Leland,

I haven't verified it but if what you posit occurs, and you could access OPERATOR's console, how about:

CP SET SECUSER RACFVM * *Make OPERATOR secuser of RACFVM
CP SEND RACFVM blah blah command to unrevoke yourid *I don't know the command

or

CP XAUTOLOG racf_admin_id
CP SET SECUSER racf_admin_id *
CP SEND racf_admin_id blah blah command to unrevoke yourid

If all else fails, disable RACF and use the CP directory passwords for MAINT, and others (you know what they are, right?) and restore a backup of the RACF database in which yourid's not revoked (and you remember your logon password restored by the old backup)

CP SEND RACFVM SET RACF INACTIVE

and then reply YES to its prompt to OPERATOR

-----Original Message-----
From: The IBM z/VM Operating System on behalf of Rob van der Heij
Sent: Sat 7/12/2008 4:54 PM
To: [email protected]
Subject: Re: RACF and protecting against the unknown

On Sat, Jul 12, 2008 at 8:03 AM, Leland Lucius <[EMAIL PROTECTED]> wrote:

> We have removed the password from MAINT and the 2 of us sysprog wannabes
> have set up RACF to allow us to LOGONBY to MAINT. Works beautifully. But,
> what would happen if some malicious individual decided to attempt sufficient
> invalid logons to cause our IDs to be revoked? How would we ever get
> back to MAINT? Now, add in the security admin's ID to the mix. Then what?

Yep. First, the idea is that the userids of the individuals who have logonby are not disclosed, so chances of hitting (all) of them are lower (except that we found Q BYUSER practical, which does reveal this kind of info). As a next safety net, you could set up a group special who could resume you if you get revoked, or have OPERATOR be group special of IBMUSER (assuming OPERATOR will be logged on already while the system is running).

This stuff is audited, so it's not that someone could sneak in like this without showing.

> Also, any war stories about getting into a situation where no one could log
> on due to RACF being unavailable? Should we be concerned about a case like
> this? What recovery is possible?

Yes... our security officer started to look at Consul/RACF listings and started to remove profiles that his software did not understand, and then activated classes that he felt were "good to enable" and then remembered his appointment with the dentist that afternoon, so he left for the weekend. I was paged on the weekend when the system would not come up after the IPL. I believe I was there several hours to get the system going again.

Rob
