DFSMSdfp
DFSMSdfp controls storage on DASD and tape volumes for the system. DFSMSdfp communicates information between the processor and the storage devices to provide data, device, program, and storage management activities.
Support for MLS
The following is supported when MLS is active on a CA Top Secret system:
- Control access to data on DASD
- Control access to data on tape
- Control access to temporary data sets
- Protect catalogs
- Protect the DFSMSdfp subsystem
Restrictions
The following restrictions apply when MLS is active on a CA Top Secret system:
- DASDVOL class: Do not activate the DASDVOL class. Users with DASDVOL authority to a volume can access its data sets without being restricted by DAC rules. DASDVOL authority is necessary when using the AMASPZAP service aid to modify a Volume Table of Contents (VTOC) on a disk pack. This operation takes the system out of an MLS configuration, and should be done only under controlled conditions, and with only trusted users on the system.
- CVOLs and VSAM catalogs: Do not use CVOLs or VSAM catalogs. Only Integrated Catalog Facility (ICF) catalogs should be used in an MLS system. The following steps prevent the use of CVOLs and VSAM catalogs:
  - Write DAC access rules to allow only authorized users write access to the master catalog. This prevents unauthorized users from using the IMPORT CONNECT command to connect VSAM catalogs to the master catalog, or from using the DEFINE ALIAS command to connect CVOLs to the master catalog.
  - When defining new user catalogs with the DEFINE USERCATALOG command, be sure to specify the ICFCATALOG keyword.
  - Do not use the DEFINE ALIAS command to connect CVOLs to the master catalog. When connecting user catalogs to the master catalog with the IMPORT CONNECT command, make sure the catalogs are ICF catalogs. (The LISTCAT command will tell you.)
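The catalog steps above can be checked mechanically before an IDCAMS job is submitted. The following is an added example, not part of the product documentation: it scans IDCAMS control statements for a DEFINE USERCATALOG without ICFCATALOG, a DEFINE ALIAS related to a CVOL, and any IMPORT CONNECT that still needs a LISTCAT check. It assumes keywords are spelled out in full and that CVOL entries are named SYSCTLG.Vvolser; all catalog names and volume serials in the sample are constructed.

```python
import re

# Constructed IDCAMS SYSIN for illustration; names and volsers are made up.
SAMPLE_SYSIN = """\
  DEFINE USERCATALOG (NAME(UCAT.PROD01) -
         ICFCATALOG VOLUME(PRD001) CYLINDERS(10 5))
  DEFINE USERCATALOG (NAME(UCAT.TEST01) -
         VOLUME(TST001) CYLINDERS(5 1))
  DEFINE ALIAS (NAME(OLDAPP) RELATE(SYSCTLG.VOLD001))
  DEFINE ALIAS (NAME(PAYROLL) RELATE(UCAT.PROD01))
  IMPORT CONNECT OBJECTS((UCAT.ARCH01 DEVICETYPE(3390) VOLUMES(ARC001)))
"""

def join_continuations(text):
    """Merge IDCAMS lines ending in '-' (continuation) into single commands."""
    commands, current = [], ""
    for line in text.splitlines():
        line = line[:72].strip()            # columns 73-80 are not command text
        if not line or line.startswith("/*"):
            continue                        # skip blank and comment-only lines
        if line.endswith("-"):
            current += line[:-1].rstrip() + " "
        else:
            commands.append((current + line).upper())
            current = ""
    if current:                             # dangling continuation at end of input
        commands.append(current.strip().upper())
    return commands

def lint(text):
    """Return (finding, object-name) pairs for statements that need review."""
    findings = []
    for cmd in join_continuations(text):
        words = re.findall(r"[A-Z0-9.$#@]+", cmd)
        name = re.search(r"\bNAME\(\s*([^)\s]+)", cmd)
        if words[:2] == ["DEFINE", "USERCATALOG"]:
            if "ICFCATALOG" not in words:   # keyword the page says to specify
                findings.append(("NO-ICFCATALOG", name.group(1) if name else "?"))
        elif words[:2] == ["DEFINE", "ALIAS"]:
            target = re.search(r"\bRELATE\(\s*([^)\s]+)", cmd)
            if target and target.group(1).startswith("SYSCTLG."):  # assumed CVOL name
                findings.append(("CVOL-ALIAS", target.group(1)))
        elif words[:2] == ["IMPORT", "CONNECT"]:
            obj = re.search(r"OBJECTS\(\s*\(\s*([^\s()]+)", cmd)
            findings.append(("VERIFY-ICF", obj.group(1) if obj else "?"))
    return findings

if __name__ == "__main__":
    for finding, obj in lint(SAMPLE_SYSIN):
        print(f"{finding:14} {obj}")
```

A VERIFY-ICF finding is a reminder rather than a violation: the IMPORT CONNECT statement does not show the catalog type, so the named catalog still has to be checked with LISTCAT.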
Configuration Checklist
This checklist describes the software configuration requirements when MLS is active on a CA Top Secret system.
Requirement
- Control access to data on DASD
- Control access to data on tape
- Control access to temporary data sets
- Protect ICF catalogs
  - Assign security label to catalogs
  - Write access rules to control access
  - Activate name-hiding (optional)
- Protect the DFSMS subsystem
Controlling Access to Data on DASD
In an MLS system, data stored on DASD devices is secured by protection provided by MLS resource records.
Controlling Access to Data on Tape
In an MLS system, data stored on tape is secured by protection provided by MLS resource records.
Controlling Access to Temporary Data Sets
In an MLS system, access restrictions apply to temporary data sets. A temporary data set is a special data set created and deleted in the same job. Unlike an ordinary (non-temporary) data set, it is not cataloged and has a system-generated name. Only the job that creates a temporary data set can access it for read, write or scratch purposes. In an MLS system, temporary data sets must be protected from unauthorized access and disclosure. The security administrator must do the following:
- Define procedures for processing temporary data sets
- If necessary, write access rules to control access
A job can always access its own temporary data sets, and in general, other jobs cannot. When a job ends, its temporary data sets are automatically deleted by the system. However, there are some cases where data sets may not be deleted:
- System failure
- Initiator failure or initiator termination by the FORCE command
- Automatic restart
If access to temporary data sets were restricted to just the creating job, these leftover data sets would never be deleted, and would stay around forever, taking up valuable space. To prevent this, it is necessary to allow selected authorized users access to these data sets, so they can be deleted. For this reason, users with the NODSNCHK attribute in their ACIDs can access temporary data sets that they did not create. A logging record is created for each access.
Protecting Integrated Catalog Facility Catalogs
In an MLS system, a site should protect its ICF catalogs using MAC and DAC mechanisms.
Assigning Security Labels to Catalogs
When write-down is protected on an MLS system, a security administrator should assign the security label SYSNONE to all ICF catalogs. This enables a user logged on with any security label to access the catalog based on the DAC access rules.
Access Rules for Catalogs
A security administrator must write access rules to control access to the catalogs. The security administrator must write access rules for the master catalog and the user catalogs. All system users should be given read access to the master catalog and only a limited number of users should be allowed to write to the master catalog. Below are sample commands:
TSS PER(ALL) DSN(CATALOG.MASTER) ACCESS(READ)
TSS PER(SYSADM) DSN(CATALOG.MASTER) ACCESS(UPDATE)