Netstat access control

You can control access to Netstat command output from the TSO or UNIX System Services shell environments using the System Authorization Facility (SAF). There are no new TCP definitions required. The Netstat command output is considered the resource to be protected, and you protect it by defining EZB.NETSTAT.sysname.tcpname.netstat_option resource profiles in the SERVAUTH class. A user ID has access to the Netstat output for a particular option if a security profile is defined in the SERVAUTH class for that option, and that user ID has READ access to the associated resource. Access is also given if there is no resource profile defined for a resource.

Guideline: Some security products do not distinguish between a resource profile that is not defined and a user that is not permitted to that resource profile. If your product does not make this distinction, you must define the Netstat resource profiles and permit users to them whenever the SERVAUTH class is active.

An installation can implement a security policy that indicates which users have authorization to selected Netstat options. The level of granularity for this security policy can be either by individual or all Netstat options.

Even though the Netstat RESCache/-q command returns system-wide resolver cache data, at least one TCP/IP stack must be active to ensure that the correct Netstat access controls are enforced for the command. The same EZB.NETSTAT.sysname.tcpname.netstat_option naming convention applies to this Netstat command as it does for any other Netstat command.