An information technology security audit is a manual or systematic, measurable technical assessment of an information system. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, or CAATs (Computer Assisted Auditing Tools and Techniques), include system-generated audit reports and the use of software that monitors and reports changes to files and settings on an IT system.
IBM System z data centers and the z/OS operating system are very secure environments. IT or security people who are not familiar with the System z platform may dismiss this as a kind of "security through obscurity". Mainframes, the largest servers available, support most open-system protocols and maintain the highest levels of IT security available, in addition to the highest service levels of availability. For example, IBM LPARs (Logical Partitions), which let an organization run many different applications containing confidential data on one System z box with strong separation between them, have been certified at Common Criteria EAL5. EAL5 (Evaluation Assurance Level 5) was, at the time, the highest assurance level awarded to a commercially available system.
The z/OS operating system on the System z platform has a security server called RACF (Resource Access Control Facility). The other security server option is the Top Secret program product from CA (Computer Associates). Either can be used to protect system resources. Since Top Secret is not as widely used or as well known as RACF, this page explains Top Secret's listing and reporting characteristics.
APF (Authorized Program Facility) authorized programs are one of the important categories of resources. Those programs reside in the system-defined APF load libraries and are link-edited with an authorization code of one (AC=1). Such programs can switch from problem state to supervisor state and perform authorized functions. A job step only runs authorized if every library in its STEPLIB or JOBLIB concatenation is APF-authorized; a single unauthorized library makes the whole concatenation unauthorized. Conversely, an APF library that ordinary users can update is a direct privilege-escalation path, so write access to every APF library is a key audit check.
Another category of security-related resources is the IBM-supplied system utilities. Several of them are authorized programs that can bypass security checks. IEHPROGM (data management), IEHINITT (tape cartridge initialization), IEFBR14 (a dummy program whose DD statements are commonly used to allocate or delete data sets) and SPZAP (AMASPZAP, "Superzap", which patches load modules and disk records directly) are important programs whose usage should be reviewed in an audit.
The PPT (Program Properties Table), defined in the SCHEDxx parmlib member, is a system initialization table that assigns special properties to trusted programs, such as running in a system protection key, being non-cancellable, or bypassing data set password and security checking (NOPASS). Every program given such properties should be listed and justified during an audit.
JES (Job Entry Subsystem) internal readers, PROCLIBs (procedure libraries) and job-related libraries are the important sources of the JCL (Job Control Language) statements submitted to the system to associate programs with their data sources, and so belong in the audit scope.
Top Secret decomposes resources into facilities such as STC (started tasks), TSO (time-sharing users), BATCH (background workload), CICS (Customer Information Control System online subsystems), MQM (WebSphere MQ queue management), APPC (advanced program-to-program communication over SNA), OMVS (open MVS, the built-in UNIX), TCP, FTP and MISCx (miscellaneous).
Those resources are accessed by users: operators, application developers, systems support staff and external third-party staff. Their authority to access a given resource may be read-only, update or control.
Top Secret defines users as ACIDs (Accessor IDs). Besides user ACIDs there are functional and organizational ACIDs: profile, group, control, department, division and zone ACIDs. Control ACIDs define the security administrators. MSCA (Master Security Control ACID) and SCA (Central Security Control ACID) users are system-wide administrators and correspond to RACF users with the SPECIAL attribute. LSCA (Limited Central Security Control ACID), ZCA (Zone Control ACID), VCA (Divisional Control ACID) and DCA (Departmental Control ACID) users are like RACF group-SPECIAL users, whose authority is limited to managing the resources and members of their group, zone, division or department. An audit should enumerate every control ACID, since all administrative authority in Top Secret flows from them.
Top Secret has audit utilities such as TSSTRACK, TSSUTIL, TSSAUDIT and TSSCHART. It is also possible to audit using the listings produced by Top Secret's reporting facilities. User listings show the parameters associated with a user, some statistical usage information, and the authorized facilities with their authorization levels; group-related information can be included in the user listing as well. Resource and facility listings can be produced with the WHOHAS and WHOOWNS commands, which show which ACIDs have access to the specified resource (a data set or a facility) at which level, and which ACID owns it.
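The two checks the APF and listing paragraphs above call for, carried through in code: whether a job step's STEPLIB concatenation and the program's AC value actually yield an authorized step, and which APF libraries are writable by ACIDs outside the systems support group. This is an added example, not code from the original page or from CA; the APF entries and permit records are constructed sample data standing in for what D PROG,APF and a WHOHAS listing would give you (the real listing format is not reproduced), and the ACID names and data set names are assumptions.

```python
"""Audit helpers for the APF-library and data-set permit checks.

Added example, not from the original page or from CA/Broadcom. All input
below is constructed sample data: the Permit records stand in for the
facts a TSS WHOHAS listing reports (which ACID holds which access level
on which data set prefix), but not for its output format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permit:
    acid: str      # accessor ID holding the permit
    prefix: str    # data-set prefix the permit was granted on, e.g. "SYS1."
    access: str    # access level: READ, UPDATE, CONTROL or ALL


# Access levels that allow an ACID to change a library's contents.
WRITE_LEVELS = {"UPDATE", "CONTROL", "ALL"}

# Constructed APF list as (volume, data set name) pairs; the vendor library
# is authorized, TEST.LOADLIB (used below) is deliberately not.
APF_LIST = {
    ("SYSRES", "SYS1.LINKLIB"),
    ("SYSRES", "SYS1.SVCLIB"),
    ("VENDOR", "VEND.AUTH.LOADLIB"),
}

# Constructed permits standing in for a WHOHAS listing over those libraries.
PERMITS = [
    Permit("SYSPROG1", "SYS1.", "ALL"),
    Permit("OPER01", "SYS1.", "READ"),
    Permit("DEVTEAM", "VEND.", "UPDATE"),  # developers can write an APF library
    Permit("DEVTEAM", "TEST.", "ALL"),
]

# ACIDs whose write access to system libraries is expected (systems support
# staff in the page's classification); any other writer is a finding.
PRIVILEGED = {"SYSPROG1"}


def steplib_is_authorized(steplib, apf_list):
    """True only if every library in the STEPLIB/JOBLIB concatenation is in
    the APF list; one unauthorized library makes the whole step unauthorized."""
    apf_names = {dsn for _, dsn in apf_list}
    return all(dsn in apf_names for dsn in steplib)


def step_can_run_authorized(program_ac, steplib, apf_list):
    """Both conditions are needed: AC=1 on the program and an all-APF
    concatenation. AC=1 in a non-APF library buys nothing, and an APF
    library holding an AC=0 program runs it in problem state."""
    return program_ac == 1 and steplib_is_authorized(steplib, apf_list)


def permits_for(dsn, permits):
    """Top Secret data-set permits are granted on prefixes: a permit on
    'SYS1.' applies to every data set whose name starts with 'SYS1.'."""
    return [p for p in permits if dsn.startswith(p.prefix)]


def writable_apf_libraries(apf_list, permits, privileged):
    """Return {dsname: sorted ACIDs} for APF libraries that non-privileged
    ACIDs can write. Each hit is a privilege-escalation path: an AC=1 module
    placed there can enter supervisor state no matter who submits it."""
    findings = {}
    for _, dsn in sorted(apf_list):
        writers = sorted({
            p.acid for p in permits_for(dsn, permits)
            if p.access in WRITE_LEVELS and p.acid not in privileged
        })
        if writers:
            findings[dsn] = writers
    return findings


if __name__ == "__main__":
    print("all-APF STEPLIB:",
          steplib_is_authorized(["SYS1.LINKLIB", "VEND.AUTH.LOADLIB"], APF_LIST))
    print("mixed STEPLIB:  ",
          steplib_is_authorized(["SYS1.LINKLIB", "TEST.LOADLIB"], APF_LIST))
    for dsn, acids in writable_apf_libraries(APF_LIST, PERMITS, PRIVILEGED).items():
        print(f"FINDING: APF library {dsn} writable by {', '.join(acids)}")
```

The prefix match in permits_for is what makes the second check useful: a permit granted on a short prefix such as VEND. silently covers every APF library under it, which is exactly the kind of over-broad permit a WHOHAS listing reveals and a reviewer reading only the APF list would miss.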
Performing a security audit on a z/OS shop that uses Top Secret as its security product is therefore as straightforward as performing one on a z/OS shop that uses RACF.