First, a confession: I am the one who wrote the device driver that
enables accessing z/OS dasd from z/Linux.

Regarding the security issues that were raised here: They are valid and
I agree with what was said. However, *if* you have a z/OS volume
accessible from z/Linux with or without a driver, then you'd better make
sure that you are in control of this situation. This was true even
without such a driver existing because with a few lines of code and
minutes away that z/OS disk can be cloned. Bottom line - make sure you
do not put online in z/Linux what does not belong there.

As for security that the driver itself provides, these are two:
1. All data is accessed read-only. There is no way to write to the
volume because it is accessed read-only, much like a cd or dvd-rom.
2. Mounting the disk is controlled just like any other volume mount in
z/Linux. You can grant read access just to root or to everyone. If your
z/Linux is on a lower security level - then you should not make the
volumes available to z/Linux anyway.

Regards,
Jacob Dekel
http://www.mvsdasd.org


On Mon, 2008-05-19 at 14:32 -0400, Alan Altmark wrote:
> On Monday, 05/19/2008 at 01:26 EDT, "McKown, John"
> <[EMAIL PROTECTED]> wrote:
>
> > Personal opinion time, donning Security Admin hat: There is NO way that I
> > would allow a Linux system to directly access my z/OS datasets. Why? No
> > ability to audit. No ability to restrict access and prove that access
> > was restricted to authorized users (thinking of HIPAA data).
> >
> > Now, I __might__ consider it if only a very few z/OS volumes were even
> > accessible from the Linux system and I could assure myself that the
> > datasets on those volumes never contained any confidential information
> > that might require auditing.
>
> Or *might in the future contain* any auditable information.  You have to
> build a lot into your deployment processes to prove due diligence if you
> operate this way.  I get *particularly* nervous when we're talking about
> z/OS data.
>
> How can you programmatically know that a volume does or does not contain
> auditable data?  You don't.  That means a very precise and controlled
> process for application and data deployment.
>
> And if the z/OS system is up and running, you have a real opportunity for
> data integrity loss.
>
> Alan Altmark
> z/VM Development
> IBM Endicott
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
