IBM Security Guardium S-TAP for z/OS security recommendations

The following security recommendations apply to S-TAP for Db2, IMS, and Data Sets.

  • Using the system authorization facility (SAF), give the ID assigned to the S-TAP started tasks READ-only access to the S-TAP product load libraries.
  • The ID assigned to the S-TAP started tasks should not be able to log on to TSO and should be designated for the exclusive use of the S-TAP started tasks.
  • Ensure that the only TSO IDs with UPDATE access to the S-TAP product load libraries are those used to install the product and apply product maintenance.
  • Security administrators need to work with systems programmers to ensure that the contents of APF/LINKLIST/LPA lists of program libraries are maintained correctly. Update access to these libraries must be defined for each library, independently of the RACF controls.
  • Verify the source of all APF-authorized and system code that you install. If possible, obtain statements of assurance from the suppliers.
  • Manage your APF lists with great care. Double-check entries. Do not leave dead entries in the list for simplicity or ease of use. Use a formal checker for the lists if possible.
  • Do not grant READ access for any configuration libraries except to users with a defined business need.
  • Strictly follow the documented UACC (universal access authority) values for system data sets.
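As an added example (not part of the S-TAP documentation or product), the following batch RACF job implements the started-task ID, load-library and configuration-library controls listed above. Every name in it (GDMSTAP, STCGRP, STAPINST, the ASTAP* procedure prefix, GUARD.STAP.LOAD, GUARD.STAP.CONFIG) is a hypothetical placeholder, and it assumes the STARTED class is active and RACLISTed and that generic data set profiles (SETROPTS GENERIC(DATASET)) are enabled.

```jcl
//STAPSEC  JOB (ACCT),'S-TAP SAF SETUP',CLASS=A,MSGCLASS=X,NOTIFY=&SYSUID
//* Added example, not shipped with S-TAP. Hypothetical names:
//*   GDMSTAP          - ID assigned to the S-TAP started tasks
//*   STCGRP           - default group for started-task IDs
//*   STAPINST         - group of TSO IDs that install/maintain S-TAP
//*   ASTAP*           - started-task procedure name prefix
//*   GUARD.STAP.LOAD  - product load library (generic profile)
//*   GUARD.STAP.CONFIG- product configuration library (generic profile)
//* Step 1: the STC ID is PROTECTED (NOPASSWORD NOOIDCARD), RESTRICTED
//*         (no access via UACC, ID(*) or global access checking) and
//*         has no TSO segment, so it cannot log on to TSO.
//* Step 2: map the S-TAP procedures to that ID; not TRUSTED/PRIVILEGED.
//* Step 3: load libraries UACC(NONE); STC ID gets READ, installers
//*         UPDATE; log every successful UPDATE and every failure.
//* Step 4: configuration library readable only by the STC ID and the
//*         installers (a defined business need); no UACC READ.
//RACF     EXEC PGM=IKJEFT01,DYNAMNBR=20
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 ADDGROUP STCGRP   OWNER(SYS1) SUPGROUP(SYS1)
 ADDGROUP STAPINST OWNER(SYS1) SUPGROUP(SYS1)
 ADDUSER  GDMSTAP NAME('GUARDIUM S-TAP STC') OWNER(SYS1) +
          DFLTGRP(STCGRP) NOPASSWORD NOOIDCARD RESTRICTED
 RDEFINE  STARTED ASTAP*.* OWNER(SYS1) +
          STDATA(USER(GDMSTAP) GROUP(STCGRP) TRUSTED(NO) PRIVILEGED(NO))
 SETROPTS RACLIST(STARTED) REFRESH
 ADDSD    'GUARD.STAP.LOAD' GENERIC UACC(NONE) OWNER(SYS1) +
          AUDIT(SUCCESS(UPDATE) FAILURES(READ))
 PERMIT   'GUARD.STAP.LOAD' GENERIC CLASS(DATASET) ID(GDMSTAP) +
          ACCESS(READ)
 PERMIT   'GUARD.STAP.LOAD' GENERIC CLASS(DATASET) ID(STAPINST) +
          ACCESS(UPDATE)
 ADDSD    'GUARD.STAP.CONFIG' GENERIC UACC(NONE) OWNER(SYS1) +
          AUDIT(SUCCESS(UPDATE) FAILURES(READ))
 PERMIT   'GUARD.STAP.CONFIG' GENERIC CLASS(DATASET) ID(GDMSTAP) +
          ACCESS(READ)
 PERMIT   'GUARD.STAP.CONFIG' GENERIC CLASS(DATASET) ID(STAPINST) +
          ACCESS(READ)
 SETROPTS GENERIC(DATASET) REFRESH
 LISTUSER GDMSTAP
 RLIST    STARTED ASTAP*.* STDATA
 LISTDSD  DATASET('GUARD.STAP.LOAD') GENERIC ALL
/*
```

The three LIST commands at the end print the resulting definitions so the security administrator can confirm that GDMSTAP shows PROTECTED and RESTRICTED with no TSO segment, that the STARTED profile maps to it, and that the load library's access list contains only READ for GDMSTAP and UPDATE for STAPINST.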

For details on security practices, see the IBM Redbooks Solution Guide Securing the IBM Mainframe.