Program control provides the following functions:
- Simple controls to restrict the ability to execute specified programs
by granting users either READ or NONE access through the PROGRAM class,
and (when necessary) READ access to the DATASET profile that protects
the load library that contains the program.
- More complex controls that can prevent users from copying sensitive
programs or viewing the contents of such programs by granting the
users either EXECUTE or NONE access through the PROGRAM class, or
(in some cases) EXECUTE to the DATASET profile that protects the library
that contains the program. Programs controlled in this way are referred
to as execute-controlled programs.
- Improved resistance to attacks by malicious users or programs
implementing malicious functions (such as Trojan horses) in a z/OS UNIX environment
when you define the BPX.DAEMON profile in the FACILITY class and require
that the program execution environments for UNIX daemons and servers remain clean.
- Program access to data sets (PADS) to allow users to have more
access to data sets than they would otherwise have while running specified
programs that provide restricted access to the data.
- Program access to SERVAUTH resources to allow access to IP addresses
only when executing certain programs.
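The five functions above translate into a handful of RACF commands. The following block is an added illustration and is not taken from the IBM documentation; the program names (PAYPROG, CRYPTPGM, NETPGM), library names (PROD.LOADLIB, PROD.SECLIB), data set PAY.MASTER, the SERVAUTH resource name, and the user and group IDs are all hypothetical.

```tso
/* Added example: one RACF command sequence per program control function.  */
/* All library, program, data set, user and group names are hypothetical.  */

/* 1. Simple control: only group PAYROLL may run PAYPROG; UACC(NONE)       */
/*    denies everyone else. '******' as the volser makes RACF locate the    */
/*    library through the catalog.                                          */
RDEFINE PROGRAM PAYPROG ADDMEM('PROD.LOADLIB'/'******'/NOPADCHK) UACC(NONE)
PERMIT PAYPROG CLASS(PROGRAM) ID(PAYROLL) ACCESS(READ)
/*    The users still need READ to the library to have it loaded.           */
PERMIT 'PROD.LOADLIB' CLASS(DATASET) ID(PAYROLL) ACCESS(READ)

/* 2. Execute-controlled program: EXECUTE lets APPUSER run CRYPTPGM but     */
/*    not copy or browse it; the library is likewise EXECUTE-only.          */
RDEFINE PROGRAM CRYPTPGM ADDMEM('PROD.SECLIB'/'******'/NOPADCHK) UACC(NONE)
PERMIT CRYPTPGM CLASS(PROGRAM) ID(APPUSER) ACCESS(EXECUTE)
PERMIT 'PROD.SECLIB' CLASS(DATASET) ID(APPUSER) ACCESS(EXECUTE)

/* 3. Clean daemon environments: define BPX.DAEMON and permit only the      */
/*    IDs that legitimately run daemons (here the hypothetical OMVSKERN).   */
RDEFINE FACILITY BPX.DAEMON UACC(NONE)
PERMIT BPX.DAEMON CLASS(FACILITY) ID(OMVSKERN) ACCESS(READ)
SETROPTS RACLIST(FACILITY) REFRESH

/* 4. PADS: PAYROLL gets UPDATE to PAY.MASTER only while PAYPROG is the     */
/*    running program; outside it the group's access stays at NONE.         */
ADDSD 'PAY.MASTER' UACC(NONE)
PERMIT 'PAY.MASTER' CLASS(DATASET) ID(PAYROLL) ACCESS(UPDATE) -
       WHEN(PROGRAM(PAYPROG))

/* 5. Program access to SERVAUTH: the network zone is reachable only from   */
/*    inside NETPGM (the EZB.NETACCESS resource name is an assumption).     */
RDEFINE PROGRAM NETPGM ADDMEM('PROD.LOADLIB'/'******'/NOPADCHK) UACC(NONE)
PERMIT NETPGM CLASS(PROGRAM) ID(NETUSER) ACCESS(READ)
PERMIT EZB.NETACCESS.SYSA.TCPIP.PAYZONE CLASS(SERVAUTH) ID(NETUSER) -
       ACCESS(READ) WHEN(PROGRAM(NETPGM))

/* Activate the changes and verify: refresh the in-storage program table    */
/* and list a profile, including its conditional access list.               */
SETROPTS WHEN(PROGRAM) REFRESH
RLIST PROGRAM PAYPROG ALL
RLIST DATASET 'PAY.MASTER' ALL
```

The `SETROPTS WHEN(PROGRAM) REFRESH` at the end matters: PROGRAM profiles are held in storage, so a new definition or PERMIT has no effect until the table is refreshed. The `RLIST ... ALL` output is the quickest way to confirm that a conditional (WHEN(PROGRAM)) entry landed where you expect.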
By defining programs in the PROGRAM class, you indicate that you
place some amount of trust in their behavior. Although the level of
trust can vary, these programs are trusted more than programs created
by general users of the system. An environment in which someone has
run a program not defined in the PROGRAM class is considered a dirty, unsafe,
or uncontrolled environment.
RACF® requires a clean environment
in functions 2 through 5 above because allowing use of those functions
in an uncontrolled environment would make it relatively simple for
malicious users with some specific knowledge to bypass the program-related
security controls and gain inappropriate access to the data.
Terms to know:
- When used in this discussion, an environment is one of the following:
  - TSO session
  - TSO command invoked by TSOEXEC or the IKJEFTSR service
  - Job step in a batch job, started procedure, or started job
  - UNIX address space
- A clean environment is one in which only programs defined
in the PROGRAM class have run.
- A program refers to a load module residing in a partitioned
data set (PDS) or a program object residing in a program library (PDS/E).
Restrictions:
- Programs that reside in the UNIX file system are excluded from this
discussion. Execution of programs in the UNIX file system is controlled
using UNIX security controls (as opposed to RACF PROGRAM profiles), and
programs resident in the UNIX file system cannot be used for PADS or
program access to SERVAUTH resources.
- RACF and z/OS® cannot protect programs written in the
TSO/E CLIST language, PERL, Java™,
or other interpreted languages.
- RACF and z/OS can protect programs written in REXX only if they
are compiled and link-edited as load modules or program objects.
In making use of program control, you must decide:
- Whether to operate in BASIC (default) or ENHANCED (more secure)
program security mode.
- Which programs to define in the PROGRAM class and how to define
them (which to some extent depends on the program security mode chosen).
- How to protect the libraries that contain the programs.
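The first decision, BASIC versus ENHANCED mode, changes how the programs in the second decision must be defined. The block below is an added illustration, not from the IBM documentation, of moving a system to ENHANCED mode in stages and marking the programs that ENHANCED mode requires to be identified; PAYPROG and the library name are hypothetical.

```tso
/* Added example: switching program security mode. Names are hypothetical.  */

/* Check the current mode before changing anything; the WHEN(PROGRAM)       */
/* line of the SETROPTS LIST output shows BASIC, ENHANCED or               */
/* ENHANCED-WARNING.                                                        */
SETROPTS LIST

/* In ENHANCED mode the first program of an environment that later uses     */
/* PADS or execute-control must be defined with APPLDATA('MAIN'); programs  */
/* that only need the BASIC-mode checks carry APPLDATA('BASIC').            */
RALTER PROGRAM PAYPROG APPLDATA('MAIN')
SETROPTS WHEN(PROGRAM) REFRESH

/* Step 1: ENHANCED-WARNING applies the stricter checks but only logs the   */
/* failures, so the definitions can be corrected without breaking work.     */
SETROPTS WHEN(PROGRAM(ENHANCED-WARNING))

/* Step 2: once the warnings have been worked off, enforce.                 */
SETROPTS WHEN(PROGRAM(ENHANCED))

/* Confirm the mode and the APPLDATA value that was set.                    */
SETROPTS LIST
RLIST PROGRAM PAYPROG ALL
```

Running in ENHANCED-WARNING first is the practical check: every access that ENHANCED mode would refuse is reported while still being allowed, which lets you find programs missing an APPLDATA('MAIN') or libraries that are not protected before enforcement.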
See Migrating from BASIC to ENHANCED program security mode for migration and other
planning considerations.