Not really. Our operators know about the loadparm during IPL.
Regards, Richard Schuh ________________________________ From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, September 28, 2007 6:34 AM To: IBMVM@LISTSERV.UARK.EDU Subject: Re: z/vm security advise requested To IPL the Non-RACF CP Nucleus, you'll need the SALIPL screen to select it - which would require the Resident VM Guru to be present (to know how to run SALIPL). That being the case, the production VM would be down, and the "supervisor overhead" at that point would probably be very high ("When is it going to be back up???") Auditablility would be moot at that point... there would be enough people standing over your shoulder watching, you wouldn't get away with much of anything :-) Alan Altmark <[EMAIL PROTECTED]> Sent by: The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU> 09/28/2007 09:20 AM Please respond to The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU> To IBMVM@LISTSERV.UARK.EDU cc Subject Re: z/vm security advise requested On Wednesday, 09/26/2007 at 03:42 EDT, Bill Munson <[EMAIL PROTECTED]> wrote: > Lionel, > > If RACF is broken and you are still IPL'd off of the CP Module with RACF > in it then the only 2 users you can log on to are RACFVM and/or > RACMAINT. Unless RACF for VM has changed in the last few years. > > I would suggest Dave Jones's idea of keeping a NON-RACF CP module > available to IPL from. While tempting, this creates an inherently unauditable system, with nothing to stop you from running the guests. But if you choose such a configuration, do it in a way that doesn't violate security policies. Wishful thinking follows... I have AUTOLOG1 issue a DIAG A0 to find out if the ESM is installed. If so, start RACFVM. If not, CP MSGNOH OPERATOR **** WARNING : RUNNING WITHOUT RACF. **** NOT FOR PRODUCTION USE. **** NETWORKING IS DISABLED. ALL SERVERS DISABLED. **** DO NOT ATTEMPT TO ADJUST THE HORIZONTAL HOLD. **** WE HAVE ASSUMED CONTROL.... And, natch, my PROFILE GCS in RSCS and my :exit. in SYSTEM DTCPARMS for TCPIP would run a DIAG A0 program to look for the ESM, failing to start if not present. And, as Evil Overlord (who is properly paranoid), I modify OPERATOR PROFILE EXEC to issue the same DIAG A0 query and to issue a msg and LOGOFF if RACF isn't active. Bwahahahaaaaaaa!! Not bulletproof, of course, but sufficiently difficult that you have to remove the restraints in order to point the gun at the glass. That provides, IMO, sufficient evidence of intent that I am happy, as Evil Ove-- sorry, I mean "sysprog", to not be blamed if Operations switches to Manual Override and takes over. Hmm....maybe one should be able to select the System Identifier based on the name of the IPLed module, not just CPU id... Alan Altmark z/VM Development IBM Endicott