On Thu, 16 Aug 2012 10:58:42 -0500, Elardus Engelbrecht wrote:

>Karl Severson wrote:
>
>>We have to have our systems waivered for one reason: no anti virus software
>>on VM.
>
>Just ask these auditors this one question: 'Are there ANY vendors for
>antivirus software for these platforms: z/VM and z/OS?' (I'm not speaking
>about Linux under z/VM and such software inside Linux.)
>

"No vendors" should not be grounds for a waiver, no more than certain foreign automobiles for which equipment required by EPA or USDOT is unavailable should therefore be granted waivers. (But STS got lots of waivers on basis of need.)

"No one writes viruses for VM," (you snipped) should not be grounds for a waiver, as long as they might. (Remember the Christmas Card Trojan.)

"The architecture of the system makes AV software unnecessary" should be ground not for a waiver but for intelligent revision of the requirement. (Yes, RACF should count.) Even as intelligent design of requirements does not mandate emergency oxygen systems in automobiles.

>>Clearly there has to come a time when each platform (Windows, Linux, zVM,
>>etc.) is judged on its own merits but that will probably be too much work and
>>will never happen.
>
>Agreed. In a galaxy far far away, gazillion years ago, some auditors wanted me
>(and my network guys) to ensure that all platforms (Novell LAN, Microsoft LAN,
>OS/390, Windows 98, NT and XP) must have ONE shared grouping of employees,
>accesses, logon restrictions, userid standard and password standard policy...
>
>For example: group X must have Z accesses on certain grouping of 'directory /
>folders' [1] on all these platforms including OS/390!
>

z/OS Unix System Services (USS) creates a pretty good wormhole between those galaxies. LDAP client support is questionable, notwithstanding Timothy S's protestations -- I'll believe it when someone cites an example in production in enterprise. But an ISV has said on this list that they provide a solution. The 7-character restriction remains an obstacle to z/OS (but not to VM). That's got to be addressed. (Of course it can; SMOP.)

>I gave up... (and these auditors soon gave up too... ;-D )
>

An armistice if not a truce.

-- gil
