On Wed, 5 Sep 2012 16:59:16 +0100, haralder haralder wrote:
>
>We explained to our auditor that the software installation tool in z/OS is
>SMP/E, which is protected by the GIM.* profile in the FACILITY class
>in our RACF. We printed the accesses for that profile and they were
>satisfied enough after we explained that the admins don't need UPDATE
>but READ access to install software.
> 
Ah, so you can thank IBM for not fixing that integrity exposure circa
April, 2010.

And the auditors understood why READ but not UPDATE access
sufficed.

And you didn't mention to them that SMP/E could be bypassed using
IEBCOPY directly, and leaving far less audit trail.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN