Re: Mixing Auth and Non-Auth Modules

2011-05-03 Thread Shmuel Metz (Seymour J.)
In <4dbeddbf.6f0f.008...@efirstbank.com>, on 05/02/2011 at 04:35 PM, Frank Swarbrick said: >Are you saying that most z/OS COBOL programmers are aware of what SVC >and PC routines are? No[1]. Are you saying that security breaches don't matter until the majority of your programmers are exploiti

Re: Mixing Auth and Non-Auth Modules

2011-05-02 Thread Ted MacNEIL
>Are you saying that most z/OS COBOL programmers are aware of what SVC and PC >routines are? >I'm sorry to sound "ignorant", but none of the COBOL or z/OS applications >development training I've received has any reference to these things. I >assumed they were things that only systems programme

Re: Mixing Auth and Non-Auth Modules

2011-05-02 Thread Steve Comstock
On 5/2/2011 4:35 PM, Frank Swarbrick wrote: Are you saying that most z/OS COBOL programmers are aware of what SVC and PC routines are? I'm sorry to sound "ignorant", but none of the COBOL or z/OS applications development training I've received has any reference to these things. I assumed they

Re: Mixing Auth and Non-Auth Modules

2011-05-02 Thread Frank Swarbrick
Are you saying that most z/OS COBOL programmers are aware of what SVC and PC routines are? I'm sorry to sound "ignorant", but none of the COBOL or z/OS applications development training I've received has any reference to these things. I assumed they were things that only systems programmers kn

Re: Mixing Auth and Non-Auth Modules

2011-05-02 Thread Shmuel Metz (Seymour J.)
In , on 05/01/2011 at 11:40 PM, "Robert A. Rosenberg" said: >That is because the difference between a T3 and T4 SVC is historical >(for OS/360). No. Even in OS/360 a type 3 SVC could do an XCTL. -- Shmuel (Seymour J.) Metz, SysProg and JOAT ISO position; see

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Robert A. Rosenberg
At 08:09 -0400 on 05/01/2011, Shmuel Metz (Seymour J.) wrote about Re: Mixing Auth and Non-Auth Modules: In <1303531947.985.110.ca...@mckown5.johnmckown.net>, on 04/22/2011 at 11:12 PM, John McKown said: There are 4 types: 1, 2, 3, 4, and 6. Types three and 4 are the same. Despit

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Shmuel Metz (Seymour J.)
In <1520186165-1303494199-cardhu_decombobulator_blackberry.rim.net-20697284...@bda2487.bisx.prod.on.blackberry>, on 04/22/2011 at 05:43 PM, Ted MacNEIL said: >>You must not have auditors. >This is not an audit issue. Nonsense! >Auditors can only monitor procedures. Even if true it's irrele

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Shmuel Metz (Seymour J.)
In <4db1cabf.6f0f.008...@efirstbank.com>, on 04/22/2011 at 06:35 PM, Frank Swarbrick said: >Where can an application programmer who can barely spell SVC and PC >get an understanding of what these are? I'll take your word that the majority of your programmers are that ignorant, but do you have

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Shmuel Metz (Seymour J.)
In , on 04/22/2011 at 07:04 PM, Patrick Roehl said: >Would this work? No, >Program A (non-authorized) does an ATTACHX with DCB which points to >an authorized library to start program B in a new TCB. Program B >would be authorized How? You can't use RSAPF if you're key 8 problem state. -

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Shmuel Metz (Seymour J.)
In <1303531947.985.110.ca...@mckown5.johnmckown.net>, on 04/22/2011 at 11:12 PM, John McKown said: >There are 4 >types: 1, 2, 3, 4, and 6. Types three and 4 are the same. Despite what the documentation says, a type 3 SVC routine can do an XCTL. -- Shmuel (Seymour J.) Metz, SysProg and

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Shmuel Metz (Seymour J.)
In <1303533321.985.132.ca...@mckown5.johnmckown.net>, on 04/22/2011 at 11:35 PM, John McKown said: >However, the fact that it is not even documented in the manual There's more than one manual. >Also, it likely requires that the code be at least APF authorized, No. >if not in supervisor st

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Shmuel Metz (Seymour J.)
In , on 04/25/2011 at 01:13 AM, john gilmore said: >The thrust of my comments was that the preoccupation of auditors with >SVCs, all but to the exclusion of concern with PC-PR constructs, is >both unfortunate and shortsighted. Is it the case that auditors are not concerned with PC routines?

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Shmuel Metz (Seymour J.)
In , on 04/26/2011 at 08:42 AM, Jeff Holst said: >Guess which days they came. That was the time to get upper management involved. An e-mail asking the CEO for permission to delay payroll for the auditors' convenience would have put a stop to it tout suite. >We were written up >because we di

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Shmuel Metz (Seymour J.)
In , on 04/21/2011 at 02:57 PM, Patrick Roehl said: >Is the best option to handle this setting up a separate region to >handle the authorized calls and communicating via a PC? Yes. >It looks like a PC client would have to be authorized, What do you mean by authorized? The client certainly

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Shmuel Metz (Seymour J.)
In , on 04/21/2011 at 03:40 PM, "McKown, John" said: >But before that it creates an APF authorized subtree. No. It relies on RSAPF=YES[1] to ATTACH commands in the authorized command table. [1] From the parallel TMP. -- Shmuel (Seymour J.) Metz, SysProg and JOAT ISO position; s

Re: Mixing Auth and Non-Auth Modules

2011-05-01 Thread Shmuel Metz (Seymour J.)
In , on 04/22/2011 at 11:27 AM, "Emily A. Rambo" said: >If there's no way to get what you need without using the functions >that IBM requires be authorized, here's another possibility. We had >a sysprog years ago who coded a user SVC that could be called to >flip the JSCBAUTH bit on or off,

Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-29 Thread John McKown
Just say No! To OCO! That war was lost. IBM made the decision and it was their right. Even tho I hate it. On Apr 29, 2011 7:21 PM, "Edward Jaffe" wrote: > On 4/28/2011 11:11 AM, Tony Harminc wrote: >> On the other hand, no matter how many exit points IBM or anyone else >> puts in, and where, ther

Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-29 Thread Edward Jaffe
On 4/28/2011 11:11 AM, Tony Harminc wrote: On the other hand, no matter how many exit points IBM or anyone else puts in, and where, there is always some unanticipated need for another one. The system needs to provide for those as well. JES2, among other [sub]systems, does a pretty good job of tha

Re: SVC Screening (was Mixing Auth and Non-Auth Modules

2011-04-29 Thread Peter Relson
>Most SVC's document which registers contain data to be used by the SVC >routine. Why would reissuing GETMAIN require the original callers R6? Only >R15-R1 are part of the API. Most does not equal all. And none document internal-only interfaces. And what if new function is compatibly added (for e

Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-28 Thread Binyamin Dissen
On Thu, 28 Apr 2011 13:45:12 -0400 Peter Relson wrote: :>>>A key question is: once the SVC Screening routine has gotten control, :>how :>>>does it then make sure that the "real" SVC routine gets control both in :>>>the right environment (locks included) and also with all the right data :>>>(p

Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-28 Thread Tony Harminc
On 28 April 2011 13:45, Peter Relson wrote: > As to your point about CICS "stealing" GETMAIN (my term), it would have > to, at least, be able to differentiate GETMAINs done by its application > from those done within the system that just happened to be under the same > task. That in general is di

Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-28 Thread Peter Relson
>>A key question is: once the SVC Screening routine has gotten control, how >>does it then make sure that the "real" SVC routine gets control both in >>the right environment (locks included) and also with all the right data >>(potentially all 16 64-bit GRs and ARs at the time of the SVC issuanc

Re: IT Auditors was Re: Mixing Auth and Non-Auth Modules

2011-04-28 Thread Rob Schramm
Well... maybe there is a way for the auditors to stay less than savvy. I sat in on a presentation for http://www.vatsecurity.com/ which, other than scarin the %^&* out of me, give an excellent way to look at the system from an integrity standpoint. I end up spending a lot of time on just working t

IT Auditors was Re: Mixing Auth and Non-Auth Modules

2011-04-27 Thread Clark Morris
On 26 Apr 2011 06:43:16 -0700, in bit.listserv.ibm-main you wrote: While at a company which no longer is in the business it was when I was there, headquarters IT auditors came to audit one of our systems. They were informed that it was virtually non-existent and that we would be very happy with an

Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-27 Thread Binyamin Dissen
On Wed, 27 Apr 2011 07:45:53 -0400 Peter Relson wrote: :>>Is it your statement that the only "supported" use of this routine is to :>fail :>>the SVC call, not to do alternate processing? :>Yes, more or less, that is my statement. The routine may do anything it :>wants :>that is related to fai

Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-27 Thread Peter Relson
>Is it your statement that the only "supported" use of this routine is to fail >the SVC call, not to do alternate processing? Yes, more or less, that is my statement. The routine may do anything it wants that is related to failing the SVC call. >has anyone ever submitted requirements to formal

Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-26 Thread John McKown
The crazy idea this inspires in me is to use it to make a Linux ABI capture in order to run Linux applications under z/OS. In that case, the code could run in normal, non-privileged mode. The only obvious issue is that Linux apps are ASCII based. On Apr 26, 2011 6:59 AM, "Peter Relson" wrote: >>Cu

Re: Mixing Auth and Non-Auth Modules

2011-04-26 Thread Jeff Holst
On Tue, 26 Apr 2011 14:37:31 +, Ted MacNEIL wrote: >And, management should have backed the ops manager. I failed to mention that management did in fact back up the actions of the ops manager. As I mentioned, the change in assignments from ops manager to 3rd shift operator was NOT performa

Re: Mixing Auth and Non-Auth Modules

2011-04-26 Thread Scott Rowe
No offense Ted, but saying it doesn't make it so. I don't think I have ever worked with a truly competent mainframe auditor in the corporate world. I have seen far better in some (but certainly not all) government organizations. I remember one government auditor who said he was going to remove t

Re: Mixing Auth and Non-Auth Modules

2011-04-26 Thread Ted MacNEIL
>happened that our payroll process occurred during the period > of the audit. Our > operations manager informed the auditors that payroll > processing would take > priority over the audit if they came on those days, on any > other days they > could have the machine. Guess which days they came

Re: Mixing Auth and Non-Auth Modules

2011-04-26 Thread Anne & Lynn Wheeler
jeff.ho...@fiserv.com (Jeff Holst) writes: > I think that when I was later in an MVS shop, our auditors used that same > playbook, but I also think that they read slowly, as they seemed to find one > new thing in the book each year. when corporate came in for audit of SJR datacenter in the early

Re: Mixing Auth and Non-Auth Modules

2011-04-26 Thread McKown, John
The MEGA Life and Health Insurance Company.SM > -Original Message- > From: IBM Mainframe Discussion List > [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Jeff Holst > Sent: Tuesday, April 26, 2011 8:42 AM > To: IBM-MAIN@bama.ua.edu > Subject: Re: Mixing Auth and Non-Auth M

Re: Mixing Auth and Non-Auth Modules

2011-04-26 Thread Jeff Holst
Perhaps this is a bit off topic, but I have yet to encounter an IT auditor I could trust. At my very first job I was in a small shop running DOS on a 360/40. The company was scheduled for its annual outside audit. The IT auditors typically wanted to completely take over the machine for the day

Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-26 Thread Rob Schramm
Peter, Since it appears that the majority of the usage of SVC screening is other than intended... has anyone ever submitted requirements to formalize the way it really gets used? Thereby securing against future changes that might break the unsupported feature? Rob Schramm On Tue, Apr 26, 2011 a

Re: SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-26 Thread Binyamin Dissen
On Tue, 26 Apr 2011 07:59:27 -0400 Peter Relson wrote: :>>Curious: Does anyone use SVC screening for its documented intended :>>purpose: to define those SVCs that a particular task is allowed to issue :>>(and conversely those that it is not allowed to issue)? :>I intentionally phrased the que

SVC Screening (was Mixing Auth and Non-Auth Modules)

2011-04-26 Thread Peter Relson
>Curious: Does anyone use SVC screening for its documented intended >purpose: to define those SVCs that a particular task is allowed to issue >(and conversely those that it is not allowed to issue)? I intentionally phrased the question the way I did, although no one answered it in that spirit.

Re: Mixing Auth and Non-Auth Modules

2011-04-26 Thread Ted MacNEIL
>So far as I am concerned, if the auditor is not qualified to do the job of a Systems Programmer, they are not qualified to audit the work of one. IOW: If you are not capable of doing my job, you are not qualified to critique my performance or methods of working. That's why the audit process re

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Robert A. Rosenberg
At 13:19 -0400 on 04/25/2011, Tony Harminc wrote about Re: Mixing Auth and Non-Auth Modules: This preoccupation lends support to the theory that all auditors are working from a z/OS playbook written somewhere around 1978. Or worse (and I have had an auditor attempt to pull this in an ZOS

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Rob Schramm
I will take a look around to see if there is anything more recent. But I think the point would be to also help SysProgs and Security folks and to illuminate pet peeves and cautionary practices. Maybe something like a wiki. Make it something living then maybe use the original guide as a starting

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Binyamin Dissen
On Mon, 25 Apr 2011 07:48:38 -0400 Peter Relson wrote: :>One point about SVCs vs PC's: unless you go fairly far out of your way, a :>PC routine will not confer additional key/state authorization to its :>invoker. An SVC routine easily can do that by manipulating control block :>fields. This co

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Rob Scott
: rsc...@rs.com Web: www.rocketsoftware.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Tony Harminc Sent: 25 April 2011 18:07 To: IBM-MAIN@bama.ua.edu Subject: Re: Mixing Auth and Non-Auth Modules On 25 April 2011 07:48, Peter Relson

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Ted MacNEIL
>This preoccupation lends support to the theory that all auditors are working from a z/OS playbook written somewhere around 1978. IIRC, it was called "MVS for Auditors". It had a lot of inaccuracies, but the auditors treated it as a 'bible'. It was a bane for many years. - Ted MacNEIL eamacn...@ya

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Rob Schramm
How about an auditors guide written by us and some of the other listservs? Rob Schramm On Apr 25, 2011 2:13 PM, "Ted MacNEIL" wrote: >>This preoccupation lends support to the theory that all auditors are > working from a z/OS playbook written somewhere around 1978. > > IIRC, it was called "MVS fo

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Ted MacNEIL
>How about an auditors guide written by us and some of the other listservs? Does one exist? - Ted MacNEIL eamacn...@yahoo.ca Twitter: @TedMacNEIL -- For IBM-MAIN subscribe / signoff / archive access instructions, send email to li

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Tony Harminc
On 24 April 2011 21:13, john gilmore wrote: > The thrust of my comments was that the preoccupation of auditors with SVCs, > all but to the exclusion of concern with PC-PR constructs, is both > unfortunate and shortsighted. This preoccupation lends support to the theory that all auditors are wo

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Tony Harminc
On 25 April 2011 07:48, Peter Relson wrote: > One point about SVCs vs PC's: unless you go fairly far out of your way, a > PC routine will not confer additional key/state authorization to its > invoker. An SVC routine easily can do that by manipulating control block > fields. This conferrence leads

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Gerhard Postpischil
On 4/25/2011 7:48 AM, Peter Relson wrote: Curious: Does anyone use SVC screening for its documented intended purpose: to define those SVCs that a particular task is allowed to issue (and conversely those that it is not allowed to issue)? Screening is useful for debug packages, allowing detail

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Shane Ginnane
ROTFL ... Interesting concept Peter. Shane ... On Mon, Apr 25th, 2011 at 9:48 PM, Peter Relson wrote: ... > Curious: Does anyone use SVC screening for its documented intended > purpose: -- For IBM-MAIN subscribe / signoff / ar

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread McKown, John
] On Behalf Of Peter Relson > Sent: Monday, April 25, 2011 6:49 AM > To: IBM-MAIN@bama.ua.edu > Subject: Re: Mixing Auth and Non-Auth Modules > > One point about SVCs vs PC's: unless you go fairly far out of > your way, a > PC routine will not confer additional key/state

Re: Mixing Auth and Non-Auth Modules

2011-04-25 Thread Peter Relson
One point about SVCs vs PC's: unless you go fairly far out of your way, a PC routine will not confer additional key/state authorization to its invoker. An SVC routine easily can do that by manipulating control block fields. This conferrence leads directly to many of (or is itself) the system in

Re: Mixing Auth and Non-Auth Modules

2011-04-24 Thread Rob Schramm
I made the original comment about the auditor and SVC. At the time the discussion sparked a memory of a SVC that was specifically used to gain authorization and circumvent security (quite a while ago) that I had encountered. It was a great trick and pretty useful and very dangerous at the same ti

Re: Mixing Auth and Non-Auth Modules

2011-04-24 Thread John McKown
Perhaps the "auditors", or those who actually made their lists, need to be trained. Of course, who wants to learn how to audit an obsolescent system like z/OS? You go where the money is. SVCs have been around since the beginning and so are part of the lore. PC/PT are relatively new and more complic

Re: Mixing Auth and Non-Auth Modules

2011-04-24 Thread john gilmore
I agree with Edward Jaffe---He put the matter more politely---that botching an SVC does not usually have the disastrous systemic consequences that botching a PC-PR construct can have. The thrust of my comments was that the preoccupation of auditors with SVCs, all but to the exclusion of concer

Re: Mixing Auth and Non-Auth Modules

2011-04-24 Thread Edward Jaffe
On 4/22/2011 3:56 PM, john gilmore wrote: What has interested me more about this thread has been its preoccupation with SVCs, which are at best obsolescent. There is nothing anyone can do with an SVC that I cannot do, much less obtrusively, with a PC-based scheme. SVCs offer a nice screening

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread John McKown
No. APF is not done on a TCB by TCB basis. Every TCB points to a control block called the JSCB (Job Step Control Block). There is an undocumented parameter: JSCB= on the ATTACHX macro which allows specification of the address of this control block, possibly dynamically allocated and initialized. Ho

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread John McKown
On Fri, 2011-04-22 at 18:35 -0600, Frank Swarbrick wrote: > Where can an application programmer who can barely spell SVC and PC > get an understanding of what these are? (I know the SVC is supervisor > call, but that's about it.) Well, how to write an SVC is documented here: http://publibz.bould

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Robert A. Rosenberg
At 19:04 -0500 on 04/22/2011, Patrick Roehl wrote about Re: Mixing Auth and Non-Auth Modules: Would this work? Program A (non-authorized) does an ATTACHX with DCB which points to an authorized library to start program B in a new TCB. Program B would be authorized and service RACROUTE

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Frank Swarbrick
Where can an application programmer who can barely spell SVC and PC get an understanding of what these are? (I know the SVC is supervisor call, but that's about it.) -- Frank Swarbrick Applications Architect - Mainframe Applications Development FirstBank Data Corporation - Lakewood, CO USA P:

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Patrick Roehl
Would this work? Program A (non-authorized) does an ATTACHX with DCB which points to an authorized library to start program B in a new TCB. Program B would be authorized and service RACROUTE requests from program A via common storage and a WAIT/POST protocol. Program A would then be free to c

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread john gilmore
Gerhard Postpischil is of course quite right; trapdoors are necessary during the development of much software; and they are useful for later troubleshooting too. What has interested me more about this thread has been its preoccupation with SVCs, which are at best obsolescent. There is nothin

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Scott Rowe
As long as that sandbox doesn't share anything with any production system maybe. On Fri, Apr 22, 2011 at 5:45 PM, Gerhard Postpischil wrote: > On 4/22/2011 4:17 PM, Rob Schramm wrote: > >> Super Secret (aka Security Through Obscurity) is always a bad idea. >> Security and integrity are difficult

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Rob Schramm
Dang.. did I use Always again and left out the 1 or 2 use cases? Then lock them up in data sets only the trusted can use and certainly putting them in linklst would be something to be avoided. Or on sandbox systems that if co-opted would not adversely affect your business. Rob Schramm On

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Gerhard Postpischil
On 4/22/2011 4:17 PM, Rob Schramm wrote: Super Secret (aka Security Through Obscurity) is always a bad idea. Security and integrity are difficult enough when balanced against allowing progress to occur. Adding in ridiculously risky back doors into your system is a recipe for disaster. I take

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Rob Schramm
Super Secret (aka Security Through Obscurity) is always a bad idea. Security and integrity are difficult enough when balanced against allowing progress to occur. Adding in ridiculously risky back doors into your system is a recipe for disaster. An auditor that doesn't know enough to ask the righ

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Rick Fochtman
--- I hope that this SVC has been removed. These "super-secret" SVC's are nothing more than MASSIVE integrity exposures, that can be relatively easily spoofed, and should be banned from any and all z/OS sites. -

Re: EXTERNAL: Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Roach, Dennis (N-GHG CORP.)
, natural or manufactured, since the beginning of time. -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Ted MacNEIL Sent: Friday, April 22, 2011 12:43 PM To: IBM-MAIN@bama.ua.edu Subject: EXTERNAL: Re: Mixing Auth and Non-Auth Modules >You m

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Emily A. Rambo
m any and all z/OS sites. > >=== >Wayne Driscoll >OMEGAMON DB2 L3 Support/Development >wdrisco(AT)us.ibm.com >=== > > > >From: >"Emily A. Rambo" >To: >IBM-MAIN@bama.ua.edu >Date: >04/

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Ted MacNEIL
>You must not have auditors. This is not an audit issue. >This is a security breach waiting to happen. Auditors can only monitor procedures. And, they can only point out issues that SMEs have identified. >How do you prevent someone from calling their program the same name as one in >the intern

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Wayne Driscoll
DB2 L3 Support/Development wdrisco(AT)us.ibm.com === From: "Emily A. Rambo" To: IBM-MAIN@bama.ua.edu Date: 04/22/2011 11:27 AM Subject: Re: Mixing Auth and Non-Auth Modules Sent by: IBM Mainframe Discussion List If there's no wa

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread John McKown
That is a very bad idea. It would be better to make the RACF functions in the SVC itself. Perhaps doing a validation before by checking a FACILITY profile. On Apr 22, 2011 11:28 AM, "Emily A. Rambo" wrote: > If there's no way to get what you need without using the functions that IBM > requires be

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Veilleux, Jon L
Sent: Friday, April 22, 2011 12:27 PM To: IBM-MAIN@bama.ua.edu Subject: Re: Mixing Auth and Non-Auth Modules If there's no way to get what you need without using the functions that IBM requires be authorized, here's another possibility. We had a sysprog years ago who coded a user SVC

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Emily A. Rambo
If there's no way to get what you need without using the functions that IBM requires be authorized, here's another possibility. We had a sysprog years ago who coded a user SVC that could be called to flip the JSCBAUTH bit on or off, with a very short list of program names in an internal table t

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Walt Farrell
On Thu, 21 Apr 2011 15:27:48 -0500, Patrick Roehl wrote: >The RACF functions are used to determine if a 3rd party is allowed to access a >specific resource. > >RACROUTE REQUEST=VERIFY,ENVIR=CREATE >RACROUTE REQUEST=AUTH >RACROUTE REQUEST=VERIFY,ENVIR=DELETE > >The process is run as a started task

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Patrick Roehl
: +1.617.614.2305 Email: rsc...@rs.com Web: www.rocketsoftware.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Rob Schramm Sent: 21 April 2011 22:01 To: IBM-MAIN@bama.ua.edu Subject: Re: Mixing Auth and Non-Auth Modules Maybe some others are

Re: Mixing Auth and Non-Auth Modules

2011-04-22 Thread Rob Scott
Email: rsc...@rs.com Web: www.rocketsoftware.com -Original Message- From: IBM Mainframe Discussion List [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Rob Schramm Sent: 21 April 2011 22:01 To: IBM-MAIN@bama.ua.edu Subject: Re: Mixing Auth and Non-Auth Modules Maybe some others are willing to

Re: Mixing Auth and Non-Auth Modules

2011-04-21 Thread Paul Gilmartin
On Thu, 21 Apr 2011 15:40:03 -0500, McKown, John wrote: > >Now, being the weirdo that I am, I'd likely do my APF authorized work by using >the UNIX fork() and exec(), where I exec() a module which is in the UNIX >filesystem marked as APF authorized. Depending on what I need to do, I would >eithe

Re: Mixing Auth and Non-Auth Modules

2011-04-21 Thread Rob Schramm
h. Anyone? Rob Schramm On Thu, Apr 21, 2011 at 4:40 PM, McKown, John wrote: > > -Original Message- > > From: IBM Mainframe Discussion List > > [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Patrick Roehl > > Sent: Thursday, April 21, 2011 2:57 PM > > To: IBM-MAIN@

Re: Mixing Auth and Non-Auth Modules

2011-04-21 Thread McKown, John
> -Original Message- > From: IBM Mainframe Discussion List > [mailto:IBM-MAIN@bama.ua.edu] On Behalf Of Patrick Roehl > Sent: Thursday, April 21, 2011 2:57 PM > To: IBM-MAIN@bama.ua.edu > Subject: Mixing Auth and Non-Auth Modules > > I have a situation where APF

Re: Mixing Auth and Non-Auth Modules

2011-04-21 Thread Patrick Roehl
The RACF functions are used to determine if a 3rd party is allowed to access a specific resource. RACROUTE REQUEST=VERIFY,ENVIR=CREATE RACROUTE REQUEST=AUTH RACROUTE REQUEST=VERIFY,ENVIR=DELETE The process is run as a started task and functions as a server from TCP/IP clients. Database access

Re: Mixing Auth and Non-Auth Modules

2011-04-21 Thread Skip Robinson
Services Electric Dragon Team Paddler SHARE MVS Program Co-Manager 626-302-7535 Office 323-715-0595 Mobile jo.skip.robin...@sce.com From: Patrick Roehl To: IBM-MAIN@bama.ua.edu Date: 04/21/2011 12:58 PM Subject:Mixing Auth and Non-Auth Modules Sent by:IBM Mainframe

Re: Mixing Auth and Non-Auth Modules

2011-04-21 Thread Walt Farrell
I would say your first action should be to determine whether there are alternative RACF functions (or functions that invoke RACF functions) that do not require authorization. If so, try to use them instead. Thus, to start, perhaps you should describe the RACF functions you're using and need in gre

Mixing Auth and Non-Auth Modules

2011-04-21 Thread Patrick Roehl
I have a situation where APF-authorization is needed by a new subprogram that performs RACF functions. This was working fine until it came time to call the new subprogram from the main program, which does not need to be authorized. Making the whole process authorized seems silly (or worse), in