There are two conflicting pieces of general advice that are applicable here.
A. Making PARMLIB inaccessible is security by obscurity. You are not securing the APF libraries by making one list of them unreadable. B. Multiple lines of defense. Sure, there are other ways to get things like a list of APF libraries, but why not make it as hard as possible? Maybe your attacker is pretty ignorant of z/OS: he knows about SYS1.PARMLIB but does not know about SHOWZOS or how to use Rexx STORAGE. Charles -----Original Message----- From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of ITschak Mugzach Sent: Friday, February 4, 2022 11:07 AM To: [email protected] Subject: Re: What is the audit basis to prevent read access to z/OS PARMLIB's? Only few of the parmlib members are represented on mobs control blocks. Attacker may want to understand how smf is configured, to make sure his activity is not recorded, what are the dump dataset mask, racf dataset table (if it is a racf shop) and and many other information that help penetrate the system. Remember the first rule of security “need to know”. Most users do not have the need. And for the hacker: You want the data, sweat! ITschak בתאריך יום ו׳, 4 בפבר׳ 2022 ב-20:25 מאת Mike Shaw <[email protected] >: > Amen Lionel. SHOWZOS is publicly available. Users can write their own REXX > code using the STORAGE function to display the active APF list on their > system. Security through (attempted) obscurity does not work. > > Mike Shaw > MVS/QuickRef Support Group > Chicago-Soft, Ltd. > > > On Fri, Feb 4, 2022 at 1:02 PM Lionel B. Dyck <[email protected]> wrote: > > > If you want to hide your APF list then you also need to prevent ISRDDN's > > APF option as it displays the APF list very nicely. I'm sure you can > > protect the SDSF APF command, but can you prevent SHOWZOS, and other > tools, > > from looking in storage and displaying the list for you? The fact is > that > > you can't. > > > > Perhaps you should, if following the STIG rules for PARMLIB, also prevent > > user access to /etc in your OMVS and other *nix environments. > > > > Lionel B. Dyck <>< > > Website: https://www.lbdsoftware.com > > Github: https://github.com/lbdyck > > > > “Worry more about your character than your reputation. Character is what > > you are, reputation merely what others think you are.” - - - John > Wooden > > > > -----Original Message----- > > From: IBM Mainframe Discussion List <[email protected]> On Behalf > > Of Edgington, Jerry > > Sent: Friday, February 4, 2022 11:47 AM > > To: [email protected] > > Subject: Re: What is the audit basis to prevent read access to z/OS > > PARMLIB's? > > > > I agree with Ed, for most of the PARMLIB, but the APF list of libraries, > > should be protected, since that is one way someone can get into the OS. > > Provided the person has access to one of those libraries. So, I tended > to > > be, maybe, over protective of the APF and possible LNKLST, depending upon > > the system parms. > > > > > > Jerry Edgington | Sr.Technical Analyst IT Technical Operations > > Enterprise Systems > > 400 Broadway | Cincinnati, Ohio 45202 > > 513.629.1826 direct > > 513.629.1787 fax > > WesternSouthern.com > > > > > > > > -----Original Message----- > > From: IBM Mainframe Discussion List <[email protected]> On Behalf > > Of Ed Jaffe > > Sent: Friday, February 4, 2022 12:43 PM > > To: [email protected] > > Subject: Re: What is the audit basis to prevent read access to z/OS > > PARMLIB's? > > > > This message was sent from an external source outside of Western & > > Southern's network. Do not click links or open attachments unless you > > recognize the sender and know the contents are safe. > > > > > ________________________________________________________________________________________________________________________ > > > > On 2/4/2022 7:04 AM, Farley, Peter x23353 wrote: > > > I see the rule but I do not understand the rationale. Limiting UPDATE > > and ALTER access to systems programmers is logical and reasonable. > > Limiting READ access is not unless there are parameters in PARMLIB not > > available anywhere else that can be used to gain an elevation of > authority. > > > > The z/OS STIG is often wrong. I laugh when it protects SYS1.PARMLIB since > > all of our specifications are in SYS2.PARMLIB! LOL > > > > Considering PARMLIB in general, there used to be some passwords in the > > clear that would appear there (e.g., NJE). I have no idea if that's still > > true today. > > > > FWIW, there is absolutely nothing in our PARMLIB that we try to hide from > > end users. We might be naive... > > > > > > -- > > Phoenix Software International > > Edward E. Jaffe > > 831 Parkview Drive North > > El Segundo, CA 90245 > > https://www.phoenixsoftware.com/ > > > > > > > > > -------------------------------------------------------------------------------- > > This e-mail message, including any attachments, appended messages and the > > information contained therein, is for the sole use of the intended > > recipient(s). If you are not an intended recipient or have otherwise > > received this email message in error, any use, dissemination, > distribution, > > review, storage or copying of this e-mail message and the information > > contained therein is strictly prohibited. If you are not an intended > > recipient, please contact the sender by reply e-mail and destroy all > copies > > of this email message and do not otherwise utilize or retain this email > > message or any or all of the information contained therein. Although this > > email message and any attachments or appended messages are believed to be > > free of any virus or other defect that might affect any computer system > > into > > which it is received and opened, it is the responsibility of the > recipient > > to ensure that it is virus free and no responsibility is accepted by the > > sender for any loss or damage arising in any way from its opening or use. > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to [email protected] with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to [email protected] with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to [email protected] with the message: INFO IBM-MAIN > > > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > -- ITschak Mugzach *|** IronSphere Platform* *|* *Information Security Continuous Monitoring for z/OS, x/Linux & IBM I **| z/VM coming soon * ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
