2.6 Protecting sensitive network commands

This section discusses the ways to control the use of the TCP/IP system administration commands. These commands are categorized by where they originate.

From the z/OS console, you can use the DISPLAY and VARY commands for the TCP/IP address spaces. The VARY TCPIP command can be used to stop and start TCP/IP interfaces, reload configuration parameters, start and stop traces, drop TCP connections, and quiesce the TN3270 server. This command is powerful and should be authorized only for operators or system administrators.

From TSO, there is the NETSTAT command, and from the UNIX shell there is the onetstat command. Both of these commands are used primarily to display information about the local TCP/IP environment. You might want to restrict these commands so that people are unable to obtain information about your TCP/IP configuration, perhaps in preparation for an attack.

From the z/OS console (or from TSO and IBM NetView®), you can use the EZACMD System REXX command to issue selected z/OS Communications Server UNIX shell commands: ipsec, nssctl, pasearch, ping, and trmdstat. You might want to restrict access to issuing some or all of these UNIX shell commands.

2.6.1 z/OS VARY TCPIP command security