Contributed by Pamela Jerskey, Boston College
1. Run IDCAMS to produce Master Catalog Listing (do not print) - use as reference for
looking up libraries for audit tests (MVSMSTR.JCL).
2. Run PDSLIST of SYS1.PARMLIB to produce listing (do not print) - edit as needed for
workpapers for audit tests (MVSPARM.JCL).
3. Run PDSLIST of SYS2.PARMLIB to produce listing (do not print) - edit as needed for
workpapers for audit tests (MVSPARM2.JCL).
4. Run PDSLIST of SYS1.PROCLIB to produce listing (do not print) - edit as needed for
workpapers for audit tests (MVSPROCL.JCL).
5. Obtain RACF DSMON Report and Data Sets Report from Security Administrator.
I. MASTER CATALOG:
Review all data sets in the Master Catalog and determine if protected under RACF.
II. SYS1.NUCLEUS REVIEW:
A. Run IEHLIST of SYS1.NUCLEUS to review for multiple members
(MVSNUC.JCL). Check for IEANUCxx where xx = 00, 01, etc.
B. Determine that SYS1.NUCLEUS is protected under RACF by reviewing RACF
DSMON Report from Security Administrator.
III. SYS1.PARMLIB REVIEW:
A. Edit SYS1.PARMLIB listing for member IEASYS00. Review parameters. Use
of the ,L option within specified IEASYSxx members is encouraged. The
IEASYS00 parameters of audit significance and their associated PARMLIB
members include:
1. APF=(00) IEAAPFxx
2. MLPA=(00,L) IEALPAxx
3. CMD=(00) COMMNDxx
4. LNK=(00,L) LNKLSTxx
5. LPA=(00,L) LPALSTxx
6. MSTRJCL=(00) MSTJCLxx
7. LNKAUTH=LNKLST LNKLSTxx
8. SCH=(00,L) SCHEDxx
9. SMF=(00) SMFPRMxx
10. SVC=(00,L) IEASVCxx
11. PAGE=
Review protection for all datasets listed including PAGE datasets.
B. Authorized Program Facility (APF) is the primary mechanism for security and
control within the MVS Operating System. APF identifies the programs that are
authorized to use restricted functions in the MVS Operating System.
Access to APF libraries should be controlled to prevent unauthorized routines
from being inserted in these libraries and run in an authorized state. Also check
for nonexistent data sets or volumes in the APF list, which could allow a user to
improperly allocate an authorized library.
Edit SYS1.PARMLIB listing for member PROG00. Run IEHLIST for each data
set in member IEAAPF00 (MVSIEAAP.JCL). Determine:
1) that all members exist on the volume specified by reviewing the output.
2) that all members are catalogued by reviewing the Master Catalog listing.
3) that no duplicate data sets exist by reviewing IEAAPF00.
4) that all members are RACF protected by reviewing RACF DSMON report
(Selected Data Sets Report).
5) Review protection for SYS1.IMAGELIB.
C. Edit SYS1.PARMLIB listing for member LNKLST00. Run IEHLIST for each
data set in member LNKLST00 (MVSLKLST.JCL) (volume can be identified by
searching the Master Catalog). Determine:
1) that all members exist on the volume specified by reviewing the output.
2) that no duplicate data sets exist by reviewing LNKLST00.
3) that all members are RACF protected by reviewing RACF DSMON Report
(Selected Data Sets Report).
D. Edit SYS1.PARMLIB listing for member LPALST00. Review as in #C.
(MVSLPALS.JCL).
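The checks in III.B (items 2 to 4), III.C and III.D can be scripted once the PARMLIB member, the Master Catalog listing and the DSMON report are in hand. The following is an added example, not part of the original audit program; it assumes the PROG00 `APF ADD DSNAME(...) VOLUME(...)` layout and the `dsname volser,` layout of IEAAPFxx, and every data set name, volser and report entry in it is constructed.

```python
# Added example, not part of the original audit program: automates audit tests
# III.B (items 2-4), III.C and III.D. Parses a PROG00 'APF ADD' member or an
# IEAAPFxx / LNKLSTxx-style 'dsname volser,' member and flags duplicate,
# uncatalogued and non-RACF-protected entries. All names below are constructed.
import re

def parse_apf_member(text):
    """Return [(dsname, volser)] in member order; /* comments */ are dropped."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    entries = []
    for line in text.splitlines():
        line = line.strip().rstrip(",").strip()
        if not line:
            continue
        m = re.match(r"APF\s+ADD\s+DSNAME\(([^)]+)\)\s+(?:VOLUME\(([^)]+)\)|SMS)", line, re.I)
        if m:  # PROG00 format: VOLUME(volser) or SMS-managed
            entries.append((m.group(1).upper(), (m.group(2) or "SMS").upper()))
        elif line.upper().startswith("APF "):
            continue  # e.g. APF FORMAT(DYNAMIC) is not a library entry
        else:  # IEAAPFxx: 'dsname volser'; LNKLSTxx: 'dsname' alone
            parts = line.split()
            entries.append((parts[0].upper(), parts[1].upper() if len(parts) > 1 else None))
    return entries

def audit_libraries(entries, catalog, racf_protected):
    """catalog: {dsname: volser} from the Master Catalog; racf_protected: DSMON dsnames."""
    findings, seen = [], set()
    for dsn, vol in entries:
        if dsn in seen:
            findings.append(f"DUPLICATE {dsn}")
        seen.add(dsn)
        if dsn not in catalog:
            findings.append(f"NOT CATALOGUED {dsn}")
        elif vol not in (None, "SMS") and catalog[dsn] != vol:
            findings.append(f"VOLUME MISMATCH {dsn} parmlib={vol} catalog={catalog[dsn]}")
        if dsn not in racf_protected:
            findings.append(f"NOT RACF PROTECTED {dsn}")
    return findings

SAMPLE_PROG00 = """/* constructed sample PROG00, not from a real system */
APF FORMAT(DYNAMIC)
APF ADD DSNAME(SYS1.LINKLIB) VOLUME(SYSRES)
APF ADD DSNAME(SYS1.SVCLIB) VOLUME(SYSRES)
APF ADD DSNAME(VENDOR.APFLIB) VOLUME(WORK01)
APF ADD DSNAME(SYS1.LINKLIB) VOLUME(SYSRES)
"""
SAMPLE_CATALOG = {"SYS1.LINKLIB": "SYSRES", "SYS1.SVCLIB": "SYSRES"}
SAMPLE_DSMON = {"SYS1.LINKLIB", "SYS1.SVCLIB"}
if __name__ == "__main__":
    print("\n".join(audit_libraries(parse_apf_member(SAMPLE_PROG00), SAMPLE_CATALOG, SAMPLE_DSMON)))
```

Item 1 (the data set exists on the named volume) still needs the IEHLIST output, which this script only checks against the catalog's volser.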
E. Edit SYS1.PARMLIB listing for member IKJTSO00. Review with systems
programmer the following:
AUTHCMD NAMES (determine what function each command performs)
AUTHPGM NAMES (determine what function each program performs)
IV. SVC REVIEW:
A. Edit SYS1.PARMLIB listing for member IEASVC00.
B. Run IEHLIST report for SYS1.LPALIB and all members in LPALST00.
(MVSLPALB.JCL).
C. Run AMBLIST of SYS1.NUCLEUS (MVSIEANU.JCL) to identify any user
added SVCs (IGCxxx where xxx = 200-255).
D. Using reports from B & C, search listing for members that begin with IGC. Edit
listing for workpapers. Compare IGC listing to IEASVC00 to determine user
added SVCs and if they are active (Note: IGCxxx where xxx = 200-255 are user
added SVCs).
E. Run IEHLIST for SYS1.SVCLIB (MVSSVCLB.JCL). Identify member names
that begin with NSL. Discuss with system programmer.
F. Determine that SYS1.SVCLIB is protected under RACF by reviewing RACF
DSMON Report (Selected Data Sets Report).
G. From IEASVC00, APF(NO), the default, allows any user to invoke the SVC.
Ensure that any SVC available to all users (APF(NO)) respects system integrity
requirements. Discuss with systems programmer.
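Steps IV.D and IV.G, comparing the IEASVC00 definitions with the IGC members found in the libraries and noting which user SVCs are APF(NO), can be automated as in this added example (not part of the original audit program). It assumes the `SVCPARM nnn,REPLACE,TYPE(n),APF(YES|NO)` statement layout of IEASVCxx; the IEASVC00 text and member list are constructed.

```python
# Added example, not part of the original audit program: automates audit tests
# IV.D and IV.G. Parses SVCPARM statements from an IEASVCxx member, reports
# user-added SVCs (200-255) and whether APF(NO), the default, leaves each one
# callable by any user, then compares them with IGCxxx member names from IEHLIST.
import re
USER_SVCS = range(200, 256)  # user-added SVC numbers per the audit program

def parse_ieasvc(text):
    """Return {svc_number: {"type": n, "apf": bool}}; APF defaults to NO."""
    svcs = {}
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    for line in text.splitlines():
        m = re.match(r"\s*SVCPARM\s+(\d+)\s*,\s*REPLACE\s*,(.*)", line, re.I)
        if not m:
            continue
        opts = m.group(2).upper()
        typ = re.search(r"TYPE\((\d)\)", opts)
        apf = re.search(r"APF\((YES|NO)\)", opts)
        svcs[int(m.group(1))] = {"type": int(typ.group(1)) if typ else None,
                                 "apf": bool(apf and apf.group(1) == "YES")}
    return svcs

def user_svcs_in_members(members):  # SVC numbers implied by IGCxxx names
    found = set()
    for name in members:
        m = re.fullmatch(r"IGC(\d{3})", name.upper())
        if m and int(m.group(1)) in USER_SVCS:
            found.add(int(m.group(1)))
    return found

def audit_user_svcs(svcs, members):
    """Active user SVCs come from IEASVC00; IGC members not defined there are inactive."""
    defined = {n for n in svcs if n in USER_SVCS}
    findings = []
    for n in sorted(defined):
        if svcs[n]["apf"]:
            findings.append(f"SVC {n} active, APF(YES): caller must be authorized")
        else:
            findings.append(f"SVC {n} active, APF(NO): any user may invoke it, review integrity")
    for n in sorted(user_svcs_in_members(members) - defined):
        findings.append(f"IGC{n} present in library but not in IEASVC00: inactive")
    return findings

SAMPLE_IEASVC00 = """/* constructed sample IEASVC00, not from a real system */
SVCPARM 200,REPLACE,TYPE(3),APF(YES)
SVCPARM 201,REPLACE,TYPE(3)
"""
SAMPLE_MEMBERS = ["IEANUC01", "IGC200", "IGC201", "IGC210"]  # constructed IEHLIST names

if __name__ == "__main__":
    for finding in audit_user_svcs(parse_ieasvc(SAMPLE_IEASVC00), SAMPLE_MEMBERS):
        print(finding)
```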
V. EXIT REVIEW:
JES EXITS:
A. Edit SYS1.PROCLIB for member names JESM and JES. Locate HASPPARM
DSN. Edit SYS2.PARMLIB for JESMPARM and JES2PARM. Locate each
exit (EXITnn). Edit listing for workpapers. Discuss the function of each exit with
system programmer.
SMF EXITS:
A. Edit SYS1.PARMLIB listing for member SMFPRM00. Ensure that the member
specifies that SMF is ACTIVE. Review the NOPROMPT option.
NOPROMPT offers the operator no choice in the parameters selected;
NOPROMPT is the most secure. List exits. Identify exits in SYS1.LPALIB from
the IEHLIST report (see Audit Program IIIB.) (IEFU......). Run AMBLIST for all
exits in SMFPRM00 (MVSDUMP.JCL). Determine:
1) if exit is used.
2) if used, what function it is performing.
3) if used, last linkage date.
4) length.
VI. PROGRAM PROPERTIES TABLE REVIEW:
Edit SYS1.PARMLIB listing for member SCHED00. Obtain DSMON Program
Properties Table Report from Security Administrator. Review programs that
bypass password protection and have a system key=yes from DSMON Report
(from SCHED00, have NOPASS and Key 0-7). Determine what these programs
are doing. Discuss with system programmer.
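The selection in VI (PPT entries that are NOPASS with a system key of 0 to 7) can be pulled from the SCHED00 listing with the added example below, which is not part of the original audit program. It assumes one `PPT PGMNAME(...) KEY(n) ...` statement per line; the SCHED00 text and program names are constructed.

```python
# Added example, not part of the original audit program: automates audit test
# VI by parsing PPT statements from a SCHEDxx member and listing the programs
# that bypass password protection (NOPASS) and run in a system key (KEY 0-7),
# i.e. the entries to discuss with the systems programmer.
# Assumes one PPT statement per line; the SCHED00 text below is constructed.
import re

def parse_ppt(text):
    """Return [(pgmname, key, nopass)] for each PPT statement, in member order."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*PPT\s+(.*)", line, re.I)
        if not m:
            continue
        opts = m.group(1).upper()
        name = re.search(r"PGMNAME\(([^)]+)\)", opts)
        if not name:
            continue
        key = re.search(r"KEY\((\d+)\)", opts)
        nopass = bool(re.search(r"\bNOPASS\b", opts))
        entries.append((name.group(1), int(key.group(1)) if key else None, nopass))
    return entries

def system_key_nopass(entries):
    """PPT entries with NOPASS and a system key (0-7): the audit's review set."""
    return [(pgm, key) for pgm, key, nopass in entries
            if nopass and key is not None and 0 <= key <= 7]

SAMPLE_SCHED00 = """/* constructed sample SCHED00, not from a real system */
PPT PGMNAME(ONLINEPG) KEY(6) NOSWAP NOPASS SYST
PPT PGMNAME(VENDORPG) KEY(0) NOPASS NOSWAP
PPT PGMNAME(REPORTER) KEY(8) NOPASS
PPT PGMNAME(BATCHJOB) KEY(1) NOSWAP
"""

if __name__ == "__main__":
    for pgm, key in system_key_nopass(parse_ppt(SAMPLE_SCHED00)):
        print(f"{pgm}: NOPASS with KEY({key})")
```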
VII. VTAM REVIEW:
A. Edit SYS1.PROCLIB listing for member NET. Identify VTAMLST DSN and
VTAMLIB DSN. Run PDSLIST of SYS2.ACFVTAM.VTAMLST (dsn of
VTAMLST) to produce listing (do not print) - edit as needed for workpapers for
audit tests (MVSVTML.JCL). Review Start-Up VTAM. Review ATCSTR00
to identify which member contains start-up VTAM members. Review ATCCON00
(Start-up VTAM). Search and edit entire listing for:
1) AUTH=(...) containing any of:
ACQ Can acquire other "LU"
PASS Can pass LU to another application
SPO, PPO Application can issue net commands
2) AUTHEXIT=YES Application exits get control in supervisor
state whether or not authorized.
Identify which members are in Start-up VTAM and which members are not.
Review any of these conditions with system programmer. Discuss how
these members are defined to RACF.
VIII. JES REVIEW:
A. Determine to what level SYS1.HASPACE is protected under RACF.
SYS1.HASPACE is the data set for all spooled input and output. Review with
systems programmer why "alter" level is needed by systems programmers (only
JES needs access).
B. Edit SYS2.PARMLIB for JES2PARM. Locate SPOOL (spooldef) and
CHECKPOINT (ckptdef) volumes. Determine what level of protection exists
under RACF. Review the following parameters:
COMMAND=(execute, ignore or verify). Ignore or verify is best. The console
command allows operators to change JES2 parameters.
OFFLOAD= This should not be turned on. It is a non-standard way of
interrupting data flow in JES2.
RMT1
RMT2, etc. This is remote JES. Check for passwords. How often are they
changed?
MVSMSTR.JCL
//AUDIT JOB,CLASS,MSGCLASS,
// USER=xxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//*
//* THIS PROGRAM IS USED FOR AUDITING MVS TO ACCESS
//* THE MASTER CATALOG
//*
//SS1 EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
LISTC ALL
MVSPARM.JCL
//AUDIT JOB,CLASS,MSGCLASS,
// USER=xxxxx,PASSWORD=xxxxxx
/*ROUTE PRINT
//S1 EXEC PGM=PDSLIST,PARM='EJECT,INDEX'
//* PARM= SPACE (SKIP A LINE) - EJECT (A PAGE) - ALPHA (LIST BY NAME)
//* INDEX (INDEX IT) - UPDTE (IEBUPDTE CONTROL)
//SYSPRINT DD SYSOUT=*,OUTLIM=0
//OUTPDS DD SYSOUT=(B,,CHAR),DCB=BLKSIZE=80
//SYSUT9 DD DSN=SYS1.PARMLIB,DISP=SHR
//SYSIN DD *
//
MVSPARM2.JCL
//AUDIT JOB,CLASS,MSGCLASS,
// USER=xxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//S1 EXEC PGM=PDSLIST,PARM='EJECT,INDEX'
//* PARM= SPACE (SKIP A LINE) - EJECT (A PAGE) - ALPHA (LIST BY NAME)
//* INDEX (INDEX IT) - UPDTE (IEBUPDTE CONTROL)
//SYSPRINT DD SYSOUT=*,OUTLIM=0
//OUTPDS DD SYSOUT=(B,,CHAR),DCB=BLKSIZE=80
//SYSUT9 DD DSN=SYS2.PARMLIB,DISP=SHR
//SYSIN DD *
//
MVSPROCL.JCL
//AUDIT JOB,CLASS,MSGCLASS,
// USER=xxxxxxxx,PASSWORD=xxxxxxxx
/*ROUTE PRINT
//S1 EXEC PGM=PDSLIST,PARM='EJECT,INDEX'
//* PARM= SPACE (SKIP A LINE) - EJECT (A PAGE) - ALPHA (LIST BY NAME)
//* INDEX (INDEX IT) - UPDTE (IEBUPDTE CONTROL)
//SYSPRINT DD SYSOUT=*,OUTLIM=0
//OUTPDS DD SYSOUT=(B,,CHAR),DCB=BLKSIZE=80
//SYSUT9 DD DSN=SYS1.PROCLIB,DISP=SHR
//SYSIN DD *
//
MVSNUC.JCL
//AUDIT JOB,CLASS,MSGCLASS,
// USER=xxxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//*
//* This program is used to review sys1.nucleus members for mvs audit
//*
//SS1 EXEC PGM=IEHLIST
//SYSPRINT DD SYSOUT=*
//DD1 DD DSNAME=SYS1.NUCLEUS,DISP=SHR
//SYSIN DD *
LISTPDS DSNAME=SYS1.NUCLEUS,FORMAT
MVSIEAAP.JCL
//AUDIT JOB,CLASS,MSGCLASS,
// USER=xxxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//*
//* THIS PROGRAM IS USED TO LIST MEMBERS IN IEAAPF TO DETERMINE
//* IF ALL MEMBERS EXIST; ALL MEMBERS ARE CATALOGUED, ETC.
//*
//SS1 EXEC PGM=IEHLIST
//SYSPRINT DD SYSOUT=*
//DD1 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD2 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD3 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//SYSIN DD *
LISTPDS DSNAME=(ieaapf file name),VOL=SYSALLDA=(volume name),FORMAT
LISTPDS DSNAME=(ieaapf file name),VOL=SYSALLDA=(volume name),FORMAT
(list all ieaapf file names in each volume)
MVSLKLST.JCL
//AUDIT JOB,CLASS,MSGCLASS,
// USER=xxxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//*
//* THIS PROGRAM IS USED TO LIST MEMBERS IN LNKLST00 TO DETERMINE
//* IF ALL MEMBERS EXIST; ALL MEMBERS ARE CATALOGUED, ETC.
//*
//SS1 EXEC PGM=IEHLIST
//SYSPRINT DD SYSOUT=*
//DD1 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD2 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD3 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//SYSIN DD *
LISTPDS DSNAME=(lnklst file name),VOL=SYSALLDA=(volume name),FORMAT
LISTPDS DSNAME=(lnklst file name),VOL=SYSALLDA=(volume name),FORMAT
(list all lnklst file names in each volume)
MVSLPALS.JCL
//AUDIT JOB,CLASS,MSGCLASS,
// USER=xxxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//*
//* THIS PROGRAM IS USED TO LIST MEMBERS IN LPALST00 TO DETERMINE
//* IF ALL MEMBERS EXIST; ALL MEMBERS ARE CATALOGUED, ETC.
//*
//SS1 EXEC PGM=IEHLIST
//SYSPRINT DD SYSOUT=*
//DD1 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD2 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD3 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//SYSIN DD *
LISTPDS DSNAME=(lpalst file name),VOL=SYSALLDA=(volume name),FORMAT
LISTPDS DSNAME=(lpalst file name),VOL=SYSALLDA=(volume name),FORMAT
(list all lpalst file names in each volume)
MVSIEANU.JCL
//AUDIT JOB,CLASS,
// USER=xxxxx,PASSWORD=xxxxx
/*ROUTE PRINT
//SS1 EXEC PGM=AMBLIST
//SYSPRINT DD SYSOUT=*
//SYSLIB DD DSN=SYS1.NUCLEUS,DISP=SHR
//NUCLEUS DD DSN=SYS1.NUCLEUS,DISP=SHR
//SYSIN DD *
LISTIDR DDN=NUCLEUS,OUTPUT=IDENT,MODLIB,MEMBER=IEANUC01
LISTLOAD DDN=SYSLIB,MEMBER=IEANUC01,OUTPUT=XREF
MVSSVCLB.JCL
//AUDIT JOB,CLASS,
// USER=xxxxxx,PASSWORD=xxxxxxxx
/*ROUTE PRINT
//SS1 EXEC PGM=IEHLIST
//SYSPRINT DD SYSOUT=*
//DD1 DD DISP=SHR,UNIT=SYSALLDA,VOL=SER=(volume name)
//SYSIN DD *
LISTPDS VOL=SYSALLDA=(volume name),DSNAME=SYS1.SVCLIB
MVSDUMP.JCL
//AUDIT JOB,CLASS,
// USER=xxxxxx,PASSWORD=xxxxxxxx
/*ROUTE PRINT
//SS1 EXEC PGM=AMBLIST
//SYSPRINT DD SYSOUT=*
//LPALIB DD DSN=SYS1.LPALIB,DISP=SHR
//SYSIN DD *
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFU83
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFU84
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFACTRT
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUJV
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUSI
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUJI
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUTL
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFU29
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUJP
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUSO
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUAV
LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFU85
LISTLOAD DDN=LPALIB,MEMBER=IEFU83,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFU84,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFACTRT,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFUJV,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFUSI,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFUJI,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFUTL,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFU29,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFUJP,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFUSO,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFUAV,OUTPUT=XREF
LISTLOAD DDN=LPALIB,MEMBER=IEFU85,OUTPUT=XREF
MVSVTML.JCL
//AUDIT JOB,CLASS,MSGCLASS,
// USER=xxxxxx,PASSWORD=xxxxxxxx
/*ROUTE PRINT
//S1 EXEC PGM=PDSLIST,PARM='EJECT,INDEX'
//* PARM= SPACE (SKIP A LINE) - EJECT (A PAGE) - ALPHA (LIST BY NAME)
//* INDEX (INDEX IT) - UPDTE (IEBUPDTE CONTROL)
//SYSPRINT DD SYSOUT=*,OUTLIM=0
//OUTPDS DD SYSOUT=(B,,CHAR),DCB=BLKSIZE=80
//SYSUT9 DD DSN=SYS2.ACFVTAM.VTAMLST,DISP=SHR
//SYSIN DD *
//
Tuesday, April 12, 2011
MVS audit program