On Mon, 25 Feb 2008 13:08:53 -0600, Dave Kopischke
<[EMAIL PROTECTED]> wrote:

>On Sat, 23 Feb 2008 10:07:24 -0600, Walt Farrell wrote:
>
>>One could argue that letting you determine your access to resources without
>>actually trying to use them (and thus without causing audit records) is a
>>form of hacking.  You're looking around trying to figure out what you can
>>do, rather than simply doing your job.
>>
>
>We have a JCL checker application that verifies dataset access for a JOB.
>Through routine use of this product, we end up with thousands of access
>warnings on our daily RACF reports. This is not a hacking attempt. If there
>were hacking attempts occurring, it would be tough to see them through the
>noise though.
>
>I'm going to try to see if I can have this product changed to use a non-logged
>access check.

That makes sense.  Perhaps what you need, though, is a method allowing your
application developers to run the JCL checking procedure against the proper
user ID.  You could let them put the JCL into a library with a known name,
for example, and then have them run a program that either:
(a) issued a command to run an STC to do the check, with the STC running
under a more appropriate user ID; or
(b) switched identity to the proper production ID and then submitted the JCL
Check job.


-- 
  Walt Farrell, CISSP
  IBM STSM, z/OS Security Design

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
