T 3.74 Inadequate protection of the z/OS system settings against dynamic changes

Many z/OS system settings can be changed during operation without the need to perform an IPL. After an existing parameter file (member of the parmlib) has been changed or a new file added, an activation command triggers the change process.

The security of z/OS systems can be impaired if certain commands are used incorrectly or are misused by unauthorised persons. The most important critical parameter files and system commands that allow settings to be changed dynamically during operation are listed below.

Extension of the APF files

Files that must be authorised using the Authorized Program Facility (APF) can be defined in a definitions member (PROGnn) and then activated using the command SET PROG=nn (SET command and parameter PROG=nn). As an alternative, individual libraries can be incorporated in the APF mechanism using the command SETPROG APF (SETPROG command and parameter APF). If the parmlib definitions or the corresponding commands are not correctly protected, security problems may arise because third parties may be able to give their programs a high level of authorisation and activate them during operation.

Extension of the LINKLIST mechanism

Programs that are to be available in a batch job without a Steplib or Joblib DD statement can be defined in the LINKLIST. These definitions are saved in a PROGnn member in the parmlib. Files can be added dynamically using the SETPROG LNKLST command via a member that must be defined. If the LINKLIST is defined in the system definition (IEASYSnn) using LNKAUTH=LNKLST, all programs loaded using this mechanism are automatically APF-authorised. The integrity of the system is also jeopardised here if the command is available without protection.

Deactivation and modification of the user exits

Using the SETPROG EXIT command, it is possible to deactivate exits or replace them with others. If the command is inadequately protected, an attacker may be able to run his/her own exits on the system in certain circumstances. In this way it is possible, for example, to prevent the writing of SMF records (System Management Facility) and thereby to affect the auditing of the system (covering up traces).

Modification of the Message Processing Facility (MPF)

A large number of programs evaluate system messages for the automation of processes. By setting different MPF versions (Message Processing Facility) using the command T MPF=nn, automation can be disrupted or even completely disabled (T MPF=NO).

Exchange of parmlibs

Parameter files (parmlibs) are the central point for the z/OS system definitions. With the aid of the SETLOAD command, existing parmlibs can be replaced with new parmlibs.

Other critical z/OS commands for dynamic changes

Along with the commands described above, a series of other commands for changing z/OS system settings is available, such as SETSSI for adding or deleting subsystems or SETSMS for changing the SMS definitions.

Security problems can be caused by all these commands that dynamically change the z/OS definitions if they are available in the system without control. The misuse of these commands can result in problems similar to those from tampering with critical definition files.
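One way to monitor for uncontrolled use of these commands is to review the operator command log for every dynamic change and check who issued it. The following is an added example, not part of the original catalogue text: the log layout, the system name SYSA, the issuer names SYSPROG1 and OPER7, the data set name and the authorised set are constructed assumptions.

```python
import re

# Dynamic-change commands named in this section. "T" is the abbreviation of
# SET, so both spellings match. Display commands (D ...) never match.
RULES = [(re.compile(p), label) for p, label in [
    (r"(SET|T)\s+PROG=", "PROGnn activation"),
    (r"SETPROG\s+APF\b", "APF list change"),
    (r"SETPROG\s+LNKLST\b", "LINKLIST change"),
    (r"SETPROG\s+EXIT\b", "user exit change"),
    (r"(SET|T)\s+MPF=NO\b", "MPF disabled"),
    (r"(SET|T)\s+MPF=", "MPF version change"),
    (r"SETLOAD\b", "parmlib exchange"),
    (r"SETSSI\b", "subsystem change"),
    (r"SETSMS\b", "SMS definition change"),
]]

# Constructed sample in a simplified "time system issuer command" layout.
# This is not the real SYSLOG/OPERLOG record format; adapt the split to yours.
SAMPLE_LOG = """\
2024-05-01T02:14:07 SYSA SYSPROG1 SET PROG=A1
2024-05-01T02:15:40 SYSA OPER7 setprog apf,add,dsname=EXAMPLE.LOADLIB,sms
2024-05-01T02:16:02 SYSA OPER7 D PROG,APF
2024-05-01T02:17:19 SYSA OPER7 T MPF=NO
2024-05-01T02:20:55 SYSA SYSPROG1 SETLOAD 00,PARMLIB
"""

def classify(command):
    """Return the affected setting for a dynamic-change command, else None."""
    text = command.strip().upper()
    return next((label for rx, label in RULES if rx.match(text)), None)

def review(log_text, authorised):
    """List every dynamic change and flag issuers outside the authorised set."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # blank or truncated line
        time, _system, issuer, command = parts
        setting = classify(command)
        if setting:
            findings.append((time, issuer, setting, issuer not in authorised))
    return findings

if __name__ == "__main__":
    for time, issuer, setting, unexpected in review(SAMPLE_LOG, {"SYSPROG1"}):
        print("ALERT" if unexpected else "ok   ", time, issuer, setting)
```

Changes by an authorised issuer are still listed, so that each one can be matched against an approved change request.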

Examples: