Return code 8 from the USERPASS exit creates a rule which says "REJECT * LOGON (NOTIFY".  When the exit was designed, this rule did what uninformed users still think it does, namely reject all logons.  A few years ago, LOGON rules were redesigned so that this rule only blocks logons from real devices.  Logons from IP addresses, logical devices, and SNA devices are not affected.  This creates a security exposure by rendering controls on the number of invalid logon attempts ineffective for the most common logon sources.  I propose returning "REJECT * LOGON", with or without the NOTIFY option, to its original design of rejecting all logons, and adding a new option such as GRAF or REAL to reject logons only from real devices.  A less-desirable alternative would be for the exit to cause VM:Secure to create multiple rules covering all the different logon sources.

This issue also affects ACCEPT rules and the TERMPASS user exit.

Release : 3.2

Component : VM:Secure for z/VM

Apply VM:Secure PTF LU06226.  It adds the ANYTERM option to enable you to put in a blanket rule for all terminals (* for terminal address) and all terminal types for DIAL, LOGON and STORE.

  As part of the update, the logic will now put one of the following rules in the USER rule file when invalid passwords are maxed out based on rc 8 or 12 from the USERPASS userexit.