Re: Z/OS Survey - Unusuall system commands

2023-12-20 Thread Radoslaw Skorupka

A few profile examples:
MVS.PURGE.MSS
MVS.HALT.TCAM
MVS.RELEASE.TCAM
MVS.HOLD.TCAM

The profiles were approx. 30 years old, but I'm pretty sure the 
installation had never had any MSS and possibly no TCAM.


All of the profiles are still documented in ...SDSF manual. It is 
interesting, because MVS System Commands does not document such 
commands. There are no commands like PURGE or RELEASE or HOLD at all, 
not to mention TCAM or MSS.


What's funny, I have found SMF records for some TCAM command. Was it 
really used in the last months? No. It was the result of a typo in a JES2 command - 
a missing $ prefix. However, the system interpreted it as a TCAM command; 
unfortunately I can't remember which one. I vaguely remember it was the "A" 
command abbreviation (like F for MODIFY).


BTW: IMHO such obsolete things should be erased altogether or documented as 
obsolete. Let's imagine an appendix in MVS System Commands: Commands no 
longer supported. Just a brief list.


--
Radoslaw Skorupka
Lodz, Poland



On 19.12.2023 at 22:12, Seymour J Metz wrote:

AFAIK TCAM and the 3850 were defunct by the time OPERCMDS came along. The last 
I heard, MSS staging drives had to be either 3330 or 3350 in compatibility mode 
and TCAM didn't support Y2K.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of Radoslaw 
Skorupka <0471ebeac275-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 3:31 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

Unusual commands?
Well, it is enough to open both MVS System Commands and JES2 Commands
manuals.
OBEY is not exactly the system command, however it is widely used.

My favourite is QUIESCE.
There are also other commands which I (almost) never use, but I
understand their purpose.
JES2 world is more complex - there are many commands whose purpose I
vaguely understand. And many which I consider really obsolete.

Fun fact: recently I've been cleaning some z/OS installation, RACF
definitions. I've found approx. 400 OPERCMDS profiles. Some of them were
really, really obsolete - like MSS related command, TCAM commands, etc.
What's funny, even not-so-current documentation does not mention such
commands or profiles, but at least a few of them are still present in the
system code.
Explanation: MSS - Mass Storage Subsystem. Very interesting tape-disc
device, but withdrawn in early 80's. TCAM - VTAM predecessor. I have no
idea how old it is. I'm pretty sure the OPERCMDS profiles were created
for an installation with neither MSS nor TCAM.

--
Radoslaw Skorupka
Lodz, Poland



On 19.12.2023 at 09:12, ITschak Mugzach wrote:

There are some MVS commands that are hard to understand how and why they
were created. What bothers me is the fact that the input of the commands
that modify MVS behavior allows input from private dataset. These are the
first commands I am trying when I do a pentest...
For example:
*SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
that is not part of the parmlib concatenation itself. For example: SETLOAD
03,PARMLIB,DSN=sys4.relson
TCPIP *OBEY* command allows specification of TCPIP configuration from a
private library.

How frequently do you use these commands (if ever) and how do you identify
the use (assuming that the commands are protected by your ESM). I wonder
why IBM allows such a scenario.

ITschak




--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Z/OS Survey - Unusuall system commands

2023-12-20 Thread Itschak Mugzach
Wrong thread, Lennie...

Itschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
and IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il  **|*





On Wed, Dec 20, 2023 at 3:35 PM Lennie Dymoke-Bradshaw <
032fff1be9b4-dmarc-requ...@listserv.ua.edu> wrote:

> Maybe my statement needs correcting. I meant DD parameters, rather than
> JCL statements.
> I have done this, but it was over 30 years ago. I believe you can specify
> many JCL parameters which can go on DD statements. These are then applied
> to the IEFRDER DD statement.
> Happy to be corrected if someone else has better knowledge or if behaviour
> has changed since then.
>
> Lennie Dymoke-Bradshaw
> https://rsclweb.com
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Seymour J Metz
> Sent: 20 December 2023 12:31
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Z/OS Survey - Unusuall system commands
>
> ?
>
> What JCL statements can START provide? As for parameters, that's limited
> to JOB, EXEC and DD.
>
> Of course, that's enough for a competent auditor to check who can use what.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on behalf
> of Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
> Sent: Tuesday, December 19, 2023 7:33 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Z/OS Survey - Unusuall system commands
>
> START will take all sorts of JCL statements as parameters. You can use it
> to recreate data sets that are needed for other things to start.
> Lennie
>
> -Original Message-
> From: IBM Mainframe Discussion List  On Behalf
> Of Seymour J Metz
> Sent: 19 December 2023 14:52
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Z/OS Survey - Unusuall system commands
>
> No, START.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on behalf
> of Itschak Mugzach <0305158ad67d-dmarc-requ...@listserv.ua.edu>
> Sent: Tuesday, December 19, 2023 9:23 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: Z/OS Survey - Unusuall system commands
>
> Seymour,
> Was it ROUTE command? ;-) Don't tell them. We fill our refrigerator using
> these weaknesses...
>
> BTW, I like your new Hebrew signature!
>
> ITschak
>
> *| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
> Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
> and IBM I **|  *
>
> *|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
> *Skype**: ItschakMugzach **|* *Web**:
> http://www.Securiteam.co.il
> **|*
>
>
>
>
>
> On Tue, Dec 19, 2023 at 4:20 PM Seymour J Metz  wrote:
>
> > If you control your console commands through SAF, you have fairly fine
> > granularity.
> >
> > BTW, a couple of decades ago I reported a similar issue on a command
> > that is extremely common.  If you're doing an audit, look at the
> > common commands in addition to the rare ones.
> >
> > --
> > Shmuel (Seymour J.) Metz
> > http://mason.gmu.edu/~smetz3
> > עַם יִשְׂרָאֵל חַי
> > נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
> >
> > 
> > From: IBM Mainframe Discussion List  on
> > behalf of ITschak Mugzach 
> > Sent: Tuesday, December 19, 2023 3:12 AM
> > To: IBM-MAIN@LISTSERV.UA.EDU
> > Subject: Z/OS Survey - Unusuall system commands
> >
> > There are some MVS commands that are hard to understand how and why
> > they were created. What bothers me is the fact that the input of the
> > commands that modify MVS behavior allows input from private dataset.
> > These are the first commands I am trying when I do a pentest...
> > For example:
> > *SETLOAD* allows on-the-fly change of

Re: Z/OS Survey - Unusuall system commands

2023-12-20 Thread Seymour J Metz
With that correction it goes back to OS/360 (R14?). Any keyword not recognized 
is assumed to be a symbolic parameter and is placed on the EXEC. I don't know 
which JOB parameters are allowed in z/OS V3R1.


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Sent: Wednesday, December 20, 2023 8:34 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

Maybe my statement needs correcting. I meant DD parameters, rather than JCL 
statements.
I have done this, but it was over 30 years ago. I believe you can specify many 
JCL parameters which can go on DD statements. These are then applied to the 
IEFRDER DD statement.
Happy to be corrected if someone else has better knowledge or if behaviour has 
changed since then.

Lennie Dymoke-Bradshaw
https://rsclweb.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 20 December 2023 12:31
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

?

What JCL statements can START provide? As for parameters, that's limited to 
JOB, EXEC and DD.

Of course, that's enough for a competent auditor to check who can use what.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 7:33 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

START will take all sorts of JCL statements as parameters. You can use it to 
recreate data sets that are needed for other things to start.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 19 December 2023 14:52
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

No, START.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Itschak Mugzach <0305158ad67d-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 9:23 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

Seymour,
Was it ROUTE command? ;-) Don't tell them. We fill our refrigerator using these 
weaknesses...

BTW, I like your new Hebrew signature!

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and 
IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: 
http://www.Securiteam.co.il
  **|*





On Tue, Dec 19, 2023 at 4:20 PM Seymour J Metz  wrote:

> If you control your console commands through SAF, you have fairly fine
> granularity.
>
> BTW, a couple of decades ago I reported a similar issue on a command
> that is extremely common.  If you're doing an audit, look at the
> common commands in addition to the rare ones.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on
> behalf of ITschak Mugzach 
> Sent: Tuesday, December 19, 2023 3:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Z/OS Survey - Unusuall system commands
>
> There are some MVS commands that are hard to understand how and why
> they were created. What bothers me is the fact that the input of the
> commands that modify MVS behavior allows input from private dataset.
> These are the first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a
> dataset that is not part of the parmlib concatenation itself. For
> example: SETLOAD 03,PARMLIB,DSN=sys4.relson TCPIP *OBEY* command
> allows specification of TCPIP configuration from a private library.
>
> How frequently do you use these commands (if ever) and how do you
> identify the use (assuming that the commands are pr

Re: Z/OS Survey - Unusuall system commands

2023-12-20 Thread Lennie Dymoke-Bradshaw
Maybe my statement needs correcting. I meant DD parameters, rather than JCL 
statements. 
I have done this, but it was over 30 years ago. I believe you can specify many 
JCL parameters which can go on DD statements. These are then applied to the 
IEFRDER DD statement.
Happy to be corrected if someone else has better knowledge or if behaviour has 
changed since then.

Lennie Dymoke-Bradshaw
https://rsclweb.com

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 20 December 2023 12:31
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

?

What JCL statements can START provide? As for parameters, that's limited to 
JOB, EXEC and DD.

Of course, that's enough for a competent auditor to check who can use what.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 7:33 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

START will take all sorts of JCL statements as parameters. You can use it to 
recreate data sets that are needed for other things to start.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 19 December 2023 14:52
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

No, START.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Itschak Mugzach <0305158ad67d-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 9:23 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

Seymour,
Was it ROUTE command? ;-) Don't tell them. We fill our refrigerator using these 
weaknesses...

BTW, I like your new Hebrew signature!

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and 
IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: 
http://www.Securiteam.co.il
  **|*





On Tue, Dec 19, 2023 at 4:20 PM Seymour J Metz  wrote:

> If you control your console commands through SAF, you have fairly fine 
> granularity.
>
> BTW, a couple of decades ago I reported a similar issue on a command 
> that is extremely common.  If you're doing an audit, look at the 
> common commands in addition to the rare ones.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on 
> behalf of ITschak Mugzach 
> Sent: Tuesday, December 19, 2023 3:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Z/OS Survey - Unusuall system commands
>
> There are some MVS commands that are hard to understand how and why 
> they were created. What bothers me is the fact that the input of the 
> commands that modify MVS behavior allows input from private dataset.
> These are the first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a 
> dataset that is not part of the parmlib concatenation itself. For
> example: SETLOAD 03,PARMLIB,DSN=sys4.relson TCPIP *OBEY* command 
> allows specification of TCPIP configuration from a private library.
>
> How frequently do you use these commands (if ever) and how do you 
> identify the use (assuming that the commands are protected by your 
> ESM). I wonder why IBM allows such a scenario.
>
> ITschak
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous 
> Monitoring for z/OS, x/Linux & IBM I **| z/VM coming soon  *
>

Re: Z/OS Survey - Unusuall system commands

2023-12-20 Thread Seymour J Metz
?

What JCL statements can START provide? As for parameters, that's limited to 
JOB, EXEC and DD.

Of course, that's enough for a competent auditor to check who can use what.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Lennie Dymoke-Bradshaw <032fff1be9b4-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 7:33 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

START will take all sorts of JCL statements as parameters. You can use it to 
recreate data sets that are needed for other things to start.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 19 December 2023 14:52
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

No, START.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Itschak Mugzach <0305158ad67d-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 9:23 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

Seymour,
Was it ROUTE command? ;-) Don't tell them. We fill our refrigerator using these 
weaknesses...

BTW, I like your new Hebrew signature!

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and 
IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: 
http://www.Securiteam.co.il
  **|*





On Tue, Dec 19, 2023 at 4:20 PM Seymour J Metz  wrote:

> If you control your console commands through SAF, you have fairly fine
> granularity.
>
> BTW, a couple of decades ago I reported a similar issue on a command
> that is extremely common.  If you're doing an audit, look at the
> common commands in addition to the rare ones.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on
> behalf of ITschak Mugzach 
> Sent: Tuesday, December 19, 2023 3:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Z/OS Survey - Unusuall system commands
>
> There are some MVS commands that are hard to understand how and why
> they were created. What bothers me is the fact that the input of the
> commands that modify MVS behavior allows input from private dataset.
> These are the first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a
> dataset that is not part of the parmlib concatenation itself. For
> example: SETLOAD 03,PARMLIB,DSN=sys4.relson TCPIP *OBEY* command
> allows specification of TCPIP configuration from a private library.
>
> How frequently do you use these commands (if ever) and how do you
> identify the use (assuming that the commands are protected by your
> ESM). I wonder why IBM allows such a scenario.
>
> ITschak
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous
> Monitoring for z/OS, x/Linux & IBM I **| z/VM coming soon  *
>


Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Jon Perryman
On Tue, 19 Dec 2023 16:23:30 +0200, Itschak Mugzach 
 wrote:

>Was it ROUTE command? ;-) Don't tell them. We fill our refrigerator using
>these weaknesses...

I always hated when auditors bashed us for non-issues but then again, these 
were often simple to show we took some sort of futile action. ROUTE is limited 
to the sysplex and console is normally the same people in control of the entire 
sysplex. Even if you include the programming test systems in the sysplex, they 
use SDSF and never need to issue console commands. Automation is more likely 
to be an exposure than the ROUTE command.



Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Jon Perryman
On Tue, 19 Dec 2023 10:12:21 +0200, ITschak Mugzach  wrote:

>There are some MVS commands that are hard to understand how and why they
>were created.

You mean "console commands" because MVS is only 1 product that implements 
console commands. Each subsystem on the SSI can optionally receive commands 
(e.g. VTAM v net and d net). Additionally, other products like TCP don't need 
the SSI and implement the modify command.
 
> What bothers me is the fact that the input of the commands
>that modify MVS behavior allows input from private dataset. 
> I wonder why IBM allows such a scenario.

There are various benefits to specifying datasets. The most important is to 
avoid an outage (e.g. IPL or restarting a product to correct a problem). 
Another benefit is the change is temporary to a non-production dataset.

>How frequently do you use these commands (if ever).

As a product developer dealing with customers, I've dealt with customers' 
production environments ranging from very secure to very flexible. It's rare 
that these commands are needed. A few customers don't want to touch production 
datasets and prefer to make temporary changes. 

Does a company consider temporary changes thru the use of a temporary dataset 
any more risky than modifying production datasets or using tools like Omegamon 
to make those temporary changes without the use of a dataset?

>*SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset

I would expect specifying a dataset on SETLOAD would be extremely rare and only 
needed if multiple members are affected. For instance, you have an OEM product 
that uses PARMLIB for configuration options that you need implemented outside 
the regular maint window.

>TCPIP *OBEY* command allows specification of TCPIP configuration from a 
>private library

TCP configuration files can be datasets, PDS members or UNIX files. For those 
customers that use sequential datasets, specifying a DSN is the best option 
because you're dealing with a lesser experienced customer who hasn't planned 
for backup and changing TCP config.

> and how do you identify the use 

Identifying console commands that allow specifying datasets requires you review 
all products that support console commands. Job scheduling software may allow 
specifying a dataset on the demand request. Automation by local sysprogs can 
intercept commands, modify them or process the command. System monitors can 
sometimes allow DSN. Identifying where DSN is allowed requires you put in the 
effort because there won't be a single document telling you where DSN is 
allowed.
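
One way to approach the "how do you identify the use" question for the two commands named in this thread, as an added example that is not part of the original post: scan a command-log extract for SETLOAD and VARY TCPIP OBEYFILE commands that name a dataset, and check that dataset against an allowlist. The log layout, the sample records, the allowlist prefixes and the accepted OBEYFILE abbreviations are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample records in a simplified layout: time | system | issuer | command.
# This is not the real SYSLOG/OPERLOG/SMF layout; adapt the parsing to your own extract.
SAMPLE_LOG = """\
2023-12-19T09:12:01 | SYSA | OPER1   | D A,L
2023-12-19T09:14:40 | SYSA | SYSPRG2 | SETLOAD 03,PARMLIB
2023-12-19T09:15:02 | SYSA | USER77  | SETLOAD 03,PARMLIB,DSN=sys4.relson
2023-12-19T09:20:13 | SYSA | NETADM  | V TCPIP,,OBEYFILE,DSN=TCPIP.PROD.PROFILES(OBEY1)
2023-12-19T09:21:45 | SYSB | USER77  | VARY TCPIP,TCPIP1,O,USER77.PRIVATE.OBEY
2023-12-19T09:30:00 | SYSB | OPER1   | $DA
"""

# Hypothetical allowlist: dataset prefixes that change control has approved.
APPROVED_PREFIXES = ("SYS1.", "TCPIP.PROD.")

SETLOAD_RE = re.compile(r"^SETLOAD\s+(?P<ops>\S+)", re.IGNORECASE)
VARY_TCPIP_RE = re.compile(
    r"^(?:V|VARY)\s+TCPIP,(?P<proc>[^,]*),(?P<kw>[A-Z]+),(?P<rest>\S+)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    time: str
    system: str
    issuer: str
    command: str
    dataset: str
    approved: bool


def normalize_dsn(raw):
    """Upper-case, drop a DSN= keyword, quotes and any (member) suffix."""
    dsn = raw.strip().upper()
    if dsn.startswith("DSN="):
        dsn = dsn[4:]
    return dsn.strip("'").split("(", 1)[0]


def extract_dataset(command):
    """Return the dataset a command points the system at, or None."""
    cmd = command.strip()
    m = SETLOAD_RE.match(cmd)
    if m:
        # SETLOAD without DSN= stays inside the existing parmlib concatenation.
        for operand in m.group("ops").split(","):
            if operand.upper().startswith("DSN="):
                return normalize_dsn(operand)
        return None
    m = VARY_TCPIP_RE.match(cmd)
    # Assumption: any leading abbreviation of OBEYFILE (O, OBEY, ...) is accepted.
    if m and "OBEYFILE".startswith(m.group("kw").upper()):
        return normalize_dsn(m.group("rest"))
    return None


def find_dataset_overrides(log_text, approved_prefixes=APPROVED_PREFIXES):
    """List every logged command that names a dataset, flagging unapproved ones."""
    findings = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|", 3)]
        if len(fields) != 4:
            continue  # not a record in the assumed layout
        time, system, issuer, command = fields
        dataset = extract_dataset(command)
        if dataset is None:
            continue
        approved = dataset.startswith(tuple(approved_prefixes))
        findings.append(Finding(time, system, issuer, command, dataset, approved))
    return findings


if __name__ == "__main__":
    for f in find_dataset_overrides(SAMPLE_LOG):
        status = "ok     " if f.approved else "REVIEW "
        print(f"{status}{f.time} {f.system} {f.issuer:8} {f.dataset:24} <- {f.command}")
```

As the post above notes, this covers only the commands it knows about; job schedulers, automation and monitors that accept a DSN need their own patterns.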



Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Lennie Dymoke-Bradshaw
START will take all sorts of JCL statements as parameters. You can use it to 
recreate data sets that are needed for other things to start.
Lennie

-Original Message-
From: IBM Mainframe Discussion List  On Behalf Of 
Seymour J Metz
Sent: 19 December 2023 14:52
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

No, START.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Itschak Mugzach <0305158ad67d-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 9:23 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

Seymour,
Was it ROUTE command? ;-) Don't tell them. We fill our refrigerator using these 
weaknesses...

BTW, I like your new Hebrew signature!

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and 
IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: 
http://www.Securiteam.co.il
  **|*





On Tue, Dec 19, 2023 at 4:20 PM Seymour J Metz  wrote:

> If you control your console commands through SAF, you have fairly fine 
> granularity.
>
> BTW, a couple of decades ago I reported a similar issue on a command 
> that is extremely common.  If you're doing an audit, look at the 
> common commands in addition to the rare ones.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on 
> behalf of ITschak Mugzach 
> Sent: Tuesday, December 19, 2023 3:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Z/OS Survey - Unusuall system commands
>
> There are some MVS commands that are hard to understand how and why 
> they were created. What bothers me is the fact that the input of the 
> commands that modify MVS behavior allows input from private dataset. 
> These are the first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a 
> dataset that is not part of the parmlib concatenation itself. For 
> example: SETLOAD 03,PARMLIB,DSN=sys4.relson TCPIP *OBEY* command 
> allows specification of TCPIP configuration from a private library.
>
> How frequently do you use these commands (if ever) and how do you 
> identify the use (assuming that the commands are protected by your 
> ESM). I wonder why IBM allows such a scenario.
>
> ITschak
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous 
> Monitoring for z/OS, x/Linux & IBM I **| z/VM coming soon  *
>



Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Mike Schwab
TCAM?  z/OS 2.3 from 2019 page 21-22 in
https://www-40.ibm.com/servers/resourcelink/svc00100.nsf/pages/zOSV2R3sa231379/$file/ieae100_v2r3.pdf

On Tue, Dec 19, 2023 at 2:32 PM Radoslaw Skorupka <
0471ebeac275-dmarc-requ...@listserv.ua.edu> wrote:

> Unusual commands?
> Well, it is enough to open both MVS System Commands and JES2 Commands
> manuals.
> OBEY is not exactly the system command, however it is widely used.
>
> My favourite is QUIESCE.
> There are also other commands which I (almost) never use, but I
> understand their purpose.
> JES2 world is more complex - there are many commands whose purpose I
> vaguely understand. And many which I consider really obsolete.
>
> Fun fact: recently I've been cleaning some z/OS installation, RACF
> definitions. I've found approx. 400 OPERCMDS profiles. Some of them were
> really, really obsolete - like MSS related command, TCAM commands, etc.
> What's funny, even not-so-current documentation does not mention such
> commands or profiles, but at least a few of them are still present in the
> system code.
> Explanation: MSS - Mass Storage Subsystem. Very interesting tape-disc
> device, but withdrawn in early 80's. TCAM - VTAM predecessor. I have no
> idea how old it is. I'm pretty sure the OPERCMDS profiles were created
> for an installation with neither MSS nor TCAM.
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
>
>
> On 19.12.2023 at 09:12, ITschak Mugzach wrote:
> > There are some MVS commands that are hard to understand how and why they
> > were created. What bothers me is the fact that the input of the commands
> > that modify MVS behavior allows input from private dataset. These are the
> > first commands I am trying when I do a pentest...
> > For example:
> > *SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
> > that is not part of the parmlib concatenation itself. For example: SETLOAD
> > 03,PARMLIB,DSN=sys4.relson
> > TCPIP *OBEY* command allows specification of TCPIP configuration from a
> > private library.
> >
> > How frequently do you use these commands (if ever) and how do you identify
> > the use (assuming that the commands are protected by your ESM). I wonder
> > why IBM allows such a scenario.
> >
> > ITschak
>


-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?



Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Seymour J Metz
AFAIK TCAM and the 3850 were defunct by the time OPERCMDS came along. The last 
I heard, MSS staging drives had to be either 3330 or 3350 in compatibility mode 
and TCAM didn't support Y2K.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Radoslaw Skorupka <0471ebeac275-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 3:31 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

Unusual commands?
Well, it is enough to open both MVS System Commands and JES2 Commands
manuals.
OBEY is not exactly the system command, however it is widely used.

My favourite is QUIESCE.
There are also other commands which I (almost) never use, but I
understand their purpose.
JES2 world is more complex - there are many commands which I vaguely
understand the purpose. And many which I consider really obsolete.

Fun fact: recently I've been cleaning some z/OS installation, RACF
definitions. I've found approx. 400 OPERCMDS profiles. Some of them were
really, really obsolete - like MSS related command, TCAM commands, etc.
What's funny, even not-so-current documentation does not mention such
commands or profiles, but at least few of them are still present in the
system code.
Explanation: MSS - Mass Storage Subsystem. Very interesting tape-disc
device, but withdrawn in early 80's. TCAM - VTAM predecessor. I have no
idea how old it is. I'm pretty sure the OPERCMDS profiles were created
for an installation with neither MSS nor TCAM.

--
Radoslaw Skorupka
Lodz, Poland



On 19.12.2023 at 09:12, ITschak Mugzach wrote:
> There are some MVS commands that are hard to understand how and why they
> were created. What bothers me is the fact that the input of the commands
> that modify MVS behavior allows input from private dataset. These are the
> first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
> that is not part of the parmlib concatenation itself. For example: SETLOAD
> 03,PARMLIB,DSN=sys4.relson
> TCPIP *OBEY* command allows specification of TCPIP configuration from a
> private library.
>
> How frequent do you use these commands (if ever) and how do you identify
> the use (assuming that the commands are protected by your ESM). I wonder
> why IBM allows such a scenario.
>
> ITschak



Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Itschak Mugzach
Radoslaw,

My concern is security.

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
and IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il  **|*





On Tue, 19 Dec 2023 at 22:32, Radoslaw Skorupka <
0471ebeac275-dmarc-requ...@listserv.ua.edu> wrote:

> Unusual commands?
> Well, it is enough to open both MVS System Commands and JES2 Commands
> manuals.
> OBEY is not exactly the system command, however it is widely used.
>
> My favourite is QUIESCE.
> There are also other commands which I (almost) never use, but I
> understand their purpose.
> JES2 world is more complex - there are many commands which I vaguely
> understand the purpose. And many which I consider really obsolete.
>
> Fun fact: recently I've been cleaning some z/OS installation, RACF
> definitions. I've found approx. 400 OPERCMDS profiles. Some of them were
> really, really obsolete - like MSS related command, TCAM commands, etc.
> What's funny, even not-so-current documentation does not mention such
> commands or profiles, but at least few of them are still present in the
> system code.
> Explanation: MSS - Mass Storage Subsystem. Very interesting tape-disc
> device, but withdrawn in early 80's. TCAM - VTAM predecessor. I have no
> idea how old it is. I'm pretty sure the OPERCMDS profiles were created
> for an installation with neither MSS nor TCAM.
>
> --
> Radoslaw Skorupka
> Lodz, Poland
>
>
>
> On 19.12.2023 at 09:12, ITschak Mugzach wrote:
> > There are some MVS commands that are hard to understand how and why they
> > were created. What bothers me is the fact that the input of the commands
> > that modify MVS behavior allows input from private dataset. These are the
> > first commands I am trying when I do a pentest...
> > For example:
> > *SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
> > that is not part of the parmlib concatenation itself. For example: SETLOAD
> > 03,PARMLIB,DSN=sys4.relson
> > TCPIP *OBEY* command allows specification of TCPIP configuration from a
> > private library.
> >
> > How frequent do you use these commands (if ever) and how do you identify
> > the use (assuming that the commands are protected by your ESM). I wonder
> > why IBM allows such a scenario.
> >
> > ITschak


Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Radoslaw Skorupka

Unusual commands?
Well, it is enough to open both MVS System Commands and JES2 Commands 
manuals.

OBEY is not exactly the system command, however it is widely used.

My favourite is QUIESCE.
There are also other commands which I (almost) never use, but I 
understand their purpose.
JES2 world is more complex - there are many commands which I vaguely 
understand the purpose. And many which I consider really obsolete.


Fun fact: recently I've been cleaning some z/OS installation, RACF 
definitions. I've found approx. 400 OPERCMDS profiles. Some of them were 
really, really obsolete - like MSS related command, TCAM commands, etc.
What's funny, even not-so-current documentation does not mention such 
commands or profiles, but at least few of them are still present in the 
system code.
Explanation: MSS - Mass Storage Subsystem. Very interesting tape-disc 
device, but withdrawn in early 80's. TCAM - VTAM predecessor. I have no 
idea how old it is. I'm pretty sure the OPERCMDS profiles were created 
for an installation with neither MSS nor TCAM.


--
Radoslaw Skorupka
Lodz, Poland



On 19.12.2023 at 09:12, ITschak Mugzach wrote:

> There are some MVS commands that are hard to understand how and why they
> were created. What bothers me is the fact that the input of the commands
> that modify MVS behavior allows input from private dataset. These are the
> first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
> that is not part of the parmlib concatenation itself. For example: SETLOAD
> 03,PARMLIB,DSN=sys4.relson
> TCPIP *OBEY* command allows specification of TCPIP configuration from a
> private library.
>
> How frequent do you use these commands (if ever) and how do you identify
> the use (assuming that the commands are protected by your ESM). I wonder
> why IBM allows such a scenario.
>
> ITschak




Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Seymour J Metz
No, START.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
Itschak Mugzach <0305158ad67d-dmarc-requ...@listserv.ua.edu>
Sent: Tuesday, December 19, 2023 9:23 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Z/OS Survey - Unusuall system commands

Seymour,
Was it ROUTE command? ;-) Don't tell them. We fill our refrigerator using
these weaknesses...

BTW, I like your new Hebrew signature!

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
and IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: http://www.Securiteam.co.il  **|*





On Tue, Dec 19, 2023 at 4:20 PM Seymour J Metz  wrote:

> If you control your console commands through SAF, you have fairly fine
> granularity.
>
> BTW, a couple of decades ago I reported a similar issue on a command that
> is extremely common.  If you're doing an audit, look at the common commands
> in addition to the rare ones.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on behalf
> of ITschak Mugzach 
> Sent: Tuesday, December 19, 2023 3:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Z/OS Survey - Unusuall system commands
>
> There are some MVS commands that are hard to understand how and why they
> were created. What bothers me is the fact that the input of the commands
> that modify MVS behavior allows input from private dataset. These are the
> first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
> that is not part of the parmlib concatenation itself. For example: SETLOAD
> 03,PARMLIB,DSN=sys4.relson
> TCPIP *OBEY* command allows specification of TCPIP configuration from a
> private library.
>
> How frequent do you use these commands (if ever) and how do you identify
> the use (assuming that the commands are protected by your ESM). I wonder
> why IBM allows such a scenario.
>
> ITschak
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous Monitoring
> for z/OS, x/Linux & IBM I **| z/VM coming soon  *


Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Itschak Mugzach
Seymour,
Was it ROUTE command? ;-) Don't tell them. We fill our refrigerator using
these weaknesses...

BTW, I like your new Hebrew signature!

ITschak

*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere
Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux
and IBM I **|  *

*|* *Email**: i_mugz...@securiteam.co.il **|* *Mob**: +972 522 986404 **|*
*Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il  **|*





On Tue, Dec 19, 2023 at 4:20 PM Seymour J Metz  wrote:

> If you control your console commands through SAF, you have fairly fine
> granularity.
>
> BTW, a couple of decades ago I reported a similar issue on a command that
> is extremely common.  If you're doing an audit, look at the common commands
> in addition to the rare ones.
>
> --
> Shmuel (Seymour J.) Metz
> http://mason.gmu.edu/~smetz3
> עַם יִשְׂרָאֵל חַי
> נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר
>
> 
> From: IBM Mainframe Discussion List  on behalf
> of ITschak Mugzach 
> Sent: Tuesday, December 19, 2023 3:12 AM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Z/OS Survey - Unusuall system commands
>
> There are some MVS commands that are hard to understand how and why they
> were created. What bothers me is the fact that the input of the commands
> that modify MVS behavior allows input from private dataset. These are the
> first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
> that is not part of the parmlib concatenation itself. For example: SETLOAD
> 03,PARMLIB,DSN=sys4.relson
> TCPIP *OBEY* command allows specification of TCPIP configuration from a
> private library.
>
> How frequent do you use these commands (if ever) and how do you identify
> the use (assuming that the commands are protected by your ESM). I wonder
> why IBM allows such a scenario.
>
> ITschak
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous Monitoring
> for z/OS, x/Linux & IBM I **| z/VM coming soon  *


Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Seymour J Metz
If you control your console commands through SAF, you have fairly fine 
granularity.

BTW, a couple of decades ago I reported a similar issue on a command that is 
extremely common.  If you're doing an audit, look at the common commands in 
addition to the rare ones.

--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3
עַם יִשְׂרָאֵל חַי
נֵ֣צַח יִשְׂרָאֵ֔ל לֹ֥א יְשַׁקֵּ֖ר


From: IBM Mainframe Discussion List  on behalf of 
ITschak Mugzach 
Sent: Tuesday, December 19, 2023 3:12 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Z/OS Survey - Unusuall system commands

There are some MVS commands that are hard to understand how and why they
were created. What bothers me is the fact that the input of the commands
that modify MVS behavior allows input from private dataset. These are the
first commands I am trying when I do a pentest...
For example:
*SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
that is not part of the parmlib concatenation itself. For example: SETLOAD
03,PARMLIB,DSN=sys4.relson
TCPIP *OBEY* command allows specification of TCPIP configuration from a
private library.

How frequent do you use these commands (if ever) and how do you identify
the use (assuming that the commands are protected by your ESM). I wonder
why IBM allows such a scenario.

ITschak

ITschak Mugzach
*|** IronSphere Platform* *|* *Information Security Continuous Monitoring
for z/OS, x/Linux & IBM I **| z/VM coming soon  *



Re: Z/OS Survey - Unusuall system commands

2023-12-19 Thread Colin Paice
I've always thought the TCPIP OBEY command was a security exposure. Someone
could reconfigure TCPIP using their private data set. Yes you can lock
down the command.
I think VTAM is better, you can only activate a member which is in the VTAM
VTAMLST dataset concatenation - and so you have to use one of the system
approved data sets. On our test systems we had USER.VTAMLST and could
control write access to this.
Colin


On Tue, 19 Dec 2023 at 08:12, ITschak Mugzach  wrote:

> There are some MVS commands that are hard to understand how and why they
> were created. What bothers me is the fact that the input of the commands
> that modify MVS behavior allows input from private dataset. These are the
> first commands I am trying when I do a pentest...
> For example:
> *SETLOAD* allows on-the-fly change of parmlib concatenation using a dataset
> that is not part of the parmlib concatenation itself. For example: SETLOAD
> 03,PARMLIB,DSN=sys4.relson
> TCPIP *OBEY* command allows specification of TCPIP configuration from a
> private library.
>
> How frequent do you use these commands (if ever) and how do you identify
> the use (assuming that the commands are protected by your ESM). I wonder
> why IBM allows such a scenario.
>
> ITschak
>
> ITschak Mugzach
> *|** IronSphere Platform* *|* *Information Security Continuous Monitoring
> for z/OS, x/Linux & IBM I **| z/VM coming soon  *

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
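
One way to answer the thread's question of how to identify use of SETLOAD with DSN= or the TCPIP OBEY command against a private data set, as an added example that is not code from any poster or from IBM. The log line layout, the allow-lists, the function names and every data set name except sys4.relson are constructed assumptions, and the OBEY command is assumed to be entered in the VARY TCPIP,,OBEYFILE form.

```python
import re
from dataclasses import dataclass

# Constructed allow-lists: data sets this hypothetical site approves as sources.
APPROVED_LOAD_DSNS = {"SYS1.PARMLIB", "SYS1.IPLPARM"}
APPROVED_OBEY_DSNS = {"SYS1.TCPPARMS"}

SETLOAD_RE = re.compile(r"^SETLOAD\s+\w{2},PARMLIB(?P<rest>.*)$", re.I)
DSN_RE = re.compile(r",DSN=(?P<dsn>[^,\s]+)", re.I)
# OBEYFILE is matched loosely (O, OBEY, OBEYFILE) so abbreviations are not missed.
OBEY_RE = re.compile(r"^V(?:ARY)?\s+TCPIP,[^,]*,O(?:BEY(?:FILE)?)?,(?P<dsn>\S+)$", re.I)

@dataclass
class Finding:
    user: str
    command: str
    dataset: str

def normalise(dsn):
    """Upper-case, drop a DSN= prefix, quotes and any (member) suffix."""
    dsn = dsn.strip().upper()
    if dsn.startswith("DSN="):
        dsn = dsn[4:]
    return dsn.strip("'").split("(", 1)[0]

def check_command(user, text):
    """Return a Finding when the command names a data set outside the allow-list."""
    text = text.strip()
    m = SETLOAD_RE.match(text)
    if m:
        d = DSN_RE.search(m.group("rest"))
        # No DSN= operand: the command named no data set, nothing to flag.
        if d and normalise(d.group("dsn")) not in APPROVED_LOAD_DSNS:
            return Finding(user, "SETLOAD", normalise(d.group("dsn")))
        return None
    m = OBEY_RE.match(text)
    if m and normalise(m.group("dsn")) not in APPROVED_OBEY_DSNS:
        return Finding(user, "VARY TCPIP OBEYFILE", normalise(m.group("dsn")))
    return None

def scan(lines):
    """Scan lines in the constructed layout '<time> <userid> <command text>'."""
    findings = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) == 3:
            finding = check_command(parts[1], parts[2])
            if finding:
                findings.append(finding)
    return findings

# Constructed sample input; only the first command text comes from the thread.
SAMPLE_LOG = [
    "09:12:01 OPER1 SETLOAD 03,PARMLIB,DSN=sys4.relson",
    "09:13:40 OPER1 SETLOAD 00,PARMLIB",
    "09:15:02 SYSPROG1 SETLOAD 01,PARMLIB,DSN=SYS1.PARMLIB",
    "09:20:11 NETADM V TCPIP,,OBEYFILE,SYS1.TCPPARMS(OBEY01)",
    "09:21:45 USER42 VARY TCPIP,TCPIP1,O,DSN=USER42.PRIVATE.CNTL(ROUTES)",
    "09:30:00 OPER1 D IPLINFO",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.user}: {f.command} used {f.dataset}")
```

The check complements the ESM protection mentioned in the thread: it reports who pointed either command at a data set outside the approved libraries, even when that user was authorized to issue the command.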