Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-15 Thread retired mainframer 
:: -Original Message-
:: From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
:: Behalf Of Paul Gilmartin
:: Sent: Monday, April 14, 2014 8:51 PM
:: To: IBM-MAIN@LISTSERV.UA.EDU
:: Subject: Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)
::
:: On Wed, 9 Apr 2014 14:27:28 +, Storr, Lon A CTR USARMY HRC (US)
:: wrote:
:: 
:: When a dataset is deleted, it is scratched and its DSCB in the VTOC is
:: freed. Hence, as far as I know, the dataset's data can only be accessed
:: in one of two ways:
:: 
:: Pedantry:  have no DSCB?  Is there not in fact a DSCB describing such
:: an extent?  Perhaps a Format 5, or thereabouts?

Only for non-indexed volumes.  If the volume is indexed, the free space
details are kept in the index, not the VTOC.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-15 Thread R.S. 

W dniu 2014-04-15 11:11, retired mainframer pisze:

:: -Original Message-
:: From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
:: Behalf Of Paul Gilmartin
:: Sent: Monday, April 14, 2014 8:51 PM
:: To: IBM-MAIN@LISTSERV.UA.EDU
:: Subject: Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)
::
:: On Wed, 9 Apr 2014 14:27:28 +, Storr, Lon A CTR USARMY HRC (US)
:: wrote:
:: 
:: When a dataset is deleted, it is scratched and its DSCB in the VTOC is
:: freed. Hence, as far as I know, the dataset's data can only be accessed
:: in one of two ways:
:: 
:: Pedantry:  have no DSCB?  Is there not in fact a DSCB describing such
:: an extent?  Perhaps a Format 5, or thereabouts?

Only for non-indexed volumes.  If the volume is indexed, the free space
details are kept in the index, not the VTOC.
Nevermind, the question was about free space, regardless of the wording 
used to descirbe it.


--
Radoslaw Skorupka
Lodz, Poland






--
Treść tej wiadomości może zawierać informacje prawnie chronione Banku 
przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie 
jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem 
niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania 
adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne działanie o podobnym charakterze jest prawnie zabronione i może być 
karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie 
zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość 
włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl 
Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2014 r. kapitał zakładowy mBanku S.A. (w całości wpłacony) wynosi 168.696.052 złote.



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-15 Thread Mike Schwab 
If you deleted a dataset and the DASD is thin provisioned, it will
recycle the tracks when the VTOC is updated, and the records are gone.
If you deleted a dataset and RACF has Secure erase, the tracks are
erased before the VTOC is updated.
If you deleted a dataset and another dataset has allocated and written
on those tracks, the data is destroyed when overwritten.
If you deleted a dataset, and the three ways to destroy the data have
not occurred, then you use Absolute Track allocation to re-allocate
those tracks and read them.  The DCB must match, along with directory
entries.


On Mon, Apr 14, 2014 at 10:50 PM, Paul Gilmartin paulgboul...@aim.com wrote:
 On Wed, 9 Apr 2014 14:27:28 +, Storr, Lon A CTR USARMY HRC (US) wrote:

When a dataset is deleted, it is scratched and its DSCB in the VTOC is freed. 
Hence, as far as I know, the dataset's data can only be accessed in one of 
two ways:

 Pedantry:  have no DSCB?  Is there not in fact a DSCB describing such
 an extent?  Perhaps a Format 5, or thereabouts?

 -- gil

 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN



-- 
Mike A Schwab, Springfield IL USA
Where do Forest Rangers go to get away from it all?

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-15 Thread Paul Gilmartin 
On Tue, 15 Apr 2014 11:33:39 -0500, Mike Schwab wrote:

If you deleted a dataset, and the three ways to destroy the data have
not occurred, then you use Absolute Track allocation to re-allocate
those tracks and read them.  The DCB must match, along with directory
entries.
 
FSVO match.  Nearly anything ought to be readable with RECFM=U.
Keys make it more complicated, but there are (used to be?) CCWs
for this (backup utilites need them).  An assembler program can read 
beyond end-of-file (to wit the utilities for recovering deleted PDS
members).  PDSE, HFS, and zFS are harder yet, in part because of
ab$ence of documentation.

I thought no DCB information as such is retained for a deleted data set.

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-14 Thread Paul Gilmartin 
On Wed, 9 Apr 2014 14:27:28 +, Storr, Lon A CTR USARMY HRC (US) wrote:

When a dataset is deleted, it is scratched and its DSCB in the VTOC is freed. 
Hence, as far as I know, the dataset's data can only be accessed in one of two 
ways:

Pedantry:  have no DSCB?  Is there not in fact a DSCB describing such
an extent?  Perhaps a Format 5, or thereabouts?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-10 Thread Gerhard Postpischil 

On 4/9/2014 2:49 PM, R.S. wrote:

IMHO remote access to the DASD box does not include access to data on
disks. Yes, CE can switch off the machine, but not access data.
Do you know any confirmed case where CE access to data was given with
remote (or even local) access?


While I can't speak to current controllers, I had a long discussion with 
the Hitachi C.E. about the capabilities. However, we never had a 
security breach, and had a policy of having a systems programmer watch 
C.E.s at work (running diagnostics).



Gerhard Postpischil
Bradford, Vermont

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-10 Thread Shmuel Metz (Seymour J.) 
In 53459a09.8020...@bremultibank.com.pl, on 04/09/2014
   at 09:05 PM, R.S. r.skoru...@bremultibank.com.pl said:

There are several tools which allows user to read free disk 
space. ADRDSSU, AMASPZAP, DITTO are few of them. However those 
tools require some special authorization, all of the tools I 
mentioned are controlled  by RACF CL(FACILITY) profiles (and can 
be blocked at all using PROGRAM  class) - so I wouldn't worry 
about them. BTW: those tools should be reasonably controlled for 
other reasons

Lack of training? Lack of change control for production libraries?
Management that doesn't understand that those tools won't give a user
access to any data that he doesn't already have? Awkward syntax? I
don't know of any legitimate reason to restrict access to the
unauthorized functions of those programs.
 
-- 
 Shmuel (Seymour J.) Metz, SysProg and JOAT
 ISO position; see http://patriot.net/~shmuel/resume/brief.html 
We don't care. We don't have to care, we're Congress.
(S877: The Shut up and Eat Your spam act of 2003)

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread John McKown 
3) allocate a new data set and be sure that the DSORG is _not_ specified
either in the JCL or via the DATACLAS, or that it is DA. This tells DADSM
to _not_ write an EOF or anything else in the newly allocate disk space. If
you need to inspect some specific tracks, _and the disk is not SMS
managed_, then use ABSTR allocation. Once allocated, you can use BSAM or
BDAM to read the data as RECFM=U to simply read the uninterpreted blocks
of data (physical blocks).

Or, once allocated, you can use ADRDSSU to DUMP the tracks in HEX format.
Again, you are simply fishing and hoping to see something interesting.
Back, long ago, I have a manager who did this for _every_ disk volume we
ever installed just because he was curious. This was in the 3350 days. In
today's environment where the back end is usually RAID  5, I would say the
likelihood of someone getting one of the array drives, inspecting it, and
finding proprietary information of any use is very unlikely. But if you
have credit card data, or HIPAA data then it _might_ be a good idea for CYA.


On Wed, Apr 9, 2014 at 9:27 AM, Storr, Lon A CTR USARMY HRC (US) 
lon.a.storr@mail.mil wrote:

 Classification: UNCLASSIFIED
 Caveats: NONE

 Hello List,

 Due to an audit requirement, we shall be enabling the ERASE function
 provided by RACF. We know better than to resist this mandate but it did
 make me wonder about the purpose of this feature.

 When a dataset is deleted, it is scratched and its DSCB in the VTOC is
 freed. Hence, as far as I know, the dataset's data can only be accessed in
 one of two ways:

 1) Via a utility like AMASPZAP that accepts CCHHR addresses
 2) Via a program that uses EXCPVR (or SSCH)

 In case #2, the program must be authorized in some way (i.e. key 0-7,
 supervisor state or APF-authorized).

 In case #1, most installations (including us) use program protection to
 restrict users of these utilities. A user would have to be authorized in
 some way (i.e. key 0-7, supervisor state or APF-authorized) to bypass that
 protection.

 It therefore seems to me that a user must have the ability to become
 authorized in some way to access areas of DASD (in which a deleted dataset
 resided) by CCHHR. A user who has become authorized in some way can also
 access any live (undeleted) dataset. Why then are we worried that a user
 who can access any live dataset in the system may attempt to access a
 deleted dataset?

 If the aforementioned is true and complete, the ERASE functionality
 doesn't appear to have any practical purpose other than to slow down the
 scratch process. So, I assume that I'm missing something.

 Can someone please identify the flaw in my logic? Can a non-authorized
 user gain access to these scratched areas of DASD?

 Thanks,
 Alan




 Classification: UNCLASSIFIED
 Caveats: NONE

 --
 For IBM-MAIN subscribe / signoff / archive access instructions,
 send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




-- 
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! 
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Storr, Lon A CTR USARMY HRC (US) 
Classification: UNCLASSIFIED
Caveats: NONE

Thank you John. I had overlooked both of those mechanisms. Using ADRDSSU 
doesn't worry me because it's program protected but there does not appear to 
be an easy way to protect usage of the ABSTR keyword in JCL.

Best regards,
Alan

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of John McKown
Sent: Wednesday, April 09, 2014 10:41 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

3) allocate a new data set and be sure that the DSORG is _not_ specified either 
in the JCL or via the DATACLAS, or that it is DA. This tells DADSM to _not_ 
write an EOF or anything else in the newly allocate disk space. If you need to 
inspect some specific tracks, _and the disk is not SMS managed_, then use 
ABSTR allocation. Once allocated, you can use BSAM or BDAM to read the data as 
RECFM=U to simply read the uninterpreted blocks of data (physical blocks).

Or, once allocated, you can use ADRDSSU to DUMP the tracks in HEX format.
Again, you are simply fishing and hoping to see something interesting.
Back, long ago, I have a manager who did this for _every_ disk volume we ever 
installed just because he was curious. This was in the 3350 days. In today's 
environment where the back end is usually RAID  5, I would say the likelihood 
of someone getting one of the array drives, inspecting it, and finding 
proprietary information of any use is very unlikely. But if you have credit 
card data, or HIPAA data then it _might_ be a good idea for CYA.


On Wed, Apr 9, 2014 at 9:27 AM, Storr, Lon A CTR USARMY HRC (US)  
lon.a.storr@mail.mil wrote:

 Classification: UNCLASSIFIED
 Caveats: NONE

 Hello List,

 Due to an audit requirement, we shall be enabling the ERASE function
 provided by RACF. We know better than to resist this mandate but it
 did make me wonder about the purpose of this feature.

 When a dataset is deleted, it is scratched and its DSCB in the VTOC is
 freed. Hence, as far as I know, the dataset's data can only be
 accessed in one of two ways:

 1) Via a utility like AMASPZAP that accepts CCHHR addresses
 2) Via a program that uses EXCPVR (or SSCH)

 In case #2, the program must be authorized in some way (i.e. key 0-7,
 supervisor state or APF-authorized).

 In case #1, most installations (including us) use program protection
 to restrict users of these utilities. A user would have to be
 authorized in some way (i.e. key 0-7, supervisor state or
 APF-authorized) to bypass that protection.

 It therefore seems to me that a user must have the ability to become
 authorized in some way to access areas of DASD (in which a deleted
 dataset
 resided) by CCHHR. A user who has become authorized in some way can
 also access any live (undeleted) dataset. Why then are we worried that
 a user who can access any live dataset in the system may attempt to
 access a deleted dataset?

 If the aforementioned is true and complete, the ERASE functionality
 doesn't appear to have any practical purpose other than to slow down
 the scratch process. So, I assume that I'm missing something.

 Can someone please identify the flaw in my logic? Can a non-authorized
 user gain access to these scratched areas of DASD?

 Thanks,
 Alan




 Classification: UNCLASSIFIED
 Caveats: NONE

 --
 For IBM-MAIN subscribe / signoff / archive access instructions, send
 email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN




--
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! 
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Classification: UNCLASSIFIED
Caveats: NONE



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Gerhard Postpischil 

On 4/9/2014 10:27 AM, Storr, Lon A CTR USARMY HRC (US) wrote:

Can someone please identify the flaw in my logic? Can a
non-authorized user gain access to these scratched areas of DASD?


I'd add 4) - many modern control units have diagnostic capability that 
allows unrestricted hardware access to the drives. If yours do, you'll 
need physical access controls.


I first ran into this when we got our first string of Hitachi 3380s. The 
C.E. wanted a telephone line so he could service the units remotely; I 
had to educate management that that would allow uncontrolled access to 
customer data.


Gerhard Postpischil
Bradford, Vermont

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Elardus Engelbrecht 
John McKown wrote:

3) allocate a new data set and be sure that the DSORG is _not_ specified 
either in the JCL or via the DATACLAS, or that it is DA. This tells DADSM to 
_not_ write an EOF or anything else in the newly allocate disk space. If you 
need to inspect some specific tracks, _and the disk is not SMS managed_, 
then use ABSTR allocation. Once allocated, you can use BSAM or BDAM to read 
the data as RECFM=U to simply read the uninterpreted blocks of data 
(physical blocks).

Or, once allocated, you can use ADRDSSU to DUMP the tracks in HEX format.

DITTO (and possibly IDCAMS PRINT) is another friend for such data 
scavenging/fishing.

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Storr, Lon A CTR USARMY HRC (US) 
Classification: UNCLASSIFIED
Caveats: NONE

Thanks Gerhard, this is another consideration of which I was unaware.

It is certainly significant but I believe that this function would also permit 
access to live datasets. Hence, the issue is not specific to ERASE.

Regards,
Alan





-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Gerhard Postpischil
Sent: Wednesday, April 09, 2014 10:53 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

On 4/9/2014 10:27 AM, Storr, Lon A CTR USARMY HRC (US) wrote:
 Can someone please identify the flaw in my logic? Can a non-authorized
 user gain access to these scratched areas of DASD?

I'd add 4) - many modern control units have diagnostic capability that allows 
unrestricted hardware access to the drives. If yours do, you'll need physical 
access controls.

I first ran into this when we got our first string of Hitachi 3380s. The C.E. 
wanted a telephone line so he could service the units remotely; I had to 
educate management that that would allow uncontrolled access to customer data.

Gerhard Postpischil
Bradford, Vermont

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Classification: UNCLASSIFIED
Caveats: NONE

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Nims,Alva John (Al) 
In a previous instance of my career, I was a member of a team that tested a 
security product, not RACF and had to verify that the space was ERASED and 
this was done by using SPACE with it's ABSTR format and SMS was not as 
popular as it is today.

To request specific tracks: SPACE= (ABSTR,(primary-qty,address [,directory])

Request for Specific Tracks
For an SMS-managed data set (one with an assigned storage class), do not code 
ABSTR.

ABSTR
Requests that the data set be allocated at the specified location on 
the volume.
primary-qty
Specifies the number of tracks to be allocated to the data set.

The volume must have enough available space for the primary quantity. 
If it does not, the system terminates the job step.

address
Specifies the track number of the first track to be allocated. Count 
the first track of the first cylinder on the volume as 0. Count through the 
tracks on each cylinder until you reach the track on which you want the data 
set to start.

address
Specifies the track number of the first track to be allocated. Count 
the first track of the first cylinder on the volume as 0. Count through the 
tracks on each cylinder until you reach the track on which you want the data 
set to start. The absolute track address must be a decimal number equal to or 
less than 65535.

Note: Do not request track 0.

Al Nims
Systems Admin/Programmer 3
Information Technology
University of Florida
(352) 273-1298

-Original Message-
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Gerhard Postpischil
Sent: Wednesday, April 09, 2014 10:53 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

On 4/9/2014 10:27 AM, Storr, Lon A CTR USARMY HRC (US) wrote:
 Can someone please identify the flaw in my logic? Can a non-authorized 
 user gain access to these scratched areas of DASD?

I'd add 4) - many modern control units have diagnostic capability that allows 
unrestricted hardware access to the drives. If yours do, you'll need physical 
access controls.

I first ran into this when we got our first string of Hitachi 3380s. The C.E. 
wanted a telephone line so he could service the units remotely; I had to 
educate management that that would allow uncontrolled access to customer data.

Gerhard Postpischil
Bradford, Vermont

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Tom Marchant 
On Wed, 9 Apr 2014 14:27:28 +, Storr, Lon A CTR USARMY HRC (US) wrote:

... most installations (including us) use program protection to restrict users 
of these utilities.

Protecting AMASPZAP and ADRDSSU is, in my opinion, not a good way to protect 
data from them.

-- 
Tom Marchant

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Elardus Engelbrecht 
Tom Marchant wrote:

... most installations (including us) use program protection to restrict 
users of these utilities.

Protecting AMASPZAP and ADRDSSU is, in my opinion, not a good way to protect 
data from them.

Agreed. Protect the resource (data), not the method (program). 

If you still want to limit usage of programs and their functions beside program 
protection, consider these too:
- For ADRDSSU the relevant STGADMIN.whatever profiles in RACF FACILITY class.
- DITTO for example has FACILITY class profiles for its functions.

Of course, protect your datasets + catalogs.

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread retired mainframer 
:: -Original Message-
:: From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
:: Behalf Of Storr, Lon A CTR USARMY HRC (US)
:: Sent: Wednesday, April 09, 2014 7:27 AM
:: To: IBM-MAIN@LISTSERV.UA.EDU
:: Subject: Accessing DASD areas that have no DSCB (UNCLASSIFIED)
::
:: Classification: UNCLASSIFIED
:: Caveats: NONE
::
:: Hello List,
::
:: Due to an audit requirement, we shall be enabling the ERASE function
:: provided by RACF. We know better than to resist this mandate but it did
:: make me wonder about the purpose of this feature.
::
:: When a dataset is deleted, it is scratched and its DSCB in the VTOC is
:: freed. Hence, as far as I know, the dataset's data can only be accessed
:: in one of two ways:
::
:: 1) Via a utility like AMASPZAP that accepts CCHHR addresses
:: 2) Via a program that uses EXCPVR (or SSCH)
::
:: In case #2, the program must be authorized in some way (i.e. key 0-7,
:: supervisor state or APF-authorized).
::
:: In case #1, most installations (including us) use program protection to
:: restrict users of these utilities. A user would have to be authorized in
:: some way (i.e. key 0-7, supervisor state or APF-authorized) to bypass
:: that protection.
::
:: It therefore seems to me that a user must have the ability to become
:: authorized in some way to access areas of DASD (in which a deleted
:: dataset resided) by CCHHR. A user who has become authorized in some way
:: can also access any live (undeleted) dataset. Why then are we worried
:: that a user who can access any live dataset in the system may attempt to
:: access a deleted dataset?
::
:: If the aforementioned is true and complete, the ERASE functionality
:: doesn't appear to have any practical purpose other than to slow down the
:: scratch process. So, I assume that I'm missing something.
::
:: Can someone please identify the flaw in my logic? Can a non-authorized
:: user gain access to these scratched areas of DASD?

As others have noted, there are multiple ways to gain access to previously
occupied tracks.  But there still can be a practical result from using
ERASE.  When you initialize a volume, do so without the SMS parameter.  Then
allocate one or more datasets to completely fill the volume.  Delete the
dataset(s) and let ERASE zero all the tracks.  If necessary, CONVERT the
volume to SMS.  Make the volume available to users.  From that point on, all
unused space on the volume should always be zeroed.

Note that this is not foolproof.  On at least one old STK DASD system, when
data is written to a CKD track, the hardware automatically remapped that
track to a different FBA address.  While a read always returned the
current data, the old data was still physically present if anyone could
figure out how to get to it.  I don't know if any modern DASD systems do
something similar.

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Paul Gilmartin 
On Wed, 9 Apr 2014 11:06:22 -0500, Elardus Engelbrecht wrote:

Tom Marchant wrote:

... most installations (including us) use program protection to restrict 
users of these utilities.

Protecting AMASPZAP and ADRDSSU is, in my opinion, not a good way to protect 
data from them.

Agreed. Protect the resource (data), not the method (program). 
...
Of course, protect your datasets + catalogs.
 
I generally agree.  However, any APF-authorized program has a risk of bugs.
Consider the horrible thing that was done to SMP/E a few years ago because
of a newly recognized security flaw.

Is there any way to limit authorized invocation of a utility to selected users
and allow all others to invoke it unauthorized?  Of course a copy could be
installed in a non-authorized library.

(Several years ago, I discovered that SMP/E worked pretty well unauthorized
as long as I avoided functions that invoke IEBCOPY (I know), ahd used NOWAIT
on all my DDDEFs.  Don't know about AMASPZAP; skeptical about ADRDSSU.
But I disagree strongly with those who will probably argue here that only
storage administrators have justifiable use for ADRDSSU.  Elitism.)

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread John McKown 
On Wed, Apr 9, 2014 at 11:44 AM, Paul Gilmartin paulgboul...@aim.comwrote:

snip


 Is there any way to limit authorized invocation of a utility to selected
 users
 and allow all others to invoke it unauthorized?  Of course a copy could be
 installed in a non-authorized library.


At present, there is no way to have a single copy of a program run with APF
authorization based simply on a RACF profile. As I understand it, the
program loader in the initiator will set the APF auth bit if (1) the
program from the EXEC PGM= is marked AC(1), and (2) it is loaded from an
authorized library.



 (Several years ago, I discovered that SMP/E worked pretty well unauthorized
 as long as I avoided functions that invoke IEBCOPY (I know), ahd used
 NOWAIT
 on all my DDDEFs.  Don't know about AMASPZAP; skeptical about ADRDSSU.
 But I disagree strongly with those who will probably argue here that only
 storage administrators have justifiable use for ADRDSSU.  Elitism.)


I don't mind _anybody_ using a program _which they know how to use_.
ADRDSSU is generally not one of those. Unfortunately, around here, I
sometimes wonder about the COBOL compiler too.



 -- gil


-- 
There is nothing more pleasant than traveling and meeting new people!
Genghis Khan

Maranatha! 
John McKown

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Elardus Engelbrecht 
Paul Gilmartin wrote:

But I disagree strongly with those who will probably argue here that only 
storage administrators have justifiable use for ADRDSSU. 

I'm on your side. 

My DB2 colleagues and users want ENQ toleration to be, well, tolerated in 
ADRDSSU. DB2 v10 generates a COPY job which needs FACILITY class profile 
STGADMIN.ADR.COPY.TOLERATE.ENQF.

Before creation of that profile, I explained the risk of that (wearing my 
storage admin hat).

Go figure.

Groete / Greetings
Elardus Engelbrecht

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Paul Gilmartin 
On Wed, 9 Apr 2014 11:52:07 -0500, John McKown wrote:

I don't mind _anybody_ using a program _which they know how to use_.
ADRDSSU is generally not one of those. Unfortunately, around here, I
sometimes wonder about the COBOL compiler too.
 
Be careful.  That view can too easily lead to elitist stereotyping.  The
storage administrator might believe, No one but a storage administrator
could acquire the skills necessary to use ADRDSSU!  And, White men
can't jump; we don't even let them try out!

I wasn't thinking of volume restore; I was only experimenting with
ADRDSSU as an alternative to TSO TRANSMIT for data interchange.
And I was somewhat dismayed to learn that ADRDSSU RESTORE
with RENAME requires READ authority to the original data set name.
I understand the rationale for this, but it paints with too broad a
brush; READ authority to the archive and WRITE authority to the
new data set name should suffice.  What if the original data set
name doesn't even exist on the receiving system, and UACC=NONE?

-- gil

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread Peter Hunkeler 

Am 09.04.2014 16:53, schrieb Gerhard Postpischil:
I'd add 4) - many modern control units have diagnostic capability that 
allows unrestricted hardware access to the drives. If yours do, you'll 
need physical access controls.


I first ran into this when we got our first string of Hitachi 3380s. 
The C.E. wanted a telephone line so he could service the units 
remotely; I had to educate management that that would allow 
uncontrolled access to customer data.


True but not only related to the ERASE function. It applies to deleted 
as well as non-deleted data.


--
Peter Hunkeler

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread R.S. 

W dniu 2014-04-09 16:53, Gerhard Postpischil pisze:

On 4/9/2014 10:27 AM, Storr, Lon A CTR USARMY HRC (US) wrote:

Can someone please identify the flaw in my logic? Can a
non-authorized user gain access to these scratched areas of DASD?


I'd add 4) - many modern control units have diagnostic capability that 
allows unrestricted hardware access to the drives. If yours do, you'll 
need physical access controls.


I first ran into this when we got our first string of Hitachi 3380s. 
The C.E. wanted a telephone line so he could service the units 
remotely; I had to educate management that that would allow 
uncontrolled access to customer data.
IMHO remote access to the DASD box does not include access to data on 
disks. Yes, CE can switch off the machine, but not access data.
Do you know any confirmed case where CE access to data was given with 
remote (or even local) access?


--
Radoslaw Skorupka
Lodz, Poland






---
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.

mBank S.A. z siedzib w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl 
Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 025237, NIP: 526-021-50-88. Wedug stanu na dzie 01.01.2014 r. kapita zakadowy mBanku S.A. (w caoci wpacony) wynosi 168.696.052 zote.



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread R.S. 

W dniu 2014-04-09 18:06, Elardus Engelbrecht pisze:

Tom Marchant wrote:


... most installations (including us) use program protection to restrict users 
of these utilities.

Protecting AMASPZAP and ADRDSSU is, in my opinion, not a good way to protect 
data from them.

Agreed. Protect the resource (data), not the method (program).

If you still want to limit usage of programs and their functions beside program 
protection, consider these too:
- For ADRDSSU the relevant STGADMIN.whatever profiles in RACF FACILITY class.
- DITTO for example has FACILITY class profiles for its functions.

Objection, you honour!
We don't talk about regular programs, it's about APF-authorized tools. 
From the other hand the tools give better granularity than 0/1 - that's 
why the profiles you mentioned exist.
So one can use APF-authorized power-tool like SPZAP, but only against 
TEST%% volumes, but not PROD%% ones.


--
Radoslaw Skorupka
Lodz, Poland






--
Treść tej wiadomości może zawierać informacje prawnie chronione Banku 
przeznaczone wyłącznie do użytku służbowego adresata. Odbiorcą może być jedynie 
jej adresat z wyłączeniem dostępu osób trzecich. Jeżeli nie jesteś adresatem 
niniejszej wiadomości lub pracownikiem upoważnionym do jej przekazania 
adresatowi, informujemy, że jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne działanie o podobnym charakterze jest prawnie zabronione i może być 
karalne. Jeżeli otrzymałeś tę wiadomość omyłkowo, prosimy niezwłocznie 
zawiadomić nadawcę wysyłając odpowiedź oraz trwale usunąć tę wiadomość 
włączając w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.

mBank S.A. z siedzibą w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl 
Sąd Rejonowy dla m. st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego, nr rejestru przedsiębiorców KRS 025237, NIP: 526-021-50-88. Według stanu na dzień 01.01.2014 r. kapitał zakładowy mBanku S.A. (w całości wpłacony) wynosi 168.696.052 złote.



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN

Re: Accessing DASD areas that have no DSCB (UNCLASSIFIED)

2014-04-09 Thread R.S. 

Alan,
There are several tools which allows user to read free disk space. 
ADRDSSU, AMASPZAP, DITTO are few of them. However those tools require 
some special authorization, all of the tools I mentioned are controlled 
by RACF CL(FACILITY) profiles (and can be blocked at all using PROGRAM 
class) - so I wouldn't worry about them. BTW: those tools should be 
reasonably controlled for other reasons


The problem is it can be AFAIK possible to read the disk space using 
IEBGENER (assuming user created a dataset on the interesting tracks). 
This possibility is reduced/blocked for SMS-managed disks.


Of course the best method to protect obituary data is to erase it. The 
best method to erase the data is to use ERASE in RACF (IMHO preferred) 
or VSAM (limited to VSAM). Of course ERASE is not free, it takes 
considerable resources.



HTH

--
Radoslaw Skorupka
Lodz, Poland






--
Tre tej wiadomoci moe zawiera informacje prawnie chronione Banku 
przeznaczone wycznie do uytku subowego adresata. Odbiorc moe by jedynie 
jej adresat z wyczeniem dostpu osób trzecich. Jeeli nie jeste adresatem 
niniejszej wiadomoci lub pracownikiem upowanionym do jej przekazania 
adresatowi, informujemy, e jej rozpowszechnianie, kopiowanie, rozprowadzanie 
lub inne dziaanie o podobnym charakterze jest prawnie zabronione i moe by 
karalne. Jeeli otrzymae t wiadomo omykowo, prosimy niezwocznie 
zawiadomi nadawc wysyajc odpowied oraz trwale usun t wiadomo 
wczajc w to wszelkie jej kopie wydrukowane lub zapisane na dysku.

This e-mail may contain legally privileged information of the Bank and is 
intended solely for business use of the addressee. This e-mail may only be 
received by the addressee and may not be disclosed to any third parties. If you 
are not the intended addressee of this e-mail or the employee authorized to 
forward it to the addressee, be advised that any dissemination, copying, 
distribution or any other similar activity is legally prohibited and may be 
punishable. If you received this e-mail by mistake please advise the sender 
immediately by using the reply facility in your e-mail software and delete 
permanently this e-mail including any copies of it either printed or saved to 
hard drive.

mBank S.A. z siedzib w Warszawie, ul. Senatorska 18, 00-950 Warszawa, www.mBank.pl, e-mail: kont...@mbank.pl 
Sd Rejonowy dla m. st. Warszawy XII Wydzia Gospodarczy Krajowego Rejestru Sdowego, nr rejestru przedsibiorców KRS 025237, NIP: 526-021-50-88. Wedug stanu na dzie 01.01.2014 r. kapita zakadowy mBanku S.A. (w caoci wpacony) wynosi 168.696.052 zote.



--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN