My question about consoles came up because I was following some
documentation on using a "console" request to z/OSMF from Linux.  My
initial view is that it seems very open and not well documented.

Are there any best practices on setting this up?  Some of the things I've
learned are

   1. Grant access to a console name based on userid, e.g. console name COLIN*
   for userid COLIN.
   2. Make sure you have the generic command profiles in place.
   3. Give groups access, not individual userids.

Is there any doc I can point to for best practice?

Colin
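The three practices in the list above, written out as the RACF definitions a site would actually run. This is an added example, not something posted in the thread or taken from IBM documentation. The job name, the groups OPSVIEW and OPSAUTO, the userid COLIN and the command profiles chosen are assumptions; only the profile shapes (MVS.MCSOPER.console-name in the OPERCMDS class for EMCS console activation, MVS.command.qualifier for the commands themselves) are the standard ones.

```jcl
//RACFCONS JOB (ACCT),'EMCS CONSOLE ACCESS',CLASS=A,MSGCLASS=X
//* Added example, not code from the thread.  Group names, the userid
//* COLIN and the job name are assumptions; adapt to site standards.
//STEP1    EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  /* Make sure the class is active, generic profiles are allowed and  */
  /* the class is RACLISTed (OPERCMDS is checked on every command).   */
  SETROPTS CLASSACT(OPERCMDS) GENERIC(OPERCMDS) RACLIST(OPERCMDS)

  /* 1. Console name tied to the userid.  The catch-all denies every  */
  /*    EMCS console activation; COLIN may only activate consoles     */
  /*    whose name starts with COLIN.  This one permit has to name    */
  /*    the userid, because the profile itself is per user.           */
  RDEFINE OPERCMDS MVS.MCSOPER.** UACC(NONE) AUDIT(ALL)
  RDEFINE OPERCMDS MVS.MCSOPER.COLIN* UACC(NONE)
  PERMIT MVS.MCSOPER.COLIN* CLASS(OPERCMDS) ID(COLIN) ACCESS(READ)

  /* 2. Generic command profiles: a top-level MVS.** that denies       */
  /*    everything not covered more specifically, then narrower       */
  /*    profiles for the commands a role actually needs.              */
  RDEFINE OPERCMDS MVS.** UACC(NONE) AUDIT(ALL)
  RDEFINE OPERCMDS MVS.DISPLAY.** UACC(NONE)
  RDEFINE OPERCMDS MVS.MODIFY.JOB.** UACC(NONE)

  /* 3. Access goes to groups, never to individual userids.  DISPLAY  */
  /*    needs READ; MODIFY needs UPDATE.                              */
  PERMIT MVS.DISPLAY.**    CLASS(OPERCMDS) ID(OPSVIEW) ACCESS(READ)
  PERMIT MVS.MODIFY.JOB.** CLASS(OPERCMDS) ID(OPSAUTO) ACCESS(UPDATE)
  CONNECT COLIN GROUP(OPSVIEW)

  /* Profile changes are not seen until the RACLISTed class is        */
  /* refreshed.                                                       */
  SETROPTS RACLIST(OPERCMDS) REFRESH
/*
```

Two checks worth running afterwards: `RLIST OPERCMDS MVS.MCSOPER.** AUTHUSER` (and the same for `MVS.**`) should show UACC(NONE) and only group entries on the access lists, and a test userid that is not in any of the groups should get ICH408I on a DISPLAY issued through z/OSMF. Note that OPERCMDS profiles only protect commands whose processor calls SAF; as the quoted reply below points out, a product that intercepts commands before that check is not covered by any of these definitions.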

On Thu, 3 Jul 2025 at 16:20, Jon Perryman <[email protected]> wrote:

> On Thu, 3 Jul 2025 07:35:26 -0400, Robert S. Hansel <
> [email protected]> wrote:
>
> >I don't see it as a risk because OPERCMDS access is still required.
>
> Sadly, OPERCMDS and EMCS came long after most products were created. Any
> OEM product which implemented commands is potentially vulnerable because
> they might have an alternative implementation for OPERCMDS. For example,
> consider automation products.
> 1. RACF class for automation which historically predates OPERCMD & EMCS.
> Historically, TSO OPER required the OPER segment.
> 2. Automation commands might not have implemented OPERCMD beyond F, P and
> S.
> 3. Automation rules to intercept commands and process them as automation
> commands certainly are not validating OPERCMD.
> 4. Automation rules to change commands on the SSI which might even include
> modifying the user.
>
> I'm only telling people about the vulnerabilities they may not have
> considered. By giving the profile read authority, you are giving everyone
> the ability to establish an EMCS console thus opening access to commands
> that you falsely believe are protected by OPERCMD...
>
> >If you want to restrict users to establishing consoles with names that
> are prefixed with their ID
>
> My first problem is with the possible exposure caused by READ given to the
> profile. I have no problem with the names you give to EMCS consoles and how
> you coordinate them. I only remind you that there can be hidden impacts to
> console names. Automation products have access to console names. With EMCS
> allowing a user to access consoles from multiple products, do you need to
> distinguish between commands from z/OSMF, Unix, TSO CONSOLE, TSO OPER and
> more. E.g. a command repeats every 10 minutes from user xxx but no idea
> which product is generating it.
>
> I have no problem with people doing these things but telling people you do
> this everywhere implies you can do this without first understanding the
> implications at that site.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to [email protected] with the message: INFO IBM-MAIN
>
