Tuesday, April 12, 2011

MVS Operating System Review

The following was contributed by Rey LeClerc (rey@mass-usa.net).

Objectives: To ensure the adequate installation and maintenance of the MVS
environment.


Audit Program

1. Obtain the listings and/or READ access authority for the system parameter
library:
SYS1.PARMLIB.

(Note on syntax conventions: throughout, this audit program uses the strings
'xx' or 'x' to refer to member name suffix variables. The actual suffix values
are defined within the members of SYS1.PARMLIB used by the MVS IPL to
establish the system parameters.)

The actual member suffix is either specified by the computer operator during
the IPL process (using the SYSP=xx parameter) or defaults to '00' (i.e.
IEASYS00).

If multiple members exist, compare them, identify their differences, and
evaluate their potential impact on system controls.
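
The comparison in step 1 can be done mechanically once the members have been downloaded as text. The following is an added example, not part of the contributed audit program: the two member bodies are constructed samples, and the function names are hypothetical. It lists the parameters that differ between two IEASYSxx members and resolves the suffixes to the PARMLIB member names used in the later steps.

```python
import re

# Constructed sample IEASYSxx members (not taken from a real system).
IEASYS00 = """\
APF=00,CMD=00,CON=00,
LNK=00,LNKAUTH=APFTAB,
LPA=00,SMF=00,SVC=00
"""
IEASYS01 = """\
APF=(00,T1),CMD=01,CON=00,
LNK=00,LNKAUTH=LNKLST,
LPA=00,SMF=T1
"""

# IEASYSxx parameter -> PARMLIB member prefix, as named in this audit program.
PREFIX = {"CON": "CONSOL", "CMD": "CMMND", "SMF": "SMFPRM", "APF": "IEAAPF",
          "LNK": "LNKLST", "LPA": "LPALST", "SSN": "IEFSSN", "SCH": "SCHED",
          "SVC": "IEASVC"}

def parse_ieasys(text):
    """Return {parameter: value}; a parenthesised list is kept as one value."""
    pairs = re.findall(r"(\w+)=(\([^)]*\)|[^,\s]+)", text)
    return {key.upper(): value.upper() for key, value in pairs}

def members(params):
    """Resolve each suffix to a member name, e.g. SMF=T1 -> SMFPRMT1."""
    out = {}
    for key, prefix in PREFIX.items():
        if key in params:
            suffixes = params[key].strip("()").split(",")
            # Suffixes are two characters; anything else in the list is skipped.
            out[key] = [prefix + s for s in suffixes if len(s) == 2]
    return out

def diff(a, b):
    """Parameters whose values differ, as {parameter: (value_a, value_b)}."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

if __name__ == "__main__":
    m00, m01 = parse_ieasys(IEASYS00), parse_ieasys(IEASYS01)
    for name, (old, new) in diff(m00, m01).items():
        print(f"{name}: IEASYS00={old} IEASYS01={new}")
    print(members(m01))
```

A parameter that appears in only one member is reported with `None` on the other side, which means the system default applies there.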

2. Identify the system operator consoles and their command capability groups.
These are defined in the CONSOLxx members of SYS1.PARMLIB (CON=xx parameter of
IEASYSxx).

Determine whether these definitions are being overridden by operator
commands. Operator commands are either entered from the console or executed
automatically at IPL by the CMMNDxx member(s) from the CMD=xx parameter of
IEASYSxx.

Verify the active system console definitions by executing the command DISPLAY
ACTIVE (or D A) from either a real or emulated (e.g. SDSF or OMEGAMON) operator
console. Investigate any discrepancies in the active console device names and
their command groups.

Locate all active consoles that have been defined with any of the console
command groups, other than INFO. Evaluate whether there is adequate physical
security over the console(s) and whether the console command group(s) are
appropriate for each console's location and assigned function.

3. Identify the active System Management Facility (SMF) parameter definitions.
These are provided in the SMFPRMxx member(s) of SYS1.PARMLIB (from SMF=xx in the
IEASYSxx member).

Key audit concerns include:

Whether the SMF recording option has been activated. Identify the names of
the SYS1.MANx files defined by the DSNAME() parameter. Verify that update or
alter access has not been provided to anyone (review the dataset access control
lists).

Identify the active SMF exits. Review the nature and purpose of these exits
and their impact on the audit and control environment (special attention should
be given to exits IEFU83 and IEFU84, which can be used to suppress SMF
recording).

Which SMF record types are being collected. The important SMF record types
and their functions are:

Record type(s)   Function
0, 90            System IPL
7                SMF lost data
5, 35            Job record
4, 34            Program record
80, 81           RACF and CA-Top Secret information
60-69            VSAM information
30               Combined record (replacing types 4, 5, 34, 35)
14, 15, 17, 18   Dataset information

Whether operators can override SMF recording (the PROMPT parameter).

The appropriateness of the console logging options defined.

Whether the JOB WAIT TIME parameter is set to an appropriate length of time.
This number represents the amount of time (in minutes) that a job will be
allowed to remain idle before cancellation.

In addition to the system efficiency concerns, this parameter is where the TSO
automatic time-out limit for inactive terminals is defined.
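
The SMFPRMxx concerns in step 3 can be checked against a downloaded copy of the member. The following is an added example, not part of the contributed audit program: the member text is a constructed sample, the function names are hypothetical, and the keywords ACTIVE/NOACTIVE, TYPE/NOTYPE, EXITS and JWT are the SMFPRMxx spellings assumed here for the options the step describes.

```python
import re

# Constructed sample SMFPRMxx member (not taken from a real system).
SMFPRM00 = """\
ACTIVE                          /* SMF recording on          */
DSNAME(SYS1.MAN1,SYS1.MAN2)     /* recording data sets       */
PROMPT(LIST)                    /* operator may change parms */
JWT(0030)
SYS(NOTYPE(14:18,60:69),EXITS(IEFU83,IEFU84,IEFUJV))
"""

# Record types this audit program lists as important.
IMPORTANT = {0, 90, 7, 5, 35, 4, 34, 80, 81, 30, 14, 15, 17, 18,
             *range(60, 70)}

def _types(spec):
    """Expand a list such as '14:18,60:69' into a set of record types."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def review_smfprm(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S).upper()

    def arg(keyword):
        m = re.search(r"\b%s\(([^()]*)\)" % keyword, text)
        return m.group(1) if m else None

    # Assumption: every type is collected when TYPE and NOTYPE are both absent.
    collected = set(range(256))
    if arg("TYPE") is not None:
        collected = _types(arg("TYPE"))
    elif arg("NOTYPE") is not None:
        collected -= _types(arg("NOTYPE"))
    exits = [e.strip() for e in (arg("EXITS") or "").split(",") if e.strip()]
    return {
        "recording_active": not re.search(r"\bNOACTIVE\b", text),
        "datasets": [d for d in (arg("DSNAME") or "").split(",") if d],
        "operator_prompt": arg("PROMPT"),      # None means no PROMPT(...) coded
        "job_wait_time": arg("JWT"),           # raw value, as coded
        "suppress_capable_exits": [e for e in exits
                                   if e in ("IEFU83", "IEFU84")],
        "important_types_not_collected": sorted(IMPORTANT - collected),
    }

if __name__ == "__main__":
    for item, value in review_smfprm(SMFPRM00).items():
        print(f"{item}: {value}")
```

The data set names returned under `datasets` are the ones whose access control lists need to be reviewed for update or alter access.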

4. Identify the libraries that have been designated as APF authorized. MVS
requires certain specific system libraries to be APF authorized (either
consistently or at IPL time) - e.g. SYS1.CMDLIB, SYS1.NUCLEUS, SYS1.LINKLIB,
SYS1.LPALIB, SYS1.IMAGELIB, SYS1.SVCLIB, and SYS1.VTAMLIB. Also, the
installation designates other libraries as APF authorized by referencing these
libraries in:

- The IEAAPFxx member(s) as defined in the APF=xx parameter of IEASYSxx;

- The LNKLSTxx member(s) as defined in the LNK=xx parameter of IEASYSxx.

For MVS/XA systems, the linklist is APF authorized only when the LNKAUTH
parameter of IEASYSxx is set to LNKLST (this is the default value; the
alternate setting is APFTAB).

- The LPALSTxx member(s) as defined in the LPA=xx parameter of IEASYSxx.
Programs defined in the LPA libraries get APF authorization when moved into LPA
during the system IPL.

Review the libraries designated here as APF with the MVS system programmer
and determine:

- The nature and purpose of each APF library.

- Whether there are any duplicate libraries (by function, similar names,
etc.)

- The necessity of these libraries (only production system libraries should
be defined here.)

- Whether any application program libraries (both test and production) or
data file libraries have been defined here.

- The individual and suitable backup personnel responsible for maintaining
each of these libraries.

- The appropriateness of these data set access profiles over the APF defined
libraries. Access to these libraries should be strictly controlled.

In addition to the APF authorized libraries, access controls over the page and
(if defined) swap datasets should be verified (defined as PAGE= and SWAP= in
IEASYSxx).
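
The list of libraries to walk through with the system programmer in step 4 can be assembled from the three members, taking the LNKAUTH setting into account. The following is an added example, not part of the contributed audit program: the member bodies are constructed samples and the function names are hypothetical.

```python
# Constructed sample members (not taken from a real system).
IEAAPF00 = """\
SYS1.VTAMLIB SYSRES,
SYS2.AUTHLIB SYS001,
PAYROLL.TEST.LOADLIB APP001
"""
LNKLST00 = "SYS1.LINKLIB,\nSYS1.CMDLIB,\nSYS2.AUTHLIB,\nSYS2.LINKLIB\n"
LPALST00 = "SYS1.LPALIB,\nSYS2.LPALIB\n"

# System libraries the audit program names as required to be APF authorized.
REQUIRED = {"SYS1.CMDLIB", "SYS1.NUCLEUS", "SYS1.LINKLIB", "SYS1.LPALIB",
            "SYS1.IMAGELIB", "SYS1.SVCLIB", "SYS1.VTAMLIB"}

def dsnames(text):
    """First token of each comma-separated entry.

    IEAAPFxx entries also carry a volume serial after the data set name;
    LNKLSTxx and LPALSTxx entries are data set names only.
    """
    return [e.split()[0].upper() for e in text.split(",") if e.split()]

def apf_review(apf, lnklst, lpalst, lnkauth="LNKLST"):
    """Libraries that end up APF authorized, and which member puts them there."""
    sources = {"IEAAPF": dsnames(apf), "LPALST": dsnames(lpalst)}
    if lnkauth.upper() == "LNKLST":     # linklist is authorized only in this setting
        sources["LNKLST"] = dsnames(lnklst)
    where = {}
    for member, names in sources.items():
        for name in names:
            where.setdefault(name, []).append(member)
    return {
        # Everything beyond the required system libraries needs a stated purpose.
        "installation_defined": sorted(set(where) - REQUIRED),
        # The same library authorized through more than one member.
        "listed_more_than_once": sorted(n for n, m in where.items()
                                        if len(m) > 1),
        "source": where,
    }

if __name__ == "__main__":
    for setting in ("LNKLST", "APFTAB"):
        result = apf_review(IEAAPF00, LNKLST00, LPALST00, lnkauth=setting)
        print(setting, result["installation_defined"],
              result["listed_more_than_once"])
```

Each name under `installation_defined` is then checked for purpose, owner, and data set access profile as the step describes.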

5. Identify the subsystems defined to MVS. These can be found in the IEFSSNxx
member(s) as defined in the SSN=xx parameter of IEASYSxx. Ascertain whether
these are active, their nature and purpose, and their effect on overall MVS
controls.

6. Ensure that the Program Properties Table (PPT) is protected by RACF. The
PPT is included in the SYS1.NUCLEUS dataset and can be modified by the PPT
entries in the SCHEDxx member(s) of SYS1.PARMLIB as defined in the SCH=xx
parameter of IEASYSxx.

In RACF environments, the DSMON Program Properties Table report provides a
comprehensive listing of the PPT.

Identify those entries that are defined to bypass password protection.
Determine the nature and purpose of these programs, access controls over them,
and evaluate their appropriateness.

7. Review the installation-defined SVCs (Supervisor Calls) that are supplied
in the IEASVCxx member(s) as defined in the SVC=xx parameter of IEASYSxx.

Identify those SVCs that have been defined with APF=NO.

Ascertain whether these SVCs perform any sensitive functions.

If so, obtain the source code for the SVC(s) and make sure that the TESTAUTH
macro is used to control the use of the SVC(s).

A number of vendors provide SVCs for their product as load modules only. If
no source code is available, it is necessary to rely on the integrity of
established and reputable vendors.

8. Review access to sensitive MVS utilities and service aids.

These special programs and the standard libraries that they reside in include:
ICKDSF in SYS1.LINKLIB
IEHDASDR in SYS1.LINKLIB
AMASPZAP (SUPERZAP) in SYS1.LINKLIB
IEHINITT in SYS1.LINKLIB

Determine whether these programs reside in their standard libraries. List the
index of the default libraries (e.g. SYS1.LINKLIB) to verify that the programs
reside there.

If these programs reside in the standard system libraries (with universal
execute access), ascertain whether the data security software is controlling
execute access to these programs in another manner.

Examples of such controls include the RACF PROGRAM general resource class.

Evaluate the adequacy of the controls in place over the execution of special
programs. Review the established access rules/profiles over these programs.
Verify that execute access is granted only to the appropriate system
programming and computer operations personnel.



* * * * *

Reference Manual

MVS/Extended Architecture System Programming Library: Initialization and
Tuning, GC28-1149-5

