Time Sharing Option (TSO/E)

ctsfz
In an MLS CA Top Secret system, all users must log on to the system and undergo identification and authentication checks. CA Top Secret creates a security environment for each TSO/E user. The security label that is used to logon to TSO/E is maintained in a user's security environment and is used to make access decisions until the user logs off. CA Top Secret ensures that a user cannot alter his security label in any way while logged onto the system. To change his security label, a user must log off and log on again to TSO/E with a new label.
 
 
Support for MLS
The following is supported when MLS is active on an CA Top Secret system:
  • All users can be be identified and authenticated in the system with a acid and security label
  • All user logon attempts can be audited
  • All user messages can be protected
  • Sending and receiving data sets with the TRANSMIT and RECEIVE commands can be controlled based on security labels
  • Users can be restricted to using the CANCEL and OUTPUT commands only on jobs whose job names begin with their acids
Restrictions
The following restrictions apply when MLS is active on an CA Top Secret system:
  • Remove all user-written exits
  • Do not give any TSO/E user the OPERATOR privilege
  • Do not activate the Information Center Facility
Configuration Checklist
This checklist describes the software configuration requirements when MLS is active on an CA Top Secret system.
 
Requirement
 
Define an acid for the TSO started task
Define access rules for the TSO started task
Provide identification and authentication checks
Define a acid for each TSO/E user
Assign security labels to TSO/E users
Audit all logon attempts
Protect user messages
TSO/E SEND and LISTBC commands
Follow requirements for protecting message transmission
Modify IKJTSOxx member of SYS1.PARMLIB
Create resource rules for each user mail log
Label user mail logs SYSHIGH
Create an acid record for *LISTBC ID
Assign security label SYSLOW to SYSI1.BROADCAST
Control use of RECEIVE and TRANSMIT commands
Assign security labels to LOG.MISC data sets
Assign security labels to NAMES.TEXT data sets
Replace default IKJEFF53 exit
Provide an audit trail for SEND and LISTBC commands
Defining an Acid for the TSO Started Task
You must define a acid for the TSO started task. This acid must have the STC attribute. No other attributes need be specified.
Defining Access Rules for the TSO Started Task
When the TSO started task starts up, it reads initialization parameters from SYS1.PARMLIB. Because of this, it must be granted read access to the data set. Here is an example of a rule granting TSO read access to SYS1.PARMLIB:
$KEY(SYS1) PARMLIB UID(TSO) R(A)
Providing Identification and Authentication Checks
In an MLS system, all TSO/E users must undergo identification and authentication checks by CA Top Secret.
Defining a Logonid for Each TSO/E User
The security administrator must create a unique acid record for each TSO/E user. CA Top Secret stores the information in security file and retrieves it when a user attempts to log on to the system.
Assigning Security Labels to TSO/E Users
The security administrator should assign security labels to TSO/E users so that users can access the system and classified data and resources that they need to perform their work on the system.
In an MLS system, when a user logs on to a system, he may specify a security label. However, CA Top Secret will always default a security label for a user who does not supply a label. If a user does not specify a security label at logon on the full-screen panel, if there was a previous TSO/E session for the user, the security label from that session will be used. If there was no security label for the previous TSO/E session, CA Top Secret uses the security label from the terminal (an MLS resource record in the TERMINAL class), if there is one. If the terminal does not have a security label, CA Top Secret uses the default security label from the User's acid record, if one exists. If CA Top Secret cannot default a security label from any of these places, the user will be logged on with the SYSLOW security label.
Once CA Top Secret verifies that the user is authorized to use a security label, the security label is maintained in the user's address space and is used to make access decisions until the user logs off. CA Top Secret ensures that a user cannot alter his security label in any way while logged onto the system.
If a user wants to change his secu