Following was contributed by Rey LeClerc at rey@mass-usa.net

Omegamon/MVS Review

Objective: To ensure that adequate security procedures have been established over OMEGAMON/MVS.

General Description: Omegamon/MVS is a system management aid that allows users to analyze, control and dynamically modify the MVS/JES system.

Audit Program

1. Identify the Omegamon/MVS environment and the controls over the availability of, and access to, powerful Omegamon/MVS commands.

   a. Determine whether powerful Omegamon/MVS commands can be used at this site. These commands are provided only when the Omegamon/MVS product has been installed as APF authorized. APF authorization for the Omegamon/MVS product can be determined by either:
      - Verifying that the Omegamon/MVS product library is defined as an APF authorized library.
      - Executing the '.APF' immediate command from an Omegamon/MVS session.
      If Omegamon/MVS has been installed without APF authorization, the remaining audit steps are not necessary, because use of the powerful Omegamon/MVS commands requires that the product be installed as APF authorized.

   b. Obtain the listing for the Omegamon/MVS security update program, 'OMSECUP', using the control statements 'LIST=YES' and 'UPDATE=NO'.

   c. To determine the type of security used, note the setting of the 'MODULE=' control statement. Where there is no entry for this control statement, Omegamon/MVS's internal security facility is being used. Otherwise, the Omegamon/MVS external security interface module is specified here.

   d. Obtain and review the source code for the exit routine defined in the 'MODULE=' control statement. Ascertain what impact the active exit routine has on security for the Omegamon/MVS environment at this location. The Omegamon/MVS product is provided with two modules that can be used without modification: 'OMRACF', for RACF environments, and 'OMACF2', for ACF2 environments.
      Because installations can customize these modules, the auditor must review the source code even when 'OMRACF' or 'OMACF2' is specified.

2. Determine whether access to powerful Omegamon/MVS commands is adequately controlled and granted only on an as-needed basis.

   a. Using the listing for the Omegamon/MVS security update program, 'OMSECUP', obtained in the previous step, review the command control statement specifications set for sensitive Omegamon/MVS commands. These commands include:
      DSA   - sets and displays authorization to list or zap non-sharable data-only spaces
      APFU  - updates the APF library list
      CONS  - displays the MVS operator console
      KILL  - terminates an address space
      LPAM  - adds, deletes or lists LPA members
      MCHN  - scans common area tables
      MLIST - displays storage
      MSCN  - scans storage
      MZAP  - modifies storage
      OCMD  - executes MVS or JES2 primary console commands
      PEEK  - collects information about a single address space
      SCHN  - scans data-only spaces
      SSCN  - scans data-only space storage
      SZAP  - modifies the content of data-only space storage
      XMLS  - displays MVS storage
      XMSC  - scans internal tables
      XMZP  - modifies storage
      ALIB  - (minor command of the SYS command) displays the defined APF library names
      MNSW  - (minor command) marks a job as non-swappable
      External security can be set to use the Omegamon/MVS security levels to specify access authorization (alternatively, external security authorization can be established for each individual command, i.e. commands are defined as resource profiles/rule sets). If either this method or internal security is being used, identify the 'LEVEL' setting for each of the sensitive commands; this can be set to 0, 1, 2, 3 or DISABLE (the command is inactive), and the default is 0.
      Minor commands are protected at the major command level unless the MINOR control statement is specified; when the MINOR (and EXTERNAL=YES) control statement is used, the minor command is protected independently of its major command. Note whether external security is activated for each command: 'EXTERNAL=' YES or NO must be specified, and NO is the default. If external security is inactive for a command, the Omegamon/MVS internal security facility is used for that command. Also, consider whether the 'AUDIT=' control statement is used. The default is NONE. This feature can be activated to audit the execution of any Omegamon/MVS command. When used, either a message is sent to the master console (the WTO parameter), an SMF record is written (the SMF parameter), or both (the BOTH parameter).

   c. For the sensitive OMEGAMON/MVS command authorities (identified in the above procedure), evaluate whether access has been provided only to those individuals who require it to perform their daily job functions. Based on which security facility is being used (internal or external security), review the access control definitions for the powerful Omegamon/MVS commands and determine whether access is adequately restricted. Perform those procedures below which apply to this environment; if external security is used, this audit step should be coordinated with the auditor responsible for reviewing RACF, to avoid duplication, and assigned to one individual only. Review the Omegamon/MVS resource class rules (type OMS) that control the commands for which external security is activated. Note: In ACF2 or RACF, resource rules can be set up for either individual commands or Omegamon/MVS command levels (resource rule sets INITIAL, INITIAL0, INITIAL1, INITIAL2 and INITIAL3).
      For Omegamon/MVS internal security, review the command levels and find out which individuals have knowledge of each of the Omegamon/MVS passwords. Examine the password values and evaluate whether they are set to easily guessed values or to the vendor-provided defaults (i.e. CANDLE1, CANDLE2 and CANDLE3). Also verify that the Omegamon/MVS passwords are changed on a periodic basis.

3. Verify that the Omegamon/MVS product library has adequate data set protection.

   a. Obtain the names of the Omegamon/MVS executable libraries. Also, using the listing for the Omegamon/MVS security update program, 'OMSECUP', obtained in the first audit step, obtain the name of the data set specified on the 'AUTHLIB=' control statement.

   b. Determine the individuals who are directly responsible for maintaining the product (i.e. system programmers).

   c. Examine the data set access rules/profiles to ensure that update access to the Omegamon/MVS executable library and the AUTHLIB data set is restricted to those individuals directly responsible for maintaining the product.
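As an added example, not part of the contributed audit program, the Python script below applies the step 2 criteria (LEVEL, EXTERNAL and AUDIT settings of the sensitive commands) to a constructed OMSECUP-style listing. The one-COMMAND-statement-per-line layout and the sample values are assumptions for illustration, not the vendor's exact OMSECUP output.

```python
"""Check an OMSECUP-style listing against the step 2 audit criteria.
Assumed layout (not the vendor's exact syntax), one statement per line:
COMMAND=name,LEVEL=n,EXTERNAL=YES|NO,AUDIT=NONE|WTO|SMF|BOTH
"""
import re

# Sensitive commands named in step 2.a of the audit program.
SENSITIVE = {"DSA", "APFU", "CONS", "KILL", "LPAM", "MCHN", "MLIST",
             "MSCN", "MZAP", "OCMD", "PEEK", "SCHN", "SSCN", "SZAP",
             "XMLS", "XMSC", "XMZP", "ALIB", "MNSW"}

# Constructed sample listing; the values are invented for this example.
SAMPLE_LISTING = """\
COMMAND=OCMD,LEVEL=0,EXTERNAL=NO,AUDIT=NONE
COMMAND=KILL,LEVEL=3,EXTERNAL=YES,AUDIT=BOTH
COMMAND=MZAP,LEVEL=DISABLE,EXTERNAL=NO,AUDIT=NONE
COMMAND=PEEK,LEVEL=1,EXTERNAL=NO,AUDIT=SMF
COMMAND=HELP,LEVEL=0,EXTERNAL=NO,AUDIT=NONE
"""

STMT = re.compile(r"^COMMAND=(\w+),LEVEL=(\w+),EXTERNAL=(YES|NO),AUDIT=(\w+)$")


def parse_listing(text):
    """Map each command name to its LEVEL, EXTERNAL and AUDIT settings."""
    entries = {}
    for line in text.splitlines():
        m = STMT.match(line.strip())
        if m:
            cmd, level, external, audit = m.groups()
            entries[cmd] = {"level": level, "external": external, "audit": audit}
    return entries


def review(entries):
    """Return one finding per step 2 criterion that a sensitive command fails."""
    findings = []
    for cmd, e in sorted(entries.items()):
        if cmd not in SENSITIVE or e["level"] == "DISABLE":
            continue  # out of scope, or the command is inactive
        if e["level"] == "0":
            findings.append(f"{cmd}: LEVEL=0 (the default) - not raised to a restricted level")
        if e["external"] == "NO":
            findings.append(f"{cmd}: EXTERNAL=NO - relies on the internal password facility")
        if e["audit"] == "NONE":
            findings.append(f"{cmd}: AUDIT=NONE - execution not recorded via WTO, SMF or BOTH")
    return findings


print("\n".join(review(parse_listing(SAMPLE_LISTING))))
```

Disabled commands are skipped because the program treats DISABLE as inactive; everything else in the sensitive list is reported against all three criteria.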