The following was contributed by Rey LeClerc at firstname.lastname@example.org

VSE/SP Review

Objective: To ensure that adequate security procedures have been established over the VSE/SP environment.

General Description

VSE/SP is a complete pre-generated VSE system. It contains an integrated set of IBM licensed programs and all the processes necessary to allow users to perform on-line functions as well as submit batch tasks.

There are four areas of concern in this environment:

VSE/SP System Environment provides facilities for job accounting and for logging of programs executed and files used. Additionally, it has an access control function and DASD file protection. These facilities are an integral part of VSE/SP, but will not function until the site activates them.

VSE/ICCF provides an interactive command interface and is controlled by the security parameters defined in the VSE/SP System Environment.

CICS/DOS/VS supports interactive application sessions. Security controls are defined within the CICS Security Keys.

VSE/POWER provides support for the submission, execution, and printing of batch jobs. Security controls for VSE/POWER are defined in both the VSE/SP System Environment and the VSE/POWER system generation.

VSE/SP System Environment

An ID with System Administration authority is necessary to perform these audit steps. In order to review the appropriate system values, you must first locate them. In a VSE/SP environment the Volume DOSRES is always the System Residence Volume. The first file on this volume contains the members which control the system values.

If member $ASIPROC exists, it will contain the name of the IPLPROC member used for Automatic System Initialization. If $ASIPROC does not exist, then the operator must enter the appropriate name during IPL.

Audit Program

1. Obtain a copy of the IPL Process from the location. An IPL Procedure should be formalized, documented and available to the Operations Staff.

2. Access the Tailor IPL Procedure Dialog to display the parameter settings from the IPLPROC member. From the VSE/SP Function Selection panel select:

      2. <enter> - Resource Definition
      4. <enter> - Hardware Configuration & IPL
      3. <enter> - Tailor IPL Procedure

   A selection list of one or more IPLPROCs will be displayed. Use the ALTER function next to the one that corresponds to the name in either $ASIPROC or the site's IPL Process. This will present the following selection list:

      _SUPERVISOR  _SYS  _DLA  _DPD  _DLF  _DEF  _ZONE  _SVA

3. SUPERVISOR contains the IPL LOG option. Determine if the IPL log option is active. This option specifies whether or not IPL commands are logged on the IPL console.

4. SYS contains three parameters which are of interest from a control standpoint: DASDFP (DASD File Protection), JA (Job Accounting) and SEC (Access Control Function). Determine whether these are activated by the system.

VSE/ICCF

The Access Control function provides for user authentication. This feature is always active. Additionally, resource level protection is available when SEC is activated. Security information is stored in the system table DTSECTAB. There are two types of entries in DTSECTAB: user profiles and resource profiles. Resource profiles are only required if SEC is active. An additional level of logging is available if the optional licensed program, VSE/Access Control-Logging and Reporting, has been installed.

Audit Program

1. Review user profiles. From the VSE/SP Function Selection panel select:

      2. <enter> - Resource Definition
      1. <enter> - User Interface Tailoring
      1. <enter> - Maintain User Profiles

   Are the USERTYPEs 1 and 2 assigned only to those users who require them for their job function?

   Is the password expiration parameter set to a reasonable number of days?

   Ensure that users who have the ESCAPE attribute have a legitimate need to escape to native CICS/DOS/VS.

   Review the other user profile parameters and determine if authorizations are assigned to individuals appropriately.

   Verify that the AUTH=YES parameter is not specified. If it is, ensure that the user it has been given to needs Full Access to All Resources.

6. Review Resource Profiles

   Review the Access Rights for sensitive resources. The Universal Access Right is the authority all users have to this resource. Individual Access Rights are only meaningful if they are more restrictive.

   Determine that access to powerful programs has been restricted to only those users who require them to perform their job functions. Programs which should be looked at include:

      VSE/DITTO           Operations Utility
      FCOPY, FCOPYB       Fast Copy
      IKQVEDA, IKQVDU     VSAM Services
      MSHP                Maintain System History Program
      INITTP              Initialize Tape
      CLRDSK              Clear Disk
      ICKDSK              Device Support Facilities
      DOSVSDMP            Dump Utility

   Note: Use of DOSVSDMP should be severely restricted.

   Ensure that logging options have been specified, if the optional licensed program, VSE/Access Control-Logging and Reporting, has been installed. Also, ensure that adequate review and follow-up of violation/access reports is being performed.

CICS/DOS/VS

VSE/ICCF sign-on augments CICS/DOS/VS sign-on. If a DFHSNT entry exists for a user, CICS related parameters will be used from DFHSNT. If, however, no DFHSNT entry exists, the user may use CICS with the information from the VSE/ICCF profile.

Audit Program

1. Transaction Security. Review the DFHPCT entries. Make sure that the security keys for sensitive transactions are given only to those users who require them.

VSE/POWER

Audit Program

1. Obtain a copy of the POWER NDT, Network Definition Table. This table will list all local and remote devices which can access POWER for job submission. Ensure all have been properly defined with passwords that are not easily guessed and that these passwords are changed frequently.
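
The user-profile and resource-profile checks from the VSE/ICCF audit program above can be run mechanically once the profiles have been transcribed into a flat listing. The following is an added example, not part of the original contribution and not IBM's tooling. The KEY=VALUE layout, the field names PWDEXP and UACC, the 90-day limit and the sample profiles are all assumptions made for illustration.

```python
# Added example: the listing layout and the field names PWDEXP and UACC are
# assumptions for illustration, not the format VSE/SP itself produces.
MAX_PASSWORD_DAYS = 90  # assumed site policy for "a reasonable number of days"

# Powerful programs named in the audit program above.
POWERFUL_PROGRAMS = {"VSE/DITTO", "FCOPY", "FCOPYB", "IKQVEDA", "IKQVDU",
                     "MSHP", "INITTP", "CLRDSK", "ICKDSK", "DOSVSDMP"}

# Constructed sample profiles (not real site data).
SAMPLE = """\
TYPE=USER,NAME=SYSA,USERTYPE=1,PWDEXP=30,ESCAPE=YES,AUTH=YES
TYPE=USER,NAME=CLERK1,USERTYPE=2,PWDEXP=0,ESCAPE=NO,AUTH=NO
TYPE=USER,NAME=PROG7,USERTYPE=3,PWDEXP=60,ESCAPE=YES,AUTH=NO
TYPE=RESOURCE,NAME=DOSVSDMP,UACC=READ
TYPE=RESOURCE,NAME=MSHP,UACC=NONE
"""
# Users whose elevated attributes have a documented job need (constructed).
JUSTIFIED = {"SYSA": {"USERTYPE", "ESCAPE", "AUTH"}}

def parse(line):
    """Split 'KEY=VALUE,KEY=VALUE' into a dict with upper-cased keys and values."""
    fields = {}
    for part in line.strip().split(","):
        key, _, value = part.partition("=")
        fields[key.strip().upper()] = value.strip().upper()
    return fields

def audit(listing, justified):
    """Return (name, finding) pairs for profiles that fail the checklist."""
    findings = []
    for raw in listing.splitlines():
        if not raw.strip():
            continue
        p = parse(raw)
        name = p.get("NAME", "?")
        ok = justified.get(name, set())
        if p.get("TYPE") == "USER":
            if p.get("USERTYPE") in ("1", "2") and "USERTYPE" not in ok:
                findings.append((name, "USERTYPE 1 or 2 without documented need"))
            days = p.get("PWDEXP", "")
            if not days.isdigit() or not 0 < int(days) <= MAX_PASSWORD_DAYS:
                findings.append((name, "password expiration unset or too long"))
            for attr in ("ESCAPE", "AUTH"):
                if p.get(attr) == "YES" and attr not in ok:
                    findings.append((name, attr + "=YES without documented need"))
        elif p.get("TYPE") == "RESOURCE" and name in POWERFUL_PROGRAMS:
            if p.get("UACC", "NONE") != "NONE":  # any universal right is a finding
                findings.append((name, "powerful program open to all users"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, JUSTIFIED):
        print(f"{name}: {finding}")
```

Each finding is a prompt for follow-up with the profile owner, since the script can only compare the listing against the list of documented needs it is given.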