What we do is run REPORT ERRSYSMODS ZONES(DSNTARG) NOPUNCH report and look for secint ptf an and then run apply check only for them. Performance and availability is important, but not for helping hackers
*| **Itschak Mugzach | Director | SecuriTeam Software **|** IronSphere Platform* *|* *Information Security Continuous Monitoring for Z/OS, zLinux and IBM I **| * *|* *Email**: [email protected] **|* *Mob**: +972 522 986404 **|* *Skype**: ItschakMugzach **|* *Web**: www.Securiteam.co.il **|* בתאריך יום ג׳, 10 בדצמ׳ 2024 ב-20:35 מאת Jousma, David < [email protected]>: > Kurt….I was hoping you would speak up, thanks for confirming that there is > no reporting method for what they want. Its Audit. Because we apply > maintenance twice per year, the ERRSYSMODS report is pretty lengthy after 6 > months. > > He wants to pin me down on 1) not applying knowingly defective maintenance > with some exceptions, 2) applying SECINT assigned PTF’s within 90 days. > They will likely get access to ResourceLink Security portal, and download > the enhanced CVSS file, and use that as the standard that we have to meet. > I’ll spend uncounted hours of time cross-referencing the APAR’s to PTF’s > then telling them if they are on or not. > > Well #2 wont happen, we cannot roll maintenance that quickly through our > complex without sacrificing stability in the environment. > > Dave Jousma > Vice President | Director, Technology Engineering > > > > > > From: IBM Mainframe Discussion List <[email protected]> on behalf > of Kurt Quackenbush <[email protected]> > Date: Tuesday, December 10, 2024 at 1:22 PM > To: [email protected] <[email protected]> > Subject: Re: SMPE and auditors > > > > > Well, what he was wanting to see was all the listings to see that there > were no BYPASS HOLD ERROR specified. > > > > You can't get this kind of info from the CSI, so they'd have to review the > SMPLOGs or APPLY output listings. But it sure seems like an odd request to > me. Why not check the results of the REPORT ERRSYSMODS command to see all > currently unresolved PEs, HIPERs, and SECINTs instead, rather than look for > the rare occasion you might have specified BYPASS(HOLDERR) in the past? > Even if you did indeed BYPASS an ERROR HOLD previously, as long as you've > subsequently applied the fix then I wouldn't think it should matter that > you used BYPASS(HOLDERR). Just my opinion. > > > > Kurt Quackenbush > > IBM | z/OS SMP/E and z/OSMF Software Management | [email protected] > > > > Chuck Norris never uses CHECK when he applies PTFs. > > > > ---------------------------------------------------------------------- > > For IBM-MAIN subscribe / signoff / archive access instructions, > > send email to [email protected] with the message: INFO IBM-MAIN > > > This e-mail transmission contains information that is confidential and may > be privileged. It is intended only for the addressee(s) named above. If > you receive this e-mail in error, please do not read, copy or disseminate > it in any manner. If you are not the intended recipient, any disclosure, > copying, distribution or use of the contents of this information is > prohibited. Please reply to the message immediately by informing the sender > that the message was misdirected. After replying, please erase it from your > computer system. Your assistance in correcting this error is appreciated. > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to [email protected] with the message: INFO IBM-MAIN > ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
