Jon,It seems to me that what you’re saying is that if one works
in a badly run z/OS shop with unprotected UserIDs and unscrupulous employees
who share their user credentials then that might result in a security exposure.
In that regard z/OS is like any other system out there. Ultimately Your
arguments fail to convince me of the existence of any actual vulnerabilities in
z/OS itself.
Keven
Get Outlook for iOS
On Sat, Dec 23, 2017 at 1:11 PM -0600, "Jeremy Nicoll"
<jn.ls.mfrm...@letterboxes.org> wrote:
On Sat, 23 Dec 2017, at 18:40, Jon Perryman wrote:
> I only wanted to know why dynalloc is no longer considered an exposure.
> When these people did the risk analysis for dynalloc on MVS, what made
> them decide why it's not an exposure and does not need to be a
> controlled resource?
Maybe it's because, in general, allocation of a dataset isn't an issue?
Anyone could try to create (ie allocate) a dataset of any name in JCL,
but security software would prevent it from actually being created
except by those users allowed to do so.
Anyone could reference any existing dataset in JCL, but security software
will prevent unauthorised users from reading or writing its contents.
Maybe your experience is of a site without proper security controls set up?
--
Jeremy Nicoll - my opinions are my own.
