On Sat, Jul 12, 2008 at 8:03 AM, Leland Lucius <[EMAIL PROTECTED]> wrote:
> We have removed the password from MAINT and the 2 of us sysprog wannabes > have setup RACF to allow us to LOGONBY to MAINT. Works beautifully. But, > what would happen if some malicious individual decided to attempt sufficient > invalid logons to cause us our IDs to be revoked. How would we ever get > back to MAINT? Now, add in the security admins ID to the mix. Then what? Yep. First, the idea is that userids of the individuals who have logonby is not disclosed, so chances of hitting (all) of them is harder (except that we found Q BYUSER practical, which does reveal this kind of info). As a next safety net, you could set up a group special would could resume you if you get revoked, or have OPERATOR be group special of IBMUSER (assuming OPERATOR will be logged on already while the system is running). This stuff is audited, so it's not that someone could sneak in like this without showing. > Also, any war stories about getting into a situation where no one could log > on due to RACF being unavailable? Should we be concerned about a case like > this? What recovery is possible? Yes... our security officer started to look at Consul/RACF listings and started to remove profiles that his software did not understand, and then activated classes that he felt were "good to enable" and then remembered his appointment with the dentist that afternoon, so he left for the weekend. I was paged in the weekend when the system would not come up after the IPL. I believe I have been there several hours to get the system going again. Rob
