-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf Of Alan Altmark
Sent: Friday, February 26, 2010 12:33 AM
To: [email protected]
Subject: Re: Crazed idea: SDSF for z/Linux

On Thu, 25 Feb 2010 11:59:41 -0500, Thompson, Steve <[email protected]> wrote:

>Yes this raises security issues. But you have physical access in this
>case. If these things are only given to the root or a special user w/in
>the *nix environment, you have addressed much of the security issues.
>
>If you are running under VM, and VM is giving you access to the physical
>addresses, then the security is controlled by VM.

Not. The problem is that the z/OS audit trail will not contain any record that user STEVE accessed the spool and z/OS access rules will not be applied to the datasets on the volume.

<SNIP>

I think we are talking about two different issues.

In a D/R situation, where you have killed your running system, and somehow your 1 pack emergency system won't IPL (since it takes at least 2 volumes for SYSRES now), you can fix things if you have a standalone system. [OR, you are at the D/R site and need to make some change to get the system to IPL...]

I have used such a system that is booted from the HMC's CD unit. And the editor that I used was a royal pain, because it had to write back to the block it read from. If you have more of a system to do that kind of work with, then recovering a wrecked JES2PARM or PARMLIB element/member becomes much easier. And in this case of the standalone editor, there were no directory entry updates made, no SMF data, etc. etc.

-- Aside: do I need to get into spool at this point? I dunno, I guess it would depend on if there was something there that would tell me what I need to know to fix this system so it can IPL --

Now, if you were to do this with a running system ("z/Linux" for instance), I'd think that the auditors and security people should be able to use piano wire or whatever. But again if running under VM, VM has the ability to prevent your access to the target volumes by reason of IEF, does it not? This is what gives the last line of defense, such that it is.

Regards,
Steve Thompson

-- Opinions expressed by this poster may not reflect poster's employer's opinions --

