S 5.114 Protection of the z/OS trace functions
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
Under z/OS, trace functions can be used to analyse errors that occur during connection setup. They can be used both in VTAM (Virtual Telecommunication Access Method) and in TCP/IP. The Generalized Trace Facility (GTF) is used to capture and analyse the trace data. On top of this, the Network Logical Data Manager (NLDM, a NetView component) and Advanced Communication Facility Trace Analysis Program (ACFTAP) are also available for analysing VTAM data.
Trace functions not only point to errors, but can also display the transmitted data itself. The following points should therefore be noted:
Protection of trace functions and GTF
If any session data is transmitted unencrypted, it will be possible to read the passwords in plaintext in the trace. Access to the commands that can initiate traces must therefore be granted only to employees who need GTF in connection with their work. To minimise the risk of breaches of confidentiality, the number of such employees should be kept to a minimum.
Protection of GTF files
The GTF analyses are saved to files. These files must be protected so that only the responsible employees have access to them; in particular, the Universal Access (UACC) of the profiles must be set to NONE. The same applies to copies of these files.
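The following batch job shows how the protection of GTF files and of the command that starts GTF can be set up with RACF. It is an added example and not part of the safeguard text; the high-level qualifier SYS1.GTF, the group GTFADM, the owner SYSPROG and the started-procedure name GTF are assumed placeholders to be replaced by the site's own names.

```jcl
//RACFGTF  JOB (ACCT),'PROTECT GTF',CLASS=A,MSGCLASS=X
//*
//* Added example, not part of S 5.114. Assumed placeholders:
//*   SYS1.GTF  - HLQ under which the GTF trace output is written
//*   GTFADM    - RACF group of the employees responsible for GTF
//*   SYSPROG   - owner of the profiles
//*   GTF       - name of the started procedure that initiates GTF
//*
//* Step 1: generic DATASET profile with Universal Access NONE, so no
//*         one outside the access list can read trace data (and the
//*         plaintext passwords it may contain). READ access is audited.
//* Step 2: only the responsible group may read/update the traces.
//* Step 3: OPERCMDS profile so that only that group may START GTF.
//* Step 4: refresh in-storage profiles and verify the result.
//*
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
  ADDSD 'SYS1.GTF.**' GENERIC UACC(NONE) OWNER(SYSPROG) -
        AUDIT(ALL(READ)) NOTIFY(SYSPROG)
  PERMIT 'SYS1.GTF.**' GENERIC CLASS(DATASET) ID(GTFADM) ACCESS(UPDATE)
  RDEFINE OPERCMDS MVS.START.STC.GTF.* UACC(NONE) OWNER(SYSPROG) -
        AUDIT(ALL(READ))
  PERMIT MVS.START.STC.GTF.* CLASS(OPERCMDS) ID(GTFADM) ACCESS(UPDATE)
  SETROPTS GENERIC(DATASET) REFRESH
  SETROPTS RACLIST(OPERCMDS) REFRESH
  LISTDSD DATASET('SYS1.GTF.**') GENERIC AUTHUSER
  RLIST OPERCMDS MVS.START.STC.GTF.* AUTHUSER
/*
```

The two LIST commands at the end print the access lists; for the review questions below, both should show UACC NONE and only the responsible group. The OPERCMDS class must already be active (SETROPTS CLASSACT(OPERCMDS) RACLIST(OPERCMDS)) for step 3 to take effect, and copies of the trace files under other qualifiers need profiles of their own.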
NLDM traces
The trace function of NLDM should normally be disabled and only be activated in case of need. It should only be available to the employees responsible.
Protection of ACFTAP
The ACFTAP program should be protected so that only the employees responsible have access to it.
Session data
To protect the passwords from being read by unauthorised persons during transmission, encrypting the session data in transit should be considered. It is recommended to do this at a minimum for the connections used by the RACF (Resource Access Control Facility) administrators.
Review questions:
- Has it been ensured that only employees who need GTF in connection with their work can initiate traces under z/OS?
- Are the GTF analyses under z/OS protected so that only the employees responsible have access to them?
- Has the trace function of NLDM been disabled in z/OS?
- Is ACFTAP in z/OS protected so that only the employees responsible have access to this program?
- For the z/OS trace function, are the session data encrypted to protect passwords from being read by unauthorised persons during transmission?