Be careful with FORCE DISC.  If the user has any VM:Schedule jobs scheduled for 
his userid, they won't run if the userid has been left idle and disconnected.
                                                                                
                                           Dennis O'Brien

4 8 15 16 23 42


-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On Behalf 
Of Martin, Terry R. (CMS/CTR) (CTR)
Sent: Tuesday, June 01, 2010 09:13
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: [IBMVM] Automated Logoff of CMS user

Hi

Sorry for the late response; I did not have connectivity for a while.

Anyway, yes, basically what Marcy mentioned is about what the requirement
read. The emulator forcing locking of the desktop did not seem to
please them.

So I will look into TUNEFR from velocity. I say LOGOFF because it was
their terminology, but I will be using FORCE DISC instead.

Thanks for all of the information! 

Thank You,

Terry Martin
Lockheed Martin - Citic
z/OS and z/VM Performance Tuning and Operating Systems Support
Office - 443 348-2102
Cell - 443 632-4191

-----Original Message-----
From: The IBM z/VM Operating System [mailto:ib...@listserv.uark.edu] On
Behalf Of Schuh, Richard
Sent: Tuesday, June 01, 2010 11:49 AM
To: IBMVM@LISTSERV.UARK.EDU
Subject: Re: Automated Logoff of CMS user

We also use FORCE DISC because of the very same situation. The auditors
did give ground when we pointed out that the only access to our VM
system was via terminal emulator running on a desktop or laptop that was
logged on to our development network. They actually did not know that
there was already protection in place that met their requirement. After
admitting that, they came up with a "But then ..." saying that they were
not completely convinced. That is when we proposed the gentler solution
that broke the connection between the userid and termulator.

Regards, 
Richard Schuh 

 

> -----Original Message-----
> From: The IBM z/VM Operating System 
> [mailto:ib...@listserv.uark.edu] On Behalf Of Marcy Cortes
> Sent: Tuesday, June 01, 2010 8:17 AM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Re: Automated Logoff of CMS user
> 
> Here's an example of one such policy
> "A session must be suspended after a period of inactivity not 
> to exceed fifteen minutes. Reauthentication must be required 
> to resume the session."
> 
> Now, one could argue that all the desktops/laptops have this 
> capability, but some auditors will read this as needed on 
> each system that has the ability to authenticate.  One can 
> argue (and likely lose), or just set up velocity tunefrc or 
> the perftk equiv.  We use FORCE DISC which is kinder, gentler.
>  
> 
> Marcy 
> 
> 
> -----Original Message-----
> From: The IBM z/VM Operating System 
> [mailto:ib...@listserv.uark.edu] On Behalf Of Alan Altmark
> Sent: Tuesday, June 01, 2010 8:02 AM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: Re: [IBMVM] Automated Logoff of CMS user
> 
> On Tuesday, 06/01/2010 at 09:51 EDT, "Martin, Terry R. 
> (CMS/CTR) (CTR)" 
> <terry.mar...@cms.hhs.gov> wrote:
> > This may have been asked before but I was wondering the best way to
> > Automatically log off a CMS user after a designated time frame. This
> > is to address an Audit finding.
> 
> You opened the door, Terry, so I will walk through it:  What policy
> would drive an auditor to create such a finding?  I just have
> trouble with a policy that says "After a CMS user has been 
> logged on for [n] minutes, log them off."  To what end?  And 
> is it really only CMS users?  In Linux systems the CMS users 
> are the admins and SVMs, none of whom should be logged off 
> (IMO).  (I might buy FORCE DISC, but not logoff.)
> 
> Alan Altmark
> z/VM Development
> IBM Endicott
> 
