On Saturday, 05/30/2009 at 03:12 EDT, Rob van der Heij <rvdh...@gmail.com> wrote:
> But then, I don't agree with Kris' view of the world that "MAINT must
> be allowed to do anything" In my view, *if* there is a single userid
> that is allowed to do anything under any circumstances (like no
> auditing) then use of such a userid should be very much limited to
> exceptional cases where normal tools don't work.

In case of an emergency, broad powers can be given to the sysprog, but (IMO) you should have to actually *declare* an emergency to get those powers. You then have to return control to the civilian government when the crisis has passed. Absolute power and all that, wot?

That's a reason that STORE HOST can be explicitly controlled by an ESM. Class C is not sufficient. If you need STORE HOST, you get permission, do what you need to do, then your ability to issue it is removed.

As I tell IT managers, the system is not protected from an Evil Sysprog. In fact, in the Common Criteria certification there is an explicit assumption that the system administrators are not intent on wrongdoing. The extra ESM protections on privileged interfaces are there to let you establish auditable and meaningful conformance to a robust security policy. But every good security policy includes (should include!) a procedure for obtaining the keys to the kingdom.

I was reminded of this when I was reading the security rules for the US HIPAA law. It recognizes that one or more established security controls may need to be lifted in case of emergency. On the other side, it requires that the conformant organization establish penalties for breaking the HIPAA rules, so it is a Good Thing to request and receive supernumerary powers. Annoying, perhaps, but a Good Thing nonetheless. It would be ok to include in the procedure a provision for giving yourself the needed privs in case TPTB cannot be reached within some timeframe.

The difference between Evil (or just rogue) Sysprog and Good Sysprog is the use of due process.
How many times have you used SCIF to escalate your privilege or access rights beyond what you had when you logged on? (Rhetorical. No hands, please. Just food for thought and an indication of one of my focus areas.)

Alan Altmark
z/VM Development
IBM Endicott