Luigi Perrone, profile picture
Uploaded byLuigi Perrone
211 views

z/OS Authorized Code Scanner

The document discusses system integrity on z/OS, emphasizing the importance of safeguarding against unauthorized access and exposure through various controls such as the authorized programming facility (APF) and resource access control facility (RACF). It introduces the IBM Z/OS Authorized Code Scanner (ZACS), a tool designed to help clients identify potential vulnerabilities in their authorized code and improve their security posture. The document also details the process for running ZACS and interpreting its outputs to address vulnerabilities.

Embed presentation

Download to read offline
Luigi Perrone IBM Security – Executive IT Specialist Security & Audit for zSystem & enterprise Security Intelligence solution luigi_perrone@it.ibm.com https://www.linkedin.com/in/luigiperrone/
The matter of system integrity System Integrity the state of a system in terms of system functionalities without being degraded or compromised by changes or disruptions
System Integrity on Z/OS Protecting the system involves a number of tasks • Maintenance of system integrity • Use of the authorized programming facility • Use of the resource access control facility (RACF) • Changing system status • Protecting low storage. “There is no way for unauthorized programs to bypass store or fetch protection, password checking, RACF checking, or obtain control in an authorized state”
Potentially integrity exposures • User-supplied addresses for user storage areas. • User-supplied addresses for protected control blocks. • Resource identification • SVC routines calling SVC routines • Control program and user data accessibility • Resource serialization (for example, through locking) They are controlled by : APF, Storage Protection and Cross Memory Communication An installation should consider the areas for potential integrity exposure:
Protection from integrity exposures To avoid integrity exposures z/OS use: • APF to identify system/user programs that can use sensitive system functions • Storage Protection to prevent unauthorized alteration of storage or unauthorized reading of storage areas • Cross Memory Communication to identify system/user programs that can use sensitive system functions
Just to clarify the risk SVC - Supervisor Call PC - Program Call IBM OEM • Authorized programs on z/OS and their associated application programming interfaces are critical to that integrity. • What is the potential severity associated with this risk ? • CVSS 6.5 for a fetch-related vulnerability (“medium”) • CVSS 8.8 for a store-related vulnerability (“high”) ( See https://www.first.org/ )
IBM zACS – Authorized Code Scanner • a new priced feature of z/OS version 2 release 4 • help support clients in their efforts to strengthen the security posture of the z/OS dev/test pipeline • scans the client’s authorized code and provides diagnostic information for subsequent investigation as needed zACS searches for potential vulnerabilities
zACS components The IBM z/OS Authorized Code Scanner (zACS) consists of: • REXX • Batch • Started Task The input: • Generated PC & SVC tables • Syslog The output: • Data Set
How does it work ? zACS is run in the following steps: 1. Initialize the Started Task 2. Run the batch jobs to generate the PC & SVC tables 3. Run the REXX to generate test cases in batch • Run REXX directly or via ISPF panels • Optionally filter by inclusion or exclusion list • Wait for completion of the set
zACS configuration 'SYS1.BPN.SBPNSAMP’ (BPNCFG)‘
zACS Started Task S BPNZACS zACS will clear the output data set defined in the started task, including any vulnerability data that was found. zACS sets the slip : SLIP SET,ID=BPN1,ERRTYP=PROG,A=(RECORD,NODUMP),END
PC & SVC table generation BPNPCNUM BPNSVCNM
Testing PC & SVC To test all SVC and PC you need to run the two rexx: • ex 'SYS1.BPN.SBPNEXEC(BPNKNSVC)’ • ex 'SYS1.BPN.SBPNEXEC(BPNKNPCX)’
Using zACS ISPF panels (1/3) zACS can also be used with ISPF panels: ex 'SYS1.BPN.SBPNEXEC(BPNISPFR)'
Using zACS ISPF panels (2/3)
Using zACS ISPF panels (3/3) Confirmation panel. To continue with the run, select 1 and press enter, to prevent the run from starting select 2 and press enter.
zACS: Potential Vulnerability Output
zACS: Potential Vulnerability Output
zACS: Potential Vulnerability Output
zACS: Potential Vulnerability Output

More Related Content

PDF
La Cruz de Cristo
byAntony G.
 
PPT
zSecurity_L3_OperatingSystemsSecurity.ppt
bypallavisvhasakale136
 
PPTX
IBM Workload Scheduler for z/OS Security with RACF & IBM zSecure
byNico Chillemi
 
PPS
Systemz Security Overview (for non-Mainframe folks)
byMike Smith
 
PDF
Novidades interessantes e importantes do z/os 2.2
byJoao Galdino Mello de Souza
 
PDF
An Introduction to zOS Real-time Infrastructure and Security Practices
byJerry Harding
 
PDF
Should I Patch My ICS?
byDigital Bond
 
PPTX
2545 Debugging back to-basics
bynick_garrod
 
La Cruz de Cristo
byAntony G.
 
zSecurity_L3_OperatingSystemsSecurity.ppt
bypallavisvhasakale136
 
IBM Workload Scheduler for z/OS Security with RACF & IBM zSecure
byNico Chillemi
 
Systemz Security Overview (for non-Mainframe folks)
byMike Smith
 
Novidades interessantes e importantes do z/os 2.2
byJoao Galdino Mello de Souza
 
An Introduction to zOS Real-time Infrastructure and Security Practices
byJerry Harding
 
Should I Patch My ICS?
byDigital Bond
 
2545 Debugging back to-basics
bynick_garrod
 

Similar to z/OS Authorized Code Scanner

PDF
Upgrade to zOS V2.5 - Planning and Tech Actions.pdf
byMarna Walle
 
PDF
Upgrade to zOS V2.5 - Planning and Tech Actions.pdf
byMarna Walle
 
PDF
State of the (evil) Mainframe
byHenri Kuiper
 
PDF
Privilege Elevation in z/OS Systems - APF and More.pdf
byPrecisely
 
PDF
Upgrade to V2.5 Plan and Tech Actions.pdf
byMarna Walle
 
PDF
Closing Mainframe Integrity Gaps
byRay Overby
 
PPTX
Using Assessment Tools on ICS (English)
byDigital Bond
 
PDF
Best Practices in IBM i Security
byPrecisely
 
PDF
Revealing the 2016 State of IBM i Security
byHelpSystems
 
PPT
System Z Mainframe Security For An Enterprise
byJim Porell
 
PDF
z/OS Small Enhancements - Episode 2014B
byMarna Walle
 
PDF
z/OS Small Enhancements - Episode 2013A
byMarna Walle
 
PDF
The Mainframe's Role in Enterprise Security Management - Jean-Marc Darees
byNRB
 
PDF
Upgrade to IBM z/OS V2.5 Planning
byMarna Walle
 
PDF
3 florin coada - sast in the days of dev ops
byIevgenii Katsan
 
PDF
The NRB Group mainframe day 2021 - IBM Z-Strategy & Roadmap - Adam John Sturg...
byNRB
 
PDF
z/OS Small Enhancements - Episode 2016A
byMarna Walle
 
PDF
Automatic Performance Improvement for Legacy COBOL
byDevOps for Enterprise Systems
 
PPT
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
byIBM Security
 
PPSX
IBM: Cognitive Security Transformation for the Enrgy Sector
byFMA Summits
 
Upgrade to zOS V2.5 - Planning and Tech Actions.pdf
byMarna Walle
 
Upgrade to zOS V2.5 - Planning and Tech Actions.pdf
byMarna Walle
 
State of the (evil) Mainframe
byHenri Kuiper
 
Privilege Elevation in z/OS Systems - APF and More.pdf
byPrecisely
 
Upgrade to V2.5 Plan and Tech Actions.pdf
byMarna Walle
 
Closing Mainframe Integrity Gaps
byRay Overby
 
Using Assessment Tools on ICS (English)
byDigital Bond
 
Best Practices in IBM i Security
byPrecisely
 
Revealing the 2016 State of IBM i Security
byHelpSystems
 
System Z Mainframe Security For An Enterprise
byJim Porell
 
z/OS Small Enhancements - Episode 2014B
byMarna Walle
 
z/OS Small Enhancements - Episode 2013A
byMarna Walle
 
The Mainframe's Role in Enterprise Security Management - Jean-Marc Darees
byNRB
 
Upgrade to IBM z/OS V2.5 Planning
byMarna Walle
 
3 florin coada - sast in the days of dev ops
byIevgenii Katsan
 
The NRB Group mainframe day 2021 - IBM Z-Strategy & Roadmap - Adam John Sturg...
byNRB
 
z/OS Small Enhancements - Episode 2016A
byMarna Walle
 
Automatic Performance Improvement for Legacy COBOL
byDevOps for Enterprise Systems
 
Don't Risk Your Reputation or Your Mainframe: Best Practices for Demonstratin...
byIBM Security
 
IBM: Cognitive Security Transformation for the Enrgy Sector
byFMA Summits
 

More from Luigi Perrone

PDF
EKMF solution overview
byLuigi Perrone
 
PDF
Sklm webinar
byLuigi Perrone
 
PDF
Mfa.intro
byLuigi Perrone
 
PDF
Pervasive Encryption for DB2
byLuigi Perrone
 
PDF
Key management
byLuigi Perrone
 
PDF
z/OS Pervasive Encryption
byLuigi Perrone
 
PDF
Come gestire l'encryption dei dati con SKLM
byLuigi Perrone
 
PDF
2017 racf 2.3 news
byLuigi Perrone
 
PDF
IBM Qradar-Advisor
byLuigi Perrone
 
PDF
Come integrare il mainframe con QRadar
byLuigi Perrone
 
PDF
Fare sicurezza con zSecure
byLuigi Perrone
 
PDF
Racf psw enhancement
byLuigi Perrone
 
EKMF solution overview
byLuigi Perrone
 
Sklm webinar
byLuigi Perrone
 
Mfa.intro
byLuigi Perrone
 
Pervasive Encryption for DB2
byLuigi Perrone
 
Key management
byLuigi Perrone
 
z/OS Pervasive Encryption
byLuigi Perrone
 
Come gestire l'encryption dei dati con SKLM
byLuigi Perrone
 
2017 racf 2.3 news
byLuigi Perrone
 
IBM Qradar-Advisor
byLuigi Perrone
 
Come integrare il mainframe con QRadar
byLuigi Perrone
 
Fare sicurezza con zSecure
byLuigi Perrone
 
Racf psw enhancement
byLuigi Perrone
 

Recently uploaded

PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
PPTX
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PDF
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PPTX
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PDF
What is a stablecoin and business adoption in 2026.pdf
bymeerasingh12189
 
PDF
Building production-ready AI Agents with Strands Agents and Amazon Bedrock Ag...
byVadym Kazulkin
 
PDF
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
PDF
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PDF
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
PDF
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
PDF
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
openstack_operations_slides_version1.3_pp.pdf
byssuser47d511
 
‘Analyzing Application Logs Using AI’ Webinar
byTier1 app
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Introduction to Modern Artificial Intelligence.pdf
byAI n Dot Net
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
What is a stablecoin and business adoption in 2026.pdf
bymeerasingh12189
 
Building production-ready AI Agents with Strands Agents and Amazon Bedrock Ag...
byVadym Kazulkin
 
MySQL Routing Guidelines: Designing Smarter Query Routing Together
byMiguel Araújo
 
Lost Android Phone Recovery_ Steps That Work Fast.pdf
byIsabella Reed
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
Langchain4J – An Introduction for Impatient Developers
byJuarez Junior
 
Building Smarter AI: 16 RAG Approaches for Accuracy, Memory, and Reasoning Vi...
byVineet Sharma
 
Imperative Bowling Kata - 20 Years On - Delegating Menial Tasks to AI Coding ...
byPhilip Schwarz
 

z/OS Authorized Code Scanner

  • 1.
    Luigi Perrone IBM Security– Executive IT Specialist Security & Audit for zSystem & enterprise Security Intelligence solution luigi_perrone@it.ibm.com https://www.linkedin.com/in/luigiperrone/
  • 2.
    The matter ofsystem integrity System Integrity the state of a system in terms of system functionalities without being degraded or compromised by changes or disruptions
  • 3.
    System Integrity onZ/OS Protecting the system involves a number of tasks • Maintenance of system integrity • Use of the authorized programming facility • Use of the resource access control facility (RACF) • Changing system status • Protecting low storage. “There is no way for unauthorized programs to bypass store or fetch protection, password checking, RACF checking, or obtain control in an authorized state”
  • 4.
    Potentially integrity exposures •User-supplied addresses for user storage areas. • User-supplied addresses for protected control blocks. • Resource identification • SVC routines calling SVC routines • Control program and user data accessibility • Resource serialization (for example, through locking) They are controlled by : APF, Storage Protection and Cross Memory Communication An installation should consider the areas for potential integrity exposure:
  • 5.
    Protection from integrityexposures To avoid integrity exposures z/OS use: • APF to identify system/user programs that can use sensitive system functions • Storage Protection to prevent unauthorized alteration of storage or unauthorized reading of storage areas • Cross Memory Communication to identify system/user programs that can use sensitive system functions
  • 6.
    Just to clarifythe risk SVC - Supervisor Call PC - Program Call IBM OEM • Authorized programs on z/OS and their associated application programming interfaces are critical to that integrity. • What is the potential severity associated with this risk ? • CVSS 6.5 for a fetch-related vulnerability (“medium”) • CVSS 8.8 for a store-related vulnerability (“high”) ( See https://www.first.org/ )
  • 7.
    IBM zACS –Authorized Code Scanner • a new priced feature of z/OS version 2 release 4 • help support clients in their efforts to strengthen the security posture of the z/OS dev/test pipeline • scans the client’s authorized code and provides diagnostic information for subsequent investigation as needed zACS searches for potential vulnerabilities
  • 8.
    zACS components The IBMz/OS Authorized Code Scanner (zACS) consists of: • REXX • Batch • Started Task The input: • Generated PC & SVC tables • Syslog The output: • Data Set
  • 9.
    How does itwork ? zACS is run in the following steps: 1. Initialize the Started Task 2. Run the batch jobs to generate the PC & SVC tables 3. Run the REXX to generate test cases in batch • Run REXX directly or via ISPF panels • Optionally filter by inclusion or exclusion list • Wait for completion of the set
  • 10.
  • 11.
    zACS Started Task SBPNZACS zACS will clear the output data set defined in the started task, including any vulnerability data that was found. zACS sets the slip : SLIP SET,ID=BPN1,ERRTYP=PROG,A=(RECORD,NODUMP),END
  • 12.
    PC & SVCtable generation BPNPCNUM BPNSVCNM
  • 13.
    Testing PC &SVC To test all SVC and PC you need to run the two rexx: • ex 'SYS1.BPN.SBPNEXEC(BPNKNSVC)’ • ex 'SYS1.BPN.SBPNEXEC(BPNKNPCX)’
  • 14.
    Using zACS ISPFpanels (1/3) zACS can also be used with ISPF panels: ex 'SYS1.BPN.SBPNEXEC(BPNISPFR)'
  • 15.
    Using zACS ISPFpanels (2/3)
  • 16.
    Using zACS ISPFpanels (3/3) Confirmation panel. To continue with the run, select 1 and press enter, to prevent the run from starting select 2 and press enter.
  • 17.
  • 19.
  • 20.
  • 21.