Protect ISHELL In Top Secret For ACID With OMVS Segment

Article ID: 46213

Products

Top Secret, Top Secret - LDAP

Issue/Introduction

Some users use USS (Unix System Services) via TWS connections and should not be allowed to enter ISHELL. How do you prevent this with Top Secret?

Environment

Release: TOPSEC00200-15-Top Secret-Security

Resolution

There is no obvious way to protect "ishell", because the operating system makes no security call for users who are allowed to use OMVS and are defined as UNIX users. However, you can use PDS member-level protection as follows:

TSS MODI PDSPROT(ON) 

TSS MODI PDSPROT(ADD,DSN(your.CLIST),CLASS(PDSMEM2)) 

TSS ADD(owner#) PDSMEM(BPXWIRAC) 

"your.CLIST" must contain the TSSWIRAC renamed BPXWIRAC.

PDSMEM2 is used intentionally to distinguish it from PDSMEM1 in case PDSMEM1 is already in use, but there is no restriction against using the PDSMEM1 class instead.

Any user not permitted to read BPXWIRAC won't be able to use "ishell".

You can then permit everyone and deny specific ACIDs:

TSS PER(ALL) PDSMEM2(BPXWIRAC) ACCESS(READ) 
TSS PER(acid) PDSMEM2(BPXWIRAC) ACCESS(NONE)

acid can be a user-type or profile-type ACID. If it is a profile, you have to add it to every UNIX user who is not allowed to use ishell.

This way any UNIX user can access ishell, except the specific users named in the ACCESS(NONE) permit, or the users connected to the profile named in it, who won't be allowed to use ishell.

Additional Information

PDS Member Protection