On Wed, Apr 22, 2009 at 10:46 PM, RPN01 <[email protected]> wrote: > None of the z/Linux guests run in anything more than a class G user on z/VM, > so they really don't have any "magic" facilities within z/VM via the root > userid. For the images that the end user has root access, if they want to > mess around and screw up their virtual machine, isn't that their right? And > a simple logout / login will reset anything they've done, because DirMaint > is a CMS facility, and CMS isn't running there for them to invoke any > commands.
Class G was meant for CMS users that you know to find when your audit records reveal a reason to go after them. The criteria for that don't work well for anonymous visitors from the Internet. Although http://www.rvdheij.nl/Presentations/2004-L84.pdf is a bit dated, it gives an idea about the possible Denial of Service attacks that visitors could arrange. Someone with an evil mind and enough spare time would be able to write a Linux program that issues Dirmaint commands. > In addition, the users with root access are from an Intel background, and > would have to find and implement the z/VM additions before they could even > begin to touch their environment. While it could happen, it isn't likely. Depends on your environment whether you settle for "it isn't likely" If I were responsible for security, I would not. When the target is appealing enough, there will be people willing to read CP Programming Services or CP Commands. Especially now that softcopy books are available. Rob ---------------------------------------------------------------------- For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
