The absence or presence of passwords on the MDISK does not change the behavior.
I may have discovered something regarding a GROUP rule. More in a little bit.

____________________
Jim Hughes
603-271-5586
"It is fun to do the impossible."

________________________________
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Schuh, Richard
Sent: Friday, November 20, 2009 1:22 PM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Z/VM 5.4 and VM:Secure running a CLOSED security system

I agree that it is intuitive that NORULE REJECT would reject non-directory LINK commands to disks that have no passwords. A blanket ACCEPT does not seem at all right. What happens if you link to a disk that has passwords?

Regards,
Richard Schuh

________________________________
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Hughes, Jim
Sent: Friday, November 20, 2009 9:25 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Z/VM 5.4 and VM:Secure running a CLOSED security system

We really did change to NORULE REJECT and ipled the test system.

NORULE REJECT should reject the command unless a RULE exists to grant access to the resource.

The LINK statements in the DIRECTORY were denied because no rule existed to allow the LINK to take place. So a change of behavior is taking place.

I don't like the idea of the LINK command working at the CP level even though VM:Secure tells me it would be rejected.

We will keep looking and experimenting.

____________________
Jim Hughes
603-271-5586
"It is fun to do the impossible."

________________________________
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Schuh, Richard
Sent: Friday, November 20, 2009 11:48 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Z/VM 5.4 and VM:Secure running a CLOSED security system

In my version of the VM:Secure Reference, only GROUP, LOGON BY, VM:Tape and VM:Schedule actions are documented as being rejected if NORULE REJECT is in effect. LINK is not mentioned. It looks like CLOSED isn't so closed, after all.

Of course, all bets are off if you really did change to NURULE REJECT :-)

Regards,
Richard Schuh

________________________________
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf Of Hughes, Jim
Sent: Friday, November 20, 2009 8:29 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Z/VM 5.4 and VM:Secure running a CLOSED security system

We are moving towards running VM:Secure with RULES enabled as a CLOSED security system. Our testing isn't going as well as we hoped.

We have had RULES enabled for many years with NORULE ACCEPT in effect. We changed to NURULE REJECT and some funny things are happening.

Anyone can issue any CP command with success. For instance, if I am on a general class G user without the OPTION LNKNOPASS directory statement, I can issue LINK MAINT 123 1 RR with success. MAINT's 123 disk does not have ALL as the password. In fact, it doesn't have any passwords at all.

From the same user, if I use VMSECURE QRULES JHUG LINK MAINT 123, VM:Secure tells me the LINK would be rejected via NORULE DEFAULT.

Would someone help us figure out what we've missed??

Thanks in advance.

Here are the lines from the console.

    link maint 123 1 rr
    DASD 0001 LINKED R/O; R/W BY VMSECURE ; R/O BY 4 USERS
    Ready; T=0.01/0.01 11:24:15
    vmsecure qrules jhug link maint 123
    VMXACQ0223I Rejected via NORULE default

____________________
Jim Hughes
603-271-5586
"It is fun to do the impossible."