The IBM guidelines for protecting PARMLIB in the RACF Security Administrator's Guide indicate that default access of READ is acceptable; however, they qualify this as follows: "UACC should be NONE if any members contain passwords, or other sensitive information, such as the ACBPW password in the TSOKEYxx member." How often does someone review PARMLIB looking for passwords and the like? Most likely never. If you lock it down, there are no worries you've missed something.
Whereas most of the configuration information in PARMLIB is in storage for anyone to view (e.g., current list of APF libraries), there are a few things in fetch-protected storage that require authorization to see, one being the PPT. READ access to PARMLIB would let me see what additions and modifications an installation has made to the PPT, in particular whether Bypass Password Protection or a System Key has been assigned to any program that could be exploited. This is a reason for also protecting RACF's DSMON program ICHDSM00, as it provides PPT information.

I tend to agree with those advocating for least necessary privilege. If access isn't explicitly needed, don't provide it, or at least monitor activity to discover who is checking you out. Why make it easy for someone to probe your system undetected?

The STIG and the RACF SAG should both be amended to indicate the PARMLIB concatenation, not just SYS1.PARMLIB.

Regards, Bob

Robert S. Hansel
35 years of RACF Experience
Lead RACF Specialist
2021 #IBMChampion
RSH Consulting, Inc.
617-969-8211
www.linkedin.com/in/roberthansel
www.twitter.com/RSH_RACF
www.rshconsulting.com
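As an added example, not part of the post above, these are the RACF commands that carry out what Bob describes: locate the whole PARMLIB concatenation, set each data set to UACC(NONE) with full auditing so probing is recorded, and control access to ICHDSM00. The group name SYSPROG and the assumption that ICHDSM00 resides in SYS1.LINKLIB are placeholders to adapt to your installation.

```tso
/* Added example (CLIST-style), not taken from the original post.     */
/* 1. List every data set in the PARMLIB concatenation, not only       */
/*    SYS1.PARMLIB. This is an MVS operator command: issue it from     */
/*    the console or SDSF, then apply steps 2-3 to each data set.      */
D PARMLIB

/* 2. Remove default READ and log every access attempt, successful or  */
/*    not, so anyone "checking you out" appears in SMF type 80.        */
/*    Use ADDSD in place of ALTDSD if no profile exists yet.           */
ALTDSD 'SYS1.PARMLIB' UACC(NONE) AUDIT(ALL(READ))

/* 3. Grant access only where it is explicitly needed.                 */
/*    SYSPROG is an assumed group name.                                */
PERMIT 'SYS1.PARMLIB' ID(SYSPROG) ACCESS(UPDATE)

/* 4. DSMON (ICHDSM00) reports the PPT, so restrict who can run it.   */
/*    SYS1.LINKLIB is an assumed library; use RALTER if the profile    */
/*    already exists. WHEN(PROGRAM) must be active for this to apply.  */
RDEFINE PROGRAM ICHDSM00 ADDMEM('SYS1.LINKLIB'//NOPADCHK) UACC(NONE) AUDIT(ALL(READ))
PERMIT ICHDSM00 CLASS(PROGRAM) ID(SYSPROG) ACCESS(READ)
SETROPTS WHEN(PROGRAM) REFRESH

/* 5. Verify: UACC should show NONE and the access list should hold    */
/*    only the groups that need it.                                    */
LISTDSD DATASET('SYS1.PARMLIB') AUTHUSER
RLIST PROGRAM ICHDSM00 AUTHUSER
```

Review the SMF type 80 records produced by the AUDIT setting periodically; an unexpected READ of a PARMLIB data set is the signal the post says is otherwise never looked for.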