On Tuesday, 11/08/2011 at 10:49 EST, Richard Troth <[email protected]>
wrote:
> Stop calling this a security problem.  (but see below about the conf
> file)  The security point for virtual machines is devices.  If the
> device is available, then whatever the guest does is okay by
> definition.

No, it's not.  It may be ok by *policy*, but not by *definition*.  For
example, if the volume contains cardholder data, PCI applies and "strong
access controls" are required and all access to the cardholder data must
be logged.  If you have two logs, then you must have an automated way to
reconstruct who accessed the cardholder data.

> Just because the current crop of security weebles don't "get it" does
> not a true problem make.  They are going to have to figure out
> virtualization eventually.  (Maybe compare MVS vols to USB sticks?
> Would the light bulb come on then?)  If the security police don't want
> the disk (or flash drive) read and/or reformatted by (eg) the Windoze
> box, don't plug it in!

Eh?  Security controls inhibit you when you DO plug in the USB stick. E.g.
configured to ignore USB ports.  Don't autoplay.  Etc.

> If one wants to take issue with the config file being mis-tagged as a
> security solution, THAT is a legit beef.  It's a doc issue.  (Jacob
> was on this list a year ago. Guessing he still is, but please, debate
> it offline.)  But again, it's outside the security model of
> virtualization.  (Thankfully the name of that dataset does not have
> "sec" in it.)

I'm not talking about security of the dasd volume -- that's fully covered
by z/VM.  Rather, I'm speaking of logical controls on the datasets that
reside on the volume and the VTOC itself.

Of course, if the volume contains only those datasets that the Linux guest
is permitted to see, then there's not a logical access issue, BUT the
dataset access isn't audited.  Any audit on the z/VM side can't be
correlated with anything on the z/OS side.  IF these datasets are
specifically constructed for Linux's use, e.g. as a pre-boot configuration
manager (a la CMS), then the audit issue may be able to be ignored.  This
is an example of a having a problem (Linux pre-configuration management
without z/VM) that mvsdasd can solve.

Alan Altmark

Senior Managing z/VM and Linux Consultant
IBM System Lab Services and Training
ibm.com/systems/services/labservices
office: 607.429.3323
mobile; 607.321.7556
[email protected]
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
----------------------------------------------------------------------
For more information on Linux on System z, visit
http://wiki.linuxvm.org/

Reply via email to