| |
| |
 |
| |
Free Access To Valuable Tips and Techniques
|
| |
iTIPS is another
Free service from illustro Systems. Periodically our technical staff
contributes an article with a useful tip and technique to help your
shop!
iTIPS is a FREE service provided by
illustro, where valuable tips, tricks and techniques are shared from
the
illustro technical team, drawing on many years of experience working
"in the trenches." Valuable tidbits will be shared on subjects
ranging from hardware installation, z/VSE and VSE/ESA, z/VM and
OS/390 to CICS and TCP/IP from some of the leading experts in the
field. |
| |
|
| |
August 5, 2008 |
| |
Privilege Classes for VM Guests |
| |
If you are running VM with
z/OS, z/VSE, or z/Linux guests, you should review the CP privilege
classes assigned to those guests. Quite probably your guests are
allowed more authority than you need, which can have unfortunate
consequences.
Examine the directory entry for each guest, particularly the USER
card. It will look something like:
USER VSEPROD PASSWORD 64M 64M ABCDEFG
This defines userid VSEPROD (with a password of “PASSWORD”) to have
64M of virtual storage, and CP privilege classes A through G. Absent
any class override definitions (more on that in a bit), this means
that your VSE guest can execute any CP command, including those that
can alter real storage or shut down the VM system. Since CP commands
can be executed programatically, this also means that any job that
can get into supervisor state can, for example, forceably log off
any other virtual machine on the same VM image. If your auditors
found out, they’d have kittens.
Far better to limit the scope of what your VSE (or z/OS, or z/Linux)
guest can do by restricting the privilege classes to B, F, and G,
although the required classes may be different in your shop. Class B
allows attach and detach of real devices, such as tape drives. Class
F allows hardware diagnostics, and every user on the system should
have class G, or innocuous “general user” class commands.
If you want to get precise with the privileges that you allow,
consider creating a class override file. This mechanism allows you
to define a new CP privilege class that contains just the commands
you specify. The idea is to take an unused class (IBM only defines
commands in classes A-G) and add commands that your guest needs to
that new class, while not adding any commands that you don’t want
your guest to have.
For example, if you wanted to allow all class “A” commands except
for SHUTDOWN (brings down the VM system) or FORCE (logs off another
user) then you’d use an override file to create a new class, say
“V”, that contains all of the commands currently in class “A” except
for SHUTDOWN and FORCE. Then you’d remove class “A” from the VSEPROD
directory entry, and add class “V”.
All of the facilities mentioned in this article are documented in
“CP Planning and Administration” and “CP Command and Utility
Reference” for your release of VM, so go and tighten up your system
security. |
|
|
|
|
|
