On Monday, 11/26/2007 at 10:03 EST, Mark Jacobs <[EMAIL PROTECTED]> wrote:
> Without an external security manager product such as RACF, does z/VM
> provide any security services or controls such as logging for
> administrator actions?
>
> Our corporate standards require regular password changes, SMF-like
> logging, non-shared userids... and looking at the VM documentation it
> doesn't look like native z/VM provides these facilities, but please
> correct me if I am incorrect.
You are correct. A "vanilla" z/VM system with no ESM:

o Stores passwords in clear-text in the directory. Unless you encrypt your
  backup tapes, they will contain the clear-text passwords. [I've often
  wondered how much They pay the people who pick up your backups and drive
  them to the archives, or otherwise handle the tapes....]

o Does not provide an end-user password change mechanism nor a password
  expiry capability. (DirMaint or an ESM will add this capability.)

o Does not have the concept of "access lists" for minidisks. Access to
  minidisks is authorized by a LINK statement in the user's directory entry
  or dynamically by using a password on the LINK command. If User A knows
  the password to a minidisk, then he can tell User B and you have no way
  to stop User B from linking to the disk.

o Generates a minuscule amount of security-relevant audit data via the CP
  accounting data stream. (Details in the CP Planning book - "Setting up
  SVMs".) Without an ESM you can only find out that:
  - someone successfully LINKed to another user's minidisk
  - too many (as defined by the installation) incorrect passwords have been
    used on a LINK command or for user authentication (e.g. LOGON)
  - a device was ATTACHed to a user
  - someone issued SET PRIVCLASS
  - the use of virtual network connections (but it does not record
    entry/exit from promiscuous mode)

o Cannot enforce mandatory access controls to enable different
  administrative security "zones".

Naturally, your IT security policy will determine whether you need an ESM,
but I (on behalf of IBM) recommend the use of an ESM on any z/VM system that
contains sensitive data or that has availability requirements.

Alan Altmark
z/VM Development
Chief z/VM Security Weasel
IBM Endicott
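As an added example (not part of the reply above and not an IBM tool): a small Python audit of a constructed USER DIRECT fragment that reports what the reply says a vanilla system leaves unprotected, namely logon passwords held in clear text, minidisks readable by anyone or guarded only by a shareable minidisk password, and access granted by LINK statements. The USER/MDISK/LINK column layout, NOLOG as a logon password and ALL as a minidisk password are the standard z/VM directory conventions; the sample directory and the finding names are assumptions made for this example.

```python
# Constructed sample of a z/VM USER DIRECT fragment (not from the original post).
# Layout assumed: USER userid password ...; MDISK vdev type start count volser mode
# [rpass [wpass [mpass]]]; LINK owner vdev [vdev [mode]].
SAMPLE_DIRECT = """\
USER OPERATOR OPERPW 32M 64M ABCDEG
 MDISK 191 3390 1 10 VMSYS1 MR RDOP WROP
USER APPUSR1 SECRET1 64M 128M G
 LINK OPERATOR 191 291 RR
 MDISK 191 3390 11 10 VMSYS1 MR ALL WRITEME
USER BATCH01 NOLOG 32M 32M G
 MDISK 191 3390 21 5 VMSYS1 MR
"""


def audit_directory(text):
    """Scan a USER DIRECT text and collect the exposures described in the post."""
    findings = {
        "clear_text_logon_pw": [],       # userids whose logon password is readable
        "mdisk_any_read": [],            # (userid, vdev) readable by anyone (ALL)
        "mdisk_password_protected": [],  # (userid, vdev) guarded by a shareable password
        "link_grants": [],               # (userid, owner, owner_vdev) from LINK statements
    }
    user = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # skip blanks and comment lines
            continue
        tok = line.split()
        kw = tok[0].upper()
        if kw == "USER":
            user = tok[1]
            pw = tok[2] if len(tok) > 2 else ""
            # NOLOG means the userid cannot log on, so no usable password is exposed.
            if pw.upper() != "NOLOG":
                findings["clear_text_logon_pw"].append(user)
        elif kw == "MDISK" and user:
            vdev, pws = tok[1], tok[7:10]        # passwords follow the access mode
            if pws and pws[0].upper() == "ALL":
                findings["mdisk_any_read"].append((user, vdev))
            elif pws:
                findings["mdisk_password_protected"].append((user, vdev))
        elif kw == "LINK" and user:
            findings["link_grants"].append((user, tok[1], tok[2]))
    return findings


if __name__ == "__main__":
    for name, items in audit_directory(SAMPLE_DIRECT).items():
        print(f"{name}: {items}")
```

Minidisks in `mdisk_password_protected` are the ones where the "User A tells User B" problem applies; those in `link_grants` are governed by directory entries an ESM or DirMaint can control.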
