On Thursday, 06/09/2011 at 04:15 EDT, Scott Rohling
<[email protected]> wrote:
> Implementing the driver isn't an auditable offense..   gaining access to
the
> volume through a DEDICATE or LINK, etc is another story - but that
shouldn't
> discourage use of the driver.   I see little difference between this and
the
> cmsfs driver...  access to a z/OS or CMS disk is auditable (or should
be) -
> the ability to read a z/OS volume or CMS disk is not.

In the z/OS, case I must, in general, disagree.  The problem is that MVS
volumes can contain multiple datasets and MVS access controls are at the
dataset level, not volume.  (Subject to DASDVOL authority.)

I did make the exception for an MVS volume very specifically constructed
for this purpose.  But that also means additional controls on who can
allocate datasets on the volume.  They better be only the Users Who
Understand The Implications.

LINK to a fullpack minidisk would provide RACF control & audit on VM.
ATTACH/DEDICATE does not yet do so.  For CMSFS, you can make the
reasonable argument that the volumes are owned by the VM system and the
audit records are properly contained there as CMS files on minidisk are
authorized at the virtual volume level.

Alan Altmark

z/VM and Linux on System z Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile; 607.321.7556
[email protected]
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Reply via email to