Chapter 31: Quiz – COBOL and the z/OS Security Model
Test your knowledge of RACF, dataset security, program security, CICS/DB2 security, secure coding practices, and compliance with the following 25 questions.
Question 1 (Multiple Choice)
Which of the following is IBM's native security facility for z/OS?
- A) ACF2
- B) Top Secret
- C) RACF
- D) LDAP
Answer
**C) RACF (Resource Access Control Facility)** RACF is IBM's built-in security product for z/OS. It provides user authentication, resource authorization, and security auditing. ACF2 and Top Secret are third-party alternatives from Broadcom (formerly CA Technologies).
Question 2 (True/False)
In RACF, a user with UPDATE access to a dataset can also read that dataset.
Answer
**True.** RACF access levels are hierarchical. UPDATE includes READ access, CONTROL includes UPDATE and READ, and ALTER includes all lower levels. A user with UPDATE can both read and write to the dataset, but cannot delete or rename it.
Question 3 (Multiple Choice)
What is the purpose of the RACF UACC (Universal Access) setting on a dataset profile?
- A) It defines the access level for the dataset owner
- B) It defines the default access level for any user not explicitly listed in the profile's access list
- C) It defines the maximum access level that can be granted
- D) It defines the access level for the security administrator
Answer
**B) It defines the default access level for any user not explicitly listed in the profile's access list.** UACC is the "fall-through" access level. If a user is not in the profile's access list and does not have access through a group connection, the UACC determines their access. For sensitive datasets, UACC should be set to NONE to enforce explicit authorization.
Question 4 (Code Analysis)
Examine the following RACF commands:
```
ADDSD  'BANK.PROD.**' UACC(NONE) AUDIT(ALL(READ))
PERMIT 'BANK.PROD.**' ID(BATCHGRP) ACCESS(UPDATE)
PERMIT 'BANK.PROD.**' ID(AUDITORS) ACCESS(READ)
PERMIT 'BANK.PROD.**' ID(SYSADMIN) ACCESS(ALTER)
```
A user ID JSMITH belongs to the group BATCHGRP. What access does JSMITH have to the dataset BANK.PROD.ACCTMSTR?
- A) NONE
- B) READ
- C) UPDATE
- D) ALTER
Answer
**C) UPDATE** JSMITH is a member of BATCHGRP, which has UPDATE access through the PERMIT command. RACF determines access by checking: (1) the user's explicit access, (2) access through group connections, (3) the UACC. Since JSMITH is in BATCHGRP, which has UPDATE, that is the access level granted. The AUDIT(ALL(READ)) parameter means all accesses at READ level and above will be logged.
Question 5 (True/False)
RACF generic profiles using the ** wildcard match any number of qualifiers in a dataset name, while * matches only a single qualifier.
Answer
**True.** In RACF generic profiles:
- `*` matches a single qualifier (e.g., `BANK.*.DATA` matches `BANK.PROD.DATA` but not `BANK.PROD.ACCT.DATA`)
- `**` matches zero or more qualifiers (e.g., `BANK.**` matches `BANK.PROD.DATA`, `BANK.PROD.ACCT.DATA`, and even `BANK.X`)
This distinction is critical for designing effective dataset security profiles.
Question 6 (Multiple Choice)
In a CICS environment, which RACF resource class is used to control access to CICS transactions?
- A) DATASET
- B) PROGRAM
- C) TCICSTRN
- D) FACILITY
Answer
**C) TCICSTRN** The TCICSTRN class (or its grouping class GCICSTRN) is used to define profiles for CICS transaction IDs. When CICS security is active, RACF checks the user's authorization against the TCICSTRN profile before allowing the user to execute a transaction. This is a critical control point for financial applications.
Question 7 (True/False)
A COBOL program should display the full Social Security Number in error messages to help operators identify the affected customer.
Answer
**False.** Displaying full SSNs (or any Personally Identifiable Information) in error messages violates secure coding practices and regulatory requirements (PCI-DSS, privacy regulations). COBOL programs should mask sensitive data in all output, displaying at most the last 4 digits of an SSN. Error messages should use internal reference numbers (like account IDs) instead of PII.
Question 8 (Code Analysis)
A COBOL program contains the following code:
```cobol
       WORKING-STORAGE SECTION.
       01  WS-SQL-QUERY.
           05  FILLER              PIC X(30)
               VALUE 'SELECT * FROM ACCOUNTS WHERE '.
           05  WS-WHERE-CLAUSE     PIC X(200).
      * Target of the STRING below; it was not declared in the listing.
       01  WS-FULL-QUERY           PIC X(230).
       PROCEDURE DIVISION.
           ACCEPT WS-WHERE-CLAUSE FROM CONSOLE.
           STRING WS-SQL-QUERY DELIMITED BY SIZE
               INTO WS-FULL-QUERY.
           EXEC SQL
               EXECUTE IMMEDIATE :WS-FULL-QUERY
           END-EXEC.
```
What security vulnerability does this code contain?
- A) Buffer overflow
- B) SQL injection
- C) Denial of service
- D) Privilege escalation
Answer
**B) SQL injection** This code accepts a WHERE clause directly from user input and executes it via EXECUTE IMMEDIATE, which is a textbook SQL injection vulnerability. An attacker could enter `1=1; DROP TABLE ACCOUNTS` or any other malicious SQL. COBOL programs should use parameterized SQL with host variables, never dynamic SQL constructed from user input. The secure approach is:
```cobol
           EXEC SQL
               SELECT ACCT_BALANCE
                 INTO :WS-BALANCE
                 FROM ACCOUNTS
                WHERE ACCT_NUMBER = :WS-ACCT-NUM
           END-EXEC.
```
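The RACF dataset-access rules from Questions 2, 4 and 5 (level hierarchy, user-then-group-then-UACC lookup, `*` versus `**`), as an added Python model that is not part of the original quiz and is not RACF code. It assumes only the two wildcards the quiz describes, treats the matching profile with the most literal qualifiers as the most specific one, and uses the highest level among a user's groups; all class and function names are my own.

```python
from dataclasses import dataclass, field

LEVELS = ["NONE", "EXECUTE", "READ", "UPDATE", "CONTROL", "ALTER"]  # Question 2: ascending, each includes the lower ones

def satisfies(granted: str, requested: str) -> bool:
    """True when the granted level is at or above the requested level."""
    return LEVELS.index(granted) >= LEVELS.index(requested)

def profile_matches(profile: str, dataset: str) -> bool:
    """Question 5 rule: '*' is exactly one qualifier, '**' zero or more ('%' not modelled)."""
    def match(pq, dq):
        if not pq:
            return not dq
        head, rest = pq[0], pq[1:]
        if head == "**":                    # try swallowing 0..n qualifiers
            return any(match(rest, dq[k:]) for k in range(len(dq) + 1))
        if not dq:
            return False
        if head == "*" or head == dq[0]:
            return match(rest, dq[1:])
        return False
    return match(profile.split("."), dataset.split("."))

@dataclass
class DatasetProfile:
    name: str                  # profile name as given to ADDSD
    uacc: str = "NONE"         # universal access: the fall-through level
    access_list: dict = field(default_factory=dict)   # ID -> level (PERMIT)

    def permit(self, id_: str, access: str) -> None:
        self.access_list[id_] = access

def best_profile(profiles, dataset):
    """Simplification: the matching profile with the most literal qualifiers wins."""
    matches = [p for p in profiles if profile_matches(p.name, dataset)]
    literal = lambda p: sum(q not in ("*", "**") for q in p.name.split("."))
    return max(matches, key=literal) if matches else None

def resolve_access(profiles, dataset, user, groups):
    """Question 4 lookup order: explicit user entry, then group entries, then UACC.
    Returns 'NONE' if no profile covers the name (SETROPTS PROTECTALL not modelled)."""
    p = best_profile(profiles, dataset)
    if p is None:
        return "NONE"
    if user in p.access_list:              # an explicit user entry wins outright
        return p.access_list[user]
    group_levels = [p.access_list[g] for g in groups if g in p.access_list]
    if group_levels:                       # several groups: take the highest
        return max(group_levels, key=LEVELS.index)
    return p.uacc

def is_allowed(profiles, dataset, user, groups, requested) -> bool:
    return satisfies(resolve_access(profiles, dataset, user, groups), requested)

# The four commands from Question 4, transcribed into the model.
BANK_PROD = DatasetProfile("BANK.PROD.**", uacc="NONE")
BANK_PROD.permit("BATCHGRP", "UPDATE")
BANK_PROD.permit("AUDITORS", "READ")
BANK_PROD.permit("SYSADMIN", "ALTER")
PROFILES = [BANK_PROD]
```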
Question 9 (Multiple Choice)
What type of SMF record does RACF generate for security events?
- A) SMF Type 14
- B) SMF Type 30
- C) SMF Type 80
- D) SMF Type 119
Answer
**C) SMF Type 80** RACF writes SMF Type 80 records to the SMF dataset. These records capture authentication events (logon success/failure), authorization events (resource access granted/denied), and administrative events (profile changes, user ID modifications). SMF Type 80 records are the primary source for security auditing on z/OS.
Question 10 (True/False)
SOX (Sarbanes-Oxley Act) Section 404 requires that developers who write COBOL programs must not have access to promote those programs into production.
Answer
**True.** SOX Section 404 requires segregation of duties as part of internal controls over financial reporting. Developers must not have the ability to move code into production environments. This separation ensures that unauthorized changes cannot bypass the change management process. In practice, this means developers have access to development and test libraries but not to production load libraries, and a separate operations or release management team handles production deployments.
Question 11 (Multiple Choice)
Which of the following RACF commands grants user BATCHUSR READ access to all datasets matching the profile BANK.PROD.**?
- A) `GRANT 'BANK.PROD.**' USER(BATCHUSR) ACCESS(READ)`
- B) `PERMIT 'BANK.PROD.**' ID(BATCHUSR) ACCESS(READ)`
- C) `ALLOW 'BANK.PROD.**' ID(BATCHUSR) LEVEL(READ)`
- D) `AUTHORIZE 'BANK.PROD.**' USER(BATCHUSR) TYPE(READ)`
Answer
**B) `PERMIT 'BANK.PROD.**' ID(BATCHUSR) ACCESS(READ)`** The RACF `PERMIT` command is used to add a user or group to a resource profile's access list. The `ID` operand specifies the user or group, and `ACCESS` specifies the access level. `GRANT` is a DB2 command, not a RACF command.
Question 12 (True/False)
In ACF2, security rules are stored in a hierarchical database structure similar to RACF profiles.
Answer
**False.** ACF2 uses a rule-based security model where access rules are stored in a flat structure, unlike RACF's hierarchical profile database. ACF2 rules are text-based entries that specify who can access what resources with what authority. This flat structure makes ACF2 rules easier to read but can make complex security schemes harder to manage compared to RACF's profile hierarchy.
Question 13 (Code Analysis)
Review the following COBOL error handling code:
```cobol
       READ-ACCOUNT-PARA.
           READ ACCOUNT-MASTER INTO WS-ACCOUNT-REC
               KEY IS WS-ACCT-KEY
               INVALID KEY
                   MOVE 'ACCOUNT NOT FOUND' TO WS-MSG
                   PERFORM WRITE-ERROR-LOG
               NOT INVALID KEY
                   CONTINUE
           END-READ.
       WRITE-ERROR-LOG.
           MOVE WS-ACCT-KEY TO ERR-ACCT-NUM.
           MOVE WS-ACCOUNT-REC TO ERR-DETAIL.
           MOVE FUNCTION CURRENT-DATE TO ERR-TIMESTAMP.
           WRITE ERROR-RECORD FROM WS-ERROR-REC.
```
What security problem exists in the WRITE-ERROR-LOG paragraph?
- A) The timestamp format is incorrect
- B) The error log writes the entire account record (WS-ACCOUNT-REC) which may contain sensitive data like SSN, balance, and personal information
- C) The error log does not include the user ID
- D) Both B and C
Answer
**D) Both B and C** Two security problems exist:
1. **Sensitive data exposure (B):** The code moves the entire `WS-ACCOUNT-REC` to `ERR-DETAIL`, which would include all fields, potentially SSN, account balance, personal address, and other PII. Error logs should contain only the minimum information needed for troubleshooting, with sensitive fields masked or excluded.
2. **Missing user identification (C):** The error log does not capture who triggered the error. For audit purposes, every security-relevant log entry should include the user ID of the person who initiated the action. In CICS, this would come from `EXEC CICS ASSIGN USERID`. In batch, it would be the job submitter's ID.
Question 14 (Multiple Choice)
What does RACF "WARNING mode" do when set on a dataset profile?
- A) Sends a warning message to the security administrator
- B) Allows access but logs a warning instead of denying access, enabling testing of security profiles before enforcement
- C) Warns users that the dataset is about to be deleted
- D) Prevents any access and displays a warning message
Answer
**B) Allows access but logs a warning instead of denying access, enabling testing of security profiles before enforcement.** WARNING mode is used to test new or modified security profiles without impacting production. When WARNING is active, users who would normally be denied access are allowed in, but a warning message is logged. This allows security administrators to verify that the profile is correct before activating enforcement. WARNING mode should never be left on permanently for production profiles.
Question 15 (True/False)
PCI-DSS requires that credit card CVV/CVC values must never be stored after transaction authorization, even in encrypted form.
Answer
**True.** PCI-DSS Requirement 3.2.2 explicitly prohibits storing the card verification value (CVV/CVC) after authorization, regardless of encryption. This means COBOL programs must ensure that any working storage fields containing CVV data are cleared immediately after the authorization call completes, and CVV must never be written to any dataset, log, or database.
Question 16 (Multiple Choice)
In a Top Secret security model, what is the fundamental principle of access control?
- A) All access is allowed unless explicitly denied
- B) All access is denied unless explicitly granted
- C) Access is determined by the dataset owner only
- D) Access is inherited from the user's manager
Answer
**B) All access is denied unless explicitly granted.** Top Secret uses a "top-down" or "closed" security model where access is denied by default. Permissions must be explicitly granted through the security hierarchy. This contrasts with some implementations of RACF where a UACC setting could provide default access. Top Secret's approach is considered more inherently secure because omitting a permission results in denial rather than access.
Question 17 (Code Analysis)
A security auditor reviews the following JCL:
```jcl
//PRODUPD  JOB (ACCT),'PRODUCTION UPDATE',
//         CLASS=A,MSGCLASS=X,
//         USER=PRODUSER,PASSWORD=BANKING1
//STEP1    EXEC PGM=ACCTUPD
//MASTER   DD DSN=BANK.PROD.ACCTMSTR,DISP=SHR
```
Identify the security violation in this JCL.
- A) The job class is incorrect
- B) The password is coded in clear text in the JCL, which will be visible in the JES spool and JCL listings
- C) The DISP parameter should be OLD, not SHR
- D) The program name is too short
Answer
**B) The password is coded in clear text in the JCL, which will be visible in the JES spool and JCL listings.** Hardcoding passwords in JCL is a severe security violation. The password `BANKING1` will appear in:
- The JCL listing in the job output
- JES spool datasets
- SMF records
- Any JCL archival systems
Passwords should never appear in JCL. Instead, use RACF surrogate submission authority (allowing one user ID to submit jobs for another), PassTickets (one-time generated tokens), or RACF's OIDCARD facility. The `PASSWORD` parameter on the JOB statement should not be used in modern z/OS environments.
Question 18 (True/False)
RACF's SETROPTS AUDIT setting controls system-wide auditing defaults, but individual dataset profile AUDIT settings can override the system default.
Answer
**True.** SETROPTS provides system-wide security options including default audit settings. However, individual resource profiles can have their own AUDIT settings that override the system default. For example, even if system-wide auditing is set to log only failures, a specific dataset profile can be set to `AUDIT(ALL(READ))` to log every access. This allows fine-grained audit control for sensitive resources.
Question 19 (Multiple Choice)
Which COBOL statement should be used to obtain the current CICS user ID for security logging purposes?
- A) `ACCEPT WS-USERID FROM ENVIRONMENT`
- B) `EXEC CICS ASSIGN USERID(WS-USERID) END-EXEC`
- C) `MOVE CURRENT-USER TO WS-USERID`
- D) `CALL 'GETUID' USING WS-USERID`
Answer
**B) `EXEC CICS ASSIGN USERID(WS-USERID) END-EXEC`** In a CICS environment, the `EXEC CICS ASSIGN USERID` command retrieves the 8-character user ID of the currently signed-on CICS user. This is the authenticated identity established through CICS sign-on and verified by RACF. This user ID should be included in all audit log entries for financial transactions.
Question 20 (Code Analysis)
A COBOL programmer writes the following data masking routine:
```cobol
       MASK-SSN-PARA.
           MOVE WS-CUSTOMER-SSN TO WS-MASKED-SSN.
           MOVE '***-**-' TO WS-MASKED-SSN(1:7).
       MASK-ACCOUNT-PARA.
           MOVE WS-ACCT-NUMBER TO WS-MASKED-ACCT.
           MOVE '********' TO WS-MASKED-ACCT(1:8).
```
These routines mask an SSN as ***-**-1234 and an account number as ********5678. Are these masking implementations adequate for PCI-DSS compliance?
- A) Yes, both are adequately masked
- B) The SSN masking is adequate, but account numbers under PCI-DSS must show at most the first 6 and last 4 digits
- C) The SSN masking is adequate, but the original unmasked values remain in WS-CUSTOMER-SSN and WS-ACCT-NUMBER, which is a data leakage risk
- D) Neither is adequate because masking should use encryption, not character replacement
Answer
**C) The SSN masking is adequate, but the original unmasked values remain in WS-CUSTOMER-SSN and WS-ACCT-NUMBER, which is a data leakage risk.** While the masking logic for display purposes is reasonable, the original unmasked values remain in the source fields (`WS-CUSTOMER-SSN` and `WS-ACCT-NUMBER`). If a memory dump occurs, these values would be visible. A more secure approach would clear the original fields after masking:
```cobol
       MASK-SSN-PARA.
           MOVE WS-CUSTOMER-SSN(8:4) TO WS-LAST-FOUR.
           STRING '***-**-' WS-LAST-FOUR
               DELIMITED BY SIZE
               INTO WS-MASKED-SSN.
           MOVE SPACES TO WS-CUSTOMER-SSN.
```
Additionally, PCI-DSS allows displaying at most the first 6 and last 4 digits of a PAN (Primary Account Number), so the masking pattern depends on the specific data type.
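The mask-then-clear fix from Question 20, as an added Python illustration that is not the quiz's COBOL: a `bytearray` stands in for a COBOL PIC X working-storage field so the overwrite step can be shown, the PAN rule follows the "at most the first 6 and last 4 digits" statement above, and every function name here is my own.

```python
import re

def cobol_field(value: str, length: int) -> bytearray:
    """Constructed stand-in for a COBOL PIC X(length) item: fixed width,
    space padded, and mutable in place like working storage."""
    data = value.encode("ascii")
    if len(data) > length:
        raise ValueError("value does not fit the field")
    return bytearray(data.ljust(length, b" "))

def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits, the quiz's ***-**-1234 form."""
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("an SSN has nine digits")
    return "***-**-" + digits[-4:]

def mask_pan(pan: str, show_bin: bool = False) -> str:
    """Display form of a PAN: at most the first six and last four digits in
    the clear; show_bin=False keeps only the last four, which is also allowed."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN length out of range")
    head = digits[:6] if show_bin else ""
    return head + "*" * (len(digits) - len(head) - 4) + digits[-4:]

def mask_and_clear(source: bytearray, masker) -> str:
    """Mirror of the corrected MASK-SSN-PARA: derive the masked value, then
    overwrite the source field with spaces (the MOVE SPACES step) so the
    clear value no longer sits in storage for a dump to expose."""
    masked = masker(source.decode("ascii").rstrip())
    source[:] = b" " * len(source)        # in place, keeps the PIC X length
    return masked

def is_cleared(source: bytearray) -> bool:
    """True when the field holds nothing but spaces."""
    return source.strip(b" ") == b""
```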
Question 21 (True/False)
DB2 GRANT statements and RACF PERMIT commands are interchangeable — you only need one or the other to secure DB2 resources.
Answer
**False.** DB2 has its own internal authorization system (GRANT/REVOKE) AND can use RACF for external security checking. They are not interchangeable; they are complementary layers. When both are active, a user must be authorized by BOTH DB2 internal security and RACF. Best practice in most shops is to use RACF for plan and package authorization (who can execute what) and DB2 GRANT for table-level privileges (who can SELECT, INSERT, UPDATE, DELETE from which tables). The specific approach depends on the shop's security architecture.
Question 22 (Multiple Choice)
A bank must ensure that changes to COBOL programs affecting financial calculations are reviewed by two separate individuals before production deployment. Which security concept does this implement?
- A) Defense in depth
- B) Least privilege
- C) Segregation of duties / dual control
- D) Need to know
Answer
**C) Segregation of duties / dual control** This is a segregation of duties control where no single individual can make and deploy a change to a financial system without independent review. In practice, this means: the developer writes the code, a peer reviews it, a separate team tests it, and yet another team deploys it. This is a key SOX Section 404 requirement for financial applications.
Question 23 (Code Analysis)
Review the following COBOL paragraph that handles a fund transfer:
```cobol
       PROCESS-TRANSFER.
           SUBTRACT WS-TRANSFER-AMT FROM WS-FROM-BALANCE.
           ADD WS-TRANSFER-AMT TO WS-TO-BALANCE.
           REWRITE FROM-ACCOUNT-REC.
           REWRITE TO-ACCOUNT-REC.
           PERFORM WRITE-AUDIT-TRAIL.
```
From a security and integrity perspective, what critical control is missing?
- A) Input validation of the transfer amount
- B) Authorization check to verify the user is permitted to perform transfers
- C) Transaction boundaries (COMMIT/ROLLBACK) to ensure atomicity — if the second REWRITE fails, the first should be rolled back
- D) All of the above
Answer
**D) All of the above** Three critical controls are missing:
1. **Input validation**: The transfer amount should be validated (positive, within limits, not exceeding available balance) before processing.
2. **Authorization check**: The program should verify that the current user has authority to perform fund transfers and that the transfer amount is within their authorized limit.
3. **Transaction atomicity**: If the second REWRITE fails after the first succeeds, the accounts will be out of balance: money has been deducted from one account but not added to the other. DB2 provides COMMIT/ROLLBACK for this purpose. For VSAM, the program must implement compensating logic or use CICS recoverable file support.
Additionally, the audit trail write should occur within the same transaction boundary to ensure it is committed or rolled back with the financial updates.
Question 24 (True/False)
RACF PassTickets provide a one-time-use, time-limited authentication token that can replace passwords in JCL, eliminating the need to store or transmit actual passwords.
Answer
**True.** RACF PassTickets are dynamically generated, one-time-use authentication tokens that are valid for a limited time window (typically 10 minutes). They are generated using a shared secret (application key) known to both the generating system and RACF. PassTickets are used extensively for: batch job submission (replacing hardcoded passwords in JCL), inter-system communication, and automated scheduling systems. They eliminate the security risk of passwords appearing in JCL, spool output, or audit logs.
Question 25 (Multiple Choice)
Which of the following is the most complete set of audit information that a COBOL financial transaction should log?
- A) Transaction type, amount, timestamp
- B) User ID, transaction type, amount, timestamp, source and destination accounts
- C) User ID, terminal ID, transaction type, amount, timestamp, source and destination accounts, before and after balances, transaction outcome (success/failure), and a unique audit sequence number
- D) Transaction type and outcome only