I made the original comment about the auditor and SVC. At the time the discussion sparked a memory of an SVC that was specifically used to gain authorization and circumvent security (quite a while ago) that I had encountered. It was a great trick and pretty useful and very dangerous at the same time (it had absolutely no controls on it).
I am very aware that there are all sorts of cool things that can be done and that SVCs are a bit "yesterday's news". I think that Auditors should be working with the Systems Programmers and Security folks to achieve better controls and review what utilities are available on the system and "scope" the usage. However, usually the relationship with the Auditors is combative and full of suspicion. Instead the combative/suspicious relationship leads to trying to give only the minimum and thus forcing the Auditor to have to either "know the right questions" or just rubber stamp it out of ignorance.

Of course the System Programmer should be just as concerned if not more so about such things. After all they are the ones that will be "holding the bag of responsibility" when a known hole or utility is used to the detriment of the system.

There are a lot of very smart people out there and security is always a problem. The only truly secure system is one that sits in a corner unplugged... not very useful.. but at least secure until someone shows up with a truck.

It seems putting people to work together and achieving more layered (as in an Onion and not a Parfait .. yes.. I know a Shrek reference) and resilient security/integrity would be a more desirable goal. More of a consistent model of incremental improvement being driven from multiple areas. Even after an auditor comes and goes.. it is those responsible for the various areas that have to live with which is usually trying to strike some balance between control and productivity.

--
Rob Schramm
Senior Systems Engineer
w: 513.305.6224

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

