z/OS Open Cryptographic Services Facility Application Programming


Program Control

SC24-5899-01

Program control is the concept of having "trusted" applications. Installations can define libraries to RACF where these trusted applications will reside. When program control is active on a system (it is activated by means of the SETROPTS WHEN(PROGRAM) command), a process is marked "dirty" if it attempts to load a program from a library that is not trusted. z/OS UNIX System Services also has the concept of trusted applications. In the UNIX file system, executable files may be tagged with the program-controlled extended attribute. If a user issues a shell command, or runs a program, that does not have the program-controlled extended attribute, the process becomes dirty. In either case the process is never "cleaned": the dirty bit remains on, and certain services fail as a result. Refer to the z/OS Security Server RACF Security Administrator’s Guide for more information on Program Control.

Program Control in RACF

The purpose of protecting load modules is to provide installations with the ability to control who can execute what programs and to treat those programs as assets. You protect individual load modules (programs) by creating a profile for the program in the PROGRAM general resource class. A program protected by a profile in the PROGRAM class is called a controlled program. OCSF services utilize other elements of z/OS. If RACF Program Control is activated, these program libraries must also be program controlled:

  • C/C++ Runtime Libraries
  • Language Environment libraries
  • ICSF libraries (if ICSF is used)
  • System SSL

For example, if you have a program called MYLOADLIB residing in the load library SYS1.XYZ, you would issue this RACF command to make it program controlled (RDEFINE is the RACF command that creates a new PROGRAM profile):

RDEFINE PROGRAM MYLOADLIB ADDMEM('SYS1.XYZ') UACC(READ)

If a PROGRAM profile already exists but the dataset has not yet been added to it as a program-controlled member, issue this command instead (shown here for the * profile; substitute your dataset name):

RALTER PROGRAM * ADDMEM('dataset.name') UACC(READ)

Then activate program control, or refresh the in-storage PROGRAM profiles if it is already active, by issuing this RACF command:

SETROPTS WHEN(PROGRAM) REFRESH

Refer to the z/OS Security Server RACF Security Administrator’s Guide, SC28-1915, for more information on Program Control.

HFS Program Control

You can mark programs and dynamically-loaded libraries (DLLs) in the UNIX file system as controlled (trusted) by turning on the program-controlled extended attribute for the HFS file containing the program or DLL. To turn this extended attribute on, issue:

extattr +p filename

You can check whether a file has the program-controlled extended attribute by using the UNIX shell ls command with the -E option. This example shows using ls -E to verify that the program-controlled attribute is set for one of the OCSF DLLs:

$ cd /usr/lpp/ocsf/lib
$ ls -E cssm32.dll
-rwxr-xr-x aps 2 ROOT   SYS1    737280 Nov 3 22:07 cssm32.dll

The "p" flag in the second column of the ls command output indicates that this file does have the program-controlled extended attribute.
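As an added example (not part of the IBM manual), the following POSIX shell function parses ls -E listings of the kind shown above and reports executables whose extended-attribute column lacks the "p" flag, which is the check an administrator would run over a directory such as /usr/lpp/ocsf/lib before enabling program control. The listing embedded in it is constructed sample text, and every file name in it other than cssm32.dll is hypothetical.

```shell
#!/bin/sh
# Audit z/OS 'ls -E' output for executables missing the program-controlled
# extended attribute (the "p" in the second column).

# Constructed sample listing in 'ls -E' format; not captured from a real system.
# cssm32.dll carries "p"; notrusted.dll (hypothetical) does not; README is not
# executable and is therefore ignored by the audit.
SAMPLE_LISTING='-rwxr-xr-x  aps  2 ROOT   SYS1    737280 Nov  3 22:07 cssm32.dll
-rwxr-xr-x  a-s  2 ROOT   SYS1     40960 Nov  3 22:07 notrusted.dll
-rw-r--r--  ---  1 ROOT   SYS1      1024 Nov  3 22:07 README'

# find_untrusted LISTING
# Prints, one per line, the names of regular executable files (mode starts with
# "-" and contains an x bit) whose extended-attribute field has no "p".
# Returns 1 if at least one such file was found, 0 if every executable is trusted.
find_untrusted() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^-/ && $1 ~ /x/ {
            if (index($2, "p") == 0) { print $NF; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Demo against the constructed sample: expected to list notrusted.dll.
# On a real system you would run: find_untrusted "$(ls -E /usr/lpp/ocsf/lib)"
find_untrusted "$SAMPLE_LISTING" || echo "untrusted executables found; fix with: extattr +p <file>"
```

A file that shows up in this report will dirty any process that loads it once SETROPTS WHEN(PROGRAM) is active, so the list is the set of files that still need extattr +p.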

Copyright IBM Corporation 1990, 2014