Following was contributed to AuditNet LLC by (Rey LeClerc) rey@mass-usa.net

ACF/VTAM

Objective: To ensure that ACF/VTAM is adequately installed and that proper security access has been given.

General Description

Advanced Communications Function for Virtual Telecommunications Access Method (ACF/VTAM) is an IBM product that directs the transmission of data between application programs and terminals in a telecommunications network. To support communications within the network, ACF/VTAM:

o controls the allocation of network resources;
o establishes, terminates, and controls connections between application programs and terminals;
o transfers data between application programs and terminals;
o permits application programs to share resources such as communication lines, communications controllers, and terminals;
o permits communications controllers and terminals to perform some network functions;
o permits concurrent execution of Telecommunications Access Method (TCAM) and VTAM application programs using the same network;
o permits the operation of the network to be monitored;
o permits the configuration of the network to be changed while the network is being used.

Using VTAM facilities, an installation can control the use of specified terminals and application programs. Resources to be controlled can be defined during VTAM definition. The installation can control sensitive resources by verifying terminal identifications, verifying logons, controlling the connections between application programs and terminals, controlling which applications can use VTAM, restricting an application program's use of VTAM facilities, and protecting sensitive data being transmitted by VTAM.

In addition, the installation can configure its network for security. Nodes sharing similar security requirements can be placed in an isolated (secure) network, and communication between these nodes and less secure nodes in other networks can then be allowed.
The installation can group together the routes used to carry sessions into lists on the basis of characteristics such as security, transmission priority, and bandwidth of the route. The characteristics of a particular list determine the class of service. The installation defines these classes of service by creating a class of service (COS) table, and assigns a class of service to a session by specifying the name of an entry from the COS table in the logon mode table entry associated with that session.

A logon mode table contains entries specifying different session parameters, which are sets of rules that describe how a session is to be conducted. This table also identifies the use of the VTAM data encryption facility. In sessions using that facility, data requiring high security is enciphered when entering the network and deciphered when leaving the network. This is indicated through the ENCR parameter of the MODEENT macro. The bit settings are as follows:

0     default value; no use of data encryption.
xx..  private cryptography field:
      00..  no private cryptography
      01..  private cryptography used
..xx  VTAM cryptography field:
      ..00  no session-level cryptography
      ..01  selective cryptography
      ..10  reserved
      ..11  mandatory cryptography

When VTAM processes a session establishment or termination request, it uses the interpret table (INTAB) to determine which application program is to be notified.

VTAM contains two IBM-supplied unformatted system services (USS) definition tables, which it uses to define certain commands and messages. You can optionally redefine these commands and messages by creating your own tables to be used in addition to the IBM-supplied tables.

In addition, the installation can write an authorization routine to check or restrict the use of an application program or a logical unit.

ACF/VTAM Audit Program

1. Obtain and review the COS table. Ensure that an adequate transmission priority indicator is maintained.
   Note: A transmission priority indicator must be an integer from 0 to 2, where:
   0 specifies low-priority session traffic;
   1 specifies medium-priority session traffic;
   2 specifies high-priority session traffic.
   Particular concern should be given to high-priority session traffic.

2. Obtain and review the logon mode table as follows:
   a. Ensure that all classes of service (COS) are identified in the logon mode table.
   b. Review the use of the VTAM data encryption facility by ensuring that highly critical applications use an ENCR parameter greater than 0.
   c. Ensure that LOGMODE names are not repeated. If duplicate names appear in the table, only the first occurrence of the name is used.

3. Obtain and review INTAB. Ensure that the LOGCHAR macro instructions are properly defined. LOGCHAR macro instructions should be arranged so that the logon sequences for the logon messages run from the most restrictive (greatest number of characters) to the least restrictive (fewest number of characters) in the SEQNCE parameter.

4. Obtain and review the USS tables to ensure that proper logon and logoff procedures have been defined. Also ensure that user-defined commands follow proper procedure.

5. Review the use of session authorization exit routines to ensure that adequate control is maintained over critical applications.

Sources/References

Network Program Products Planning (SC30-3351)
VTAM Customization (SC23-0112)
VTAM Installation and Resource Definition (SC23-0111)
VTAM Operation (SC23-0113)
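As an added worked example (not part of the AuditNet program and not IBM code), the Python below applies audit steps 1 and 2 to constructed, simplified listings of a COS table and a logon mode table: it flags priority indicators outside 0 to 2, logon mode entries that name a COS missing from the COS table, duplicate LOGMODE names (noting that only the first is effective), and critical applications whose effective entry has ENCR=0. The one-entry-per-line layout, the ENCR=bbbb spelling and the critical-application mode names are assumptions.

```python
# Audit helper for ACF/VTAM COS and logon mode table review (constructed example, not IBM code).
import re
from collections import Counter

# Constructed, simplified listings: label, macro, KEY=VALUE operands. Real tables are assembler
# macro source; this layout and the ENCR=bbbb spelling are assumptions made for the example.
COS_TABLE = """
HIPRI    COS PRIORITY=2
NORMAL   COS PRIORITY=1
BADCOS   COS PRIORITY=5
"""
LOGMODE_TABLE = """
         MODEENT LOGMODE=PAYROLL,COS=HIPRI,ENCR=0011
         MODEENT LOGMODE=INQUIRY,COS=NORMAL,ENCR=0000
         MODEENT LOGMODE=PAYROLL,COS=NORMAL,ENCR=0000
         MODEENT LOGMODE=HRAPPL,COS=MISSING,ENCR=0000
"""
CRITICAL_LOGMODES = {"PAYROLL", "HRAPPL"}   # constructed: modes used by critical applications
ENTRY = re.compile(r"^(\S*)\s*(COS|MODEENT)\s+(\S+)$")

def parse_entries(text):
    """Yield (label, macro, {operand: value}) for each non-blank line of a listing."""
    for line in text.strip().splitlines():
        label, macro, operands = ENTRY.match(line).groups()
        yield label, macro, dict(op.split("=", 1) for op in operands.split(","))

def decode_encr(bits):
    """Interpret the ENCR bit settings of the MODEENT macro: (private field, VTAM field)."""
    private = {"00": "no private cryptography", "01": "private cryptography used"}
    vtam = {"00": "no session-level cryptography", "01": "selective cryptography",
            "10": "reserved", "11": "mandatory cryptography"}
    bits = bits.zfill(4)                  # "0" (the default) means all four bits off
    return private.get(bits[:2], "invalid"), vtam.get(bits[2:], "invalid")

def audit(cos_text, mode_text, critical):
    """Audit steps 1 and 2: priority range, COS references, duplicates, ENCR on critical modes."""
    findings = []
    cos = {label: ops for label, _, ops in parse_entries(cos_text)}
    for name, ops in cos.items():
        if not 0 <= int(ops["PRIORITY"]) <= 2:
            findings.append(f"COS {name}: PRIORITY {ops['PRIORITY']} is outside 0-2")
    modes = [ops for _, _, ops in parse_entries(mode_text)]
    findings += [f"LOGMODE {n} defined {c} times; only the first entry is used"
                 for n, c in Counter(ops["LOGMODE"] for ops in modes).items() if c > 1]
    effective = {ops["LOGMODE"]: ops for ops in reversed(modes)}   # first occurrence wins, as in VTAM
    for name, ops in effective.items():
        if ops["COS"] not in cos:
            findings.append(f"LOGMODE {name}: COS {ops['COS']} is not defined in the COS table")
        if name in critical and int(ops["ENCR"], 2) == 0:
            findings.append(f"LOGMODE {name}: critical application with {decode_encr(ops['ENCR'])[1]}")
    return findings
```

Run against the constructed tables, audit() reports four findings: the out-of-range BADCOS priority, the duplicated PAYROLL entry, and two for HRAPPL (undefined COS and no encryption); the duplicate PAYROLL entry without encryption is not reported because the first, encrypted entry is the effective one.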