You have to show the whole picture of security involved in z/OS.

1) The instruction set is broken into general, semi-privileged and privileged.
2) The operating system has RACF, or equivalent, to control who can put what in what libraries and data sets.
3) Data sets (read as libraries) control the level of instructions and functions that can execute.
4) If a user can put an 'unapproved' program in a library, but can't use it, is it a risk?

The trick is to show that there are required procedures that must be followed to get programs into a situation that could be 'dangerous' to the system. Of course, you could write a program that scans every PDS/PDSE and verifies that every program is on an approved list, but then how do you verify that someone didn't put a 'bad' program with a 'good' name in a library? Of course your checker program could use a CRC check and verify that what is there is what you think it should be, but what do you do when maintenance is applied?

Send the question back to them. What product or system is available for you to use to do what they want?

Chris Blaicher
Senior Software Engineer, Software Services
Syncsort Incorporated
50 Tice Boulevard, Woodcliff Lake, NJ 07677
P: 201-930-8260 | M: 512-627-3803
E: [email protected]

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Greg Dorner
Sent: Wednesday, September 05, 2012 7:22 AM
To: [email protected]
Subject: Preventing the installation of "unapproved" software

Man, the auditors came up with a new one! "Gap noted. Automated controls to prevent the installation of unapproved software were not documented."

So I have been assigned the task of researching how to provide "Automated controls to prevent the installation of unapproved software". I'm hoping someone on the list has a clue to what could possibly do this. My brain already hurts thinking about it. Just thinking logically with my limited intellect tells me doing this is somewhat close to impossible.

Any thoughts? I also accept rants and expletives.
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
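The checker Chris sketches (scan every library, confirm each member is on an approved list, confirm its contents match, and then cope with maintenance) as an added example; this is not code from the thread or from any IBM or Syncsort product. It assumes a PDS/PDSE can be modelled as a directory with one file per member so it runs off z/OS, and it swaps the CRC he mentions for SHA-256, since a CRC can be matched by a crafted replacement. Member names (IEFBR14, PAYROLL, BACKDOOR) and their contents are constructed for the scenario. The "maintenance" answer shown is re-baselining only the members a change record names, so a member that changed outside change control stays flagged.

```python
"""Added example: approved-list plus content-hash checker for load-library
members.  Assumption: a PDS/PDSE is a directory and each member is a file."""
import hashlib
import os
import shutil
import tempfile


def member_digest(path):
    """SHA-256 of a member's bytes (stronger than the CRC mentioned in the thread)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(library_dir):
    """Take the approved baseline: member name -> digest.
    Run this only from a trusted state (fresh install or approved maintenance)."""
    return {name: member_digest(os.path.join(library_dir, name))
            for name in sorted(os.listdir(library_dir))}


def check_library(library_dir, manifest):
    """Compare current library contents with the approved manifest."""
    findings = {"ok": [], "unapproved": [], "modified": [], "missing": []}
    present = set(os.listdir(library_dir))
    for name in sorted(present):
        digest = member_digest(os.path.join(library_dir, name))
        if name not in manifest:
            findings["unapproved"].append(name)   # not on the approved list
        elif digest != manifest[name]:
            findings["modified"].append(name)     # good name, different code
        else:
            findings["ok"].append(name)
    findings["missing"] = sorted(set(manifest) - present)
    return findings


def apply_maintenance(library_dir, manifest, changed_members):
    """After change-controlled maintenance, re-baseline only the members the
    change record lists; anything else that differs is still flagged."""
    updated = dict(manifest)
    for name in changed_members:
        updated[name] = member_digest(os.path.join(library_dir, name))
    return updated


def demo():
    """Constructed scenario; returns findings before and after maintenance."""
    lib = tempfile.mkdtemp(prefix="SYS1.LINKLIB.")
    try:
        def put(name, data):
            with open(os.path.join(lib, name), "wb") as f:
                f.write(data)

        # Constructed approved state.
        put("IEFBR14", b"\x07\xfe")
        put("PAYROLL", b"approved payroll code v1")
        manifest = build_manifest(lib)

        # Two things the auditors care about: a 'bad' program under a 'good'
        # name, and a member that is simply not on the approved list.
        put("PAYROLL", b"trojaned payroll code")
        put("BACKDOOR", b"not on the approved list")
        before = check_library(lib, manifest)

        # Approved maintenance replaces PAYROLL.  The change record names only
        # PAYROLL, so BACKDOOR remains an unapproved member after re-baselining.
        put("PAYROLL", b"approved payroll code v2")
        manifest = apply_maintenance(lib, manifest, ["PAYROLL"])
        after = check_library(lib, manifest)
        return before, after
    finally:
        shutil.rmtree(lib, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before maintenance:", before)
    print("after maintenance: ", after)
```

The manifest is only as trustworthy as the data set it lives in: it needs the same RACF protection Chris describes for the libraries themselves (checker can read it, ordinary users cannot update it), otherwise whoever can drop a member in a library can also rewrite its approved digest.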
