TECHNICAL AUDIT OF OS/390 SAMPLE ANSWER CASE PART 7-A Technical audit of OS/390

PART 7-A
Technical audit of OS/390
Case “Local modifications”
Leen van Rij
kpmg IRM
vrije Universiteit amsterdam
29 October 2002
File 7-A Technical audit of OS390 case Local Modifications
© 2002
(with Note pages)
TECHNICAL AUDIT OF OS/390
SAMPLE ANSWER CASE
This example contains the attention items for answering the case. The structure of
standards, findings etc. is not strictly followed here, since the remarks are made
per foil.
Page 1
1
LvR/VU
OCT/2002
Contents
TECHNICAL AUDIT OF OS/390
CONTENTS OF THE WORKSHOP (3 groups of students)
• Case: Audit of local modifications and change management
• Computing center of VUBank:
– Organization and responsibilities
– Data-processing environment (mainframes, DASD and connections)
– Overview of current software and applications
(see handouts ‘VUBank’)
Technical audit of OS/390: Case local modifications
2
Page 2
2
LvR/VU
OCT/2002
How to write the report
HOW TO WRITE THE REPORT
• Objective and scope (objects and quality aspects), summary of major
findings and conclusions (directed to management)
• Appendices with per object of investigation:
– Standard (‘norm’: stellig, duidelijk en toetsbaar, zoals bijvoorbeeld
‘een wachtwoord dient niet triviaal en niet voorspelbaar te zijn’ en
‘voor iedere vitale dienst dient bekend en vastgelegd te zijn binnen
hoeveel uur na een incident deze weer toegankelijk is voor de
eindgebruikers en met welk kwaliteitsniveau’)
– Finding (in fact: observation)
– Evaluation (risk analysis)
– Recommendation
• Optional appendix with priorities for the implementation of the
recommendations (e.g., high, medium and low)
Technical audit of OS/390: Case local modifications
3
Page 3
3
CASE: AUDIT OF LOCAL MODIFICATIONS
LvR/VU
OCT/2002
CASE
CASE
AUDIT
AUDIT OF
OF LOCAL
LOCAL MODIFICATIONS
MODIFICATIONS
AND
AND CHANGE
CHANGE MANAGEMENT
MANAGEMENT
Technical audit of OS/390: Case local modifications
4
Page 4
4
Case: Audit of local modifications
LvR/VU
OCT/2002
CASE: AUDIT OF LOCAL MODIFICATIONS AND
CHANGE MANAGEMENT
• The VUBank computing center has a dedicated acceptance and
maintenance environment
• Change management has been introduced at an early stage and is used
for changes dealing with hardware, OS, standard program products and
the infrastructure
• A new application, called STOCKS and supporting stock-market
transactions, will be developed. It needs some new local modifications
• The development and maintenance of all code will be done by external
hires. All code is tested and installed by systems programmers of the
VUBank (via the change management process)
• The case deals with the ‘development phase’
Technical audit of OS/390: Case local modifications
5
Attention items are:
• Verify that only acceptance team members and authorized systems programmers
have access to the acceptance and maintenance environment. There must be
strict procedures and isolation to avoid access by any other person to this
environment.
• Verify that change management is effective and no changes are implemented
beyond this process.
• Verify that testing and installing at VUBank systems is really done by staff of the
VUBank and not by external hires.
Page 5
5
LvR/VU
OCT/2002
Exercise - group 1
EXERCISE: GROUP 1
• You, as an EDP-auditor, have to review the design for the SVC 202
routine
• Verify whether the design of the SVC 202 routine complies with the
guidelines for secure user SVCs
• Using the information in the handouts ‘VUBank’ and this case
description, can you find any weaknesses allowing you to obtain any data
or to issue any financial transaction for which you are not entitled?
• If there are (potential) weaknesses, describe them and suggest better
solutions
Technical audit of OS/390: Case local modifications
6
Conclusion: The current design of SVC 202 is insecure. Everybody can issue any
financial transaction or retrieve data through SVC 202 without the need for any
authorization. Moreover, hackers can misuse the SVC to endanger system
security and logging, and the continuity of the system. Recommend a redesign.
Page 6
6
LvR/VU
OCT/2002
Exercise - group 2
EXERCISE: GROUP 2
• You, as an EDP-auditor, have to review the effectiveness of the change
management process and the process of testing and implementing local
modifications
• Using the information in the handouts ‘VUBank’ and this case
description, can you find any weaknesses allowing you to obtain any data
or to issue any financial transaction for which you are not entitled?
• Pay attention to internal control, security, privacy, completeness of
logging, separation of duties, and verification by independent staff.
• The review has to include the initial installation of softeware,
maintenance and changes
• If there are (potential) weaknesses, describe them and suggest better
solutions
Technical audit of OS/390: Case local modifications
7
Conclusion: The current process for change management does not pay any attention
to security and internal control. There is no separation of duties within this
process. Testing is done by the developers themselves. Moreover, everybody can
issue any financial transaction without the need for any authorization.
Page 7
7
LvR/VU
OCT/2002
Exercise - group 3
EXERCISE: GROUP 3
• You, as an EDP-auditor, have to review the APF program and its
protection, the automatic job scheduling mechanisms, the JES2
modifications, and the exit routine
• The review has to include NJE, the usage of high RACF authorities by
the jobs involved, and the usage of passwords
• If there are (potential) weaknesses, describe them and suggest better
solutions
Technical audit of OS/390: Case local modifications
8
Conclusion: There is an unacceptable lack of control. With the current design, a
unknown number of people can do anything on the production system, without
any limitation by access control. Recommend an entire redesign of the
procedures and the local modifications. Partly the local modifications can be
replaces by using modern RACF facilities.
Page 8
8
LvR/VU
OCT/2002
Design of a new application
USERS connected
via network
MVS SYSTEM PROD-1
Automatic
submission of
job through OPC/A
STARTED TASK
‘STOCKS’, started
by operator
DATA BASE
APPLICATION
‘STOCKS’
TSO
APPL
SVC 202
CSA
Scratch and
individual data
SVC 202
data via
MVCP
MVCS
‘BANK.STOCK.TRANSACT’
transaction queue
APF BATCHJOB
‘STOCKJOB1’
(userid
TRUSTED)
SUBMIT job
via INTRDR and JES2
modification
NJE
JES2 modification
MVS SYSTEM PROD-2
‘BANK.STOCK.ACCOUNT’
financial data and
stock accounts
Technical audit of OS/390: Case local modifications
BATCHJOB
‘STOCKJOB2’
9
Attention items are:
• Why has the architect chosen for such a complicated structure? Using CICS or
IMS or a similar standard program product makes everything much easier.
Challenge the decisions by the architect.
• The number of local modifications and highly authorized jobs opens many
possibilities for weaknesses. As an EDP-auditor you have to verify all
components on their potential impact on security and internal audit.
Page 9
9
LvR/VU
OCT/2002
Started task
STARTED TASK ‘STOCKS’
The Data Base application STOCKS is started by a system operator at
08.00 by issuing the command S STOCKS. and stopped at 18.00 by issuing
the command P STOCKS
The JCL in ‘SYS1.PROCLIB(STOCKS)’ reads:
//STOCKS JOB (123),’Stock Apll’,TIME=1440,
// REGION=4000K,MSGCLASS=V
//STEP
EXEC PGM=STOCKS,PARM=PROCESS
//STEPLIB DD
DSN=BANK.STOCK.LOADLIB,DISP=SHR
//SYSOUT
DD
SYSOUT=*
//DATABASE DD
DSN=BANK.STOCK.TRANSACT,DISP=OLD
//CONTROL DD
DSN=BANK.STOCK.CNTL(STOCKS),DISP=SHR
//LOG
DD
DSN=BANK.STOCK.LOG,DISP=SHR
//
The data base is exclusively allocated (DISP=OLD)
Technical audit of OS/390: Case local modifications
10
Attention items are:
• Verify who has UPDATE or higher to ‘SYS1.PROCLIB’ and
‘BANK.STOCK.*’.
• Also verify who has READ-access. Verify whether somebody else can run the
program STOCKS as a batch job and, if so, whether it can be misused?
• Between 08.00 and 18.00 o’clock, the transaction database
BANK.STOCK.TRANSACT is exclusively claimed by this program (due to
DISPostion=OLD). However, can somebody get access to it beyond this time
period? If so, can transactions be read and/or inserted?
Page 10
10
LvR/VU
OCT/2002
Started task ...
STARTED TASK ‘STOCK’ (cont.)
• The RACF Started Task entry for this application reads:
PROGRAM NAME
= STOCKS
ASSOCIATED USERID = OPER
ASSOCIATED GROUP = OPER
PRIVILEGED
= YES
• The userid OPER has SPECIAL, OPERATIONS and AUDITOR
• Protection of load module: see below
• The application STOCKS:
– All transactions received via SVC 202 are stored in the data base
BANK.STOCK.TRANSACT, and statistics are updated
– Via SVC 202, the end user may view the transactions queued, the
transactions entered during the last 30 workdays, and the statistics
– Each hour, the transaction queue is copied via STOCKJOB1 to
PROD-2 and processed there
Technical audit of OS/390: Case local modifications
11
Attention items are:
• There is no need for any high RACF authority for the userid OPER. So one has
to remove SPECIAL, OPERATIONS and AUDITOR. Also the item
PRIVILEGED=YES in the RACF Started Task Table has to be removed, making
the program subject to proper RACF control.
• All transaction through SVC 202 are accepted. In which way is the authority to
submit transactions controlled? If this happens in the user’s program, everybody
writing his own program can issue any transaction through SVC 202.
• Which transactions can be viewed, only the user’s own transactions or all?
This description raises a number of questions, which are not answered by the foils of
this case. So you have to interview the developers and read the documentation of
the programs.
Page 11
11
LvR/VU
OCT/2002
Automatic job submission
AUTOMATIC JOB SUBMISSION
• Once per hour, the job STOCKJOB1 has to be submitted to transfer the
transactions from PROD-1’s queue to PROD-2’s data base
• One has installed IBM’s Operations Planning and Control /Advanced
(OPC/A) package as automatic job submission tool:
– The department Production Planning specifies a schedule for job
submissions, and provides JCL, userids and passwords
– Userids and passwords are stored in an OPC/A library which is
protected with UACC=NONE and UPDATE access only for two
persons in Production Planning
– The OPC/A program runs on all Level I systems, but the library with
userids and passwords is unique per system
Technical audit of OS/390: Case local modifications
12
Attention items are:
• Have all relevant logging options been activated to track the activities of these
two trusted persons?
No remarks on the use of OPC/A and the procedure. It seems to be OK.
Page 12
12
LvR/VU
OCT/2002
Automatic job submission ...
JCL OF STOCKJOB1
The JCL resides in a member in OPC’s JCL library, and reads:
//STOCKJOB1 JOB (123),’Stock Transactions’,
// MSGCLASS=V,REGION=4000K,TIME=2,NOTIFY=A99,
// USER=TRUSTED,PASSWORD=SECRET
//STEP
EXEC PGM=STOCKJOB1
//STEPLIB DD
DSN=BANK.STOCK.LOADLIB,DISP=SHR
//SYSOUT DD
SYSOUT=*
//SORTUT1 DD
DISP=(NEW,DELETE),UNIT=SYSDA,
//
SPACE=(CYL,(50,50))
//JOBSUBM DD
SYSOUT=(,INTRDR)
for JOB2
//CONTROL DD
DSN=BANK.STOCK.CNTL(STOCK1),DISP=SHR
//LOG
DD
DSN=BANK.STOCK.LOG,DISP=SHR
//
The SORTUT1 data set is used to sort the transactions. All data sets BANK.* are
cataloged in the Master Catalog of PROD-1
Technical audit of OS/390: Case local modifications
13
Attention items are:
• The password is included in the JCL. Verify that the spool dataset is properly
protected, so that nobody can read it.
• Moreover, using modern RACF support it is no longer necessary to specify a
password in the JCL. One may use password propagation or the Surrogate Userid
concept of RACF 1.9 up.
• The transactions are sorted in a temporary dataset (DDname SORTUT1 with
DISP=(NEW,DELETE). One should activate RACF Erase on Scratch for this
dataset or let the application erase the contents after using it, otherwise the
transactions will stay on disk after deleting the temporary dataset.
Page 13
13
LvR/VU
OCT/2002
Automatic job submission ...
JCL OF STOCKJOB2
STOCKJOB1’s code contains JCL reading:
//STOCKJOB2 JOB (123),’Stock Updates’,REGION=4000K,TIME=2
/*ROUTE XEQ
PROD-2
/*ROUTE PRINT PROD-1
//STEP1
EXEC PGM=STOCKJOB2,PARM=UPDATE
//STEPLIB DD
DSN=BANK.STOCK.LOADLIB,DISP=SHR
//SYSPRINT DD
SYSOUT*
//DATABASE DD
DSN=BANK.STOCK.ACCOUNT,DISP=SHR
//LOG
DD
DSN=BANK.STOCK.LOG,DISP=SHR
//SYSIN
DD
*
(sample input)
transfer f 50,- from 45678 to 90123 ...
transfer f 678,- from 34567 to 89012 ...
transfer f 234,- from 23456 to 78901 ...
transfer f 100,- from 12345 to 67890 ...
total amount is f 1062,//
All data sets BANK.* are cataloged in the Master Catalog of PROD-2
Technical audit of OS/390: Case local modifications
14
No remarks.
Page 14
14
LvR/VU
OCT/2002
Automatic job submission ...
CONTROL THE AUTOMATIC JOB SUBMISSION
• The JCL of STOCKJOB1 is stored in a well protected OPC library
• The JCL of STOCKJOB2 is part of the code of the program
STOCKJOB1 and does not contain a userid nor a password
• The programs reside in BANK.STOCK.LOADLIB which is an APF
library protected with UACC=NONE, UPDATE by two systems
programmers responsible for software installation at Level I, and READ
for the groups STOCK and Production Planning
• The member SYS1.PARMLIB(SCHED00) reads:
PPT PGMNAME(STOCKJOB2) NOPASS KEY(8)
• The log BANK.STOCK.LOG is protected with UACC=NONE,
UPDATE by the group STOCK, and READ by Production Planning
• The userid TRUSTED is connected to the group STOCK with the USE
authority
Technical audit of OS/390: Case local modifications
15
Attention items are:
• Why is the program STOCKJOB2 mentioned in the Program Properties Table
with NOPASS (this means, bypass RACF control). This program must be subject
to regular RACF control.
• Why has the entire group STOCK got UPDATE access to the logging dataset
BANK.STOCK.LOG? Only one or two userids with update for housekeeping
activities (copying and deleting log records) should be sufficient.
Page 15
15
LvR/VU
OCT/2002
Data classification
DATA CLASSIFICATION
The RACF administrator has enabled data classification by activating the
class SECDATA, adding a profile called SECLEVEL, and defining four
levels via the commands:
SETROPTS CLASSACT(SECDATA)
RDEFINE SECDATA SECLEVEL UACC(NONE)
RALTER SECDATA SECLEVEL
ADMEM(INTERNAL/50,
CONFIDENTIAL/100, RESTRICTED/150,
SECRET/200)
The numbers are used to perform comparisons such as ‘higher than or
equal to’
Technical audit of OS/390: Case local modifications
16
No remarks. Correctly defined.
Page 16
16
LvR/VU
OCT/2002
Data classification ...
DATA CLASSIFICATION (cont.)
All data bases and data sets of the group BANK.STOCK.* contain privacyrelated data, and are hence classified as Confidential. The RACF
administrator (with SPECIAL and AUDITOR) has issued:
ADDSD ‘BANK.STOCK.*’ GENERIC AUDIT(ALL(READ))
ERASE
NOTIFY(SECOFFICER)
OWNER(STOCKMGR)
SECLEVEL(CONFIDENTIAL)
SETROPTS ERASE(NOSECLEVEL)
SECLEVELAUDIT(CONFIDENTIAL)
so activating Erase-on-Scratch and auditing for these data bases and data
sets
Technical audit of OS/390: Case local modifications
17
No remarks. Correctly defined.
Page 17
17
LvR/VU
OCT/2002
Local modifications
LOCAL MODIFICATIONS
The new application STOCKS requires four new, additional local
modifications:
1 User SVC 202 for inter-address space data transfer between TSO
address spaces and the data base application STOCKS
2 APF mainline program and 24 APF subroutines for inter-system
exchange of data
3 JES/NJE modifications to prevent specification of USERID= and
PASSWORD= in JOB card for NJE jobs submitted by userid
‘TRUSTED’
4 RACF RACINIT exit routine interacting with the JES2/NJE
modifications
Technical audit of OS/390: Case local modifications
18
Attention items are:
• The standard is: “No local modifications, unless it is absolutely necessary”. So
verify the justification for developing the SVC, the JES/NJE modifications and
the RACF exit routine.
• Moreover, the JES/NJE modification and RACF exit are not necessary if one
uses modern RACF support, such as password propagation and Surrogate Userid.
Page 18
18
LvR/VU
OCT/2002
SVC 202
‘SYS1.PARMLIB(IEASVC00)’ contains:
SVCPARM 202,TYPE(3),EPNAME=DATAMOVE,APF(NO)
The function of the SVC-202 routine is:
• Caller provides in R1 pointer to his own buffer with data
• SVC routine for SVC 202 (running in Supervisor Mode with key-in-PSW =
ZERO):
1 GETMAIN 500-byte buffer in CSA; copy caller’s data to CSA buffer
2 submit SRB to the address space of the Data Base Application STOCKS
and wait
3 SRB task will:
» copy CSA data into private buffer
» execute requested STOCKS function (retrieve or update data)
» return reply data into CSA buffer
» awaken caller’s address space
4 copy 500 bytes from CSA to caller’s buffer; FREEMAIN CSA buffer
5 return to caller with caller’s mode and key-in-PSW
Technical audit of OS/390: Case local modifications
19
Attention items are:
• Everybody can issue this SVC. The description contains no indication of any
authorisation mechanism. This implies that everybody can write a program to
issue financial transactions and/or to retrieve data.
• A hacker can misuse this SVC to breach system security. In step 4, the SVC
routine (running in Supervisor Mode and Key=0) writes 500 bytes to a location
specified by the caller in register R1. The hacker can specify any address in
register R1, including key=0 areas of the operating system and RACF. Without
testing the caller’s key, the SVC routine will write 500 bytes to this area. This is
a threat to the continuity of the system and may, under certain circumstances, be
used to modify the system’s security and logging.
Page 19
19
LvR/VU
OCT/2002
APF batch job
APF BATCH JOB STOCKJOB1
• Collect every hour all transactions submitted by individual users and send
them to PROD-2 to update the data base BANK.STOCK.ACCOUNT
• The function of STOCKJOB1 is:
– Run with APF bit = ‘1’
– Establish a dual-address space environment to exchange data
– Use the code of the application STOCKS to obtain the transaction
queue’s contents (STOCKS then also copies it to the list of transactions
entered, so allowing future inquiries, and resets thereafter the queue)
– Obtain the transactions via the semi-privileged MOVE CHARACTER
FROM SECONDARY TO PRIMARY and MOVE CHARACTER
FROM PRIMARY TO SECONDARY (MVCP and MVCS) instructions
– Allocate the JES2 Internal Reader and submit the transactions as batch
job STOCKJOB2 to PROD-2
Technical audit of OS/390: Case local modifications
20
No remarks.
Page 20
20
LvR/VU
OCT/2002
JES2 modifications
JES2 MODIFICATION 1 ON PROD-1: This code is activated every time
when a job submits another job via the JES2 internal reader
FLOWCHART:
JES2/NJE
NO
if userid of submitter
is ‘TRUSTED’
YES
store in NJE header
field ABC = C’OK’
store in NJE header
field ABC = X’0000’
continue JES2/NJE processing
Technical audit of OS/390: Case local modifications
21
Explanation: If the user TRUSTED submits a batch job, the internal JES2/NJE
header is modified. A locally defined field ABC is filled with the text C’OK’.
This header is sent with the job to the destination system for further processing.
There the field ABC is used to bypass RACF password verification.
Question: Why this complicated solution? Use RACF facilities.
Page 21
21
LvR/VU
OCT/2002
JES modifications ...
JES2 MODIFICATION 1 ON PROD-1: A code review shows:
* load addresses of data fields in R1 and R2
LA R1,address(userid of submitter)
LA R2,address(NJE header field ABC)
* submitted by trusted user?
CLC 0(8,R1),=C’TRUSTED ‘ test 8 characters
BE OK
yes
* submitted by a systems programmer?
CLC 0(4,R1),=C’SPRO’
test 4 ch prefix
BE OK
yes, any syspro
* non-trusted submitter
MVC 0(2,R2),=X’0000’
mark non-trusted
B
EXIT
* trusted submitter
OK MVC 0(2,R2),=C’OK’
mark trusted
EXIT ...
Note: the syntax of Compare Logical Character and Move Character is:
CLC offset(length,address),string
MVC offset(length,destination-address),source-string
Technical audit of OS/390: Case local modifications
22
Attention items are:
• The solution is too complex.
• Why is also tested on the prefix C’SPRO’ ? This means that all systems
programmers may also submit batch jobs which bypass RACF password
verification on the production system PROD-2. This indicates misuse of the
system and creates possibilities for hackers and fraudsters.
• Ask the question: Who has designed this code and who has verified it? What
were their intentions? If there is any indication of intentional misuse or fraud,
this must be reported to your principal.
Page 22
22
LvR/VU
OCT/2002
JES modifications ...
JES2 MODIFICATION 1 ON PROD-2
This code is activated every time when a job arrives via NJE
FLOWCHART:
JES2/NJE
NO
if NJE header field
ABC is C’OK’
YES
- store in JCT field
XYZ = C’OK’
- store in JCT field
USERID=C’TRUSTED
- XYZ = X’0000’
- copy USERID from
JCL JOB card
- standard JES2 processing
continue JES2/NJE processing
(JCT = Job Control Table, associated to a batch job and residing in the JES2 checkpoint
data set)
Technical audit of OS/390: Case local modifications
23
Attention items are:
• On the previous foil, the code listing indicates that jobs by systems programmers
also have ABC=OK. With the code above, these jobs get assigned the userid
TRUSTED and now run as highly privileged jobs on the PROD-2 system. This is
unacceptable.
• Moreover, programmers on other systems connected by NJE connections, may
modify the NJE header of their jobs by adding ABC=OK. In such a case, their
jobs will run as TRUSTED on PROD-2.
Page 23
23
LvR/VU
OCT/2002
RACF exit routine
RACINIT PREPROCESSING EXIT ROUTINE ON PROD-2
This code is activated every time if a batch job is started by an initiator
FLOWCHART:
ICHRIX01 (RACINIT preprocessing exit routine)
NO
if JCT field XYZ is C’OK’
YES
set RACF flag bit PASSCHK=YES
(and let RACF bypass password verification)
continue RACF/RACINIT processing
The job submitted by ‘TRUSTED’ at PROD-1 is now accepted at PROD-2: here it also
has USERID ‘TRUSTED’ and can now be executed
Technical audit of OS/390: Case local modifications
24
Attention items are:
• See the previous foils. Jobs submitted by the userid TRUSTED on PROD-1, by
systems programmers and by an unknown number of programmers on other
systems all can get the userid TRUSTED. In such a case, password verification is
bypassed on PROD-2.
• All these jobs have access to the financial data and stock accounts on PROD-2.
You should investigate to which other resources access is allowed for the userid
TRUSTED (and all those persons who can misuse this userid).
Moreover, you must verify the logging (setting and procedures) on PROD-2 and the
reporting on system use. Will such a misuse of the userid TRUSTED be noticed
at once?
Page 24
24
Software acceptance and maintenance
LvR/VU
OCT/2002
SOFTWARE ACCEPTANCE AND MAINTENANCE
• New program products (including OS) are generated by systems
programmers on the ACCEPTANCE system (Level II) using SMP. After
testing the software is distributed over the other systems
• Applications (and code for local modifications) developed at Level III is
received at Level II via a mailbox
• New applications are tested and accepted on Level II
• After acceptance, the activities by systems programmers at Level I are:
– Save old Level I software
– Switch temporarily disks from II to I to copy software or use mailbox
disks (during maintenance window)
– Install new software at Level I
– Test it
– If it works properly, use it for production during one week
– If there are no problems, scratch the old software
Technical audit of OS/390: Case local modifications
25
No remarks.
Page 25
25
Software acceptance and maintenance ...
LvR/VU
OCT/2002
SOFTWARE ACCEPTANCE AND MAINTENANCE (cont.)
• The department Change/Problem Management (Mr. J. Tulip) verifies
for each new program product and application the existence of an
approved business justification and sufficient documentation
• All installation activities at Level I and III are subject to the change
management process (see flowchart below)
• All first-line managers of Technical Support and Operations meet daily
at 13:00 to discuss all open change requests (Change Advisory Board)
• Mr. Tulip guards the process and reports all deviations and potential
conflicts to the Change Advisory Board
• If there is any risk for continuity or the quality of the services, the
committee may reject or postpone a change
• Note: Level II and TEST environments under PR/SM are explicitly
excluded from the process due to their exploratory function
Technical audit of OS/390: Case local modifications
26
Attention items are:
• The process does not pay any attention to security and internal control. The
decisions are taken by people managers, who are not skilled as EDP auditors.
They only focus on the aspects continuity and quality.
Page 26
26
LvR/VU
OCT/2002
Change management
CHANGE RECORDS
• Each change request is logged as a record in the INFO/MAN data base
(see flowchart below)
• This record is updated at each event related to the change (such as a
decision by the Change Advisory Board, a test, a promote, a restore etc.)
• After completion of the change or after a restore, the record is closed
(note: a restore has to result in a new change request)
• Three months after closing, the records are scratched
Technical audit of OS/390: Case local modifications
27
Attention items are:
• Storing the change records during three months is too short. This must be at least
one year.
Page 27
27
LvR/VU
OCT/2002
Change management ...
REQUEST FOR CHANGE (RFC)
PREPARATION:
- assess risk and impact
- open change record in INFO/MAN
VERIFICATION: Change Advisory Board (CAB)
DECISION: CAB
ASSIGN A DATE
FEEDBACK: change record
REJECTED
APPROVED
FEEDBACK: change record
IMPLEMENTATION: backup and make change
EVALUATION:
- verify correct operation
- complete and close change record
SEVERE PROBLEM: RESTORE
OK: READY
Technical audit of OS/390: Case local modifications
28
Attention items are:
• There is no segregation of duties
• There is no verification of the impact on security and internal control
Page 28
28
LvR/VU
OCT/2002
Change management ...
CHANGE CATAGORIES INDICATING RISKS INVOLVED
Change Description
category
Examples
Warning time
(workdays)
E
Emergency
- system down
-
1
Impact on all users of system
- replace a CPU
- new version of OS
15
2
Impact on all users of a service
- new version of
application
5
3
Impact on some users
- reorganize data base
2
4
Minor change requiring an IPL
- configuration change
2
5
Minor change
- change a network
definition
1
Technical audit of OS/390: Case local modifications
29
Attention items are:
• What is the process of reporting (after the fact) what happened during the
emergency changes?
• Who authorizes emergency changes? Is this process documented and approved
by higher management?
Page 29
29
LvR/VU
OCT/2002
Changes in practice
CHANGES IN PRACTICE
• You interview Mr. J. van Klokkert, manager of Technical Support, and
ask: who tests, accepts and installs new applications?
• His answer is:
– We always adhere to the process
– However, because I have only a limited number of skilled experts in
my team, we use at Level II staff of System Analysis and Application
Programming to do the actual testing
– Usually they are the ones who developed the code at Level III; they
send it to Level II via the mailbox and receive it there to install it in
the test libraries (via SMP) and to test it
– After testing, my systems programmers are informed that they can
allocate the new production libraries at Level I and may copy the
software to Level I
– Local modifications: ditto
Technical audit of OS/390: Case local modifications
30
Attention items are:
• There is no segraration of duties. The persons developing the code (external
hires?) also do the acceptance tests at Level II. So the same people work at both
sides of the border between the levels II and III. This undermines the entire
concept of distinct security levels.
Page 30
30
LvR/VU
OCT/2002
Changes in practice ...
CHANGES IN PRACTICE (cont.)
• You interview Mr. X. Ling, manager Operations and responsible for change
management, and ask: if application programmers may work at Level II, is
that a security exposure?
• His answer is:
– In the past, we granted SPECIAL to all userids at Level II. After a
slashing report by an EDP-auditor, we defined new rules
– Now, only 3 userids of System Entry and two team leaders of System
Programming have SPECIAL
– All other users have individual userids with UAUDIT, all RACF logging
options have been switched on, and both the SMF log and the SMP log
are stored on tape cartridges for five years
– Activities requiring SPECIAL may be prepared by individual users, but
have to be approved and executed by one of the two team leaders
– It is no longer allowed to lend a userid to a colleague: we demand
individual accountability
Technical audit of OS/390: Case local modifications
31
Attention items are:
• This is a major improvement with regard to the use of highly authorized RACF
attributes. Nevertheless, there is still no separation of duties (see also the
previous foil).
• All users have access to the System Modification Program (SMP) and can so
insert changes in the operating system software for all systems. Nobody can
verify this.
Page 31
31