Re: More of LOG4J

2022-01-26 Thread ITschak Mugzach
memento Solarwind... David, I like your confidence. At Solarwind, twice the size of Rocket, the toxic code was injected during the build process, by someone(s) who penetrated long before they started to interfere with code. BTW, the Solarwind attack was based on a vendor code, not open source. ITschak

Directories on ftp server with Hebrew names

2022-01-26 Thread Gadi Ben-Avi
Hi, We have a need to transfer files to an FTP server to a directory whose name contains Hebrew characters. The encoding is UTF-8. How do I configure the FTP client on z/OS to allow this? If I do a directory listing on the level above the directory, I get all types of weird names, showing that th

Re: Tracking CLIST/Exec Usage

2022-01-26 Thread kekronbekron
Are you willing to dumpster dive into SMF? I'm sure you can whip something together with a few different record types. First pulling out SYSPROG and SYSEXEC dataset list. Then dataset/member stats on those. With some amount of filtering, you'll be able to reduce the amount of data you need to pro

Re: LISTSERV Noise?

2022-01-26 Thread Grant Taylor
On 1/26/22 7:24 PM, Seymour J Metz wrote: See RFC 3676, The Text/Plain Format and DelSp Parameters: 4.3. Usenet Signature Convention RFC 3676 § 4.3 seems to be documenting an existing convention. (IM(ns)HO) It does not /define/ nor /specify/ the convention. At most it is an acknowledge

Re: AW: z/OS port of gawk

2022-01-26 Thread David Crayford
On 27/1/22 3:44 am, David Frenzel wrote: Still reading through old messages after vacation and saw this. Thanks, David! Do you mind sharing the process of building the binary? Basically, it just ran the following. ./configure make I can see that instructions for building gawk from source o

ZSORT support for program invoked sort

2022-01-26 Thread Nobuhiko Furuya
Hello all, With APAR PH03207, ZSORT has been enabled as follows. https://www.ibm.com/support/pages/sites/default/files/inline-files/DFSORT%20User%20Guide%20for%20PH03207.pdf In the above, some restrictions are described as follows. Below is a list of restrictions that will disable DFSORT's use

Re: LISTSERV Noise?

2022-01-26 Thread Seymour J Metz
> My understanding is that the dash dash space is a /convention/ and is > not actually defined anywhere. See RFC 3676, The Text/Plain Format and DelSp Parameters: 4.3. Usenet Signature Convention 4.5. Quoting -- Shmuel (Seymour J.) Metz http://mason.gmu.edu/~smetz3 _

Re: More of LOG4J

2022-01-26 Thread David Crayford
On 27/1/22 3:36 am, ITschak Mugzach wrote: It is a nightmare to vendors and clients looking for potential security issues. Not if they invest in state of the art tooling. Black Duck and Polaris make short work of scanning for vulnerabilities. On the other hand, open source is here to stay.

Re: More of LOG4J

2022-01-26 Thread David Crayford
On 26/1/22 11:31 pm, Kirk Wolf wrote: Good companies have policies and processes for approving any open source used internally. What's the alternative, write everything from scratch? Surely there will be no vulnerabilities there:-) It's company policy where I work to perform code scans

Re: More of LOG4J

2022-01-26 Thread David Crayford
On 27/1/22 4:35 am, Tom Brennan wrote: Those are things we don't like to talk about :) Indeed! And even less talked about: What's to stop a trusted ISV or even IBM from being hacked or having a rogue employee that does the same? Absolutely nothing. Any executable code that runs authorized

Re: Tracking CLIST/Exec Usage

2022-01-26 Thread Bob Bridges
We do that in security sometimes: If we can't figure out who owns an ID, try turning it off and see who complains. But 90 days isn't enough; there are some routines that are run only once a quarter or once a year. For processes I use 14 months. --- Bob Bridges, robhbrid...@gmail.com, cell 33

Re: More of LOG4J

2022-01-26 Thread Phil Smith III
Kirk Wolf wrote: > Sorry, I agree that the entirety of what you wrote was more balanced. I reacted (poorly) to this part: "Same with open source: using random code from an unknown author would have been unthinkable; now it's common." >I don't think that this is common. Mostly projects use p

Re: More of LOG4J

2022-01-26 Thread Kirk Wolf
Many people are worried, which is why sandboxed application environments are becoming so popular. On Wed, Jan 26, 2022, at 2:35 PM, Tom Brennan wrote: > Those are things we don't like to talk about :) And even less talked > about: What's to stop a trusted ISV or even IBM from being hacked or >

Re: More of LOG4J

2022-01-26 Thread Tom Brennan
Those are things we don't like to talk about :) And even less talked about: What's to stop a trusted ISV or even IBM from being hacked or having a rogue employee that does the same? On 1/26/2022 11:41 AM, Gibney, Dave wrote: If I was a long term bad actor, or perhaps a nation/state, I might c

Re: More of LOG4J

2022-01-26 Thread Rob Schramm
In a different sort of way, it is a real tribute to the usability of Log4j. Seems like all popular software/hardware suffers from vulnerability eventually. And a reminder not to be too trusting of software. Rob On Wed, Jan 26, 2022 at 2:41 PM Gibney, Dave < 03b5261cfd78-dmarc-requ...@list

Re: Tracking CLIST/Exec Usage

2022-01-26 Thread Chris Hoelscher
Rename them and watch for complaints? (Seriously, I have seen this done; after 90? days delete what has not been renamed back.) Chris Hoelscher IDMS/DB2 DBA and System Analyst Kyndryl Inc. on assignment to Humana.com 502-407-7266 -Original Message- From: IBM Mainframe Discussion List On B

AW: z/OS port of gawk

2022-01-26 Thread David Frenzel
Still reading through old messages after vacation and saw this. Thanks, David! Do you mind sharing the process of building the binary? I can see that instructions for building gawk from source on z/OS actually exist: gawk/README.zos at master · redondos/gawk · GitHub

Re: More of LOG4J

2022-01-26 Thread Gibney, Dave
If I was a long term bad actor, or perhaps a nation/state, I might consider evaluating open source for useful/popular components. Then, contribute to their development, spread, and usefulness, while inserting subtle exploitable defects. > -Original Message- > From: IBM Mainframe Discussi

Re: More of LOG4J

2022-01-26 Thread ITschak Mugzach
I was told about LOG4J V2 (2.1.x for example) from other people that ran the scanner on 2.5 systems. It is a nightmare to vendors and clients looking for potential security issues. On the other hand, open source is here to stay. In short, mainframe modernization has its price. ITschak ITschak Mugz

Re: More of LOG4J

2022-01-26 Thread Kirk Wolf
Phil, Sorry, I agree that the entirety of what you wrote was more balanced. I reacted (poorly) to this part: "Same with open source: using random code from an unknown author would have been unthinkable; now it's common." I don't think that this is common. Mostly projects use popular open

Re: Tracking CLIST/Exec Usage

2022-01-26 Thread Roger Bolan
Hello, Let me just add a little cautionary note to this thread. Do not delete anything without knowing what it is used for. Some of the products I support have CLIST or EXEC tools used to create or change resources that can be used unchanged for years and then suddenly require changes. You might ha

Re: More of LOG4J

2022-01-26 Thread Phil Smith III
Kirk Wolf wrote: >Is that really what you think is going on? >The economics of open source are about *reuse*. The overwhelming majority of software these days is built with it for that reason. Good developers are very careful about what open source that they use. Good companies have policie

Re: Tracking CLIST/Exec Usage

2022-01-26 Thread Mike Shaw
CA TSO-MON does this handily, but you gotta spend money to get it. Type 32 SMF records count TSO/E commands, but that would be counts of the EXEC command without the CLIST name. If I had to do this on my own, I would write a CSECT that I linked as a front-end to the EXEC command (IKJCT429) in SYS

Re: Tracking CLIST/Exec Usage

2022-01-26 Thread Bob Bridges
Dunno whether you'll like this idea, but if you don't want to download a package, you can insert a line into each REXX or CLIST that logs each time it runs in a dataset. You can review the log occasionally and remove the line from any exec that you no longer need to review. At some point (months?
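As an added illustration of the "insert a logging line into each exec" approach described above (this is example code written for this page, not something posted in the thread), here is a REXX stub that appends one record per run to a shared log dataset. The dataset name SYSPROG.EXEC.USAGELOG, the DDNAME USELOG, the record layout and the dataset attributes (sequential, RECFM=VB, LRECL=133, preallocated) are all assumptions; the CLIST form of the same stub is not shown.

```rexx
/* REXX                                                                   */
/* Usage-logging stub: paste at the top of each REXX exec being tracked.  */
/* Added example for this page, not code from the original thread.        */
/* Assumptions: SYSPROG.EXEC.USAGELOG already exists as a sequential      */
/* dataset, RECFM=VB LRECL=133, and every user who runs the exec has      */
/* UPDATE access to it.                                                   */
logdsn = "'SYSPROG.EXEC.USAGELOG'"
parse source . . execname .             /* third word = name of this exec  */
who = userid()                          /* TSO user id (job name in batch) */
rec.0 = 1
rec.1 = date('S') time() left(who,8) left(execname,8) sysvar('SYSNODE')

/* DISP=MOD appends to the dataset but takes an exclusive ENQ on it, so   */
/* two users starting execs at the same moment collide on the ALLOC.      */
/* Retry a few times, then give up quietly: losing one log record must    */
/* never stop the exec itself from running.                               */
address TSO
do try = 1 to 3
  "ALLOC F(USELOG) DA("logdsn") MOD REUSE"
  if rc = 0 then leave
end
if rc = 0 then do
  "EXECIO 1 DISKW USELOG (STEM rec. FINIS"
  "FREE F(USELOG)"
end
/* ---- end of logging stub; the exec's original logic follows -------- */
```

Two caveats a practitioner would want before rolling this out: the log dataset has to be writable by everyone who runs the execs, so its contents are evidence of usage, not an audit trail (anyone with UPDATE can edit it; SMF remains the authoritative record), and on a busy system the shared DISP=MOD dataset will serialize badly, in which case a per-user member in a PDSE, or one GDG generation per day, is the usual workaround.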

Re: Tracking CLIST/Exec Usage

2022-01-26 Thread David Spiegel
Hi Mark, I should have mentioned that I was not given a budget to purchase/lease software for this project. I will, however, mention it to my superiors. Thanks and regards, David On 2022-01-26 10:48, Mark Jacobs wrote: eventACTION by Action Software can do that. Mark Jacobs Sent from Proton

Re: Tracking CLIST/Exec Usage

2022-01-26 Thread Carmen Vitullo
IIRC David, PDSMAN can do this, I'm not sure of any other way to track CLIST REXX usage. If it's software tracking there are tools to do that also; the simplest way, I think, is if you can ID the software libraries and, using your security tools, audit the libraries' usage, instead of revoking acces

Re: Tracking CLIST/Exec Usage

2022-01-26 Thread Mark Jacobs
eventACTION by Action Software can do that. Mark Jacobs Sent from ProtonMail, Swiss-based encrypted email. GPG Public Key - https://api.protonmail.ch/pks/lookup?op=get&search=markjac...@protonmail.com --- Original Message --- On Wednesday, January 26th, 2022 at 10:40 AM, David Spiegel

Tracking CLIST/Exec Usage

2022-01-26 Thread David Spiegel
Hi List, I have been given the task of cleaning up unused software. Part of that is identifying which CLISTs/Execs are not being used. Can someone please suggest a way to do this? Thank you in advance. Regards, David -- For IB

Re: List of PTFs

2022-01-26 Thread Burrell, Todd
I believe you can do an APPLY CHECK selecting RSU2112 as the SOURCEID. That should make the list of FMIDs easier to parse out. Thanks Todd Burrell | Sr. IT Systems Engineer | Mainframe todd.burr...@bcbsfl.com M 404.723.2017 -Original Message- From: IBM Mainframe Discussion List O

Re: More of LOG4J

2022-01-26 Thread Kirk Wolf
On Tue, Jan 25, 2022, at 4:33 PM, Phil Smith III wrote: > > > Forty years ago, vendors barely spoke to each other; now we OEM and embed > each other's products. Same with open source: using random code from an > unknown author would have been unthinkable; now it's common. Is that really what you

Re: IBM z/OS Management Facility 2022 Survey

2022-01-26 Thread Carmen Vitullo
Erin, can you provide a link to the Github chart? thank you Carmen On 1/26/2022 2:55 AM, Erin Yu wrote: Dear z/OS users, We are from the z/OSMF development team. Last year we made a z/OSMF survey that some of you might have participated in. We appreciate all of the feedback and also made so

IBM z/OS Management Facility 2022 Survey

2022-01-26 Thread Erin Yu
Dear z/OS users, We are from the z/OSMF development team. Last year we made a z/OSMF survey that some of you might have participated in. We appreciate all of the feedback and also made some enhancements accordingly. For instance, we published a z/OSMF Value Proposition chart in Github so that i