Let them run it. The vendor used here had to recode for zVM but they
were willing to do so. They still check a few things (ports being used,
etc.) but they now recognize that the O/S is not unix or linux and they
don't try to log in to root and don't try all their usual ways of getting
into a unix or linux system.

The linux servers are checked as well and on a regular basis. They did
make us disable or upgrade older versions of PHP.

On the good side, when we started using SLES10, the security folks
actually came to us to ask - what is this O/S? Their product said the
SLES10 servers had the best rating of the entire enterprise.

In any case, if the vendor is marketing their product as an enterprise
tool they should be willing to include zVM. Since it sounds like
scanning zVM systems is critical to the company purchasing their product
they definitely should. But I do understand the concept of folks
deciding on products not knowing what they really needed - zVM does tend
to be forgotten even when critical apps run there.

-----Original Message-----
From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
Behalf Of Schuh, Richard
Sent: Monday, February 04, 2008 4:12 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Security Scans

Linux is not even a consideration. We have 2 systems that exclusively
support Linux guests. They are not the targets. It is the system that
supports the TPF test and development environment.  

Regards,
Richard Schuh 

 

> -----Original Message-----
> From: The IBM z/VM Operating System
> [mailto:[EMAIL PROTECTED] On Behalf Of Rob van der Heij
> Sent: Monday, February 04, 2008 1:08 PM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Re: Security Scans
> 
> On Feb 4, 2008 9:33 PM, Schuh, Richard <[EMAIL PROTECTED]> wrote:
> > It is not that I want to test the site, it is that a committee has 
> > specified that the same tool be used for all platforms. This was 
> > chiseled in granite before anyone associated with a mainframe even 
> > heard that it was being considered. Now that the edict has been made,
> > rules is rules.
> 
> Probably the vendor will be able to confirm they have no clue about VM
> and the committee that selected this tool will conclude that you're
> excused. And that would be the end of the story.
> 
> Been there. I invested quite some time to explain why it was 
> outrageous that we had to install an extra version of Java on 
> each Linux server, just to run the selected security scanner. I 
> thought my case was pretty strong when we found the product caused a 
> security risk rather than fix one. The product specialist then 
> explained the product was supported on Linux for zSeries but not for 
> Linux on z/VM. Obviously the man had no clue what he was talking 
> about, but it fit the bill.
> 
> -Rob
> 

