On Wednesday, 05/14/2008 at 04:02 EDT, Charles LeDuff 
<[EMAIL PROTECTED]> wrote:
> I am wondering if there is anyone who has automated the shutdown of
> linux instances in z/VM, that has to follow the Department of Defense
> (DoD) requirements?  The requirements, I am referring to, are the
> Security Technical Implementation Guide (STIG).
> 
> The SIGNAL command would be the perfect solution, but it requires
> enabling the CTL-ALT-DEL function under linux.  According to the STIG,
> the CTL-ALT-DEL function cannot be enabled.
> 
> I have tried using the CP SEND command, in a REXX EXEC, to send the
> userid and password to linux, but z/VM changes the case of the letters
> from lower to upper.  Another problem according to the STIG.  All
> passwords must be mixed case.  Is there a way for z/VM to not change
> the case of the letters?
> 
> Is there another way to automate the shutdown of the linux instances?

I'm confused.  Presumably the ban on CTL-ALT-DEL was to eliminate 
anonymous reboots.  You have to login to issue shutdown -r, or physically 
turn off the server.

But on System z, SIGNAL SHUTDOWN is not anonymous.  Your ESM will happily 
audit anyone issuing the command.  CP SEND and SIGNAL SHUTDOWN are 
equivalent in this respect: both are outside agencies acting on the 
server.  I contend that SIGNAL is more secure because it does not require 
root (or whoever) to be logged on at the virtual console.  Further, I 
think SIGNAL is more reliable because you don't have to add logic to logon 
to root if it is not already logged on.

Maybe a practical demonstration to the owners of STIG would be sufficient 
that you are not *ACTUALLY* enabling CAD on Linux?

Alan Altmark
z/VM Development
IBM Endicott
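The setting the whole thread turns on is the init ctrlaltdel action that SIGNAL SHUTDOWN depends on and the STIG wants disabled. As an added example (not from either poster, and not z/VM or IBM code), here is a POSIX sh audit function that classifies the ctrlaltdel record in a SysV /etc/inittab-style file, run against a constructed sample; it assumes the classic `id:runlevels:action:process` record format.

```shell
#!/bin/sh
# Added example, not from the thread: classify the SysV init
# ctrlaltdel record in an /etc/inittab-style file, the setting the
# STIG quoted above wants disabled and that SIGNAL SHUTDOWN relies on.
# Prints one of:
#   disabled         no active ctrlaltdel record       (returns 0)
#   enabled:reboot   record runs shutdown -r / reboot  (returns 1)
#   enabled:halt     record runs shutdown -h / halt    (returns 1)
#   enabled:other    record runs something else        (returns 1)
cad_status() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # Record format: id:runlevels:action:process. Skip commented
    # records; keep everything after the third colon so a command that
    # itself contains a colon is preserved.
    proc=$(grep -v '^[[:space:]]*#' "$file" |
        awk -F: '$3 == "ctrlaltdel" { sub(/^[^:]*:[^:]*:[^:]*:/, ""); print; exit }')
    if [ -z "$proc" ]; then
        echo disabled
        return 0
    fi
    case "$proc" in
        *shutdown*-r*|*reboot*)          echo enabled:reboot ;;
        *shutdown*-h*|*halt*|*poweroff*) echo enabled:halt ;;
        *)                               echo enabled:other ;;
    esac
    return 1
}

# Demo on a constructed inittab (not taken from any real system).
demo=$(mktemp)
cat >"$demo" <<'EOF'
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
EOF
cad_status "$demo"            # enabled:reboot
cat >"$demo" <<'EOF'
id:3:initdefault:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
EOF
cad_status "$demo"            # disabled
rm -f "$demo"
```

The return code makes it usable as a compliance check: 0 means no active ctrlaltdel action, which is the state the quoted STIG requires and the state in which SIGNAL SHUTDOWN has nothing to trigger.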
