T 3.69 Incorrect configuration of Unix System Services in z/OS

Unix System Services (USS) is a z/OS subsystem that must be customised prior to putting the system into operation.

During the customisation of the USS parameters there is a series of problems that must be taken into account to ensure that there are no security problems in the z/OS system or parts of the z/OS system.

Depending on the type of error in the configuration, certain subfunctions in the Unix System Services may not be available after starting the z/OS system, or the USS subsystem will not start:

• If USS subfunctions fail, important subsystems such as TCP/IP may be missing.
• If the entire USS subsystem does not start, the z/OS operating system is also not available.
• If HFS files are not mounted during the start phase, applications that need these files cannot be used.

Some typical errors in the configuration of the USS are given in the following:

• The complex layout of the BPXPRMxx member can result in administration errors. Errors will result in an incorrect system start during the Initial Program Load (IPL). This issue is a question of the order in which the individual member definitions are run through.
• Certain parameters in the BPXPRM00 member must be matched to the system's capacity limits. Otherwise there is a risk that more Unix processes will start than the system can handle.
• Errors may occur in the sysplex definitions, e.g. in the VERSION information.
• Errors in the definition of the mount policies for HFS and zFS files (type, mode and mountpoint) are possible.
• Variables may have been used incorrectly in the BPXPRMxx member.

Examples:

• Calling a recursive Unix command continuously generated new processes on a z/OS system until the z/OS swap files (page disks) were exhausted. Despite the presence of further page disks, it was not possible to recover the system as it was only possible to make a few system entries. It was only possible to solve the problem by restarting (IPL) the system.

• On a z/OS system with several BPXPRMxx members a parameter change was made in the wrong member. The change was not taken into account by the system because the parameter was read from a preceding member during the IPL.