Secure Automation Point CONTROL Commands In Top Secret
Article ID: 188074
Updated On:
Products
Top Secret
Issue/Introduction
When implementing IBM Automation Point (AP) how can the CONTROL commands for an SMCS console definition be secured?
Environment
Release : 16.0
Component : CA Top Secret for z/OS
Resolution
Use the OPERCMDS resource OPERCMDS(MVS.CONTROL.). Start with this:
TSS PERMIT(acid) OPERCMDS(MVS.CONTROL.) ACCESS(ALL) ACTION(AUDIT)
ACTION(AUDIT) will cut an OK+A record to the audit file each time this permit is used. This way what operator commands are being successfully issued because of this permit can be audited. Run TSSUTIL with the following REPORT statement to get these records:
REPORT EVENT(AUDTA) ACID(acid) RESCLASS(OPERCMDS) LONG END
(LONG will write out the events on 2 lines for each event and will display the full resource class and resource name.)
The IBM doc also states: Many of the functions of the CONTROL command are controlled at IPL by parameters in the CONSOLxx parmlib member. Accompanying the descriptions of some operands on the CONTROL command are the corresponding parameters in CONSOLxx. If you need more information about the parameters in CONSOLxx, see z/OS MVS Planning: Operations and z/OS MVS Initialization and Tuning Reference. See Defining and changing console characteristics for more information about using the CONTROL command.
The operands for the functions of the CONTROL command in the CONSOLxx parmlib member are outside of Top Secret.
TSS PERMIT(acid) OPERCMDS(MVS.CONTROL.) ACCESS(ALL) ACTION(AUDIT)
ACTION(AUDIT) will cut an OK+A record to the audit file each time this permit is used. This way what operator commands are being successfully issued because of this permit can be audited. Run TSSUTIL with the following REPORT statement to get these records:
REPORT EVENT(AUDTA) ACID(acid) RESCLASS(OPERCMDS) LONG END
(LONG will write out the events on 2 lines for each event and will display the full resource class and resource name.)
The IBM doc also states: Many of the functions of the CONTROL command are controlled at IPL by parameters in the CONSOLxx parmlib member. Accompanying the descriptions of some operands on the CONTROL command are the corresponding parameters in CONSOLxx. If you need more information about the parameters in CONSOLxx, see z/OS MVS Planning: Operations and z/OS MVS Initialization and Tuning Reference. See Defining and changing console characteristics for more information about using the CONTROL command.
The operands for the functions of the CONTROL command in the CONSOLxx parmlib member are outside of Top Secret.
Feedback
Yes
No
Powered by
