While the status of the active settings derived from Parmlib members may be 
viewable using tools such as IPLINFO and the like, there are other things in 
Parmlibs as well.

For example, 
1. Many sites will have Parmlib shared amongst members of a sysplex. So READ 
access to Parmlib gives you those settings as well. If you don't have the 
ability to logon to those systems you can still get some of their settings.
2. Many sites keep fallback settings or recovery settings in Parmlib. It is 
possible these may have lower security (in order to accommodate recovery). So 
read access gives you those as well.
3. The names of people involved in making settings changes are often recorded 
in Parmlib in comments. Using these names can be an opportunity for social 
engineering of help desk staff.

Above all, turn the question round. Why do users *need* access to Parmlib? If 
they can manage without read access and still do their jobs efficiently why 
give them (and others) access? Most development TSO users will not need access. 
Many support staff will need access. Set the access accordingly. Use the 
principle of least access to grant access where needed, rather than denying 
where needed.

Think further. Think like a hacker.
Lennie

Lennie Dymoke-Bradshaw
https://rsclweb.com 
‘Dance like no one is watching. Encrypt like everyone is.’
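The "set the access accordingly" step above expressed as RACF commands run in batch, as an added example that is not part of this thread. The group names SYSPROG and SYSSUPP, the job card and the use of a discrete profile are assumptions; the AUDIT operand makes every READ of the data set visible in SMF so unexpected readers can be spotted.

```jcl
//RACFPARM JOB (ACCT),'PARMLIB ACCESS',CLASS=A,MSGCLASS=X
//* Added example, not from the IBM-MAIN thread.
//* Group names SYSPROG (sysprogs) and SYSSUPP (support staff)
//* are assumed; substitute the site's own groups.
//*
//* ADDSD   - discrete profile, default access NONE, log all
//*           successful and failed accesses at READ or above
//* PERMIT  - sysprogs maintain members (UPDATE), support staff
//*           inspect settings (READ); nobody else is listed
//* LISTDSD - show the resulting access list for verification
//TSO      EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'SYS1.PARMLIB' UACC(NONE) AUDIT(ALL(READ))
  PERMIT 'SYS1.PARMLIB' ID(SYSPROG) ACCESS(UPDATE)
  PERMIT 'SYS1.PARMLIB' ID(SYSSUPP) ACCESS(READ)
  LISTDSD DATASET('SYS1.PARMLIB') AUTHUSER
/*
```

If a generic profile such as SYS1.** already protects the data set, review that profile's access list too, since the more specific profile above only wins for SYS1.PARMLIB itself.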

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Radoslaw Skorupka
Sent: 04 February 2022 11:42
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: What is the audit basis to prevent read access to z/OS PARMLIB's?

On 04.02.2022 at 00:12, Farley, Peter x23353 wrote:
> I'll be the first to admit that I know just enough of what is in SYS1.PARMLIB 
> to be dangerous, BUT . . .
>
> What information could possibly be gleaned from reading PARMLIB that would 
> require a knowledgeable auditor to insist on restricting read access (other 
> than security by obscurity and sysprog/auditor job security)?
>
> Just curious, I don't plan on hacking anything.

Official IBM documentation says the proper security setting for PARMLIB is 
READ.
This is a good answer to any auditor.
(Exceptions like open-text passwords should be moved to a separate dataset, but 
definitely avoided.)

IBM's clarification: the information in PARMLIB is accessible to any 
non-privileged user via control blocks, CVT, etc.

My humble opinion: security by obscurity is no security. An educated hacker (or, 
in the currently trendy term, "threat actor") will get the relevant information 
without reading PARMLIB. An uneducated hacker... Stop! If you are afraid of 
uneducated hackers then you quickly need to fix something.
My €0,02

--
Radoslaw Skorupka
Lodz, Poland

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
