Provide security product access to Netstat command

You can control access to the Netstat command by using the security product resources defined in the following table. Define these new security product resource names in the SERVAUTH class to control users' access to the TSO NETSTAT or UNIX shell netstat command options. See the sample EZARACF member for examples of the security product commands used to create the resource names. If the SERVAUTH class is not active, or if the security product resource name is not defined, access to the Netstat command is not restricted.
Note: Take care with applications that might be invoking Netstat under the covers. If the Netstat security resource names are defined, the user IDs associated with applications invoking Netstat under the covers need to be permitted for READ access to the resource names.
Resource names in SERVAUTH class            Netstat options
EZB.NETSTAT.mvsname.tcpprocname.*           All Netstat options
EZB.NETSTAT.mvsname.tcpprocname.ALL         ALL / -A
EZB.NETSTAT.mvsname.tcpprocname.ALLCONN     ALLCONN / -a
EZB.NETSTAT.mvsname.tcpprocname.ARP         ARP / -R
EZB.NETSTAT.mvsname.tcpprocname.BYTEINFO    BYTEINFO / -b
EZB.NETSTAT.mvsname.tcpprocname.CACHINFO    CACHINFO / -C
EZB.NETSTAT.mvsname.tcpprocname.CLIENTS     CLIENTS / -e
EZB.NETSTAT.mvsname.tcpprocname.CONFIG      CONFIG / -f
EZB.NETSTAT.mvsname.tcpprocname.CONN        CONN / -c
EZB.NETSTAT.mvsname.tcpprocname.DEFADDRT    DEFADDRT / -l
EZB.NETSTAT.mvsname.tcpprocname.DEVLINKS    DEVLINKS / -d
EZB.NETSTAT.mvsname.tcpprocname.GATE        GATE / -g
EZB.NETSTAT.mvsname.tcpprocname.HOME        HOME / -h
EZB.NETSTAT.mvsname.tcpprocname.IDS         IDS / -k
EZB.NETSTAT.mvsname.tcpprocname.ND          ND / -n
EZB.NETSTAT.mvsname.tcpprocname.PORTLIST    PORTLIST / -o
EZB.NETSTAT.mvsname.tcpprocname.RESCACHE    RESCACHE / -q
EZB.NETSTAT.mvsname.tcpprocname.ROUTE       ROUTE / -r
EZB.NETSTAT.mvsname.tcpprocname.SLAP        SLAP / -j
EZB.NETSTAT.mvsname.tcpprocname.SOCKETS     SOCKETS / -s
EZB.NETSTAT.mvsname.tcpprocname.SRCIP       SRCIP / -J
EZB.NETSTAT.mvsname.tcpprocname.STATS       STATS / -S
EZB.NETSTAT.mvsname.tcpprocname.TELNET      TELNET / -t
EZB.NETSTAT.mvsname.tcpprocname.TTLS        TTLS / -x
EZB.NETSTAT.mvsname.tcpprocname.UP          UP / -u
EZB.NETSTAT.mvsname.tcpprocname.VCRT        VCRT / -V
EZB.NETSTAT.mvsname.tcpprocname.VDPT        VDPT / -O
EZB.NETSTAT.mvsname.tcpprocname.VIPADCFG    VIPADCFG / -F
EZB.NETSTAT.mvsname.tcpprocname.VIPADYN     VIPADYN / -v

You can use the control statements in the sample JCL job provided in SEZAINST(EZARACF) to define these authorizations.

  • If this is the first SERVAUTH class profile that your installation is using, activate the SERVAUTH class using the following commands:
       SETROPTS CLASSACT(SERVAUTH)
       SETROPTS RACLIST(SERVAUTH)   
  • Example 1: To permit USER2 access to the Netstat CONN/-c option for TCP/IP stack TCP1 on system MVSA, you could use the following definitions:
       RDEFINE SERVAUTH (EZB.NETSTAT.MVSA.TCP1.CONN) UACC(NONE)
       PERMIT (EZB.NETSTAT.MVSA.TCP1.CONN) ACCESS(READ) CLASS(SERVAUTH) ID(USER2)  
  • Example 2: To permit USER4 access to all of the Netstat options, you could use the following definitions:
       SETROPTS GENERIC(SERVAUTH)
       RDEFINE SERVAUTH (EZB.NETSTAT.MVSA.TCP1.*) UACC(NONE)
       PERMIT (EZB.NETSTAT.MVSA.TCP1.*) ACCESS(READ) CLASS(SERVAUTH) ID(USER4)
       SETROPTS GENERIC(SERVAUTH) REFRESH   
  • Refresh the RACLIST:
       SETROPTS RACLIST(SERVAUTH) REFRESH
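
The following added example (not part of the EZARACF sample or of the original page) combines Examples 1 and 2 with the note about applications that invoke Netstat under the covers. NETADM (an administrator) and MONAPP (the user ID of an application that issues Netstat CONN) are assumed names; MVSA and TCP1 are reused from the examples above. Because RACF checks only the most specific profile that matches a resource and does not merge access lists, NETADM must also be permitted to the CONN profile.

```tso
SETROPTS GENERIC(SERVAUTH)

RDEFINE SERVAUTH (EZB.NETSTAT.MVSA.TCP1.*) UACC(NONE)     /* all options, default deny  */
PERMIT (EZB.NETSTAT.MVSA.TCP1.*) ACCESS(READ) +
       CLASS(SERVAUTH) ID(NETADM)                         /* NETADM: assumed admin ID   */

RDEFINE SERVAUTH (EZB.NETSTAT.MVSA.TCP1.CONN) UACC(NONE)  /* overrides .* for CONN / -c */
PERMIT (EZB.NETSTAT.MVSA.TCP1.CONN) ACCESS(READ) +
       CLASS(SERVAUTH) ID(MONAPP)                         /* MONAPP: assumed app ID     */
PERMIT (EZB.NETSTAT.MVSA.TCP1.CONN) ACCESS(READ) +
       CLASS(SERVAUTH) ID(NETADM)                         /* admin needs this list too  */

SETROPTS GENERIC(SERVAUTH) REFRESH
SETROPTS RACLIST(SERVAUTH) REFRESH

RLIST SERVAUTH (EZB.NETSTAT.MVSA.TCP1.CONN) AUTHUSER      /* review both access lists   */
RLIST SERVAUTH (EZB.NETSTAT.MVSA.TCP1.*) AUTHUSER
```

With these profiles, MONAPP can use only the CONN / -c option; every other option is covered by the generic profile, where only NETADM has READ access.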