First, a confession: I am the one who wrote the device driver that enables accessing z/OS dasd from z/Linux.

Regarding the security issues that were raised here: They are valid and I agree with what was said. However, *if* you have a z/OS volume accessible from z/Linux with or without a driver, then you'd better make sure that you are in control of this situation. This was true even without such a driver existing because with a few lines of code and minutes away that z/OS disk can be cloned. Bottom line - make sure you do not put online in z/Linux what does not belong there.

As for security that the driver itself provides, these are two:

1. All data is accessed read-only. There is no way to write to the volume because it is accessed read-only, much like a cd or dvd-rom.
2. Mounting the disk is controlled just like any other volume mount in z/Linux. You can grant read access just to root or to everyone.

If your z/Linux is on a lower security level - then you should not make the volumes available to z/Linux anyway.

Regards,
Jacob Dekel
http://www.mvsdasd.org

On Mon, 2008-05-19 at 14:32 -0400, Alan Altmark wrote:
> On Monday, 05/19/2008 at 01:26 EDT, "McKown, John"
> <[EMAIL PROTECTED]> wrote:
>
> > Personal opinion time, donning Security Admin hat: There is NO way that I
> > would allow a Linux system to directly access my z/OS datasets. Why? No
> > ability to audit. No ability to restrict access and prove that access
> > was restricted to authorized users (thinking of HIPAA data).
> >
> > Now, I __might__ consider it if only a very few z/OS volumes were even
> > accessible from the Linux system and I could assure myself that the
> > datasets on those volumes never contained any confidential information
> > that might require auditing.
>
> Or *might in the future contain* any auditable information. You have to
> build a lot into your deployment processes to prove due diligence if you
> operate this way. I get *particularly* nervous when we're talking about
> z/OS data.
>
> How can you programmatically know that a volume does or does not contain
> auditable data? You don't. That means a very precise and controlled
> process for application and data deployment.
>
> And if the z/OS system is up and running, you have a real opportunity for
> data integrity loss.
>
> Alan Altmark
> z/VM Development
> IBM Endicott
>
> ----------------------------------------------------------------------
> For LINUX-390 subscribe / signoff / archive access instructions,
> send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
> http://www.marist.edu/htbin/wlvindex?LINUX-390
