TSO: Time Sharing Option Subsystem Review

Following was contributed to AuditNet LLC by (Rey LeClerc) email@example.com

Objective: To determine whether TSO access and privileges are controlled and provided only as necessary.

General Description

TSO (Time-Sharing Option) is an on-line program development and testing tool. It allows programmers to create, edit and test application programs from an on-line terminal, thereby eliminating most of the turnaround time required by a batch system. TSO executes several basic groups of functions, as follows:

Data Management - These functions manage the on-line programs and test data files for the user.
o List - Used to display the contents of an on-line file (member) on the terminal.
o Copy - Used to copy one file to another or combine two or more files into one file.
o Rename - Can be used to rename a file.
o Delete - Used to delete one or more files from the on-line system.
o Allocate - Allocates space for a file.
o Protect - May be used to protect one or more files from access by other users or from accidental deletion by the user.

Program Development - Used to create, edit, compile and place programs into production.
o Edit - Used to create and/or edit a program or test data file. This is the only function within the program development group to which most programmers should have access, as all the others relate to compilation and to placement of test programs into production.
o Link - Used to link-edit two or more programs together for execution.
o COBOL and PL/1 - Compilers for the respective languages.

Miscellaneous
o Submit - Used to submit a program to the reader queue for execution in batch mode.
o Status - Used to check the status of programs in the reader or output queue.
o Output - Allows the user to display the output of a test program on the terminal.
o Cancel - Used to cancel a program out of the reader queue before or during execution.
o Send - Used for sending messages between terminals and to/from the operator.
o Log-off - Logs the user off the system.

The actual terminal control of the TSO system is handled by the communications system (such as ACF/VTAM), not by TSO. Whenever a user logs onto the system, the logon information is compared against the User Attribute Data Set (UADS) to verify that the user is valid. The UADS contains a User-ID, by which the user is identified to the system, a password and an account number. The latter two are optional and not always used. The auditor should verify that passwords are actually in use and never assume that the security features are being used merely because an environment has TSO.

ISPF (Interactive System Productivity Facility) is a further enhancement of TSO. Its features include a menu format that allows for greater ease of use, full-screen text editing, scrolling for displaying output on the terminal, and an on-line tutorial. Through the menu, the user can also access most of the common IBM utility programs. The risks related to the use of ISPF are similar to those of TSO, namely the need to restrict each programmer's access to only the utilities and functions that programmer requires. Also, since the system is menu-driven and has a built-in tutorial, there is a risk that an unauthorized user who gains access through a weak security system could learn how to use the TSO and ISPF commands to manipulate programs and data files.

The major point to remember in environments that use TSO is that it is strictly a programmer productivity tool. It is not a true on-line monitor, in that production programs cannot be run on-line with it. It does not add any controls to an environment, and it may increase the overall security risk if access to the commands and utilities is not tightly controlled.
Audit Program

1. Ascertain whether this site restricts access to TSO facilities to only those individuals who need it. Identify the means used by this location to define and control access to TSO. The options available are: to use only the RACF data base; to use only SYS1.UADS; or to use both (usually for transitional purposes). SYS1.UADS may also be retained only for emergency backup purposes.

2. If SYS1.UADS is the primary means of controlling TSO access, obtain the SYS1.UADS file; use the TSO ACCOUNT command (executed by a user defined with ACCOUNT capabilities) for this. If RACF is used to control TSO access, list the active TSO-type resource classes (i.e. TSOAUTH, TSOPROC, ACCTNUM, PERFGRP) using the SEARCH and/or RLIST commands. TSO user authorities are defined in either of these places. The RACF User-ID definition takes precedence when the same User-ID is also defined in SYS1.UADS. If TSO access is controlled by RACF (instead of SYS1.UADS), TSO users must have profile definitions in the TSOPROC and ACCTNUM resource classes. Review these listings selectively, i.e. where key access controls rely on their definitions. Verify that the OPER privilege has been provided only to MIS operations and system programming personnel. This is specified in the TSOAUTH resource class or in SYS1.UADS, according to where the TSO user attributes are defined.
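The reconciliation the two audit steps describe can be scripted once the listings have been transcribed. The following is an added example, not part of the AuditNet program and not an IBM or RACF tool: it models TSO definitions from RACF and from SYS1.UADS as plain Python dictionaries (the record layout, User-IDs, departments, ACCTNUM and TSOPROC profile names and the TSOAUTH resource names other than OPER are constructed for illustration) and applies the rules stated above: the RACF definition wins when a User-ID exists in both places, RACF-controlled TSO users need a permitted ACCTNUM and TSOPROC profile, and OPER belongs only to operations and systems programming staff.

```python
"""Audit helper: reconcile TSO user authorities from RACF and SYS1.UADS.

Added example for the TSO audit program. The data below is constructed;
in a real review these facts would be transcribed from the TSO ACCOUNT
command (for SYS1.UADS) and from RACF SEARCH/RLIST output for the
TSOAUTH, TSOPROC and ACCTNUM classes.
"""

# Constructed sample: RACF-side facts per User-ID (not real RLIST output).
RACF_USERS = {
    "OPS001": {"dept": "OPERATIONS", "tsoauth": {"OPER", "JCL", "ACCT"}, "acctnum": "ACCT01", "proc": "PROC01"},
    "SYS002": {"dept": "SYSPROG",    "tsoauth": {"OPER", "JCL"},         "acctnum": "ACCT01", "proc": "PROC01"},
    "DEV003": {"dept": "APPDEV",     "tsoauth": {"JCL"},                 "acctnum": "ACCT02", "proc": "PROC02"},
    "DEV004": {"dept": "APPDEV",     "tsoauth": {"OPER", "JCL"},         "acctnum": "ACCT02", "proc": "PROC02"},
    "DEV005": {"dept": "APPDEV",     "tsoauth": {"JCL"},                 "acctnum": None,     "proc": "PROC02"},
}

# Constructed sample: entries still present in SYS1.UADS (transitional copy).
UADS_USERS = {
    "DEV004": {"dept": "APPDEV", "tsoauth": {"JCL"}},   # also in RACF: RACF wins
    "OLD006": {"dept": "APPDEV", "tsoauth": {"OPER"}},  # defined only in UADS
}

# Constructed sample: User-IDs permitted to each ACCTNUM / TSOPROC profile.
ACCTNUM_PERMITS = {"ACCT01": {"OPS001", "SYS002"}, "ACCT02": {"DEV003", "DEV004"}}
TSOPROC_PERMITS = {"PROC01": {"OPS001", "SYS002"}, "PROC02": {"DEV003", "DEV004", "DEV005"}}

# Departments the audit program allows to hold OPER (assumed names).
OPER_ALLOWED_DEPTS = {"OPERATIONS", "SYSPROG"}


def merge_tso_definitions(racf, uads):
    """Effective TSO attributes per User-ID; RACF takes precedence over UADS."""
    merged = {}
    for userid, attrs in uads.items():
        merged[userid] = dict(attrs, source="UADS")
    for userid, attrs in racf.items():
        merged[userid] = dict(attrs, source="RACF")   # overrides any UADS entry
    return merged


def uads_only_users(racf, uads):
    """User-IDs that exist only in SYS1.UADS (leftovers to question)."""
    return sorted(set(uads) - set(racf))


def oper_exceptions(merged, allowed_depts=OPER_ALLOWED_DEPTS):
    """User-IDs holding OPER outside the departments allowed to have it."""
    return sorted(
        userid for userid, attrs in merged.items()
        if "OPER" in attrs["tsoauth"] and attrs["dept"] not in allowed_depts
    )


def missing_racf_tso_profiles(racf, acctnum_permits, tsoproc_permits):
    """RACF-controlled TSO users lacking a permitted ACCTNUM and TSOPROC."""
    flagged = []
    for userid, attrs in racf.items():
        acct_ok = userid in acctnum_permits.get(attrs["acctnum"], set())
        proc_ok = userid in tsoproc_permits.get(attrs["proc"], set())
        if not (acct_ok and proc_ok):
            flagged.append(userid)
    return sorted(flagged)


def audit_report(racf=RACF_USERS, uads=UADS_USERS,
                 acctnum_permits=ACCTNUM_PERMITS, tsoproc_permits=TSOPROC_PERMITS):
    """Run the three checks from the audit program over the given data."""
    merged = merge_tso_definitions(racf, uads)
    return {
        "uads_only": uads_only_users(racf, uads),
        "oper_exceptions": oper_exceptions(merged),
        "missing_profiles": missing_racf_tso_profiles(racf, acctnum_permits, tsoproc_permits),
    }


if __name__ == "__main__":
    for check, users in audit_report().items():
        print(f"{check}: {', '.join(users) or 'none'}")
```

On the sample data the report flags OLD006 as a UADS-only leftover, DEV004 and OLD006 as OPER holders outside operations and systems programming, and DEV005 as a RACF-controlled user with no permitted ACCTNUM; the OPER check is run over the merged view so that a UADS-only user is not missed when RACF is the primary control.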