'm authorized to submit jobs with USER= on the JOB card then I can submit ~any~ such job, to do anything I want that the region can do."

The CICS transaction runs under the security context of the region userid.

Are the CICS users explicitly authorised to do job submission?
Are security checks made against the requester of the CICS transaction?
Is the CICS user involved at all?

Lennie Dymoke-Bradshaw | Security Lead | RSM Partners Ltd
Web: www.rsmpartners.com
‘Dance like no one is watching. Encrypt like everyone is.’
Re: Submitting batch if you don't have TSO
> One argument management offers in mitigation is that most of these CICS
> users don't have TSO, so they haven't the ability to submit batch jobs.

Jobs can easily be submitted from CICS or IMS through your job scheduler (I think IBM OPC or CA7). I can't remember the specifics for requesting a job and passing parms, but it used to be well documented. I suggest you include the requesting user so that it can be validated if necessary or used for tracking purposes. If you don't have a job scheduler, then use your automation product. Worst case, the program can simply issue a message if you don't have the CICS automation component.

If the job is not submitted with the requesting user's credentials, then you should greatly restrict the job's functionality. Your security admin does not expect a built-in user spoofing tool (outside of surrogate). Even surrogate can be a security exposure, but sometimes necessary.

NEVER allow CICS users to submit JCL as the CICS user. With access to everything CICS, the job could destroy something vital, gain access to restricted information (e.g. SSNs) or possibly gain access to restricted CICS commands. Users must always be limited to user data.

Jon.
Re: Submitting batch if you don't have TSO
On Wed, 4 Sep 2019 22:46:24 +0300, ITschak Mugzach wrote:

>Not at all. Removing the user parameter from job card will limit use to
>cics. Surrogate will work on all environments.

True. But you can create one or more user IDs with less authority than the CICS region's user ID has and give the CICS region surrogate authority to that ID. The fact that the surrogate ID can be used in any environment doesn't create additional risks unless people have the authority to log on with the ID that is used for the region.

I readily admit that my experience in this area is quite limited.

--
Tom Marchant

>ITschak
>
>On Wed, 4 Sep 2019, 22:24, Tom Marchant <000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:
>
>> Does surrogate authority help?
>>
>> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/surru.htm
>>
>> --
>> Tom Marchant
Re: Submitting batch if you don't have TSO
Not at all. Removing the user parameter from job card will limit use to CICS. Surrogate will work on all environments.

ITschak

On Wed, 4 Sep 2019, 22:24, Tom Marchant <000a2a8c2020-dmarc-requ...@listserv.ua.edu> wrote:

> Does surrogate authority help?
>
> https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/surru.htm
>
> --
> Tom Marchant
Re: Submitting batch if you don't have TSO
> One argument management offers in mitigation is that most of these CICS users
> don't have TSO, so they haven't the ability to submit batch jobs.

What are they smoking? If "There are CICS transactions that fire off batch jobs;" then they have the ability to submit batch jobs. It's a disaster waiting to happen.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3

From: IBM Mainframe Discussion List on behalf of Bob Bridges
Sent: Wednesday, September 4, 2019 2:06 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Submitting batch if you don't have TSO

Not sure where to ask this, but I've wondered about it off and on for a while and it's past time I asked. I'm responsible for security at a mainframe shop where they use a lot of CICS. There are CICS transactions that fire off batch jobs; the way this place handles it is to submit the job under the authority of the CICS region ID (USER= on the JOB card), and give each user of such a transaction the necessary authority.

This gives me the screaming heebie-jeebies, but when I complain about it I get little support back. The problem, of course, is that if I'm authorized to submit jobs with USER= on the JOB card then I can submit ~any~ such job, to do anything I want that the region can do. (And of course any installation that's careless about letting folks have that authority is even more careless about what their CICS regions can do.)

One argument management offers in mitigation is that most of these CICS users don't have TSO, so they haven't the ability to submit batch jobs. Off-hand I can't contradict them, but I'm skeptical. I'm thinking there's probably a way and I just don't know about it. Can anyone confirm? If I were a CICS user without the ability to log on to TSO, could I still submit a batch job somehow?

---
Bob Bridges, robhbrid...@gmail.com, cell 336 382-7313

/* You know you've had too much coffee when
Juan Valdez names his donkey after you.
You've worn out the handle on your favorite coffee mug.
Your eyes stay open when you sneeze. */
Re: Submitting batch if you don't have TSO
Does surrogate authority help?

https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.1.0/com.ibm.zos.v2r1.icha700/surru.htm

--
Tom Marchant
Re: Submitting batch if you don't have TSO
Bob, few comments:

1. You don't need to specify user= in the job card. Any job submitted under CICS without propagation control will be assigned the CICS userid.
2. Can CICS end users manipulate the JCL they are submitting, or is it just submitted by the transaction? I hope they can't!
3. You can control this facility with the PROPCNTL resource class (all ESMs).
4. If the STIG framework is relevant to your organization, submitting jobs under the CICS user-id is a medium level risk.
5. Management forgot to mention "currently". What happens when a CICS user is assigned a TSO segment?
6. FTP is a potential security risk; however, the end-user must have an OMVS segment. Go guess who has one and why.
7. You don't leave open doors. Someone may use it to enter in. (See the Swiss cheese model.)

ITschak

On Wed, Sep 4, 2019 at 9:06 PM Bob Bridges wrote:

> Not sure where to ask this, but I've wondered about it off and on for a
> while and it's past time I asked. I'm responsible for security at a
> mainframe shop where they use a lot of CICS. There are CICS transactions
> that fire off batch jobs; the way this place handles it is to submit the
> job under the authority of the CICS region ID (USER= on the JOB
> card), and give each user of such a transaction the necessary authority.

--
ITschak Mugzach | IronSphere Platform | Information Security Contiguous Monitoring for Legacy |
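As an added example (not from any poster in this thread and not IBM's own documentation), the RACF commands below put ITschak's PROPCNTL point and Tom Marchant's lower-authority surrogate suggestion into practice; CICSREG, BATCHLO, MVSA and the CICSB* job-name prefix are placeholders, and the JESJOBS step is an extra control that goes beyond what the thread discusses.

```tso
/* Constructed example. Placeholders: CICSREG = CICS region userid,         */
/* BATCHLO = deliberately restricted batch userid, MVSA = JES node name.     */

/* 1. Stop the region's own identity from propagating to jobs it submits    */
/*    without USER= (the default behaviour described in comment 1 above).   */
SETROPTS CLASSACT(PROPCNTL) RACLIST(PROPCNTL)
RDEFINE  PROPCNTL CICSREG UACC(NONE)
SETROPTS RACLIST(PROPCNTL) REFRESH

/* 2. Define a protected userid (no password, cannot log on) that holds     */
/*    only the access the batch work really needs, and let the region       */
/*    submit jobs as that userid via a SURROGAT profile, never as itself.   */
ADDUSER  BATCHLO NAME('CICS BATCH SURROGATE') NOPASSWORD NOOIDCARD
SETROPTS CLASSACT(SURROGAT) RACLIST(SURROGAT)
RDEFINE  SURROGAT BATCHLO.SUBMIT UACC(NONE) AUDIT(ALL(READ))
PERMIT   BATCHLO.SUBMIT CLASS(SURROGAT) ID(CICSREG) ACCESS(READ)
SETROPTS RACLIST(SURROGAT) REFRESH

/* 3. Restrict which job names the region may submit at all (JESJOBS class, */
/*    profile form SUBMIT.node.jobname.userid): deny anything that would    */
/*    run as CICSREG, allow only CICSB* jobs running as BATCHLO.            */
SETROPTS CLASSACT(JESJOBS) GENERIC(JESJOBS)
RDEFINE  JESJOBS SUBMIT.MVSA.*.CICSREG UACC(NONE) AUDIT(ALL(READ))
RDEFINE  JESJOBS SUBMIT.MVSA.CICSB*.BATCHLO UACC(NONE)
PERMIT   SUBMIT.MVSA.CICSB*.BATCHLO CLASS(JESJOBS) ID(CICSREG) ACCESS(READ)

/* 4. Verify who may submit as BATCHLO and which job names are permitted;   */
/*    AUDIT(ALL(READ)) above makes every such submission an SMF record, the  */
/*    logging chain Thomas Ambros asks for.                                  */
RLIST SURROGAT BATCHLO.SUBMIT AUTHUSER
RLIST JESJOBS  SUBMIT.MVSA.CICSB*.BATCHLO AUTHUSER
```

With these in place, a transaction-submitted job whose JOB card carries USER=BATCHLO is accepted without a password because CICSREG holds READ on BATCHLO.SUBMIT, while a job with no USER= no longer inherits CICSREG's authority.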
Re: Submitting batch if you don't have TSO
On Wed, 4 Sep 2019 14:06:21 -0400, Bob Bridges wrote:
>
>One argument management offers in mitigation is that most of these CICS users
>don't have TSO, so they haven't the ability to submit batch jobs. Off-hand I
>can't contradict them, but I'm skeptical. I'm thinking there's probably a way
>and I just don't know about it. Can anyone confirm? If I were a CICS user
>without the ability to log on to TSO, could I still submit a batch job somehow?
>
Don't know about CICS. But, for example:
https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.2.0/com.ibm.zos.v2r2.bpxa400/jclsub.htm

Or FTP. Or anything that can allocate INTRDR and write to it.

Your concerns ought to be addressable by exits but, SMOP.

Does CICS retain any information about who logged in? Would you expect the person submitting a job to be prompted for ID and password?

-- gil
Re: Submitting batch if you don't have TSO
If they have 'job' authority, they can submit a JOB via SYSOUT(A,INTRDR)

On Wed, Sep 4, 2019 at 2:06 PM Bob Bridges wrote:

> Not sure where to ask this, but I've wondered about it off and on for a
> while and it's past time I asked. I'm responsible for security at a
> mainframe shop where they use a lot of CICS. There are CICS transactions
> that fire off batch jobs; the way this place handles it is to submit the
> job under the authority of the CICS region ID (USER= on the JOB
> card), and give each user of such a transaction the necessary authority.

--
John Kelly
Re: Submitting batch if you don't have TSO
On Wed, Sep 4, 2019 at 1:06 PM Bob Bridges wrote:

> One argument management offers in mitigation is that most of these CICS
> users don't have TSO, so they haven't the ability to submit batch jobs.
> Off-hand I can't contradict them, but I'm skeptical. I'm thinking there's
> probably a way and I just don't know about it. Can anyone confirm? If I
> were a CICS user without the ability to log on to TSO, could I still submit
> a batch job somehow?

Possibly via FTP using the QUOTE SITE FILETYPE=JES followed by a PUT of the file containing the JCL. Less likely is the ability to use TELNET or SSH to get a UNIX prompt. But you need to check to see if the RACF profiles.

--
I find television very educational. The minute somebody turns it on, I go into the library and read a good book -- Groucho Marx

Maranatha! <><
John McKown