On Friday, 04/17/2009 at 08:54 EDT, Harold Grovesteen <[email protected]> wrote:

> Harder, Pieter wrote:
>
> >>That would be my desire as well, but IBM says it is what it is for security
> >>reasons.
> >
> >I agree with them. Paranoia maybe, but better safe than sorry.
>
> More likely EALS certification related.
No, it has nothing to do with certification. In the evaluated configuration, RACF is present and is protecting all Guest LANs and VSWITCHes. When an ESM is active, even unrestricted Guest LANs are under ESM control. If you want everyone to freely access a virtual network, you must explicitly say so.

[Note: The z/VM EAL 4+ Common Criteria certification only applies to the evaluated configuration. No claims are made for other configurations.]

My background in both security and networking has shaped my support for explicit authorization. In my world view:

- [SET] VMLAN TRANSIENT 0 would be the default, preventing class G users from using DEFINE LAN. If you want class G users to define LANs, then I recommend explicitly saying so in SYSTEM CONFIG (VMLAN statement) - just in case the default for transient Guest LANs changes from "unlimited" to zero.

- A DEFINE LAN would actually result in a disconnected VSWITCH under the covers so that VLAN rules are enforced.

If you do not use an ESM, then I recommend VMLAN TRANSIENT 0. If you do have an ESM, then I recommend a rule (e.g. RACF generic profile "**") that defines the default access as "denied."

Alan Altmark
z/VM Development
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
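The two recommendations above written out as a configuration fragment; this is an added example, not part of the thread or of IBM's documentation. It shows the SYSTEM CONFIG statement that keeps class G users from creating transient Guest LANs, and the RACF definitions that make the VMLAN class default to "denied" before granting one guest access to one VSWITCH. The LIMIT keyword, the VMLAN class name, the ownerid.lanname profile format, and the names SYSTEM.VSW1 and LNX01 are assumptions drawn from memory of the z/VM and RACF command syntax and should be checked against your release's manuals.

```text
/* SYSTEM CONFIG (assumed syntax): no transient Guest LANs, so a      */
/* class G DEFINE LAN fails. Persistent LANs and VSWITCHes defined     */
/* by class B users are unaffected.                                    */
VMLAN LIMIT TRANSIENT 0

/* Same change dynamically, until the next IPL; QUERY VMLAN shows it.  */
SET VMLAN LIMIT TRANSIENT 0

/* RACF (ESM present): default-deny across every Guest LAN and         */
/* VSWITCH via the generic ** profile, then an explicit grant.         */
/* Profile names are ownerid.lanname; SYSTEM owns a VSWITCH.           */
/* SYSTEM.VSW1 and LNX01 are constructed example names.                */
SETROPTS GENERIC(VMLAN)
RDEFINE VMLAN ** UACC(NONE)
RDEFINE VMLAN SYSTEM.VSW1 UACC(NONE)
PERMIT SYSTEM.VSW1 CLASS(VMLAN) ID(LNX01) ACCESS(UPDATE)
SETROPTS CLASSACT(VMLAN)
```

With the ** profile in place, a guest whose COUPLE is rejected shows up as a RACF access failure rather than silently joining the LAN, which is the audit trail the explicit-authorization model is meant to produce.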
