MVS AUDIT PROGRAM
Contributed by Pamela Jerskey, Boston College

1. Run IDCAMS to produce a Master Catalog listing (do not print); use it as a reference for looking up libraries during the audit tests (MVSMSTR.JCL).
2. Run PDSLIST of SYS1.PARMLIB to produce a listing (do not print); edit as needed for workpapers for the audit tests (MVSPARM.JCL).
3. Run PDSLIST of SYS2.PARMLIB to produce a listing (do not print); edit as needed for workpapers for the audit tests (MVSPARM2.JCL).
4. Run PDSLIST of SYS1.PROCLIB to produce a listing (do not print); edit as needed for workpapers for the audit tests (MVSPROCL.JCL).
5. Obtain the RACF DSMON Report and Data Sets Report from the Security Administrator.

I. MASTER CATALOG:

   Review all data sets in the Master Catalog and determine whether they are protected under RACF.

II. SYS1.NUCLEUS REVIEW:

   A. Run IEHLIST of SYS1.NUCLEUS to review for multiple members (MVSNUC.JCL). Check for IEANUCxx where xx = 00, 01, etc.
   B. Determine that SYS1.NUCLEUS is protected under RACF by reviewing the RACF DSMON Report from the Security Administrator.

III. SYS1.PARMLIB REVIEW:

   A. Edit the SYS1.PARMLIB listing for member IEASYS00. Review the parameters. Use of the ,L option within the specified IEASYSxx members is encouraged. The IEASYS00 parameters of audit significance and their associated PARMLIB members include:

       1. APF=(00)          IEAAPFxx
       2. MLPA=(00,L)       IEALPAxx
       3. CMD=(00)          COMMNDxx
       4. LNK=(00,L)        LNKLSTxx
       5. LPA=(00,L)        LPALSTxx
       6. MSTRJCL=(00)      MSTJCLxx
       7. LNKAUTH=LNKLST    LNKLSTxx
       8. SCH=(00,L)        SCHEDxx
       9. SMF=(00)          SMFPRMxx
      10. SVC=(00,L)        IEASVCxx
      11. PAGE=             Review protection for all data sets listed, including the PAGE data sets.

   B. The Authorized Program Facility (APF) is the primary mechanism for security and control within the MVS operating system. APF identifies the programs authorized to use restricted functions in MVS. Access to APF libraries should be controlled to prevent unauthorized routines from being inserted in these libraries and run in an authorized state. Nonexistent data sets or volumes in the APF list could allow a user to improperly allocate an authorized library.

      Edit the SYS1.PARMLIB listing for member PROG00. Run IEHLIST for each data set in member IEAAPF00 (MVSIEAAP.JCL). Determine:
      1) that all members exist on the volume specified, by reviewing the output;
      2) that all members are catalogued, by reviewing the Master Catalog listing;
      3) that no duplicate data sets exist, by reviewing IEAAPF00;
      4) that all members are RACF protected, by reviewing the RACF DSMON Report (Selected Data Sets Report);
      5) review protection for SYS1.IMAGELIB.

   C. Edit the SYS1.PARMLIB listing for member LNKLST00. Run IEHLIST for each data set in member LNKLST00 (MVSLKLST.JCL); the volume can be identified by searching the Master Catalog. Determine:
      1) that all members exist on the volume specified, by reviewing the output;
      2) that no duplicate data sets exist, by reviewing LNKLST00;
      3) that all members are RACF protected, by reviewing the RACF DSMON Report (Selected Data Sets Report).

   D. Edit the SYS1.PARMLIB listing for member LPALST00. Review as in C above (MVSLPALS.JCL).

   E. Edit the SYS1.PARMLIB listing for member IKJTSO00. Review the following with the systems programmer:
      AUTHCMD NAMES (determine what function each command performs)
      AUTHPGM NAMES (determine what function each program performs)

IV. SVC REVIEW:

   A. Edit the SYS1.PARMLIB listing for member IEASVC00.
   B. Run an IEHLIST report for SYS1.LPALIB and all members in LPALST00 (MVSLPALB.JCL).
   C. Run AMBLIST of SYS1.NUCLEUS (MVSIEANU.JCL) to identify any user-added SVCs (IGCxxx where xxx = 200-255).
   D. Using the reports from B and C, search the listings for members that begin with IGC. Edit the listing for workpapers. Compare the IGC listing to IEASVC00 to determine which user-added SVCs exist and whether they are active (note: IGCxxx where xxx = 200-255 are user-added SVCs).
   E. Run IEHLIST for SYS1.SVCLIB (MVSSVCLB.JCL). Identify member names that begin with NSL. Discuss with the systems programmer.
   F. Determine that SYS1.SVCLIB is protected under RACF by reviewing the RACF DSMON Report (Selected Data Sets Report).
   G. In IEASVC00, APF(NO), the default, allows any user to invoke the SVC. Ensure that any SVC available to all users (APF(NO)) respects system integrity requirements. Discuss with the systems programmer.

V. EXIT REVIEW:

   JES EXITS:
   A. Edit SYS1.PROCLIB for member names JESM and JES. Locate the HASPPARM DSN. Edit SYS2.PARMLIB for JESMPARM and JES2PARM. Locate each exit (EXITnn). Edit the listing for workpapers. Discuss the function of each exit with the systems programmer.

   SMF EXITS:
   A. Edit the SYS1.PARMLIB listing for member SMFPRM00. Ensure that the member that specifies SMF is ACTIVE. Review the NOPROMPT option: NOPROMPT offers the operator no choice in the parameters selected and is the most secure setting. List the exits. Identify the exits in SYS1.LPALIB from the IEHLIST report (see Audit Program III.B) (IEFU......). Run AMBLIST for all exits in SMFPRM00 (MVSDUMP.JCL). Determine:
      1) if the exit is used;
      2) if used, what function it is performing;
      3) if used, its last linkage date;
      4) its length.

VI. PROGRAM PROPERTIES TABLE REVIEW:

   Edit the SYS1.PARMLIB listing for member SCHED00. Obtain the DSMON Program Properties Table Report from the Security Administrator. From the DSMON Report, review the programs that bypass password protection and have System Key = YES (in SCHED00, those with NOPASS and Key 0-7). Determine what these programs are doing. Discuss with the systems programmer.

VII. VTAM REVIEW:

   A. Edit the SYS1.PROCLIB listing for member NET. Identify the VTAMLST DSN and the VTAMLIB DSN. Run PDSLIST of SYS2.ACFVTAM.VTAMLST (the DSN of VTAMLST) to produce a listing (do not print); edit as needed for workpapers for the audit tests (MVSVTML.JCL). Review start-up VTAM: review ATCSTR00 to identify which member contains the start-up VTAM members, then review ATCCON00 (start-up VTAM). Search and edit the entire listing for:
      1) AUTH=(ACQ, PASS, SPO, PPO)
            ACQ      - the application can acquire another LU
            PASS     - the application can pass an LU to another application
            SPO, PPO - the application can issue network commands
      2) AUTHEXIT=YES
            Application exits get control in supervisor state whether or not the application is authorized.
      Identify which members are in start-up VTAM and which are not. Review any of these conditions with the systems programmer. Discuss how these members are defined to RACF.

VIII. JES REVIEW:

   A. Determine to what level SYS1.HASPACE is protected under RACF. SYS1.HASPACE is the data set for all spooled input and output. Review with the systems programmer why ALTER level access is needed by systems programmers (only JES needs access).
   B. Edit SYS2.PARMLIB for JES2PARM. Locate the SPOOL (SPOOLDEF) and CHECKPOINT (CKPTDEF) volumes. Determine what level of protection exists under RACF. Review the following parameters:
      COMMAND=(EXECUTE, IGNORE or VERIFY)  IGNORE or VERIFY is best. The console command allows operators to change JES2 parameters.
      OFFLOAD=                             This should not be turned on. It is a non-standard way of interrupting data flow in JES2.
      RMT1, RMT2, etc.                     This is remote JES. Check for passwords. How often are they changed?
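The four determinations of step III.B (and the matching checks of III.C), worked as a script over the workpapers. This is an added example, not part of the original audit program: it parses a constructed IEAAPF00-style member and reports duplicates, entries IEHLIST did not find on the named volume, entries absent from the Master Catalog listing, and entries DSMON does not show as RACF protected. The catalog, IEHLIST and DSMON extracts are constructed sets standing in for the listings the steps above produce.

```python
"""Cross-check an IEAAPFxx listing against the other audit workpapers (III.B/III.C)."""
from collections import Counter

# Constructed IEAAPF00 member in the IEAAPFxx 'dsname volser,' layout
# (sample data, not from a real system).
IEAAPF00 = """\
SYS1.LINKLIB SYSRES,
SYS1.SVCLIB SYSRES,
SYS2.VENDOR.LOAD VOL001,
SYS1.LINKLIB SYSRES,
USER.TEST.LOAD VOL002"""

# Constructed extracts of the other workpapers the audit steps compare against.
CATALOGED = {"SYS1.LINKLIB", "SYS1.SVCLIB", "SYS2.VENDOR.LOAD"}   # Master Catalog (LISTC ALL)
ON_VOLUME = {("SYS1.LINKLIB", "SYSRES"), ("SYS1.SVCLIB", "SYSRES"),
             ("SYS2.VENDOR.LOAD", "VOL001")}                   # IEHLIST LISTPDS results
RACF_PROTECTED = {"SYS1.LINKLIB", "SYS1.SVCLIB"}                 # DSMON Selected Data Sets Report


def parse_apf_member(text):
    """Return the (dsname, volser) pairs of an IEAAPFxx-style member, in order."""
    entries = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")        # a trailing comma continues the list
        if line:
            dsname, volser = line.split()
            entries.append((dsname.upper(), volser.upper()))
    return entries


def audit_apf_list(entries, cataloged, on_volume, protected):
    """Apply determinations 1-4 of step III.B; each key lists the exceptions found."""
    names = Counter(dsn for dsn, _ in entries)
    return {
        # 3) duplicate data sets in the APF list
        "duplicates": sorted(dsn for dsn, n in names.items() if n > 1),
        # 1) entries IEHLIST did not find on the volume specified
        "missing_on_volume": sorted(f"{dsn} on {vol}" for dsn, vol in set(entries)
                                    if (dsn, vol) not in on_volume),
        # 2) entries absent from the Master Catalog listing
        "not_cataloged": sorted(set(names) - cataloged),
        # 4) entries the DSMON report does not show as RACF protected
        "not_racf_protected": sorted(set(names) - protected),
    }


if __name__ == "__main__":
    result = audit_apf_list(parse_apf_member(IEAAPF00), CATALOGED, ON_VOLUME, RACF_PROTECTED)
    for finding, items in result.items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```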
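The IEASVC00 side of the SVC review (steps IV.C, IV.D and IV.G), as a second added example that is not part of the original audit program. It parses constructed SVCPARM statements, cross-references them with constructed IGCxxx member names taken from the IEHLIST/AMBLIST output (using the audit program's own IGCxxx, xxx = 200-255, convention for user-added SVCs), and lists which user SVCs are active, which members exist without an SVCPARM entry, which entries have no member, and which rely on the APF(NO) default that any user may invoke.

```python
"""Work the IEASVC00 side of the SVC review (steps IV.C, IV.D and IV.G)."""
import re

# Constructed IEASVC00 extract in SVCPARM nnn,REPLACE,TYPE(n)[,APF(YES|NO)] form
# (sample data, not from a real system).
IEASVC00 = """\
SVCPARM 200,REPLACE,TYPE(3),APF(YES)
SVCPARM 201,REPLACE,TYPE(3),APF(NO)
SVCPARM 202,REPLACE,TYPE(2)
SVCPARM 018,REPLACE,TYPE(2),APF(NO)"""

# Constructed IGCxxx member names as pulled from the IEHLIST/AMBLIST listings,
# following the audit program's IGCxxx (xxx = 200-255) convention for user-added SVCs.
IGC_MEMBERS = ["IGC200", "IGC201", "IGC203", "IGC018"]

USER_SVC_RANGE = range(200, 256)
SVCPARM_RE = re.compile(r"^\s*SVCPARM\s+(\d+)\s*,(.*)$", re.IGNORECASE)


def parse_ieasvc(text):
    """Map SVC number -> APF setting; APF(NO) is the default, as step IV.G notes."""
    svcs = {}
    for line in text.splitlines():
        m = SVCPARM_RE.match(line)
        if m:
            apf = re.search(r"APF\((YES|NO)\)", m.group(2).upper())
            svcs[int(m.group(1))] = apf.group(1) if apf else "NO"
    return svcs


def igc_numbers(members):
    """SVC numbers of IGCxxx members that fall in the user-added range."""
    nums = {int(m[3:]) for m in members if m.upper().startswith("IGC") and m[3:].isdigit()}
    return {n for n in nums if n in USER_SVC_RANGE}


def review_user_svcs(svcs, members):
    """Compare IEASVC00 with the IGC members found (IV.D) and flag APF(NO) user SVCs (IV.G)."""
    installed = igc_numbers(members)
    defined = {n for n in svcs if n in USER_SVC_RANGE}
    return {
        "active_user_svcs": sorted(defined & installed),         # SVCPARM entry and member present
        "installed_not_active": sorted(installed - defined),     # member exists, no SVCPARM entry
        "defined_member_missing": sorted(defined - installed),   # SVCPARM entry, no member found
        "callable_by_any_user": sorted(n for n in defined if svcs[n] == "NO"),  # APF(NO)
    }


if __name__ == "__main__":
    for finding, nums in review_user_svcs(parse_ieasvc(IEASVC00), IGC_MEMBERS).items():
        print(f"{finding}: {nums or 'none'}")
```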
JCL FOR THE AUDIT TESTS

In the JOB statements below, (acct), CLASS=x, MSGCLASS=x, USER=xxxxxx and PASSWORD=xxxxxxx are site-specific placeholders; (volume name) and the (... file name) operands are filled in from the PARMLIB members and the Master Catalog listing.

MVSMSTR.JCL

//AUDIT JOB (acct),CLASS=x,MSGCLASS=x,
// USER=xxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//*
//* THIS PROGRAM IS USED FOR AUDITING MVS TO ACCESS
//* THE MASTER CATALOG
//*
//SS1 EXEC PGM=IDCAMS
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
  LISTC ALL
/*
//

MVSPARM.JCL

//AUDIT JOB (acct),CLASS=x,MSGCLASS=x,
// USER=xxxxx,PASSWORD=xxxxxx
/*ROUTE PRINT
//S1 EXEC PGM=PDSLIST,PARM='EJECT,INDEX'
//* PARM= SPACE (SKIP A LINE) - EJECT (A PAGE) - ALPHA (LIST BY NAME)
//*       INDEX (INDEX IT) - UPDTE (IEBUPDTE CONTROL)
//SYSPRINT DD SYSOUT=*,OUTLIM=0
//OUTPDS DD SYSOUT=(B,,CHAR),DCB=BLKSIZE=80
//SYSUT9 DD DSN=SYS1.PARMLIB,DISP=SHR
//SYSIN DD *
//

MVSPARM2.JCL

//AUDIT JOB (acct),CLASS=x,MSGCLASS=x,
// USER=xxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//S1 EXEC PGM=PDSLIST,PARM='EJECT,INDEX'
//* PARM= SPACE (SKIP A LINE) - EJECT (A PAGE) - ALPHA (LIST BY NAME)
//*       INDEX (INDEX IT) - UPDTE (IEBUPDTE CONTROL)
//SYSPRINT DD SYSOUT=*,OUTLIM=0
//OUTPDS DD SYSOUT=(B,,CHAR),DCB=BLKSIZE=80
//SYSUT9 DD DSN=SYS2.PARMLIB,DISP=SHR
//SYSIN DD *
//

MVSPROCL.JCL

//AUDIT JOB (acct),CLASS=x,MSGCLASS=x,
// USER=xxxxxxxx,PASSWORD=xxxxxxxx
/*ROUTE PRINT
//S1 EXEC PGM=PDSLIST,PARM='EJECT,INDEX'
//* PARM= SPACE (SKIP A LINE) - EJECT (A PAGE) - ALPHA (LIST BY NAME)
//*       INDEX (INDEX IT) - UPDTE (IEBUPDTE CONTROL)
//SYSPRINT DD SYSOUT=*,OUTLIM=0
//OUTPDS DD SYSOUT=(B,,CHAR),DCB=BLKSIZE=80
//SYSUT9 DD DSN=SYS1.PROCLIB,DISP=SHR
//SYSIN DD *
//

MVSNUC.JCL

//AUDIT JOB (acct),CLASS=x,MSGCLASS=x,
// USER=xxxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//*
//* THIS PROGRAM IS USED TO REVIEW SYS1.NUCLEUS MEMBERS FOR THE MVS AUDIT
//*
//SS1 EXEC PGM=IEHLIST
//SYSPRINT DD SYSOUT=*
//DD1 DD DSNAME=SYS1.NUCLEUS,DISP=SHR
//SYSIN DD *
  LISTPDS DSNAME=SYS1.NUCLEUS,FORMAT
/*
//

MVSIEAAP.JCL

//AUDIT JOB (acct),CLASS=x,MSGCLASS=x,
// USER=xxxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//*
//* THIS PROGRAM IS USED TO LIST MEMBERS IN IEAAPF TO DETERMINE
//* IF ALL MEMBERS EXIST; ALL MEMBERS ARE CATALOGUED, ETC.
//*
//SS1 EXEC PGM=IEHLIST
//SYSPRINT DD SYSOUT=*
//DD1 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD2 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD3 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//SYSIN DD *
  LISTPDS DSNAME=(ieaapf file name),VOL=SYSALLDA=(volume name),FORMAT
  LISTPDS DSNAME=(ieaapf file name),VOL=SYSALLDA=(volume name),FORMAT
/*
//
(list all IEAAPF file names in each volume)

MVSLKLST.JCL

//AUDIT JOB (acct),CLASS=x,MSGCLASS=x,
// USER=xxxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//*
//* THIS PROGRAM IS USED TO LIST MEMBERS IN LNKLST00 TO DETERMINE
//* IF ALL MEMBERS EXIST; ALL MEMBERS ARE CATALOGUED, ETC.
//*
//SS1 EXEC PGM=IEHLIST
//SYSPRINT DD SYSOUT=*
//DD1 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD2 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD3 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//SYSIN DD *
  LISTPDS DSNAME=(lnklst file name),VOL=SYSALLDA=(volume name),FORMAT
  LISTPDS DSNAME=(lnklst file name),VOL=SYSALLDA=(volume name),FORMAT
/*
//
(list all LNKLST file names in each volume)

MVSLPALS.JCL

//AUDIT JOB (acct),CLASS=x,MSGCLASS=x,
// USER=xxxxxxx,PASSWORD=xxxxxxx
/*ROUTE PRINT
//*
//* THIS PROGRAM IS USED TO LIST MEMBERS IN LPALST00 TO DETERMINE
//* IF ALL MEMBERS EXIST; ALL MEMBERS ARE CATALOGUED, ETC.
//*
//SS1 EXEC PGM=IEHLIST
//SYSPRINT DD SYSOUT=*
//DD1 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD2 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//DD3 DD UNIT=SYSALLDA,VOL=SER=(volume name),DISP=SHR
//SYSIN DD *
  LISTPDS DSNAME=(lpalst file name),VOL=SYSALLDA=(volume name),FORMAT
  LISTPDS DSNAME=(lpalst file name),VOL=SYSALLDA=(volume name),FORMAT
/*
//
(list all LPALST file names in each volume)

MVSIEANU.JCL

//AUDIT JOB (acct),CLASS=x,
// USER=xxxxx,PASSWORD=xxxxx
/*ROUTE PRINT
//SS1 EXEC PGM=AMBLIST
//SYSPRINT DD SYSOUT=*
//SYSLIB DD DSN=SYS1.NUCLEUS,DISP=SHR
//NUCLEUS DD DSN=SYS1.NUCLEUS,DISP=SHR
//SYSIN DD *
  LISTIDR DDN=NUCLEUS,OUTPUT=IDENT,MODLIB,MEMBER=IEANUC01
  LISTLOAD DDN=SYSLIB,MEMBER=IEANUC01,OUTPUT=XREF
/*
//

MVSSVCLB.JCL

//AUDIT JOB (acct),CLASS=x,
// USER=xxxxxx,PASSWORD=xxxxxxxx
/*ROUTE PRINT
//SS1 EXEC PGM=IEHLIST
//SYSPRINT DD SYSOUT=*
//DD1 DD DISP=SHR,UNIT=SYSALLDA,VOL=SER=(volume name)
//SYSIN DD *
  LISTPDS VOL=SYSALLDA=(volume name),DSNAME=SYS1.SVCLIB
/*
//

MVSDUMP.JCL

//AUDIT JOB (acct),CLASS=x,
// USER=xxxxxx,PASSWORD=xxxxxxxx
/*ROUTE PRINT
//SS1 EXEC PGM=AMBLIST
//SYSPRINT DD SYSOUT=*
//LPALIB DD DSN=SYS1.LPALIB,DISP=SHR
//SYSIN DD *
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFU83
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFU84
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFACTRT
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUJV
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUSI
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUJI
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUTL
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFU29
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUJP
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUSO
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFUAV
  LISTIDR DDN=LPALIB,OUTPUT=IDENT,MEMBER=IEFU85
  LISTLOAD DDN=LPALIB,MEMBER=IEFU83,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFU84,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFACTRT,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFUJV,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFUSI,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFUJI,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFUTL,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFU29,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFUJP,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFUSO,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFUAV,OUTPUT=XREF
  LISTLOAD DDN=LPALIB,MEMBER=IEFU85,OUTPUT=XREF
/*
//

MVSVTML.JCL

//AUDIT JOB (acct),CLASS=x,MSGCLASS=x,
// USER=xxxxxx,PASSWORD=xxxxxxxx
/*ROUTE PRINT
//S1 EXEC PGM=PDSLIST,PARM='EJECT,INDEX'
//* PARM= SPACE (SKIP A LINE) - EJECT (A PAGE) - ALPHA (LIST BY NAME)
//*       INDEX (INDEX IT) - UPDTE (IEBUPDTE CONTROL)
//SYSPRINT DD SYSOUT=*,OUTLIM=0
//OUTPDS DD SYSOUT=(B,,CHAR),DCB=BLKSIZE=80
//SYSUT9 DD DSN=SYS2.ACFVTAM.VTAMLST,DISP=SHR
//SYSIN DD *
//