T 3.73 Incorrect use of the z/OS system functions

When the z/OS system is in operation, operators need to make changes from time to time, such as customising RACF settings or other system definitions.

Due to the complexity of the z/OS operating system and its components, it is not possible to fully exclude the possibility of incorrect actions by the operators. Depending on the nature of the incorrect action, individual components or the entire system may fail. A few typical examples of incorrect actions are given in the following.

Inadvertent restart using the Hardware Management Console (HMC)

A system restart can be requested using the HMC. To select the system it is sufficient to simply click the system icon, then it is only necessary to select the function (e.g. Initial Program Load). After accepting a corresponding prompt, this action will result in an immediate restart of the selected system. All processes that are running will be stopped in an uncontrolled manner. As a result, a mistake selecting the system can have serious consequences.

As groups of systems can also be set up in the HMC, including all z/OS systems in a computer centre, large areas of information processing could be affected.

Errors in the JES3 DSI (Dynamic System Interchange)

The Job Entry Subsystem JES3 permits the operation of a system group comprising a global computer and various local computers. Predominantly batch jobs are distributed across all computers in the group (global and local) under the control of the global computer and can be run (similar to a parallel sysplex cluster, but limited to JES3). The global computer takes over the central control of the entire life cycle of the batch job, such as interpretation of the job control language, system allocation, resource control, output management, etc.

To take over the function of the global computer on a local computer, a series of system questions must be answered. In an extreme case incorrect entries can result in an IPL (Initial Program Load) on all systems in the group.

Disabling z/OS IDs

IDs with the Special attribute generate a console message (reply) if the password is entered incorrectly several times during login. The operator can decide whether this ID is to be disabled. If, in an extreme case, e.g. during a DoS attack, all IDs with the Special attribute are disabled (e.g. by automatic means), there is then no longer an ID on this system that can operate the RACF. The security system is then completely locked.

Setting disks offline

Accidentally setting a disk offline can have serious consequences and even lead to the total failure of the system.

Deleting the default program class in RACF

If the star profile for the program class is deleted accidentally (e.g. by a typing error), the system may come to a halt. An IPL will not help, as the cause of the error will not be rectified. First the RACF database must be corrected. Such an error can result in a system failure lasting hours and considerable effort to rectify the error.

Forwarding of incorrect RACF commands

If a system is included in a RACF command synchronisation (e. g. RACF Remote Sharing Facility - RRSF), an incorrect RACF command can affect all other systems in this group. If, for instance, the deletion of the Default Program Class is transmitted via RRSF, all systems in the related RRSF group may come to a halt.

Incorrect operation of pre-defined program function keys

The use of pre-defined program function keys can also cause security problems in certain circumstances. Particular care is required, for example, if function keys are allocated commands that require the addition of specific values prior to execution. Here there is a risk of the operator pressing the function key accidentally without entering the supplementary information. If the related command is syntactically correct even without the supplementary information, it will be executed and may cause undesirable effects or even massive damage in certain circumstances.

Incorrect input in general

In general there is always the risk of incorrect input. If, for example, a system task (or a batch job) is to be stopped and the operator makes a typing mistake, the wrong job may be stopped if job names are similar. The same applies for the use of system commands.

If, for example, on deactivating SNA nodes, the cross domain manager name is accidentally entered instead of a specific terminal name, all SNA sessions in this domain will be lost. After the node is restarted, the user must login again and re-establish the SNA connection to the system.

Locking of resources

On mutual locking of resources (enqueue contention), functions may not be available until the lock is removed. Often a series of system prompts (displays) and considerable experience are necessary to remove the mutual locks with the aid of the right MVS commands.

Inadvertent entry of the "Z EOD" command

If the Z EOD command is entered on an MVS master console during operation, this system will be shut down in a controlled manner. All processes will be stopped and must be restarted. This action and the related system failure will last, as a rule, at least 30 minutes.

© Federal Office for Information Security. All rights reserved.