On Friday, 05/02/2008 at 11:56 EDT, Thomas Kern <[EMAIL PROTECTED]> wrote:
> Thank you for the pointer to that document. I hope it deals with z/VM
> security without the requirement of RACF or brand x or brand y security
> product. The management of this site has not decided to purchase an
> extra security product.

As I said, it is primarily a cookbook for RACF. If you don't use an ESM, there isn't much security to implement. But here's what such a one-page guide would look like:

1. Change user passwords immediately after you take backups of the directory.
2. If the above makes you unhappy, use an encrypting tape drive.
3. Turn on Journaling and use the journal records in the accounting stream as your audit trail.
4. Change the privclass of STORE HOST to class 0 and don't give it to anyone, including yourself.
5. Do not allow minidisk passwords. All links must be done via directory entry.
6. If you're not happy at this point, get an ESM.

The bottom line is that you configure your system to meet the requirements. If the security policy says "do X", then you do X. If the security policy has a provision to get an exemption, and management approves, you're free and clear. Just keep a copy of the exemption and its approval in a separate, secure, undisclosed location. It is your Get Out Of Jail Free card.

Alan Altmark
z/VM Development
IBM Endicott
