Although everyone knows that non-mainframe platforms have system integrity issues, that is, where there is a way to bypass the formal interfaces of an Operating System to gain control in an authorized state and perform unauthorized actions, everyone has blissfully assumed that the mainframe, because of IBM’s commitment to integrity, has been immune from these issues.
However, incorrect hardware configuration settings, Operating System configuration parameters, Security System controls and system integrity vulnerabilities in z/OS, in your vendor supplied products or even your locally developed or acquired code, can all allow an authorized user of your system to gain unauthorized access to data, possibly without any security system journaling. These issues are independent of the three External Security Managers – RACF, ACF2 and Top Secret, and should be regularly reviewed by all z/OS installations.
The session will cover the concepts of configuration controls, some glaringly weak configurations, introduce the Defense Information Systems Agency’s (DISA) Security Technical Information Guides (STIGs) and address the issue of z/OS System Integrity Vulnerabilities.