________________________________
From: Wayne Driscoll <wdri...@us.ibm.com>
To: IBM-MAIN@bama.ua.edu
Sent: Fri, April 2, 2010 5:12:16 PM
Subject: Re: Heads Up: APAR IO11698 - New SAF FACILITY class definition 
required for any SMP/E use

Paul,
Thankfully, APF authorization and system resource access security are 2 
separate things.  When the OPEN SVC gets invoked, it will perform a 
RACROUTE REQUEST=AUTH call for the dataset being opened, regardless of the 
value in JSCBAUTH.  The only way that security checks are bypassed is via 
the NODSI option in the PPT.  Now an APF authorized program could switch 
to key 0 and update various fields so the security system thinks they have 
more authority than they really should, but that isn't an issue when using 
a utility, particularly one that is covered under the z/OS statement of 
integrity.

===============================================
Wayne Driscoll
OMEGAMON DB2 L3 Support/Development
wdrisco(AT)us.ibm.com
===============================================



Wayne,

I guess we will not talk about IEBCOPY then?

Not to get deeply into the discussion I will make a brief observation and then 
let everyone make up their own mind.
OK this was approximately 25 years ago (but still valid today) we had been 
running MVS for several years.
We had a *REALLY* good applications programmer that simply bypassed any and all 
protections we had, RACF, expiration dates,
password protection, doing cross address space snooping and alterations. In 
short he was a nightmare. Before going to upper management we decided we had to 
have proof of what he was doing. We decided the only possible way to monitor him 
was with GTF. He was able to bypass even GTF recording for him, he was that 
good. 
After 2 or 3 weeks we went to upper management and explained the issue telling 
him we could not get real proof and the only facility we had left (dumping his 
address space) was not all that proof proof (legally speaking).
The VP talked with us for a while and he left it with us that he would have to 
talk with some lawyers and others.
Several weeks later we were in a meeting about something else and the meeting 
ended and he asked two of us to stay.
He said he talked with some IBM people (he was an ex IBMer himself) and some 
lawyers. He told us his options were limited (it was a treacherous political 
place in the upper strata). It came down to him letting the subsidiary know 
that the programmer was no longer welcome on the system.
    We weren't happy but we asked that he do that as our system availability 
had gone to pot whenever he was signed on.
We were basically behind a brick wall on this. This was before upper management 
had been taught about RAS.
Our VP did ask the subsidiary to restrict his access. They went ballistic and 
did some threatening up at high corporate level (I learned this a while later). 
The decision came down that we had to do a hands off on this guy.

Fast forward 2 years the company decided to sell off the subsidiary and the guy 
left the company. He went to work for some MVS product company (sorry do not 
remember what the name was). We heard that and made sure that our company would 
never buy a product from them.

MVS Security is pretty damn good (excellent in fact) but if you have a smart 
guy he can bypass any and all MVS logging/security/APF etc etc if he wants to.

Ed



