CA-7 Job Scheduling System Review by auditnet

VIEWS: 1,866 PAGES: 8

									Following was contributed to AuditNet LLC by (Rey LeClerc) Objectives: To ensure that adequate security procedures have been established over the production control mechanism of CA-7. General Description CA-7, a product of Computer Associates, is an on-line system that monitors and controls all areas of production activity. The primary function of CA-7 is production control. It also provides for work load scheduling, work load sequencing, work flow control, job flow control, job restart, on-line utility execution, security, work load forecasting, history reporting, management level reporting, work load balancing, text editing and documentation through a system provided text editor. Access to and use of the CA-7 functions are controlled through the CA-7 security macro statement. The CA-7 security macro statement must be included in the CA-7 initialization deck. The initialization listing contains information which identifies all individuals, resources and their authorization. The Initialization Deck contains a SECURITY statement. The SECURITY statement points to a load module containing the user's security definitions. SECURITY macros are used to generate the load module referenced in the initialization deck. A security module should be assembled and link edited for the user's specific environment. Security is defined in five hierarchical levels: o Terminal/Operator - all personnel and the terminals that each individual is allowed to use must be defined to the system. o Operator/Application - this level of authority restricts individuals to only those applications for which they are responsible. o Application/Command - each application system has a set of commands associated with it. Each command is assigned a value to 0 and 15, with the largest number being the most restrictive. An individual is restricted to application commands with an assigned value equal to or less that the application level specified for the operator/application level.

o Command/Function - this level of authorization controls the use of screens, functions and terminals in application areas in which the application/command level security is not sufficient to control access. On such application, database maintenance, requires this level of security for control of database access and update. o User ID/Ownership - restricts access to data sets external to CA-7. It is only effective for individuals who attempt access while logged on to CA7. Audit Program 1. Determine who is responsible for the system installation and maintenance of CA-7. Examine the security procedures for the installation and maintenance of hard-copy listings. 2. Obtain a JCL listing of the initialization deck. Review system command definitions and determine their functions. Evaluate the adequacy of access controls. A complete description of all commands allowable in the initialization deck can be found in the CA-7 System Installation and Maintenance Manual, Chapter 5: Initialization. Particular concern should be placed over the following: o The APPLCTN control statement identifies the use of supplemental application routines or user exits. This control statement is specified as APPLCTN, NAME=SASSxxxx (where xxxx identifies specific CA-7 application modules that are available for use by the product). Note that APPLCTN statements that are active must be defined in the initialization deck before the SASSPROG module. Obtain and review the source code for the CA-7 application routines and user exits specified in the initialization deck APPLCTN control statement. Evaluate the nature and purpose of these modules. Ascertain their impact on the data security environment within CA-7. Important and commonly used user exit routines supplied by CA-7 which can be tailored by the site for specific installation requirements such as: SASSXX02 used to add, delete, or change JCL statements or control cards

immediately preceding job submissions; SASSXX03 used to reject a utility request; SASSXX05 used to add, delete or change JCL statements or control cards at the time of execution JCL is attached to a job in the request queue; SASSXX07 used to examine, and potentially check external data security; SASSXX09 used to allow user modifications of CA-7 command input; SASSXXLx (where x is a variable determined by the installation; it should be the LOGON=x keyword of the SECURITY statement macro of the initialization deck) is used to verify or monitor operator logon and/or passwords entered at logon time. It is also commonly used to provide a sign-on validation interface between CA-7 and CA-Top Secret. SASSRMS1 and SASSRMS2 are used to provide the interface between CA-7 and CA-11. o The TERM statement defines the terminals that have access to CA-7. The CONS keyword identifies both the CA-7 master (MASTR) terminal and the CA-7 alternate master terminals (ALTRN). These terminals can issue the CA-7 SHUTDOWN command, i.e. causes a normal termination of CA-7 execution. Determine the location of each CA-7 terminal as identified in the NAME keyword and review for appropriate physical access security. Evaluate terminals defined in the network and their use according to proper segregation of duties. o Determine whether the time-out function is adequately defined for CA-7 terminals. Time-out limit is curtailed on a terminal basis. TIMLIM keyword within the TERM statement specifies the number of minutes of inactivity allowed to elapse before the terminal is automatically logged off from CA-7. Default is 30 minutes. o Security statement identifies the load module in which the security matrix for CA-7 is identified and specifies if it relies on CA-Top Secret for protection or uses its internal security mechanism. LOGON=x keyword specifies the SASSXLx exit routine that will require control

during logon if any. HIPEPW keyword specifies display of user security password whenever JCL is listed with one of the inquiry commands. The default is NO and it indicates the values are to be displayed. EXTERNAL keyword identifies the security function (calls) which are to be controlled by CA-Top Secret. Options include LOGON, COMMAND, DATASET, SUBCHECK, and SUBOWNER. A description of these options are found in the CA-7 Security Guide. If EXTERNAL=LOGON keyword is used determine that adequate access has been given through CA-Top Secret for CA-7 usage. IF EXTERNAL=COMMAND keyword is used. CA-Top Secret controls access to CA-7 commands, overriding CA-7 internal security. If so, determine that proper protection has been given over sensitive commands through CA-Top Secret resource security. See audit step 4 for listing of sensitive commands and CA-7 MVS Security Guide: Appendix A: CA-7 Security Table. If adequate reliance has been placed on external security, audit steps 3, 4, and 5 may be skipped. If USER keyword is used, CA-7 protects a user-id level. If so, the userid source macro must be obtained and examined to ensure that adequate access is given. This option is described in CA-7 System Installation and Maintenance Manual: Chapter 3. 3. Obtain a copy of the source code for the installation's security module. Review parameters to ensure that adequate access capabilities of CA-7 users has been defined in accordance with each user's actual job requirements. In doing so, note the following: o CA-7 command capabilities are defined by the APLID keyword. There are two parameters that are used by APLID. The value for the first APLID parameter must consist of four characters.

The first three characters identifies a specific CA-7 application driver, and the last character must be 0. CA-7 application drivers are: - SCM (system commands); - SDM (data base maintenance); - SJR (job restart); - SPO (queue posting); - SQM (queue maintenance); - UTL (utilities); - SYS (system information); - SCO (core manipulation); - TRA (system debugging). Note that the last three application drivers are only required by CA-7 Technical Support Representative. The value for the second APLID parameter consist of two character function authorization level. Functions are assigned numeric values from 0 to 15. Functions defined with the lower numbers are more restrictive than those with higher numbers. Functions are disabled if their numeric level assignment exceeds 15. Each application driver allows for the submission of commands based on the given function authorization level. o OPID keyword specifies the operator's identification code which must be used when logging on to a CA-7 terminal. o TRM keyword specifies the name of the CA-7 terminal which the operators are authorized to use. Sensitive APLID should be restricted to protected terminals. o USRID keyword is used to restrict access within CA-7 to certain datasets and or PDS members. The higher the value, greater the privilege. USRID=255 allows access to all information regardless of ownership. If omitted, set to default, USRID=0. 4. Obtain the source code for the SASSTRAN module. Determine the security structure designated here for sensitive commands of the CA-7 applications. Within each CA-7 application there is at least one command which can be

performed. Each command is assigned a required authorization value (level) from 0 to 15 in the SASSTRAN module. Any command is disabled by giving a level greater than 15. Commands assigned with lower numbers are less restricted than commands assigned higher numbers. These command levels values are used to determining the CA-7 command authorities assigned to users, which is specified in the SECURITY module. Sensitive commands include: o CLOSE - clears CA-7 control blocks. If a terminal is not specified, the terminal issuing the command will be disconnected from CA-7. The operator will have to reconnect and log on again. o SHUTDOWN - causes a normal termination of CA-7 execution. o DISPLAY - obtains internal information and/or status of various components of CA-7. o RESTART - used for job restart. o SSCAN - used to change the way schedule scan is responsible for scheduling and controlling all CA-7 jobs and networks. Improper use of SSCAN command can cause severe performance problems with CA-7. o START - used to reactivate interrupted queue activity. o STOP - used to temporarily suspend job movements through the queue. o Utility commands, such as, RENAME, SCRATCH, DELETE, CATALOG, UNCATALOG, SCRATCHP, and ALLOCATE should be restricted to console operators, CA-7 coordinators and system programmers. o System commands, such as, CHANGE, DMP1, DUMP, RELINK, JCLOVRD, DEMAND, NXTCYC, ADDRQ, RUN, SSCAN, START, and STOP allow users to dynamically control and change the production environment. Use of these commands should be subject to high authorization and should be limited by the console operator. Re-examine the SECURITY module to ensure that access to commands has been given on a need-to-know basis. 5. Obtain a copy of the source code for the SASSDSCR module. the Determine

security structure designated here for the CA-7 database maintenance application. Since a single authorization level as defined in the SASSTRAN module is not enough to control database access and update, a security method was devised to control access based on screen, function and terminal. This security table is defined in the SASSDSCR. Access controls are established here over various functions. These are specified for READ, ADD, UPD (update), DEL (delete), and SUBM (job submission) type functions (with numeric values of 0 to 15 representing the function authorization levels). These authorization values are used to determine each user's capabilities within CA-7. Note that users can also be further restricted here to only certain predefined terminals by specifying the name of the CA-7 terminals with the TERM keyword. 6. Determine that procedures for acquiring access to CA-7 are adequately documented, established and maintained. 7. Identify all CA-7 system datasets. Obtain the names of the CA-7 product source and executable libraries. Ascertain that the CA-7 libraries have adequate data set protection. Determine that the individuals that are not directly responsible for maintaining the product (i.e. the system programmers). Examine the data set access rules/profiles to ensure that update access is restricted only to those individuals directly responsible for maintaining the product through usage of CA-Top Secret. 8. Determine that adequate support staff is available to provide timely system maintenance and enhancement. 9. Obtain and review CA-7 log files reports. Particular concern should be placed over the above stated commands on audit step 4. 10. Review CA-7 computer operation procedures and ensure that they are up to date.

11. Determine whether worksheets are prepared for scheduled tasks, and if so, are they reviewed by management. 12. Determine that there is a documented Business Resumption Plan which address backup and emergency procedures for CA-7 recovery. Document backup procedures for CA-7 datasets and evaluate their adequacy.

To top