John Gilmore wrote:

>> Is it a consensus best practice to restrict read access of syslog/operlog
>> data to those people with a need-to-know?

> It is not, not least because the question itself is not well-formed.
> Need-to-know is a useful notion for highly sensitive information that lends
> itself to misuse in the wrong hands.
> For syslog/operlog the operative question should instead be:
> Who, if anyone, needs to be prevented from accessing this information?
> The answer will then usually be no minimally qualified user.

While 'need to know' is a good argument [1] and I agree with your argument that a minimally qualified user [2] should be kept away from SYSLOG / OPERLOG, I ask another set of questions before giving access.

When deciding WHO may need to access such resources, I ask several questions; some of them are listed here:

1. Do you really need to know, so you can perform your job? Examples please. On a postcard. I'm busy.
2. Can you make *useful* use of those resources?
3. What is the supervisor's/boss's opinion?

I weigh all answers, needs, etc. before deciding. Sometimes they get a YES, while I should give a NO. :-p

Please don't jump on me: I know for a fact that some unnamed vendor software can, with a tweaking of options [3], display sensitive data like userid/password, control fields, etc.

Groete / Greetings
Elardus Engelbrecht

[1] - If you don't have any other arguments to start with.
[2] - I have had in the past some nosy users who tried out career-limiting things! ;-)
[3] - This is by design and is turned off by default. You had better protect your 'F yyy,blah' modify command, of course.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN