DOCSLIB.ORG

CICS Essentials Auditing CICS – a Beginner’S Guide

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
CICS Essentials Auditing CICS – a Beginner’S Guide CICS Essentials Auditing CICS – A Beginner’s Guide Julie-Ann Williams Mike Cairns Martin Underwood Craig Warren ii CICS ESSENTIALS Foreword by Brian Cummings A thorough Audit Guide for CICS is something that is long overdue. This document provides a wealth of information about CICS, its operations, and its various resources and capabilities along with audit guidelines and recommendations. Various documents on AuditNet and other sources have taken a stab at parts or all of CICS, but are likely not up to date or sufficiently complete. CICS largely remains an environment that holds its mysteries against auditors and security officers alike. The results of poor understanding can lead to dangerous levels of unidentified risk to the applications and sensitive information of entities that use the power of CICS for critical business applications. Unlike any other environment, CICS security implementations fail in the first place because all of the security control is often only focused on transactions. Transactions are many levels of resources removed from the data files and data bases they query or update. In the end, we see the greatest level of security established for the least sophisticated technical users – end business users, and the least security facing the most technically sophisticated – the CICS sub-system programmer and the CICS Application programmer. For example, it is typical to leave FCT resources unsecured and to allow the CICS regions to have total rights to the data sets they access. This condition gives sub-system and application programmers full-reign to use CICS utilities to inherit the CICS regions’ authorities and gain full access to freely browse and update data. Worse, such activity would take place well beneath the business and process internal controls established to assure the integrity of the data. There are many other security failures prevalent in CICS security implementations such as: empowering the CICS region default userid; running all CICS sub-systems and regions under the same user account or group, thus failing to achieve a separation of function across business applications; and inadequate protection of high-risk CICS system supplied transactions. I learned a great deal by reading this document, and will value it as a handy reference for my CICS security implementation and audit activities. I’m certain that you will find it equally useful, and possibly disturbing. As a peer professional so well said: When I realize that I don’t know something that is important to me, job one becomes to learn what I need to know. This document is a great start. Brian V. Cummings Practice Lead, IRM Advisory Services Tata Consultancy Services North America by Mike Cairns I was invited into this project late in its development, and asked to contribute some of my previously published articles on the subject of CICS security. When I was publishing online articles about CICS, the writing was limited to well under 2000 words to fit inside publishing limitations. With this book though, we see at last a larger format where subjects can be explained in more depth and detail than I could in my earlier work. It’s been a delight to be able to help a dedicated team of writers complete this CICS ESSENTIALS iii comprehensive introduction to auditing CICS. My contributions have been small, some old articles, and a bit of editing. The chance to re-write my old articles, and try to clarify the parts I now considered weak, was the best part of this project personally for me. But for the group, I have to congratulate Julie-Ann, Martin and Craig for creating the first detailed work on CICS audit that I know of. It’s a complex topic, and needs a book of this length to do it justice. We hope that all auditors when faced with a z/OS audit will find our contribution useful, and we look forward to providing future assistance with similar publications. Mike Cairns – August 2009 iv CICS ESSENTIALS TableofContents About this Book . 1 About the Book’s Sponsor . 1 About the Author(s) . 1 About You . 2 Icons Used in this Book . 2 More Detailed Technical Information . 3 Introduction to CICS Audit requirements . 5 What is CICS? . 5 How is CICS used? . 6 Databases and CICS . 7 Networks and CICS . 7 External Security control and CICS . 8 What types of risk need to be considered when auditing CICS? . 11 z/OS elements . 11 DB2 elements . 12 Networking elements . 13 Auditing CICS 101 . 14 Auditing CICS - A Beginners Guide . 15 Where to look and what to look for . 15 Job Control . 15 Associated Userid . 17 Datasets . 17 STEPLIB/STEPCAT . 18 Journals and Logs . 18 Dynamic transaction backout . 19 Recovery after a system abnormally terminates . 19 CSD . 19 System Initialization Parameters . 20 Override Parameter Settings . 20 SIT Settings . 20 CMDSEC . 21 CONFDATA . 21 CONFTXT . 21 DFLTUSER . 22 EJBROLEPRFX . 22 ENCRYPTION . 22 ESMEXITS . 22 GMTRAN . 22 KEYRING . 23 PLTPIUSR . 23 PLTPISEC . 23 PSBCHK . 24 RESSEC . 24 SEC . 24 SECPRFX . 24 SECPREFIXID . 25 SNSCOPE . 25 CICS ESSENTIALS v table of contents TCPIP . 26 USRDELAY . 26 XAPPC . 27 XCMD . 27 XDB2 . 29 XDCT . 29 XEJB . 30 XFCT . 31 XHFS . 32 XJCT . 32 XPCT . 33 XPPT . 33 XPSB . ..
Load more

Recommended publications
  • CA Top Secret for Z/OS Control Options Guide
    CA Top Secret® for z/OS Control Options Guide r15 Ninth Edition This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the “Documentation”), is for your informational purposes only and is subject to change or withdrawal by CA at any time. This Documentation is proprietary information of CA and may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. If you are a licensed user of the software product(s) addressed in the Documentation, you may print or otherwise make available a reasonable number of copies of the Documentation for internal use by you and your employees in connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy. The right to print or otherwise make available copies of the Documentation is limited to the period during which the applicable license for such software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed. TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
    [Show full text]
  • OS Structures and System Calls
    COS 318: Operating Systems OS Structures and System Calls Kai Li Computer Science Department Princeton University (http://www.cs.princeton.edu/courses/cos318/) Outline Protection mechanisms OS structures System and library calls 2 Protection Issues CPU Kernel has the ability to take CPU away from users to prevent a user from using the CPU forever Users should not have such an ability Memory Prevent a user from accessing others’ data Prevent users from modifying kernel code and data structures I/O Prevent users from performing “illegal” I/Os Question What’s the difference between protection and security? 3 Architecture Support: Privileged Mode An interrupt or exception (INT) User mode Kernel (privileged) mode • Regular instructions • Regular instructions • Access user memory • Privileged instructions • Access user memory • Access kernel memory A special instruction (IRET) 4 Privileged Instruction Examples Memory address mapping Flush or invalidate data cache Invalidate TLB entries Load and read system registers Change processor modes from kernel to user Change the voltage and frequency of processor Halt a processor Reset a processor Perform I/O operations 5 x86 Protection Rings Privileged instructions Can be executed only When current privileged Level (CPR) is 0 Operating system kernel Level 0 Operating system services Level 1 Level 2 Applications Level 3 6 Layered Structure Hiding information at each layer Layered dependency Examples Level N THE (6 layers) . MS-DOS (4 layers) . Pros Level 2 Layered abstraction
    [Show full text]
  • CA Top Secret R16 Security Target
    CA Top Secret r16 Security Target ST Version: 1.0 August 18, 2017 3333 Warrenville Road Suite 800 Lisle, IL 60532 Prepared By: Cyber Assurance Testing Laboratory 304 Sentinel Drive, Suite 100 Annapolis Junction, MD 20701 Security Target CA Top Secret r16 Table of Contents 1 Security Target Introduction ................................................................................................................. 6 1.1 ST Reference ................................................................................................................................. 6 1.1.1 ST Identification ................................................................................................................... 6 1.1.2 Document Organization ........................................................................................................ 6 1.1.3 Terminology .......................................................................................................................... 7 1.1.4 Acronyms .............................................................................................................................. 8 1.1.5 References ............................................................................................................................. 9 1.2 TOE Reference .............................................................................................................................. 9 1.3 TOE Overview .............................................................................................................................
    [Show full text]
  • 402197 350 System Manual.Book
    350 Cable Survey System System Manual Covers DeepView Software Version 5.x.x and Firmware Version 3.7 TSS (International) Ltd 1, Garnett Close Greycaine Industrial Estate Watford, Herts, WD24 7GL Telephone +44 (0)1923 470800 Facsimile +44 (0)1923 470842 24 hr Customer Support +44 (0)7899 665603 e-mail: [email protected] The information in this Manual is subject to change without notice and does not represent a commitment on the part of TSS (International) Ltd Document P/N 402197 Issue 2.4 abcdef January 2008 1 9 9 3 THE QUEEN'S AWARD FOR EXPORT ACHIEVEMENT Contents CAUTIONARY NOTICE This System Manual contains full installation and operating instructions and is an important part of the 350 System. This Manual should remain easily available for use by those who will install, operate and maintain the System. WARNINGS and CAUTIONS Where appropriate, this Manual includes important safety information. Safety infor- mation appears as WARNING and CAUTION instructions. You must obey these instructions: ❐ WARNING instructions alert you to a potential risk of death or injury to users of the 350 System. ❐ CAUTION instructions alert you to the potential risk of damage to the 350 System. For your convenience, the Table of Contents section includes copies of all the WARNING and CAUTION instructions contained in this Manual. Technical Support and contact information TSS (International) Ltd 1 Garnett Close, Greycaine Industrial Estate, Watford, Herts, WD24 7GL Tel: +44 (0)1923 470800 Fax: +44 (0)1923 470842 Out of UK Hours Technical Helpline: +44 (0)7899
    [Show full text]
  • Technical Services Attachment for Technology Support Services (TSS)
    Technical Services Attachment IBM Deutschland GmbH for T echnology S upport Services (TSS) Offerings Using this Attachment, Client may order TSS offerings from IBM. Additional details are provided in Transaction Documents (TDs). The agreement in place between the parties (CRA or equivalent) referenced in the signature block, this Attachment, and TDs are the complete agreement regarding TSS transactions hereunder. 1. Services IBM will provide Services, as described in this Technical Services Attachment for TSS Offerings (Attachment) and Statements of Work (SOW), Transaction Documents, and Change Authorizations (collectively Transaction Documents or TDs), to support Client’s Eligible Machines and Eligible Programs (collectively Eligible Products). This Attachment replaces all other previously accepted versions of this Attachment for the Client named in the signature block, as to new transactions dated after the effective date of this Attachment. IBM will identify Eligible Products, Specified Locations (entire information processing environment, or a portion thereof, at multiple sites or a single building), hours of coverage selected, applicable Services, and the contract period, in TDs. Additional details may be documented in the TD, as applicable to the specific transaction. Client may place service requests 24x7, by voice or electronically, however IBM will begin servicing the request during the applicable entitled coverage days and hours. Coverage is based on the time zone where the Eligible Machine is located. IBM provides Services during the hours of service selected in the Transaction Document. Eligible Machines must meet IBM’s safety and serviceability requirements. Any IBM inspection for maintenance eligibility is subject to a charge. IBM reserves the right to inspect a Machine within one month from the start of Service.
    [Show full text]
  • Norco College Technology Committee Meeting 12:50Pm-1:50 P.M
    Norco College Technology Committee Meeting 12:50pm-1:50 p.m. CSS 219 December 13, 2017 MINUTES Present Absent Ruth Leal (Co-Chair) Cathy Brotherton (CIS/BEIT) Damon Nance (Library) Kim K. Kamerin (AHWL) Daniel Lambros (IMC) Deven Fafard (ASNC) Sergio Quiroz (ASNC) Daren Koch (Tutorial) Lenny Riley (DOI) Guest James Finley (CIS/GAM) Ricardo Aguilera (TSS) Janet Frewing (Math) Mike Angeles (TSS) Mitzi Sloniger (COMM) Frank Martinez (TSS) Vanessa Acosta (A&R) 1. Call to Order 12:50 p.m. 2. Consent Calendar- Ruth Leal a. October 19, 2017 Minutes were reviewed. b. November 9, 2017 Minutes were reviewed. Motion (Finley/Frewing). Two abstentions. Approved. 3. Technology Plan – Ruth a. Subcommittees Report - Ms. Leal provided an update regarding the subcommittees. i. Goal #6 – Phase II computers were not all installed in the summer as reported and an email has been sent to all of the users to see if their computer was replaced or still needs to be replaced. Responses are slow but the committee will continue to follow-up. TSS will use the computers in inventory which were purchased for this in last year’s resource allocation process. TSS reported that there were 53 computers in the warehouse after installation of the podium computer project. The Phase II list was shared with Business Services and TSS in the September 2017. The committee will be updated on this in the spring. The Technology Principles and Guidelines were updated to reflect the prioritization process and new template approved by the Technology Committee. The committee reviewed the document. Motion (Acosta/Sloniger).
    [Show full text]
  • A Technical History of National CSS
    A Technical History of National CSS By Harold Feinleib Written: March 4, 2005 CHM Reference number: R0363.2016 A Technical History of National CSS By Harold Feinleib I knew I wanted to go into computers when I got my first program to work. That was quite a thrill. It happened in 1964 during my senior year at Cornell when I took the only course given in computers. I had to look to the Electrical Engineering school where we worked on a Burroughs 220, a computer filled with thousands of vacuum tubes that took up a good sized room. It was actually a very nice computer because it worked in decimal instead of binary. That memorable program was of course a Sort program—I had to sort a list of numbers. I wonder how many sort programs have been written before or since. It must be millions. With great enthusiasm, I interviewed at the campus-recruiting program where companies sent people to find new employees for their organization. In the 1960’s, unlike today, the job market was very active and no one had a problem getting started right after they graduated from college. I got some interest from three companies: Equitable Life to work in their actuarial program in New York City; IBM as a programmer to work in upstate NY; and with the Service Bureau Corporation to also work in midtown Manhattan. New York City was very appealing to me; I was 20 years old, and living in Manhattan was a very exciting prospect, so I took great interest in the Equitable and the SBC interviews.
    [Show full text]
  • MTS on Wikipedia Snapshot Taken 9 January 2011
    MTS on Wikipedia Snapshot taken 9 January 2011 PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information. PDF generated at: Sun, 09 Jan 2011 13:08:01 UTC Contents Articles Michigan Terminal System 1 MTS system architecture 17 IBM System/360 Model 67 40 MAD programming language 46 UBC PLUS 55 Micro DBMS 57 Bruce Arden 58 Bernard Galler 59 TSS/360 60 References Article Sources and Contributors 64 Image Sources, Licenses and Contributors 65 Article Licenses License 66 Michigan Terminal System 1 Michigan Terminal System The MTS welcome screen as seen through a 3270 terminal emulator. Company / developer University of Michigan and 7 other universities in the U.S., Canada, and the UK Programmed in various languages, mostly 360/370 Assembler Working state Historic Initial release 1967 Latest stable release 6.0 / 1988 (final) Available language(s) English Available programming Assembler, FORTRAN, PL/I, PLUS, ALGOL W, Pascal, C, LISP, SNOBOL4, COBOL, PL360, languages(s) MAD/I, GOM (Good Old Mad), APL, and many more Supported platforms IBM S/360-67, IBM S/370 and successors History of IBM mainframe operating systems On early mainframe computers: • GM OS & GM-NAA I/O 1955 • BESYS 1957 • UMES 1958 • SOS 1959 • IBSYS 1960 • CTSS 1961 On S/360 and successors: • BOS/360 1965 • TOS/360 1965 • TSS/360 1967 • MTS 1967 • ORVYL 1967 • MUSIC 1972 • MUSIC/SP 1985 • DOS/360 and successors 1966 • DOS/VS 1972 • DOS/VSE 1980s • VSE/SP late 1980s • VSE/ESA 1991 • z/VSE 2005 Michigan Terminal System 2 • OS/360 and successors
    [Show full text]
  • Advanced Authentication Connector for Z/OS® Installation and Getting Started Guide © Copyright 2017 - 2020 Micro Focus Or One of Its Affiliates
    Micro Focus® Advanced Authentication Connector for z/OS® Installation and Getting Started Guide © Copyright 2017 - 2020 Micro Focus or one of its affiliates. The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice. Contains Confidential Information. Except as specifically indicated otherwise, a valid license is required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. Release: 1.1 Publication date: Updated May 2020 Table of Contents Welcome to Micro Focus® Advanced Authentication Connector for z/OS® . 5 Typographical Conventions . 6 Chapter 1 Overview . 7 Chapter 2 Implementing the Micro Focus Advanced Authentication Connector for z/OS . 9 Prerequisites . 10 Uploading the AACZ Product Distribution Files to the Host . 10 Creating the AACZ Started Task . 10 Additional Notes About Creating the AACZ Started Task. 12 Sample Start-Up Parameters. 12 Notes on the Use of Signed Certificates . 14 Using a Certificate that Has Been Signed by a Certificate Authority . 15 Using a Self-Signed Certificate . 15 RACF, ACF2, and Top Secret Requirements and Commands . 15 Defining an MFA Profile . 15 Defining Users to the NetIQ AA Server.
    [Show full text]
  • Arxiv:1904.12226V1 [Cs.NI] 27 Apr 2019
    The Ideal Versus the Real: Revisiting the History of Virtual Machines and Containers Allison Randal, University of Cambridge Abstract also have greater access to the host’s privileged software (kernel, operating system) than a physically distinct ma- The common perception in both academic literature and chine would have. the industry today is that virtual machines offer better se- curity, while containers offer better performance. How- Ideally, multitenant environments would offer strong ever, a detailed review of the history of these technolo- isolation of the guest from the host, and between guests gies and the current threats they face reveals a different on the same host, but reality falls short of the ideal. The story. This survey covers key developments in the evo- approaches that various implementations have taken to lution of virtual machines and containers from the 1950s isolating guests have different strengths and weaknesses. to today, with an emphasis on countering modern misper- For example, containers share a kernel with the host, ceptions with accurate historical details and providing a while virtual machines may run as a process in the host solid foundation for ongoing research into the future of operating system or a module in the host kernel, so they secure isolation for multitenant infrastructures, such as expose different attack surfaces through different code cloud and container deployments. paths in the host operating system. Fundamentally, how- ever, all existing implementations of virtual machines and containers
    [Show full text]
  • The Mainframe Audit News
    MANEWS Issue Number 21 the Mainframe Audit News This newsletter tells you stuff you need to know to audit IBM mainframe computers runinng with z/OS and the MVS operating system. This issue we show you how to plan the data gathering for your audit. Table of Contents 1. Planning Data Gathering for a Mainframe Security Audit 2. What Data to Gather for a RACF Audit 3 What Data to Gather for a CA-ACF2 Audit 4. What Data to Gather for a CA-TopSecret Audit 5. What Data to Gather for an MVS Security Audit 6. Other Considerations 7. Seminar Information and Miscellanea 1) Planning Data Gathering for a Mainframe Security Audit Getting the data you need at the beginning of an audit may be one of the most important things you can do to make the audit successful. Knowing what to ask for before the audit starts is key to getting it before you need it. You’ll learn below how to plan what data to ask for. In future issues we will show you how to interpret some of it, and how to make use of it in your audit program. This issue addresses only planning for your data gathering. To decide what to ask for, consider that mainframe (z/OS and MVS) security consists of two major parts: the security software and the MVS operating system security. You will likely want to limit your scope to one or the other. The security software is always one of these Big Three: · RACF (IBM’s Resource Access Control Facility) · CA-ACF2 (CA Technology’s ACF2) or · CA-TopSecret (CA Technology’s TopSecret, often called just TSS) Page 1 www.stuhenderson.com September, 2013 MANEWS Issue Number 21 the Mainframe Audit News The security software handles identification and validation of users (often by means of a userid and password).
    [Show full text]
  • Administrator's Guide
    IBM Open Data Analytics for z/OS Version 1 Release 1 Administrator's Guide IBM SC27-9035-00 Note Before using this information and the product it supports, read the information in “Notices” on page 301. This edition applies to Version 1 Release 1 of IBM® Open Data Analytics for z/OS® (5655-OD1) and to all subsequent releases and modifications until otherwise indicated in new editions. Last updated: 2019-08-29 © Copyright International Business Machines Corporation 2016, 2019. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. © Rocket Software, Inc. 2016, 2019. Contents Figures................................................................................................................. ix Tables.................................................................................................................. xi About this information......................................................................................... xv How to send your comments to IBM....................................................................xvii If you have a technical problem............................................................................................................... xvii Summary of changes for IBM Open Data Analytics for z/OS Administrator's Guide ............................................................................................................. xix Chapter 1. Getting started....................................................................................
    [Show full text]