On Wednesday, 12/08/2010 at 02:35 EST, David Boyes <[email protected]> wrote: > OTOH, I think this also argues for a bigger step: for IBM to supply a > default ESM and quit having to do it two different ways. We can always > replace the default one with something better, but there's a lot of > wheel-spinning being done in IBM development to support the two different > models. > > Personally, I dislike RACF with a passion, but I'd rather have RACF be > present by default and have one single way to do security management (via > the ESM) than have to have a completely separate command authorization > matrix to worry about via CP privilege classes, etc, etc, etc. It may have > worked in the past, but it's time HAS past. There's too many regulations > and too many hostile bozos out there to not have a comprehensive security > management tool as part of the VM hypervisor suite. If that means we all > have to suffer under RACF for long enough to turn it off, then so be it.
In order to achieve the savings you imply, then z/VM must move to the z/OS model in which, except for a few specific functions, an ESM is required for proper operation. NO native CP security controls beyone those required to restore ESM control vis a vis SYS1.UADS in order to login to TSO. Any function dependent on the ESM will be configured to DENY access without the ESM. You would HAVE to buy an ESM, whether from IBM or CA. And THAT will be acceptable only when folks wrap their heads around the fact that z/VM systems WITHOUT an ESM will fail a modern security audit. The primary example is the presence of unencrypted passwords in USER DIRECT. Alan Altmark z/VM and Linux on System z Consultant IBM System Lab Services and Training ibm.com/systems/services/labservices office: 607.429.3323 [email protected] IBM Endicott
