To: Z/OS Audit Files From: Date: Re: Audit Program Objectives: * To document the z/OS (z-server Operating System) environments. * To review for adequacy the steps taken to protect the integrity of the z/OS operating systems. Scope: * Include all productional z/OS systems * Include steps taken regarding the protection and control of key z/OS libraries * Include steps taken regarding the protection and control of exits to the operating system * Include steps taken regarding the protection and control of supervisor calls (SVC's) * Include reasonableness of the Z/OS parameters controlling the operation of the systems * Include control of SMF (System Management Facility) processing General Issues: 1. Document the hardware and software environments for the productional z/OS systems. 2. Obtain/prepare an organization chart depicting who has responsibility for the integrity of the z/OS systems. 3. Determine the location of the operator consoles. Review each to determine if they are in secured areas. 4. Review the SMF (System Management Facility) parameters. Determine if operator overrides are permitted. If so, determine if any controls are in place to ensure SMF options are correctly set. 5. Determine if SMF files are adequately RACF protected. 6. Determine if adequate steps are in place to prevent loss of SMF data due to failure to dump the records in a timely manner. Also, determine if the dump program is adequately RACF protected. 7. Review the SMF exits for reasonableness. Determine if exits IEFU83 and IEFU84 are being used. If so, determine which SMF records are being discarded by these exits. Installation Options: 8. Determine if the system libraries are adequately RACF protected. 9. Determine if the operator can override the parmlist at IPL (Initial Program Load) time. If so, determine if any controls are in place to ensure only appropriate options are used. 10. Determine if the APF (Authorized Program Facility) libraries are RACF protected. If protected, determine if the access list is reasonable. 11. Determine if any APF libraries are missing or offline. 12. Review the Program Properties Table (PPT) to ensure that programs are assigned appropriate system-level attributes. 13. Determine if application programs reside in APF libraries. If so, determine what controls are in place to control the usage of these programs. Internal Control Blocks and Tables 14. List each I/O appendage. Review this list for reasonableness. Review the change control procedures for I/O appendages. 15. List each z/OS exit. Review this list for reasonableness. Review the change control procedures for z/OS exits. 16. List all of the LPA (Link Pack Area) libraries. Review this list for reasonableness. Review the change control procedures for LPA libraries. Determine if these libraries are RACF protected. 17. List all SVC's (Supervisor Calls). Review this list for reasonableness. Note any missing SVC's. Administrative Tasks 1. Prepare Audit Objectives and Scope statement and audit program. 2. Finalize workpapers 3. Write report 4. Post audit follow-up. Contributed 02 MAY 2002 by Bobby Barrett