Chapter 28 Exercises: Mainframe Security for COBOL Developers
Part A: Conceptual Questions
A1. Explain why z/OS address space isolation is a hardware-enforced security boundary rather than a software-enforced one. How does this differ from process isolation on Linux or Windows? What are the implications for vulnerability exploitation?
A2. Describe the System Authorization Facility (SAF) and its role as a security router. Why is having a single security checkpoint for all resource access architecturally superior to having each subsystem implement its own security mechanism?
A3. The chapter describes a "seven gates" model for layered security on z/OS. List all seven layers and explain why each is independently configured. What is the "hard shell, soft center" anti-pattern, and how does defense in depth prevent it?
A4. Explain the difference between RACF discrete profiles and generic profiles. When would you use a discrete profile instead of a generic one? Under what circumstances could a generic profile create a security gap?
A5. What is RACF UACC and why should it always be set to NONE for production profiles? Describe a scenario where UACC(READ) on a production dataset profile creates a compliance violation.
A6. Explain the two-layer security model for DB2 on z/OS (RACF DSNR class + DB2 GRANT/REVOKE). Why are both layers necessary? Could you achieve equivalent security with only one layer? Justify your answer.
A7. Describe how CICS surrogate user security enables per-user authorization in a shared CICS region. Why is this more secure than authorizing based on the CICS region userid alone?
A8. What is the difference between data at rest encryption and data in transit encryption on z/OS? List the specific z/OS technology for each and explain why both are required for PCI-DSS compliance.
A9. The chapter states that encryption on z/OS "costs zero CPU" because CPACF runs on dedicated hardware. Explain the architecture that makes this possible. What are the implications for the "encryption is too expensive" argument in mainframe environments?
A10. Explain the HIPAA "Safe Harbor" provision for encryption. Why does Pinnacle Health encrypt all ePHI even though the HIPAA Security Rule says encryption is "addressable" (not required)?
Part B: Applied Analysis
B1. RACF Profile Design for a New Application
A new COBOL application at CNB processes wire transfers. It has the following components:
- CICS transaction ID: WIRE
- DB2 tables: CNB.WIRE_TRANSFER, CNB.WIRE_LOG, CNB.WIRE_AUDIT
- MQ queues: CNBQM01.WIRE.REQUEST, CNBQM01.WIRE.RESPONSE, CNBQM01.WIRE.DLQ
- Batch program for EOD wire reconciliation, running under userid CNBWRBAT
- CICS region userid: CNBCICS
- End users: RACF group CNBWIRE (wire desk operators)
- Auditors: RACF group CNBAUD
Design the complete RACF security model for this application:
a) Write the RACF commands to define dataset profiles for all wire transfer datasets. Assume the naming convention CNB.PROD.WIRE.**.
b) Write the RACF commands for CICS transaction security (TCICSTRN class) for the WIRE transaction.
c) Write the DB2 GRANT statements that implement least-privilege access. Wire desk operators can initiate transfers (INSERT into WIRE_TRANSFER), the batch program can UPDATE all three tables, and auditors can SELECT from all tables.
d) Write the RACF commands for MQ queue security. The CICS region can PUT to the request queue and GET from the response queue. The batch program can GET from the request queue and PUT to the response and DLQ queues.
e) Identify any security gaps in your design. What additional controls would you recommend?
B2. SQL Injection Vulnerability Assessment
Review the following COBOL code fragments and determine whether each is vulnerable to SQL injection. For each vulnerable fragment, write the secure alternative.
Fragment 1:
```cobol
EXEC SQL
    SELECT CUST_NAME, ACCT_BAL
      INTO :WS-CUST-NAME, :WS-ACCT-BAL
      FROM CNB.ACCOUNTS
     WHERE CUST_ID = :WS-CUST-ID
END-EXEC
```
Fragment 2:
```cobol
STRING 'SELECT * FROM CNB.ACCOUNTS WHERE '
       WS-SEARCH-COLUMN
       ' = '''
       WS-SEARCH-VALUE
       ''''
       DELIMITED BY SIZE INTO WS-SQL-STMT
EXEC SQL PREPARE S1 FROM :WS-SQL-STMT END-EXEC
EXEC SQL OPEN C1 END-EXEC
```
Fragment 3:
```cobol
MOVE SPACES TO WS-WHERE-CLAUSE
IF WS-FILTER-ACCT NOT = SPACES
    STRING ' AND ACCT_NUM = '''
           WS-FILTER-ACCT
           ''''
           DELIMITED BY SIZE INTO WS-WHERE-CLAUSE
END-IF
STRING 'SELECT * FROM CNB.TRANSACTIONS WHERE '
       'TRAN_DATE = CURRENT DATE'
       WS-WHERE-CLAUSE
       DELIMITED BY SIZE INTO WS-SQL-STMT
EXEC SQL PREPARE S2 FROM :WS-SQL-STMT END-EXEC
```
Fragment 4:
```cobol
EXEC SQL
    SELECT COUNT(*)
      INTO :WS-COUNT
      FROM CNB.TRANSACTIONS
     WHERE ACCT_NUM = :WS-ACCT-NUM
       AND TRAN_DATE BETWEEN :WS-START-DATE
                         AND :WS-END-DATE
END-EXEC
```
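The mechanism behind Fragments 1 and 2, shown as an added Python/sqlite3 example rather than code from the chapter: the concatenated form lets a search value (or a column name) rewrite the predicate, while the hardened form allow-lists the column name and passes the value as a parameter marker, the dynamic-SQL counterpart of the host variable in Fragment 1. The table, rows and allow-list are constructed for the demonstration.

```python
import sqlite3

# Constructed stand-in for CNB.ACCOUNTS; these rows are sample data, not from the chapter.
SAMPLE_ROWS = [("C001", "ALICE", 120.50), ("C002", "BOB", 99.00), ("C003", "CAROL", 5000.00)]

# Only these column names may appear in a dynamically built WHERE clause.
SEARCHABLE_COLUMNS = {"CUST_ID", "CUST_NAME"}


def _connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ACCOUNTS (CUST_ID TEXT, CUST_NAME TEXT, ACCT_BAL REAL)")
    con.executemany("INSERT INTO ACCOUNTS VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def search_vulnerable(column, value):
    """Mirrors Fragment 2: column name and search value are spliced into the
    statement text, so both become injection points."""
    stmt = "SELECT * FROM ACCOUNTS WHERE " + column + " = '" + value + "'"
    return _connect().execute(stmt).fetchall()


def search_secure(column, value):
    """Hardened form: the column name must be on the allow-list (a parameter
    marker cannot stand in for an identifier), and the value travels as a
    parameter so the database never parses it as SQL."""
    if column not in SEARCHABLE_COLUMNS:
        raise ValueError("column not searchable: %r" % column)
    stmt = "SELECT * FROM ACCOUNTS WHERE " + column + " = ?"
    return _connect().execute(stmt, (value,)).fetchall()


if __name__ == "__main__":
    probe = "x' OR '1'='1"
    print("vulnerable:", len(search_vulnerable("CUST_ID", probe)), "rows")
    print("secure:    ", len(search_secure("CUST_ID", probe)), "rows")
```

The same probe returns every row through the concatenated statement and no rows through the parameterized one, because the secure form compares CUST_ID with the literal text of the probe.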
B3. Audit Trail Gap Analysis
CNB's fund transfer program writes an audit record for every transfer. The current audit record contains:
| Field | Content |
|---|---|
| Timestamp | CICS ASKTIME |
| Userid | CICS ASSIGN USERID |
| Transaction ID | XFRT |
| From account | Account number |
| To account | Account number |
| Amount | Transfer amount |
| Result | SUCCESS or FAILURE |
A PCI-DSS auditor has found the following gaps:
a) The audit record doesn't capture the terminal ID. Why does the auditor want this? What attack does it help detect?
b) The audit record doesn't capture the user's IP address for web service calls (where there is no 3270 terminal). How would you capture the originating IP for REST API calls through z/OS Connect?
c) The audit record is written to a CICS transient data queue. The auditor wants assurance that audit records cannot be deleted or modified. Describe the controls you would implement.
d) The audit record doesn't capture failed transfer attempts (e.g., insufficient funds, invalid account). Why is auditing failures as important as auditing successes? Design the enhanced audit record.
B4. Buffer Overflow Scenario
A COBOL program receives a JSON payload from a CICS web service. The JSON is parsed into COBOL fields using EXEC CICS GET CONTAINER. Consider this code:
```cobol
01  WS-JSON-DATA.
    05  WS-ACCT-NUM       PIC X(12).
    05  WS-ACCT-NAME      PIC X(50).
    05  WS-TRANSFER-AMT   PIC X(15).

EXEC CICS GET CONTAINER('JSONDATA')
     INTO(WS-JSON-DATA)
     FLENGTH(WS-RECV-LEN)
END-EXEC
```
a) What happens if the container holds more data than WS-JSON-DATA (77 bytes)? Does CICS truncate or overflow?
b) What happens if WS-ACCT-NUM in the JSON is 20 characters instead of 12? Where does the overflow go?
c) Write the secure version of this code with proper bounds checking and error handling.
d) What is the security implication if the overflow corrupts WS-TRANSFER-AMT? Describe a specific attack scenario.
Part C: Design Challenges
C1. PCI-DSS Compliance Architecture
You are the architect for a mid-size retail bank implementing PCI-DSS compliance on a z/OS system with:
- 2 LPARs in a Parallel Sysplex
- DB2 data sharing group with 2 members
- 4 CICS AORs (2 per LPAR)
- 1 MQ queue sharing group
- Batch processing on both LPARs
Design the PCI-DSS compliance architecture:
a) Define the Cardholder Data Environment (CDE) boundary. Which LPARs, CICS regions, DB2 tables, and MQ queues are in scope?
b) Map PCI-DSS Requirements 1, 3, 7, and 10 to specific z/OS controls for your environment.
c) Design the encryption strategy: which data is encrypted at rest? In transit? What key management approach will you use?
d) Design the monitoring and alerting strategy: what SMF records will you collect? What thresholds will trigger alerts? How will you achieve the "log and monitor all access" requirement?
e) Create a quarterly compliance validation checklist — what do you check every 90 days to ensure controls are still effective?
C2. HIPAA Security Implementation
Pinnacle Health Insurance is adding a new claims processing module. The module handles ePHI including:
- Patient demographics (name, address, DOB, SSN)
- Diagnosis codes (ICD-10)
- Treatment details (procedure codes, provider notes)
- Payment information (billed amounts, paid amounts)
Four user roles need access:
1. Claims processors: see demographics and payment info, not diagnosis/treatment
2. Clinical reviewers: see demographics and diagnosis/treatment, not payment info
3. Customer service representatives: see demographics and claim status only
4. Auditors: see everything
a) Design the DB2 authorization model using roles and column-level GRANT statements.
b) Design the CICS transaction security model — separate transactions for each role, or one transaction with in-application role checking? Justify your choice.
c) Design the audit logging strategy — what events must be logged? What retention period? How will you answer the question "Who viewed patient X's medical records in the last 90 days?"
d) Design the data masking strategy — which fields are masked for which roles? Where does masking happen (DB2, COBOL, presentation layer)?
C3. Security Architecture Review
You are reviewing the security architecture for Federal Benefits Administration's legacy benefits calculation system. The system has the following characteristics:
- 15 million lines of COBOL
- IMS database (not DB2)
- Batch-only processing (no CICS)
- Single LPAR
- RACF, but many profiles are generic (**) with UACC(READ)
- No encryption (dataset or network)
- SMF recording turned off for "performance reasons"
- All batch jobs run under the same userid (FBAPROD)
a) List every security deficiency you can identify. Prioritize them by risk level (Critical, High, Medium, Low).
b) For the top 3 critical deficiencies, write a remediation plan including specific RACF commands, timeline, and rollback procedure.
c) Sandra Chen wants to modernize incrementally — she can't shut down the system for a security overhaul. Design a phased remediation plan that can be implemented without a production outage.
d) Marcus Whitfield retires in 2 years and is the only person who knows which RACF profiles are actively protecting resources. Design a knowledge transfer plan for RACF administration.
Part D: Research and Exploration
D1. Research the RACF IRRDBU00 utility. This utility unloads the RACF database into a flat file for analysis. Write a description of how you would use IRRDBU00 to answer the following audit questions:
- How many userids have the SPECIAL attribute?
- Which datasets have UACC other than NONE?
- Which userids haven't logged on in 90+ days?
D2. Research IBM Z Multi-Factor Authentication (MFA). Describe how MFA integrates with RACF and what authentication factors are supported. How would you implement MFA for privileged mainframe access without disrupting batch job scheduling?
D3. Research the IBM zSecure suite (formerly Consul/Tivoli zSecure). How does it complement native RACF capabilities? What specific compliance reporting does it provide for PCI-DSS and HIPAA?
D4. Research the concept of "zero trust architecture" and evaluate how it applies to z/OS. Which z/OS controls already implement zero trust principles? Where are the gaps?
D5. Research the NIST Cybersecurity Framework (CSF) and map its five functions (Identify, Protect, Detect, Respond, Recover) to specific z/OS capabilities discussed in this chapter.
Part E: Hands-On Lab (if z/OS access is available)
E1. Using the RACF TSO commands (LISTUSER, LISTGRP, LISTDSD, RLIST), inventory the security profiles protecting a development CICS region's resources:
- List all userids in the CICS region's connected group
- List all TCICSTRN profiles
- List all dataset profiles matching the region's HLQ
- Document any profiles with UACC other than NONE
E2. Using RACF SEARCH, find all profiles in the CSFKEYS class (encryption key labels). For each key, determine which userids have access and what access level they have. Document the key management chain of custody.
E3. Write a COBOL program that reads SMF type 80 records from an SMF dump dataset and produces a report of all failed access attempts in the last 24 hours, sorted by userid and resource name. Include a count of failures per userid to identify potential brute-force attempts.
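The reporting logic E3 asks for, as an added Python example that is not part of the chapter and not the COBOL program the exercise expects: it filters already-decoded access-failure events to a 24-hour window, sorts them by userid and resource name, and counts failures per userid to flag possible brute-force activity. The event records, userids, resource names and the alert threshold are constructed for the demonstration; real SMF type 80 records are binary and would need a proper decoder before this step.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed, already-decoded events standing in for SMF type 80 records
# (assumption: a real SMF 80 record is binary and needs a decoder first).
# Fields: event time (ISO 8601), userid, resource class, resource name, outcome.
SAMPLE_EVENTS = [
    ("2024-05-02T09:15:00", "USR001", "DATASET", "CNB.PROD.WIRE.MASTER", "INSUFFICIENT_AUTH"),
    ("2024-05-02T09:16:00", "USR001", "DATASET", "CNB.PROD.WIRE.AUDIT", "INSUFFICIENT_AUTH"),
    ("2024-05-02T09:17:00", "USR001", "TCICSTRN", "WIRE", "INSUFFICIENT_AUTH"),
    ("2024-05-02T09:18:00", "USR001", "DATASET", "CNB.PROD.WIRE.MASTER", "INSUFFICIENT_AUTH"),
    ("2024-05-02T10:00:00", "CNBWRBAT", "DATASET", "CNB.PROD.WIRE.MASTER", "SUCCESS"),
    ("2024-05-02T10:30:00", "AUD002", "DATASET", "CNB.PROD.WIRE.AUDIT", "INSUFFICIENT_AUTH"),
    ("2024-04-30T08:00:00", "USR001", "DATASET", "CNB.PROD.WIRE.MASTER", "INSUFFICIENT_AUTH"),
]


def failed_access_report(events, now_iso, window_hours=24):
    """Return (rows, per_user): failures inside the window, sorted by userid,
    then resource name, then time, plus a per-userid failure count."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(hours=window_hours)
    rows = []
    for ts, user, rclass, resource, outcome in events:
        when = datetime.fromisoformat(ts)
        if outcome == "SUCCESS" or when < cutoff:
            continue  # successes and stale events are outside this report's scope
        rows.append((user, resource, rclass, when.isoformat()))
    rows.sort(key=lambda r: (r[0], r[1], r[3]))
    return rows, Counter(r[0] for r in rows)


def suspect_userids(per_user, threshold=3):
    """Userids whose failure count reaches the threshold (a constructed cut-off;
    tune it to the site's normal rate of authorization failures)."""
    return sorted(u for u, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    rows, per_user = failed_access_report(SAMPLE_EVENTS, "2024-05-02T12:00:00")
    for user, resource, rclass, when in rows:
        print(f"{user:<8} {rclass:<9} {resource:<24} {when}")
    print("possible brute force:", suspect_userids(per_user))
```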
E4. Configure AT-TLS for a test CICS port. Verify encryption using a network trace tool (CTRACE or Wireshark on the client side). Document the cipher suite negotiated and the certificate chain.
E5. Create a test dataset with z/OS dataset encryption enabled. Verify that:
- An authorized userid can read the data normally
- An unauthorized userid (one without CSFKEYS access) receives an error
- The data on the physical volume is encrypted (use an AMASPZAP dump to verify — for educational purposes only, on test data)