Currently running on a zVM 6.4 1801+ first level system with VMSECURE 3.2 RSU-1801+. One of my coworkers utilized the CHGVOLNM command recently and it had an unexpected result. Specifically it altered the AUTHORIZ CONFIG. There were no changes made in the file as a result of the CHGVOLNM command - however, since our CONFIG file had the specifications of RECFM V and a LRECL of 74, it ended up truncating the last 3 characters of many records in the file. Most specifically it altered *DIRMGRS to *DIRM. This basically had the extremely bad side effect of rendering VMSECURE unable to start-up due to invalid records in the AUTHORIZ CONFIG.
A review of the documentation indicates the an lrecl of 71 is the maximum support. Ok - our bad. But it does not appear that VMSECURE is validating or enforcing that restriction. This wasn't a recent change to the file. As best I can tell it has had that format for over 5 years.
To summarize my concerns:
1) AUTHORIZ CONFIG updated when it was not necessary.
2) Seeming lack of enforcement on the file structure of the various configuration files
3) During cleanup I made a typo and while startup told me I had an error - it didn't tell me the line number or the record - just the first word 'TO' was invalid (a bit tough to figure out when your configs stretch into the hundreds of lines
4) Came across a line in the file that I don't believe is syntactically correct - it may be, but i'm not really sure what someone was trying to do with that.
GRANT TRANSFER *DIRUSRS OF *SELF,
*DIRUSRS OF *SELF TO *DIRMGRS
Release : 3.2
Component : CA VM:Secure for z/VM
VM:Secure doesn't verify configuration file records don't go past column 71. The product prevents this if the CONFIG command is used to update configuration information, but, if the files are updated outside of the product the records may not be truncated at column 71 automatically. This can also occur if the user resets the TRUNC setting to other than 71 while in the CONFIG command XEDIT process.
Apply VM:Secure PTF SO13925.
With it applied, VM:Secure will now give an error when the CONFIG record goes past column 71.
Site confirmed PTF SO13925. With applied, if I bring down VMSECURE and manually update a CONFIG so that it doesn't meet the specs, once I restart, I get error messages and the product doesn't initialize. Exactly what is expected.
Similarly, if I issue VMSECURE CONFIG and alter a CONFIG file so it doesn't meet specs, it gives an error and asks if I wish to correct. Again, exactly what I would expect.