We recently had a penetration test, and the tester was able to breach our security.
What it appears he did was write a program, which was in his own library, that had the same name as a vendor program that was in AUTHTSF.
IBM APAR OA17383 (closed DOC) notes the possibility of executing non-authorized programs as authorized, which may have been what he did. His program put itself into a supervisor key 0 state and then spoofed his logon id.
Is there a way in ACF2 to require that certain programs execute only if executed out of specified libraries?
Release : 16.0
Component : CA ACF2 for z/OS
Requiring that certain program names execute only from specific libraries would be one way to address this problem, but ACF2 does not offer such program-level protection.
The main point of protection in this scenario is the APF library in which the user presumably placed the duplicate-named program. That should be the only way AUTHTSF would have allowed the program to run APF-authorized under TSO.
Protection of APF libraries in the z/OS environment is of the utmost importance. While the base ACF2 product can protect those libraries from untrusted users, the PDS member-level extension may be used to ensure that a specific program name can be updated only in the APF library it is supposed to be in. Rules could be written to ensure that no AUTHTSF-specified program name can be updated outside of its specific resident APF library.
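As a complement to those rules, the following added example (not ACF2 or vendor code) audits for AUTHTSF program names that also exist as members outside their intended library. It assumes the AUTHTSF list is taken from an IKJTSOxx parmlib member and that library member lists have been exported by other means; the parmlib fragment, library names, program name `VENDPGM1`, and the `EXPECTED_HOME` mapping are all constructed for illustration.

```python
import re

# Constructed IKJTSOxx fragment (sample input, not taken from the page).
IKJTSO_SAMPLE = """\
AUTHTSF NAMES(              /* AUTHORIZED VIA TSO SERVICE FACILITY */ +
   IEBCOPY                  /* IBM UTILITY                         */ +
   VENDPGM1)                /* HYPOTHETICAL VENDOR PROGRAM         */
"""

# Constructed inventory: library -> (is APF-authorized, member names).
INVENTORY = {
    "SYS1.LINKLIB":        (True,  {"IEBCOPY", "IEFBR14"}),
    "VENDOR.PROD.LOADLIB": (True,  {"VENDPGM1", "VENDPGM2"}),
    "TEST.APF.LOADLIB":    (True,  {"VENDPGM1"}),
    "USER01.LOAD":         (False, {"VENDPGM1", "MYPGM"}),
}

# Assumed site decision: the one library each AUTHTSF program should live in.
EXPECTED_HOME = {"IEBCOPY": "SYS1.LINKLIB", "VENDPGM1": "VENDOR.PROD.LOADLIB"}


def authtsf_names(parmlib_text):
    """Return the program names listed in AUTHTSF NAMES(...)."""
    text = re.sub(r"/\*.*?\*/", " ", parmlib_text, flags=re.S)  # drop comments
    text = text.replace("+", " ")                       # drop continuation marks
    m = re.search(r"\bAUTHTSF\s+NAMES\s*\(([^)]*)\)", text, flags=re.I)
    # Member names: alphanumerics plus the national characters $ # @.
    return set(re.findall(r"[A-Z0-9$#@]+", m.group(1).upper())) if m else set()


def audit(parmlib_text, inventory, expected_home):
    """Flag every copy of an AUTHTSF name found outside its expected library."""
    findings = []
    for name in sorted(authtsf_names(parmlib_text)):
        home = expected_home.get(name)  # None means no home was defined
        for lib in sorted(inventory):
            apf, members = inventory[lib]
            if name in members and lib != home:
                # Copies in APF libraries matter most; non-APF copies are
                # still reported so they can be reviewed.
                findings.append((name, lib, "APF" if apf else "non-APF"))
    return findings


if __name__ == "__main__":
    for name, lib, kind in audit(IKJTSO_SAMPLE, INVENTORY, EXPECTED_HOME):
        print(f"{name}: unexpected copy in {lib} ({kind})")
```

Each finding names a library whose update access should be reviewed against the rules described above.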