On Monday, 04/09/2007 at 03:57 AST, Frank LeFevre <[EMAIL PROTECTED]> wrote:
> We are having an internal debate here. The "official" recommendation for I/O
> configuration for Linux on z is to limit access in the IODF to devices Linux
> actually uses. Some don't want to take the time. So we are wondering if
> everyone does this.

No, everyone does not do it. The questions to ask:
- What are the risks and the benefits?
- Do the benefits outweigh the risks?
- Is the identified risk too high, even in the face of significant benefit?
- Does our company's data security policy provide any guidance?

I'm a Security Guy, so I like to pick on the last item. Let's say your security policy says you must audit all access to customer data. Let's further posit that two hosts have physical access to the data. Do both systems audit access to the data? Can a compromised application bypass the security/audit controls? What if it is a z/OS volume that Linux cannot read, yet has R/W access to? Lots of questions that only your people can answer.

I'm not sure about not wanting to "take the time". The machines have dynamic I/O capabilities, so altering the I/O config isn't that difficult. If their issue is the need to do an inventory, then I'd say they need to get crackin'. They need the inventory in order to perform the cost/benefit analysis.

Alan Altmark
z/VM Development
IBM Endicott
