I think security auditors should be happy, provided they have done their homework. CSA was wide open to everybody since the beginning, the option to close the gate (userkeycsa(no)) is available for a decade already and now the gate can be controlled in detail.
Kees. > -----Original Message----- > From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On > Behalf Of Paul Gilmartin > Sent: 09 September, 2019 21:21 > To: IBM-MAIN@LISTSERV.UA.EDU > Subject: Re: APAR OA56180 / RUCSA > > On Mon, 9 Sep 2019 13:19:40 -0400, Tom Conley wrote: > > >On 9/9/2019 1:04 PM, Mark Zelden wrote: > >> On Mon, 9 Sep 2019 07:55:29 -0500, Peter Fatzinger wrote: > >> > >>> The 1M increment for RUCSA storage was not chosen haphazardly. We > understand the scarcity of below-the-line memory, but in order to provide > the isolation needed to adequately protect the area we couldn't use any > increment smaller than 1M. > >> > >> I pretty much assumed that, but thanks for the confirmation. > >> > >>> Also, in case anyone is unaware, beginning in z/OS V2R4 RUCSA is a > separately ordered paid feature. > > > >Youse wants to break da rules, youse gotta pay. > > > How might security auditors look at RUCSA which: > > https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2 > r3.ieae100/ieae1-rucsa.htm > Accessible only from address spaces that are running under user IDs > that have > SAF READ authority to the IARRSM.RUCSA profile in the FACILITY class, > or > on z/OSĀ® V2R3 or earlier systems that have the VSM > ALLOWUSERKEYCSA(YES) > parameter specified > > I suppose it depends on the breadth of the exposure. > > This is vaguely similar to the changes introduced by IO11698: IBM found > it > impractical to make the facility secure so they wrapped it with SAF so the > onus can be placed on the customer. > > -- gil > > ---------------------------------------------------------------------- > For IBM-MAIN subscribe / signoff / archive access instructions, > send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN ******************************************************** For information, services and offers, please visit our web site: http://www.klm.com. This e-mail and any attachment may contain confidential and privileged material intended for the addressee only. If you are not the addressee, you are notified that no part of the e-mail or any attachment may be disclosed, copied or distributed, and that any other action related to this e-mail or attachment is strictly prohibited, and may be unlawful. If you have received this e-mail by error, please notify the sender immediately by return e-mail, and delete this message. Koninklijke Luchtvaart Maatschappij NV (KLM), its subsidiaries and/or its employees shall not be liable for the incorrect or incomplete transmission of this e-mail or any attachments, nor responsible for any delay in receipt. Koninklijke Luchtvaart Maatschappij N.V. (also known as KLM Royal Dutch Airlines) is registered in Amstelveen, The Netherlands, with registered number 33014286 ******************************************************** ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
