To IPL the Non-RACF CP Nucleus, you'll need the SALIPL screen to select it 
- which would require the Resident VM Guru to be present (to know how to 
run SALIPL).  That being the case, the production VM would be down, and 
the "supervisor overhead" at that point would probably be very high ("When 
is it going to be back up???")  Auditability would be moot at that 
point... there would be enough people standing over your shoulder 
watching, you wouldn't get away with much of anything :-)

Alan Altmark <[EMAIL PROTECTED]>
Sent by: The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU>
09/28/2007 09:20 AM
Please respond to: The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU>
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: z/vm security advise requested

On Wednesday, 09/26/2007 at 03:42 EDT, Bill Munson 
<[EMAIL PROTECTED]> wrote:
> Lionel,
> 
> If RACF is broken and you are still IPL'd off of the CP Module with RACF
> in it then the only 2 users you can log on to are RACFVM and/or
> RACMAINT.  Unless RACF for VM has changed in the last few years.
> 
> I would suggest Dave Jones's idea of keeping a NON-RACF CP module
> available to IPL from.

While tempting, this creates an inherently unauditable system, with 
nothing to stop you from running the guests.  But if you choose such a 
configuration, do it in a way that doesn't violate security policies.

Wishful thinking follows...

I have AUTOLOG1 issue a DIAG A0 to find out if the ESM is installed.  If 
so, start RACFVM.  If not, CP MSGNOH OPERATOR
 **** WARNING : RUNNING WITHOUT RACF.
 **** NOT FOR PRODUCTION USE.
 **** NETWORKING IS DISABLED.  ALL SERVERS DISABLED.
 **** DO NOT ATTEMPT TO ADJUST THE HORIZONTAL HOLD.
 **** WE HAVE ASSUMED CONTROL....

And, natch, my PROFILE GCS in RSCS and my :exit. in SYSTEM DTCPARMS for 
TCPIP would run a DIAG A0 program to look for the ESM, failing to start if 
not present.

And, as Evil Overlord (who is properly paranoid), I modify OPERATOR 
PROFILE EXEC to issue the same DIAG A0 query and to issue a msg and LOGOFF 
if RACF isn't active.  Bwahahahaaaaaaa!!

Not bulletproof, of course, but sufficiently difficult that you have to 
remove the restraints in order to point the gun at the glass.  That 
provides, IMO, sufficient evidence of intent that I am happy, as Evil 
Ove-- sorry, I mean "sysprog", to not be blamed if Operations switches to 
Manual Override and takes over.

Hmm....maybe one should be able to select the System Identifier based on 
the name of the IPLed module, not just CPU id...

Alan Altmark
z/VM Development
IBM Endicott
