Top Secret Overrides z/OS AUTH(INFO) Console Settings


Article ID: 52703


Products

CA Top Secret

Issue/Introduction

Description:

With Top Secret active, a console that has AUTH(INFO) in SYS1.PARMLIB(CONSOLExx) allows commands to be issued that AUTH(INFO) should restrict.

Without Top Secret active, it only shows information, as desired.

Environment

Release:
Component: AWAGNT

Resolution

When a console is not signed on, it runs under the *BYPASS* ACID, which makes Top Secret reply RC=0000 (authorized) to any request from the console.

When the RC is 0000, z/OS does not check AUTH(), because an RC of 0000 signals that the request has already been validated by an external security package.

To prevent the *BYPASS* ACID from being used, sign on an ACID to the console that has the CONSOLE facility and no other rights or permissions.

There are different situations to look at:

  1. If AUTH=INFO and OPERCMDS() resources are not defined to Top Secret, Top Secret returns RC=0004. z/OS then checks the AUTH parameter, and INFO is honored.

  2. If AUTH=INFO and OPERCMDS() resources are defined to Top Secret, Top Secret returns RC=0000 (for permitted resources) or RC=0008 (for denied resources). z/OS does not check the AUTH parameter.

    If you sign on an ACID to any console with just the CONSOLE facility added to it, and no OPERCMDS() resources are defined to Top Secret, then the AUTH parameter is honored.

The bottom line: when an OPERCMDS resource is not defined to Top Secret (i.e., not owned via a Top Secret ADD command), Top Secret returns RC=0004 to the console, and the console then checks and honors AUTH().

So, every time a command is entered at the console, a security check is issued. Depending on the RC, here is what happens:

  1. RC=0004 - AUTH() is assessed. Example: with AUTH(INFO), only the z/OS/JES commands allowed for the INFO privilege are accepted and executed.

  2. RC=0000 - whatever AUTH() is set to, the z/OS/JES command is accepted and executed.

  3. RC=0008 - whatever AUTH() is set to, the z/OS/JES command is denied.

Example:
OPERCMDS(MVS.ACTIVATE) is owned.

If the console ACID is permitted access to OPERCMDS(MVS.ACTIVATE), Top Secret returns RC=0000 and the z/OS command is accepted and executed regardless of the AUTH() parameter.

If the console ACID is not permitted and the system is in FAIL mode, Top Secret returns RC=0008 and the z/OS command is denied regardless of the AUTH() parameter.

If you remove ownership of OPERCMDS(MVS.ACTIVATE), Top Secret returns RC=0004 and the z/OS command is not accepted and not executed, because AUTH(INFO) is now honored.
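To make the three return codes and the AUTH() fallback concrete, here is a small Python model added to this article. It is not Top Secret or z/OS code: it encodes only the RC=0000/0004/0008 behaviour described above and replays the scenarios in this article (the *BYPASS* console, a CONSOLE-facility-only ACID, and the OPERCMDS(MVS.ACTIVATE) walk-through). The command table, the CONSOP ACID name, the MVS.DISPLAY.JOB entry, the AUTH() group mapping and the FAIL-mode assumption are all constructed for illustration.

```python
"""Model of how a z/OS console command is vetted when CA Top Secret is active.

Constructed for illustration: it is not Top Secret or z/OS code. It encodes
only the return-code behaviour described in the article (RC=0000 / 0004 /
0008) and a simplified view of the CONSOLExx AUTH() parameter.
"""
from dataclasses import dataclass, field
from enum import IntEnum

BYPASS_ACID = "*BYPASS*"   # ACID a console runs under when nobody is signed on


class RC(IntEnum):
    """Return codes Top Secret passes back to the console."""
    AUTHORIZED = 0       # permitted, or *BYPASS*: z/OS skips AUTH()
    NOT_PROTECTED = 4    # resource not owned: z/OS falls back to AUTH()
    DENIED = 8           # owned, not permitted, FAIL mode


# Simplified map of CONSOLExx AUTH() values to the command groups they allow.
# Assumption for the model only: INFO is always included and MASTER/ALL allow
# everything. Real z/OS has finer rules than this.
AUTH_GRANTS = {
    "INFO": {"INFO"},
    "SYS": {"INFO", "SYS"},
    "IO": {"INFO", "IO"},
    "CONS": {"INFO", "CONS"},
    "MASTER": {"INFO", "SYS", "IO", "CONS"},
    "ALL": {"INFO", "SYS", "IO", "CONS"},
}

# Constructed command table: command -> (OPERCMDS resource, authority group the
# command needs when AUTH() is consulted). MVS.ACTIVATE is the resource named in
# the article; the DISPLAY entry is an assumption added for contrast.
COMMANDS = {
    "ACTIVATE": ("MVS.ACTIVATE", "SYS"),
    "D A,L": ("MVS.DISPLAY.JOB", "INFO"),
}


@dataclass
class TopSecret:
    """Just enough of Top Secret's OPERCMDS decision to reproduce the article."""
    owned: set = field(default_factory=set)      # resources owned via TSS ADD
    permits: dict = field(default_factory=dict)  # acid -> permitted resources
    # Assumption: the system runs in FAIL mode, so a miss is a hard RC=0008.

    def check(self, acid: str, resource: str) -> RC:
        if acid == BYPASS_ACID:
            return RC.AUTHORIZED          # *BYPASS* is authorized for anything
        if resource not in self.owned:
            return RC.NOT_PROTECTED       # not owned: Top Secret abstains
        if resource in self.permits.get(acid, set()):
            return RC.AUTHORIZED
        return RC.DENIED


def console_command(tss: TopSecret, acid: str, console_auth: str, command: str) -> str:
    """Outcome of one command typed at a console running with the given AUTH()."""
    resource, needed = COMMANDS[command]
    rc = tss.check(acid, resource)
    if rc == RC.AUTHORIZED:
        return "EXECUTED"                 # AUTH() is never looked at
    if rc == RC.DENIED:
        return "DENIED by Top Secret"     # AUTH() is never looked at
    # RC=0004: z/OS now applies the CONSOLExx AUTH() setting itself
    if needed in AUTH_GRANTS[console_auth]:
        return "EXECUTED"
    return f"DENIED by AUTH({console_auth})"


def run_scenarios() -> dict:
    """Walk through the article's situations on an AUTH(INFO) console."""
    results = {}
    # 1. nobody signed on: *BYPASS* makes the console fully authorized
    results["bypass"] = console_command(TopSecret(), BYPASS_ACID, "INFO", "ACTIVATE")
    # 2. a CONSOLE-facility-only ACID (constructed name) with no OPERCMDS owned
    results["signed_on_unowned"] = console_command(TopSecret(), "CONSOP", "INFO", "ACTIVATE")
    results["signed_on_info_cmd"] = console_command(TopSecret(), "CONSOP", "INFO", "D A,L")
    # 3. MVS.ACTIVATE owned and the ACID permitted
    tss = TopSecret(owned={"MVS.ACTIVATE"}, permits={"CONSOP": {"MVS.ACTIVATE"}})
    results["owned_permitted"] = console_command(tss, "CONSOP", "INFO", "ACTIVATE")
    # 4. owned but not permitted (FAIL mode)
    tss = TopSecret(owned={"MVS.ACTIVATE"})
    results["owned_not_permitted"] = console_command(tss, "CONSOP", "INFO", "ACTIVATE")
    # 5. ownership removed again: back to RC=0004 and AUTH(INFO) applies
    tss.owned.discard("MVS.ACTIVATE")
    results["ownership_removed"] = console_command(tss, "CONSOP", "INFO", "ACTIVATE")
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:22s} {outcome}")
```

The model makes the article's point visible in one place: the only path on which AUTH(INFO) is ever consulted is RC=0004, which a signed-on console reaches when the OPERCMDS resource is not owned; the *BYPASS* ACID never reaches it, so an unsigned console executes ACTIVATE despite AUTH(INFO).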