Hey, didn't we talk about this stuff a few weeks ago on the phone?

Anyway, we have a unix/linux product in lieu of sudo (on every place but
zLinux at the moment due to vendor support, but that is changing real
soon now) that keystroke-logs (to a remote server) everything one does
while running as root, because, like Alan said, you can do things like
turn off audit and destroy logs, or change the root pw, grant someone
else, etc.

While logonby is great and we use it all the time with byonly userids
and never ever share a password on VM, we still really can't tell those
who care about SOX what someone did when they logged into MAINT or
VMSECURE or RACFVM if he's your guy.   You can't even use last changed
date on minidisks, because, well there is DDR!  z/VM doesn't really have
anything in place to protect you from your sysprog (or at least read
about it after the fact), unlike the other o/s's that at least give the
illusion that they can.

Marcy Cortes 

"This message may contain confidential and/or privileged information. If
you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based on
this message or any information herein. If you have received this
message in error, please advise the sender immediately by reply e-mail
and delete this message. Thank you for your cooperation."


-----Original Message-----
From: Linux on 390 Port [mailto:[EMAIL PROTECTED] On Behalf Of
Alan Altmark
Sent: Tuesday, April 15, 2008 10:39 AM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: [LINUX-390] recover root password

Bob Nix wrote:
> Anyone sticking to the "I have to have root!" model of system 
> administration is leaving themselves open to a huge awakening as 
> Sarbanes-Oxley and other regulations overtake us. While we aren't 
> required by law to conform to Sarbanes-Oxley, we've chosen to bring 
> ourselves as close as we possibly can.

They are also living in the Dark Ages.

> One of the requirements is that what is done to your systems is done
> with accountability. To be completely compliant, everything done by /
> with root will need to be logged, showing what was done, and by whom.
> Can you do that now, with two or more people logging into root? Can you
> do it with even one person logging into root? Not on any distribution I
> know today. So you aren't compliant, and will be pinged on your audit,
> and if you're required to be S-O compliant, you're leaving your company
> open to legal action.

It is heartwarming, after a fashion, to see this discussion.  I forget:
When did we introduce LOGON BY to z/VM?  The requirement for
accountability is not driven by law, but by Good Business Practices,
with an eye towards long-term survival.  (The fact that we had to have
laws to tell people that they must use Good Business Practices speaks
volumes about our society and its [lack of] values.  :-(  )

One of the reasons the mainframes have endured for so long is because, I
believe, its purchasers' continued adherence to rigid change control
practices.   "Time is money.  So if you screw up a change, you cost us
money."  This was all before S-O & Co.

Give someone root authority, but make them say "Give me root authority.
Here are my credentials.  If you'll check your e-clipboard, you'll see
that I'm On The List."  (Of course, not REALLY root authority.  E.g. no
ability to grant root to someone else or to turn off security
subsystems, auditing, etc.  "Dinosaurs can cause serious injury or
death" is not the only message to take from the movie Jurassic Park.)

If I was working as a sysadmin, the number of admins was > 1 and all I
had was "root", I'd be screaming from the rafters.  Like my company, I
want protection from the actions of others ("plausible deniability").
Don't give me root's password - I don't want to know it.

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send
email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or
visit http://www.marist.edu/htbin/wlvindex?LINUX-390
