I just discovered that JZOS can now write Java statistics to SMF - nice!
But... it looks like it requires users to have access to BPX.SMF to
write the record - not so nice. If I understand correctly, access means
you can write any type of record with any sort of garbage to SMF - not
what you need for an audit trail.

I think Co:Z SFTP also creates SMF records that require everyone to have
access to BPX.SMF. BPX.SMF is supposed to be for server address space
userids, but it seems like it is being used as a shortcut to bypass
designing a proper way of cutting SMF records. I don't think that this
is a good thing. It is even worse that it is IBM shipping features
(JZOS) that encourage you to disable the security. (They don't tell you
to do it, but if it doesn't work if you don't...)

Maybe what is required is an official interface for untrusted tasks to
write data to SMF?

Something along the lines of:
* A single SMF record type for all untrusted data
* The interface adds a header that identifies the user & job that wrote
  the record, plus some sort of key to identify the user record type
* RACF control over who can write records with specific keys - even
  better if you can control which programs can write the records
* User data supplied is appended after the system-generated header

On the Java side, it would be nice if Java statistics were added to the
type 30 records. I assume the JVM already has various functions that
require authorization, so it shouldn't be too much of a stretch to keep
the statistics somewhere that they could be included in the type 30.
Much better than writing them from userland in JZOS.

Andrew Rowley
--
Andrew Rowley
Black Hill Software
+61 413 302 386
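
Added example (not part of the original post, and not an IBM, JZOS or Co:Z interface): a small Python model of the interface proposed in the message above, showing that the writer controls only the key and the payload while the record type and the user/job header are fixed by the interface. All names, the record type value 200, the header layout and the permission table standing in for the RACF check are assumptions made for illustration.

```python
import struct
import time
from collections import namedtuple

# Hypothetical model of the proposed interface; none of these names exist on z/OS.
UNTRUSTED_TYPE = 200                    # constructed value: the one type for untrusted data
HEADER = struct.Struct(">BQ8s8s8sH")    # type, time, user, job, key, data length
MAX_DATA = 0xFFFF

# Stand-in for the RACF check: record key -> user IDs permitted to write it.
KEY_PERMITS = {"JAVASTAT": {"JVMUSER"}, "SFTPLOG": {"SFTPUSR"}}

# Identity comes from the system's view of the caller, never from caller input.
Caller = namedtuple("Caller", "user job")


class NotAuthorized(Exception):
    pass


def pad(name):
    return name.encode("ascii").ljust(8)[:8]


def write_untrusted(caller, key, data, now=None):
    """Build the record the interface would cut: system header + user data."""
    if caller.user not in KEY_PERMITS.get(key, ()):
        raise NotAuthorized(f"{caller.user} may not write key {key}")
    if len(data) > MAX_DATA:
        raise ValueError("user data too long")
    stamp = int(time.time() if now is None else now)
    header = HEADER.pack(UNTRUSTED_TYPE, stamp, pad(caller.user),
                         pad(caller.job), pad(key), len(data))
    return header + bytes(data)         # user data only ever follows the header


def parse_untrusted(record):
    """Reader side: trust the header fields, treat the rest as opaque."""
    rtype, stamp, user, job, key, length = HEADER.unpack_from(record)
    data = record[HEADER.size:HEADER.size + length]
    if rtype != UNTRUSTED_TYPE or len(data) != length:
        raise ValueError("not a well-formed untrusted record")
    return {"type": rtype, "time": stamp, "user": user.decode().strip(),
            "job": job.decode().strip(), "key": key.decode().strip(), "data": data}
```

A payload that is itself shaped like another user's record still parses as opaque data attributed to the real writer, which is the property an audit trail needs.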