JZOS is just a thin JNI wrapper over the C/C++ runtime __smf_record() function https://www.ibm.com/support/knowledgecenter/SSLTBW_1.13.0/com.ibm.zos.r13.bpxbd00/rsmfre.htm. The same rules apply.

On 31/05/2016 9:16 AM, Andrew Rowley wrote:
I just discovered that JZOS can now write Java statistics to SMF - nice!

But... it looks like it requires users to have access to BPX.SMF to write the record - not so nice. If I understand correctly, access means you can write any type of record with any sort of garbage to SMF - not what you need for an audit trail.

I think Co:Z SFTP also creates SMF records that require everyone to have access to BPX.SMF. BPX.SMF is supposed to be for server address space userids, but it seems like it is being used as a shortcut to bypass designing a proper way of cutting SMF records. I don't think that this is a good thing. It is even worse that it is IBM shipping features (JZOS) that encourage you to disable the security. (They don't tell you to do it, but if it doesn't work if you don't...)

Maybe what is required is an official interface for untrusted tasks to write data to SMF?

Something along the lines of:

* A single SMF record type for all untrusted data

* The interface adds a header that identifies the user & job that wrote the record, plus some sort of key to identify the user record type

* RACF control over who can write records with specific keys - even better if you can control which programs can write the records

* User data supplied is appended after the system generated header

On the Java side, it would be nice if Java statistics were added to the type 30 records. I assume the JVM already has various functions that require authorization, so it shouldn't be too much of a stretch to keep the statistics somewhere that they could be included in the type 30. Much better than writing them from userland in JZOS.

Andrew Rowley
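The interface sketched in the list above, modelled in Python as an added example (not code from the thread, JZOS or Co:Z). The record type 200, the (userid, key) allow-list standing in for a RACF profile, the fixed header layout and the ASCII fields are all assumptions for illustration.

```python
import struct
import time

# Hypothetical record type reserved for all untrusted data (assumption).
UNTRUSTED_RECORD_TYPE = 200

# Hypothetical allow-list standing in for RACF profiles: which userid may
# write records carrying which key (assumption, constructed for the example).
KEY_ACCESS = {("JAVAUSR", "JZOSSTAT"), ("COZUSR", "COZSFTP")}

# Header: type, time, userid, jobname, key, payload length (assumed layout).
HEADER_FMT = ">H I 8s 8s 8s I"
HEADER_LEN = struct.calcsize(HEADER_FMT)


class AccessDenied(PermissionError):
    pass


def _field(value, width):
    """Fixed-width, blank-padded text field (ASCII here; SMF uses EBCDIC)."""
    return value.upper().ljust(width)[:width].encode("ascii")


def write_untrusted_record(user, job, key, data, sink, now=None):
    """Trusted side of the interface: the caller chooses only key and payload.
    Record type, timestamp, userid and jobname are stamped here, so a caller
    cannot claim another identity or another record type."""
    if (user, key) not in KEY_ACCESS:
        raise AccessDenied(f"{user} is not permitted to write key {key}")
    stamp = int(time.time()) if now is None else int(now)
    header = struct.pack(HEADER_FMT, UNTRUSTED_RECORD_TYPE, stamp,
                         _field(user, 8), _field(job, 8), _field(key, 8),
                         len(data))
    record = header + bytes(data)   # user data follows the system header
    sink.append(record)
    return record


def parse_record(record):
    """Split a record into its system-generated header and the user payload.
    Because the header is fixed-length, payload bytes can never be read as
    header fields by a consumer."""
    rtype, stamp, user, job, key, length = struct.unpack(
        HEADER_FMT, record[:HEADER_LEN])
    return {"type": rtype, "time": stamp,
            "user": user.decode().strip(), "job": job.decode().strip(),
            "key": key.decode().strip(),
            "data": record[HEADER_LEN:HEADER_LEN + length]}
```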


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
