CA Auditor is an optional component of an MLS configuration.
CA Auditor can help you determine whether your z/OS system is properly configured and identify possible integrity exposures on your system.
Do not make CA Auditor APF authorized. CA Auditor is not intended to be marked APF authorized in an MLS configuration. It does not install authorized, and must not be made authorized after the fact.
This checklist describes the software configuration requirements when MLS is active on a CA Top Secret system.
- Protect CA Auditor libraries
- Use CA Auditor to verify proper configuration
CA Auditor requires the services of ISPF/PDF; therefore, if CA Auditor is installed, you must install ISPF/PDF.
Protecting CA Auditor Libraries
Users typically concatenate their own ISPF/PDF CLIST, panel, skeleton, and message libraries to tailor the way ISPF/PDF works to meet their needs. In most cases, this is perfectly acceptable in an MLS configuration. There is, however, one case when it is not acceptable. This is when a security administrator is using CA Auditor to verify the proper configuration of the system. In this case, the ISPF/PDF libraries, CA Auditor libraries, and CA Top Secret ISPF libraries must be concatenated in front of any user libraries.
The following example shows how the JCL for this concatenation would look in a TSO LOGON procedure:
//ISPPLIB  DD DSN=ISP.V3R5M0.ISPPENU,DISP=SHR      ISPF panels
//         DD DSN=ISP.V3R5M0.ISRPENU,DISP=SHR      PDF panels
//         DD DSN=CAI.CAISPP,DISP=SHR              <TSS> panels
//         DD ...                                  User panels
//*
//ISPMLIB  DD DSN=ISP.V3R5M0.ISPMENU,DISP=SHR      ISPF messages
//         DD DSN=ISR.V3R5M0.ISRMENU,DISP=SHR      PDF messages
//         DD DSN=CAI.CAISPM,DISP=SHR              <TSS> messages
//         DD DSN=CAI.AUDITOR.MESSAGES,DISP=SHR    CA Auditor messages
//         DD ...                                  User messages
//*
//ISPSLIB  DD DSN=ISP.V3R5M0.ISPSENU,DISP=SHR      ISPF skeletons
//         DD DSN=ISR.V3R5M0.ISRSENU,DISP=SHR      PDF skeletons
//         DD DSN=CAI.CAISPS,DISP=SHR              <TSS> skeletons
//         DD ...                                  User skeletons
//*
//ISPTLIB  DD DSN=ISP.V3R5M0.ISPTENU,DISP=SHR      ISPF tables
//         DD DSN=ISP.V3R5M0.ISRTENU,DISP=SHR      PDF tables
//         DD DSN=CAI.AUDITOR.TABLES,DISP=SHR      CA Auditor tables
//         DD ...                                  User tables
//*
//SYSPROC  DD DSN=ISR.V3R5M0.ISRCLIB,DISP=SHR      PDF CLISTs
//         DD DSN=CAI.CAICLIB,DISP=SHR             <TSS> CLISTs
//         DD DSN=CAI.AUDITOR.CLIST,DISP=SHR       CA Auditor CLISTs
//         DD ...                                  User CLISTs
//*
These libraries must be protected with CA Top Secret access rules so only system maintenance personnel can update them. In an MLS system, if the option to require security labels is activated, they should be labeled "SYSLOW" so they are accessible to all users.
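The concatenation order required above can be checked mechanically. The following Python check is an added example, not part of the CA documentation: it parses a logon procedure and reports any ISPF or SYSPROC concatenation in which a user library is searched ahead of a system library. The trusted qualifiers (ISP, ISR, CAI) are taken from the sample JCL; the procedure name AUDPROC and the USER01 data sets are constructed.

```python
import re

# Assumption: system libraries are identified by the HLQs in the page's sample JCL.
TRUSTED_HLQS = ("ISP.", "ISR.", "CAI.")
CHECKED_DDS = {"ISPPLIB", "ISPMLIB", "ISPSLIB", "ISPTLIB", "SYSPROC"}
DD_RE = re.compile(r"//([^*\s]\S*)?\s+DD\s+(\S+)")
DSN_RE = re.compile(r"(?:DSN|DSNAME)=([^,\s]+)")

def parse_concatenations(jcl):
    """Map each ddname to its data sets in search order."""
    concat, current = {}, None
    for line in jcl.splitlines():
        m = DD_RE.match(line[:71])          # columns 72-80 hold no operands
        if m and m.group(1):                # a named DD starts a new concatenation
            current = m.group(1)
            concat[current] = []
        elif not m and re.match(r"//[^*\s]", line):
            current = None                  # a named non-DD statement ends it
        dsn = DSN_RE.search(m.group(2)) if m else None
        if current and dsn:
            concat[current].append(dsn.group(1))
    return concat

def misordered(jcl):
    """Return (ddname, user_dsn, system_dsn) where a user library is searched first."""
    findings = []
    for dd, dsns in parse_concatenations(jcl).items():
        first_user = None
        for dsn in dsns if dd in CHECKED_DDS else []:
            if not dsn.startswith(TRUSTED_HLQS):
                first_user = first_user or dsn
            elif first_user:
                findings.append((dd, first_user, dsn))
    return findings

# Constructed sample: a hypothetical logon procedure with one bad concatenation.
SAMPLE_PROC = """\
//AUDPROC  EXEC PGM=IKJEFT01,DYNAMNBR=50
//ISPPLIB  DD DSN=ISP.V3R5M0.ISPPENU,DISP=SHR
//         DD DSN=USER01.ISPF.PANELS,DISP=SHR
//* SYSPROC puts a user CLIST library ahead of the system ones
//SYSPROC  DD DSN=USER01.CLIST,DISP=SHR
//         DD DSN=ISR.V3R5M0.ISRCLIB,DISP=SHR
//         DD DSN=CAI.AUDITOR.CLIST,DISP=SHR
"""

if __name__ == "__main__":
    for dd, user_dsn, system_dsn in misordered(SAMPLE_PROC):
        print(f"{dd}: {user_dsn} is searched before {system_dsn}")
```

An empty result means every checked concatenation lists its system libraries first; it does not verify that the libraries themselves are protected by access rules.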
Using CA Auditor to Verify Proper Configuration
CA Auditor can help you determine if your z/OS system is properly configured. It shows you various facets of z/OS by way of interactive, easy-to-read screens. Its batch facility makes it possible to save scripts of examinations, and run them periodically as batch jobs to ensure that the configuration has not changed. The following list details examples of what CA Auditor can display:
- The SVC Analysis option can show if you have any user SVCs, which are forbidden in an MLS system configuration.
- The Appendages option shows if you have any user I/O appendages, which are forbidden in a multilevel-secure system configuration.
- The PARMLIB display takes the work out of determining your system options, by displaying for each member a list of other members that it points to. Members can be selected from the list for browsing.
- The JES2 Options and SMF Options displays show you the options that are in effect for these subsystems.
- The APF library display shows you all your APF-authorized libraries. This makes it easy to ensure that they are properly protected by access rules.
- The operator console display shows how your consoles are configured.
- The Freezer option saves a checksum of selected libraries. It can be rerun periodically to ensure that system libraries have not been changed.
All these functions and many more are described in the CA Auditor documentation.