Peter Relson wrote:

>As Rob Scott pointed out, the information displayed is available to any
>program. There is no system integrity issue with displaying any of this
>information. Changing that data to be fetch protected (which is the only way
>to protect it) would be unacceptably incompatible and would break existing
>tooling.

>If a customer does not have their APF or PARMLIB or LNKLST or LPA libraries
>properly protected, that is a different matter entirely, and is one of the
>reasons why there is a RACF health check related to APF. Restricting DISASM
>would not gain anything practical, since it is already only displaying data
>that the user is permitted to access; restricting it would just cost an
>interested party a little bit of extra time.

>The information itself cannot be "exploited". Customer security gaps can be
>exploited.

Ok. I will retract what I said earlier in this thread. I was thinking about the line, "if it can be protected in one product, it should be also protected in ISRDDN", but then I see you can obtain it in other ways and this info cannot be 'exploited'.

>Security by obscurity (which is what you'd get to a small extent if what was
>asked for was implemented) is often only a little better than nothing.

This has been discussed many times in IBM-MAIN and RACF-L and probably in other lists too.

>I'm quite sure that the request will be declined.

I now also think it will be declined. Sorry to the OP, but I think you should show the auditors these replies...

Many thanks Peter for your kind reply.

Groete / Greetings
Elardus Engelbrecht
