Checklist for MVS setup

Use the following checklist to ensure that you complete all the tasks required to set up MVS™ for multilevel security:

• Set the DEFAULT statement in the CONSOLxx member of SYS1.PARMLIB to LOGON(REQUIRED), to specify that operators must log on.
• Create a RACF® user profile for each console operator. Assign a default security label of SYSHIGH to each console operator, and permit each operator to the SYSHIGH security label in the SECLABEL class.
• Create a profile in the CONSOLE RACF resource class for each MCS and SMCS console, specifying the SYSHIGH security label and UACC(NONE). Update the access control lists for the profiles to control which operators can log on to particular consoles.
• Create a profile in the OPERCMDS class for each EMCS console, of the form MVS.MCSOPER.console-name, and assign the profile a security label of SYSHIGH.
• Create a profile in the OPERCMDS class of the form MVS.MCSOPER.** to prevent the use of EMCS console names that you have not defined:

  RDEFINE OPERCMDS MVS.MCSOPER.** UACC(NONE) SECLABEL(SYSHIGH)

• Create RACF profiles in the OPERCMDS resource class for MVS operator commands, and update the access control lists to identify users authorized to issue the commands.
• Update the program properties table (PPT) to specify the PASS option for each entry.
• Specify NOBUFFS(HALT) and LASTDS(HALT) in the SFMPRMxx member of SYS1.PARMLIB.
• Create RACF profiles in the DEVICES resource class to allow only programs in the trusted computing base to allocate unit record, communication, and graphic devices, and activate the DEVICES class.
• If you are using LLA, create a generic profile in the FACILITY class to protect all LLA-managed data sets. Give operators allowed to revise the LNKLST and other LLA-managed data sets at least UPDATE access to the profile.
• Create RACF profiles in the DATASET resource class to protect system data sets that can be accessed by all users. Specify a security label of SYSLOW and a UACC of READ. These data sets include:
  • SYS1.LINKLIB
  • SYS1.IMAGELIB
  • SYS1.PROCLIB
• Create RACF profiles in the DATASET resource class to protect system data sets that only certain users need to access. Specify a security label of SYSLOW and a UACC of NONE. Update the access control lists to give users who need access the appropriate authority. Theses data sets include:
  • SYS1.PARMLIB
  • SYS1.VTAMLST
• Create RACF profiles in the DATASET resource class to protect system data sets that contain multiple levels of data. Specify a security label of SYSHIGH and a UACC of NONE. Update the access control lists to give users who need access the appropriate authority. Theses data sets include:
  • Log data sets
  • SYS1.dump data sets (user dump data sets should have the security label of the user)
  • Trace data sets
  • SMF data sets
  • Page and swap data sets
  • Spool data sets
  • Dump analysis and elimination (DAE) data sets
  • Spool offload and dump job data sets
  • JES checkpoint data sets
  • PSF security libraries (overlay, font, page segment, security definitions)
  • XCF couple data sets
  • SMS configuration data sets (CDS)
• Assign all catalogs a security label of SYSNONE.
• Protect APF-authorized libraries. Ensure that you have profiles in the RACF FACILITY class protecting the following resources:
  • CSVAPF.libname
  • CSVAPF.MVS.SETPROG.FORMAT.STATIC
  • CSVAPF.MVS.SETPROG.FORMAT.DYNAMIC
• Protect the dynamic exits facility. Ensure that you have profiles in the RACF FACILITY class protecting the following resources:
  • CSVDYNEX.exitname.DEFINE
  • CSVDYNEX.exitname.modname
  • CSVDYNEX.exitname.UNDEFINE
  • CSVDYNEX.exitname.ATTRIB
  • CSVDYNEX.LIST
  • CSVDYNEX.exitname.CALL
  • CSVDYNEX.exitname.RECOVER
• Protect global resource serialization services:
  • Create a profile in the FACILITY class to protect GQSCAN and ISGQUERY:

    RDEFINE FACILITY ISG.QSCANSERVICES.AUTHORIZATION UACC(NONE)

    If any unauthorized callers need to issue the protected requests, give them READ access to the profile. If the FACILITY class is active and RACLISTed, refresh the in-storage profiles:

    SETROPTS RACLIST(FACILITY) REFRESH

    If the FACILITY class is not active or RACLISTed, make sure that you activate and RACLIST it before you activate the MLACTIVE option.
  • Protect the ENQ/RESERVE/DEQ monitor by using the RACF PROGRAM class to protect the program ISGAUDIT in the library SYS1.LINKLIB.
• Check job control language (JCL)
  • Ensure that all JOB statements specify a user ID.
  • Add the SECLABEL keyword to JOB statements to specify the security label at which the job executes. If the SECLABEL keyword is not specified, the job uses the user's default security label.
• Remove any installation-written exit routines or modifications that you have added to your system.
• Create profiles to protect the BLSACTV.ADDRSPAC and BLSACTV.SYSTEM resources in the FACILITY class, specifying UACC(NONE) and SECLABEL(SYSHIGH). Ensure that only highly trusted users are on the access list.
• Do not allow an operator to place the system console in problem determination mode. Use the RACF OPERCMDS resource class to disable the VARY CN command with the ACTIVATE option.
• Use RACF program control to disable APPC/MVS programs.

  RDEFINE PROGRAM ATB* ADDMEM('SYS1.MIGLIB' 'SYS1.LINKLIB') UACC(NONE)
  RDEFINE PROGRAM ASB* ADDMEM('SYS1.MIGLIB' 'SYS1.LINKLIB') UACC(NONE)
  SETROPTS WHEN(PROGRAM) REFRESH