I just noticed this information message in TSM server 5.1.6.1: ANR1639I. This seems to be an indication that a nodes IP address has changed. Look at the last three fields in a q node xxxx f=d. This message could then be sent to your monitoring software or you could run a daily script against the actlog table to search for it, then you have a list of any client connections that could be possible security breaches. I haven't tested this, just noticed it this second, but it looks like a nice feature.
Date: Mar 17, 11:56 From: Paul Zarnowski <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>> Dwight, What you say is true, but.... If an admin changes the node's password, they have left tracks. They cannot change the password back to what it was, unless they knew what it was to start with. The next time the client goes to use TSM, they will be aware that their password was changed. I was amazed to find out that admins could do this without leaving tracks. This is somewhat disconcerting. ..Paul At 09:03 AM 3/12/2003 -0800, Cook, Dwight E wrote: >Well, since a "system privileged admin id" could change the node's password >and then connect without using their admin id & password (use the one they >just set it to) I can see why the straight use of their id & password would >be allowed. > >Just another reason why management should pay their TSM admin's well ;-) > >Dwight > > > >-----Original Message----- >From: Gerhard Rentschler [mailto:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>] >Sent: Wednesday, March 12, 2003 10:01 AM >To: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >Subject: Client login with admin id and password > > >Hello, >I always thought that a tsm admin does not have access to client data. I >think I learned something new. >Calling dsmc or dsm with -node=tarzan and specifying a valid admin id and >password (system privilege) gives access to node tarzan's data. At least it >is possible to list the files. I haven't tried to restore data. This is >indeed documented. However, I would prefer if there were a message in the >activity log saying that admin id was used. >Am I wrong? Could someone explain this feature in more detail? > >Best regards >Gerhard >--- >Gerhard Rentschler email:[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> >Regional Computing Center tel. ++49/711/685 5806 >University of Stuttgart fax: ++49/711/682357 >Allmandring 30a >D 70550 >Stuttgart >Germany -- Paul Zarnowski Ph: 607-255-4757 719 Rhodes Hall, Cornell University Fx: 607-255-8521 Ithaca, NY 14853-3801 Em: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> Any e-mail message from the European Central Bank (ECB) is sent in good faith but shall neither be binding nor construed as constituting a commitment by the ECB except where provided for in a written agreement. This e-mail is intended only for the use of the recipient(s) named above. Any unauthorised disclosure, use or dissemination, either in whole or in part, is prohibited. If you have received this e-mail in error, please notify the sender immediately via e-mail and delete this e-mail from your system.
