IBM Security Guardium S-TAP for z/OS security recommendations
The following security recommendations apply to S-TAP for Db2, IMS, and Data Sets.
- Using the system authorization facility (SAF), give the ID assigned to the S-TAP started tasks READ-only access to the S-TAP product load libraries.
- The ID assigned to the S-TAP started tasks should not be able to log on to TSO and should be designated for the exclusive use of the S-TAP started tasks.
- Ensure that the only TSO IDs with UPDATE access to the S-TAP product load libraries are those used to install the product and apply product maintenance.
- Security administrators need to work with systems programmers to ensure that the contents of APF/LINKLIST/LPA lists of program libraries are maintained correctly. Update access to these libraries must be defined for each library, independently of the RACF controls.
- Verify the source of all APF-authorized and system code that you install. If possible, get statements of assurance from the suppliers.
- Manage your APF lists with great care. Double-check entries. Do not leave dead entries in the list for simplicity or ease of use. Use a formal checker for the lists if possible.
- Do not grant READ access for any configuration libraries except to users with a defined business need.
- Strictly follow the documented UACC (universal access authority) values for system data sets.
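The following RACF command sequence is an added illustration of how the load-library, started-task ID and configuration-library recommendations above can be implemented; it is not part of the IBM documentation, and every name in it (STAPSTC, STCGRP, SYSPROG, STAP.PRODUCT.**, STAP.CONFIG.**) is a constructed placeholder to be replaced with your site's values. Comments use CLIST-style `/* */` syntax.

```tso
/* Added example, not IBM's own code. All user, group and data set    */
/* names are constructed placeholders; substitute your site's values.  */

/* 1. A dedicated, protected started-task ID: NOPASSWORD and NOOIDCARD */
/*    make it a protected user ID, and it gets no TSO segment, so it   */
/*    cannot log on to TSO and serves the started tasks only.          */
ADDGROUP STCGRP OWNER(SYS1) SUPGROUP(SYS1)
ADDUSER  STAPSTC NAME('GUARDIUM S-TAP STC') OWNER(SYS1) DFLTGRP(STCGRP) NOPASSWORD NOOIDCARD

/* 2. Associate the S-TAP started tasks with that ID through the       */
/*    STARTED class; one generic profile covers the started-task names */
/*    that share the STAPSTC prefix.                                   */
RDEFINE  STARTED STAPSTC.* STDATA(USER(STAPSTC) GROUP(STCGRP) TRUSTED(NO) PRIVILEGED(NO))
SETROPTS RACLIST(STARTED) REFRESH

/* 3. Product load libraries: UACC(NONE), READ only for the started-   */
/*    task ID, UPDATE only for the group that installs and maintains   */
/*    the product. Failed reads and successful updates are audited.    */
ADDSD    'STAP.PRODUCT.**' UACC(NONE) AUDIT(FAILURES(READ) SUCCESS(UPDATE))
PERMIT   'STAP.PRODUCT.**' ID(STAPSTC) ACCESS(READ)
PERMIT   'STAP.PRODUCT.**' ID(SYSPROG) ACCESS(UPDATE)

/* 4. Configuration libraries: no default READ; grant READ case by     */
/*    case to IDs with a defined business need.                        */
ADDSD    'STAP.CONFIG.**' UACC(NONE) AUDIT(ALL(READ))
PERMIT   'STAP.CONFIG.**' ID(STAPSTC) ACCESS(READ)
PERMIT   'STAP.CONFIG.**' ID(SYSPROG) ACCESS(UPDATE)
SETROPTS GENERIC(DATASET) REFRESH

/* 5. Verify the resulting profiles and access lists.                  */
LISTDSD  DATASET('STAP.PRODUCT.**') AUTHUSER
LISTDSD  DATASET('STAP.CONFIG.**') AUTHUSER
LISTUSER STAPSTC
```

The APF, LINKLIST and LPA recommendations are not expressed in RACF profiles; review the active lists with the operator commands `D PROG,APF` and `D PROG,LNKLST` and reconcile them against the data set profiles defined above.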
For details on security practices, see IBM Redbooks Solution Guide Securing the IBM Mainframe.