Following was contributed by (Rey LeClerc) at rey@mass-usa.net

MVS Operating System Review

Objectives: To ensure the adequate installation and maintenance of the MVS 
environment.


Audit Program

1. Obtain the listings and/or READ access authority for the system parameter 
library:
 SYS1.PARMLIB.

 (Note: Syntax conventions throughout, this audit program uses the strings of  
'xx' or 'x' to refer to member name suffix variables.  The actual suffix values 
are defined within SYS1.PARMLIB' members of SYS1.PARMLIB used by the MVS IPL to 
establish the system parameters.

 The actual member suffix is either specified by the computer operator during 
the IPL process (using the SYSP=xx parameter) or defaults to '00' (i.e. 
IEASYS00).

 If multiple members exist, compare them, identify their differences, and 
evaluate their potential impact on system controls.

2. Identify the system operator consoles and their command capability groups.  
These are defined in the CONSOLxx members of SYS1.PARMLIB (CON=xx parameter of 
IEASYSxx).

 Determine whether these definitions are being overridden by operator 
commands.  Operator commands are either entered from the console or executed 
automatically at IPL by the CMMNDxx member(s) from the CMD=xx parameter of 
IEASYSxx.

 Verify the active system console definitions by executing the command DISPLAY 
ACTIVE (or D A) from either a real or emulated (e.g. SDSF or OMEGAMON) operator 
console.  Investigate any discrepancies in the active console device names and 
their command groups.

 Locate all active consoles that have been defined with any of the console 
command groups, other than INFO.   Evaluate whether there is adequate physical 
security over the console(s) and whether the console command group(s) are 
appropriate for each console's location and assigned function.

3. Identify the active System Management Facility (SMF) parameter definitions.  
These are provided in the SMFPRMxx member(s) of SYS1.PARMLIB from SMF=xx in the 
IEASYSxx member).

 Key audit concerns include:

 Whether the SMF recording option has been activated.  Identify the names of 
the SYS1.MANx files defined by the DSNAME() parameter.  Verify the update or 
alter access has not been provided to anyone (review the dataset access control 
lists).

 Identify the active SMF exits.  Review the nature and purpose of these exits 
and their impact on the audit and control environment (special attention should 
be given to exits IEFU83 and IEFU84, which can be used to suppress SMF 
recording).

 Which SMF record types are being collected.  The important SMF record types 
and their functions are:

 0, 90 System IPL
 7 SMF lost data
 5,35 Job record
 4,34 Program record
 80,81 RACF and  CA-Top Secret 
   information
 60-69 VSAM information
 30 Combined record (replacing types 
   (4,5,34,35)
 14,15,17,18 Dataset information

 Where operators can override SMF recording (the PROMPT parameter).

 The appropriateness of the console logging options defined.
 
 Whether the JOB WAIT TIME parameter is set to an appropriate length of time.  
This number represents the amount of time (in minutes) that a job will be 
allowed to remain idle before cancellation.

 In addition to the system efficiency concerns, this parameter is where the TSO 
automatic time-out limit for inactive terminals is defined.

4. Identify the libraries that have been designated as APF authorized.  MVS 
requires certain specific system libraries to be APF authorized (either 
consistently or at IPL time) - e.g. SYS1.CMDLIB, SYS1.NUCLEUS, SYS1.LINKLIB, 
SYS1.LPALIB, SYS1.IMAGELIB, SYS1.SVCLIB, and SYS1.VTAMLIB.  Also, the 
installation designated other libraries as APF authorized by referencing these 
libraries in:

 - The IEAAPFxx member(s) as defined in the APF=xx parameter of IEASYSxx;

 - The LNKLSTxx member(s) as defined in the LNK=xx parameter of IEASYSxx.

 For MVS/XA systems, the linklist is APF authorized only when the LNKAUTH 
parameter of IEASYSxx is set to LNKLST (this is the default value; the 
alternate setting is APFTAB).

 - The LPALSTxx member(s) as defined in the LPA=xx parameter of IEASYSxx.  
Programs defined in the LPA libraries get APF authorization when moved into LPA 
during the system IPL.

  Review the libraries designated here as APF with the MVS system programmer 
and determine:

  -  The nature and purpose of each APF library.

  -  Whether there are any duplicate libraries (by function, similar names, 
etc.)

  -  The necessity of these libraries (only production system libraries should 
be defined here.)

  -  Whether any application program libraries (both test and production) or 
data file 
      libraries have been defined here.

  -  The individual and suitable backup personnel responsible for maintaining 
each 
      of these libraries.

  -  The appropriateness of these data set access profiles over the APF defined 
          libraries. Access to these libraries should be strictly controlled.

 In addition to the APF authorized libraries, access controls over the page and 
(if defined) swap datasets should be verified (defined as PAGE= and SWAP= in 
IEASYSxx).

5. Identify the subsystems defined to MVS.  These can be found in the IEFSSNxx 
member(s) as defined in the SSN=xx parameter of IEASYSxx.  Ascertain whether 
these are active, their nature and purpose and their affect on overall MVS 
controls.

6. Ensure that the Program Properties Table (PPT) is protected by RACF.  The 
PPT is included in the SYS1.NUCLEUS dataset and can be modified by the PPT 
entries in the SCHEDxx member(s) of SYS1.PARMLIB as defined in the SCH=xx 
parameter of IEASYSxx.

 In RACF environments, the DSMON Program Properties Table report provides a 
comprehensive listing of the PPT.

 Identify those entries that are defined to bypass password protection.  
Determine the nature and purpose of these programs, access controls over them, 
and evaluate their appropriateness.

7. Review the installation defined SVC's (Supervisory Calls) that are supplied 
in the IEASVCxx member(s) as defined in the SVC=xx parameter of IEASYSxx.

 Identify those SVC's that have been defined with the APF=NO.

 Ascertain whether these SVCs perform any sensitive functions.

 If so, obtain the source code for the SVC(s) and make sure that the TESTAUTH 
macro is used to control the use of the SVC(s).

 A number of vendors provide SVCs for their product as load modules only.  If 
no source code is available, it is necessary to rely on the integrity of 
established and reputable vendors.

8. Review access to sensitive MVS utilities and service aids.

 These special programs and the standard libraries that they reside in include:
 ICKDSF in SYS1.LINKLIB
 IAHDASDR in SYS1.LINKLIB
 AMASPZAP (SUPERZAP) in SYS1.LINKLIB
 IEHINITT in SYS1.LINKLIB

 Determine whether these programs reside in their standard libraries.  List the 
index of the default libraries (e.g. SYS1.LINKLIB) to verify that the programs 
reside there;

 If  these programs reside in the standard system libraries (with universal 
execute access), ascertain whether the data security software is controlling 
execute access to these programs in another manner.

 Examples of such controls include the RACF PROGRAM general resource class.

 Evaluate the adequacy of the controls in place over the execution of special 
programs.  Review the established access rules/profiles over these programs.  
Verify that execute access is granted only to the appropriate system 
programming and computer operations personnel.



*      *      *      *      *

Reference Manual

MVS/Extended Architecture System Programming Library: Initialization and 
Tuning, GC28-1149-5